Firewall Builder Release Notes

Version 2.0.4
Released 12/02/04

GUI and compilers v2.0.4 require API library libfwbuilder version 2.0.4

Summary

For those who wish to build from source, instructions are outlined in the
document "Install and Build instructions" on our web site.

What's new

* Improvements in the GUI

  * Improved error handling: if the GUI is started with a file on the command
    line, or is configured to open a file automatically on startup, and RCS can
    not check the file out, the GUI comes up empty (with only standard objects
    loaded). Previously, when the GUI was configured to open a file
    automatically but the file could not be checked out, there was no way to
    cancel the automatic file open operation, since the GUI would never come up.

  * Added Japanese translation by Tadashi Jokagi.

  * Added Russian translation by RusBusinessSecurity Co. Ltd., Russia. This
    translation is fairly complete but is still considered preliminary. Bug
    reports and suggestions are very welcome.

* Improvements in the built-in policy installer

  * The built-in installer checks the exit status of the script it runs on the
    firewall and aborts the installation sequence if it detects an error. OS
    resource files have been updated accordingly so they return exit status '1'
    in case of error and '0' when they succeed.

  * Added an option to push PIX configuration to a standby firewall at the end
    of install.

  * Added support in the installer for new configuration script formats for PIX:

    1. basic or old format: access lists are cleared and added from scratch;
    2. access lists have unique names each time the policy is recompiled, and
       lists are added without clearing;
    3. access lists are added with temporary names and assigned to interfaces,
       then the same lists are added with permanent names, the lists are swapped
       and the temporary lists are cleared.

    The last two methods provide for an instantaneous access list swap, so that
    the firewall never runs with empty lists. This helps maintain access to the
    firewall if the configuration is installed remotely.

* Improvements in the policy compiler for iptables

  * Implemented Feature Request #1021201: "output iptables-restore compatible
    config from fwb_ipt". The policy compiler for iptables can use
    iptables-restore to activate the firewall policy. iptables-restore provides
    for atomic policy load and loads large policies much faster. Atomic load
    means the whole filter or nat table is activated at once, and if there is an
    error, nothing is changed. The compiler generates the script in three
    possible formats:

    1. the usual shell script that adds rules one at a time by executing the
       iptables command with the "-A" flag to add a rule;
    2. commands are fed to iptables-restore; this format is used when all
       interfaces of the firewall have static IP addresses and the script does
       not need to determine addresses at run time;
    3. the script determines the IP addresses of interfaces and discovers
       dynamic interfaces that were defined as a "wildcard" interface in
       fwbuilder (e.g. 'ppp*'); the code that is sent to iptables-restore is
       generated dynamically by the script at run time.

    Using iptables-restore is optional and is controlled by the checkbutton in
    the "Script options" tab of the firewall settings dialog. The path to the
    iptables-restore utility can be set in the "Paths" tab of the host settings
    dialog.

  * Policy installation via iptables-restore has been tested with old versions
    of iptables (1.2.6a). The script needs to include "-m tcp", "-m udp" or
    "-m icmp", otherwise iptables-restore does not understand options
    "--dport", "--tcp-flags" and some others. Also had to use
    "--tcp-flags SYN,RST,ACK SYN" instead of "--syn" for better backwards
    compatibility.

  * A change in the script generated by fwb_ipt: if iptables-restore is not
    used to load the policy, the generated shell script purges the existing
    firewall policy (all tables and chains) and sets default chain policies
    after it configures the interfaces of the firewall.
    Previously, it would flush tables and set default policy before it
    configured interfaces.

  * Removed code that added an iptables command to the "drop" table to drop and
    log all dropped packets. This rule used the obsoleted patch-o-matic patch
    "drop", which is not available anymore.

  * Moved the rule permitting backup ssh access from the management station to
    the firewall to the top of the script. This helps maintain the ssh session;
    otherwise it may stall or break because the stdout buffer is filled with
    diagnostic or progress output from the script that is printed after all
    chains are flushed but before the rule permitting ssh to the firewall is
    added. If the stdout buffer is full, ssh stops and tries to send the text to
    the management station, but times out because the firewall blocks it.

* Improvements in the policy compiler for pf

  * The activation script for PF flushes only rules, nat, source and table
    information (it used to flush "all"). This preserves queue entries and
    states.

* Improvements in policy compilers for all platforms

  * Added support for prolog and epilog scripts for all firewall platforms.
    This was available for PIX for some time; now it has been added for all
    platforms. The "Prolog/Epilog" tab of the firewall settings dialog allows
    editing of two blocks of commands that are added to the generated firewall
    script verbatim. The prolog block is added at the top, while the epilog
    block is added at the bottom. Both prolog and epilog are expected to be
    shell scripts and are added to the generated shell script that activates
    the firewall. For iptables and ipfw all the compiler generates is this
    shell script, and the prolog and epilog commands are inserted into it.
    These commands may execute some actions, as well as add any policy or nat
    commands. For ipf and pf, prolog and epilog commands are added to the
    activation shell script (.fw file); the prolog is added immediately after
    the command that flushes all rules. This way the user may either execute
    shell commands or add policy and/or nat rules by loading them from an
    external file.

  * All policy compilers properly detect an error when the output file can not
    be created or overwritten, and print an error message to warn the user.

  * Added element "Target/family" to all OS resource XML files. Compilers use
    the "family" resource element to determine if the host OS is supported. The
    user may want to copy a host OS resource file to modify installer
    scriptlets; as long as the family element is kept the same, the compiler
    will accept the new resource file.

----------------------------------------------------------------------

Bugs fixed in GUI:

* bug #1077072: "CrossPlatform Firewall Builder Crash". Pressing the arrow down
  key on the keyboard right after the GUI started, with no firewall objects
  defined, caused a crash.

* bug (no number): if a library was assigned a name with non-ascii characters,
  it would appear distorted in the pull-down list in object dialogs.

* bug (no number), introduced in 2.0.3: the GUI crashed if the user tried to
  choose a pull-down menu item in the firewall list after the very first
  firewall object had been created.

* bug (no number): the group object dialog corrupted object names if they
  contained non-ascii characters.

* bug #1046345: "ipfw - no option to specify ipfw executable". Added a GUI
  control to let the user specify an alternative path to "ipfw" on FreeBSD. A
  control like that was previously available only for Mac OS X.

* bug #1028866: "incorrect order when several rules copied using copy/paste".
  Pasting multiple rules into an empty policy caused the rules to be inserted
  in the wrong order.
* bug (no number): the policy installer failed if the following conditions were
  met:
  - it was running on Linux, FreeBSD or Mac OS X;
  - the working directory configured in the "General" tab of the Preferences
    dialog did not exist and could not be created, or its permissions did not
    allow the user that runs the GUI to access it.

* Added #include to make the code compile with gcc 3.4.2 and glibc 2.3.3.

* bug (no number): the GUI could not find the names of the object libraries in
  external library files that the user added for automatic load in the
  Preferences dialog on Windows. It would find the name of the library in the
  first file, but failed to find library names in subsequent files and used the
  name from the first file. Since this library was only present in the first
  file, the object tree was getting corrupted when the program attempted to load
  this library from every file configured for automatic pre-load. This only
  happened on Windows.

Bugs fixed in API:

* bug #1077496: "Error compiling libfwbuilder in FreeBSD". The problem was
  caused by the changed major version number of the libnetsnmp library in the
  latest net-snmp port (v5.2).

* bug #1055937: "Any->all_multicasts not in INPUT Chain". Need to check if
  network objects are multicasts; assume that multicast always matches the
  firewall object (e.g. fwb_ipt will put a rule with such a network object in
  the destination in the INPUT chain).

* bug #1040773: need to match the network address as well as the broadcast
  address. Packets sent to the network address (192.168.1.0 for net
  192.168.1.0/24) go in a broadcast frame and behave just like IP broadcast
  packets (sent to 192.168.1.255 for the same net).

* bug (no number): the rule shadowing algorithm now assumes that an IPService
  object with protocol number '0' shades any other service, just like 'any'
  does.

* bug (no number): the rule shadowing algorithm checks for IP flags in the IP
  service object. An IP service object with protocol 0 shades anything only if
  its flags are cleared. Two IP services shade each other only if they are
  completely equal (protocols and all flag settings are the same). However, an
  IP service with protocol 0 shades another IP service with protocol != 0 if
  all flag settings are the same.

* Change in the object database merge algorithm: when the object database we
  are trying to merge has a non-empty "Deleted objects" library, deleted objects
  from this library are ignored (they used to be deleted from the current tree).
  Likewise, when the current tree has a non-empty "Deleted objects" library and
  objects in it match objects being merged in, those objects are removed from
  the "Deleted objects" library to avoid creating duplicate IDs with the objects
  being merged in.

* bug (no number): the program crashed on FreeBSD 5.3 when using SNMP to obtain
  parameters for hosts and interfaces. The crash occurred because of the use of
  uninitialized mutex variables in module dns.cpp.

* bug (no number): the API used to corrupt the CustomService object while saving
  data to the XML file if the service code included special characters such as
  '&'.

Bugs fixed in policy compiler for iptables fwb_ipt:

* bug #1073491: incorrect code for rules using two interfaces with negation. If
  a rule had two (or more) interfaces of the firewall in the destination, with
  negation, the code generated by the compiler would check one interface's
  address in the INPUT chain and another in the FORWARD chain. It should check
  the addresses of all interfaces from the corresponding rule element in the
  INPUT chain, and also check addresses and possibly services from other rule
  elements in the FORWARD chain. This bug affected rules with two or more
  interfaces both in source and destination.

* bug #1040788: fwb_ipt and user name. The compiler used to read the environment
  variable "USER" to find out the user's name. Sometimes this variable is not
  set, which caused the compiler to abort. It now uses the environment variable
  LOGNAME in addition to USER.

* bug #1040599: "unnecessary FORWARD rules". If ip forwarding is turned off in
  the host settings dialog of the linux-based firewall, the compiler should not
  generate rules in the FORWARD chain.

* bug (no number): the compiler placed an extra quote '"' at the end of each NAT
  command in the script using iptables-restore; this happened only if all
  interfaces of the firewall had static addresses.

* bug (no number) in fwb_ipt that caused no-nat rules with the firewall in OSrc
  to be placed only in the OUTPUT chain. Packets originating on the firewall go
  through the OUTPUT and POSTROUTING chains, so no-nat rules must be placed in
  both. Other minor improvements for NAT of locally originated connections have
  been made as well.

* bug (no number): the compiler for iptables used option "--destination-port"
  with module "multiport" for versions of iptables that do not understand it
  (1.2.6 and later, as well as the default version setting 'any'). The option
  should be "--destination-ports" or "--dports".

* bug #1063953: "Wrong accept/multiport rule generated". The compiler generated
  wrong code for rules using multiple service objects of different types (TCP
  and UDP, or TCP and ICMP, etc.) and multiple addresses in src or dst, with an
  option that requires using TCP RST for action REJECT. This bug was introduced
  in build 453.

* bug (no number): the policy compiler for iptables used "tail -1" in the shell
  script that reads the actual IP addresses of the firewall's interfaces. This
  shell code failed to determine the correct address of an interface that was
  configured with a secondary address. Reverted to using grep (I switched to
  tail when I ran into limitations of one of the beta builds of Sveasoft
  Linksys firmware that did not have grep).
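The following is an added example, not code from the Firewall Builder project: it mirrors in Python what the format 3 script described under "Improvements in the policy compiler for iptables" does at run time, collecting the addresses of the configured interfaces (wildcard names such as 'ppp*' included, and secondary addresses that "tail -1" missed) and building iptables-restore input in which the ssh rule from the management station comes first and TCP matches use the "-m tcp --tcp-flags SYN,RST,ACK SYN" form accepted by iptables 1.2.6a. The `ip -o -4 addr` sample and the management address are constructed.

```python
import fnmatch
import re

# Constructed sample of "ip -o -4 addr" output. eth0 carries a secondary
# address, the case that reading only the last line ("tail -1") got wrong.
SAMPLE_IP_ADDR = """\
2: eth0    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
2: eth0    inet 192.168.1.2/24 brd 192.168.1.255 scope global secondary eth0
5: ppp0    inet 10.99.0.7 peer 10.99.0.1/32 scope global ppp0
"""


def interface_addresses(ip_addr_output, patterns):
    """Map each interface whose name matches one of the configured patterns
    (plain names or wildcards such as 'ppp*') to all of its IPv4 addresses."""
    found = {}
    for line in ip_addr_output.splitlines():
        m = re.match(r"\s*\d+:\s+(\S+)\s+inet\s+([\d.]+)", line)
        if not m:
            continue
        name, addr = m.groups()
        if any(fnmatch.fnmatchcase(name, pat) for pat in patterns):
            found.setdefault(name, []).append(addr)
    return found


def restore_input(addrs, mgmt_host, old_iptables=True):
    """Build iptables-restore input for the filter table. The rule admitting
    ssh from the management station to every firewall address comes first, so
    a remote install keeps its session; with old_iptables the TCP match uses
    the explicit '-m tcp --tcp-flags SYN,RST,ACK SYN' form that iptables
    1.2.6a understands instead of '--syn'."""
    syn = "-m tcp --tcp-flags SYN,RST,ACK SYN" if old_iptables else "--syn"
    lines = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]",
             ":OUTPUT DROP [0:0]"]
    for iface in sorted(addrs):
        for ip in addrs[iface]:
            lines.append(f"-A INPUT -i {iface} -s {mgmt_host} -d {ip} "
                         f"-p tcp {syn} --dport 22 -j ACCEPT")
    lines.append(f"-A OUTPUT -p tcp -m tcp --sport 22 -d {mgmt_host} -j ACCEPT")
    # COMMIT makes iptables-restore apply the whole table at once; if any
    # line before it fails to parse, nothing is changed (atomic load).
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"
```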
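The rule shadowing checks for IP service objects listed under "Bugs fixed in API", written out as a predicate; this is an added example, not the libfwbuilder implementation, and the flag names in FLAGS are assumed for illustration.

```python
from dataclasses import dataclass

# IP option/fragment flags an IP service object can carry (assumed set).
FLAGS = ("lsrr", "ssrr", "rr", "ts", "fragm", "short_fragm")


@dataclass(frozen=True)
class IPService:
    protocol: int                    # IP protocol number; 0 means "any protocol"
    flags: frozenset = frozenset()   # subset of FLAGS that must be set to match


def shades(first, second):
    """True if a rule matching `first` (earlier in the policy) makes a later
    rule matching `second` unreachable, per the 2.0.4 shadowing rules."""
    if first.protocol == 0 and not first.flags:
        return True       # protocol 0 with cleared flags behaves like 'any'
    if first == second:
        return True       # identical protocol and flags shade each other
    if first.protocol == 0 and first.flags == second.flags:
        return True       # protocol 0 covers any protocol with the same flags
    return False


def find_shadowed(services):
    """For a list of services in policy order, return (earlier, later) index
    pairs where the later service is shadowed by an earlier one."""
    pairs = []
    for j, later in enumerate(services):
        for i in range(j):
            if shades(services[i], later):
                pairs.append((i, j))
                break
    return pairs
```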
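An added example (not fwb_ipt code) of the chain placement decisions behind bugs #1055937, #1040773 and #1040599: a destination that is one of the firewall's own addresses, the network or broadcast address of an attached network, or any multicast address is delivered to the firewall and belongs in INPUT; traffic from the firewall's own address goes in OUTPUT; anything else is transit and gets a FORWARD rule only when ip forwarding is on. The interface addresses are constructed.

```python
import ipaddress

# Constructed firewall with two interfaces (address/prefix as configured).
FW_INTERFACES = ["192.168.1.1/24", "10.0.0.1/30"]


def own_addresses(interfaces):
    return {ipaddress.ip_interface(c).ip for c in interfaces}


def delivered_to_firewall(dst, interfaces):
    """True if packets to `dst` are received by the firewall itself: its own
    addresses, the network address or broadcast address of an attached network
    (both arrive in a broadcast frame, bug #1040773), and any multicast
    address (bug #1055937)."""
    d = ipaddress.ip_address(dst)
    if d.is_multicast:
        return True
    for cidr in interfaces:
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        if d in (iface.ip, net.network_address, net.broadcast_address):
            return True
    return False


def filter_chains(src, dst, interfaces, ip_forwarding=True):
    """Filter-table chains a rule with single src/dst addresses belongs in."""
    dst_local = delivered_to_firewall(dst, interfaces)
    src_local = ipaddress.ip_address(src) in own_addresses(interfaces)
    chains = []
    if dst_local:
        chains.append("INPUT")
    if src_local:
        chains.append("OUTPUT")
    # Transit traffic exists only when the host routes: with ip forwarding
    # turned off in the host settings, no FORWARD rule is generated (#1040599).
    if ip_forwarding and not (src_local or dst_local):
        chains.append("FORWARD")
    return chains
```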