
RELEASE NOTES

Version 5.2 (May 27th 2001)
---------------------------
Modified the rcf script and most of its functions to make them
compatible with the Linux Router Project (LRP). This involved removing
awk and perl commands, and modifying others. Several commands were
replaced by sed equivalents. Thank you very much to Laura Fairhead
for her help in re-writing the subnet_calc.sh function.

Added a link to 510-auth-servers in the public modules directory.
Restored default system umask before running fetchipac. Fixed
DMZ<->any/0 forwarding problem. Removed GATEWAY interface script
variable -- it wasn't needed/used. Fixed "Total Rules" number printed
when rcf exits - virtual interfaces caused some chains to be counted
twice. Added cross_interface_access.sh function contributed by Vladimir
Smelhaus. This function inserts a jump rule to send cross interface
packets to the destination's input chain. i.e. Packets from subnet1 to
ip2 (on the firewall's interface2) will be transferred to interface2's
input chain instead of going through interface1's input chain. This
effectively prevents the rules from one interface allowing connections
to another interface's IP. Added a WARNING to the INSTALL document about
telnet/ssh options on private interfaces when upgrading from v5.x to
5.1. Added LANG=en_EN variable to rcf script. Added a check for the
"which" binary in the main rcf script, and a function to call the binary
directly. Moved the /etc/firewall/sbin/rcf file to /sbin/rcf. Modified
/etc/rc.d/init.d/firewall script to make it Debian compatible. The
--test command line parameter now prints ipchains commands etc. to
stderr. This makes it possible to run "rcf --test 2>/tmp/commands.sh" to
create a command-only script. Added Vladimir Smelhaus' changes which
create additional chains to deny/reject private network addresses and
IANA networks. Jump rules to these chains are added to public and dmz
interfaces. Added shorter command line parameter names. You can now use
-uc instead of --update-config, etc. Use the -h parameter to see the
complete list. Used several of Dougal Holmes' suggestions to fix
duplicate and missing private<->private & mz<->mz forwarding rules.
Removed 218.0.0.0/8 from the iana reserved networks group. Updated the
010-dns-servers module to append udp rules only in strict mode (and up)
and tcp rules in paranoid mode. Added 780-ntp-clients, submitted by
Dougal Holmes, to the private services. Completely over-hauled the
install.sh screen output. Used append instead of truncate mode when
printing error messages. Removed -print parameter from find commands --
older LRP distros have a broken find which doesn't support -print.
Optimized include_groups.sh function by adding checks for filenames
within the whole option variable (instead of field by field). Added a
check for find options. If all necessary options are found, then a
quicker "security file check" is used. The home page of rcf has moved to
<http://rcf.mvlan.net/>. The archives are now stored under
<http://rcf.mvlan.net/dist/>. All the old URLs are re-directed to these
addresses automatically. Added test for a working sort. Older LRP
distros have a broken sort. Added "dots" to the display when testing
file owners and mods. Moved ToS rules to the top of output chains.
Replaced all "tr" commands by To_Upper/To_Lower functions. Added "ip
addr" and "ip route" commands to replace ifconfig/route when these
binaries aren't available. Added bitlen_to_netmask.sh function to
calculate the netmask based on the bit length. Thanks to Paolo Bonzini
<bonzini@pc-amo3.elet.polimi.it> for contributing the sed code for this
function. Updated iana-reserved-networks group and added
accept-{int}-ftppasv-ports option to limit incoming TCP connections for
local FTP servers.  Added 755-securemote-servers module. Fixed a problem
where dhcp broadcasts from clients were denied on the private interfaces.
Updated install.sh to use Red Hat's chkconfig only when found. This way,
install.sh won't generate errors on other distros. Changed
security_check.sh function to use GIDs instead of group names when
checking file owners. This fixes a problem where some LRP distros use
wheel as the group name for GID 0. Added Interface_Up function to
replace ifconfig commands in the rcf script (to validate interface
up/down status). Incorporated several module changes suggested by
Douglas Holmes. Modified the "which" function (in the rcf script) to
test for the execute bit on the output from the which binary. Just in
case the which binary sends its error output to stdout (a bug reported
in Red Hat 7.1).  Douglas Holmes fixed the accept_hostports.sh function
for clusters when declaring local ports, and changed the
Accept_Hostports INTERFACE param to INTOPT in the service_rules.sh
function. Fixed set_cluster_vars.sh function. Additional dmz/mz
interface clusters were being ignored.  Renamed the 700-dhcp-clients
module to 700-bootp-clients. Renamed the accept-{int}-ping-clients
option to accept-{int}-icmp-clients. The option will be converted
automatically and its value kept. Dougal Holmes submitted an
icmp-servers module specifically for clusters. I adapted it to control
outgoing pings and traceroute on all interfaces. The default for the
accept-{int}-icmp-servers option will be "any/0". Dougal also submitted
a new 550-whois-servers module and an update for 330-smb-hosts to
support clusters.  Added Hostports function which behaves like
Accept_Hostports, except that the first parameter is
[accept|deny|ignore]. Also modified Accept_Hostports to call this new
function. Added support for a "novirtual" keyword in the module
configuration option "#i#". This will exclude the module's options from
virtual interfaces. Most *-servers modules make use of this new keyword.
Added check for working grep in Security_Check function. Removed '#i#
cluster' from the ipsecvpn module.  Modified the set_mode_num.sh
function to check only the first letter of the mode name (upper or lower
case). This should make the function more robust to typos. Thanks to
Hugo Visser for suggesting this change. :-) Added Dougal Holmes'
Outlook/Exchange modules in /etc/firewall/modules/contrib/services/.
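
The address arithmetic behind the subnet_calc.sh rewrite and the
bitlen_to_netmask.sh function mentioned above can be done in plain shell.
This is an added example, not rcf's own code (the project's version uses
sed); it assumes a POSIX shell with $(( )) arithmetic, and the is_num helper
and the rejection of leading-zero octets are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not rcf's code. Pure POSIX shell: no awk, perl or ipcalc.

# is_num N MAX -> success if N is a plain decimal integer in 0..MAX.
# Leading zeros are rejected: "010" is 10 to some tools and octal 8 to
# others, and a firewall rule must not depend on which reading wins.
is_num() {
    case "$1" in
        ''|*[!0-9]*|0?*) return 1 ;;
    esac
    [ "${#1}" -le 3 ] && [ "$1" -le "$2" ]
}

# bitlen_to_netmask BITS -> dotted netmask, e.g. 26 -> 255.255.255.192
bitlen_to_netmask() {
    is_num "$1" 32 || return 1
    bits=$1 mask=
    for i in 1 2 3 4; do
        # Each octet takes up to 8 of the remaining prefix bits.
        if [ "$bits" -ge 8 ]; then n=8; else n=$bits; fi
        bits=$((bits - n))
        mask="${mask}${mask:+.}$((256 - (1 << (8 - n))))"
    done
    echo "$mask"
}

# subnet_calc IP/BITS -> prints "NETWORK BROADCAST NETMASK"; fails on bad input
subnet_calc() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}
    netmask=$(bitlen_to_netmask "${1#*/}") || return 1
    # Only digits and dots, and no trailing dot (field splitting would hide it).
    case "$ip" in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip $netmask          # $1..$4 = address octets, $5..$8 = mask octets
    IFS=$old_ifs
    [ $# -eq 8 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        is_num "$o" 255 || return 1
    done
    net="$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
    bcast="$(($1 | (255 - $5))).$(($2 | (255 - $6)))"
    bcast="$bcast.$(($3 | (255 - $7))).$(($4 | (255 - $8)))"
    echo "$net $bcast $netmask"
}

# Constructed sample: a host address on a /26.
subnet_calc 192.168.10.77/26   # -> 192.168.10.64 192.168.10.127 255.255.255.192
```

A non-zero status from subnet_calc should stop rule generation for that
interface rather than fall through with an empty network value.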

Version 5.1 (March 6th 2001)
----------------------------
In summary, version 5.1 adds a "paranoid" mode (full control of outgoing
packets), support for non-masq'ed DMZs (subnet with public IPs) and MZs.
Anti-spoofing rules were improved slightly. Many new services were added
for public, dmz, and mz interfaces/networks. Added support for server
groups within option values. Also fixed support for virtual interfaces.
Renamed distribution from rc.firewall to rcf.

Updated man pages and documentation to reflect the new mailing list and
web server domain (dyndns.org -> mvlan.net). Added fetchipac command to
save ip accounting data before flushing ipchains rules (thanks to Edwin 
for noticing this one). Moved the /etc/firewall-modules/ directory to 
/etc/firewall/modules/. Added Robert Winder's Quake3 modules for online
gaming and port forwarding. Added support for option "groups" -- text 
files can be created under /etc/firewall/groups/ and used in option
values. See the firewall-groups man page for further details. Removed
double-quotes from configuration values. Option names are also right-
justified based on the longest option in the "set". This makes it easier
to find an option visually. Added dmz-interfaces and dmz-{pub}-clusters
options. Added deny-{pub}-iana-networks option. This option's value 
should be verified once or twice per year. Moved rules for illegal/
malformed addresses BEFORE services are added. The only exceptions are
private network addresses which are blocked after the DHCP client rules
are added (some ISPs use private addresses on their network). Fixed a
problem where rc.firewall would find two or more network addresses for
an interface. Replaced the INTERFACE parameter to the Accept_Hostport
function by [local|remote]. Removed the INTERFACE parameter from the
Forward_Hostports function. It wasn't really necessary and caused
problems with the new DMZ code. The INTERFACE variable in all modules
has been renamed to INTOPT (necessary to support DMZ clusters). Added the
accept-{pub}-dns-servers option. Don't forget to review the accept-
{pub}-dns-servers option. If you have a DNS on your firewall, you'll
have to set your public interface's option to "any/0". If you use your
ISP's DNS, you can enter its IP address here instead. If the DNS
doesn't support recursive lookups (unlikely), you'll have to use
"any/0". Renamed the mode option to public-interfaces-security. Added
the "paranoid" value for public-interfaces-security. Added the 110-http-
servers, 115-https-servers, and 120-smtp-servers modules -- their
options will be added to the configuration file automatically when
running in paranoid mode. Relaxed mode has been opened-up a little more.
Outgoing UDP and incoming UDP to high ports is now allowed. Added the 
accept-{pub}-icqdirect-servers option. Moved iana-reserved-networks 
option values into a group file. Added the --show-config command line 
parameter. Fixed problem where a multicast route would be added even 
if one already existed (generating an error message). Virtual interface
chains are now linked against the real interface. Linux routing does not
seem to use virtual interfaces - this caused all virtual interface 
chains to be ignored. Added the 520-ftp-servers and 315-ftppasv-servers
modules. The FAQ text file has been replaced by an html version. Removed
the enable-{pri}-masq-network option and added forward-{pub}-masq-
networks. This option contains a list of IP addresses (or networks) 
which are masqueraded when passing through the interface. Fixed network 
detection for private interface access. RCF was looking for gateway 
information in the routing table for the local subnet. Made changes to
the firewall startup script (/etc/rc.d/init.d/firewall under Red Hat) to
make it compatible with Debian. Moved the /etc/rc.d/rc.firewall script 
to /etc/firewall/sbin/rcf. A symbolic link will be created in its
place. Again, this is to make RCF more compatible with other 
distributions. Added 410-wmstream-servers, 790-time-servers, and 
920-irc-servers modules (used in paranoid mode only). Moved masquerading
and forwarding rules before private/public interface rules. If your DNS 
is located on another LAN server, this solves DNS lookup problems when 
executing RCF. Added private-interfaces-security, dmz-interfaces-
security, mz-interfaces-security, dmz-clusters-security, and mz-
clusters-security options. Moved-up group file insertion to include 
interface options. Moved most public modules into the common directory 
and created symlinks to replace them. Updated the description of several
modules -- thanks to Edwin for the updates. Modified several *-servers
modules to use the Accept_Hostports function and/or fixed the rules for
cluster compatibility. Moved most functions into separate files under
/etc/functions. Added the --functions command line parameter. Added
additional accept-{int}-masq-networks options for private/dmz/mz
interfaces. This allows the masquerading of specific ips/subnets on
private interfaces. Added options to forward ports on private/dmz/mz
interfaces. The accept-{int}-tcp-hostports and accept-{int}-udp-
hostports options have also been expanded to include private/dmz/mz 
interfaces. Also added standard README/CHANGES header to function files.
Added Device_Subnets function to return all networks and netmasks routed
through an interface. Added Forward_Interfaces function to allow 
forwarding between two interfaces. Modified the Subnet_Calc function to 
use the ipcalc binary if it's available, otherwise it will fall back to
perl. Included many syntax changes recommended by Edwin to make rcf 
compatible with the LRP distro. The forward-{pub}-masq-networks option 
will only include private interface networks when creating a new 
configuration file. Improved the execution speed of config_modules.sh a
little bit (used in --update-config).

Version 5.0.1 (November 7th 2000)
---------------------------------
Added an "install.sh" for users of the tarball. The archives have also
been renamed from rc.firewall-[version] to rcf-[version]. Improved the
Security_Check function's speed. Sorted module options in configuration
file. Removed global allow of incoming packets on SSHPORTS when accept-
{pub}-ssh-clients option was used. Added accept-{pub}-imap2-servers and
accept-{pub}-nfs-servers options. Petr Prazak suggested an improvement
to the behavior of forward-{pub}-[prot]-hostports to add local->remote
port matching. Added accept-{pub}-ssh-servers option. Added ignore-
{pub}-auth-clients and deny-{pub}-auth-clients options. Renamed the 
accept-{pub}-icqfiletrans-[clients|ports] to accept-{pub}-icqdirect-
[hosts|ports]. Added code to convert old option names automatically.
Also changed the code which assigned default option values. Instead of
assigning defaults when a new configuration file is created, defaults
will be assigned if the option does not already exist. Renamed the 
block-high-ports and strict-mode module sub-directories to block-local-
ports and block-remote-ports. Added a 'mode check' to several modules.
This prevents the accept-{pub}-telnet-servers option (for example) from
being included in the configuration file in relaxed mode -- it's only
necessary in strict mode. Added a check to make sure we have a valid 
network IP before blocking ICMP Smurf attacks (ICMP to/from network IP).
Made a few other changes in preparation for v5.1 which will include a
'paranoid' mode. Added rules to forward private networks between all 
private interfaces. Added perl function to calculate network and 
broadcast IPs if necessary.

Version 5.0 (October 23rd 2000)
-------------------------------
Many thanks to Edwin ten Brink for all his useful suggestions, bug
reports, SMB rules, and FAQ. The big news for v5.0 is that rc.firewall 
supports DMZs and all services have been modularized! This means you 
can have multiple public IPs and setup different rules and forwarding 
for each. Services can also be easily prioritized, installed and/or
upgraded. Added a security_checks function to verify the PATH variable,
file owners/mods, and locate essential system utilities. Warnings have 
been added for missing kernel functionality (tcp syn cookies, tcp/ip 
address hacking, ip defrag, etc.). Added the --config command line 
parameter to specify an alternate configuration file. The --modules 
parameter also lets you specify an alternate path for the modules 
directory. The --nosecurity-file-check parameter will skip file owner 
and mod checks. I also added a few IPv4 configuration file checks (Edwin
found quite a few of these): accept_redirects, accept_source_route,
bootp_relay, proxy_arp, log_martians, icmp_echo_ignore_all,
icmp_echo_ignore_broadcasts, icmp_ignore_bogus_error_responses, and tcp_rfc1337.
icmp_echoreply_rate is set to 100. In a ping-flood, 98% of packets will
be dropped. Normal pings work just fine. Also added a check for
icmp_destunreach_rate, icmp_paramprob_rate, and icmp_timeexceed_rate which
should already be set to 100. Renamed all internal/external options and
variables to private/public. Removed Half-Life game option which didn't
work. Added the ignore-{pubint}-blacklist-hosts, ignore-{pubint}-smb-
hosts, ignore-{pubint}-http-clients, ignore-{pubint}-https-clients,
ignore-{pubint}-smtp-clients, ignore-{pubint}-who-clients, ignore-
{pubint}-who-clients, accept-{pubint}-napster-hosts, accept-{pubint}-
irc-clients, enable-{pubint}-masq-network, accept-{pubint}-syslog-
clients, and accept-{pubint}-printer-clients options. Renamed the
ip-masq-timeout and ip-masq-module to ip-masq-timeouts and ip-masq-
modules. Improved loopback IP spoofing security. Added rules to deny 
connections to port 33270 on the internal interfaces. This port is used
by the Trinity v3 DoS Tool to install a root-shell. The internal 
interface rules were tightened-up a few versions back to accept only 
traffic to/from pertinent sub-nets. This broke DHCP servers since most 
of the traffic is broadcast based. I've added a new enable-{privint}-
dhcp-clients option to open-up this access. Fixed a bug which prevented 
logging rejected/denied packets on the internal interfaces. Moved the 
configuration file to /etc/firewall.conf. The firewall no longer
re-writes its configuration file every time it's executed. You'll have to
use the --update-config command line parameter instead. Once updated, 
the script will terminate without implementing any rules. You'll have to
use this parameter whenever you upgrade the script or remove/add 
interfaces (config options are based on the interface names) and 
modules. Added code to populate private and public interface options 
when a new configuration file is created. Removed default values for 
services when creating a new config file. Changed all configuration 
options to lower case. The command line and config options are now 
identical except for the "--" prefix on the command line. Added
--accept-all command line parameter. This changes the input, output, and
forwarding policies to accept. The only chains created will be for ip 
accounting. Re-arranged rules for better performance (frequently used 
are top-most). Changed service blocks to test for strict mode before 
selecting interface names. This should increase execution speed in 
relaxed mode. Moved FTP passive rules to lowest level. These open all 
high-ports (if used) and could have over-ridden other denied ports. 
Added a specific rule to block TCP connects on port 33270. This
prevents the FTP passive rules from making it available. The Trinity v3 
DoS tool installs a root-shell on this port. Added support for MySQL and
Virtual Tunnel (VTUN). Fixed typo in ENABLE_MULTICAST variable check. 
Added a Type of Service (ToS) flag for IRC. Added a --mode parameter
which accepts 'relaxed' or 'strict' values. The --debug parameter can
also accept 'yes' and 'no' values (--debug alone also works).
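
A sketch of the file-owner, file-mode and PATH checks that the
security_checks entry above describes, using the numeric-ID comparison that
version 5.2 later adopted. This is an added example, not rcf's own code; the
function names, the particular PATH tests and the 0:0 default are
assumptions.

```shell
#!/bin/sh
# Added example, not rcf's code: ownership, mode and PATH checks in the spirit
# of the changelog entries, comparing numeric IDs rather than names.

# insecure_files DIR UID GID
# Prints every entry under DIR that is not owned by UID:GID, or that is
# writable by group or other. Symlinks are exempt from the mode test because
# their own mode bits are not what grants access. One find call covers the
# whole tree.
insecure_files() {
    dir=$1
    case "$dir" in /*|./*) ;; *) dir=./$dir ;; esac  # never parsed as an option
    find "$dir" \( ! -user "$2" -o ! -group "$3" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print
}

# security_check DIR [UID [GID]] -> status 0 only if nothing is flagged.
# Defaults to 0:0, so GID 0 passes whether the distro names it root or wheel.
security_check() {
    bad=$(insecure_files "$1" "${2:-0}" "${3:-0}") || return 2
    [ -z "$bad" ] && return 0
    echo "insecure ownership or mode:" >&2
    echo "$bad" >&2
    return 1
}

# loose_mode DIR -> success if DIR (symlinks resolved) is group/other writable
loose_mode() {
    [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# path_problems PATHSTRING
# Prints each PATH entry that could let an unprivileged user plant a binary
# ahead of the real one: empty or relative entries (both resolve against the
# current directory) and directories writable by group or other.
path_problems() {
    case "$1" in
        ''|:*|*:|*::*) echo "(empty entry)" ;;
    esac
    old_ifs=$IFS; IFS=:
    set -f; set -- $1; set +f
    IFS=$old_ifs
    for p in "$@"; do
        case "$p" in
            '') ;;                                   # reported above
            /*) [ -d "$p" ] && loose_mode "$p" && echo "$p" ;;
            *)  echo "$p" ;;
        esac
    done
    return 0
}

# Report on the PATH this script was started with.
path_problems "$PATH"
```

A script that loads rules as root would run both checks before sourcing any
configuration or module file, and stop on a non-zero status.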

Version 4.1 (September 12th 2000)
---------------------------------
Added ACCEPT_EXT_CVSPSERVER_CLIENTS variable to support the CVS pserver 
(port 2401). Noel sent me a link to a security advisory for the Trinity 
v3 Denial of Service tool <http://xforce.iss.net/alerts/advise59.php>.
There are two parts to this "trojan". The first connects to several IRC
servers on port 6667 and waits for commands. These commands will trigger
DoS attacks directed at other servers. The second issue is a root shell 
which installs itself on port 33270 of the local machine and waits for 
connections. The standard firewall rules will protect against any such 
connections from the internet (though not from your internal LAN). 
Outgoing connections to the affected IRC servers on port 6667 have been 
blocked in strict mode. Edwin ten Brink sent me several suggestions: IP 
defragmentation will be enabled when the
/proc/sys/net/ipv4/ip_always_defrag file is found. Added a check for the
/proc/sys/net/ipv4/ip_dynaddr
file before enabling Dynamic TCP/IP Address Hacking. And a few other 
cosmetic changes. :-) Rick Macdougall described a problem with changing 
interface names. I've added the --ext-interfaces and --int-interfaces 
command line variables to solve this problem. Added support for an 
external script to add custom rules. The script must be named 
"rc.firewall.custom-ports" and located in the same directory as 
rc.firewall. The contents should follow the syntax already established 
in the rc.firewall script. It will be INCLUDED in the running script 
just before the high-port rules are implemented.

Version 4.0 (September 3rd 2000)
--------------------------------
Enhanced some of the configuration descriptions. Removed 217.0.0.0/8 
from the reserved IANA addresses (now assigned to RIPE NCC Europe). 
Added 36.0.0.0/8 (formerly Stanford University), 59.0.0.0/8, and a few 
others to the reserved IANA address list. Fixed syntax of internal 
variable names to handle virtual interfaces. Renamed the 
ACCEPT_EXT_PROXY_PORT variable to ACCEPT_EXT_PROXY_PORTS and added code 
to handle multiple port entries. Changed imap2, route, and ospf entries 
to their numerical equivalent. This fixes a compatibility problem with 
Suse 6.4 that Andreas Grau reported. At the suggestion of Thomas Tschoepke
S., I added support for ICQ file transfers (see the 
ACCEPT_EXT_ICQFILETRANS_CLIENTS and ACCEPT_EXT_ICQFILETRANS_PORTS
variables). Jeremy Higgs suggested adding ICP support for Squid which 
is available under the ACCEPT_EXT_SQUIDICP_SERVERS variable. Fixed 
detection of ipmasqadm binary which reported an error even if it wasn't 
needed. Fixed typo in LOG_DENIED_DHCP_INPUT parsing. Renamed 
FORWARD_UDP_PORTS and FORWARD_TCP_PORTS variables to include interface 
type. Added ACCEPT_EXT_UDP_HOSTPORTS and ACCEPT_EXT_TCP_HOSTPORTS 
variables to accept connections on misc ports. Vladimir Smelhaus sent me
a patch to check if an interface is up or down before using it. This 
way, the firewall script can be run before and after dial-up connections
are made. Michael Neuffer reported a problem when routing multiple 
subnets through the private LAN interface. These subnets were being 
blocked by the firewall since it ignored routing information. The 
firewall script will now examine routing tables and open access to all 
subnets routed through internal interfaces. Added support for 
Battle.net, DirectX games, Unreal Tournament and Half-Life.

Version 3.3 (July 18th 2000)
----------------------------
Holger Lubitz e-mailed me to suggest I shorten the input/output chain 
names to allow 6 char. interfaces instead of just 4. He also pointed out
a small typo in the SSH rules -- all the ports were open for TCP replies
instead of just high ports. Rene Beaulieu requested support for the 
SIMAP and SPOP3 services.

Version 3.2 (July 2nd 2000)
---------------------------
Greg Thomsen sent me a patch to create separate input and output chains
for each interface. I've incorporated his changes with a few tweaks of
my own. You can see the results by using the "ipchains -L -n" command. 
Troy Dack also sent me a bug report on the port forwarding function. The
forwarding rules were being flushed for each execution of the function 
(ack!). A variable would also retain its value between calls and this
would screw-up some of the host/port parsing. Wagar Malik also 
contributed an input/output rule for an IPSec VPN to enable key 
exchange. Rop Slijkerman pointed out a typo in the OSPF Multicast 
filtering. Instead of denying, the rule was set to accept.

An interesting tidbit: Version 3.1 was posted on freshmeat.net and
generated 1800 hits in just 24 hours!

Version 3.1
-----------
Fixed the ALLOW_EXT_DNS_CLIENTS variable to allow UDP queries from 
external clients. Previous versions only allowed TCP traffic for zone 
transfers.

Version 3.0
-----------
Added the ACCEPT_EXT_IPSEC_VPN_HOSTS variable. Port 500 UDP input and 
output is opened for these hosts. Removed DNS_QUERY_SOURCE_PORT variable
which blocked nslookups on external DNS servers. Also added the 
FORWARD_UDP_PORTS and FORWARD_TCP_PORTS variables. Renamed the
ACCEPT_EXT_JUNKBUSTER_CLIENTS variable to ACCEPT_EXT_PROXY_CLIENTS. Also
added the ACCEPT_EXT_PROXY_PORT variable since not all proxies use the 
same port. The old variable will be converted automatically. Increased 
logging when using debug mode. The level of logging should resemble a 
tcpdump, so using grep will become necessary. :-)  Also changed the use 
of command line variables. Instead of over-riding the configured value,
it will add to it. Added the --test command line parameter. Enabled 
multiple entries in the INT_INTERFACES and EXT_INTERFACES.

Version 2.5
-----------
Added --debug command line parameter. Renamed DEBUG_MODE variable to 
simply DEBUG. Added the DNS_QUERY_SOURCE_PORT variable.

Version 2.4.2
-------------
Added DEBUG_MODE variable.

Version 2.4.1
-------------
Added an accept for incoming packets from the NTP server's port 123 to 
our High Ports.

Version 2.4
-----------
Added the DENY_EXT_BLACKLIST_HOSTS variable to deny access to ALL 
external services.

Version 2.3
-----------
Added ACCEPT_EXT_NFS_CLIENTS, ACCEPT_EXT_SMB_CLIENTS (unfinished), and 
ACCEPT_EXT_ICQ_SERVERS variables. Removed "catch all" rule (inherited 
from David Ranch's script) which allowed incoming UDP traffic on high 
ports.

Version 2.2.1
-------------
Changed the name of functions. Oddly enough, someone reported an 
"invalid identifier" related to the function names.

Version 2.2
-----------
Added the DENY_EXT_HTTPS_CLIENTS, ACCEPT_EXT_JUNKBUSTER_CLIENTS and 
LOG_DENIED_DHCP_INPUT variables.

Version 2.1
-----------
A friend who also uses a caching DNS was having problems resolving 
hostnames. It turns out an option in my named.conf defined a specific 
source port, but the standard install doesn't. I've changed the outgoing
DNS rules to allow any source port on UDP output and reply traffic.

Version 2.0
-----------
Removed the configuration variables from the script. When running 
rc.firewall for the first time, it will create an rc.firewall.conf file 
in the same directory (probably /etc/rc.d). You should edit this 
configuration file and make the necessary changes for your environment. 
This file is over-written (keeping your settings) every time rc.firewall
is executed. This means that as variables are added in future versions, 
they'll appear (without values) in your configuration file. Also added 
the DENY_EXT_SMTP_CLIENTS and DENY_EXT_HTTP_CLIENTS variables.

Version 1.5
-----------
Added ACCEPT_EXT_SYSLOG_SERVERS and ACCEPT_EXT_PRINTER_SERVERS. Entering
hostnames in these variables will enable outgoing syslog messages and 
print jobs.

Version 1.4
-----------
Denied SMB packets coming from external subnet WITHOUT logging. On a 
Windows network, the default rules would quickly fill-up syslog files. 
Removed logging from incoming multicast packets.

Version 1.3.3
-------------
SYN cookie protection used /proc/sys/net/ipv4/tcp_cookies, but the 
actual file is tcp_syncookies. Thanks to Jussi Torhonen for catching 
that one. Also added a note in the setup instructions about saving 
ipchains syslog messages.

Version 1.3.2
-------------
Added ACCEPT_EXT_FTPACTV_SERVERS variable and rules to fix outgoing FTP 
(active) data connections. Created a firewall mailing list at 
firewall@jsm-mv.dyndns.org.

Version 1.3.1
-------------
Added support for outgoing SSH from ports 513->1023. These source ports 
are used when SSH is suid, otherwise source ports are 1024+.

Version 1.3
-----------
Changed most displayed text - should be a little more readable to users 
without firewall knowledge. Also added several rules to reject outgoing
traffic in "strict" mode (systat, netstat, chargen, exec, login, shell, 
talk, etc.).

Version 1.2.1, March 3rd 2000
-----------------------------
Added the ACCEPT_EXT_MULTICAST_IGMP_SERVERS variable which allows IGMP 
Multicast input. This is used by some cable providers as a "keep alive".

Version 1.1, March 2nd 2000
---------------------------
Opened output of Fragmentation Needed ICMP (Type 3) sub-type. Fixed typo
in variable name which left NTP ports closed. Completed the section 
needed to open incoming ping.

Version 1.0, March 1st 2000
---------------------------
First public release.

