mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-24 04:07:55 +01:00

release notes 4.1.3 fixed #1839

Vadim Kurland 2010-11-11 17:17:20 -08:00
parent 82ae242fae
commit d782d648ec


@ -0,0 +1,346 @@
<h1>Firewall Builder 4.1.3 Release Notes</h1>
<p>
</p>
<p>
<a href="https://sourceforge.net/tracker/?atid=1129518&group_id=5314">SourceForge: Tickets for V4</a>
</p>
<p>
</p>
<p>
v4.1.3 has been tested, and we believe it to be ready for production
use, but if you do find a bug or issue please let us know.
</p>
<a name="gui"></a>
<h2>GUI Updates</h2>
<ul>
<li>
<p>
see #1823 "Add Preference option for Advanced / Power users".
Added checkbox to the Preferences dialog, this checkbox turns
off some tooltips that can be annoying for users who are
sufficiently familiar with the GUI
</p>
</li>
<li>
<p>
see #1787 "new fw name input field should have focus when new
firewall wizard opens"
</p>
</li>
<li>
<p>
code refactoring: see #1822 "refactor all GUI classes into
libgui library and link executable with it"
</p>
</li>
<li>
<p>
code refactoring: see #1826 "Please place all unit tests in one
directory". All GUI and other unit tests moved to the
directory src/unit_tests
</p>
</li>
<li>
<p>
see #1809 "Add Firewall Setting in Logging settings for default
log setting on new rules". Added a tab "Policy Rule" to the
"Objects" page of the global preferences dialog; checkbox in
this tab allows the user to choose whether new policy rules
should be created with logging turned on or off.
</p>
</li>
<li>
<p>
See #1832, SF bug 3097419 "installer uses bare IP address
instead of putty session name". It appears pscp.exe on Windows
can use putty session name in place of the host name. This
change restores old behavior where session name was used like
that but does it for both plink.exe and pscp.exe. This only
affects users who run fwbuilder GUI on Windows
</p>
</li>
<li>
<p>
fixed #1837 "generated script gets .fw suffix even when user set
output file name". Suffix .fw should not be appended to the name
entered by the user in the "output file name" input field in the
firewall settings dialog.
</p>
</li>
<li>
<p>
</p>
</li>
<li>
<p>
</p>
</li>
<li>
<p>
</p>
</li>
<li>
<p>
</p>
</li>
<li>
<p>
</p>
</li>
<li>
<p>
</p>
</li>
</ul>
<a name="std_lib"></a>
<h2>Changes and improvements in the library of standard objects</h2>
<ul>
<li>
<p>
added ICMPv6 object "parameter problem" (type 4, any code) per
SF feature request 3094743. Also added service group object
"ipv6 unreachable messages" that includes ICMPv6 messages
"destination unreachable", "packet too big", "parameter problem"
and "time exceeded" per SF feature request 3094758
</p>
</li>
</ul>
<a name="iptables"></a>
<h2>Changes in support for iptables</h2>
<ul>
<li>
<p>
fix for the SF bug #3095615 "reopen no PREROUTING rule with
*-Interface - ID: 3077132". Configlet used wrong shell variable
to access ip address of a wildcard interface.
</p>
</li>
<li>
<p>
fixed #1820 "skip module "nf_conntrack_ipv6" if generated script
has no ipv6 rules" Shell function load_modules should not try to
load module nf_conntrack_ipv6 if generated script does not load
any ipv6 rules. Loading this module fails if ipv6 has been
disabled in the kernel.
</p>
</li>
<li>
<p>
fixed SF bug 3091069: "Routing configuration failed". Iptables
script generated by fwbuilder did not configure broadcast when
it added ip addresses to interfaces. Using "ip addr add ADDR/NM
boradcast + dev INTF" syntax to do this.
</p>
</li>
<li>
<p>
implemented SF feature request 3094738 "Set the HL to 255 for
IPv6 Neighbor Discovery". Neighbor discovery packets must have
hop limit of 255 per RFC 2461. Automatically generated rules
that match neighbor discovery packets will math hooplimit 255.
</p>
</li>
<li>
<p>
fixed SF bug 3094273 "no state needed for ipv6-icmp in
ip6tables". Rules that match ICMPv6 objects should be
stateless. Compiler will check for this and reset "stateful"
flag of a rule and issue warning if the rule was built stateful
in the GUI. This could be version-dependent, we may need to
revisit this in the future when netfilter fixes the underlying
issue. Some resources:
https://bugzilla.redhat.com/show_bug.cgi?id=243739
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/479105
</p>
</li>
<li>
<p>
fixed SF bug 3090249 "fwb_ipt ignores -d option ". Documented
behavior is for the compiler to create files in the directory
specified by the argument of the "-d" command line flag. If flag
"-d" is not provided, files should be created in the current
directory.
</p>
</li>
<li>
<p>
fixed #1824 "should not try to verify wildcard interfaces".
</p>
</li>
<li>
<p>
fixed #1838 "function configure_interfaces() does not manage ip
addresses of vlan interfaces". This function used to take into
account only interfaces that were direct children objects of the
firewall. Since vlan interfaces are children of the
corresponding physical interface, they were not included.
</p>
</li>
<li>
<p>
fixed SF bug 3103582 "Cant create redirect rule in cluster
firewall object". Iptables nat rule with target REDIRECT could
not be built in a cluster configuration. It should be possible
to do this by putting cluster object in Translated Destination.
</p>
</li>
<li>
<p>
</p>
</li>
<li>
<p>
</p>
</li>
<li>
<p>
</p>
</li>
</ul>
<a name="pf"></a>
<h2>Support for PF</h2>
<ul>
<li>
<p>
fixed #1807 "wrong order of address assignment in the generated
OpenBSD/PF/CARP cluster configuration". Need to assign ip
addresses to regular interfaces before trying to assign them to
carp interfaces.
</p>
</li>
</ul>
<a name="ipf"></a>
<h2>Support for ipfw</h2>
<ul>
<li>
<p>
fixed #1836 "installer hangs and fails after activation of ipfw
policy". As soon as .fw script swapped ipfw sets usig command
"ipfw sawp" and deleted temporary set 1, ssh session would hang
and eventually break. We optionally add ipfw rules to permit ssh
session used to manage the firewall, as well as a rule to permit
reply packets but the latter rule was not built correctly. It
should match source and destination reversed, as well as match
keyword "established" and recreate state with "keep-state". This
rule automatically recreates state for the established ssh
session over which firewall policy is being managed. Also added
a comment to the firewall settings dialog for ipfw to remind the
user that address or subnet they use with this automatic rule
should be as narrow as possible.
</p>
</li>
</ul>
<a name="ios"></a>
<h2>Changes in support for for Cisco IOS ACL</h2>
<ul>
<li>
<p>
see #1834 Fixed matching algorithm that determins which
interface a rule should be associated with for Cisco IOS
ACLs. Previously compiler did not compare subnets properly and
because of that it interpreted some configurations
incorrectly. For example in the case with a network object
10.0.0.0/8 in "source" and an interface with address 10.0.0.1/24
(network should not be considered matching) compiler considered
this interface matching and assigned the rule to the interface
only with direction "inbound".
</p>
</li>
</ul>
<a name="pix"></a>
<h2>Changes in support for for Cisco ASA (PIX)</h2>
<ul>
<li>
<p>There are no changes in the support for ASA in this release
</p>
</li>
<li>
<p>
</p>
</li>
<li>
<p>
</p>
</li>
</ul>
<a name="procurve"></a>
<h2>Support for HP ProCurve</h2>
<ul>
<li>
<p>There are no changes in the support for HP ProCurve in this release
</p>
</li>
</ul>
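Review bot: the command text quoted in the iptables and ipfw entries is misspelled, and readers will copy it from release notes: "boradcast" in "ip addr add ADDR/NM boradcast + dev INTF" should be "broadcast", "ipfw sawp" should be "ipfw swap", and "will math hooplimit 255" should read "will match hop limit 255". The same pass should fix "usig", "determins", and the doubled "for for" in both Cisco headings. The empty list items (an li holding only an empty p) render as blank bullets: there are six at the end of GUI Updates, three at the end of the iptables section and two after the ASA entry, and they should be removed before this ships. The anchor on the ipfw section is named "ipf" while the heading says ipfw; naming it "ipfw" would match the pattern of the other anchors. In the ipfw entry, the sentence "It should match source and destination reversed" is ambiguous about whether it describes the old broken rule or the fixed one; say explicitly that the corrected reply rule now does this.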