files from DTD v18 to DTD v19. This transformation finds
"PolicyRule" elements with missing "Itf" child elements and fixes
them by adding such element with a reference pointint to "any".
Fixes#2383
* fwbuilder.dtd.in: Element "Itf" (an interface) of "PolicyRule"
should be required. DTD version increment.
object is created in the middle of the "new firewall" wizard and
clicking Back creates two firewall objects". If user chose to
create new firewall object from a template and clicked Back after
choosing the template, the program actually created two firewall
objects but only one was visible in the tree.
actions per policy rule". Options "Tag", "Classify" and "Route"
work with iptables in a combination with any action. This
implementation has one restriction: option Route can not be used
in combination with options Tag or Classify and any action that is
not Continue. This is because option Route can yield rules in
PREROUTING or POSTROUTING chains that are also used by options Tag
and Classify. For this combination we create two user-defined
chains that perform routing and tagging (or classification). In
case of a terminating action both chains end with it. This means
if one matches the packet, the other is never going to see it.
Non-terminating action "Continue" does not create this problem.
This limitation may be removed in future versions of fwbuilder.
The change in UsageResolver
eliminates unnecessary scanning of all rule sets to check if the
affected rule set might be used as a branch. The program used to
scan the same objects many times.
.
tentative fix for SF bug 3169045 "Batch installer lists IPv4
address as management address". Built-in installer wanted to use
management interface address in batch mode even when alternative
address or putty session name was provided. This happens only in
batch mode install.
compiling single rule with IPv6 destination and IPv4 gateway or
interface". Routing compiler for iptables does not support ipv6 at
this time and will issue a warning when user tries to place ipv6
address or network in a routing rule. The warning does not appear
when ipv6 address is a member of a group used in the rule. Also
see #1575.
move up the "access-list mode auto-commit" command". Command that
configures access list commit mode should be issued before any
commands that clear and configure access lists. Also in this
change moving commands that set up temporary access list to the
top of the script.
object created on import". Iptables rules in the table mangle
will be imported in the dedicated Policy rule set with name
"Mangle". Rules that use chains FORWARD and POSTROUTING in table
mangle can not be reproduced and will be marked as "bad" (color
red and corresponding comment).
rule action for Continue". Rules with action "Continue" should
translate into iptables commands without "-j TARGET" parameter. If
such rule also has logging enabled, it should use target "-j LOG"
instead of generating additional chain.
MAC-matching rules not generated properly". Iptables NAT rules
matching a group of host objects with both IP and MAC addresses each
in "Original Source" were not generated properly.
3178186 "Add ND/NS allow rules for the FORWARD chain". Rules that are
added automatically to ipv6 Linux firewall to permit neighbor discovery
packets should be also added to the FORWARD chain if the firewall is
a bridge.
see #2323
interfaces with the name vlan<xx> dont show as Bridge Port
Interfaces". This actually applies to all OS where we support vlan
and bridge interfaces. Fwbuilder GUI should allow the user to set
subinterface type to both "ethernet" and "vlan" when its parent
interface has type "bridge". Setting subinterface type to
"ethernet" makes it bridge port, while setting the type to "vlan"
signals policy compiler that it should generate code to configure
real vlan interface. If the name of the subinterface does not
include the name of the parent, such as "vlan101", or when the
name does not match vlan ID, such as "vlan8101", global
preferences option "Verify interface names and autoconfigure their
parameters..." should turned off. The option is located in the
Preferences dialog, tab "Objects".
router firewalls". Added support for basic IOS router clusters.
No failover protocol support at this time, but the cluster can be
configured with protocol "None" and fwbuilder will do address
substitutions at compile time.
with service set to "http" and destination set to asa firewall
object should generate different command syntax". Policy rules
that have firewall object in Destination and http object in
Service now generate "http" commands. This is similar to how
fwbuilder generates "ssh", "telnet" and "icmp" commands to permit
corresponding services to the firewall itself.
