Arno's IPTABLES Firewall Script is a secure stateful firewall for both single and multi-homed machines. It supports NAT and SNAT, port forwarding, ADSL Ethernet modems with both static and dynamically assigned IPs, MAC address filtering, stealth port scan detection, DMZ support, protection against SYN/ICMP flooding, experimental IPv6 support, multi-interface/aliased-IP support, and extensive user-definable logging with rate limiting to prevent log flooding. It has plugin support for adding extra features, such as SSH Brute Force protection and (Racoon) IPSEC support. It is easy to configure and highly customizable. A filter script that makes your firewall log more readable is also included.
Operating Systems: POSIX Linux
Release Notes: arno-fwfilter and the Gentoo init script were updated. Some Gentoo-specific parts that are no longer required were removed. The TRACE option was removed. DMZ_INPUT_DENY_LOG and DMZ_OUTPUT_DENY_LOG variables were added. The DYNDNS and Traffic Accounting plugins were refactored. There were also miscellaneous tweaks and changes.
Release Notes: This release fixes RESERVED_NET_DROP, which only worked when RESERVED_NET_LOG was enabled (regression), fixes the installation script, and updates/corrects documentation.
Release Notes: The LAN_INET_OPEN_xxx, LAN_INET_HOST_OPEN_xxx, DMZ_INET_OPEN_xxx, and DMZ_INET_HOST_OPEN logic and handling were changed, and handling of some of the sysctl kernel settings was tweaked. It is now possible to disable setting/resetting of some settings (like forwarding). The default UDP connection timeout is now 60 seconds. Support for a new LOCAL_CONFIG_DIR variable was added. It defaults to "/etc/arno-iptables-firewall/conf.d". Documentation was improved. Miscellaneous tweaks were made for arno-fwfilter.
Release Notes: This release removes DNS_FAST_FAIL and RESOLV_IPS, since they are both obsolete. It adds miscellaneous tweaks.
Release Notes: This release fixes the kernel_ver_chk() function to properly handle kernel 3, fixes variables containing REJECT_UDP with IPv6 enabled (it should use "icmp6-addr-unreachable" for IPv6), parses AIF variables with a common function, and logs missing fields with a warning.