Round-robin redirection to spread traffic load over
multiple IP addresses
Load-splitting for redirection (splits IP traffic
between two alternate destinations)
Solaris 8 support
IPv6 support (ipf -6/ipfstat -6)
Save/Restore of state and NAT information (ipfs)
"top" style output option for ipfstat (ipfstat -t)
destination and source address matching for map/rdr
rules
l4check - program to monitor redirection destinations
for layer 4 load balancing.
Solaris 7 (32bit & 64bit) support
FreeBSD-3 supported
BSD/OS 4.0 support (.o and source patches)
Support securelevel for restricting changes to the
configuration.
ICMP errors can be returned so that they appear to come from
either the firewall or the endpoint
Setting a range of addresses rather than a CIDR mask
in NAT now possible
Source host filtering on redirects supported
_Large_ static NAT now supported with 1 rule
Logging enhancements, allowing rules to specify syslog
facility and priority
Enhancements to state code.
Additional in-kernel proxies provided for rcmd(3) and
RealAudio(PNA)
BSD/OS 3.1 .o files for easy integration into BSD/OS
enhancements to ipmon (daemon-capable, HUP'able)
NAT support for traceroute
limited in-kernel FTP proxy, for use with or without NAT
IRIX 5.3, 6.2 Support
Linux 2.0.31 Support
(non-GLIBC systems ONLY!)
per-packet authentication
preauthentication
bi-directional NAT mapping
logical grouping of filter rules
Solaris 2.3 - 2.6 supported
patches for OpenBSD 2.1 integration
new input language for ipsend
logging improvements
inverting of host/net matching
compatibility for NetBSD/FreeBSD improved
use quad_t where available for counting packets and bytes
sysctl interface implemented (FreeBSD 2.2 and above)
in-kernel proxying support
logging of NAT and state changes
device files created for NAT, authentication, state and fragment state
fragment state automatically added with "keep state"
Optionally block/pass unrecognisable STREAMS mblks
(Solaris2) (3.1.2)
Drop packets which would be passed if logging fails
(3.1.2)
Using "redirection", transparent proxying
can be achieved, with patches for TIS FWTK ftp-gw provided as an example of
how to do it.
Arbitrary functions can be called to make more complex
filtering decisions than standard filtering provides.
Packets can be logged to network interfaces.
Packets can be routed transparently.
Can be built and installed as a Solaris 2 package
(Solaris 2.x only)
Can reset statistics for individual rules.
Regression testing on rule parsing and printing.
ipresend and ipftest can now take input
from a larger variety of file types, now including hex. representation of
complete IP packets.
Device file permissions are meaningful within IP Filter
when processing ioctls.
ipmon can now display logged packets in
hex.
Packet state can be kept and followed for TCP
connections, UDP exchanges and ICMP messages.
Fragment state can be kept and followed on a
per packet basis.
Byte counting can be performed for a separate
list of filter rules.
Includes a Network Address Translation (NAT) table
which can be used to hide and map internal IP addresses to ones accepted by
external networks.
ICMP unreachable codes returned can be different for
each rule
Solaris 2.4 & 2.5 support
Can now (optionally) log the first 128 bytes of
a packet (if present), including the packet header;
ipmon can now generate log entries with
names in place of numerical hostname and port data by using the -N
command line option;
ipmon can now optionally log output through
syslog using the new -s command line option;
IPSO Basic Security Options filtering;
In-kernel filtering can be turned on/off;
Regression testing to check the correctness of the
filter;
IP test program (ipsend) is now
included with the package to allow the administrator to send arbitrary IP
packets, or replay packet sequences at the filter;
Compacts IP header into a directly filterable form;
Three-way filtering results, allowing packets which
don't match any rule to be counted and subjected to a general policy of
denial or permission.
ipftest now supports tcpdump (3.x) binary
output files (or any such dump file generated using libpcap) as an input
source using the -P flag. (2.7.3)
Changed TCP flags to allow a TCP flag mask,
to select the flags you wish to compare against. See
examples for how this now works.
(2.7.2)
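The page refers to examples of the new flag/mask syntax without showing them. The following is an added worked example, not IP Filter's own code, modelling how a "flags" clause is compared against the flag byte of a TCP header: the bits named after the slash select which flags take part in the comparison, and within those the packet must carry exactly the bits named before the slash. The TCP bit values and letters (F S R P A U) are the standard ones; treating an omitted mask as all six of those flags is an assumption about ipf's default made for this example.

```python
# Added example, not IP Filter's own code: models how an ipf "flags" clause
# matches the flag byte of a TCP header once the syntax became
# "flags <set>/<mask>".  Bit values and letters (F S R P A U) are the standard
# TCP ones; the default mask when no "/mask" is given is ASSUMED here to be
# all six of those flags.

TCP_FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
}

# Mask applied when the rule writes only "flags S" (assumption, see above).
DEFAULT_MASK_LETTERS = "FSRPAU"


def letters_to_bits(letters):
    """Turn a flag-letter string such as 'SA' into a bitmask (SYN|ACK)."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAG_BITS:
            raise ValueError("unknown TCP flag letter %r" % ch)
        bits |= TCP_FLAG_BITS[ch]
    return bits


def parse_flags_clause(clause):
    """Parse the argument of the 'flags' keyword into (flags, mask).

    'S'    -> (SYN, FSRPAU): SYN set and every other classic flag clear.
    'S/SA' -> (SYN, SYN|ACK): SYN set, ACK clear, remaining bits ignored.
    """
    if "/" in clause:
        set_letters, mask_letters = clause.split("/", 1)
    else:
        set_letters, mask_letters = clause, DEFAULT_MASK_LETTERS
    flags = letters_to_bits(set_letters)
    mask = letters_to_bits(mask_letters)
    if flags & ~mask:
        # A flag that the mask does not compare can never be required.
        raise ValueError("flags %r not covered by mask %r" % (set_letters, mask_letters))
    return flags, mask


def flags_match(packet_flags, clause):
    """True if a TCP header's flag byte satisfies the clause.

    Only the bits selected by the mask take part in the comparison; within
    those, the packet must carry exactly the bits named before the slash.
    """
    flags, mask = parse_flags_clause(clause)
    return (packet_flags & mask) == flags


def classify(packet_flags, clauses=("S", "S/SA", "SA", "A/A", "PA")):
    """Evaluate several clauses against one flag byte, to compare their effect."""
    return {clause: flags_match(packet_flags, clause) for clause in clauses}


if __name__ == "__main__":
    # Constructed sample flag bytes, not captured traffic.
    samples = {
        "SYN":     0x02,  # opening a new connection
        "SYN|ACK": 0x12,  # second step of the handshake
        "ACK":     0x10,
        "PSH|ACK": 0x18,  # ordinary data segment
        "SYN|PSH": 0x0a,  # unusual, but shows which bits the mask ignores
    }
    for name, byte in samples.items():
        print("%-8s 0x%02x  %s" % (name, byte, classify(byte)))
    # A rule such as "block in on le0 from any to any flags S" (as used in
    # this page's "@#" example) therefore stops only connection-opening SYNs:
    # a SYN|ACK fails because ACK is inside the default mask.
```

Running the block prints one line per sample; the difference between "S" and "S/SA" shows up on the SYN|PSH sample, which "S" rejects (PSH is compared and must be clear) and "S/SA" accepts (PSH is outside the mask).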
Added return-rst to filter language for
sending back an effective error to TCP applications. Used in block rules, it causes a TCP reset (RST) to be sent to whoever sent the packet which (finally) matched this rule, causing the connection to close.
Allow for rules to be inserted into the list
using "@#" to make the rule be number # in the list. Eg:

    # ipfstat -i
    block in on le0 from me to any
    block in on le0 proto udp from any to any
    pass in on le0 from any to me
    # echo "@2 block in on le0 from any to any flags S" | ipf -f -
    # ipfstat -i
    block in log on le0 from me to any
    block in on le0 proto tcp from any to any flags S
    block in on le0 proto udp from any to any
    pass in on le0 from any to me
Added per-rule hit count (incremented every time
a packet matches against it). To examine this number, use:
    # ipfstat -hi
or
    # ipfstat -ho
Eg:

    # ipfstat -hi
    2 block in log on le0 from me to any
    122 block in on le0 proto tcp from any to any flags S
    1133 block in on le0 proto udp from any to any
    43232 pass in on le0 from any to me
Included TCP fragments which begin inside the
TCP header to the "short packet" logic.
Logging (through /dev/ipl) is now optional when
compiled.
Support for ip_dirbroadcast (SunOS 4.1) added.
Darren Reed