What's new in 5.1
=================

General
-------
* all of the tunables can now be set at any time, not just whilst disabled
  or prior to loading rules;

* group identifiers may now be a number or name (universal);

* man pages rewritten;

* tunables can now be set via ipf.conf;

Logging
-------
* ipmon.conf can now be used to generate SNMPv1 and SNMPv2 traps using
  information from log entries from the kernel;

NAT changes
-----------
* DNS proxy for the kernel that can block queries based on domain names;

* FTP proxy can be configured to limit data connections to one or many
  connections per client;

* NAT on IPv6 is now supported;

* rewrite command allows changing both the source and destination address
  in a single NAT rule;

* simple encapsulation can now be configured with ipnat.conf;

* TFTP proxy now included;

Packet Filtering
----------------
* acceptance of ICMP packets for "keep state" rules can be refined through
  the use of filtering rules;

* alternative form for writing rules using simple filtering expressions;

* CIPSO headers now recognised and analysed for filtering on DOI;

* comments can now be a part of a rule and loaded into the kernel and
  thus displayed with ipfstat;

* decapsulation rules allow filtering on inner headers, providing they
  are not encrypted;

* interface names, aside from the one the packet is on, can be present in
  filter rules;

* internally there is now a single list of filter rules; there is no
  longer an IPv4 and IPv6 list;

* rules can now be added with an expiration time, allowing for their
  automatic removal after some period of time;

* single file, ipf.conf, can now be used for both IPv4 and IPv6 rules;

* stateful filtering now allows for limits to be placed on the number
  of distinct hosts allowed per rule;

Pools
-----
* addresses added to a pool via the command line (only!) can be given
  an expiration timeout;

* destination lists are a new type of address pool, primarily for use with
  NAT rdr rules, supporting newer algorithms for target selection;

* raw whois information saved to a file can be used to populate a pool;

Solaris
-------
* use in zones with exclusive IP instances is now fully supported.

Tools
-----
* use of matching expressions allows for refining what is displayed or
  flushed;