Release Notes
version 2.6.1 (2023-10-10)β
- operating system kernel tuning parameters tweaked (to match with the AWS build) resulting in improved performance of the see-thru mode
- health check logic now also waits for the firewall cache to build up a bit before giving a green light to the load balancer (and therefore accepting traffic on new VMs)
- fixed a bug where a certain configuration of a Firewall Rule would have DiscrimiNAT drop all rules
- two new warning log message types which indicate if the configured port in a Firewall Rule has a connection-level issue:
- for example
test for TLS on 203.0.113.5:80 failedβ port 80 was not listening with TLS - and for example
timed out testing connection to 203.0.113.6:443β port 443 on that IP address is not open (from DiscrimiNAT's public IP point of view)
- for example
- minor update to Terraform modules increasing the health check initial delay from 120 seconds to 360 seconds
version 2.6.0 (2023-07-11)β
- the TLS notation for allowlisting now supports IP v4 addresses besides FQDNs (i.e. without SNI), for example
discriminat:tls:203.0.113.9 - the see-thru monitoring mode now accepts all specifications of IP addresses, Protocols & Ports on Firewall Rules. Previously, it had required IP addresses to be set to
0.0.0.0/0and Ports & Protocols to be to set to all. - two new
-flowlogreasonmessages when a network packet isdisallowedhave been introduced:cache not ready: this message is logged when a new address is added in the allowlist but the firewall has not yet warmed up its cache for it. Expected to occur for up to 2 minutes after adding a new address (FQDN or IP.)spoofing detected: logged when TLS SNI has been manipulated and a connection is attempted to an IP address that doesn't otherwise belong to the given FQDN (in the SNI.)
- enabled Finite Field DiffieβHellman ciphers for TLS 1.2, for example DHE as opposed to ECDHE
- enabled ciphers without Forward Secrecy for TLS 1.2
Breaking Changes
- the
-configlog has itsfqdnfield name changed toaddr. Field names have not changed in the-flowlog. - in the
-configlog, association of a public IP for egress from the firewall had its category (catfield) set tostatic-ip. This is now set toegress-ip.
version 2.5.3 (2023-05-22)β
- increased tolerance towards some rare TLS servers that otherwise resulted in DiscrimiNAT logging connection test failures and not allowing connections to them
version 2.5.2 (2023-03-16)β
- change of base OS from Ubuntu 18.04 to Ubuntu 20.04
version 2.5.1 (2023-01-29)β
- External IPs can now be pinned to specific deployments. If the value of a DiscrimiNAT instance VM label
discriminatmatches the label-key & value of an External IP, that External IP will be preferred for self-attaching. Fallback behaviour remains to self-attaching any allocated but unassociated External IPs with the label-keydiscriminatset to any value. - Terraform module updated to support custom deployment IDs (see variable
custom_deployment_id), to optionally override the randomly generated ones. This allows fine-grained control over naming and can also be used for matching allocated External IPs to a specific fleet of DiscrimiNAT instances. - replaced google-fluentd with ops-agent. Ops Agent requires the Monitoring Metric Writer predefined role to be added to the service account. See our Service Account page for more details.
version 2.4.2 (2022-10-05)β
- added support for Network Tags in Cloud Composer v2 GKE Clusters
- improved audit (config) logging for subnets
- improved connection handling for very short lived TLS connections with specific server-side implementations (such as Envoy Proxy)
version 2.4.1 (2022-05-05)β
- fixed an excessive retries issue with automatic config building where the service account's role allowed querying of Service Projects but the Host Project did not have shared VPC setup enabled
- fixed a sporadic connection reset issue, that emitted
unexpected responsein the logs, and which only occurred in thesee-thrumonitoring mode while connecting to a destination at very high latency
version 2.4.0 (2022-03-13)β
- new warning message in config logs when a connection test to an FQDN, carried out by discrimiNAT itself, in any allowlist fails
- serverless support introduced; VPC connectors from Cloud Functions etc. will have their outbound traffic filtered
- added support for self-attaching an allocated External IP
- change of one of the default scopes, when the service account is not overridden,from
compute-rotocompute-rw; this is to support self-assignment of labelled external IPs - discrimiNAT's own instance ID added to every log line under the key
instance, indicating which instance the log line was emitted from - updated TLS ECH draft extension identifiers
version 2.3.0 (2021-11-02)β
- added support for shared VPC; now Service Projects can use a discrimiNAT instance deployed in their Host Project
version 2.2.0 (2021-08-31)β
- see-thru mode introduced; build allowlists super-quick by putting a Firewall Rule in monitor mode first
- improved handling for a large number of FQDNs in the allowlists
- full bypass hook added; please reach out to support for instructions on this
- updated TLS ECH draft extension identifiers
version 2.0.5 (2021-05-03)β
- restricted firewall rule scanning to the same VPC as discrimiNAT firewall was deployed in
version 2.0.4 (2021-04-03)β
- set compute image family to
discriminat - updated TLS ECH draft extension identifiers
version 2.0.3 (2020-11-05)β
- v2 launch
- completely new architecture addressing the potential for mismatch of IPs addresses as looked up by a protected workload from the VPC resolver and as looked up by the discrimiNAT firewall
- rewritten in Rust
version 20200529 (2020-05-29)β
available on request; v1 is now deprecated; please upgrade to v2
version 20200524 (2020-05-24)β
available on request; v1 is now deprecated; please upgrade to v2
version 20200516 (2020-05-16)β
available on request; v1 is now deprecated; please upgrade to v2
version 20191207 (2019-12-07)β
available on request; v1 is now deprecated; please upgrade to v2
version 20191107 (2019-11-07)β
- v1 launch