Version 2.7.0 #4
new23d announced in Announcements
Release Notes

- HTTP
  - `flow` Logs: additional log fields of `http_method`, `http_user_agent` and `http_path` will be present for plaintext HTTP traffic to aid in determining the source of unencrypted traffic. The traffic will always be denied with the message `insecure protocol, use https`, though.
  - CRL Endpoints of x509 SSL certificates, which are over plaintext HTTP, are now automatically allowed for all TLS FQDNs allowlisted. Only HTTP methods `HEAD` and `GET` are allowed to these URLs from only the clients that otherwise have the TLS FQDNs (to which these CRL Endpoints belong) allowed.
- `no ip addresses resolved` warning message in `config` log for FQDNs found in the allowlist but for which a DNS lookup did not resolve any IP addresses. This is useful in spotting typos and domain names not configured yet by third parties.
- Terraform module v2.7.0 update: variable `startup_script_base64` has been renamed `user_data_base64`.
- Automated System Health Reporting: 10 minutes after boot and then at 0200 UTC every day, each instance of DiscrimiNAT will collect its OS internals & system logs since instance creation, config changes & traffic flow information from last two hours and upload it to a Chaser-owned cloud bucket. This information is encrypted at rest with a certain public key so only relevant individuals with access to the corresponding private key can decrypt it. The transfer is encrypted over TLS.

  Access to this information will be immensely useful to create a faster and more reliable DiscrimiNAT as we add new features. We also aim to learn about how users are interacting with the product in order to further improve the usability of it as they embark on a very ambitious journey of fully accounted for and effective egress controls.

  We understand if certain environments within your deployment would rather not have this turned on. To disable it, a file at the path `/etc/chaser/disable_automated-system-health-reporting` should exist. From our Terraform module v2.7.0 onwards, this can be accomplished by including the following statement:

  The base64 value above decodes to:

  Which is a cloud-init way of creating that file in the instance.
- Instance types `c5.large`, `c5.xlarge`, `c5.2xlarge`, `c6i.2xlarge` and `c6a.2xlarge` are no longer supported. Please choose from one of `t3.small`, `c6i.large`, `c6i.xlarge`, `c6a.large` and `c6a.xlarge`.
- DiscrimiNAT Firewall's product code on the AWS Marketplace has changed from `a83las5cq95zkg3x8i17x6wyy` to `bz1yq0sc5ta99w5j7jjwzym8g`. This has no impact on users unless they had been using the product code to look up its AMI ID, for example. Terraform modules version 2.7.0 onward encapsulate this change.

🔗 Preceding Release Notes
Released 14 Jan '24
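For the opt-out described under Automated System Health Reporting, one way to produce a `user_data_base64` value and to check what any such value decodes to before it is applied. This is an added example, not Chaser's own statement or value; it assumes cloud-init's `write_files` module creates the file, and the function names `build_user_data` and `audit_user_data` are hypothetical.

```python
import base64

# Path from the release notes: the file only has to exist.
DISABLE_FLAG = "/etc/chaser/disable_automated-system-health-reporting"


def build_user_data(path=DISABLE_FLAG):
    """Base64 of a cloud-config document that creates an empty file at path.
    Assumption: cloud-init's write_files module does the file creation."""
    doc = f"#cloud-config\nwrite_files:\n- path: {path}\n"
    return base64.b64encode(doc.encode("ascii")).decode("ascii")


def audit_user_data(b64_value, expected_path=DISABLE_FLAG):
    """Decode a user_data_base64 value and report anything it does beyond
    creating expected_path. An empty list means nothing unexpected."""
    try:
        text = base64.b64decode(b64_value, validate=True).decode("utf-8")
    except ValueError as exc:  # covers bad base64 and bad UTF-8
        return [f"undecodable value: {exc}"]
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].strip() != "#cloud-config":
        return ["missing '#cloud-config' header"]
    findings, paths = [], []
    for ln in lines[1:]:
        item = ln.strip()
        if item.startswith("#"):
            continue  # YAML comment
        top_level = not ln.startswith((" ", "-"))
        key, _, value = item.lstrip("- ").partition(":")
        if top_level and key != "write_files":
            findings.append(f"unexpected top-level key: {key}")
        elif not top_level and key == "path":
            paths.append(value.strip().strip("'\""))
        elif not top_level:
            findings.append(f"unexpected nested entry: {key}")
    if paths != [expected_path]:
        findings.append(f"expected exactly [{expected_path}], found {paths}")
    return findings


if __name__ == "__main__":
    value = build_user_data()
    print("user_data_base64 =", value)
    print("audit findings:", audit_user_data(value))
```

Running the audit on any base64 user data copied from elsewhere shows whether it does more than create the flag file.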