cluster". Since the order in which I copy rule sets is
undefined and because they may have references to each other via
branching rules, I need to fix references after I create all
of them.
create redirect rule in cluster firewall object". Iptables nat
rule with target REDIRECT could not be built in a cluster
configuration. It should be possible to do this by putting cluster
object in Translated Destination.
addresses of vlan interfaces". This function used to take into
account only interfaces that were direct children objects of the
firewall. Since vlan interfaces are children of the corresponding
physical interface, they were not included.
"generated script gets .fw suffix even when user set output file
name". Suffix .fw should not be appended to the name entered by
the user in the "output file name" input field in the firewall
settings dialog.
"installer hangs and fails after activation of ipfw policy". As
soon as .fw script swapped ipfw sets usig command "ipfw sawp" and
deleted temporary set 1, ssh session would hang and eventually
break. We optionally add ipfw rules to permit ssh session used to
manage the firewall, as well as a rule to permit reply packets but
the latter rule was not built correctly. It should match source
and destination reversed, as well as match keyword "established"
and recreate state with "keep-state". This rule automatically
recreates state for the established ssh session over which
firewall policy is being managed. Also added a comment to the
firewall settings dialog for ipfw to remind the user that address
or subnet they use with this automatic rule should be as narrow as
possible.
wants to use putty session, show session name instead of the ip
address in the "Address that will be used to communicate with the
firewall" input field in the installer options dialog.
matching algorithm that determins which interface a rule should be
associated with for Cisco IOS ACLs. Previously compiler did not
compare subnets properly and because of that it interpreted some
configurations incorrectly. For example in the case with a network
object 10.0.0.0/8 in "source" and an interface with address
10.0.0.1/24 (network should not be considered matching) compiler
considered this interface matching and assigned the rule to the
interface only with direction "inbound".
pscp.exe supports putty session in place of the target name but
not if argument "-load session_name" is also present. Plink.exe
does the same. We can not use fwb_session_with_keepalive if user
wants to use putty session.
behavior is for the compiler to create files in the directory
specified by the argument of the "-d" command line flag. If
flag "-d" is not provided, files should be created in the current
directory.
fixed SF bug 3094273 "no state needed for ipv6-icmp in
ip6tables". Rules that match ICMPv6 objects should be
stateless. Compiler will check for this and reset "stateful" flag
of a rule and issue warning if the rule was built stateful in the
GUI.
problem" (type 4, any code) per SF feature request 3094743. Also
added service group object "ipv6 unreachable messages" that
includes ICMPv6 messages "destination unreachable", "packet too
big", "parameter problem" and "time exceeded" per SF feature
request 3094758
request 3094738 "Set the HL to 255 for IPv6 Neighbor
Discovery". Neighbor discovery packets must have hop limit of 255
per RFC 2461. Automatically generated rules that match neighbor
discovery packets will math hooplimit 255.
"Routing configuration failed". Iptables script generated by
fwbuilder did not configure broadcast when it added ip addresses
to interfaces. Using "ip addr add ADDR/NM boradcast + dev INTF"
syntax to do this.
of address assignment in the generated OpenBSD/PF/CARP cluster
configuration". Need to assign ip addresses to regular interfaces
before trying to assign them to carp interfaces.
"nf_conntrack_ipv6" if generated script has no ipv6 rules"
Shell function load_modules should not try to load module
nf_conntrack_ipv6 if generated script does not load any ipv6
rules. Loading this module fails if ipv6 has been disabled in
the kernel.
r3320 (refs #1790) "When an object is found using Find and the
object is in the object tree, the keyboard focus shifts to the
Object Panel". That change broke highlighting of the found object
in rules.
config will compile without interface in Routing rule". Policy
compiler for PIX now checks that both "interface" and "gateway"
rule elements are not empty.
panel once its created". This has side effect in that some
other operations that open an object in the tree will also
scroll the tree to position this object at the top.
templates button on the New Firewall Wizard". Use of the
custom template library to create new firewall object is now
optional, controlled by a checkbox in the "Object" tab of the
gobal preferenes dialog. New users will have this option turned
off by default, however existing users will see it enabled for
backwards compatibility.
is found using Find and the object is in the object tree, the
keyboard focus shifts to the Object Panel". The "find" pabel now
retains keyboard focus after it shows found object in the tree,
this allows the user to just hit Enter on the keyboard to find
the next object.
that happened when user switched from page 0 to page 1 of the new
firewall wizard. Pause was caused by the DNS queries the program
ran trying to determine ip address of the firewall using the name
provided on the first page of the wizard. Now DNS query is
launched only if user wants to create interfaces uses snmp scan.
improved design of the widget used to edit ip addresses and other
attributes of an interface in the new firewall, new host and new
cluster wizards. Removed "MAC Address" imput field and rearranged
other input fields according to the result of usability tests.
nothing. This button should only be enabled if user switched to
their own library of template objects. The button should be
disabled if they switched back to the standard template library
or never switched to their own one.
and host OS". The placeholder text in the interface name and label
input fields in the new firewall wizard will depend on the host OS
chosen in the first page of the wizard.
fields. This text is displayed in greyed-out small font inside
the imput field but is cleared as soon as user starts their input.
The text gives user a prompt as of what is expected in each input
field. The "placeholder" text support is available only in Qt 4.7
and later so the code is conditional on the version of Qt.
