Firewall Builder Release Notes
Version 0.9.7
What's new in this release:
- We now support the single-floppy router/firewall
"floppyfw" (http://www.zelow.no/floppyfw/index.html).
See file README.floppyfw in the doc directory for
instructions. We provide an install script for floppyfw, so
the generated firewall script can be conveniently written to the floppyfw
floppy disk with just a few clicks of the mouse. The install script
and documentation are packed in a separate RPM called
fwbuilder-floppyfw
- Changes in data structures.
The following new attributes have been added to XML DTD:
- Attribute "label", which provides a way to assign an
alternative name to an Interface. This attribute allows for
assigning descriptive labels to interfaces, such as
"inside", "outside", "dmz"
- Each interface now has a new attribute called
"security_level". The security level is an integer
between 0 and 100, where 0 represents the least secure
and 100 the most secure interface. Some firewall platforms (namely
Cisco PIX) use this concept. The old flag "external" corresponds
to security zone "0". Conversion from the old data format to the
new one is transparent and happens automatically when the data
file is loaded in the fwbuilder GUI v0.9.7 for the first
time
- Attribute "physAddress" added to Interface. This
attribute represents the physical address of the interface. For
Ethernet this is its MAC address
- New options and features added for iptables:
- "Clamp MSS to MTU" is supported
- New macro for custom log prefix: "%I" is replaced with the
interface name
- the code for adding static ARP entries uses the /sbin/ip
tool. The iproute package seems to be standard in all major
Linux distributions, so this should not be a problem
- the firewall script generated by fwb_iptables turns off IP
forwarding before removing all rules and turns it on only
after all rules have been added
- implemented filtering by MAC addresses (feature request
#478087)
- the firewall script makes a log record when activated (feature
request #476517)
- the compiler can now optimize the generated script for repeating
source or destination addresses. It generates a special
user-defined chain, so the source or destination address is
checked only once in the INPUT/OUTPUT/FORWARD chains. If there
are multiple rules with the same source or destination
address, all further checks are done in the dedicated chain
- the compiler can also use the "multiport" module to collapse
multiple script lines together if all parameters are the
same and only the port numbers differ
- the compiler adds an implied iptables rule to accept
ESTABLISHED and RELATED packets only if the checkbox in the firewall
dialog called "Accept ESTABLISHED and RELATED packets" is
checked. This implied rule is always added at the top of the
policy script and inspects all packets before any other
rule defined by the user. If this behavior is undesired, the
checkbox "Accept ESTABLISHED and RELATED packets" should be
unchecked and a rule using the service "ESTABLISHED" should be
added to the policy by hand. This rule can be placed at any
appropriate position in the policy, so it won't match packets
matched by rules above it.
- A predefined standard service called "ESTABLISHED" is now
part of the standard objects database coming with Firewall
Builder. This service object is added to existing xml files
when the file is loaded in the GUI v0.9.7 for the first
time. This service adds a rule which matches ESTABLISHED
and RELATED packets, as defined by the ip_conntrack module
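To make the script layout described above concrete, here is a toy model of the generated script's ordering (forwarding off, flush, implied ESTABLISHED/RELATED rule on top, user rules, forwarding on) together with the user-defined-chain and multiport optimizations. It is an added illustration, not Firewall Builder's own compiler; the chain naming scheme, the /proc/sys sysctl lines and the sample policy are my own assumptions.

```python
# Toy model of the optimizations listed above (added illustration, not Firewall
# Builder's code). Rule = (chain, src, dst, proto, dport, action); None = any.
from collections import Counter

def collapse_multiport(rules):
    """Merge rules that differ only in the port into one --multiport rule."""
    groups = {}
    for chain, src, dst, proto, dport, action in rules:
        groups.setdefault((chain, src, dst, proto, action), []).append(dport)
    out = []
    for (chain, src, dst, proto, action), ports in groups.items():
        if len(ports) > 1 and all(ports):
            out.append((chain, src, dst, proto, ",".join(ports), action))
        else:
            out.extend((chain, src, dst, proto, p, action) for p in ports)
    return out

def compile_rules(rules, implied_established=True):
    """Return the commands a generated firewall script would run, in order."""
    cmds = ["echo 0 > /proc/sys/net/ipv4/ip_forward",  # forwarding off before flush
            "iptables -F", "iptables -X"]
    if implied_established:  # implied rule sits on top, before any user rule
        for ch in ("INPUT", "OUTPUT", "FORWARD"):
            cmds.append(f"iptables -A {ch} -m state --state ESTABLISHED,RELATED -j ACCEPT")
    rules = collapse_multiport(rules)
    # a repeated source gets a user-defined chain (my naming): matched once, rest checked there
    repeated = {k for k, n in Counter((r[0], r[1]) for r in rules).items() if k[1] and n > 1}
    bodies = {}
    for chain, src, dst, proto, dport, action in rules:
        m = (f" -d {dst}" if dst else "") + (f" -p {proto}" if proto else "")
        if dport:
            m += f" -m multiport --dports {dport}" if "," in dport else f" --dport {dport}"
        if (chain, src) in repeated:
            name = chain + "_" + src.replace(".", "_").replace("/", "_")
            if name not in bodies:  # create chain and jump at first use, keeping rule order
                bodies[name] = []
                cmds += [f"iptables -N {name}", f"iptables -A {chain} -s {src} -j {name}"]
            bodies[name].append(f"iptables -A {name}{m} -j {action}")
        else:
            cmds.append(f"iptables -A {chain}{' -s ' + src if src else ''}{m} -j {action}")
    for body in bodies.values():
        cmds.extend(body)
    cmds.append("echo 1 > /proc/sys/net/ipv4/ip_forward")  # forwarding on only at the end
    return cmds

SAMPLE_RULES = [  # constructed example policy
    ("INPUT", "192.168.1.0/24", None, "tcp", "22", "ACCEPT"),
    ("INPUT", "192.168.1.0/24", None, "tcp", "80", "ACCEPT"),
    ("INPUT", "192.168.1.0/24", None, "udp", "53", "ACCEPT"),
    ("FORWARD", "10.0.0.5", "10.0.0.6", "tcp", "443", "ACCEPT"),
    ("INPUT", None, None, None, None, "DROP")]
```

Printing compile_rules(SAMPLE_RULES) shows the source 192.168.1.0/24 matched once in INPUT, the two tcp rules collapsed into one multiport line, and the forwarding toggles bracketing the whole script.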
- New functions and features in GUI:
- The GUI can copy rules between Global and Interface policies
and between different firewall objects
- Added basic support for foreign locales
- Implemented an alternative object quick view method: hovering
the mouse over an object's icon in the policy can show its
properties either on the status bar or in a tooltip window
- Object "Host" has a new parameter - its MAC address.
- Dependency on Gnome libraries has been eliminated
completely; Firewall Builder now needs only GTK and
GTK--. This makes it possible to port Firewall
Builder to other OS, including MS Windows. This also
should make it a lot easier to run it on Linux systems
with KDE.
Bugs fixed in iptables compiler:
- #478444: implemented a workaround for a bug in iptables 1.2.3
which caused an error when the log level was specified by name. Now the log
level can be specified either by name or by number
- #475155: the compiler generated incorrect code for REDIRECT NAT
rules with negation
- #476520, #480473: avoid duplicates when adding static ARP
entries or alias addresses for certain NAT rules
- #480410: the optimizer used to remove NAT rules with the same
address in both source and destination. This caused problems in
certain network configurations where an SNAT rule was necessary to
support translation for connections from the internal net to a server
on the same net, using its external URL
- #480658: code optimization can now be turned off for NAT rules
- #480801: removed a memory leak in the compiler; tested on a policy with
lots of rules
Bugs fixed in GUI:
- #472344: icon for negated service was corrupted
- #472677: object properties shown in the tree were not updated
when the object had been edited
- #472678: pop-up menu and object quick view overlap