Firewall Builder Release Notes
Version 2.0
Released 07/28/04
GUI and compilers v2.0 require API library libfwbuilder version 2.0
Summary
Firewall Builder GUI v2.0 has been completely rewritten using QT
For those who wish to build from source, instructions are outlined
in "Install and Build instructions".
What's new
The GUI has been rewritten from scratch. The new GUI is based on
QT 3.x. It has been tested with Qt v3.1.1, 3.2.3 and 3.3.1. We
build on RedHat 9.0, Mandrake 10, SuSE 9.1, FreeBSD 5.2 using QT
packages that come with these systems.
The GUI has been redesigned to address problems known to exist in
the fwbuilder 1.1.x user interface:
- Speed improvements in the GUI. A firewall policy that consists
of 1000 rules renders just as fast as a policy that has only 10
rules. The GUI has actually been tested with 1000-rule policies.
- The object tree is not synchronized with the firewall policy
view. Selecting an object in the tree does not immediately open
it in the right-hand panel of the main window. The right-hand
panel is dedicated to the policy view and always shows the policy
or NAT rules of the firewall selected in the pull-down menu
above it. Editing of all objects is done in a separate floating
editor window that can be kept open at all times.
- Properties of an object selected in the tree or in any rule
are shown in the information panel under the tree. The size of
the panel can be changed; the panel has three modes of
operation: a) hidden, b) showing only the comment associated with
the selected object, c) showing its parameters and comment. The
user can choose the mode by clicking on the toolbar button under
the information panel.
- The "Find object" function finds objects by their name in the
tree, in groups and in rules. Regular expressions are
recognized.
- Built-in version control based on RCS provides for a simple
way to track changes.
- Data file can be opened read-only for inspection. If the
file is checked out and locked by a different user, it can only
be opened read-only.
- Data file can be given on the command line without "-f"
switch. The "-f" is also supported for backwards
compatibility.
- The program does not make copies of standard objects in user
data file anymore (per Feature Request #810504 "'Standard'
definitions should not be saved" )
- Users can create and distribute their own libraries of
objects. The GUI allows objects to be exported to an external
library file with the extension .fwl and imported from such a
file.
- Objects in the 'Standard' objects library, as well as
objects in libraries imported from external files, are
read-only.
- Added an option for autosave: if this option is turned on,
the GUI periodically saves data to the file. The autosave
interval can be set between 1 minute and 2 hours.
- The GUI detects collisions between objects when an external
library is imported. A collision is detected when any attribute
of an object in the tree is different from that attribute in the
object with the same unique ID in the file being imported. Some
old data files may trigger collisions because of subtle
differences in comments.
- Whenever the user changes the name of a firewall, host or
interface object, the GUI asks whether they also want to rename
all IP and MAC addresses that belong to that firewall or
host. If the user agrees to rename them, the program generates
names automatically using the scheme 'host_name:interface_name:ip'
and 'host_name:interface_name:mac'.
- Deleted objects are moved to a special library and can be
recovered with the "Undelete" operation.
- Rules can be color-labeled in all policies.
- Window size and position are remembered across multiple
sessions for all dialogs.
- Two modes of drag-and-drop of objects in policy and NAT
rules: dragging an object moves it; dragging an object with the
Ctrl key pressed copies it.
- Multiple objects can be selected in the tree. Operations
such as duplication, moving between libraries and copy/paste can
be performed on multiple selected objects.
- Multiple rules can also be selected for operations such as
moving, deleting, copy/paste and setting colors.
- A collection of firewall template objects comes in a
separate XML file with the package. You can create a new
firewall object using one of these templates. This replaces the
"help me build firewall" wizard.
- The "Help me build firewall policy" wizard was phased out
and replaced with firewall templates. The template library will
be extended in future releases.
- The GUI has a built-in installer that uses an external ssh
client to communicate with the firewall. The installer has a
simple GUI interface and works on both Linux and Windows (it uses
putty or SecureCRT on Windows). The external install script
fwb_install is no longer needed.
- An option has been added to the firewall platforms iptables,
ipfilter, pf and ipfw that sets up a policy rule to permit ssh
access from one specified IP address to the firewall regardless
of other rules. This is for backup ssh access from the
management workstation in case an error in the policy locks the
user out of the firewall. The option (a checkbox and an entry
field for the management station address) is located in the
"Compiler" tab of the firewall settings dialog. A command that
permits ssh to the firewall from the given address is added on
top of all other rules.
- Packages for Windows 2000, Windows XP and Mac OS X will be
distributed under a different license.
- The build process is based on qmake and uses autoconf
sparingly. Libtool is not used at all.
- Internationalization is done using gettext 0.14.1, which
supports QT .qm files.
- A reasonably complete French translation is provided.
- Object names and comments are stored in the object file in
UTF-8 format. This allows for names and comments to be entered
and displayed in local languages. Although object names can be
localized, it is recommended to keep firewall names in plain
ASCII because compilers do not support UTF-8 yet. This fixes
very old bug #657156: "Special characters problem".
- Code compiles with gcc 3.4.
New firewall platforms and new features that apply to all
platforms:
- Added support for Linksys devices running Sveasoft
firmware. The firewall object should be configured as platform
"iptables", host OS "linksys". The policy installer works with
both password and public key authentication.
- Added an option to the firewall platforms iptables, ipfilter,
pf and ipfw that sets up a policy rule to permit ssh access from
one specified IP address to the firewall regardless of other
rules. This is for backup ssh access from the management
workstation in case an error in the policy locks the user out of
the firewall. The option (a checkbox and an entry field for the
management station address) is located in the "Compiler" tab of
the firewall settings dialog. A command that permits ssh to the
firewall from the given address is added on top of all other
rules.
- Added the attribute 'lastModified' to the element
FWBObjectDatabase in the DTD. This attribute holds the time of
the last modification made to any object in the database
(GMT). Added support for this attribute in class
FWObjectDatabase. This attribute is implied.
Bugs fixed in libfwbuilder API:
- Fixed a bug that appeared only when used with libxml2 2.6.6
and libxslt 1.0.33: '*Group' elements were not converted
properly (losing all child elements). It worked on RH 9 with
libxml2 2.5.4 and libxslt 1.0.27. The fix was tested with libxml2
2.6.6 and libxslt 1.0.33 on Fedora C1.
- The method Firewall::duplicate replaces references to the
firewall, its interfaces, and the IPv4 and physical addresses of
the interfaces in all rule sets with references to the copies of
the corresponding objects. A firewall created from another one
using 'duplicate' now no longer references interfaces or
addresses that belong to the original firewall object.
- bug #950857: "Incorrect conversion of address range" -
address range that consisted of two IP addresses was converted
to a set of networks incorrectly.
- Fixed a bug that occurred on big-endian architectures
(e.g. Macintosh) because of incorrect usage of preprocessor
directives to check BYTE_ORDER. This bug caused incorrect address
arithmetic.
- bug #906709: "A dynamic interface". A dynamic interface used
to "shadow" the old broadcast object (0.0.0.0).
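The two libfwbuilder fixes above (bug #950857, where a range of two addresses was turned into the wrong set of networks, and the BYTE_ORDER bug that broke address arithmetic on big-endian hosts) both come down to doing address arithmetic on correctly ordered integers. The following is an added illustration, not code from libfwbuilder: it converts an inclusive address range into the minimal list of CIDR networks using an explicit network byte order, and cross-checks the result against the Python standard library. All sample ranges are constructed.

```python
import ipaddress
import socket
import struct

def ip_to_int(addr):
    """Dotted quad -> integer. The '!' (network order) format is explicit, so
    the arithmetic below is identical on little- and big-endian hosts."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def int_to_ip(n):
    """Integer -> dotted quad, again via explicit network byte order."""
    return socket.inet_ntoa(struct.pack("!I", n))

def range_to_networks(start, end):
    """Split the inclusive range [start, end] into the smallest list of CIDR
    networks that covers exactly those addresses, e.g. ['192.168.1.10/31']."""
    lo, hi = ip_to_int(start), ip_to_int(end)
    if lo > hi:
        raise ValueError("range start is after range end")
    nets = []
    while lo <= hi:
        # Grow the block while it stays aligned at lo and inside the range.
        size = 1
        while (size < 2 ** 32
               and lo % (size * 2) == 0
               and lo + size * 2 - 1 <= hi):
            size *= 2
        prefix = 33 - size.bit_length()      # size == 2 ** (32 - prefix)
        nets.append(f"{int_to_ip(lo)}/{prefix}")
        lo += size
    return nets

def stdlib_reference(start, end):
    """The same conversion done by the standard library, used as a cross-check."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))]

if __name__ == "__main__":
    # Constructed sample ranges; the two-address ones are the shape of bug #950857.
    for s, e in [("192.168.1.10", "192.168.1.11"), ("192.168.1.11", "192.168.1.12"),
                 ("10.0.0.1", "10.0.0.6"), ("10.0.0.0", "10.0.0.255")]:
        print(f"{s}-{e}: {range_to_networks(s, e)}")
```

The two-address case is the interesting one: "192.168.1.10-192.168.1.11" is a single /31, while "192.168.1.11-192.168.1.12" must become two /32 networks because the pair straddles an alignment boundary. A converter that only looks at the number of addresses, not their alignment, gets exactly this wrong.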
New features in iptables policy compiler fwb_ipt:
- Feature Request #913273: make "assume fw is part of any" a
per-rule option.
- Processing of policy rules where the firewall object is used in
src or dst with negation (possibly in combination with other
objects) has been optimized. Before, the generated script would
match the firewall's addresses in the INPUT/OUTPUT and FORWARD
chains, which added redundant checks in the FORWARD chain.
Bugs fixed in iptables policy compiler fwb_ipt:
- bug #956544: "Error into load modules script generation",
where the generated script would not load kernel modules with
names like "module.ko.gz". The regular expression should match on
".ko.*$" to find these modules properly. Thanks to Andrey
Kaminsky who pointed this out.
- bug #934949: "duplicate rules". fwb_ipt created duplicate
rules for a bridging firewall if the fw object or its interfaces
or their addresses were not in the source or destination.
- bug #912849: "Reorder activation of network interfaces in
IPT". The script generated by the compiler for iptables sets the
default policy to DROP, flushes all rules and then reconfigures
the interfaces of the firewall (it used to reconfigure interfaces
and then flush the rules).
- bug #906709: "A dynamic interface". A dynamic interface used
to "shadow" the old broadcast object (0.0.0.0).
- bug #979484: "improper command for rule with service any and
action reject." For rules like that, if the rule options dialog
does not specify a particular way to handle this combination, the
compiler splits the rule; the first iptables command rejects any
tcp packet with a TCP RST, while the second rejects everything
else with an ICMP message.
- bug #917422: "compiler misinterprets interface with addr
0.0.0.0". If an interface has the IP address "0.0.0.0", it is
now considered an error.
- bug #978854: "false rule generated for fw object in
interface rule". Policy compiler for iptables generated
incorrect code for rules using negated firewall object in source
or destination when global option "assume firewall is part of
any" was turned off.
- bug #925199: "compiles wrongly a double negation". The policy
compiler for iptables generated incorrect code for rules where
two rule elements used negation (i.e. both src and dst, or dst
and srv, etc.).
- bug #988860: "Logging missing when firewall start is
aborted". When the iptables script generated by fwb_ipt finds
missing interfaces, it now prints the error message on stdout and
also sends it to the log.
- bug #965558: "False ruleset generated for iptables (negate
w/ nat)". There were problems with double negations in NAT rules
(OSrc and ODst, or ODst and OSrv, etc.).
- bugs #935794: "dual translation and negation in fwb_ipt" and
#986376: "Wrong result for negated source in NAT rules". Dual
translation rule with negation in OSrc did not process negation
in the second half (POSTROUTING rule, the one that translates
the source).
- bug #990037: "Wrong rule generated: fw interface included in
negated group". Rules with negation should not generate code in
INPUT/OUTPUT chains if option "assume firewall is part of any"
is off.
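Several of the fwb_ipt items above describe the shape of the generated iptables script rather than the policy logic: the backup ssh rule for the management station goes ahead of every other rule, the script sets the default policy to DROP and flushes before it touches interfaces (bug #912849), a missing interface is reported on stdout and to the log (bug #988860), module names must be matched with ".ko.*$" so that "module.ko.gz" is loaded (bug #956544), and a REJECT rule with service "any" is split into a TCP-RST command and an ICMP command (bug #979484). The following added example, which is not fwb_ipt's own code, emits a script skeleton in that order so each of those points can be checked. The exact command syntax fwb_ipt uses is not shown in these notes, so the iptables, modprobe and interface-check lines below are assumptions, and the module file names and the management address 192.0.2.10 are constructed.

```python
import re

# Constructed sample of module file names as they could appear under
# /lib/modules/<version>/kernel/net/ipv4/netfilter (not from the release notes).
SAMPLE_MODULE_FILES = [
    "ip_tables.ko",
    "ip_conntrack.ko.gz",   # compressed module: the case of bug #956544
    "ipt_LOG.ko",
    "README",               # not a module and must be ignored
]

# Before the fix the pattern only matched ".ko$" and skipped "module.ko.gz";
# ".ko.*$" accepts any suffix after ".ko".
MODULE_RE = re.compile(r"^(?P<name>.+?)\.ko.*$")

def module_names(filenames):
    """Names usable with modprobe, derived from .ko, .ko.gz, ... file names."""
    names = []
    for f in filenames:
        m = MODULE_RE.match(f)
        if m:
            names.append(m.group("name"))
    return names

def reject_rule(chain, match):
    """bug #979484: REJECT with service 'any' and no explicit reject method
    becomes two commands: TCP gets a RST, everything else an ICMP error.
    `match` is the src/dst part of the rule, e.g. '-s 10.0.0.0/8'."""
    return [
        f"$IPTABLES -A {chain} {match} -p tcp -j REJECT --reject-with tcp-reset",
        f"$IPTABLES -A {chain} {match} -j REJECT --reject-with icmp-port-unreachable",
    ]

def interface_check(iface):
    """bug #988860: a missing interface is reported on stdout and to syslog
    before the script aborts. 'ip link show' stands in for whatever the real
    generated script uses to verify the interface (an assumption here)."""
    msg = f"Interface {iface} does not exist"
    return (f"ip link show {iface} >/dev/null 2>&1 || "
            f'{{ echo "{msg}"; logger -p daemon.err "{msg}"; exit 1; }}')

def generate_script(interfaces, mgmt_addr, rules, module_files=SAMPLE_MODULE_FILES):
    """Emit the lines of a firewall script in the order described in the notes."""
    lines = ["#!/bin/sh", "IPTABLES=/sbin/iptables"]
    # bug #912849: default policy DROP and the flush come first ...
    lines += ["$IPTABLES -P INPUT DROP", "$IPTABLES -P OUTPUT DROP",
              "$IPTABLES -P FORWARD DROP", "$IPTABLES -F", "$IPTABLES -X"]
    # ... and only then are the interfaces reconfigured / verified.
    lines += [interface_check(i) for i in interfaces]
    lines += [f"modprobe {name}" for name in module_names(module_files)]
    # Backup ssh access from the management station is added ahead of every
    # user rule, so a mistake further down cannot lock the administrator out.
    if mgmt_addr:
        lines.append(f"$IPTABLES -A INPUT -p tcp -s {mgmt_addr} --dport 22 -j ACCEPT")
    for rule in rules:
        lines += rule
    return lines

if __name__ == "__main__":
    script = generate_script(["eth0", "eth1"], "192.0.2.10",
                             [reject_rule("FORWARD", "-s 10.0.0.0/8")])
    print("\n".join(script))
```

Because the rules are appended after a flush, `-A` is enough to put the management rule first; a script that adds user rules before the backup rule, or that reconfigures interfaces before the DROP policy is set, reproduces the two ordering problems the notes describe.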
Bugs fixed in pf policy compiler fwb_pf:
- bug (no number) where fwb_pf would not include code defined by
a custom service object in the .conf file.
- bug #985527: "pf NAT rules miss destination port
specification". NAT rules that translate to "map" missed the
destination port specification.
- bug #986518: "PF redirection always point to loopback
address".