Releases: friendly-bits/geoblocker-bash

v0.8.7.0

21 Nov 04:59

This is a big release. The main change is complete ipv6 support across all scripts.

Most scripts have seen many changes, and a new script has been added: detect-local-subnets-AIO.sh. The new script implements proper detection of local subnets, which is needed to avoid blocking the local area network when installing the suite in whitelist mode.
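As an added illustration of the problem that script solves (this is example code, not the suite's own detect-local-subnets-AIO.sh): derive the IPv4 networks a host sits on from `ip -o -4 addr show` output, so that a whitelist-mode rule set can exempt them before everything else is dropped. It assumes the iproute2 one-line output format (`N: IFACE inet A.B.C.D/P ...`), covers IPv4 only, and runs over a constructed sample so it works offline; on a real host you would pipe `ip -o -4 addr show` into it.

```shell
#!/bin/sh
# Added example, not the project's code: compute local IPv4 subnets from
# `ip -o -4 addr show` output. Assumes the iproute2 format
# "N: IFACE inet A.B.C.D/P ...". Loopback and link-local are skipped,
# duplicates (several addresses in one subnet) are printed once.

# local_ipv4_subnets: read `ip -o -4 addr` lines on stdin, print one
# unique network/prefix per line. awk only, no bitwise ops needed:
# the network address is the address rounded down to a multiple of 2^(32-prefix).
local_ipv4_subnets() {
    awk '
    $3 == "inet" {
        split($4, a, "/"); prefix = a[2] + 0
        if (prefix < 1 || prefix > 32) next
        split(a[1], o, ".")
        if (o[1] == 127) next                        # loopback
        if (o[1] == 169 && o[2] == 254) next         # link-local
        ip = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        hostbits = 2 ^ (32 - prefix)
        net = int(ip / hostbits) * hostbits
        n4 = net % 256; net = int(net / 256)
        n3 = net % 256; net = int(net / 256)
        n2 = net % 256; n1 = int(net / 256)
        cidr = n1 "." n2 "." n3 "." n4 "/" prefix
        if (!(cidr in seen)) { seen[cidr] = 1; print cidr }
    }'
}

# Constructed sample of `ip -o -4 addr show` output (not captured from a real host).
sample_ip_addr_output='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.11/24 brd 192.168.1.255 scope global secondary eth0\       valid_lft forever preferred_lft forever
3: wg0    inet 10.8.0.5/22 scope global wg0\       valid_lft forever preferred_lft forever
4: eth1    inet 169.254.33.7/16 brd 169.254.255.255 scope link eth1\       valid_lft forever preferred_lft forever'

# demo_subnets: run the parser over the constructed sample.
# On a live system use: ip -o -4 addr show | local_ipv4_subnets
demo_subnets() {
    printf '%s\n' "$sample_ip_addr_output" | local_ipv4_subnets
}

demo_subnets
```

The sample yields `192.168.1.0/24` and `10.8.0.0/22`; the loopback and link-local entries are dropped, and the secondary address on eth0 does not produce a second line. Those two prefixes are what a whitelist-mode install would need to accept before the country-based drop rule.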

Additional compatibility improvements have been made, which remove the dependency on the jq utility and reduce the dependency on specific flavors of some other utilities, including ps, grep and sed. So at this point the suite requires very little effort to install on embedded distributions such as OpenWRT.

The one script which has gone through more changes than the others is the *fetch script, which was almost entirely re-written. Support for fetching directly from the registries' servers has been removed because it turned out to be unreliable. Instead, support for fetching from the RIPE API has been re-implemented, and support for fetching from ipdeny has been implemented from scratch. The RIPE source is used by default, while ipdeny is now an optional source which is configurable during installation with the -u ipdeny option.

Full Changelog: v0.8.6.5...v0.8.7.0

v0.8.6.5

21 Oct 02:38
cd68ec2

This is mostly a maintenance release.

Lots of minor code style improvements, code cleanup, closer integration of shellcheck into the workflow, and some fairly minor performance improvements which should be noticeable on slow CPUs but won't make much difference on fast (a.k.a. x86) CPUs. Some improvements to the console and error messages. And a lot of documentation updates.

The one script that has undergone fairly substantial changes is the *common script. That should not be noticeable for a user but makes most of the other scripts a little bit faster, the code a little bit cleaner, and the continuing development a little bit easier for me.

I'm planning to start implementing ipv6 support and nftables support, and I wanted to have the code and the documentation in perfect shape before that. This is what this release is for.

Full Changelog: v0.8.6.4...v0.8.6.5

v0.8.6.4

17 Oct 00:17
ae52e59

This release mainly brings changes to how backups work, and to the implementation of the -backup script.

Highlights:

  • New option to disable automatic backups altogether when installing (run the -install script with the '-o' option)
  • Automatic restore when a fault is detected has been removed. The restore functionality is still there (and working just fine), but I don't want to risk making automatic changes to your firewall under unknown fault conditions. So I decided to leave this as a feature for manual recovery (which probably nobody will ever need, but isn't it good to know that it's there?)
  • Now all backup-related work is done in memory, so much less filesystem access and much faster.
  • Implemented automatic compression of the backup file, and automatic extraction when the -backup script is called with the 'restore' command. For compression, it uses whichever compression utility is available: bzip2, xz or gzip (in this order of preference). If none is available (which should never be the case), it falls back to uncompressed backups. When extracting, it automatically picks the correct utility.
  • Overall improved and streamlined the code.
  • More error checking in this script, more detailed comments and improved console messages.
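An added example of the compression scheme described in the highlights (this is illustration code, not the suite's -backup script): pick the best installed compressor in the order bzip2, xz, gzip, fall back to an uncompressed copy, and on restore choose the decompressor from the file's magic bytes rather than from its name, so a backup written on one machine restores correctly wherever it is read. The function names, the `.bak` file and the two-line "backup" content are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not the project's code: compressor selection by availability
# and decompressor selection by magic bytes for a firewall backup file.

# pick_compressor: print the preferred installed compressor
# (bzip2 > xz > gzip), or "cat" when none is available.
pick_compressor() {
    for c in bzip2 xz gzip; do
        command -v "$c" >/dev/null 2>&1 && { printf '%s\n' "$c"; return 0; }
    done
    printf 'cat\n'
}

# compress_backup SRC DEST: write SRC to DEST through pick_compressor's choice.
compress_backup() {
    comp="$(pick_compressor)"
    case "$comp" in
        cat) cat "$1" > "$2" ;;
        *)   "$comp" -c "$1" > "$2" ;;
    esac
}

# detect_compression FILE: print bzip2|xz|gzip|none from the first bytes
# (bzip2 "BZh" = 42 5a 68, xz = fd 37 7a 58 5a 00, gzip = 1f 8b).
detect_compression() {
    magic="$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')"
    case "$magic" in
        425a68*)        printf 'bzip2\n' ;;
        fd377a585a00*)  printf 'xz\n' ;;
        1f8b*)          printf 'gzip\n' ;;
        *)              printf 'none\n' ;;
    esac
}

# restore_backup FILE: decompress FILE to stdout with the matching tool;
# a file with no known magic is passed through unchanged.
restore_backup() {
    case "$(detect_compression "$1")" in
        bzip2) bzip2 -dc "$1" ;;
        xz)    xz -dc "$1" ;;
        gzip)  gzip -dc "$1" ;;
        none)  cat "$1" ;;
    esac
}

# roundtrip_demo: compress a constructed "backup" and restore it;
# prints "ok" when the restored content matches the original.
roundtrip_demo() {
    tmp="$(mktemp -d)"
    printf 'ipset list\niptables-save\n' > "$tmp/backup.txt"   # constructed stand-in content
    compress_backup "$tmp/backup.txt" "$tmp/backup.bak"
    if [ "$(restore_backup "$tmp/backup.bak")" = "$(cat "$tmp/backup.txt")" ]; then
        echo ok
    else
        echo mismatch
    fi
    rm -rf "$tmp"
}

roundtrip_demo
```

Detecting the format from the magic bytes rather than trusting a file extension matters for a restore path: the backup may have been written when a different compressor was installed, and a wrong guess would feed garbage to the firewall restore.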

Full Changelog: v0.8.6.3...v0.8.6.4

v0.8.6.3

16 Oct 04:18
32fbc6c

I guess this is a rather important release, although there haven't been too many code changes.

The changes were mainly triggered by me testing this suite on my embedded router running OpenWRT. That turned out useful because OpenWRT is different in so many ways from the desktop Linux OS which I've tested on so far. This helped me figure out some compatibility issues and fix most of them, and some performance issues as well. After these changes, the suite does run on OpenWRT, although this did require installing Bash on it and upgrading some utilities that OpenWRT ships by default in very trimmed-down and limited versions.

So to sum it up, this release mainly improves compatibility and, to some extent, performance.

Highlights:

  • Removed the requirement for systemd. That requirement was only in place because systemd makes it easy to check whether a service is enabled, and we need cron to be enabled. Now I have implemented another method that should be compatible with non-systemd operating systems.
  • Re-implemented ARIN lists parsing (for the 3rd time already), so now it's at least 3x faster on embedded devices (desktop users probably won't notice any difference since it already took less than a second on desktop).
  • Implemented better parsing of data timestamps, so now it works with trimmed-down versions of the 'date' utility
  • Improved logic in the *fetch script when dealing with incomplete lists
  • Fixed a bug that was causing the *apply script to sometimes fail to find the local subnet on systems that have ipv6 enabled
  • Some additional minor improvements, performance optimization and bugfixes

Full Changelog: v0.8.6.2...v0.8.6.3

v0.8.6.2

13 Oct 22:34
64d03cb

This is a fairly small release. There is one important change though, which is why I decided to make a release: the data folder used by the scripts is now only accessible by root. Not that there is crucial information there, but it does store a backup of the firewall config, so it makes sense to prohibit access to anyone but root.

Much work has gone into making the README.md file more readable (as it was growing quite huge). As part of that, I have split some additional files out of it (specifically NOTES.md and DETAILS.md). I also added the DATASAFETY.md file to make it clear how the scripts handle the user's data.

Highlights:

*install:

  • set datadir to be readable only by root
  • fixed a typo that was preventing the script from writing the default schedule to the config file
  • moved the validation portion out of get_local_country() into a new function validate_ccode(), which now lives in the *common script
  • validate country codes input by user from command line against cca2.list
  • copy cca2.list to the config directory when installing

*manage:

  • compacted and improved output of the report_status() function
  • validate country codes input by user from command line against cca2.list

multiple scripts: improved console output, improved error messages, improved output of the usage() function

Full Changelog: v0.8.6.1...v0.8.6.2

v0.8.6.1

12 Oct 22:20

This is a fairly minor release, but it brings an important change for blacklist users: now, when installing in blacklist mode, related and established connections to blacklisted countries are allowed (which I forgot to mention in the commit for the *apply script). The direct consequence is that while your machine will still drop unsolicited connections from blacklisted countries, if you want to connect to them and receive a reply, now you will be able to.

Besides that, some performance improvements have been implemented that allow the scripts to access a file or a system module they need much less often: after each such access the information is now stored in memory and refreshed only when needed, which should minimize disk access and improve responsiveness.

Last but not least, the information presented by the get_status() function in the main script (in response to the 'geoblocker-bash status' command) has been improved, so now you should see some additional useful info provided by the firewall, in a (hopefully) more readable way.

Full Changelog: v0.8.6.0...v0.8.6.1

v0.8.6.0

12 Oct 00:00

This release brings a new reliability feature and, besides it, improved console messages and a bit of minor bug squashing.

The new feature is an automatic check for whether the action the user requested from the *manage script would lock them out, and if so, printing a warning and waiting for user input before proceeding. For that, the script needs to know which country the user is in, so asking the user about it in the *install script was also implemented.

First I implemented an automatic country check but later reconsidered, because it was relying on a 3rd-party service and I prefer not to deal with that, especially without the user's approval; and if I ask them for approval, I may as well just ask them to input their country code directly. So eventually the implementation switched to ask-the-user, and validate the user's input against a known-good list of country codes. (Again, I first implemented automatic fetching and parsing of that list, but eventually decided to just include it in the suite rather than download it from a 3rd party.) That known-good list is what the additional 'cca2_codes.list' file is for. (For privacy nerds: you can press Enter to avoid telling the script which country you're in, which will disable the new feature completely and allow you to lock yourself out without getting warned.)

Highlights:

*fetch: implemented a slightly faster and much simpler awk-only solution for parsing of ARIN lists (previously it was implemented with a combination of grep, tr and awk).
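An added, awk-only example of parsing the ARIN list that the *fetch script deals with (this is illustration code, not the suite's parser, and the sample lines are constructed). ARIN publishes the RIR "delegated" statistics format, `registry|cc|type|start|value|date|status[|...]`, where `value` is a host count for ipv4 and a prefix length for ipv6. The example goes one step beyond the release note: ipv4 counts that are not a power of two, or ranges not aligned to their own size, are split into the minimal set of aligned CIDR blocks instead of being emitted as an invalid prefix. Filtering to `allocated`/`assigned` status is an assumption made here.

```shell
#!/bin/sh
# Added example, not the suite's *fetch parser: RIR delegated-format lines
# on stdin -> CIDR blocks for one country and address family, awk only.

# rir_to_cidr CC FAMILY: FAMILY is ipv4 or ipv6.
rir_to_cidr() {
    awk -F'|' -v cc="$1" -v fam="$2" '
    function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function int2ip(n,  a, b, c, d) {
        d = n % 256; n = int(n / 256); c = n % 256; n = int(n / 256)
        b = n % 256; a = int(n / 256); return a "." b "." c "." d
    }
    $1 ~ /^#/ || NF < 7 { next }                 # comments, version and summary lines
    $2 != cc || $3 != fam { next }
    $7 != "allocated" && $7 != "assigned" { next } # assumption: skip reserved/available
    fam == "ipv6" { print $4 "/" $5; next }      # value is already a prefix length
    {
        # ipv4: value is a host count; carve the range into aligned power-of-two blocks
        start = ip2int($4); left = $5 + 0
        while (left > 0) {
            size = 1; bits = 0
            while (size * 2 <= left && start % (size * 2) == 0) { size *= 2; bits++ }
            print int2ip(start) "/" (32 - bits)
            start += size; left -= size
        }
    }'
}

# Constructed sample in the delegated format (not real ARIN data).
sample_arin_list='2|arin|20231120|3|19700101|20231119|-0500
arin|*|ipv4|*|1|summary
arin|US|ipv4|3.0.0.0|16777216|19841010|allocated|abc
arin|US|ipv4|23.128.0.0|3072|20100101|assigned|def
arin|CA|ipv4|24.48.0.0|65536|19950101|allocated|ghi
arin|US|ipv4|100.64.1.0|256|20120101|reserved|jkl
arin|US|ipv6|2600::|24|20000101|allocated|mno'

demo_us_ipv4() { printf '%s\n' "$sample_arin_list" | rir_to_cidr US ipv4; }
demo_us_ipv6() { printf '%s\n' "$sample_arin_list" | rir_to_cidr US ipv6; }

demo_us_ipv4
demo_us_ipv6
```

For the sample, the US ipv4 output is `3.0.0.0/8`, `23.128.0.0/21` and `23.128.8.0/22` (the 3072-address range cannot be one CIDR), and the ipv6 output is `2600::/24`. The output lines are in the form ipset expects for a hash:net set.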

cca2_codes.list: added new file to the suite (contains valid cca2 country codes)

*install:

  • fixed a typo that was causing installation to skip checking required files
  • new function: get_local_country()
    --- ask the user to input their country code, then validate it against the cca2 list
  • check for cca2 list on initialization

*manage:

  • new function: check_for_lockout()
    --- when adding or removing countries to/from the blacklist/whitelist, checks whether the user is about to lock themselves out of their remote machine, and outputs a warning if they are
  • process check_for_lockout() output and if necessary, print the warning and wait for user input before proceeding

check_ip_in_registry.sh: fixed a minor bug involving variable names inconsistency
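An added example of the lockout check this release describes (the feature paragraph above and the check_for_lockout() highlight): it is illustration code, not the suite's *manage or *common script. The rule it implements is the one stated in the notes: removing the user's own country from a whitelist, or adding it to a blacklist, would cut the user off; an empty country code (the user pressed Enter) disables the check. The action names `add`/`remove`, the function signatures and the short embedded country-code list (a constructed subset standing in for cca2_codes.list) are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code: validate a country code against a
# known-good list and warn before a change that would lock the user out.

# Constructed subset of ISO 3166-1 alpha-2 codes, standing in for cca2_codes.list.
cca2_codes="AT AU BR CA CH CN DE FR GB IN JP NL RU SE US"

# validate_ccode CODE: returns 0 if CODE (any case) is in the known-good list.
validate_ccode() {
    code="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
    case " $cca2_codes " in
        *" $code "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# check_for_lockout MODE ACTION USER_CC CC...
#   MODE is whitelist|blacklist, ACTION is add|remove, USER_CC is the
#   country the user said they are in ("" disables the check).
#   Prints "lockout" and returns 1 when the change would cut USER_CC off;
#   returns 2 on an unknown country code; returns 0 otherwise.
check_for_lockout() {
    mode="$1"; action="$2"
    user_cc="$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')"
    shift 3
    [ -z "$user_cc" ] && return 0
    for cc in "$@"; do
        cc="$(printf '%s' "$cc" | tr '[:lower:]' '[:upper:]')"
        validate_ccode "$cc" || { printf 'invalid country code: %s\n' "$cc" >&2; return 2; }
        [ "$cc" = "$user_cc" ] || continue
        case "$mode:$action" in
            whitelist:remove|blacklist:add) printf 'lockout\n'; return 1 ;;
        esac
    done
    return 0
}

# confirm_change MODE ACTION USER_CC CC...: the interactive wrapper; on a
# lockout warning, waits for the user to type "yes" on stdin before going on.
confirm_change() {
    if [ "$(check_for_lockout "$@")" = "lockout" ]; then
        printf 'WARNING: this would block your own country (%s). Proceed? [yes/NO] ' "$3" >&2
        read -r answer
        [ "$answer" = "yes" ] || return 1
    fi
    return 0
}
```

Usage in a management script would be `confirm_change whitelist remove "$user_cc" $codes || exit 1` ahead of the firewall change. Validating every supplied code before acting also keeps a typo such as `UK` (not an alpha-2 code; the correct one is `GB`) from silently leaving a country un-blocked.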

Full Changelog: v0.8.5.9...v0.8.6.0

v0.8.5.9

10 Oct 16:03

This is a minor release.

Highlights:

  • improved syntax compliance across the scripts and more code style improvements
  • multiple scripts: wait a bit before destroying ipsets to allow the kernel to catch up
  • *common: check_deps: when processing alternative deps, use IFS instead of replacing the delimiter in arguments
  • *common: support bash v4.0+

Full Changelog: v0.8.5.8...v0.8.5.9

v0.8.5.8

10 Oct 01:14

This release brings minor changes from a user's perspective but rather a lot of changes under the hood. Its main focus is code maintenance, code quality improvement, and some usability improvements.

Highlights:

check-ip-in-registry.sh:

  • adapted to utilize the *fetch script for fetching, in order to avoid code duplication

*fetch:

  • adapted to be used by check-ip-in-registry.sh
  • avoid multiple file writes to store status in the status file

*apply:

  • improved performance when compiling a new ip list to feed into ipset

*manage:

  • more improvements to the report_status() function output
  • warn the user if no country codes have been found in firewall rules

*common:

  • implemented check_deps() function
  • check for common dependencies on initialization

*install:

  • compacted some code by implementing and utilizing functions check_files_exist(), copyscripts()

*run:

  • create backup before the action rather than after it

most scripts:

  • check dependencies in a more orderly manner, via the new check_deps() function in *common
  • Code cleanup and code style improvements
  • Improved console output messages and error messages

Full Changelog: v0.8.5.7...v0.8.5.8

v0.8.5.7

08 Oct 14:52

This release mainly implements a new feature: support for fetching ip lists for matching countries from ARIN (American Registry for Internet Numbers), in addition to fetching from RIPE.

Fairly significant changes have been made to the *fetch and check-ip-in-ripe.sh scripts to allow for automatic selection of the matching registry and parsing of its format.
This solves an issue where fetching ip lists for some countries (particularly for the US) would usually succeed only on the 3rd attempt when fetching them from RIPE.

Users can continue to use the scripts as before, since matching the country to the registry is done automatically.

Also renamed check_ip_in_ripe.sh to check-ip-in-registry.sh and validate_cron_schedule.sh to validate-cron-schedule.sh.

Full Changelog: v0.8.5.6...v0.8.5.7