Firewall Builder Release Notes
Version 1.0.1
GUI v1.0.1 requires API library libfwbuilder version 0.10.5
Summary
This version incorporates fixes for bugs filed in January and February
of 2002, as well as some new features. Among other additions comes
support for the OpenBSD pf and ipf (ipfilter) packet filters. See below
for details.
We have started work on the policy management framework, which will
provide a mechanism for installing policy on a remote firewall. The
GUI will authenticate to the daemon running on the remote firewall
using a public/private key pair. This version comes with experimental
support for key and certificate management in the "Options" dialog.
The rest will become available in stages as we approach 1.1.
We have also started a Windows port of Firewall Builder. Parts of the
code already work on the win32 platform; some more work is needed to
complete it.
In anticipation of wide distribution of gcc 3.0 we have done extensive
testing to make sure both libfwbuilder and fwbuilder compile well with
gcc 3.0 and g++ 3.0.
What is new in the API library
- API now supports the AddressRange object type
- API includes new classes for firewall management and policy
  deployment via the firewall management daemon (fwbd, in the
  process of development) or via the old-style install script.
- API includes new classes for writing policy compilers and for
  OS configuration
- The autoupgrade XSLT script makes the following changes to the
  user's data files:
    - changes the fwbuilder object database version from v0.10.4 to
      v0.10.5
    - adds group "Address Ranges" (ID='stdid14')
    - adds subelement Management to Host and Firewall and moves
      attributes snmp_read_community and snmp_write_community to
      Management/SNMPManagement
    - moves attributes inst_script and inst_cmdline to the element
      PolicyInstallScript
    - fixes Interface elements whose address element is an empty
      string
    - adds the missing TCP flags 'PSH' and 'URG' to all TCPService
      elements
    - changes platform name 'ipfilter' -> 'ipf'
- Work is being done to port the API to the win32 platform
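The following is an added illustration of the data-file upgrade listed above, written for these notes and not the project's own XSLT script. It applies the same seven changes with Python's ElementTree to a small, constructed 0.10.4-style document. Only the names the release notes quote (Management/SNMPManagement, PolicyInstallScript, stdid14 / "Address Ranges", snmp_read_community, snmp_write_community, inst_script, inst_cmdline, PSH/URG, 'ipfilter' -> 'ipf') are taken from the page; the root tag, the element nesting, the flag attribute spelling (psh_flag / psh_flag_mask) and the placement of PolicyInstallScript under Management are assumptions made for the example.

```python
# Added example (not the project's XSLT script): a Python sketch of the
# 0.10.4 -> 0.10.5 data-file upgrade, run on a constructed sample document.
# Assumed: root tag FWObjectDatabase, top-level <Group> elements, flag
# attributes named psh_flag/psh_flag_mask, PolicyInstallScript under Management.
import xml.etree.ElementTree as ET

OLD_VERSION = "0.10.4"
NEW_VERSION = "0.10.5"
SNMP_ATTRS = ("snmp_read_community", "snmp_write_community")
INSTALL_ATTRS = ("inst_script", "inst_cmdline")

# Constructed sample input in the old format (layout is an assumption).
SAMPLE_0_10_4 = """\
<FWObjectDatabase version="0.10.4">
  <Firewall id="fw1" name="gw" platform="ipfilter"
            snmp_read_community="public" snmp_write_community="private"
            inst_script="/usr/local/bin/fwb_install" inst_cmdline="-v">
    <Interface id="i1" name="ne3" address="192.0.2.1"/>
    <Interface id="i2" name="lo0" address=""/>
  </Firewall>
  <Host id="h1" name="www" snmp_read_community="public"/>
  <TCPService id="s1" name="ssh" syn_flag="1" syn_flag_mask="1"/>
</FWObjectDatabase>
"""


def _subelement_path(elem, *tags):
    """Return the nested child elem/tags[0]/tags[1]/..., creating missing levels."""
    for tag in tags:
        child = elem.find(tag)
        if child is None:
            child = ET.SubElement(elem, tag)
        elem = child
    return elem


def move_attributes(elem, names, *path):
    """Move the named attributes of elem onto the subelement at path.
    Attributes the element does not carry are skipped, so the function is
    safe to run on objects that only have some of them."""
    target = _subelement_path(elem, *path)
    for name in names:
        if name in elem.attrib:
            target.set(name, elem.attrib.pop(name))
    return target


def upgrade(xml_text):
    """Apply the 0.10.4 -> 0.10.5 changes and return the new root element.
    Any other version is refused, so the script cannot be run twice on one file."""
    root = ET.fromstring(xml_text)
    if root.get("version") != OLD_VERSION:
        raise ValueError("expected data file version %s, got %r"
                         % (OLD_VERSION, root.get("version")))
    root.set("version", NEW_VERSION)

    # New standard group for the AddressRange object type (assumed: top-level <Group>).
    if root.find("Group[@id='stdid14']") is None:
        ET.SubElement(root, "Group", id="stdid14", name="Address Ranges")

    # Host and Firewall: SNMP communities move into Management/SNMPManagement.
    for tag in ("Host", "Firewall"):
        for obj in list(root.iter(tag)):
            move_attributes(obj, SNMP_ATTRS, "Management", "SNMPManagement")

    for fw in list(root.iter("Firewall")):
        # Install script settings move into PolicyInstallScript (assumed location).
        move_attributes(fw, INSTALL_ATTRS, "Management", "PolicyInstallScript")
        # Platform rename.
        if fw.get("platform") == "ipfilter":
            fw.set("platform", "ipf")

    # Interfaces with an empty address: drop the empty attribute (assumed fix).
    for iface in root.iter("Interface"):
        if iface.get("address") == "":
            del iface.attrib["address"]

    # TCPService: add the previously missing PSH and URG flags, unset by default.
    for svc in root.iter("TCPService"):
        for flag in ("psh_flag", "urg_flag"):
            svc.attrib.setdefault(flag, "0")
            svc.attrib.setdefault(flag + "_mask", "0")
    return root


def upgrade_text(xml_text):
    """Convenience wrapper returning the upgraded document as a string."""
    return ET.tostring(upgrade(xml_text), encoding="unicode")


if __name__ == "__main__":
    print(upgrade_text(SAMPLE_0_10_4))
```

The version check at the top is the part worth copying into any migration of this kind: a transform that moves attributes is not idempotent in general, and refusing files that are not exactly at the source version is what keeps a second run from silently producing a third layout.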
What is new in the GUI
- GUI now uses gdk_pixbuf instead of the imlib library for image
  rendering
- Dialog "Options" provides an interface for the key and certificate
  management system. These keys will be used in the future to
  authenticate to the fwbd daemon running on the remote firewall machine.
- GUI now supports a new object type: Address Range. Not all
  policy compilers support it yet, though.
- GUI now provides all the elements necessary to support the PIX
  policy compiler (network zones, security levels on interfaces,
  etc).
- GUI provides all the elements necessary to support the policy
  compilers for OpenBSD pf and ipf.
- Support for the previously missing TCP flags PSH and URG has been
  added to the GUI
- GUI has been corrected to work properly with gtk+ 1.2.10 and
  gtkmm 1.2.8
- Added support for the --limit-burst option for iptables in the
  rule options dialog
Policy compiler for OpenBSD PF
This is the initial release of the policy compiler for OpenBSD pf.
This compiler is the first to use our new compiler framework
classes. The code has been tested on OpenBSD 3.0.
Code status: beta
What is supported:
- both pf.conf and nat.conf files are generated
- negation in policy rules
- grouping in "from", "to" and in ports using '{' '}'
- a rule with "scrub" policy is generated if the object
  ip_fragments is used as the service and the action is Deny or Reject
- turning off stateful inspection in rule options
- choice of icmp or tcp rst replies for rules with action
  "Reject"
- matching on TCP flags
- the compiler can generate commands to add a virtual address to the
  firewall if a NAT rule requires translation to or from an address
  which does not belong to any interface
What is not supported (yet):
- Address ranges in both policy and NAT
- negation in NAT
- custom services
- setting the flags "no-df", "min-ttl" and "allow-opts" via
  rule options
Policy compiler for ipf (ipfilter)
This is the initial release of this version of the policy compiler for
ipf. The code is based on our new compiler framework
classes. We tested on FreeBSD 4.4 with ipf v1.3.20.
Code status: beta
What is supported:
- both ipf.conf and nat.conf files are generated
- negation in policy rules (using 'skip')
- a rule with the ip option 'short' is generated if the object
  ip_fragments is used as the service
- turning off stateful inspection in rule options
- choice of icmp or tcp rst replies for rules with action
  "Reject"
- matching on TCP flags
- the compiler can generate commands to add a virtual address to the
  firewall if a NAT rule requires translation to or from an address
  which does not belong to any interface
What is not supported (yet):
- Address ranges in both policy and NAT
- negation in NAT
- custom services
OS where Firewall Builder can configure networking parameters in the kernel
Firewall Builder can generate a script to configure network parameters
for certain OS. These are:
- Linux (kernels 2.4.x)
- OpenBSD 3.0
- FreeBSD (tested on 4.4, perhaps will work on 4.5)
- Solaris (tested on Solaris 8)
At the moment only a few parameters can be configured for each OS;
we plan to expand the list in the future.
Supported OS and firewall platforms
Operating Systems Firewall Builder has been ported to:

OS         | Compiler | GUI and policy compilers
-----------|----------|---------------------------------------------
Linux      | gcc 2.96 | compile and work
Linux      | gcc 3.0  | compile but do not link, need more testing
Solaris 8  | gcc 2.95 | compile and work
FreeBSD    |          | compile, need more testing
OpenBSD    |          | not tested
Win32      |          | compile but need more work
Matrix of supported OS and firewall platforms:

OS                   | iptables | ipf | pf
---------------------|----------|-----|-----
Linux (kernel 2.4.x) | yes      | n/a | n/a
Solaris              | n/a      | yes | n/a
FreeBSD 4.4 (4.5)    | n/a      | yes | n/a
OpenBSD 3.0          | n/a      | yes | yes
Bugs fixed in GUI:
- #502534: segmentation fault during certain operations with
  Copy/Paste in groups
- #511271 (copy of Debian bug #130789): crash if the user tries to
  delete a Service or Time from the user tree using Cut from the
  level above, instead of 'Cut Object' from the Edit menu.
- #504109: hang on `Edit' of an object in a changed rule
- #516028: comments don't copy
- #520845: configure fails on Solaris
- #521545: extra brackets in the call to
  GroupIconList->drag_data_received.connect broke the compile
  with g++ 3.
- #532432: some fields do not accept keypad digits. This was also
  Debian bug #140330 (fwbuilder: can't set interface address
  with numpad).
Bugs fixed in iptables policy compiler:
- #511868: duplicated "-f" generated for the ip_fragment service if
  both "all fragments" and "'short' fragments" were checked
- #507209 and #507972: the "accept source route" and other OS
  options were not correctly handled by the compiler
- #501021: the optimizer should not suppress the destination address
  if it is a broadcast
- #511260 (copy of Debian bug #131637): fwbuilder could
  incorrectly re-use iptables rule names when trying to optimize
  common sources and destinations.
- #511296: the generated "ip addr ..." commands used to remove IPv6
  addresses from interfaces
- (no number) fixed a bug which caused the iptables policy compiler to
  ignore multiple objects in the "Time" rule element if optimization
  was enabled.
- #516033: tcp-flags: added the missing flags PSH and URG
- #516378: correct matching of broadcast for iptables if the
  destination is the firewall with negation
- #520886: multi-line string literals cause a warning if the code is
  compiled with gcc 3
- #523652: "destination to myself: rule in forward". The compiler now
  checks whether the destination address in the rule is the same as
  an address of one of the firewall's interfaces (such a rule should
  go into the INPUT chain).
- #527187: %I in Generic Log Prefix: compiler dumps core
- #530133: POSTROUTING rule contains a trailing colon (certain NAT
  rules caused the compiler to generate code with an extra ':' after
  --to-source ADDRESS)