blob: adbf0a99b4e039202a250a056cc1f4e1b4d7a0ac (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
|
What's new in 5.1
=================
General
-------
* all of the tuneables can now be set at any time, not just whilst disabled
or prior to loading rules;
* group identifiers may now be a number or name (universal);
* man pages rewritten
* tunables can now be set via ipf.conf;
Logging
-------
* ipmon.conf can now be used to generate SNMPv1 and SNMPv2 traps using
information from log entries from the kernel;
NAT changes
-----------
* DNS proxy for the kernel that can block queries based on domain names;
* FTP proxy can be configured to limit data connections to one or many
connections per client;
* NAT on IPv6 is now supported;
* rewrite command allows changing both the source and destination address
in a single NAT rule;
* simple encapsulation can now be configured with ipnat.conf,
* TFTP proxy now included;
Packet Filtering
----------------
* acceptance of ICMP packets for "keep state" rules can be refined through
the use of filtering rules;
* alternative form for writing rules using simple filtering expressions;
* CIPSO headers now recognised and analysed for filtering on DOI;
* comments can now be a part of a rule and loaded into the kernel and
thus displayed with ipfstat;
* decapsulation rules allow filtering on inner headers, providing they
are not encrypted;
* interface names, aside from that the packet is on, can be present in
filter rules;
* internally now a single list of filter rules, there is no longer an
IPv4 and IPv6 list;
* rules can now be added with an expiration time, allowing for their
automatic removal after some period of time;
* single file, ipf.conf, can now be used for both IPv4 and IPv6 rules;
* stateful filtering now allows for limits to be placed on the number
of distinct hosts allowed per rule;
Pools
-----
* addresses added to a pool via the command line (only!) can be given
an expiration timeout;
* destination lists are a new type of address pool, primarily for use with
NAT rdr rules, supporting newer algorithms for target selection;
* raw whois information saved to a file can be used to populate a pool;
Solaris
-------
* support for use in zones with exclusive IP instances fully supported.
Tools
-----
* use of matching expressions allows for refining what is displayed or
flushed;
|