Firewall Builder Release Notes
Version 1.0.5
GUI and compilers v1.0.5 require API library libfwbuilder version 0.10.9
Summary
This release delivers long-awaited support for virtual addresses on
interfaces and other improvements, and fixes bugs discovered during
the testing of the previous version.
For those who wish to build from source, instructions are outlined
in the document "Requirements" on our web site.
What's new
- Support for virtual addresses (see below).
- Added French and German translations in policy compilers.
- The GUI shows a warning dialog if the user tries to load a data file
  with firewall objects configured for a platform whose support has
  not been installed. The GUI also shows a warning if it is started on
  a system where no modules supporting target firewall platforms are
  installed.
- On FreeBSD and OpenBSD fwbuilder uses the lwres library for
  thread-safe DNS calls. This library comes as part of the bind 9.1.3
  port (and newer). The daemon lwresd must be running for the library
  functions to work; the fwbuilder GUI issues a warning if the daemon
  is not running. Unfortunately, object discovery via DNS zone
  transfers does not work on FreeBSD and OpenBSD because no library
  providing functions for zone transfers is available there.
- Firewall scripts generated by the compilers call command-line tools
  (iptables, logger, ip etc.) using their explicit full directory path
  and file name. The GUI provides controls so that the user can change
  the path if tools are located in a non-standard place.
- The GUI automatically sorts branches in the tree when objects are
  renamed or new ones are inserted.
- New additions to the collection of standard objects that comes with
  the program.
- Using glademm 1.1.1b.
Notes on virtual interfaces
Data files created in previous versions of Firewall Builder are
automatically converted when loaded in fwbuilder GUI. All host and
firewall objects get address objects added to their
interfaces. Newly created address objects are named after their
parent host or firewall objects; this seems to be a reasonable
default since it makes it easier to distinguish address objects
when they are used in firewall policy rules. On the other hand,
you may need to rename address objects that belong to firewall
interfaces since they all are going to have the same name (that of
the firewall).
It may take some getting used to the new tree structure,
especially if address objects have the same name as their host or
firewall parent objects. I am going to add icons in the tree
in the future versions.
- Interfaces appear in the tree as regular objects. A new interface
  can be created either using the main menu "Insert" or the popup menu
  that appears when the user right-clicks the host or firewall object
  in the tree.
- Addresses appear in the tree as child objects of interfaces. A new
  address can be created either using the main menu "Insert" or the
  popup menu in the tree.
- The popup menu in the tree is context-sensitive and presents items
  that create interfaces only if it is called on a host or firewall
  object. Likewise, it presents an item that creates an address object
  only if it is called on an interface object.
- Main menu items "Insert/Host" and "Insert/Firewall" call a simple
  two-page Druid which facilitates adding interfaces for the object
  being created.
- One interface of the Firewall can be marked as "management
  interface". The management interface is used for all communications
  between the GUI and the firewall machine.
- Interfaces are shown using their labels in the tree. If the label is
  blank, the interface name is used instead.
What's new in policy compiler for iptables
- Optimized processing of negation in Src, Dst and Srv for the case
  where the rule element holds a single object (using '!').
- Implemented Feature req. #514507: ability to change the logging
  level in rule options.
- Implemented support for the ULOG target (Feature req. #591486).
- Implemented the "log all" global logging option per Feature
  req. #481670.
- Better code for the "ip addr add" and "ip addr flush" commands,
  suggested by Jeremy Bouse.
What's new in all policy compilers
The firewall script generated by the policy compiler calls command-line
tools such as 'ip', 'iptables', 'logger', 'pfctl', 'ipf', 'ipnat'
etc. using their full directory path and file name. The program
can generate correct default paths for these programs on Debian,
Mandrake, RedHat, SuSE, FreeBSD, OpenBSD and Solaris; the GUI provides
controls so that the user can make changes if these tools are located
in non-standard places.
Bugs fixed in libfwbuilder API:
- bug #594656: outbound rule shades inbound rule
- bug #554286: crawler discovered multicast addresses and created
  objects
Bugs fixed in GUI:
- bug #589767: added missing text to *.po files
- bug #589763: made tree auto-resizable in Options dialog
- bug #589768: proper handling of plurals in translated text
- bug #589769: missing translations for column titles in Policy and
  NAT widgets
- bug #590029: when duplicating a firewall, the new firewall had no
  platform ("Unknown/Unknown") even if the original firewall had one
- bug #593234: running in the German locale caused the "help me build
  policy" Druid to produce incorrect rules (XML attribute "direction"
  was translated)
- bug #592396: GUI behaved erratically if menu item "add rule after
  current" was used on an empty policy
- bug #597285: GUI crash when opening the "Interfaces" tab in the
  firewall dialog
Bugs fixed in iptables policy compiler fwb_ipt:
- bug #590691: logger was assumed to be in /usr/bin
- bug #590690: incorrect processing of action_on_reject "TCP RST" in
  combination with logging
- bug #596255: log-prefix missing in rules with the 'limit' option
- bug #594093: wrong TZ name in the generated script
- bug #596349: wrong netmask in virtual addresses added by the
  compiler
- bug #596430: compiler ignored more than one custom object used in a
  ServiceGroup or together in one rule element
- bugs #596983 and #603470: multiport requires the options
  --source-ports and --destination-ports (and no longer recognizes
  "--destination-port" and "--source-port") starting with iptables
  v1.2.6 and newer
- bug #597418: problems with iptables commands generated for MAC
  filtering
- bug #597296: added netmask and broadcast specification to the "ip
  addr add" command generated by fwb_ipt
- bug #597418: compiler placed code into chain OUTPUT if a MAC address
  match was requested for a Host with a dynamic interface
- bug #599454: module 'time' requires specification of all three
  parameters: --timestart, --timestop and --days
- bug #599650: missing protocol option ("-p") in SNAT/DNAT/REDIRECT
  rules with translated port specification
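As an added example (not part of these release notes or the fwbuilder code base), a small Python checker that scans lines of a generated iptables script for three of the defects fixed above: old multiport option names (bugs #596983 and #603470), a 'time' match missing one of its three parameters (bug #599454), and a NAT target that rewrites a port without "-p" (bug #599650). The sample script lines are constructed for illustration and are not real compiler output.

```python
import shlex

# Constructed sample in the style of an fwb_ipt-generated script (not real
# compiler output): odd lines show each defect, even lines the corrected form.
SAMPLE_SCRIPT = """\
/sbin/iptables -A INPUT -p tcp -m multiport --destination-port 22,80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m multiport --destination-ports 22,80 -j ACCEPT
/sbin/iptables -A FORWARD -m time --timestart 09:00 --timestop 17:00 -j ACCEPT
/sbin/iptables -A FORWARD -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -d 192.0.2.10 -j DNAT --to-destination 10.0.0.5:8080
/sbin/iptables -t nat -A PREROUTING -p tcp -d 192.0.2.10 -j DNAT --to-destination 10.0.0.5:8080
"""

NAT_TARGETS = ("SNAT", "DNAT", "REDIRECT")

def _value_after(args, opt):
    """Argument following opt, or None if opt is absent or the last token."""
    i = args.index(opt) + 1 if opt in args else len(args)
    return args[i] if i < len(args) else None

def check_line(line):
    """Return a list of problem descriptions for one iptables command line."""
    args = shlex.split(line)
    problems = []
    modules = {args[i + 1] for i, a in enumerate(args[:-1]) if a == "-m"}
    # bugs #596983/#603470: multiport option names changed in iptables 1.2.6
    if "multiport" in modules:
        for old in ("--source-port", "--destination-port"):
            if old in args:
                problems.append(f"multiport: {old} must be {old}s (iptables >= 1.2.6)")
    # bug #599454: the time module requires all three parameters
    if "time" in modules:
        missing = [o for o in ("--timestart", "--timestop", "--days") if o not in args]
        if missing:
            problems.append("time: missing " + ", ".join(missing))
    # bug #599650: a NAT target that rewrites a port needs an explicit -p
    target = _value_after(args, "-j")
    if target in NAT_TARGETS:
        to_addr = _value_after(args, "--to-source") or _value_after(args, "--to-destination")
        rewrites_port = "--to-ports" in args or (to_addr is not None and ":" in to_addr)
        if rewrites_port and "-p" not in args:
            problems.append(f"{target}: port translation without -p")
    return problems

def lint_script(text):
    """Return [(line_no, problems), ...] for lines that have at least one problem."""
    lines = enumerate(text.splitlines(), 1)
    found = [(n, check_line(l)) for n, l in lines if l.strip() and not l.startswith("#")]
    return [(n, p) for n, p in found if p]
```

Running lint_script(SAMPLE_SCRIPT) flags lines 1, 3 and 5 and leaves the corrected even lines clean.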
Bugs fixed in ipfilter policy compiler fwb_ipf:
- bug #601069: fwb_ipf could not compile a DNAT rule with ODst "any";
  also implemented support for "from"/"to" in rdr rules