Firewall Builder Release Notes
Version 2.0.8
Released 07/08/2005
GUI and compilers v2.0.8 require API library libfwbuilder version 2.0.8
Summary
This is a bug fix release
For those who wish to build from source, instructions are outlined
in the document "Install and Build instructions" on our web site.
What's new
- Improvements in the GUI
- Included updated German translation by Hans Peter
Dittler <hpdittler at braintec-consult.de>
- implemented Feature Request #1145666: "Print RCS
Log". The File/Properties dialog can now print the RCS log. Thanks
to "Ilya V. Yalovoy" <yalovoy@pilot.aip.mk.ua> for the
patch.
- Some code changes were made to make the code compile and
work on Solaris. In particular, tests and emulation for the
forkpty and cfmakeraw functions were added. Currently this
still remains largely untested.
- Improvements in policy compilers for pf, ipf, ipfw
- implemented support for subnets for backup ssh access for
pf, ipf and ipfw. A subnet can be defined using either a full netmask or
a bit length: both "192.168.1.0/255.255.255.0" and "192.168.1.0/24"
are acceptable. A single host address works too, both as
"192.168.1.10" and as "192.168.1.10/255.255.255.255" or
"192.168.1.10/32". An incorrect address or netmask causes the compiler
to abort processing.
- Improvements in compiler for ipfw
- using rule sets to atomically swap old and new
rules. New rules are loaded into set 1 and then swapped
into set 0. If there is an error in the new rule set, it is
caught while loading rules into the inactive set 1, at which
point the script stops without changing the old firewall rules.
- added an "established" rule on top of the regular backup
ssh access rule; this keeps the management ssh
session alive after the policy is reloaded. Both "ipfw -f flush" and
swapping sets flush all state, so the ssh session used to
upload and activate the new policy would otherwise break. A rule with the
"established" keyword matches packets of that already-open session and
keeps it working.
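The address syntax accepted for backup ssh access, as an added shell example rather than code from Firewall Builder's compilers: normalize_cidr turns either spelling into "address/bitlength" and fails on anything malformed, so a script can abort the way the compiler does. It goes slightly beyond the cases listed above by also rejecting non-contiguous netmasks, out-of-range octets and leading zeros; the function names are this example's own.

```shell
#!/bin/sh
# Added example; not Firewall Builder code. normalize_cidr prints
# "a.b.c.d/N" for any of the accepted spellings and returns 1 (with a
# message on stderr) for a bad address or netmask.

# Print a dotted quad as a 32-bit integer; fail on anything that is not
# exactly four decimal octets in 0..255 (leading zeros are rejected so
# nothing is mistaken for octal later on).
ip_to_int() {
    local ip=$1 part n=0 count=0
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    local IFS=.
    for part in $ip; do
        count=$((count + 1))
        case $part in 0|[1-9]*) ;; *) return 1 ;; esac
        [ "$part" -le 255 ] || return 1
        n=$((n * 256 + part))
    done
    [ "$count" -eq 4 ] || return 1
    printf '%s\n' "$n"
}

# Convert a dotted netmask to a prefix length. The mask must be a run of
# one bits followed only by zero bits; 255.255.0.255 is refused.
mask_to_prefix() {
    local m bits=0 i=31
    m=$(ip_to_int "$1") || return 1
    while [ "$i" -ge 0 ] && [ $(( (m >> i) & 1 )) -eq 1 ]; do
        bits=$((bits + 1)); i=$((i - 1))
    done
    while [ "$i" -ge 0 ]; do
        [ $(( (m >> i) & 1 )) -eq 0 ] || return 1
        i=$((i - 1))
    done
    printf '%s\n' "$bits"
}

# Accept "addr", "addr/N" or "addr/mask" and print "addr/N".
normalize_cidr() {
    local spec=$1 addr mask prefix
    case $spec in
        */*/*) echo "malformed address specification: $spec" >&2; return 1 ;;
        */*)   addr=${spec%%/*}; mask=${spec#*/} ;;
        *)     addr=$spec; mask=32 ;;          # bare host address
    esac
    ip_to_int "$addr" >/dev/null || { echo "bad address in: $spec" >&2; return 1; }
    case $mask in
        *.*)                                   # dotted netmask
            prefix=$(mask_to_prefix "$mask") ||
                { echo "bad netmask in: $spec" >&2; return 1; } ;;
        0|[1-9]|[1-9][0-9])                    # bit length, no leading zeros
            prefix=$mask
            [ "$prefix" -le 32 ] || { echo "bad bit length in: $spec" >&2; return 1; } ;;
        *)
            echo "bad netmask in: $spec" >&2; return 1 ;;
    esac
    printf '%s/%s\n' "$addr" "$prefix"
}
```

Usage: `net=$(normalize_cidr "$1") || exit 1`, then interpolate `$net` into the generated pf, ipf or ipfw rule.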
Bugs fixed in the Standard Objects library:
- bug #210518: 'Incorrect ending day in the standard object
"weekends"'. This object defined a time interval ending at 23:59
on Monday instead of Sunday.
Bugs fixed in scripts and tools:
- bug #1200902: "fwb_compile_all does not work in 2.0". Script
fwb_compile_all broke because of changes in the data file
format.
Bugs fixed in GUI:
- bug #1072842: "fwbuilder: Solaris and forkpty". We need
forkpty for the built-in installer but this function is not available
on Solaris. I am adding a re-implementation, but it hasn't been
tested since I do not have a Solaris machine.
- bug #1201406: "shutdown messages should be
suppressed". The installation scriptlet tries to kill the shutdown
process, if there is one, to cancel a pending shutdown that might
have been left over from a test install. If there is none, the
script prints an error message such as "shutdown process not found",
which confuses the user. These error messages are now suppressed.
- bug #1204067: "incorrect timezone handling in RCS". The Windows
version of RCS incorrectly converts the check-in time when the time zone
is east of GMT. This caused the GUI to show the wrong check-in
time of files in the "Open File" dialog if the program was
running in a time zone east of GMT, for instance in Japan.
- bug #1207983: "incorrect size of "I" and "L" buttons in the
group view dialog". Tested with a large font and cleaned up the layout
in many dialogs.
- bug #1212121: "sudo shutdown doesn't work".
- bug #1212123: "executing file below /tmp as root". The installer now
avoids the world-writable directory /tmp/ while activating a policy in
test mode. Instead it uses the subdirectory "tmp"
under the directory specified in the "Installer" tab of the firewall
settings dialog. That directory is expected to have proper
permissions; the subdirectory "tmp" can be created manually,
otherwise the installer creates it. Either way, it is not
world-writable, so unauthorized users cannot plant
scripts in it.
- bug #1212179: "tool tips for TCP services cuts off some
services". The GUI would show a very long tooltip for large
groups; if the group was too large, the tooltip did not fit on
the screen.
- bug #1213361: "PF on FreeBSD-5.4R". The bug description is
misleading: the problem was caused by the built-in installer rather
than by the compiler for PF. The installer would not copy the generated
script over ssh if the script was longer than some threshold and
the GUI was running on FreeBSD.
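The checks behind the fix for bug #1212123, as an added shell example that is not Firewall Builder's installer code: before a policy script is copied somewhere and run as root, the "tmp" subdirectory is created with a private mode and refused if it is a symlink, owned by someone else, or writable by group or others. Once the directory is private, the classic /tmp symlink race (an unprivileged user pre-creating the script's name as a link to a file root will then overwrite or execute) is no longer possible. FWB_INSTALL_DIR and the function names are this example's own placeholders for the directory from the "Installer" tab.

```shell
#!/bin/sh
# Added example; not Firewall Builder code. prepare_script_dir vets
# "$base/tmp" and prints its path; run_policy_test copies a generated
# policy script into it and runs it from there.

# Create or verify the private working directory under $1.
prepare_script_dir() {
    local base=$1 dir
    dir="$base/tmp"
    [ -n "$base" ] && [ -d "$base" ] ||
        { echo "no such directory: $base" >&2; return 1; }
    # A symlink named "tmp" would redirect us into a directory an
    # attacker controls, so it is refused outright.
    [ ! -L "$dir" ] || { echo "$dir is a symlink, refusing" >&2; return 1; }
    # mkdir -m sets the mode atomically with creation; mkdir fails
    # rather than following anything that appeared in between.
    [ -d "$dir" ] || mkdir -m 0700 "$dir" || return 1
    # Must be owned by the installing user ...
    if [ -n "$(find "$dir" -prune ! -user "$(id -un)" -print)" ]; then
        echo "$dir is not owned by $(id -un), refusing" >&2; return 1
    fi
    # ... and not writable by group or others (the /tmp problem).
    if [ -n "$(find "$dir" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
        echo "$dir is group- or world-writable, refusing" >&2; return 1
    fi
    printf '%s\n' "$dir"
}

# Copy the script $2 into the vetted directory under $1 and execute it.
run_policy_test() {
    local base=$1 script=$2 dir target
    dir=$(prepare_script_dir "$base") || return 1
    target="$dir/$(basename "$script")"
    # Nobody else can create entries in a 0700 directory we own, so a
    # pre-existing symlink here could only be our own leftover; refuse it.
    [ ! -L "$target" ] || { echo "$target is a symlink, refusing" >&2; return 1; }
    cp "$script" "$target" && chmod 0700 "$target" || return 1
    /bin/sh "$target"
}

# Usage: run_policy_test "$FWB_INSTALL_DIR" /path/to/generated/policy.fw
```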
Bugs fixed in policy compiler for iptables:
- bug #191423: "Weekend Time restriction not created
correctly". Rules with a time restriction spanning from Saturday
to Sunday were generated with an incorrect "--day" option.
- bug #1205665: "Error with summer time when compiling
script". Sometimes the timezone name contains "'", which confuses the
shell and causes an error when the generated script prints the
"Activating firewall policy..." log message.
- bug #1215279: "rate limiting rule logs everything". A rule
utilizing the "limit" module to rate limit packets with logging
logged every packet and dropped those that exceeded the
limit. The fix applies the limit first and then logs only the
packets that are dropped.
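Two fragments of an iptables activation script, as an added shell example (not the script Firewall Builder generates) covering bugs #1205665 and #1215279: a quoting helper that lets a compile-time string containing an apostrophe survive inside the generated script, and the rate-limit rule in both the old and the corrected order. It assumes the time stamp is embedded as a literal at compile time, uses a constructed zone name and placeholder chain and log-prefix names, and lets IPTABLES be set to "echo" to preview rules instead of loading them.

```shell
#!/bin/sh
# Added example; not Firewall Builder output. Placeholders: chain names,
# log prefixes, the sample zone name and the IPTABLES override.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# Print $1 as one single-quoted shell word that reads back verbatim:
# every embedded ' becomes '\'' (close quote, escaped quote, reopen).
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# The log line as a compiler would emit it before the fix: the stamp is
# pasted between single quotes, so a zone name like "Paraguay's Time"
# ends the quoted string early and the script has a syntax error.
activation_line_naive() {
    printf "echo 'Activating firewall policy... compiled %s'\n" "$1"
}

# The same line with the stamp quoted properly.
activation_line() {
    printf 'echo %s\n' "$(shell_quote "Activating firewall policy... compiled $1")"
}

# Rule ordering before the fix: LOG precedes the limit, so every packet
# that matches is logged, not just the ones the limit ends up dropping.
limit_rule_buggy() {
    local chain=$1 match=$2 rate=$3 burst=$4
    # $match is split into words on purpose (e.g. "-p tcp --dport 22").
    "$IPTABLES" -A "$chain" $match -j LOG --log-prefix "RULE ${chain} -- DROP "
    "$IPTABLES" -A "$chain" $match -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    "$IPTABLES" -A "$chain" $match -j DROP
}

# Rule ordering after the fix: the rate-limited ACCEPT is consulted
# first; only packets above the limit fall through to LOG and then DROP,
# so the log records exactly what was dropped. (--limit-burst defaults
# to 5 if omitted.)
limit_rule_fixed() {
    local chain=$1 match=$2 rate=$3 burst=$4
    "$IPTABLES" -A "$chain" $match -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    "$IPTABLES" -A "$chain" $match -j LOG --log-prefix "RULE ${chain} -- DROP "
    "$IPTABLES" -A "$chain" $match -j DROP
}

# Usage (preview instead of loading):
#   IPTABLES=echo
#   limit_rule_fixed INPUT "-p tcp --dport 22" 10/minute 5
#   activation_line "$(date '+%c %Z')"
```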
Bugs fixed in policy compiler for ipfw:
- bug #1155351: "Remote install of FW rulset fails due to race
condition". The generated ipfw firewall script could not be run
reliably over an ssh session because "ipfw -f flush" flushes all rules
and all state, which breaks the ssh session. As soon as the script
needed to print anything, it got an I/O error from the system
because the TCP session for ssh was blocked; this stopped the script
and did not let it activate the new firewall policy. Using rule sets
and an "established" rule for the backup ssh access solved the
problem.
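The rule-set swap and "established" rule described under "Improvements in compiler for ipfw" above and in bug #1155351, as one added shell example that is not the script Firewall Builder generates: the new policy goes into the disabled set 1 one rule at a time, the sets are swapped only if every rule loaded, and the first rule lets the management subnet's already-open ssh session keep flowing after all dynamic state is lost. MGMT_NET, the port, the rule numbers and the IPFW override (set it to a stub such as "echo" for a dry run) are this example's own assumptions.

```shell
#!/bin/sh
# Added example; not Firewall Builder output. Assumptions: IPFW may be
# pointed at a stub for a dry run; MGMT_NET and SSH_PORT are placeholders.

IPFW="${IPFW:-/sbin/ipfw}"
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# Run one ipfw command; stdin is detached so it cannot eat the rule list.
ipfw_cmd() { "$IPFW" -q "$@" </dev/null; }

# The new policy, one "add" per line, every rule tagged "set 1".
new_policy_rules() {
    cat <<EOF
# "established" matches packets of sessions that are already open, so
# the ssh session carrying this script survives the loss of dynamic
# state that a flush or a set swap causes. It comes before the regular
# (stateful) backup ssh rule.
add 100 set 1 allow tcp from $MGMT_NET to me $SSH_PORT established
add 110 set 1 allow tcp from $MGMT_NET to me $SSH_PORT setup keep-state
add 120 set 1 check-state
add 200 set 1 allow ip from any to any via lo0
add 65000 set 1 deny log ip from any to any
EOF
}

# Read "add ..." lines from stdin, load them into set 1 and swap sets.
# Returns non-zero, with the live set 0 untouched, if any rule is rejected.
activate_policy() {
    local rule
    ipfw_cmd set disable 1 || return 1        # set 1 is invisible to traffic
    ipfw_cmd delete set 1 || true             # clear leftovers; may be empty
    while IFS= read -r rule; do
        case $rule in ''|'#'*) continue ;; esac
        # Word-splitting $rule into ipfw arguments is intended.
        if ! ipfw_cmd $rule; then
            echo "error loading rule '$rule'; live policy (set 0) unchanged" >&2
            ipfw_cmd delete set 1 || true
            return 1
        fi
    done
    ipfw_cmd set swap 0 1 || return 1         # atomic cut-over: set 1 -> set 0
    ipfw_cmd delete set 1 || true             # old policy, now in set 1
    echo "policy activated"
}

# Usage: new_policy_rules | activate_policy
```

Because set 1 stays disabled throughout, a syntax error in the new rules is reported by ipfw while the old policy is still enforcing, which is exactly the failure mode the notes describe for loading into the inactive set.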