Firewall Builder Release Notes
Version 1.0.11
Released 09/03/03
GUI and compilers v1.0.11 require API library libfwbuilder version 1.0.1
Summary
For those who wish to build from source, instructions are outlined
in the document "Install and Build instructions" on our web site.
What's new
- Improvements in the GUI:
  - when a host object is discovered by the network discovery druid
    but does not answer SNMP queries, so that its interfaces can not
    be learned, the program assigns a generic name to the interface
    object it creates. The name has been changed from 'interface1'
    to 'nic1'.
  - Code compiles and runs with gettext 0.12.1
  - Code compiles and runs on FreeBSD 4.9
- Improvements in policy compiler for iptables:
  - implemented Feature Request #57561: "restricting log
    prefix to 29 chars". The compiler issues a warning and truncates
    the log prefix if it is longer than 29 characters.
  - implemented Feature Request #731761: "support for
    interfaces that can be down". The firewall script skips rules
    using a dynamic interface if that interface had no IP address
    assigned to it at the moment the firewall policy was
    activated. The firewall script will be activated and the policy
    will work even if one or more dynamic interfaces are down or
    simply have no IP address. This helps when the firewall
    separates networks with statically assigned IP addresses and at
    the same time has one or more interfaces with dynamically
    assigned addresses which can sometimes be down (e.g. an Internet
    connection using the PPP protocol).
  - implemented support for 'wildcard' interfaces. If an
    interface of the firewall has a name that ends with '*'
    (e.g. 'ppp*'), it is considered a wildcard interface: the
    compiler assumes that rules associated with this interface, or
    using its address, should be associated with, or use the
    address of, all interfaces that match the wildcard. For
    interface 'ppp*' that would be ppp0, ppp1, ppp2 etc. Rules
    created in the interface policy of this interface get a "-i"
    or "-o" clause with an interface name ending in '+'
    ('ppp*' is simply converted into 'ppp+'). To support rules
    using an address of such an interface, the compiler creates a
    loop that finds all real interfaces matching the pattern
    defined by the wildcard interface name and then copies the
    rule command using the actual address of each interface it
    finds.
  - implemented Feature Req. 730501: "ulog-ulgroup option
    for logging". ULOG ulgroup can be set both globally and for
    individual rules.
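As an added illustration (not a script generated by Firewall Builder), the POSIX sh fragment below shows the two mechanisms described for dynamic and wildcard interfaces: converting 'ppp*' into the 'ppp+' form used in "-i"/"-o" clauses, and looping over the real interfaces that match the wildcard while skipping any that currently have no IPv4 address. IFACE_ADDRS is a constructed interface/address snapshot standing in for a query of the kernel; getaddr, ifaces_matching, wildcard_to_iptables and rules_for_wildcard_addr are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not Firewall Builder's generated script. Shows how a
# firewall script can expand a wildcard interface ('ppp*') and skip
# rules for dynamic interfaces that have no address at activation time.

# Constructed snapshot of "interface address" pairs standing in for a
# query of the kernel (ifconfig/ip); an empty address field means the
# interface exists but is down or has no IPv4 address assigned yet.
IFACE_ADDRS='eth0 192.0.2.1
ppp0 198.51.100.7
ppp1
ppp2 203.0.113.9
tun0 10.0.0.1'

# getaddr IFACE: print the IPv4 address of IFACE, or nothing if unset.
getaddr() {
    printf '%s\n' "$IFACE_ADDRS" | awk -v ifc="$1" '$1 == ifc { print $2 }'
}

# ifaces_matching PATTERN: print every real interface whose name matches
# the shell wildcard PATTERN (for 'ppp*': ppp0 ppp1 ppp2).
ifaces_matching() {
    printf '%s\n' "$IFACE_ADDRS" | awk '{ print $1 }' | while read -r ifc; do
        case "$ifc" in $1) printf '%s\n' "$ifc" ;; esac
    done
}

# wildcard_to_iptables 'ppp*' -> 'ppp+', the form iptables accepts in
# the "-i"/"-o" clause of an interface policy rule.
wildcard_to_iptables() {
    printf '%s\n' "$1" | sed 's/\*$/+/'
}

# rules_for_wildcard_addr WILDCARD DPORT: emit one INPUT rule per real
# interface matching WILDCARD, using that interface's actual address.
# Interfaces with no address are skipped (with a note on stderr), so
# the script still loads when a PPP link happens to be down.
rules_for_wildcard_addr() {
    for ifc in $(ifaces_matching "$1"); do
        addr=$(getaddr "$ifc")
        if [ -z "$addr" ]; then
            echo "# $ifc has no address, skipping rule" >&2
            continue
        fi
        echo "iptables -A INPUT -d $addr -p tcp --dport $2 -j ACCEPT"
    done
}
```

With the snapshot above, `rules_for_wildcard_addr 'ppp*' 22` emits rules for ppp0 and ppp2 only and notes on stderr that ppp1 was skipped.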
- Improvements in policy compiler for ipfilter:
  - implemented Feature Request #778150: per-rule log level
    setting for ipfilter. Now the policy compiler for ipfilter can
    generate "log level facility.level" options for individual
    rules in the firewall policy.
- Improvements in policy compiler for PF:
  - Added support for "(if)" syntax for OpenBSD pf. PF can
    automatically change the address of a dynamic interface when
    its name in the rule is specified in parentheses.
  - Added GUI and policy compiler support for the following
    'scrub' options for PF:
    - no-df
    - random-id
    - min-ttl
    - max-mss
    - fragment reassemble
    - fragment crop
    - fragment drop-ovl
  - Added GUI and policy compiler support for the following
    'set' commands for PF:
    - set timeout interval
    - set timeout frag
    - set limit frags
    - set limit states
    - set optimization
- Improvements in policy compilers for all platforms:
  - added a check for the situation when a host or a
    firewall object that has a dynamic interface is used in the
    policy or NAT rule of another firewall. The compiler aborts
    processing because it can not build a rule using the dynamic
    interface of another object (its address is unknown at
    compile time and can not be determined at run time).
  - Added a check for a typical error: a dynamic interface
    should not have IPv4 child object(s). The compiler issues a
    warning if it does and ignores them.
  - implemented Feature Request #774727: Firewall General
    tab comment inserted into shell script. The compiler now inserts
    the comment from the General tab of the firewall dialog into the
    generated firewall script.
New components:
- standard Custom service object "ESTABLISHED" is now
configured for iptables and ipfw.
- service objects that describe DNS (UDP and TCP, port 53)
have been renamed to 'domain' and a service group 'DNS'
including both of them has been added.
- fwbedit: a general purpose object tree editing
command-line tool. This tool can be used for writing scripts
to batch-process a data file without loading it in the
GUI. Currently fwbedit can delete a given object from the
tree, as well as add and remove objects in groups. More
operations will be added in the future. See manual page
fwbedit(1) for more information and usage examples.
- fwb_compile_all: a wrapper script that provides a way to
compile policies for several firewalls in one batch job. See
man page fwb_compile_all(1).
- fwbinstaller: a universal policy installer script. It
uses the Perl module Net::SSH::Perl and at this point can
install generated policy on Linux/iptables, FreeBSD/ipf,
OpenBSD/pf and Cisco PIX firewalls. The script is distributed in
a separate package, fwbuilder-installer. To simplify
installation, it is packed using the Perl module PAR so that all
modules it depends on, and the script itself, are packed
inside a single executable. Fwbinstaller will
eventually replace the old script fwb_install.
Bugs fixed in libfwbuilder API:
- fixed bug #773271: program crashes while doing network
object discovery.
- fixed bug #774462: wrong interface made external if fw was
discovered by the crawler.
- fixed bug #774834: compiler hangs on a group referencing
itself. If a group referenced itself, policy compilers either
hung or dumped core.
Bugs fixed in GUI:
- fixed bug #747287: GUI crashes after "Open recent". This bug was
triggered only on some data sets, where opening the file using the
"File/Open Recent" main menu caused the GUI to become unstable and crash
when the global policy was opened.
- fixed bug #751656: "menu item Rules/Install does not get
enabled when interface is shown in dialog".
- fixed bugs #759665: "popup menu does not work in empty
group" and #760536: "cannot paste object to group". Right mouse
click in the group editing dialog of the group object did not
open popup menu if the group was empty.
- fixed bug (no number) where the GUI called the firewall policy
installation script without command line option "-d". The command
line options for policy compilers and installation scripts
should be the same, see manual page fwb_install(1). Option "-d"
specifies the working directory, i.e. the directory where the data file
currently opened in the GUI is located.
- implemented Feature Req. 730501: "ulog-ulgroup option for
logging". ULOG ulgroup can be set both globally and for
individual rules.
- GUI works with a copy of the main object tree when it processes
objects for printing. This got rid of the annoying warning that
something in the data had changed every time the user tried to
print.
- GUI uses a popup dialog to show the output from the printing
subsystem - good for debugging if lpr returned an error.
- fixed bug #764278 "Print error. uiltinDialog". The GUI now uses the
background execution class from libfwbuilder and the corresponding
widget to call lpr, so that the user can see the output it
generates, and the new method XMLTools::transformFileToFile to apply
the XSLT transformation to the data file.
- fixed bug #772723: "new firewall wizard assigns external
interface wrong". "New Firewall" wizard ignored setting made by
the user to mark external interface of the firewall.
- fixed bug (no number) where "About" dialog showed empty
boxes instead of the characters in the title line if font
Helvetica was not available.
Bugs fixed in iptables policy compiler fwb_ipt:
- fixed bug #741933: "compiler does not skip unnumbered
interface". The policy compiler should skip unnumbered interfaces if
the firewall object is used in ODst.
- fixed bug #751052: "Problem with more than 15 Services in
Group (iptables)". Compiler should use no more than 15 ports in
one invocation of the NAT rule using multiport module.
- fixed bug #759655: "certain rules on loopback do not get
added to OUTPUT chain". If option "assume firewall is part of
any" is ON, then the rule "any fw_obj any" should generate code
for the OUTPUT chain.
- fixed bug #762489: "rule and logging option". Here is how
policy compiler uses various limits: logging limit set globally
in 'Firewall' tab of the firewall dialog applies only to
logging; limit set in the rule options dialog applies only to
the corresponding rule's target.
- fixed bug #766161: "kernel 2.4.20-18.8custom / rh
8". Iptables does not allow using "--mac --source-mac" in the
OUTPUT chain. Policy compiler for iptables now specifically
checks for this situation.
- fixed bug #772092: fwb_ipt uses bash syntax in generated
script. fwb_ipt used operator == to compare strings; this syntax
is specific to bash and won't work if shell /bin/sh does not
support it.
- fixed bugs #774455: "fwb_ipt produces wrong code when
loopback used in the rule" and #781453: "compiler generates
incorrect firewall script". Compiler produced broken iptables
command if loopback interface object was used in the global
policy rule.
- fixed bug #778734: Multiple interface address in src/dst in
global policy. The compiler used to eliminate too many rules as
duplicates when the firewall had two or more dynamic interfaces.
- fixed bug #780345: "wrong chain is chosen for the rule in
bridging fw". If bridging firewall's interface address object
had a netmask of 255.255.255.255 in fwbuilder GUI, and firewall
object or its interface was used in the Destination rule
element, then compiler erroneously placed this rule in the
FORWARD chain instead of INPUT.
- fixed bug #780708: "Multiple dest IPs in NAT Table can be
compiled (but aren't)". DNAT rules now allow multiple objects in
Original Destination.
- fixed bug #782687: Protocol 'ip' is not always recognized by
iptables. Although iptables permits using a protocol name with the
"-p" option, we have received reports that it sometimes can not
properly interpret the protocol name 'ip'. Using 'all' instead is
the proper, supported way.
- fixed bug #784029: "Problems with generated Script". Under
certain circumstances generated script could not determine the
type of the firewall's interface (POINTOPOINT vs BROADCAST) and
could not configure its IP address.
- fixed bug #788586: "ICMP and NAT". Compiler used to ignore a
group of ICMP services used together with TCP or UDP services in
the same NAT rule.
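An added example (my own sketch, not fwb_ipt's code) of the port-splitting behind bug #751052 above: a list of ports from a service group is emitted as several iptables invocations so that no single multiport match carries more than 15 entries. It goes slightly beyond the bug text by also counting a port range "low:high" as two entries, which is how the multiport match accounts for ranges; multiport_rules, emit_rule, multiport_count and MULTIPORT_MAX are hypothetical names.

```shell
#!/bin/sh
# Added example, not fwb_ipt's code: emit iptables commands for a list
# of destination ports, splitting it so that no single "-m multiport
# --dports" carries more than 15 entries (the limit behind bug #751052).
# A range "low:high" counts as two entries towards that limit.
MULTIPORT_MAX=15

emit_rule() {  # emit_rule CHAIN PROTO PORTLIST
    echo "iptables -A $1 -p $2 -m multiport --dports $3 -j ACCEPT"
}

# multiport_rules CHAIN PROTO PORT... -> one rule per chunk, preserving
# port order; a chunk is flushed before it would exceed MULTIPORT_MAX.
multiport_rules() {
    chain="$1"; proto="$2"; shift 2
    chunk=""; n=0
    for port in "$@"; do
        case "$port" in *:*) w=2 ;; *) w=1 ;; esac   # ranges weigh 2
        if [ $((n + w)) -gt "$MULTIPORT_MAX" ]; then
            emit_rule "$chain" "$proto" "$chunk"
            chunk=""; n=0
        fi
        if [ -n "$chunk" ]; then chunk="$chunk,$port"; else chunk="$port"; fi
        n=$((n + w))
    done
    # flush whatever is left (an empty port list produces no rule)
    if [ -n "$chunk" ]; then
        emit_rule "$chain" "$proto" "$chunk"
    fi
}

# multiport_count PORTLIST -> how many entries a comma-separated list
# costs against the limit; handy for checking generated rules.
multiport_count() {
    printf '%s\n' "$1" | awk -F, '{ c = 0; for (i = 1; i <= NF; i++) c += ($i ~ /:/) ? 2 : 1; print c }'
}
```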
Bugs fixed in ipfilter policy compiler fwb_ipf:
- fixed bug #782927: a way to get "any tcp" in the rdr
rule. Ipfilter permits using "port 0" as a way to match on any
tcp or udp port in rdr rules.
- fixed bug #783931: "wrong interface picked for rdr rule". In
the case when both OSrc and ODst are not 'any' in the rdr rule,
fwb_ipf failed to pick up right interface for the rule.
Bugs fixed in PF policy compiler fwb_pf:
- fixed bug #771993: pf in OpenBSD-3.3 requires explicit
protocols. PF in OpenBSD 3.3 does not allow using "proto ip" in
nat and rdr rules.
- fixed bug #772460: missing space in the script generated by
fwb_pf.
Bugs fixed in ipfw policy compiler fwb_ipfw:
- fixed bug #772799: "fwb_ipfw ignores custom
services". Policy compiler for ipfw did not generate code for
Custom service objects used in the policy rules.