service objects in pix8". So far, these objects are only used
for nat configuration.
* NATCompiler_asa8_writers.cpp (processNext): fixes#1903 "correct
order of clear commands for ASA 8.3"
* NATCompiler_asa8_writers.cpp (printSDNAT): refs #1886 "new nat
configuration in pix 8.3". Initial support for new style nat
configuation.
"policy-map type inspect ip-options" command in PIX v8.2 and later.
At this time, of all possible types of "policy-map type inspect"
command only "ip-options" is implemented.
"policy-map type inspect ip-options" command in PIX v8.2 and later.
At this time, of all possible types of "policy-map type inspect"
command only "ip-options" is implemented.
and possibly other embedded Linux systems". Generated script does not
use modprobe utility when host OS is set to "DD-WRT" or "OpenWRT" and
should not try to find this utility on the system. This is also
related to the SourceForge bug 3032293
cluster". Since the order in which I copy rule sets is
undefined and because they may have references to each other via
branching rules, I need to fix references after I create all
of them.
create redirect rule in cluster firewall object". Iptables nat
rule with target REDIRECT could not be built in a cluster
configuration. It should be possible to do this by putting cluster
object in Translated Destination.
addresses of vlan interfaces". This function used to take into
account only interfaces that were direct children objects of the
firewall. Since vlan interfaces are children of the corresponding
physical interface, they were not included.
"generated script gets .fw suffix even when user set output file
name". Suffix .fw should not be appended to the name entered by
the user in the "output file name" input field in the firewall
settings dialog.
"installer hangs and fails after activation of ipfw policy". As
soon as .fw script swapped ipfw sets usig command "ipfw sawp" and
deleted temporary set 1, ssh session would hang and eventually
break. We optionally add ipfw rules to permit ssh session used to
manage the firewall, as well as a rule to permit reply packets but
the latter rule was not built correctly. It should match source
and destination reversed, as well as match keyword "established"
and recreate state with "keep-state". This rule automatically
recreates state for the established ssh session over which
firewall policy is being managed. Also added a comment to the
firewall settings dialog for ipfw to remind the user that address
or subnet they use with this automatic rule should be as narrow as
possible.
wants to use putty session, show session name instead of the ip
address in the "Address that will be used to communicate with the
firewall" input field in the installer options dialog.
matching algorithm that determins which interface a rule should be
associated with for Cisco IOS ACLs. Previously compiler did not
compare subnets properly and because of that it interpreted some
configurations incorrectly. For example in the case with a network
object 10.0.0.0/8 in "source" and an interface with address
10.0.0.1/24 (network should not be considered matching) compiler
considered this interface matching and assigned the rule to the
interface only with direction "inbound".
pscp.exe supports putty session in place of the target name but
not if argument "-load session_name" is also present. Plink.exe
does the same. We can not use fwb_session_with_keepalive if user
wants to use putty session.
behavior is for the compiler to create files in the directory
specified by the argument of the "-d" command line flag. If
flag "-d" is not provided, files should be created in the current
directory.
fixed SF bug 3094273 "no state needed for ipv6-icmp in
ip6tables". Rules that match ICMPv6 objects should be
stateless. Compiler will check for this and reset "stateful" flag
of a rule and issue warning if the rule was built stateful in the
GUI.
problem" (type 4, any code) per SF feature request 3094743. Also
added service group object "ipv6 unreachable messages" that
includes ICMPv6 messages "destination unreachable", "packet too
big", "parameter problem" and "time exceeded" per SF feature
request 3094758
request 3094738 "Set the HL to 255 for IPv6 Neighbor
Discovery". Neighbor discovery packets must have hop limit of 255
per RFC 2461. Automatically generated rules that match neighbor
discovery packets will math hooplimit 255.
"Routing configuration failed". Iptables script generated by
fwbuilder did not configure broadcast when it added ip addresses
to interfaces. Using "ip addr add ADDR/NM boradcast + dev INTF"
syntax to do this.
of address assignment in the generated OpenBSD/PF/CARP cluster
configuration". Need to assign ip addresses to regular interfaces
before trying to assign them to carp interfaces.
"nf_conntrack_ipv6" if generated script has no ipv6 rules"
Shell function load_modules should not try to load module
nf_conntrack_ipv6 if generated script does not load any ipv6
rules. Loading this module fails if ipv6 has been disabled in
the kernel.
r3320 (refs #1790) "When an object is found using Find and the
object is in the object tree, the keyboard focus shifts to the
Object Panel". That change broke highlighting of the found object
in rules.
config will compile without interface in Routing rule". Policy
compiler for PIX now checks that both "interface" and "gateway"
rule elements are not empty.
