The 10 May 2012 release of CloudPassage® Halo® includes changes to the CloudPassage Daily Status emails, changes to the registration confirmation email, and a variety of minor bug fixes and UI enhancements, including a version specification for the ICMP service for Windows firewall.
Changes to hidden DNS firewall rules
Whenever you create a firewall policy in the Halo Portal, Halo adds a set of basic firewall rules that are required for the Daemon to operate. These rules are “hidden”: they do not appear in the Portal and you cannot edit them, although you can view them if you export the firewall policy.
Enhancements have been made to DNS-related hidden firewall rules to improve security for servers that communicate with name servers and for DNS clients and servers themselves.
Support added for multiple IP addresses per server
When you include a server group as a source in a firewall rule, Halo behavior has been to include, for each server, only the IP address that its daemon uses when communicating with the Halo Grid. With this release, all IP addresses of all interfaces used by the server are included.
Improved functionality for Windows firewall rules
Previously, it was possible to create an IP zone with a host address value of 0.0.0.0/0, which would cause installation of a Windows firewall containing that IP zone to fail. With this release, Halo changes existing IP zone addresses of that value to “ANY” if they are applied to a Windows firewall policy, and it prevents the user from creating a new IP zone that includes that address.
Handling duplicate names for IP zones and network interfaces
It has been possible to create an IP zone or network interface with a given name, and then, while creating a firewall rule, create another IP zone or interface with the same name. To enforce uniqueness of names, Halo no longer permits a newly created zone or interface to have the same name as an existing one.
Improved support for custom ICMP firewall rules
Halo now supports the custom ICMP service types ping (icmp/8), timestamp (icmp/13), and address_mask (icmp/17), and where necessary creates corresponding outbound rules for them. Also supported is icmp/all, which includes all three types.