fixes#1234 When failover group object is used in the rule, rule
gets placed in FORWARD chain. Working implementation follows these
rules: 1) if cluster interface obejct is used in the rule, it is
expanded to the set of addresses including cluster virtual IP
address and all addresses of the corresponding member firewall
interface; 2) Failover Group is treated as any regular object
group. Expanding Failover group to the address of its
parent (cluster interface) would work but seems counter-intuitive
fixes#1231 rules are placed FORWARD chain if firewall object is
"bridging firewall". This bugfix concerns specific rule
configuration used with bridging firewall where firewall object or
one of its interfaces is used in "destination" and an interface
which is not a bridge port is in the "interface" rule column. Rule
like this should go into INPUT chain but compiler used to splut it
and put generated iptables rules in both INPUT and FORWARD chains.
Rule should be placed in the FORWARD chain only if interface in
"interface" column is bridge port. The same algorithm also applies
to rules with firewall or one if its interfaces in the "Source"
column.
New feature: incremental management of pfsync0 interface on
OpenBSD. The script checks if interface exists and if not, it runs
"ifconfig pfsync0 create" command to create it. If interface
exists, the script only runs ifconfig to configure its parameters
but does not try to create it again. If State Synchronization
group object is deleted in fwbuilder GUI, interface pfsync0 will
be deleted on the firewall by the script.
New feature: generated script adds and removes CARP interfaces
incrementally. This means it is not going to run ifconfig command
to create carp interface if it is already there and will run
"ifconfig carp1 destroy" command if interface carp1 has been
removed in fwbuilder GUI to delete it on the firewall.
New feature: incremental VLAN interface management for OpenBSD and
FreeBSD. When user adds or removes VLAN subinterface in fwbuilder
GUI, geenrated script executes appropriate ifconfig commands to
add or remove corresponding vlan pseudo-interface on the firewall
machine.
New feature: incremental IP address management for OpenBSD and
FreeBSD. Generated script adds and removes ipv4 and ipv6 addresses
of interfaces as needed. When user adds an address in the
fwbuilder object, the script adds it. Second run of the same script
does nothing. If user removes an address in fwbuilder, generated
script removes it from the interfaces to bring actual configuration
of the machine in sync with fwbuilder objects.
warning dialogs for the incorrect interface name would not go
away. If user entered incorrect name of the
subinterace (e.g. name that is not a valid VLAN subinterface name)
the GUI would pop up warning dialog infinitely.
change attempts to fix a bug that causes main menu item Edit /
Paste (keyboard shortcut Ctrl-V) to stop working. The bug is hard
to reproduce and we were not able to find reliable scenario to
trigger it.
fixes#1215 "Edit protocol parameters" button gets disabled for no
reason. This button would get disabled after certain manipulations
in the cluster group object dialog even when no changes were made.
fixes#1210 "syntax error in PF rule - "modulate state" is
required". Per bug reported in the mailing list (and according to
the pf.conf manual), pf.conf requires "keep state", "modulate
state" or "synproxy"if any of the stateful tracking options are
used in the rule. These include "max", "no-sync", "pflow",
"sloppy", "source-track" and others.
fixes#1209 "incorrect syntax in PF rules when only "Activate
source tracking" option is on". Compiler sometimes generated empty
"( )" in the end of the pf.conf line when there were no state
tracking options
fixes#1175 "There is no option for unicast on conntrac
sync-group (like heartbeat)". User can now choose between multicast
and unicast for conntrackd communication.
When user starts the program for the very first time, it shows
a "Welcome" screen that lists summary of features of fwbuilder and
provides a link to the Getting Started Guide on the web site. Link
to the local copy of Release Notes is also provided.
interface with failover protocol heartbeat to have no ip address.
There are legitimate configurations where admin might want to run
heartbeat over an inetrface which itself has no virtual ip
address, for example to confine heartbeat packets to a dedicated
link.
fixes#1201 "add parent to the object properties tooltip".
Include parent name in the tooltip that is shown for interface
objects. This helps identify interfaces in rules, especially
subinterfaces and interfaces with common names in complex
configurations with many firewall objects.
fixes#1200 "SNAT with cluster object in TSrc uses all
interfaces". When a network or host address used in OSrc of a NAT
rule matches one of the interfaces of the firewall or a cluster,
there is not need to use this interface for the "-o" clause in
SNAT rule.
see #1198. The check of subnets defined by the member and cluster
interfaces has been removed. The check originally implemented by
Secuwall developers looked only at the first address of the
interface and ignored others. It also did not allow for the
cluster interface netmask /32, which is the case with vrrpd. All
in all, the value here does not seem to be worth the effort of
implementing checks for all combinations.
"shell function update_addresses_of_interface() does not ignore
virtual addresses of cluster inetrfaces". When generated iptables
script updates ip addresses of interfaces, it should ignore
addresses managed by vrrpd, heartbeat or other failover daemons.
The script did not ignore them and instead removed them from
interfaces.
various multicast groups". Added address objects for standard
multicast groups OSPF, RIP, EIGRP, DHCP server / relay agent, PIM,
RSVP-ENCAPSULATION, VRRP, IGMP, OSPFIGP-TE, HSRP, mDNS, Link-local
Multicast Name Resolution, Teredo.
