2014-11-04 - Supported Release 1.2.0

Summary

This release has a number of new features and bugfixes, including rule inversion, future parser support, improved EL7 support, and the ability to purge ip6tables rules.
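As an added illustration of two of these features (not code from the module's changelog or README), the manifest below purges unmanaged ip6tables rules from the INPUT chain and uses rule inversion (a leading `! `) to drop IPv6 SSH from everything outside a management prefix. The prefixes, rule names and the `ignore` pattern are constructed for the example.

```puppet
# Constructed example. Keep the ip6tables INPUT chain fully managed: any rule
# Puppet does not know about is removed on the next run, except lines matching
# the 'ignore' regexes (here a hypothetical chain owned by another tool).
firewallchain { 'INPUT:filter:IPv6':
  ensure => present,
  purge  => true,
  ignore => [
    '-j fail2ban-.*',
  ],
}

# Allow SSH from the management network only (RFC 3849 documentation prefix).
firewall { '010 accept v6 ssh from management net':
  provider => 'ip6tables',
  chain    => 'INPUT',
  proto    => 'tcp',
  dport    => '22',
  source   => '2001:db8:100::/64',
  action   => 'accept',
}

# Rule inversion: '! ' in front of the value negates the match, so this rule
# applies to every source that is NOT the management prefix.
firewall { '011 drop v6 ssh from anywhere else':
  provider => 'ip6tables',
  chain    => 'INPUT',
  proto    => 'tcp',
  dport    => '22',
  source   => '! 2001:db8:100::/64',
  action   => 'drop',
}
```

Purging is the part worth checking on a real host first: run the agent with `--noop` and read the planned removals, because anything inserted by hand or by another tool that is not covered by `ignore` will be deleted.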

Features

Bugfixes

2014-07-08 - Supported Release 1.1.3

Summary

This is a supported release with test coverage enhancements.

Bugfixes

2014-06-04 - Release 1.1.2

Summary

This is a release of the code previously released as 1.1.1, with updated metadata.

2014-05-16 Release 1.1.1

Summary

This release reverts the alphabetical ordering of 1.1.0. We found this caused a regression in the Openstack modules so in the interest of safety we have removed this for now.

2014-05-13 Release 1.1.0

Summary

This release has a significant change from previous releases; we now apply the firewall resources alphabetically by default, removing the need to create pre and post classes just to enforce ordering. It only affects default ordering; further information can be found in the README. Please test this in development before rolling into production out of an abundance of caution.

We've also added mask, which is required for --recent in recent (no pun intended) versions of iptables, as well as connlimit and connmark. This release has been validated against Ubuntu 14.04 and RHEL7 and should be fully working on those platforms.
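The following manifest is an added example (not from the changelog or the module's own documentation) showing how `recent` with `mask` and `connlimit` fit together to slow down SSH password guessing and cap concurrent HTTP connections. Thresholds and rule names are constructed; `connmark` is not covered here.

```puppet
# Constructed example. Since 1.1.0 rules are applied in alphabetical order of
# their titles, so the numeric prefixes alone give the ordering we need.

# Record every new SSH connection attempt in the 'SSH' recent list, keyed by
# source address. 'mask' is the parameter added in 1.1.0; newer iptables
# requires it with --recent, and a /32 mask means one entry per host.
firewall { '100 ssh recent set':
  chain   => 'INPUT',
  proto   => 'tcp',
  dport   => '22',
  state   => ['NEW'],
  recent  => 'set',
  rname   => 'SSH',
  rsource => true,
  mask    => '255.255.255.255',
}

# Drop a source that has made more than 4 new attempts within 60 seconds.
# 'update' refreshes the timestamp on each hit, so a host that keeps
# hammering stays blocked until it backs off for a full minute.
firewall { '101 ssh recent update drop':
  chain     => 'INPUT',
  proto     => 'tcp',
  dport     => '22',
  state     => ['NEW'],
  recent    => 'update',
  rseconds  => 60,
  rhitcount => 4,
  rname     => 'SSH',
  rsource   => true,
  mask      => '255.255.255.255',
  action    => 'drop',
}

# connlimit: reject a /24 that holds more than 50 simultaneous HTTP
# connections. Grouping by /24 rather than /32 blunts attackers who spread
# connections across a small block of addresses.
firewall { '200 limit http connections per /24':
  chain           => 'INPUT',
  proto           => 'tcp',
  dport           => '80',
  connlimit_above => 50,
  connlimit_mask  => 24,
  action          => 'reject',
}
```

Note that rule 100 has no `action`, so it only records the hit and falls through; the actual accept for SSH (from a pre class or a later rule) must come after 101 alphabetically, otherwise the drop is never reached.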

Features

Bugfixes

Known Bugs

2014-03-04 Supported Release 1.0.2

Summary

This is a supported release. This release removes a testing symlink that can cause trouble on systems where /var is on a separate filesystem from the modulepath.

Features

Bugfixes

Known Bugs

2014-03-04 - Supported Release 1.0.1

Summary

An important bugfix was made to the offset calculation for unmanaged rules to handle rules with 9000+ in the name.

Features

Bugfixes

Known Bugs

1.0.0 - 2014-02-11

No changes, just renumbering to 1.0.0.

0.5.0 - 2014-02-10

Summary

This is a bigger release that brings in “recent” connection limiting (think “port knocking”), firewall chain purging on a per-chain/per-table basis, and support for a few other use cases. This release also fixes a major bug which could cause modifications to the wrong rules when unmanaged rules are present.

New Features

Bugfixes

0.4.2 - 2013-09-10

Another attempt to fix the packaging issue. We think we understand exactly what is failing and this should work properly for the first time.


0.4.1 - 2013-08-09

Bugfix release to fix a packaging issue that may have caused puppet module install commands to fail.


0.4.0 - 2013-07-11

This release adds support for address type, src/dest ip ranges, and adds additional testing and bugfixes.

Features

Bugfixes


0.3.1 - 2013/6/10

This minor release provides some bugfixes and additional tests.

Changes


0.3.0 - 2013/4/25

This release introduces support for Arch Linux and extends support for Fedora 15 and up. There are also lots of bugs fixed and improved testing to prevent regressions.

Changes

0.2.1 - 2012/3/13

This maintenance release introduces the new README layout, and fixes a bug with iptables_persistent_version.

Changes

0.2.0 - 2012/3/3

This release introduces automatic persistence, removing the need for the previous manual dependency requirement for persisting the running rules to the OS persistence file.

Previously you would have required the following in your site.pp (or some other global location):

# Always persist firewall rules
exec { 'persist-firewall':
  command     => $operatingsystem ? {
    'debian'          => '/sbin/iptables-save > /etc/iptables/rules.v4',
    /(RedHat|CentOS)/ => '/sbin/iptables-save > /etc/sysconfig/iptables',
  },
  refreshonly => true,
}
Firewall {
  notify  => Exec['persist-firewall'],
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}
Firewallchain {
  notify  => Exec['persist-firewall'],
}
resources { "firewall":
  purge => true
}

You only need:

class { 'firewall': }
Firewall {
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}

This installs the prerequisites and creates the dependencies on your pre and post rules. Consult the README for more information.
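The snippet above refers to `my_fw::pre` and `my_fw::post` without defining them. As an added example (not the changelog's own code), here is one way to write those two classes so that the baseline rules land first and the final drop lands last, with the class names taken from the snippet and the rule titles constructed for the example.

```puppet
# Constructed example of the pre/post classes referenced by the
# Firewall { before => ..., require => ... } default above.

class my_fw::pre {
  # The global default makes every firewall resource require this class;
  # rules inside the class itself must not, or Puppet reports a dependency
  # cycle. Clearing 'require' here breaks that cycle.
  Firewall { require => undef, }

  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  # Inverted interface match: traffic for 127.0.0.0/8 that did not arrive on
  # the loopback interface is spoofed and is rejected.
  firewall { '002 reject local traffic not on loopback interface':
    iniface     => '! lo',
    proto       => 'all',
    destination => '127.0.0.1/8',
    action      => 'reject',
  }
  firewall { '003 accept related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
}

class my_fw::post {
  # Same reasoning as above, for the 'before' default: the drop-all rule
  # cannot come before the class it lives in.
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}
```

With these classes in place, every other `firewall` resource in the catalog is applied after the pre rules and before the final drop, regardless of which module or class declares it.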

Changes

0.1.1 - 2012/2/28

This release primarily fixes changing parameters in 3.x.

Changes

0.1.0 - 2012/2/24

This release is somewhat belated, so no summary as there are far too many changes this time around. Hopefully we won't fall this far behind again :-).

Changes

0.0.4 - 2011/12/05

This release adds two new parameters, 'uid' and 'gid'. As a part of the owner module, these params allow you to specify a uid, username, gid, or group for a match:

firewall { '497 match uid':
  port => '123',
  proto => 'mangle',
  chain => 'OUTPUT',
  action => 'drop',
  uid => '123'
}

This release also adds value munging for the 'log_level', 'source', and 'destination' parameters. The 'source' and 'destination' now support hostnames:

firewall { '498 accept from puppetlabs.com':
  port => '123',
  proto => 'tcp',
  source => 'puppetlabs.com',
  action => 'accept'
}

The 'log_level' parameter now supports using log level names, such as 'warn', 'debug', and 'panic':

firewall { '499 logging':
  port => '123',
  proto => 'udp',
  log_level => 'debug',
  action => 'drop'
}

Additional changes include iptables and ip6tables version facts, general whitespace cleanup, and adding additional unit tests.
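As an added example that combines the three features from this release (not code from the changelog), the pair of rules below logs and then drops outbound SMTP from one unprivileged uid, using a named `log_level`. The uid, prefix and rule titles are constructed.

```puppet
# Constructed example. The owner match (uid/gid) is only valid in chains
# that see locally generated packets, which is why both rules sit in OUTPUT.

# First rule: log the attempt. LOG is a non-terminating target, so the
# packet continues to the next rule.
firewall { '100 log outbound smtp from uid 1000':
  chain      => 'OUTPUT',
  proto      => 'tcp',
  dport      => '25',
  uid        => '1000',
  jump       => 'LOG',
  log_prefix => 'FW-SMTP-UID: ',
  log_level  => 'warn',   # level name rather than a number, as of 0.0.4
}

# Second rule: same match, terminating action.
firewall { '101 drop outbound smtp from uid 1000':
  chain  => 'OUTPUT',
  proto  => 'tcp',
  dport  => '25',
  uid    => '1000',
  action => 'drop',
}
```

A caveat for the hostname support in `source` and `destination`: iptables resolves the name when the rule is inserted and stores only the resulting address, so a later DNS change is not reflected until the rule is re-applied; for anything security-critical, prefer an address or prefix.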

Changes

0.0.3 - 2011/11/12

This release introduces a new parameter 'port' which allows you to set both source and destination ports for a match:

firewall { "500 allow NTP requests":
  port => "123",
  proto => "udp",
  action => "accept",
}

We also have the limit parameter finally working:

firewall { "500 limit HTTP requests":
  dport => 80,
  proto => tcp,
  limit => "60/sec",
  burst => 30,
  action => accept,
}

State ordering has been fixed now, and more characters are allowed in the namevar.

Changes

0.0.2 - 2011/10/26

This is largely a maintenance and cleanup release, but includes the ability to specify ranges of ports in the sport/dport parameter:

firewall { "500 allow port range":
  dport => ["3000-3030","5000-5050"],
  sport => ["1024-65535"],
  action => "accept",
}

Changes

0.0.1 - 2011/10/18

Initial release.

Changes