Release Notes

version 2.6.0 (2023-07-24)

  • the TLS notation for allowlisting now supports IPv4 addresses as well as FQDNs (i.e. connections without SNI), for example discriminat:tls:
  • the see-thru monitoring mode now accepts any specification of IP addresses, Protocols & Ports on Security Groups. Previously, it had required IP addresses to be set to and Ports & Protocols to be set to all.
  • two new -flow log reason messages, emitted when a network packet is disallowed, have been introduced:
    • cache not ready: logged when a new address has been added to the allowlist but the firewall has not yet warmed up its cache for it. Expected to occur for up to 2 minutes after adding a new address (FQDN or IP).
    • spoofing detected: logged when the TLS SNI has been manipulated, i.e. a connection is attempted to an IP address that does not otherwise belong to the FQDN given in the SNI.
  • enabled Finite Field Diffie-Hellman cipher suites for TLS 1.2, i.e. DHE as opposed to ECDHE
  • enabled cipher suites without Forward Secrecy for TLS 1.2
  • instance types have been updated to t3.small, c6i.large, c6i.xlarge, c6i.2xlarge, c6a.large, c6a.xlarge, c6a.2xlarge, c5.large, c5.xlarge and c5.2xlarge. Note that the c6a AMD types, although cheaper and equally performant, may not be available in all Availability Zones.

Breaking Changes

  • the -config log's fqdn field has been renamed to addr. Field names in the -flow log are unchanged.
  • in the -config log, the association of a public IP for egress from the firewall had its category (cat field) set to static-ip. It is now set to egress-ip.
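The two changes above affect anyone consuming DiscrimiNAT logs programmatically: a log pipeline written against 2.5.x breaks on the fqdn to addr rename and the static-ip to egress-ip value change, and the two new -flow reason messages are worth treating differently (a cache not ready inside the 2-minute warm-up window is expected; a spoofing detected never is). The following is an added example, not DiscrimiNAT's own code. It assumes log lines are JSON objects, that the -flow log carries the disallow reason in a reason field, the destination in addr and an epoch timestamp in ts, and that the operator keeps a record of when each address was added to an allowlist; none of those details are stated in the release notes. The field names fqdn, addr, cat and instance, and the values static-ip, egress-ip, cache not ready and spoofing detected, are as documented above.

```python
import json
from collections import Counter

# Release notes: "cache not ready" is expected for up to 2 minutes after an address
# is added to an allowlist. Anything later than that points at a real problem.
CACHE_WARMUP_SECONDS = 120


def normalize_config_record(rec: dict) -> dict:
    """Map pre-2.6.0 -config log field names and category values onto the 2.6.0 schema.

    Safe to run on 2.6.0 records as well: it only renames when the old key/value is present.
    """
    out = dict(rec)
    if "fqdn" in out and "addr" not in out:   # 2.6.0 breaking change: fqdn -> addr
        out["addr"] = out.pop("fqdn")
    if out.get("cat") == "static-ip":         # 2.6.0 breaking change: static-ip -> egress-ip
        out["cat"] = "egress-ip"
    return out


def triage_flow_record(rec: dict, allowlist_added_at: dict) -> str:
    """Classify one disallowed-packet -flow record.

    allowlist_added_at maps an allowlisted address (FQDN or IP) to the epoch time it was
    added; this is an assumed operator-maintained input (e.g. from IaC apply timestamps).
    Returns one of "alert", "expected", "stale-cache" or "other".
    """
    reason = rec.get("reason")   # assumed field name for the disallow reason message
    if reason == "spoofing detected":
        # SNI manipulation is never expected traffic: escalate regardless of timing.
        return "alert"
    if reason == "cache not ready":
        added = allowlist_added_at.get(rec.get("addr"))
        if added is not None and 0 <= rec["ts"] - added <= CACHE_WARMUP_SECONDS:
            return "expected"
        # Either nobody recorded adding this address, or the warm-up window has passed.
        return "stale-cache"
    return "other"


def triage_lines(lines, allowlist_added_at: dict) -> dict:
    """Count verdicts per firewall instance, using the instance key every log line carries,
    so that an alert can name the instance that emitted it."""
    summary = {}
    for line in lines:
        rec = json.loads(line)
        verdict = triage_flow_record(rec, allowlist_added_at)
        summary.setdefault(rec["instance"], Counter())[verdict] += 1
    return summary


# Constructed sample lines in the assumed JSON shape; not real DiscrimiNAT output.
# Addresses are from the RFC 5737 documentation ranges. "no matching rule" is a made-up
# reason used only to show how unrecognised reasons fall through.
SAMPLE_FLOW_LINES = [
    '{"instance":"i-0aaa","ts":1000,"reason":"cache not ready","addr":"api.example.com"}',
    '{"instance":"i-0aaa","ts":2000,"reason":"cache not ready","addr":"203.0.113.10"}',
    '{"instance":"i-0bbb","ts":2100,"reason":"spoofing detected","addr":"198.51.100.7"}',
    '{"instance":"i-0bbb","ts":2200,"reason":"no matching rule","addr":"192.0.2.5"}',
]
# Constructed: when each address was added to an allowlist (epoch seconds).
ALLOWLIST_ADDED_AT = {"api.example.com": 950, "203.0.113.10": 1000}


if __name__ == "__main__":
    old_config = {"instance": "i-0aaa", "fqdn": "api.example.com", "cat": "static-ip"}
    print(normalize_config_record(old_config))
    for instance, counts in triage_lines(SAMPLE_FLOW_LINES, ALLOWLIST_ADDED_AT).items():
        print(instance, dict(counts))
```

In the sample, the first cache not ready lands 50 seconds after api.example.com was added and is classified as expected, whereas the second comes 1000 seconds after 203.0.113.10 was added and is flagged as a stale cache worth investigating; the spoofing detected line is escalated unconditionally.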

version 2.5.3 (2023-05-31)

  • increased tolerance towards some rare TLS servers that had otherwise resulted in DiscrimiNAT logging connection test failures and not allowing connections to them

version 2.5.2 (2023-03-27)

  • change of base OS from Ubuntu 18.04 to Ubuntu 20.04
    The CIS Ubuntu Linux 20.04 LTS Benchmark v1.1.0 Level 2 - Server report is available on request by contacting support. The image scored 215/219. An explanation will be attached for the 4 unmet recommendations.

version 2.5.1 (2023-02-03)

  • general OS updates

version 2.5.0 (2022-11-07)

Breaking Changes

  • CloudWatch log group name changed from discrimiNAT to DiscrimiNAT. The first letter of the word DiscrimiNAT is, and going forward will be, upper-case.
  • the IAM Policy has been updated to reflect the upper-case letter D.
  • the AMI name has seen the same change.
  • a new patch version, 2.4.1, of the ENI Terraform module has been released that constrains it to DiscrimiNAT version 2.4.x AMIs only. The ENI Terraform module will be updated in due course to support DiscrimiNAT version 2.5.x and onwards.

version 2.4.2 (2022-10-11)

  • improved connection handling for very short lived TLS connections with specific server-side implementations (such as Envoy Proxy)

version 2.4.1 (2022-05-11)

  • fixed a sporadic connection reset issue, which emitted an unexpected response message in the logs and only occurred in the see-thru monitoring mode when connecting to a destination at very high latency

version 2.4.0 (2022-03-01)

  • new warning message in the -config log when a connection test to an FQDN in any allowlist, carried out by discrimiNAT itself, fails
  • added support for self-attaching an allocated Elastic IP
  • discrimiNAT's own instance ID is now added to every log line under the key instance, indicating which instance emitted the line
  • updated TLS ECH draft extension identifiers

version 2.2.0 (2021-09-06)

  • see-thru mode introduced: build allowlists quickly by putting a Security Group in monitor mode first
  • serverless support introduced: Lambdas etc. with an interface in the VPC have their outbound traffic filtered
  • full bypass hook added; please reach out to support for instructions on this

version 2.1.0 (2021-08-19)

version 2.0.5 (2021-05-11)

  • restricted firewall rule scanning to the VPC the discrimiNAT firewall was deployed in

version 2.0.4 (2021-04-07)

version 2.0.3 (2020-11-10)

  • v2 launch
  • completely new architecture addressing the potential mismatch between the IP addresses looked up by a protected workload via the VPC resolver and those looked up by the discrimiNAT firewall
  • rewritten in Rust

version 20200524 (2020-05-27)

available on request; v1 is now deprecated; please upgrade to v2

version 20200516 (2020-05-20)

available on request; v1 is now deprecated; please upgrade to v2

version 20191207 (2019-12-10)

available on request; v1 is now deprecated; please upgrade to v2

version 20191108 (2019-11-12)

available on request; v1 is now deprecated; please upgrade to v2

version 20190911 (2019-09-13)

  • v1 launch