warning dialogs for the incorrect interface name would not go
away. If the user entered an incorrect name for the
subinterface (e.g. a name that is not a valid VLAN subinterface name),
the GUI would pop up the warning dialog indefinitely.
change attempts to fix a bug that causes main menu item Edit /
Paste (keyboard shortcut Ctrl-V) to stop working. The bug is hard
to reproduce and we were not able to find a reliable scenario to
trigger it.
fixes #1215 "Edit protocol parameters" button gets disabled for no
reason. This button would get disabled after certain manipulations
in the cluster group object dialog even when no changes were made.
fixes #1210 "syntax error in PF rule - "modulate state" is
required". Per the bug reported on the mailing list (and according to
the pf.conf manual), pf.conf requires "keep state", "modulate
state" or "synproxy" if any of the stateful tracking options are
used in the rule. These include "max", "no-sync", "pflow",
"sloppy", "source-track" and others.
fixes #1209 "incorrect syntax in PF rules when only "Activate
source tracking" option is on". Compiler sometimes generated empty
"( )" at the end of the pf.conf line when there were no state
tracking options.
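
A lint check for the two defects described in #1210 and #1209, as an added example that is not fwbuilder's own code: it flags a rule line whose parenthesized option list uses a state tracking option without a preceding "keep state", "modulate state" or "synproxy state", and a line that carries an empty "( )". The helper name, the option list (only the options named above) and the sample rules are assumptions made for this example.

```shell
#!/bin/sh
# lint_pf_rule LINE  (hypothetical helper, not part of fwbuilder)
# Prints one of: ok | empty-options | missing-state-keyword
lint_pf_rule() {
    printf '%s\n' "$1" | awk '
    BEGIN {
        # Only the options named in the release note; pf.conf has others.
        n = split("max no-sync pflow sloppy source-track", names, " ")
        for (i = 1; i <= n; i++) opt[names[i]] = 1
    }
    {
        status = "ok"
        # 1209: option list with nothing inside, e.g. "keep state ( )"
        if ($0 ~ /\([ \t]*\)/) status = "empty-options"
        rest = $0; prefix = ""
        # 1210: walk every "( ... )" group and look at the text before it
        while (status == "ok" && match(rest, /\([^()]*\)/)) {
            body = substr(rest, RSTART + 1, RLENGTH - 2)
            prefix = prefix substr(rest, 1, RSTART - 1)
            cnt = split(body, w, /[ \t,]+/)
            for (i = 1; i <= cnt; i++)
                if ((w[i] in opt) && prefix !~ /(keep|modulate|synproxy) state[ \t]*$/)
                    status = "missing-state-keyword"
            prefix = prefix substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
        }
        print status
    }'
}

# Constructed sample rules (written for this example, not compiler output):
lint_pf_rule 'pass in on em0 proto tcp from any to any port 22 keep state (max 100, source-track rule)'
lint_pf_rule 'pass in on em0 proto tcp from any to any port 22 (source-track rule)'
lint_pf_rule 'pass in on em0 proto tcp from any to any port 22 keep state ( )'
```

Groups such as "(em0)" that hold an interface name rather than state options pass through, because only groups containing one of the listed option words are checked.
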
fixes #1175 "There is no option for unicast on conntrac
sync-group (like heartbeat)". User can now choose between multicast
and unicast for conntrackd communication.
When user starts the program for the very first time, it shows
a "Welcome" screen that lists summary of features of fwbuilder and
provides a link to the Getting Started Guide on the web site. Link
to the local copy of Release Notes is also provided.
interface with failover protocol heartbeat to have no ip address.
There are legitimate configurations where admin might want to run
heartbeat over an interface which itself has no virtual ip
address, for example to confine heartbeat packets to a dedicated
link.
fixes #1201 "add parent to the object properties tooltip".
Include parent name in the tooltip that is shown for interface
objects. This helps identify interfaces in rules, especially
subinterfaces and interfaces with common names in complex
configurations with many firewall objects.
fixes #1200 "SNAT with cluster object in TSrc uses all
interfaces". When a network or host address used in OSrc of a NAT
rule matches one of the interfaces of the firewall or a cluster,
there is no need to use this interface for the "-o" clause in
SNAT rule.
see #1198. The check of subnets defined by the member and cluster
interfaces has been removed. The check originally implemented by
Secuwall developers looked only at the first address of the
interface and ignored others. It also did not allow for the
cluster interface netmask /32, which is the case with vrrpd. All
in all, the value here does not seem to be worth the effort of
implementing checks for all combinations.
"shell function update_addresses_of_interface() does not ignore
virtual addresses of cluster interfaces". When generated iptables
script updates ip addresses of interfaces, it should ignore
addresses managed by vrrpd, heartbeat or other failover daemons.
The script did not ignore them and instead removed them from
interfaces.
various multicast groups". Added address objects for standard
multicast groups OSPF, RIP, EIGRP, DHCP server / relay agent, PIM,
RSVP-ENCAPSULATION, VRRP, IGMP, OSPFIGP-TE, HSRP, mDNS, Link-local
Multicast Name Resolution, Teredo.
skip virtual addresses configured on cluster interfaces while
updating addresses of interfaces". The problem only affected
cluster interfaces with VRRP failover protocol.
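
The behaviour described in the two entries about virtual addresses above (the update_addresses_of_interface() entry and the VRRP follow-up), as an added example that is not the generated script itself: an address sync step that works out which addresses to remove from an interface while leaving alone the ones owned by a failover daemon. The helper names, the `ip -o` sample and the addresses are constructed for this example.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not taken from the generated script.

# Constructed sample of `ip -o -4 addr show dev eth0` output on a cluster member.
# 192.0.2.100/24 stands for the virtual address added by the failover daemon,
# 192.0.2.7/24 for a leftover address that is no longer in the policy.
SAMPLE='2: eth0    inet 192.0.2.1/24 brd 192.0.2.255 scope global eth0
2: eth0    inet 192.0.2.100/24 scope global secondary eth0
2: eth0    inet 192.0.2.7/24 scope global secondary eth0'

# current_addrs TEXT: extract the address/prefix column from `ip -o` output
current_addrs() {
    printf '%s\n' "$1" | awk '$3 == "inet" { printf "%s ", $4 }'
}

# in_list ITEM "LIST": succeed if ITEM is one of the space-separated words in LIST
in_list() {
    for x in $2; do
        [ "$x" = "$1" ] && return 0
    done
    return 1
}

# stale_addresses "CURRENT" "WANTED" "IGNORED"
# Prints the addresses that may be removed: present on the interface, not
# wanted by the policy, and not owned by a failover daemon.
stale_addresses() {
    out=""
    for a in $1; do
        in_list "$a" "$2" && continue
        in_list "$a" "$3" && continue
        out="${out:+$out }$a"
    done
    printf '%s\n' "$out"
}

CUR=$(current_addrs "$SAMPLE")
echo "without ignore list: $(stale_addresses "$CUR" "192.0.2.1/24" "")"
echo "with ignore list:    $(stale_addresses "$CUR" "192.0.2.1/24" "192.0.2.100/24")"
```

With an empty ignore list the virtual address shows up among the addresses to remove, which is the failure the entries describe: the sync step would strip the address the failover daemon had just configured.
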
fixes #1191 "broken behavior in InterfaceEditorWidget". When user
added and then deleted a bunch of ip addresses to an interface in
the new firewall or new cluster wizard, addresses below the
deleted row were ignored.
* InterfaceEditorWidget.cpp (InterfaceEditorWidget::deleteAddress):
fixes #1189 "GUI crash in newFirewall dialog upon completion".
GUI crashed in the new firewall wizard if user deleted an address
of an interface that had 3 or more addresses.
"compiler/GUI crash compiling cluster NAT rule when cluster and
members have dynamic interface". It should be possible to have
cluster interface that is mapped to dynamic interfaces of the
member firewalls and then use this interface or whole cluster
object in rules. Compiler should expand cluster object and replace
it with its interfaces and corresponding interfaces of the member
firewall and then correctly handle dynamic ones.
fixes #1177 "problems with commands for conntrack_max, hashsize
and other advanced conntrack parameters". Needed to add a line
break between shell commands that set up kernel variables and
those that set up conntrack kernel variables.
subwindow on maximize/restore". The GUI would revert to the
non-maximized subwindows display if user de-maximized subwindow,
then maximized it again and tried to open new data file.
protocol uses virtual ip address". New cluster wizard did not
allow the user to add ip address to cluster interface configured
with heartbeat failover protocol.