Release Notes

version 2.7.1 (2024-02-12)

• warning type messages in -config logs now do not repeat before 10 minutes. This will reduce the frequency of no ip addresses resolved, etc. log messages significantly.
• disabling Automated System Health Reporting can now be done by setting variable ashr to false from Terraform module v2.7.1 onwards. The earlier method will continue to work.
• automated system health reporting, if left enabled, now runs at shutdown too.
• automatically allowed CRL Endpoints of x509 SSL certificates now emit the name of the otherwise allowed FQDN and the issuing CA in the certificate chain, from which the CRL Endpoint was determined, in the reason field of the -config log. For example, crl endpoint from issuer GTS Root R1 in certificate chain of trends.google.com.
• syslog is no longer sent from DiscrimiNAT VMs to StackDriver (Logs Explorer). This will reduce the level of logging from the operating system.
• resolved an issue where large Microsoft updates over plaintext HTTP, while in see-thru mode, could cause DiscrimiNAT to drop packets after a few weeks of passing such traffic through – needing a restart.

version 2.7.0 (2024-01-03)

• HTTP -flow Logs: additional log fields of http_method, http_user_agent and http_path will be present for plaintext HTTP traffic to aid in determining the source of unencrypted traffic. The traffic will always be denied with the message insecure protocol, use https, though.

• CRL Endpoints of x509 SSL certificates, which are over plaintext HTTP, are now automatically allowed for all TLS FQDNs allowlisted. Only HTTP methods HEAD and GET are allowed to these URLs from only the clients that otherwise have the TLS FQDNs (to which these CRL Endpoints belong) allowed.

• Alias IP Ranges assigned to VM Instances now get recognised and functionally work the same way as a VM's primary IP address. Firewall Rules get applied to the ranges as well, just as they do to the primary IP address of a VM, based on Network Tags.

• no ip addresses resolved warning message in -config log for FQDNs found in the allowlist but for which a DNS lookup did not resolve any IP addresses. This is useful in spotting typos and domain names not configured yet by third parties.

• Terraform module v2.7.0 update: user_data_base64 supersedes startup_script_base64. See diff here.

• Automated System Health Reporting: 10 minutes after boot and then at 0200 UTC every day, each instance of DiscrimiNAT will collect its OS internals & system logs since instance creation, config changes & traffic flow information from last two hours and upload it to a Chaser-owned cloud bucket. This information is encrypted at rest with a certain public key so only relevant individuals with access to the corresponding private key can decrypt it. The transfer is encrypted over TLS.

  Access to this information will be immensely useful to create a faster and more reliable DiscrimiNAT as we add new features. We also aim to learn about how users are interacting with the product in order to further improve the usability of it as they embark on a very ambitious journey of fully accounted for and effective egress controls.

  We understand if certain environments within your deployment would rather not have this turned on. To disable it, a file at the path /etc/chaser/disable_automated-system-health-reporting should exist. From our Terraform module v2.7.0 onwards, this can be accomplished by including the following statement:

  user_data_base64 = "I2Nsb3VkLWNvbmZpZwp3cml0ZV9maWxlczoKLSBwYXRoOiAvZXRjL2NoYXNlci9kaXNhYmxlX2F1dG9tYXRlZC1zeXN0ZW0taGVhbHRoLXJlcG9ydGluZwo="

  The base64 value above decodes to:

  #cloud-config
  write_files:
  - path: /etc/chaser/disable_automated-system-health-reporting

  Which is a cloud-init way of creating that file in the instance.

version 2.6.1 (2023-10-10)

• operating system kernel tuning parameters tweaked (to match with the AWS build) resulting in improved performance of the see-thru mode
• health check logic now also waits for the firewall cache to build up a bit before giving a green light to the load balancer (and therefore accepting traffic on new VMs)
• fixed a bug where a certain configuration of a Firewall Rule would have DiscrimiNAT drop all rules
• two new warning log message types which indicate if the configured port in a Firewall Rule has a connection-level issue:
  • for example test for TLS on 203.0.113.5:80 failed – port 80 was not listening with TLS
  • and for example timed out testing connection to 203.0.113.6:443 – port 443 on that IP address is not open (from DiscrimiNAT's public IP point of view)
• minor update to Terraform modules increasing the health check initial delay from 120 seconds to 360 seconds

version 2.6.0 (2023-07-11)

• the TLS notation for allowlisting now supports IP v4 addresses besides FQDNs (i.e. without SNI), for example discriminat:tls:203.0.113.9
• the see-thru monitoring mode now accepts all specifications of IP addresses, Protocols & Ports on Firewall Rules. Previously, it had required IP addresses to be set to 0.0.0.0/0 and Ports & Protocols to be to set to all.
• two new -flow log reason messages when a network packet is disallowed have been introduced:
  • cache not ready: this message is logged when a new address is added in the allowlist but the firewall has not yet warmed up its cache for it. Expected to occur for up to 2 minutes after adding a new address (FQDN or IP.)
  • spoofing detected: logged when TLS SNI has been manipulated and a connection is attempted to an IP address that doesn't otherwise belong to the given FQDN (in the SNI.)
• enabled Finite Field Diffie–Hellman ciphers for TLS 1.2, for example DHE as opposed to ECDHE
• enabled ciphers without Forward Secrecy for TLS 1.2

Breaking Changes

• the -config log has its fqdn field name changed to addr. Field names have not changed in the -flow log.
• in the -config log, association of a public IP for egress from the firewall had its category (cat field) set to static-ip. This is now set to egress-ip.

version 2.5.3 (2023-05-22)

• increased tolerance towards some rare TLS servers that otherwise resulted in DiscrimiNAT logging connection test failures and not allowing connections to them

version 2.5.2 (2023-03-16)

• change of base OS from Ubuntu 18.04 to Ubuntu 20.04

The CIS Ubuntu Linux 20.04 LTS Benchmark v1.1.0 Level 2 - Server report is available upon request by contacting support. The image scored 215/219. An explanation will be attached for the unmet 4.

version 2.5.1 (2023-01-29)

• External IPs can now be pinned to specific deployments. If the value of a DiscrimiNAT instance VM label discriminat matches the label-key & value of an External IP, that External IP will be preferred for self-attaching. Fallback behaviour remains to self-attaching any allocated but unassociated External IPs with the label-key discriminat set to any value.
• Terraform module updated to support custom deployment IDs (see variable custom_deployment_id), to optionally override the randomly generated ones. This allows fine-grained control over naming and can also be used for matching allocated External IPs to a specific fleet of DiscrimiNAT instances.
• replaced google-fluentd with ops-agent. Ops Agent requires the Monitoring Metric Writer predefined role to be added to the service account. See our Service Account page for more details.

version 2.4.2 (2022-10-05)

• added support for Network Tags in Cloud Composer v2 GKE Clusters
• improved audit (config) logging for subnets
• improved connection handling for very short lived TLS connections with specific server-side implementations (such as Envoy Proxy)

version 2.4.1 (2022-05-05)

• fixed an excessive retries issue with automatic config building where the service account's role allowed querying of Service Projects but the Host Project did not have shared VPC setup enabled
• fixed a sporadic connection reset issue, that emitted unexpected response in the logs, and which only occurred in the see-thru monitoring mode while connecting to a destination at very high latency

version 2.4.0 (2022-03-13)

• new warning message in config logs when a connection test to an FQDN, carried out by discrimiNAT itself, in any allowlist fails
• serverless support introduced; VPC connectors from Cloud Functions etc. will have their outbound traffic filtered
• added support for self-attaching an allocated External IP
• change of one of the default scopes, when the service account is not overridden,from compute-ro to compute-rw; this is to support self-assignment of labelled external IPs
• discrimiNAT's own instance ID added to every log line under the key instance, indicating which instance the log line was emitted from
• updated TLS ECH draft extension identifiers

version 2.3.0 (2021-11-02)

• added support for shared VPC; now Service Projects can use a discrimiNAT instance deployed in their Host Project

version 2.2.0 (2021-08-31)

• see-thru mode introduced; build allowlists super-quick by putting a Firewall Rule in monitor mode first
• improved handling for a large number of FQDNs in the allowlists
• full bypass hook added; please reach out to support for instructions on this
• updated TLS ECH draft extension identifiers

version 2.0.5 (2021-05-03)

• restricted firewall rule scanning to the same VPC as discrimiNAT firewall was deployed in

version 2.0.4 (2021-04-03)

• set compute image family to discriminat
• updated TLS ECH draft extension identifiers

version 2.0.3 (2020-11-05)

• v2 launch
• completely new architecture addressing the potential for mismatch of IPs addresses as looked up by a protected workload from the VPC resolver and as looked up by the discrimiNAT firewall
• rewritten in Rust

version 20200529 (2020-05-29)

available on request; v1 is now deprecated; please upgrade to v2

version 20200524 (2020-05-24)

available on request; v1 is now deprecated; please upgrade to v2

version 20200516 (2020-05-16)

available on request; v1 is now deprecated; please upgrade to v2

version 20191207 (2019-12-07)

available on request; v1 is now deprecated; please upgrade to v2

version 20191107 (2019-11-07)

• v1 launch