Firewall Builder Release Notes
Version 1.1.0
Released 11/23/03
The GUI and compilers v1.1.0 require the API library libfwbuilder version 1.0.2
Summary
For those who wish to build from source, instructions are outlined
in the document "Install and Build instructions" on our web site http://www.fwbuilder.org/archives/cat_installation.html
This version is stable; future changes to v1.1 will be limited
to bug fixes.
What's new
- Improvements in the GUI:
  - Implemented Feature Req. #809106: "Netmask should not be
    automatically filled in dialogs". Dialogs that expect an IP
    address and netmask no longer fill the netmask entry field
    with a netmask calculated from the IP address on the
    assumption that the address is classful.
  - Added GUI widgets for the new 'fixup' commands in PIX
    v6.3(3).
  - Added GUI support for the new logging options available
    in PIX v6.3 (syslog level and logging interval can now be
    set for an individual ACL rule).
  - Added GUI controls for setting the syslog device-id (PIX
    v6.3).
  - Added GUI controls for logging in EMBLEM format (PIX
    v6.3).
  - Added GUI controls for using ACL remarks to associate
    generated PIX ACL commands with the original rule numbers.
  - Commands "sysopt route dnat" and "sysopt security
    fragguard" are deprecated in PIX v6.3; the GUI is now
    aware of this.
  - Added GUI elements to support the PIX options "max_conns"
    and "emb_limit", used for TCP SYN flood protection and to
    limit the number of translated (NAT) connections.
- Improvements in the policy compiler for iptables:
  - Implemented Feature Request #819761: "support new
    iptables option 'icmp-admin-prohibited'". This option is
    supported in iptables 1.2.9 in combination with the target
    REJECT.
  - Changed the algorithm in the rule optimizer to improve
    policy compile speed. This significantly speeds up
    compilation of rules that create huge numbers of
    combinations of objects (typically a rule with large address
    ranges or large groups of hosts in both source and
    destination, or a large group of hosts in src or dst and a
    large group of services in srv).
  - The iptables script generated by the policy compiler fwb_ipt
    can now properly find and load kernel modules for Linux
    kernel 2.6 (module file names have the extension .ko in 2.6).
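The module lookup described above, as an added example that is not part of the generated fwb_ipt script (which is a shell script; this illustration is in Python): it searches a modules tree for a module by base name and accepts either the 2.4-style ".o" or the 2.6-style ".ko" extension. The directory layout, kernel release names and module names below are constructed for the example.

```python
"""Locate a netfilter kernel module whether it is a 2.4-style .o or a 2.6-style .ko.

Added example, not Firewall Builder code. It builds a throwaway tree shaped
like /lib/modules/<release>/... in a temporary directory and searches it for
a module name with either extension.
"""
import os
import tempfile

MODULE_EXTS = (".ko", ".o")  # 2.6 kernels use .ko, 2.4 kernels use .o


def find_module(modules_root, name):
    """Return the path of module `name` under `modules_root`, accepting any
    known extension, or None if no file with that base name exists."""
    wanted = {name + ext for ext in MODULE_EXTS}
    for dirpath, _dirs, files in os.walk(modules_root):
        for f in sorted(files):
            if f in wanted:
                return os.path.join(dirpath, f)
    return None


def build_sample_tree(root, release, files):
    """Create an empty module file for each relative path in `files`
    beneath root/<release>; returns the per-release directory.
    (Constructed sample data, not a real modules tree.)"""
    base = os.path.join(root, release)
    for rel in files:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return base


def demo():
    """Constructed trees for a 2.4 and a 2.6 kernel. Returns the basenames
    found for ip_conntrack in each tree and the result for a module that
    is absent from the 2.6 tree."""
    with tempfile.TemporaryDirectory() as tmp:
        k24 = build_sample_tree(tmp, "2.4.22",
                                ["kernel/net/ipv4/netfilter/ip_conntrack.o"])
        k26 = build_sample_tree(tmp, "2.6.0",
                                ["kernel/net/ipv4/netfilter/ip_conntrack.ko"])
        found = [find_module(k, "ip_conntrack") for k in (k24, k26)]
        missing = find_module(k26, "ip_nat_ftp")
        return [os.path.basename(p) for p in found], missing


if __name__ == "__main__":
    print(demo())
```

The search walks subdirectories because modules live several levels below the release directory, and it returns None rather than raising so a caller can decide whether a missing module is an error or merely means the feature is built into the kernel.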
- Improvements in the policy compiler for ipfilter:
  - Optimization in the policy compiler for ipfilter:
    compile speed improved for rules that generate huge numbers
    of combinations of objects (many objects in src, dst and/or
    srv). The number of generated rules changed from N^3 to 3N
    for rules with a very large number of combinations of
    objects; compile time has been reduced by the same factor.
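The two optimizer items above (the iptables rule optimizer and the ipfilter N^3 to 3N change) both concern a rule with many objects in src, dst and srv. The following added example, which is not Firewall Builder's compiler code, makes the counting concrete: it expands one such rule the naive way (one rule per (src, dst, srv) combination, N^3 rules) and the decomposed way (N + N + N rules where each set tests one dimension and hands off to the next), then checks that both forms give every sample packet the same verdict. The hand-off is modelled on iptables user-defined chains with fall-through on no match; the page does not say which mechanism the ipfilter compiler uses, so that is an assumption of the illustration. The networks, services, chain names and packets are constructed.

```python
"""Flat versus chained expansion of a rule with N objects in src, dst and srv.

Added example, not Firewall Builder code. Chain semantics are modelled on
iptables user-defined chains: a jump evaluates the target chain and, if no
rule there decides, control returns to the next rule of the caller.
"""
import ipaddress
from itertools import product

# Constructed sample objects (not from the release notes).
SRC = [ipaddress.ip_network(n) for n in ("10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24")]
DST = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")]
SRV = [("tcp", 22), ("tcp", 80), ("udp", 53)]


def flat_rules(src, dst, srv, action="ACCEPT"):
    """Naive expansion: one fully specified rule per (src, dst, srv) triple."""
    return [(s, d, v, action) for s, d, v in product(src, dst, srv)]


def chained_rules(src, dst, srv, action="ACCEPT"):
    """Decomposition: each chain tests one dimension and jumps to the next."""
    return {
        "chain_src": [(s, None, None, "JUMP chain_dst") for s in src],
        "chain_dst": [(None, d, None, "JUMP chain_srv") for d in dst],
        "chain_srv": [(None, None, v, action) for v in srv],
    }


def matches(rule, pkt):
    """None in a rule field means 'any'; pkt is (src_addr, dst_addr, service)."""
    s, d, v, _ = rule
    ps, pd, pv = pkt
    return (s is None or ps in s) and (d is None or pd in d) and (v is None or pv == v)


def eval_flat(rules, pkt, default="DROP"):
    """First matching rule wins; `default` is the chain policy."""
    for r in rules:
        if matches(r, pkt):
            return r[3]
    return default


def eval_chained(chains, pkt, chain="chain_src", default="DROP"):
    """Evaluate `chain`; a nested call returns None to signal fall-through."""
    for r in chains[chain]:
        if not matches(r, pkt):
            continue
        action = r[3]
        if action.startswith("JUMP "):
            verdict = eval_chained(chains, pkt, action.split()[1], default=None)
            if verdict is not None:
                return verdict
            continue  # nothing in the sub-chain decided: try the next rule here
        return action
    return default


def rule_counts(src, dst, srv):
    """(flat rule count, chained rule count): N^3 versus 3N for equal sizes."""
    flat = flat_rules(src, dst, srv)
    chained = chained_rules(src, dst, srv)
    return len(flat), sum(len(c) for c in chained.values())


def sample_packets():
    """Every combination of an in-set or outside address and service (4*4*4)."""
    srcs = [n[5] for n in SRC] + [ipaddress.ip_address("10.9.0.5")]
    dsts = [n[7] for n in DST] + [ipaddress.ip_address("172.16.0.1")]
    srvs = SRV + [("tcp", 443)]
    return list(product(srcs, dsts, srvs))


def equivalent(src, dst, srv):
    """True if the flat and chained forms agree on every sample packet."""
    flat = flat_rules(src, dst, srv)
    chained = chained_rules(src, dst, srv)
    return all(eval_flat(flat, p) == eval_chained(chained, p) for p in sample_packets())


if __name__ == "__main__":
    print(rule_counts(SRC, DST, SRV), equivalent(SRC, DST, SRV))
```

With three objects per field the flat form already needs 27 rules against 9 for the chained form, and the gap widens cubically; the equivalence check is what makes the decomposition safe to use, since a packet must fall through every chain it enters before the policy default applies.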
- Improvements in policy compilers for all platforms:
  - Added a check for a dynamic interface with an IP address
    child object in all policy compilers.
  - Fixed bug #827697: "Configure interfaces adds both the
    NAT and the local". The option "configure interfaces" used to
    both add the virtual addresses needed for NAT rules and
    configure the regular interfaces of the firewall. These two
    functions are now controlled by separate checkboxes in the
    "Firewall" tab of the firewall object dialog: "Configure
    interfaces" and "Add virtual addresses for NAT".
  - Implemented Feature Request #815168: "Support for
    IPTables 'IPRange'"; however, instead of using the
    patch-o-matic patch "iprange", I've implemented an algorithm
    that converts an address range into a set of networks rather
    than N hosts. This works for all policy compilers (rather
    than only for iptables) and works even if the patch "iprange"
    is not applied.
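The range-to-networks conversion mentioned above, as an added example: this is not the algorithm from Firewall Builder's compilers (the notes say one was implemented but do not show it). It covers an inclusive address range with the smallest list of aligned CIDR blocks, greedily taking the largest block that starts at the current address and stays inside the range, and cross-checks the result against the standard library's ipaddress.summarize_address_range. The sample ranges are constructed.

```python
"""Convert an address range into the smallest set of networks that covers it.

Added example, not Firewall Builder code. Works on IPv4 only.
"""
import ipaddress


def range_to_networks(first, last):
    """Cover every address from `first` to `last` (inclusive) with the
    minimal list of CIDR networks, in ascending order."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is after range end")
    nets = []
    while lo <= hi:
        prefix = 32
        # Widen the block while it stays aligned to its size and inside the range.
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))  # size of the next wider block
            if lo % size != 0 or lo + size - 1 > hi:
                break
            prefix -= 1
        nets.append(ipaddress.IPv4Network((lo, prefix)))
        lo += 1 << (32 - prefix)
    return nets


def host_count(first, last):
    """Number of individual host rules the range would need without conversion."""
    return int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1


def agrees_with_stdlib(first, last):
    """Cross-check against ipaddress.summarize_address_range."""
    ref = list(ipaddress.summarize_address_range(ipaddress.IPv4Address(first),
                                                 ipaddress.IPv4Address(last)))
    return range_to_networks(first, last) == ref


if __name__ == "__main__":
    # Constructed sample range: 18 hosts collapse to 5 networks.
    for n in range_to_networks("192.168.1.3", "192.168.1.20"):
        print(n)
    print(host_count("192.168.1.3", "192.168.1.20"))
```

The number of networks is bounded by about twice the address width (at most one block per prefix length on each side of the range), so a range covering thousands of hosts still produces only a handful of rules, and the output is exact: no address outside the range is ever covered.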
- New components:
  - Added Address Range objects "broadcast" (address
    255.255.255.255) and "old-broadcast" (address 0.0.0.0) to
    the standard objects tree. These objects are used to build
    rules permitting broadcast-based protocols such as DHCP.
  - Fixed bug #810497: "Add UDP service microsoft-rpc".
Bugs fixed in libfwbuilder API:
Bugs fixed in GUI:
- Fixed bug #811056: "Preserve tab selection". The active notebook
  tab is now "sticky" in the Firewall and Host dialogs, that is, while
  switching between different firewall objects the new dialog
  opens with the same tab active.
- Fixed bug #810400: "GUI can not show address 0.0.0.0 in
  AddressRange obj".
- Fixed bug #810000: "Druid creates wrong rule for DHCP". If the
  firewall works as a DHCP server for the local net, the rule permitting
  DHCP requests should include both the firewall object and the broadcast
  address object in the destination. This rule uses the new standard
  address range object "broadcast". The rule permitting DHCP replies
  should use only the firewall object in the source.
- Fixed bug #827688: "PIX-Network Zone Def is missing". The policy
  compiler complained that interface "outside" had no network zone
  on a new firewall object, while in fact the network zone of that
  interface was set to 'Any'.
- Fixed bug #834739: "network discovery creates bogus Policy
  objects for hosts". The network discovery druid would add Interface
  Policy objects to interfaces of Host objects discovered during a
  network crawl (SNMP).
- Fixed bug #834726: "No physical address (MAC) for dynamic
  address in wizard." The GUI would not let the user add a physical
  address (MAC address) object to an interface marked as
  "dynamic" or "unnumbered".
Bugs fixed in iptables policy compiler fwb_ipt:
- Fixed bug #811860: "IPTables Compiler Firewall IP to Input
  Chain". On a bridging firewall, rules not associated with
  interfaces should go into the INPUT/OUTPUT chains on interfaces
  that do routing and into the FORWARD chain on bridging
  interfaces. Sometimes bridging interfaces are not created in the
  GUI, so to play it safe we split the rule and put it into
  both the FORWARD and the INPUT/OUTPUT chains.
- Fixed bug #834799: "fwb_ipt: Compiler.cc:264 Assertion `o'
  failed". This error happened if a dynamic interface had an IP
  address child object which was used somewhere in a policy
  rule. The compiler issued a warning saying that this address was
  going to be ignored and removed it from the interface. If this
  address object was used in a policy rule, the assertion failed
  because the object no longer had a parent.
- Fixed bug #837236: "ipt compiler tries to find wildcard
  interfaces". Code that checks whether interfaces of the firewall
  object exist on the firewall machine should not try to find
  wildcard interfaces such as "ppp*".
- Fixed bug #828243: "bug with double NAT". A dual translation
  NAT rule (one that translates both source and destination
  addresses) that involves negation in OSrc or ODst used to
  generate code with a double negation.
- Fixed bug #830093: "Don't set custom services in NAT
  rules". Compiler fwb_ipt would ignore custom service objects in
  NAT rules.
Bugs fixed in ipfilter policy compiler fwb_ipf:
Bugs fixed in pf policy compiler fwb_pf:
- Fixed bug #822744: "fwb_pf problem". While compiling the policy
  for a firewall running on FreeBSD and using pf, the compiler would
  not define the variable PFCTL in the firewall activation script
  (the .fw file).