2008-04-13  Vadim Kurland

	* NATCompiler_PrintRule.cpp (PrintRule::_printAddr): fixed bug
	(no #): compiler fwb_ipt used to treat host objects as networks
	in TDst and generate iptables output with /netmask of the
	interface.

	* (various places in src/ipt): PREPARATION FOR IPV6: changing
	IPv4::cast to dynamic_cast everywhere. In loops that walk child
	objects of interfaces, cast child objects to InetAddrMask* or to
	FWObject* instead of IPv4*. This is to facilitate support for
	ipv6 in the future. In all these places we need to use two
	aspects of the child objects: either their position in the tree,
	in which case FWObject* is sufficient, or their address/netmask,
	in which case we should use InetAddrMask.

2008-03-09  vadim

	* (from 2.1) pf.cpp: fixed bug #1899914: "Script to apply the new
	rules." It is enough to execute "pfctl -f file.conf" to load PF
	policy. There is no need to purge filter and nat rules first,
	then reload it.

	* (from 2.1) RCS.cpp (RCSEnvFix::RCSEnvFix): fixed bug #1908351:
	"rcs does not save log message and file remains locked"

	* (from 2.1) Compiler.cpp (emptyGroupsInRE::countChildren):
	(libfwbuilder) fixed bug #1905718: "Group of DNS Name objects
	considered empty"

2008-03-05  vadim

	* VERSION: started v2.1.18

	* src/cisco_lib, src/iosacl, src/pix: code for policy compilers
	for Cisco IOS ACL and PIX has been released under GPL and merged
	into the main fwbuilder tree.

2008-02-18  vadim

	* CircularQueue.hpp (antlr): fixed crash of the policy importer
	on 64-bit systems. This fixes bug #1886575: "Seg Fault on reading
	vanilla Fedora iptables file". See comment in module
	CircularQueue.hpp for details.

2008-02-10  vadim

	* pt_BR.po: updated Brazilian Portuguese translation by Rubens
	Ferreira Neto and Jose Carlos Medeiros

	* PrefsDialog.cpp (PrefsDialog::PrefsDialog): fixed bug #1886570:
	Diagnostic related to Edit->Preferences. Removed harmless but
	annoying error message that appeared on stderr when user opened
	Preferences dialog.
	* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed bug
	#1883536: "fwbuilder segfaults when importing iptables conf".
	Added support for TCPMSS target with option --clamp-mss-to-pmtu
	in iptables importer; also made importer understand option
	--tcp-option but skip it since it is not supported in fwbuilder.

2008-02-06

	* RCS.cpp (RCSEnvFix::RCSEnvFix): fixed bug #1849392: "RCS using
	windows 2003 without administrator rights". Pass TMP and TEMP
	environment variables to RCS tools.

	* pix_os.xml.in: more for the bug #1816798: "Installing policy on
	PIX 501 fails". The fix that was made for v2.1.16 did not cover
	test-mode install, which is now fixed too. Command "terminal
	pager " is valid only for PIX 7.x and caused error while
	installing policy on PIX 6.3. Removed this command from the
	install sequence, it was not essential.

2007-12-29

	* SSHUnx.cpp (SSHUnx::stateMachine): using signal proper for qt4
	(bytesWritten(quint64) instead of wroteToStdin)

2007-12-19  vadim

	* v2.1.16 release

2007-12-15  vadim

	* OSConfigurator_linux24.cpp
	(OSConfigurator_linux24::printRunTimeWrappers): fixed bug
	#1851166: "Installscript does not test for destination ip
	address". The problem affected the specific case of a firewall
	with two (or more) interfaces that get their address dynamically
	and a policy rule that has one such interface in source and
	another in destination. Generated iptables script retrieves
	actual addresses of both interfaces and assigns them to
	variables, then uses these variables in actual iptables rules. A
	special check is provided in case some interface did not obtain
	any ip address at the time of execution of the script.
	Previously such test was only done for one dynamic interface per
	rule. This change makes the script check for both.

	* ipt.cpp: bug #1850352: "Install script wrongly completes
	successful".
	Storing exit status of iptables-restore so that generated
	firewall script can return the same status after it executes
	commands that set kernel parameters and runs user-defined epilog
	code.

	* PolicyCompiler_pf_writers.cpp (PrintRule::_printRouteOptions):
	applied patch #1850357: "Add support fo load balancing with pf to
	PolicyRule::Route" by Tom Judge (tomjudge@users.sourceforge.net)
	that adds support for load balancing rules in PF. Extended the
	patch adding support for address/netmask format of the next hop.
	Added checks for illegal IP addresses and netmasks in the next
	hop. Test cases for the PF load balancing rules are in
	test/pf/objects-for-regression-tests.fwb, firewall object
	firewall40-1.

2007-12-13  vadim

	* linux24.xml.in: working on bug #1850352: "Install script
	wrongly completes successful". Added more checks to the installer
	scriptlet to make it properly terminate with non-zero error code
	if iptables-restore returned error. Previously "echo" at the end
	of the generated script masked the error code returned by
	iptables-restore and made the GUI report successful install even
	when it terminated with an error. Also added test for the
	presence of pkill on the system so that the script does not try
	to run it if it is not available.

	* platforms.cpp (list): applied patch #1850368: 'PF 3.7 has
	support for "set skip on"'. Patch by tomjudge@users.sourceforge.net
	extends support for "set skip on" option to pf 3.7.

	* platforms.cpp (isDefaultPolicyRuleOptions): fixed bug #1850346:
	"GUI has 2 views on which actions should be stateless". Even
	though GUI made rules with action Route stateful by default, code
	that determined if the combination of options of a given policy
	rule was default thought these rules should be stateless.

	* ipt.cpp: applied patch #1835308: 'Patch for adding "-q" option
	to fwb_ipt'. Option "-q" suppresses the timestamp that is
	normally included in the generated script.
	This way, if no objects or rules changed in Firewall Builder, the
	generated script will be exactly the same. Timestamps made the
	generated script different even if nothing really changed in the
	objects, which made external version control systems detect
	changes when there were none.

	* PolicyCompiler_PrintRule.cpp
	(PrintRule::_printOptionalGlobalRules): fixed bug #1848204:
	"ULOG-Setting ignored for invalid packets", applied patch
	#1848609 provided by reporter. Code that matched and logged
	packets in state INVALID always used target LOG, which was a
	problem for iptables installations that only come with target
	ULOG.

	* tcpservicedialog_q.ui: patch #1849500: "tooltip patch for
	tcpservicedialog_q.ui". Additional tooltips in the TCP Service
	dialog to explain function of tcp flags masks and settings.

2007-12-12  vadim

	* ipt.cpp: fixed bug #1849328: "iptables restore unusable in
	2.1.15". This bug was introduced by the change for the bug
	#1812295. If option "use iptables-restore to activate policy" is
	on, we always generate script that prints iptables commands using
	echo and sends them to the input of iptables-restore via pipe.

	* VERSION (FWB_MICRO_VERSION): begin v2.1.16

2007-12-08  vadim

	* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): fixed
	bug #1821576: "Rule option tracking gives inavlid config with
	default value". Compiler should skip max-src-nodes when it is set
	to default '0' in the GUI.

	* Added Brazilian Portuguese translation by Jose Carlos Medeiros

2007-11-25  vadim

	* Starting with build 320 Windows packages install on Vista

2007-11-15  vadim

	* FWObjectDropArea.cpp (FWObjectDropArea::paintEvent): more fixes
	for bug #1826558: need to fill background rectangle in "object
	drop" widget for search.

	* RuleSetView.cpp (RuleSetView::paintCell): more fixes for bug
	#1826558: need to fill background rectangle in action, options
	and comment columns.

2007-11-14  vadim

	* RuleSetView.cpp (RuleSetView::paintCell): fixed bug #1826558:
	"OSX 10.5 font problem".
	This problem appeared only in the Mac OS X Leopard (10.5) build;
	other platforms were unaffected.

2007-11-02  vadim

	* instDialog.cpp (instDialog::installSelected): previous fix for
	the bug #1811781: "Batch Install" was insufficient. Needed to
	clear altAddress input field in the install options dialog in
	case of the batch install.

2007-10-28  vadim

	* PolicyCompiler_ipt.cpp
	(PolicyCompiler_ipt::createPrintRuleProcessor): fixed bug
	#1812295: "Can't use runtime address tables AND
	iptabels-restore". Script generated by fwb_ipt used "here
	document" if the option "use iptables-restore to activate policy"
	was turned on. This did not work in case policy used any run-time
	address table objects. Now generated script always uses "echo" to
	generate iptables commands that it sends to the standard input of
	iptables-restore.

	* instDialog.cpp (instDialog::doInstallPage): fixed bug #1811781:
	"Batch Install". Built-in installer used address of the first
	firewall of the batch to communicate with all firewalls in the
	"batch install" mode.

	* PolicyCompiler_pf.cpp (PolicyCompiler_pf::addDefaultPolicyRule):
	fixed bug #1800875: "'keep state' missing from pass out going
	traffic rule". Compilers for pf, ipf and ipfw were affected.

	* pix_os.xml.in: fixed bug #1816798: "Installing policy on PIX
	501 fails". Command "terminal pager " is valid only for PIX 7.x
	and caused error while installing policy on PIX 6.3. Removed this
	command from the install sequence, it was not essential.

2007-10-06  vadim

	* ipfAdvancedDialog.cpp (ipfAdvancedDialog::ipfAdvancedDialog):
	applied patch by to add support for Kerberos rcmd and Kerberos
	ekshell proxies in ipfilter NAT rules.

	* VERSION (FWB_MICRO_VERSION): begin v2.1.15

2007-09-10  vadim

	* 2.1.14 release

2007-09-08  vadim

	* configure.in: patch by Carlos Silva to add third parameter to
	AC_DEFINE_UNQUOTED

2007-08-25  vadim

	* RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): fixed
	bug #1764971: "allowed value range for burst limit".
	Iptables "--limit-burst" option should not be limited in the GUI.

	* instDialog.cpp (instDialog::continueRun): fixed bug #1772722:
	"installer should recognize when it uses plink 0.60". We detect
	when installer uses plink on Windows by checking the name of the
	configured ssh client. The check should be case-insensitive.

2007-08-06  vadim

	* configure.in: applied patch by Carlos Silva to make configure.in
	use ANTLR C++ run-time installed on the system if it can find
	one; otherwise it uses the copy in src/antlr

2007-08-05  vadim

	* IPTImporter.cpp: fixed bug (no num): importer for iptables
	should properly assign rule options when it finds "-m limit" and
	"--limit" options in the input file.

	* IPTImporter.cpp: added a workaround for a situation when several
	iptables commands pass control to the same user-defined chain in
	the iptables-save file. As of fwbuilder v2.1, branch ruleset is a
	child object of PolicyRule. This means two different rules can
	not point at the same branch ruleset. This is unfortunate but it
	is hard to fix in the current version because it requires changes
	to the XML DTD and API. Will do this in 3.0. Meanwhile, checking
	if branch ruleset with requested name already exists and changing
	the name by adding suffix '1', '2' etc. to make it different.
	Imported rule is marked as 'bad' (red background) and gets a
	comment explaining this.

	* iptables.g (tcp_flags_list): fixed bug #1764988: "iptables
	import -> GUI crash": syntax for TCP flag matching in
	iptables-save should allow for more than 2 flags in 'comp' part

	* iptables.g (target_options): added missing support for
	"--log-tcp-sequence", "--log-tcp-options" and "--log-ip-options"
	options for target LOG to iptables policy importer

	* iptables.g (protocol_word): fixed bug (no num): iptables policy
	importer should properly parse numeric protocol specification
	(e.g. "-p 47").
	* Importer.cpp (Importer::getTCPService): fixed bug #1764988:
	"iptables import -> GUI crash": iptables policy importer
	recognizes and parses TCP flag parameters ALL and NONE

	* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed bug
	#1764988: "iptables import -> GUI crash": iptables policy
	importer recognizes and parses target RETURN

2007-08-01  Vadim

	* FirewallDialog.cpp: fixed bug reported in Debian Bug report
	#417685 - added missing #include to make code compile with gcc 4.3

	* fixed bug #1761373: "libfwbuilder doesn't build on Mandriva
	cooker". Applied fixes to make the code compile with gcc 4.2

	* VERSION: started 2.1.14

2007-07-18  vadim

	* PolicyCompiler_ipt.cpp (InterfaceAndDirection::processNext):
	compiler permits setting direction in the rule while interface
	field is "All". This generates iptables command in chain INPUT or
	OUTPUT with "-i +" or "-o +" interface specification to match
	all interfaces.

2007-07-14  vadim

	* platforms.cpp (isDefaultPolicyRuleOptions): platform "iosacl"
	does not have any rule options at this time; making sure we never
	show an icon indicating non-default options.

	* templates.xml: added simple template for Cisco router 36xx

	* pf.cpp (main): added support for "set skip on " command for PF.
	If an interface is marked as "unprotected" in the GUI, compiler
	generates this command for it. This is useful for loopback or
	other virtual interfaces.

	* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): better
	compliance with PF 4.x. Feature Req. #1679793: "add 'no state'
	and 'flags any'". If version is set to 4.x, compiler skips "flags
	S/SA keep state" for rules matching tcp services. However,
	according to the section "1.2. Operational changes" in PF FAQ at
	http://www.openbsd.org/faq/upgrade41.html , there should be a way
	to add "keep state" explicitly for rules on interface enc0. Added
	this option to the rule options dialog.

	* pf.cpp (main): implemented support for PF limit options
	"src-nodes", "tables" and "table-entries". Feature Req.
	#1674919: "Support "set limit table-entries""

2007-07-12  vadim

	* SSHSession.cpp: more key caching request and other messages for
	a wider variety of ssh clients.

	* SSHPIX.cpp (SSHPIX::stateMachine): fixed bug #1753188: "policy
	activation fails on PIX and IOS". Installer failed if account
	used to authenticate to the router or PIX went straight to
	'enable' mode after login.

2007-07-07  vadim

	* PolicyCompiler_pf_writers.cpp (PrintRule::_printLogging): fixed
	bug #1747828: "anchors generation - "log" not supported". "Log"
	keyword is not allowed in "anchor" rules; compiler should not
	generate it even if user turned logging on in a rule with action
	'Branch'

	* PolicyCompiler_ipt.cpp
	(checkForRestoreMarkInOutput::processNext): fixed bug #1747332:
	"missing CONNMARK/ restore mark in Output Chain"

	* PolicyCompiler_PrintRule.cpp
	(PrintRule::_flushAndSetDefaultPolicy): fixed bug #1746257:
	"fwbuilder breaks IPv6". Added an option to the firewall settings
	dialog for iptables that controls whether compiler should skip
	generation of the code to set default policy of all ipv6 chains
	to DROP. This option is off by default, that is, compiler puts
	the code in. This helps maintain backwards compatibility with old
	data files that do not have this option, which is equivalent to
	this option being "off".

2007-07-06  vadim

	* ObjectManipulator.cpp (ObjectManipulator::unlockObject): fixed
	bug #1743117: "crash while editing any". Added check, user should
	not be able to unlock Standard objects library

	* FWObject.cpp (FWObject::shallowDuplicate): fixed bug #1740766:
	"lock not saved". This method now copies the value of "ro"
	attribute (read-only). Clear it in the caller if necessary.
	Method duplicate() clears it after calling shallowDuplicate in
	order to be able to modify the object, then restores this
	attribute to its original value.

2007-06-23  vadim

	* v2.1.12 release

	* iptables.g (target_options): parser for iptables is aware of
	"--set-tos" target option.
	Even though fwbuilder does not support target TOS, importer
	should be able to import policy that uses it without crashing.

2007-06-20  vadim

	* FWWindowPrint.cpp (printFirewall): fixed bug #1739373:
	"FWB2111, register Routing not printed". Tab "Routing" was not
	included in the printed copy of firewall policies.

	* NATCompiler_pf.h: fixed bug #1740545: "AddressTable in NAT
	section". Policy compiler for PF crashed if AddressTable object
	was used in TDst element of a NAT rule.

2007-06-17  vadim

	* instDialog.cpp (instDialog::initiateCopy): fixed bug (no
	number) where installer failed to properly copy .fwb file over to
	the firewall if file name contained whitespace

2007-06-16  vadim

	* instDialog.cpp (instDialog::prepareInstallerOptions): discovered
	and fixed bug in the installer: if management interface of the
	firewall is dynamic (i.e. had no IP address) and address of the
	firewall was given in the "Installer" tab of the firewall object
	dialog, installer failed to copy it to the instOptionsDialog and
	filled corresponding entry field with 0.0.0.0

	* OSConfigurator_linux24.cpp
	(OSConfigurator_linux24::printShellFunctions): fixed bug
	#1737733: "install script doesn't detect BROADCAST if eth is
	NO-CARRIER". If firewall script runs before network interface
	comes up (i.e. is still in NO-CARRIER state), script failed to
	add virtual addresses for NAT.

2007-06-13  vadim

	* ActionsDialog.cpp (registerOption): after changes made in the
	compiler to simplify algorithm used to decide which chain a rule
	with action Tag should go to, rule action option "Mark
	connections in PREROUTING chain" ("ipt_mark_prerouting") has
	been deprecated.

2007-06-12  vadim

	* FWWindow.cpp (FWWindow::reopenFirewall): added platform
	capability element "supports_nat" - if True, platform supports
	NAT rules so the main window should show tab "NAT" in the policy
	view. If this parameter is False, the tab disappears.
	* DiscoveryDruid.cpp (DiscoveryDruid::DiscoveryDruid): added main
	menu item "File -> Import Policy" that activates Discovery Druid
	and opens it on the page where user can choose configuration file
	for import.

2007-06-09  vadim

	* PolicyCompiler_PrintRule.cpp
	(PrintRule::_flushAndSetDefaultPolicy): fixed bug #1711595:
	"ip6tables DROPs". Compiler adds rules to permit any-to-any on
	loopback interface for ipv6 in addition to rules that set default
	policy to DROP for all chains in ipv6

2007-06-06  vadim

	* antlr.pro: added ANTLR C++ runtime to the project under
	src/antlr

2007-06-05  vadim

	* PolicyCompiler_ipt.cpp (setChainPreroutingForTag::processNext):
	streamlined algorithm that assigns chain to a rule with action
	Tag. The goal is to always use chain PREROUTING for rules with
	direction Inbound or Both and a combination of OUTPUT and
	POSTROUTING for rules with direction Outbound and Both.

2007-06-02  vadim

	* DiscoveryDruid.cpp (DiscoveryDruid::importPlatformChanged):
	finalized rule importer GUI.

2007-06-01  vadim

	* IPTImporter.cpp (IPTImporter::pushNATRule): NAT import now works

2007-05-30  vadim

	* pf.cpp (main): fixed bug #1727715: "Policy Installer failed but
	indicates succes". Activation script for PF exits with non-zero
	return code if script activation fails.

	* IPTImporter.cpp (IPTImporter::addSrv): import of target MARK and
	TagService for iptables

	* IPTImporter.cpp (IPTImporter::pushRule): support for module
	"limit" in importer for iptables

2007-05-29  vadim

	* IPTImporter.cpp (IPTImporter::pushRule): meaningful import of
	iptables-restore files with all actions for filter table. Action
	"Continue" helps import iptables commands with targets LOG and
	ULOG.

	* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::compile): added
	support for action "Continue" (an empty action) in the GUI and
	compiler for iptables. This action creates a rule that does
	nothing; however, it generates iptables command with target "-j
	LOG" if logging is turned on.
	This can be useful if one wants only to log packets that match
	certain pattern but not make any policy decision in the same
	rule.

2007-05-28  vadim

	* IPTImporter.cpp (IPTImporter::pushRule): basic iptables-restore
	import works (only policy rules, only minimal set of modules)

2007-05-27  vadim

	* IPTImporter.cpp: initial work on iptables importer

	* OSConfigurator_linux24.cpp
	(OSConfigurator_linux24::generateCodeForProtocolHandlers): fixed
	bug in the shell code that finds netfilter modules (missing
	closing '"'). This bug broke generated iptables script. Bug was
	introduced in 2.1.12 some time before build 270

2007-05-25  vadim

	* iosacl.g (vlan): ignore "vlan" commands while importing IOS
	config

	* IOSImporter.cpp (IOSImporter::finalize): IOS access lists
	importer properly handles situation when the same list is applied
	to multiple interfaces with different directions.

2007-05-22  vadim

	* run-tests.sh: simple framework for automated unit tests

	* importer_test.cpp: unit test for Cisco IOS access lists importer

	* IOSImporter.cpp (IOSImporter::finalize): IOS access lists
	importer works with a large complex test file. Test can be
	imported and then compiled with no manual changes.

	* PolicyCompiler_ipt.cpp (InterfacePolicyRulesWithOptimization):
	allow for object group in "Interface" rule element

2007-05-21  vadim

	* DiscoveryDruid.cpp (DiscoveryDruid::loadDataFromImporter):
	finished configuration importer GUI

2007-05-16  vadim

	* RoutingCompiler_ipt_writers.cpp: fixed bug #1718791: "Bug with
	more than one router". This bug affected routing rules.

	* OSConfigurator_linux24.cpp
	(OSConfigurator_linux24::generateCodeForProtocolHandlers): fixed
	bug #1720022: "Fail to load modules .ko.gz".

	* MangleTableCompiler_ipt.cpp (keepMangleTableRules::processNext):
	fixed bug #1720480: '"-A POSTROUTING -i interface" in branching
	rules'. Compiler should not generate iptables commands in
	POSTROUTING chain with "-i interface" clause.
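The script behaviour described in the 2007-12-15 (#1851166), 2007-12-13 and 2007-12-08 (#1850352), 2007-10-28 (#1812295) and 2007-05-30 (#1727715) entries above comes down to three rules for an activation script: emit the loader input with echo so run-time shell variables can be used, only emit a rule that references dynamic interfaces when every one of them has an address, and return the loader's exit status rather than the status of whatever epilog command runs last. The following is an added illustration, not the script fwbuilder generates; all function and variable names (getaddr, gen_rules, activate_policy, IFADDRS) are this example's own, and the interface table is constructed so that it runs offline.

```sh
#!/bin/sh
# Added example, not fwbuilder output. Constructed interface table so the
# example runs without "ip"; on a real firewall getaddr would parse
# "ip -4 addr show dev $1". Format: "ifname=address"; an empty address
# means the interface has no lease yet.
IFADDRS=${IFADDRS:-"eth0=192.0.2.10 eth1="}

# Print the IPv4 address of interface $1, or an empty line if it has none.
getaddr() {
    for entry in $IFADDRS; do
        case "$entry" in
            "$1="*) printf '%s\n' "${entry#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Emit iptables-restore input on stdout. Every line is an echo so that
# $i_eth0 and $i_eth1 expand at run time; a quoted here document would
# not let the script make per-rule decisions while generating.
gen_rules() {
    i_eth0=$(getaddr eth0)
    i_eth1=$(getaddr eth1)
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT DROP [0:0]"
    # Both interfaces are dynamic: skip the rule unless both have an
    # address, otherwise the loader would see "-s  -d ..." and fail.
    if [ -n "$i_eth0" ] && [ -n "$i_eth1" ]; then
        echo "-A FORWARD -s $i_eth0 -d $i_eth1 -j ACCEPT"
    else
        echo "# rule 1 skipped: eth0 or eth1 has no address"
    fi
    echo "COMMIT"
}

# Correct activation: remember the loader's status before the epilog
# runs, and return that. $1 is the loader (iptables-restore on a real
# firewall; "cat" or "false" when exercising this example).
activate_policy() {
    gen_rules | "$1"
    rc=$?
    echo "epilog: setting kernel parameters"
    return $rc
}

# The bug from #1850352: the trailing echo makes the status always 0,
# so the installer reports success even though the loader failed.
activate_policy_masked() {
    gen_rules | "$1"
    echo "epilog: setting kernel parameters"
}
```

Running `activate_policy false; echo $?` prints 1 while `activate_policy_masked false; echo $?` prints 0, which is exactly the difference the installer could not see before the fix. Setting IFADDRS so that eth1 has an address makes gen_rules emit the FORWARD rule.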
2007-05-15  vadim

	* DiscoveryDruid.cpp (DiscoveryDruid::importConfig): basic GUI
	support for the configuration importer

	* IOSImporter.h (class IOSImporter): derived class - importer for
	Cisco IOS ACLs

	* Importer.h: generalized policy importer framework. Requires
	grammar for each platform.

	* iosacl.g: ANTLR grammar for IOS ACLs. Only "access-list ", "ip
	access-list extended" and certain "interface" commands can be
	parsed

2007-05-11  vadim

	* SSHSession.cpp (SSHSession::readFromStdout): note about built-in
	installer on windows. Installer seems to have broken with upgrade
	of QT to 3.3.8. Specifically, in SSHSession::readFromStdout(),
	proc->readStdout() returns a byte array that contains actual
	output from the device, with some garbage appended to it. The
	garbage is included in the size() count of QByteArray returned by
	readStdout so it gets included into the QString which we append
	to stdoutBuffer. This happens only on win32; reverting to QT
	3.3.7 fixes the problem.

2007-05-10  vadim

	* SSHPIX.cpp (SSHPIX::stateMachine): implemented support for
	scheduled reload for PIX firewalls (for roll-back).

	* instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog):
	PIX and Cisco routers (IOS): built-in installer can schedule
	reboot of the firewall before activating new policy, then cancel
	it if the policy has been activated successfully.

	* instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog):
	fixed long-standing problem with size of the built-in installer
	options dialog. The dialog was too big and did not properly
	resize itself when some options were hidden.

	* SSHIOS.cpp (SSHIOS::stateMachine): installer for Cisco routers

2007-05-09  vadim

	* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): added
	support for the new attribute "unprotected" for the Interface
	object in the GUI. Compilers skip this interface while assigning
	ACLs or policy rules to interfaces. This is supported only in the
	compiler for Cisco IOS ACLs at this time.
2007-05-08  vadim

	* iosAdvancedDialog.cpp (iosAdvancedDialog::iosAdvancedDialog):
	added dialogs and resource files for Cisco IOS ACLs

2007-05-07  vadim

	* RuleSetView.cpp (RuleSetView::changeAction): setting option
	"stateless" appropriately when new rule is created.

	* objects_init.xml: added object "All TCP established" - a tcp
	object with open port range and flag "established"

	* PolicyCompiler_ipf.cpp (PolicyCompiler_ipf::compile): using rule
	processor CheckForTCPEstablished in compilers for iptables, ipf
	and pf to check for TCP service objects with flag "established".
	This is considered an error because these platforms do not
	provide support for "established".

	* PolicyCompiler_ipfw_writers.cpp (PrintRule::processNext): using
	new TCPService object flag "established" in compiler for ipfw.

	* PolicyCompiler_ipf.cpp (doSrcNegation::processNext) and
	PolicyCompiler_ipfw.cpp: rules created for negation with action
	'Continue' should be stateless.

	* PolicyCompiler_ipt.cpp (Branching::expandBranch): fixed bug (no
	number): compiler used to not set unique internal id for rules in
	branches, which led to chain names like 'C.0' in generated
	script.

	* PolicyCompiler_PrintRule.cpp (PrintRule::_printLogPrefix): fixed
	bug (no number): when a rule number is inserted into a log record
	in place of macro %N, it should be formatted as "N/M" for rules
	in a branch.

	* PolicyCompiler_ipt.cpp (decideOnChainForClassify::processNext):
	fixed bug (no number): setting chain for Classify action only if
	it has not been set before. Setting chain to POSTROUTING always
	broke things if a rule with action 'Classify' was used in a
	branch (so the chain has been set to that of the branch)

	* RuleSetView.cpp (RuleSetView::changeAction): working on bugs
	#1676635: "no way to match on state if the action is drop" and
	#1671910: "2.1.8 In 'Branch' acton compiler doesn't insert NEW
	stanza".
	Rule option 'stateless' is automatically set when user changes
	rule action so it becomes anything except 'Accept', 'Tag' or
	'Route'. This option is also automatically cleared when action is
	switched to any of these three actions. The user can override
	these default settings by checking or unchecking the option in
	the rule options dialog.

	* PolicyCompiler_PrintRule.cpp: working on bugs #1676635: "no way
	to match on state if the action is drop" and #1671910: "2.1.8 In
	'Branch' acton compiler doesn't insert NEW stanza". Rely only on
	rule option 'stateless' to decide whether the rule should have
	"-m state --state NEW".

2007-05-06  vadim

	* v2.1.12 started

2007-04-28  vadim

	* v2.1.11 release

2007-04-24  vadim

	* SSHUnx.cpp (SSHUnx::SSHUnx): fixed bug #1702830: "fwbuilder does
	not detect errors during policy install". Built-in installer
	detects error messages printed by iptables and iptables-restore
	and aborts installation process. Summary page shown in the end
	reflects this as failed install.

	* instOptionsDialog.cpp (instOptionsDialog::updateRollback): fixed
	bug #1701971: "Enabeling test mode doent activate the reboot
	interval". Checking "Test mode" checkbox in the installer options
	dialog should enable widgets that configure automatic reboot
	timeout.

2007-04-23  vadim

	* PolicyCompiler_PrintRule.cpp (PrintRule::_printModules): bug
	#1699483: "hashlimit-htable-expire not set". Compiler
	automatically generates name for the --hashlimit-name option if
	it is not set in the GUI.

	* PolicyCompiler_ipt.cpp (TagIfSrcFw::processNext): fixed bug
	#1703954: "Mark target in postrouting chain". Packets that
	originate on the firewall should be marked in the OUTPUT chain.
	According to the netfilter packet flow diagram at
	http://www.shorewall.net/NetfilterOverview.html , rerouting
	happens after OUTPUT hook but before POSTROUTING hook.
	* FWBTree.cpp (FWBTree::isSystem): fixed bug #1703595: "build 230
	crashes when seaching for a deleted object"

2007-04-13  vadim

	* PolicyCompiler_PrintRule.cpp (PrintRule::_printModules): fixed
	bug #1699483: "hashlimit-htable-expire not set". Added GUI
	controls and compiler support for hashlimit module options
	"--hashlimit-name", "--hashlimit-htable-size",
	"--hashlimit-htable-max", "--hashlimit-htable-expire" and
	"--hashlimit-htable-gcinterval"

	* OSConfigurator_linux24.cpp
	(linux24::generateCodeForProtocolHandlers): fixed bug #1697832:
	"fc5 kernel 2.6.20 moved *conntrack* modules". Starting with
	kernel 2.6.20, netfilter installs *conntrack* modules in
	"/lib/modules/`uname -r`/kernel/net/netfilter/" rather than
	"/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/". Modified
	shell code that finds and loads all "*conntrack*" and "*nat*"
	modules; it should now work with both old and new kernels. I do
	not know if this directory change was introduced only by Fedora
	or if it is general for netfilter.

	* TCPServiceDialog.cpp (TCPServiceDialog::validate): fixed bug
	#1695481: "compliation error with lower end port". Before, user
	could enter start port range number greater than the end port
	range number. Neither the GUI nor compiler noticed this, which
	resulted in an incorrect firewall configuration. This fix adds a
	check in the GUI to not let the user enter port ranges like that.
2007-04-03  vadim

	* PolicyCompiler_ipf_writers.cpp (PrintRule::_printWith): fixed
	bug #1676845: "lsrr option not compiling"

	* PolicyCompiler_ipf_writers.cpp (PrintRule::_printWith): fixed
	bug #1678410: "Ipfilter compiler uses wrong keyword for
	"fragment""

	* utils.cpp (getUserName): fixed bug #1684334: "RCS should use
	$LOGNAME when commit"

	* ActionsDialog.cpp (ActionsDialog::loadFWObject): fixed bug
	#1692411: "can't set accouting rule name (fwbuilder 2.1.11)"

2007-03-24  vadim

	* RuleSetView.cpp (RuleSetView::paintCell): fixed bug #1685741:
	"GUI crash: click on an empty part of obj tree, then desktop"

2007-03-21  vadim

	* ObjectTreeView.cpp (ObjectTreeView::focusOutEvent): working on
	the bug #1685741: "GUI crash: click on an empty part of obj tree,
	then desktop"

2007-03-18  vadim

	* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): minor
	redesign of the interface object dialog to make network zone more
	prominent and easier to set when network and group objects have
	long names.

2007-03-13  vadim

	* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): fixed
	bug #1674940: "if max-src-conn == 0: syntax error". Options
	max-src-conn and max-src-states can not have value '0'

	* TimeDialog.cpp (TimeDialog::loadFWObject): redesigned
	TimeService object dialog

	* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
	fixed bug #1672191: "Time limit generates unexpected iptables
	command"

	* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
	added support for --datestart and --datestop options for module
	'time' in compiler for iptables

	* started v2.1.11

2007-02-17  vadim

	* RuleSetView.cpp (RuleSetView::findWhereUsedSlot): added an item
	"Where used" to the context menu associated with objects in rules

	* FWWindow.cpp (FWWindow::setPolicyBranchTabName): a workaround
	for the bug #1629461: "Policy tabs do not scroll @ window extent
	on OSX".
	The tab widget used to show policy, nat, routing and policy
	branch rulesets does not switch to a "folded" mode on Mac OS X
	when it needs to show more tabs than fit in the window. Since I
	can't figure out a way to force it to do that, I am dropping
	"Policy/" from the tab titles for branches to make them shorter.
	This will help users with policies with many branches; however,
	it does not solve the problem because as they keep adding
	branches, at some point they won't fit in the window again.

2007-02-15  vadim

	* FWWindow.cpp (FWWindow::fileCompare): fixed bug #1659832: "No
	compile with QT without STL support"

	* instDialog.cpp (instDialog::initiateCopy): fixed bug #1661140:
	"built-in installer broken in 2.1.9 for PF". Installer
	incorrectly set name for files it copied to the firewall if
	compiler generated more than one file. Normally two files are
	generated for PF and ipfilter.

	* v2.1.10 started

2007-02-10  vadim

	* v2.1.9 release

	* main.cpp (tty_raw): bug #1650369: "[patch] please add support
	for GNU/kFreeBSD". Applied patch to make code compile on
	kFreeBSD.

2007-02-03  vadim

	* listOfLibraries.cpp (list): fixed bug #1620284: "conflict when
	adding library to Preferences/Libraries". When the user tried to
	add a library to the list in Preferences/Libraries when a data
	file with the same object library was loaded, the GUI detected
	the conflict and showed error dialog.

	* FWWindow.cpp (FWWindow::fileCompare): new feature: new operation
	"Tools/Find Conflicting Objects in Two Data Files". This
	operation inspects two data files (either .fwb or .fwl) and finds
	conflicting objects. Conflicting objects have the same internal
	ID but different attributes. Two data files can not be merged, or
	one imported into another, if they contain such objects. This
	operation also helps identify changes made to objects in two
	copies of the same data file. This operation does not find
	objects present in one file but not in the other; such objects
	present no problem for merge or import operations.
	This operation works with two external files, neither of which needs to be opened in the program. The currently opened data file is not affected by this operation and objects in the tree do not change. In the process of this operation the user is presented with a series of dialogs showing conflicting objects side by side. In the end the program can generate a report and write it to a text file.

2007-01-30 vadim

	* instDialog.cpp (instDialog::initiateCopy): more for the bug #1617501: "Install fails after compile". Making sure we always strip directory path from the file name if user specified full path for the policy file in the "Output file name" input field in the "Compiler" tab of firewall object dialog. Need to strip path when macro "%FWSCRIPT%" is substituted in installation scriptlets and in some other places.

2007-01-15 vadim

	* OSConfigurator_linux24.cpp (linux24::printRunTimeWrappers): fixed bug (no num.): data files used for run-time AddressTable objects can have empty lines, the script should skip them.

2007-01-14 vadim

	* iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog): more for bug #1618381: "CLASSIFY/MARK are non-terminating". Emulation of the terminating behavior for Classify and Tag actions is now controlled by a global option in the "Compiler" tab of the firewall properties dialog. This means emulation can be turned on and off for all rules that might require it at once. It is impossible to mix such rules with terminating and non-terminating behavior. The reason for this is that the shadowing detection algorithm can only work with either terminating or non-terminating rules, not with a mix. Hopefully this is the last change made for this bug.
	* PolicyCompiler_ipt.cpp (ipt::getAddressTableVarName): fixed bug #1632054: "Runtime AddressObjects FAIL to load if "Name:" contains "."".
	Compiler checks if the name of the run-time AddressTable object contains characters that have special meaning in shell and replaces them with '_' when it generates the name of the temporary shell variable.
	* PolicyCompiler_ipt.cpp (splitNonTerminatingTargets): update for bug #1618381: "CLASSIFY/MARK are non-terminating". Adding iptables rule with target ACCEPT to make Tag and Classify rules terminating. This is controlled by a checkbox in the action dialog for actions Classify and Tag. Default setting is off.

2007-01-09 vadim

	* FWWindow.cpp (FWWindow::scheduleRuleSetRedraw): fixed bug (no num.): GUI used to show phantom 'Policy', 'NAT' and 'Routing' tabs when user deleted objects from the Deleted Objects library, provided some of these objects were previously deleted firewalls.

2007-01-07 vadim

	* GroupObjectDialog.cpp (GroupObjectDialog::dropped): fixed bug #1624577: "group window doesn't stay open on multiple-adds". Using special flag to tell ObjectTreeView that it should ignore MouseReleaseEvent it gets after d&d operation, so it won't switch object in the editor panel. Note the bug triggered only on Mac OS X.
	* FWWindow.cpp (FWWindow::FWWindow): "Apply" and "Close" buttons in the object editor panel should be of fixed size horizontally

2007-01-06 vadim

	* instDialog.cpp (instDialog::testFirewall): fixed bug #1617501: "Install fails after compile". The GUI got confused when user entered full path to the policy file in the "Output file name" input field in the "Compiler" tab of firewall object dialog.
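A sanitizer of the kind described in the bug #1632054 entry above, written as an added example for this ChangeLog and not taken from fwbuilder's ipt::getAddressTableVarName; the "at_" prefix and the isSafeShellVarName check are assumptions of the example.

```cpp
#include <cctype>
#include <string>

// Builds the name of the temporary shell variable that the generated iptables
// script uses for a run-time AddressTable object.  Any character that is not a
// letter, digit or underscore is replaced with '_', so object names containing
// ".", "-", spaces, "$(" and similar shell metacharacters can neither break the
// generated script nor inject commands into it.  The "at_" prefix is an
// assumption of this example; it also keeps names that start with a digit valid.
std::string addressTableVarName(const std::string& objectName)
{
    std::string var = "at_";
    for (char ch : objectName) {
        unsigned char c = static_cast<unsigned char>(ch);  // isalnum needs unsigned
        var += (std::isalnum(c) || c == '_') ? static_cast<char>(c) : '_';
    }
    return var;
}

// Defensive check applied before the name is written into the script:
// a POSIX shell variable name is [A-Za-z_][A-Za-z0-9_]*.
bool isSafeShellVarName(const std::string& var)
{
    if (var.empty()) return false;
    unsigned char first = static_cast<unsigned char>(var[0]);
    if (!(std::isalpha(first) || first == '_')) return false;
    for (char ch : var) {
        unsigned char c = static_cast<unsigned char>(ch);
        if (!(std::isalnum(c) || c == '_')) return false;
    }
    return true;
}
```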
	* SimpleTextEditor.cpp (SimpleTextEditor::loadFromFile): fixed bug 1619930: "Prolog tab's ScriptEditor's import fails to overwrite"
	* OSConfigurator_linux24.cpp (linux24::printRunTimeWrappers): fixed bug #1628989: "run-time-loaded rules don't accept ";" as line comment"
	* RuleOptionsDialog.cpp (RuleOptionsDialog::changed): fixed bug #1620206: "RuleOptions' "Apply" button greyed-out until menu selection"
	* SimpleTextEditor.cpp (SimpleTextEditor::SimpleTextEditor): fixed bug #1619842: "prolog "script editor" opens behind other windows"
	* RuleSetView.cpp (RuleSetView::removeRule): fixed bug #1629521: "can't delete empty chain/policy tab"
	* instOptionsDialog.cpp (instOptionsDialog::hidePIXOptions): installOptionsDialog was too large and did not fit on some laptop screens. Doing tricks to make sure the dialog properly resizes after unused GUI elements are hidden.

2007-01-04 vadim

	* PolicyCompiler.cpp (DetectShadowingForNonTerminatingRules::processNext): (API change) fixed bug #1618381: "CLASSIFY/MARK are non-terminating". Non-terminating rules shadow each other "backwards", that is a more general rule shadows other rules _above_ it. Added flag 'reverse' to the method find_more_general_rule and added new rule processor DetectShadowingForNonTerminatingRules that finds such cases of 'reverse' shadowing. Using it for rules in the mangle table for iptables.
	* PolicyCompiler_ipt.cpp (finalizeChain::processNext): working on bug #1618381
	* For action Branch with option to add branching rule to the mangle table: we now generate rules in PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD chains. This is because some targets can only work in PREROUTING or POSTROUTING chains but we do not know what rules the user will put in the branch. So we need to branch in all chains.
	* For rules in the mangle table with direction set to Inbound or Outbound, force chain to PREROUTING or POSTROUTING respectively early. This eliminates duplicates such as the same rule in PREROUTING and INPUT chains.
	Also since most (all?) targets that require mangle table go into either PREROUTING or POSTROUTING chains, it should be enough to use these two chains.

2007-01-01 vadim

	* ActionsDialog.cpp (ActionsDialog::setRule), PolicyCompiler_ipt.cpp (splitNonTerminatingTargets::processNext): working on bug #1618381: "CLASSIFY/MARK are non-terminating". Converting non-terminating targets MARK and CLASSIFY into equivalent of terminating targets using intermediate chain and "-g" option to pass control to it. Added a checkbox to the rule options dialog for action Classify for this; by default this feature is off.

2006-12-27 vadim

	* Compiler.cpp (Compiler::expandGroupsInRuleElement): fixed bug #1620925: "compile-time AddressTable object with empty file". Compile-time AddressTable object that uses file with no addresses should be treated as an empty group according to the "Ignore empty groups" option. Changes are made as follows:
	- Compiler::expandGroupsInRuleElement does not call s->setAnyElement(); to set rule element to 'any' before adding addresses from the group. This means that if group is empty, rule element remains empty (not even 'any', just with no children, i.e. with size()==0). Note that AddressTable::loadFromSource() leaves AddressTable object empty if the file does not have any addresses.
	- Compiler::emptyGroupsInRE specifically checks for run-time MultiAddress objects and skips them so they won't be treated as empty groups (since they are indeed empty). Compile-time MultiAddress objects are treated as groups and the algorithm that depends on option 'ignore empty groups' is executed for both empty regular groups and empty compile-time MultiAddress objects.
	* PolicyCompiler_ipt_optimizer.cpp (optimize1::optimizeForRuleElement): fixed bug #1623113: 'connlimit fails in compiled "address table" rules'. Module connlimit can only be used in iptables rules matching TCP services. Such iptables commands have "-p tcp" and/or "-m tcp" options.
	If a rule in fwbuilder uses TCP Service and connlimit option and has multiple objects in src and dst, the optimizer used to split it to minimize matches. It however preserved the connlimit option in all subrules, even though some of them did not have TCP service after the split. This led to generation of incorrect iptables commands.
	* PolicyCompiler_ipt.cpp (Branching::expandBranch): fixed bug #1623338: "Can not disable rules in a branch". Compiler for iptables ignored flag 'disabled' on rules in a branch.

2006-12-26 vadim

	* VERSION (FWB_MICRO_VERSION): set version to 2.1.9

2006-12-03 vadim

	* v2.1.8 released

2006-11-30 vadim

	* FirewallDialog.cpp (FirewallDialog::applyChanges): fixed bug #1589743: "compiler setting should be erased when fw platform changes". If user configured firewall object to use third-party compiler, this setting should be erased when firewall platform of this object changes. 1) compilers are always platform-specific and old compiler most likely won't work with different platform; 2) 'advanced' firewall settings dialog may not have an entry field for the compiler (e.g. dialog for PIX does not have it)

2006-11-26 vadim

	* gui.pro (TARGET): All binaries are renamed to drop suffix '21'. Opinion poll among the mailing list subscribers showed the majority of users does not care for the ability to install and run both old and new versions of fwbuilder on the same machine. This feature creates substantial problems because of the symlinks to libfwbuilder libraries that have the same name regardless of the library version ('libfwbuilder.so' and 'libfwcompiler.so'). These symlinks are required on Linux and *BSD and can not be avoided easily. The only simple alternative was to rename libraries to libfwbuilder21 and libfwcompiler21. I was impartial and thought of doing this but FreeBSD port maintainer did not like this solution.
	Given that most users said in the poll they do not want this feature anyway, I am reverting binary and man page names back to the old standard scheme without suffix '21'.

2006-11-16 vadim

	* FindObjectWidget.cpp (FindObjectWidget::matchAttr): added back search by regexp - object name or port, protocol or ICMP type numbers can be defined as regular expressions.

2006-11-09 vadim

	* PolicyCompiler_PrintRule.cpp (PrintRule::_printDirectionAndInterface): fixed bug #1593221: "iptables filtering bridge problem - PHYSDEV: no physdev opti..." Sometimes rules were generated with "-m physdev" but without "--physdev-in" or "--physdev-out" options.
	* PolicyCompiler_ipt.cpp (Branching::expandBranch): fixed bug #1592130: "Policy Chaining Issues". Policy compiler should expand rule subsets recursively
	* FWWindow.cpp (FWWindow::addPolicyBranchTab): working on bug #1592130: "Policy Chaining Issues". The GUI should properly display nested branch rulesets.
	* set version to 2.1.8

2006-10-30 vadim

	* v2.1.7 released

2006-10-28 vadim

	* RuleSetView.cpp (RuleSetView::paintCell): fixes for QT w/o STL support

2006-10-24 vadim

	* manually removed from findobjectwidget_q.ui and findwhereusedwidget_q.ui
	* build 155

2006-10-23 vadim

	* platforms.cpp (getRouteOptions_pf_ipf): fixed bug (no num): the program used to incorrectly save "route option" parameter that is used for pf and ipf firewalls when user edited action "Routing" for iptables firewall. This would corrupt saved XML file if the program was used under non-English locale.

2006-10-22 vadim

	* ObjectTreeView.cpp (ObjectTreeView::updateTreeItems): eliminated useless creation of interim QPixmap objects. It appears this was responsible for creation of tons of extra pixmaps that triggered bug 1582130 on windows. Bug #1582130: "GUI crashes on windows when very large data file is opened" is now fixed.
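The 'reverse' shadowing check described in the 2007-01-04 entry above (bug #1618381), as an added example that is not fwbuilder's find_more_general_rule: rules are modelled as sets of object names per element with the empty set standing for 'any', which is an assumption of this example and ignores the options the real processor also compares.

```cpp
#include <cstddef>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// One rule element (src, dst or srv) as a set of object names.  The empty set
// stands for 'any'; this simplified model is an assumption of the example.
using Elem = std::set<std::string>;

struct Rule {
    Elem src, dst, srv;
};

// True if element a matches everything that element b matches.
static bool covers(const Elem& a, const Elem& b)
{
    if (a.empty()) return true;      // 'any' covers everything
    if (b.empty()) return false;     // nothing but 'any' covers 'any'
    for (const std::string& obj : b)
        if (a.count(obj) == 0) return false;
    return true;
}

// Rule g is more general than rule r when it covers r in every element,
// i.e. every packet matched by r is also matched by g.
static bool moreGeneral(const Rule& g, const Rule& r)
{
    return covers(g.src, r.src) && covers(g.dst, r.dst) && covers(g.srv, r.srv);
}

// Returns indices of shadowed rules.  reverse=false is the usual check for
// terminating rules (ACCEPT/DROP): a more general rule *above* shadows the
// rule below because packets never reach it.  reverse=true is the check for
// non-terminating mangle rules (MARK/CLASSIFY): a more general rule *below*
// shadows the rule above because its mark/class overwrites the earlier one.
std::vector<std::size_t> findShadowed(const std::vector<Rule>& rules, bool reverse)
{
    std::vector<std::size_t> shadowed;
    for (std::size_t i = 0; i < rules.size(); ++i) {
        bool hit = false;
        if (!reverse) {
            for (std::size_t j = 0; j < i && !hit; ++j)
                hit = moreGeneral(rules[j], rules[i]);
        } else {
            for (std::size_t j = i + 1; j < rules.size() && !hit; ++j)
                hit = moreGeneral(rules[j], rules[i]);
        }
        if (hit) shadowed.push_back(i);
    }
    return shadowed;
}

// Constructed sample ruleset: r1 is the general rule, r3 duplicates r0.
std::vector<Rule> sampleRules()
{
    return {
        { {"hostA"}, {}, {"http"} },         // r0: hostA -> any, http
        { {},        {}, {"http"} },         // r1: any   -> any, http
        { {"hostB"}, {}, {"http", "ssh"} },  // r2: hostB -> any, http+ssh
        { {"hostA"}, {}, {"http"} },         // r3: same as r0
    };
}

int main()
{
    for (bool reverse : {false, true}) {
        std::cout << (reverse ? "non-terminating" : "terminating") << " shadowed:";
        for (std::size_t i : findShadowed(sampleRules(), reverse)) std::cout << ' ' << i;
        std::cout << '\n';   // terminating: 3, non-terminating: 0
    }
    return 0;
}
```

With terminating semantics only the duplicate r3 is shadowed (by r0 above it); with reverse semantics r0 is the shadowed one, because the more general r1 below it overwrites its mark.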

2006-10-21 vadim

	* ObjectManipulator.cpp (ObjectManipulator::addTreePage): working on bug #1582130: "GUI crashes on windows when very large data file is opened". Using QPixmapCache everywhere.
	* PixmapFactory.cpp (PixmapFactory::getPixmap): bug #1582130 "GUI crashes on windows when very large data file is opened". Ran into a known limitation on number of simultaneously created pixmaps on Windows. If the data file contains over 3000 objects or so, the GUI crashes on Windows. This is caused by the fact that GDI has a global limit on the number of pixmaps. See here: http://lists.trolltech.com/qt-interest/2005-01/thread00679-0.html Using QPixmapCache class to cache and reuse pixmaps, using it via simple wrapper PixmapFactory that automatically creates pixmaps not found in the cache.

2006-10-20 vadim

	* listOfLibraries.cpp (listOfLibraries::listOfLibraries): fixes for QT w/o STL support on win32

2006-10-19 vadim

	* DialogData.cpp (DialogData::loadToWidget): properly using remapping tables while loading strings into QComboBox when program runs under international locale. Strings for comboboxes are defined in platforms.cpp and need to be translated accordingly.

2006-10-16 vadim

	* RCSFileDialog.cpp (RCSFileDialog::getSelectedRev): fixed bug #1578502: "crashing opening file". The GUI crashed if the user switched "open file" dialog to detailed list mode and then tried to open a file.

2006-10-15 vadim

	* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction): All compilers print error message when they encounter unknown action in a rule
	* Preprocessor.cpp (Preprocessor::convertObject): fixed bug #1575355: "Compiler tries to resove deleted AddressTable objects". Using findWhereUsed to find if MultiAddress object is used in firewall being compiled so we don't try to resolve objects that are not used anywhere.
	* FWObjectDatabase.cpp (FWObjectDatabase::findObjectsInGroup): code refactoring: moved methods findObjectsInGroup and findWhereUsed from the GUI to API.

2006-10-08 vadim

	* v2.1.6 build 134: major improvements in support for outbound ACLs in PIX 7.0 in compiler for PIX. Added file 'v21_migration_notes.txt' to fwbuilder-pix package

2006-10-07 vadim

	* NATCompiler_PrintRule.cpp (PrintRule::_printDstService): fixed bug #1572735: "Wrong syntax with TagService in NAT table". Added missing "-m mark"

2006-10-06 vadim

	* PolicyCompiler_ipfw.cpp (SpecialRuleActionsForShadowing::processNext): rule with action 'Pipe' or 'Custom' should not shadow other rules
	* PolicyCompiler_ipfw_writers.cpp (PrintRule::processNext): compiler for ipfw generates rule with action check-state depending on the setting of the option "Add rule to accept packets matching dynamic rules created for known sessions". This option is controlled by a checkbox in the firewall settings dialog.
	* TableFactory.cpp (TableFactory::PrintTables): if AddressTable object is configured to resolve at run time but file name is left blank, compiler for PF generates PF configuration as follows: "table persist". That is, it omits 'file "filename"' clause altogether. This is useful if table is updated automatically using "max-src-conn, overload " option and does not need to be pre-populated with addresses from a file.

2006-10-05 vadim

	* pixAdvancedDialog.cpp (pixAdvancedDialog::pixAdvancedDialog): added option "Generate outbound ACLs" for PIX 7.0

2006-10-02 vadim

	* Checking in updated German translation by Hans Peter Dittler

2006-09-29 vadim

	* PolicyCompiler_ipt.cpp (ipt::compile): fixed bug #1567873: "CLASSIFY/Logging". Need to run rule processor decideOnChainForClassify before rule is split for negation or logging to properly pick up chain for action Classify. Previously rules with this action and either negation or logging would match packets in chains INPUT/OUTPUT/FORWARD but use chain POSTROUTING when applying action.

2006-09-28 vadim

	* pf.cpp (main): 'Prolog' section of the generated script can now be added in different places:
	- to the activation shell script, as before
	- at the very top of generated .conf file
	- after 'set' commands in the generated .conf file
	- after 'scrub' commands in the generated .conf file
	- after table definitions in the generated .conf file but before all policy commands

2006-09-26 vadim

	* checking in updated Russian localization by

2006-09-21 vadim

	* ObjectManipulator.cpp (ObjectManipulator::deleteObj): fixed bug #1562965: "no confirmation when deleting an object". In a scenario when user starts with an empty object tree, then adds a firewall with an interface, then tries to delete the interface, the GUI would just delete it without presenting the user with "Are you sure ?" confirmation dialog.

2006-09-20 vadim

	* PolicyCompiler_ipt.cpp (convertAnyToNotFWForShadowing::processNext): fixed bug #1562348: "a case of undetected rule shadowing". Compiler did not detect shadowing in the pair of rules where first rule was 'any any service' (flag 'firewall is part of any' is ON) and the second was 'fw any service' when global flag 'firewall is part of any' is OFF
	* confirmdeleteobjectdialog_q.ui: fixed bug #1561165: "Delete dialog box sizing incorrect"
	* FWObject.cpp (FWObject::shallowDuplicate): API change: fixed bug 1562290: "GUI crashes in discovery druid". FWObject::shallowDuplicate should add to database index only if dbroot is defined. If dbroot==NULL, trying to copy it from parameter x of shallowDuplicate (the object we are duplicating), but need to check if dbroot is != NULL after that as well, because the object we are duplicating may not belong to any object tree. This is the case with interface objects created in SNMPQuery::fetchInterfaces

2006-09-17 vadim

	* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): feature request #1531599: "max-src-conn and max-src-conn-rate". Added support for max-src-conn and max-src-conn-rate options in compiler for PF.
	* RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): feature request #1531599: "max-src-conn and max-src-conn-rate". Added GUI elements to support these PF options.

2006-09-16 vadim

	* SSHPIX.cpp (SSHPIX::stateMachine): fixed a bug in the code that deals with previously unseen ssh host key. Properly terminating session if user hits 'No'; stopping heartbeat timer while waiting for user input.
	* FWWindow.cpp (FWWindow::install): compile/install wizard is now a top level non-modal window; it can be used in parallel with the main window so one can inspect and fix rules while still looking at the output produced by the compiler, or work with objects and rules while pushing policy update to the firewall.

2006-09-15 vadim

	* instDialog.cpp (instDialog::installerError): fixed bug #1559697: "built-in installer crashes on incorrect password"

2006-09-14 vadim

	* FWObjectClipboard.h: clipboard holds list of object IDs instead of object copies. Clearing clipboard when an object is deleted from the "Deleted objects" library in ObjectManipulator::delObj.
	* FWWindow.cpp (FWWindow::load): calling FWObjectDatabase::reIndex to fix object reference counters and rebuild the index after object tree is loaded from .fwb file. Doing the same in all policy compilers.
	* NATCompiler_pf.cpp (splitForTSrc::processNext): fixed bug #1556984: "Nat statements in PF are missing (source-natting)". Compiler was too restrictive checking firewall's interfaces while generating 'nat' rules. It generated such rule only when it was able to find an interface with address/netmask combination that defined subnet to which TSrc address belonged. 2.0.X used to be more liberal and created nat rule even if such interface was not found; in such case it generated nat rule bound to all interfaces of the firewall.

2006-09-13 vadim

	* ActionsDialog.cpp (ActionsDialog::iptRouteContinueToggled): fixed bug #1557827: "iptables, routing, iif and continue".
	GUI enforces rules on options to iptables target ROUTE: 'continue' is mutually exclusive with --iif and --tee, therefore checking option 'Continue packet inspection' disables options 'Change inbound interface to' and 'Make a copy' (GUI elements are greyed out).

2006-09-10 vadim

	* FWWindow.cpp (FWWindow::scheduleRuleSetRedraw): using timer event to make sure rule sets are redrawn no more than once when needed.

2006-09-08 vadim

	* FWWindow.cpp (FWWindow::load): using FWObjectDatabase::addToIndexRecursive to quickly reindex whole database once datafile is loaded. This works very fast. Fixes everywhere for the new format of FWObjectDatabase::create

2006-09-07 vadim

	* FWWindow.cpp (FWWindow::load): improvements in the GUI ergonomics when working with very large data files:
	- The main window opens before the file specified on the command line is loaded
	- Using status bar to print messages indicating progress of the file loading process
	- Enforcing objects indexing after the file is loaded, this speeds things up later
	* ObjectEditor.cpp (ObjectEditor::actionChanged): fixed bug #1553394: "Options windows stays the same".

2006-09-05 vadim

	* FWWindow.cpp (FWWindow::killInstDialog): compile/install dialog is now not modal, this means the user can look at the policy and objects while compilation and/or installation is going on. This is especially convenient as it allows one to inspect the rules after failed compilation while still having compiler error on screen.
	* VERSION: set version to 2.1.6
	* configure.in: added check to make sure qmake found by configure really is part of QT 3.x. This should help avoid build failures on systems where both QT 3.x and 4.x are installed and where /usr/bin/qmake is really QT 4.x qmake which we can not use.

2006-08-31 vadim

	* PolicyCompiler_ipfw.cpp (processMultiAddressObjectsInRE): checking for (currently unsupported) run-time AddressTable objects
	* All compilers: fixed bug #1544488: 'Error with DNS_name object when "resolve during run time"'.
	Needed to swap run-time DNSName and AddressTable objects with MultiAddressRunTime during rule shadowing run

2006-08-29 vadim

	* instDialog.cpp (readFromStdout): properly processing text coming from the background process if it comes buffered in chunks that include several lines of text and possibly an incomplete last line. Previously, text would come out weirdly formatted in the log window.
	* instDialog.cpp (processExited): detecting situation when background process (compiler) crashes or is killed
	* RuleSetView.cpp (fixRulePosition): this method fixes rule position if it is incorrect (this happens sometimes because of errors in auto-upgrade transformations). fixRulePosition checks if the object the rule belongs to is read-only or belongs to a read-only subtree in the database and temporarily breaks the lock in order to be able to fix rule position. This method is recursive so it supports cases when several objects between the rule and database root are read-only.

2006-08-27 vadim

	* instDialog.cpp (prepareInstallerOptions): Added checkbox 'save copy of fwb file on the firewall' to the installer options dialog. If this checkbox is on, installer copies .fwb file to the firewall before it copies generated configuration and activates it. This can be used as last resort backup but should be avoided if firewall is managed from remote workstation and especially if many firewalls are managed from dedicated management workstation (because storing fwb file on each firewall means security policy of all firewalls resides on every one of them). This option is off by default.

2006-08-26 vadim

	* ConfirmDeleteObjectDialog.cpp (findForObject): redesign of the dialog: now showing objects to be deleted and their parent objects in the same list with selection disabled. This removes confusion caused by the text in the dialog saying that 'selected objects' were about to be deleted and ability to select objects in the confirmation dialog.

2006-08-20 vadim

	* PolicyCompiler_pf.cpp (fillDirection::processNext): fixed bug #1543684: "fwb 2.1.5 IPFilter fallback rule issues". Fallback rule should be 'pass out' if option 'Pass all outgoing' is used.

2006-08-19 vadim

	* MangleTableCompiler_ipt.cpp (processNext): (new feature): added checkbox to the action 'Branch' for iptables "In addition to 'filter', create branching rule in 'mangle' table as well". When this parameter is activated, compiler creates branching rules in both filter and mangle tables; in mangle table it always uses chains PREROUTING, INPUT, OUTPUT and FORWARD.
	* PolicyCompiler_ipt.cpp (processNext): fixed bug #1534423 "2.1.5, mark action rules in branches". Added checkbox "Mark packets in PREROUTING chain" to the action "Tag" for iptables. Compiler places rule into PREROUTING chain when this parameter is activated.

2006-08-18 vadim

	* PolicyCompiler_ipt.cpp (compile): working on bug #1534423 "2.1.5, mark action rules in branches". Branch rules with action Tag go into mangle table.

2006-08-17 vadim

	* gui.cw: this file is used by QT to save descriptions of custom widgets
	* ObjectManipulator.h: added bunch of missing virtual destructors to various classes

2006-08-10 Vadim

	* ConfirmDeleteObjectDialog.cpp (ConfirmDeleteObjectDialog): completed implementation of feature request #1116454: "Where Used Option". When the user tries to delete an object from the tree, the GUI presents a list of groups and firewall rules where this object is used.

2006-08-09 Vadim

	* instDialog.cpp (findFirewalls): main menu item 'Compile' and corresponding toolbar button activate compilation/installation for all firewalls in all libraries. This fixes bug #1531007: "no firewall in comp/inst dialog if standard library selected"
	* utils.h (findByObjectType): added parameter bool skip_system_libs. This method will skip libraries DELETED_LIB and TEMPLATE_LIB if this parameter is true (which is its default value).

2006-08-08 Vadim

	* ObjectEditor.cpp (validateAndClose): fixed bug (no num.): "Apply" button in the editor panel would not activate when user reopened an object after it was edited and then editor panel closed.
	* ObjectEditor.cpp (apply): fixed bug #1531020: "gui behaviour on object renaming". Changing name of the selected object in the editor updated it in the tree but not in the rule set view.
	* ActionsDialog.cpp (applyChanges): fixed bug #1531008: "gui behaviour improvements". Gui used to reset rule selection after user selected different object in the tree.

2006-08-05 Vadim

	* newFirewallDialog.cpp (newFirewallDialog): fixed bug #1525808: "fwbuilder21: Windows are too large ". One of the pages of the firewall creation druid was too large vertically; as the result whole druid would not fit on screens 1024x768 with standard font bigger than 18pt
	* FindWhereUsedWidget.h (class FindWhereUsedWidget): Feature request #1116454: "Where Used Option". Ilya implemented "Find Where Used" function which quickly finds and shows rules of all firewalls that utilize a given object.

2006-07-23 vadim

	* RuleSetView.cpp (copyRule): still debugging problems caused by QT w/o STL support. Also got rid of methods RuleSetView::isSrc, isDst, isSrv etc; this makes code cleaner because these methods violated data access boundaries in the class hierarchy.

2006-07-22 vadim

	* FWObjectPropertiesFactory.cpp (getPolicyRuleOptions): fixes in a bunch of places where code assumed QT is built with STL support

2006-07-20 vadim

	* PolicyCompiler_ipt_optimizer.cpp (processNext): checking if objects in srv are of the type TCPService or UDPService; if they are, treat srv as if it has one object even if there are several in it. This eliminates unnecessary rule splitting that optimizer used to do.
	* PolicyCompiler_ipt.cpp (compile): moved InterfacePolicyRulesWithOptimization further down the chain of rule processors to let other processors properly decide on chain for rules that are associated with multiple interfaces. Such rule is now treated as if it has one interface, and most of the chain and target decisions are made before the rule is split. When the rule is split in InterfacePolicyRulesWithOptimization, each part gets one interface from the original list.
	* PolicyCompiler_ipt.cpp (SrcNegation): all rule processors that work with negation reset "Interface" rule element in subrules they create except for the very first.
	* main.cpp (main): removed plays with styles on Mac, they proved unnecessary

2006-07-18 vadim

	* unit_tests.cpp (main): unit test for RCS module, currently only checks if rlog reading routine works right
	* RCS.cpp (RCS): trying to fix mysterious bug that causes RCS module to misinterpret RCS log in some cases and read modification date/time instead of the name of the user who apparently opened and locked the file. However in cases like that the file in fact is checked in and unlocked. Instead of reading rlog output line by line and using regex to parse each line separately, we now read the output in chunks using '------' as a separator. Each chunk corresponds to one revision and all regexps are written to work on the whole chunk instead of one line.

2006-07-17 vadim

	* RuleSetView.cpp (paintCell): When user selects an object in the rule set, all references to the same object in other rules are highlighted by drawing a thin red frame around them. Similarly, when an object is selected in the tree, all references to it in the currently visible ruleset are similarly highlighted. This helps enforce the notion that all instances of the object in rules are really references to the same object, as well as helps locate these references visually.

2006-07-12 vadim

	* FWWindow.cpp (exportLibraryTo): user chooses libraries for export using separate modal dialog instead of built-in panel in the file choosing dialog in the "File/Export Library" function

2006-07-11 vadim

	* FWWindow.cpp (FWWindow): FindObjectWidget is not a custom widget anymore - this is a workaround for QT bug #85440: http://www.trolltech.com/developer/task-tracker/index_html?id=85440&method=entry

2006-07-09 vadim

	* ObjectTreeView.cpp (contentsMouseReleaseEvent): bugfix: the GUI used to switch object in the editor if user tried to open a different library and expand/collapse subtree in it. It should not do this; expanding/collapsing subtrees should not cause object switch in the editor.

2006-06-30 vadim

	* RuleSetView.cpp (paintCell): highlighting whole table cell for rule options/actions/directions/etc when corresponding rule element is selected.
	* Added title bar with icon and object type name to dialog panels for all object types

2006-06-25 vadim

	* PrefsDialog.cpp (PrefsDialog): removed "Data format" tab from the Preferences dialog. Option that turns off saving standard objects in every user's data file was on by default for a long time, now it is time to remove the GUI control altogether.
	* FWBSettings.h: using macro SETTINGS_PATH_PREFIX to define path prefix for settings. This makes it easier to change the prefix when new version is introduced

2006-06-23 vadim

	* DiscoveryDruid.cpp (): using QDns to get host names for discovered ip addresses instead of our own DNS methods

2006-06-21 vadim

	* NATCompiler_pf_writers.cpp (_printPort): fixed bug #1509411: "FWB does not build correct PF RDR port ranges". RDR rules should support port ranges in the RHS of "->"
	* qmake.inc.in: Passing CXXFLAGS from environment to the build process.
	Fedora engineers had to add a hack to their .spec file to do this; this change makes their hack unnecessary

2006-06-17 vadim

	* PolicyCompiler_pf_writers.cpp (_printRouteOptions): implemented support for action Route for PF

2006-06-15 vadim

	* ObjectTreeView.cpp (contentsMouseReleaseEvent): fixed selection of multiple objects in the tree and interaction with editor.

2006-06-14 vadim

	* PolicyCompiler_ipt.cpp (processNext): implemented support for action Route for iptables

2006-06-13 vadim

	* RuleSetView.cpp (openObjectInTree): selecting object in a rule automatically opens it in the tree (both when editor is opened and when it is closed)

2006-06-11 vadim

	* FWWindow.cpp (requestEditorOwnership): moved all the logic controlling switching between objects with editor open to this method of FWWindow; this significantly simplifies other classes. Now we can properly process situations when user opens an object in a rule, edits it and then tries to open an object in the tree for editing. This also works in other situations when object with unsaved changes is opened in the editor and user tries to switch to another one, possibly in a different panel or widget. Still need to explore ways to maintain synchronized object highlighting in the tree and in rules.

2006-06-06 vadim

	* RuleSetView.cpp (maybeTip): directions are represented only by icons with no text; added tooltip for directions
	* ObjectEditor.cpp (validateAndSave): cleanup in ObjectEditor class - reusing method validateAndSave in methods close, validateAndClose
	* FirewallDialog.cpp (loadFWObject): "snmp" tab of the firewall object dialog has been deprecated

2006-06-04 vadim

	* RuleSetView.cpp (revealObjectInTree): change in the GUI behavior:
	- selection in the tree and ruleset are mutually exclusive, that is selecting an object in ruleset turns selection off in the tree and vice versa. Added menu item "Reveal in tree" to the context menu that appears when user clicks right mouse button on an object in ruleset.
	* PolicyCompiler_ipt.cpp (processNext): Added support for CONNMARK as an option for rules with action Tag. If a checkbox "Mark connections created by packets that match this rule" in rule options of a rule with action Tag is checked, compiler adds iptables command to save mark set by the Tag action into connmark module, and then adds another command at the beginning of the policy to restore it.

2006-06-03  vadim

	* ActionsDialog.cpp (setRule): New rule action: "Route", to be mapped to ROUTE target for iptables and 'route' option for pf and ipf

2006-05-31  vadim

	* RuleSetView.cpp (paintCell): When a group is opened in the editor, an object can be highlighted there which is different from the object highlighted in rules. Using alternative color to highlight object in rules when user switches keyboard focus to the editor panel. This helps avoid confusion caused by identical look of objects highlighted in rules and group view. Currently using QColorGroup::midlight() to get color for when ruleset widget has no focus. This is probably incorrect because color should change when widget's colorGroup() changes from active to normal. Using midlight color may lead to incorrect results if QT theme does not define this color properly.

2006-05-25  vadim

	* ObjectManipulator.cpp (edit): GUI opens objects in the editor panel on single mouse click on an object in the tree if editor panel is opened. If it is closed, click just changes selection in the tree. Drag and drop works because object is opened in the editor on mouse release. Similarly, if user navigates in the tree using keyboard, object is opened in the editor on keyReleased event. Multiple selection works both by mouse and by keyboard.

2006-05-20  vadim

	* PolicyCompiler_pf.cpp (swapAddressTableObjectsInRE): AddressTable objects are converted to PF tables with the name of the object in both run-time and compile-time mode.
	This is so only for PF because other compilers simply expand compile-time AddressTable objects as a group of addresses (and lose its name in the process). Administrator can use compile-time AddressTable object to create tables with names known beforehand. In the future these tables can be used with 'overflow' rule option that updates tables automatically.

	* TableFactory.cpp (init): implemented persistent tables in compiler for PF: compiler maintains list of tables it creates between passes for NAT and policy rules. This reduces duplication if the same tables need to be created for both policy and NAT rules. Tables for branched rule sets (anchors) are generated separately and may duplicate those in the main rule set (although their name is different).

2006-05-16  vadim

	* PolicyCompiler_pf.cpp (processMultiAddressObjectsInRE): DNSName object now inherits MultiAddress, this allows for DNSName to be expanded into multiple addresses at compile time. Run time support hasn't changed because most fw platforms automatically expand domain name into all IP addresses defined as DNS A records for this name.

2006-05-14  vadim

	* FWWindow.cpp (unselectRules): rule set should lose focus when object editor is opened in a panel. Object shown in the editor is highlighted in the tree anyway. This works better during search when "find next" finds object in the tree

	* NATCompiler_PrintRule.cpp (processNext): fixed bug #1476797: "ipt NETMAP, POSTROUTING** chain --to problem with multiple network targets".
	* PolicyCompiler_PrintRule.cpp (_printModules): Added support for hashlimit module for iptables (with an option for older systems where the same module is called dstlimit)

2006-05-13  vadim

	* PolicyCompiler_PrintRule.cpp (_printModules): added support for connlimit module for iptables

2006-05-12  vadim

	* RuleOptionsDialog.cpp (loadFWObject): added input fields for iptables module "connlimit"

	* Many dialogs: converting all object, rule options and actions editors from pop-up dialogs to built-in panels.

2006-05-07  vadim

	* PrefsDialog.cpp (accept): removed entry field for scp, it is not used by the installer. Cleaned up in all places where we check if path to ssh is configured to make sure installer can use it.

	* TableFactory.cpp (createTablesForRE): names for tables that go into an anchor have anchor name prepended to them as a prefix to ensure global uniqueness. One side effect of this is that AddressTable objects can only be used either in global rules or in an anchor, but not in both at the same time because the name of the table created for such object follows the name of the object and hence appears the same in the main rule set and in the anchor.

2006-05-06  vadim

	* pf.cpp (main): Added support for branching rules for PF, implemented via anchors. Rules defined in branches are stored in separate .conf files and loaded by the .fw file using pfctl -a -f. Anchor rule files are also added to manifest in the .fw file to make sure the built-in installer will copy them to the firewall.

	* PolicyCompiler_ipt.cpp (processNext): support for branching rules for iptables (via user-defined chain, chain name is specified as action parameter for action 'Chain')

	* FWWindow.cpp (reopenFirewall): added support for policy branches. Setting rule action to "Chain" or "Anchor" (depending on platform) creates additional tab with a policy rule set. These rules represent a branch in the policy, implemented by means of a user-defined chain for iptables and anchor for pf.
	Chain or anchor name is set as action parameter through standard action options dialog.

	* FWWindow.cpp (fileSaveAs): fixed bug #1424880: "Save As" works incorrectly. "Save As" works as follows:
	  - a new file is created with the name provided by user, this file captures the state of the object database as of the moment when user executed 'Save As' operation.
	  - if the old file was not in RCS, then any changes made to it since it was saved to disk last time are lost. In other words, next time user opens the old file, its content will be as it was when it was saved to disk last time before using 'Save As' operation
	  - if the old file was in RCS, then it is reverted to the head revision in RCS

	* fixed bug #1434321: firewall name heading incorrect after duplicate. After a firewall object is duplicated, the name of the new object as shown in the tree and in pull-down list of firewalls was incorrect.

	* ActionsDialog.cpp (setRule): Added GUI support for action 'Branch' (represented as 'Chain' for iptables and 'Anchor' for pf)

2006-04-30  vadim

	* platforms.cpp (getActionNameForPlatform): remapping names of some new actions depending on the target firewall platform. For example, action "Tag" appears as "Tag" for PF and as "Mark" for iptables. Also remapping name for actions Pipe and Accounting. This should help adoption of the new actions by people who are familiar with corresponding features of the target firewall platforms. Name mapping is done only for presentation; all internal references to actions use their abstract internal names both in the GUI and in all compilers.

2006-04-30

	* PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): fixed bug #1464806: "Global custom log prefix not applied to built in options". Autogenerated rule that blocks packets matching INVALID state will use globally set custom logging prefix.
	"-1" is used for the rule number; macro "%C" is replaced with the chain name "drop_invalid"

	* NATCompiler_pf_writers.cpp (processNext): fixed bug #1407328: "NAT / RDR Exception PF problem". "no nat" rule in PF can translate either into 'no nat' or 'no rdr', depending on what the user really needs to achieve. There is no way fwbuilder can guess right by just analysing this single rule, so it will generate both variants.

2006-04-23  vadim

	* SSHSession.h: fix for bug #1455772 did not work on windows where QProcess added '\0' to each line of the stream passed to the ssh client. On Unix we run fwbuilder as a wrapper for ssh client and can intercept and filter these characters but on windows we do not use wrapper and can't fix the problem that way. Better fix is to avoid QString (and therefore conversions UTF8 <-> Unicode) altogether. Changed last parameter for constructor of SSHSession and derived classes from QStringList to list. Now instDialog reads script as sequence of bytes and does not convert it to Unicode, then passes it to the ssh client via SSHSession as-is. In principle, this alleviates the need for the hack in main.cpp but I leave it there just in case. (Forward ported from 2.0.12)

2006-04-23  vadim

	* pixAdvancedDialog.cpp (displayCommands): changed title of the tab where user controls protocol inspectors from "Fixup" to "Inspect". Added a button to show commands that will be generated by the compiler for a current combination of inspector configuration, this button calls policy compiler fwb_pix and feeds XML to it via standard input. Doing this automatically every time user touches something in the inspector control widgets may be slow on underpowered machines or when the data tree is very large because the GUI needs to start external process, which reads and parses the whole XML file.

2006-04-22  vadim

	* pixAdvancedDialog.cpp (pixAdvancedDialog): calling fwb_pix to generate protocol inspection commands.
	Need to implement saving into a buffer in FWObjectDatabase to make this work.

2006-04-19  ilya

	* FWWindow.cpp (singleInstall): batch compile and install operations are possible when user selects several firewalls in the tree and uses context menu items "Compile" and "install". Selected firewalls are automatically checked in the batch install dialog.

	* FirewallDialog.cpp (loadFWObject): support for attribute "inactive" in Firewall. Inactive firewalls are not picked for batch compile and install operations.

2006-04-10  vadim

	* NATCompiler_ipf.cpp (processNext), ipfAdvancedDialog.cpp (ipfAdvancedDialog): Added support for PPTP and IRC proxies for ipfilter

2006-04-07  ilya

	* instDialog.cpp (selected): implemented batch compile and batch install modes. Requires some work to polish the UI but basic functionality works

2006-03-26  vadim

	* OSConfigurator_linux24.cpp (generateCodeForProtocolHandlers): fixed bug #1364060: "conntrack modules not found". The name of the 'conntrack' module in Linux 2.6 is 'ip_conntrack.ko' and 'ipt_conntrack.ko'. Changed shell pattern to match new modules as well as old ones.

	* linux24.xml.in: made "chmod +x" part of the sequence that copies firewall script to make sure the script is executable. This fixed bug #1455748: "make firewall script executable"

	* main.cpp (main): it appears some older versions of Qt have a bug referred to in the following article: http://lists.trolltech.com/qt-interest/2004-10/thread00024-0.html This bug causes '\0' to be appended to strings passed to/from QProcess if they are converted to/from utf-8. Added workaround in the ssh wrapper code to skip zeros. In combination with converting config file strings from/to utf-8 this fixes bug #1455772: "Problem with UTF8 Descriptions in FW Objects"

	* instDialog.cpp (initiateCopy): need to convert strings of the config file from utf-8 in order to be able to use methods of QString to process them.
	Strings are converted back to utf-8 right before they are sent to the background ssh process to be copied to the firewall in SSHSession::sendLine()

2006-03-22  vadim

	* PolicyCompiler_ipt.cpp (prolog): switched from Compiler::objcache to object index in FWObjectDatabase. Replaced calls to Compiler::getCachedObject with calls to FWReference::getPointer() everywhere

2006-03-20  vadim

	* ipf.cpp, ipt.cpp, pf.cpp, ipfw.cpp (main): added call to Preprocessor::compile() to convert DNSName and AddressTable objects before rule processing starts

2006-03-18  vadim

	* OSConfigurator_solaris.cpp (printPathForAllTools): fixed bug #1393004: "Solaris does not have "egrep -q". Since egrep shipped with Solaris does not have option '-q', using '-s'

	* ipf.cpp (main): fixed bug #1386226: "generated -nat.conf is not removed when nat rules removed.". Old fw-nat.conf was left in place when user deleted all NAT rules (the new one was not created either). Now compiler deletes *-ipf.conf and *-nat.conf files before creating new ones, also installer gets correct list of files to read.

	* PolicyCompiler_PrintRule.cpp (PolicyRuleToString): fixed bug #1375432: "fwb_ipt with twice -m state". Compiler used to generate options "-m state --state XYZ" twice in a situation when administrator uses custom service that already includes this code and rule is not stateless.

2006-03-15  ilya

	* ObjectManipulator.cpp (findFirewallsForObject): Using method findWhereUsed to find firewalls that require compile/install after an object is modified.

2006-03-15  vadim

	* ObjectManipulator.cpp (_findWhereUsed): generic recursive method that finds all groups and rules that use an object.

2006-03-10  ilya

	* ObjectManipulator.cpp (contextMenu): added temporary pop-up menu item 'simulate Install' for testing.

	* ObjectManipulator.cpp (__Is_Object_Ref_In_Firewall): added support for detection of firewall objects that require compile and install after any object in the tree is modified.
	The code keeps track of changes made to firewall's policy rules, as well as changes in all objects in the tree. After the user applies changes in an object editor, the program inspects every firewall trying to determine if the object is used in one of its rules. When one or more firewalls using this object are found, corresponding items in the tree are highlighted. Indirect usage, such as if the object is a member of a group that is used in a rule, is also detected. Multi-level group membership is detected too.

2006-03-07  vadim

	* All compilers: compiler prints only one 'success' message at the end of processing instead of after each section (policy, NAT etc). This makes it easier to keep track of its progress and is less confusing if it runs in a silent mode and takes a long time to process one section. Before, when it printed "Rules compiled successfully" after each section, the user could interpret this message as if compiler was done, while in fact it was still working on the next section

2006-03-06  vadim

	* PolicyCompiler_ipt.cpp (removeFW): restored rule processor that removes firewall object from src or dst to simplify rule if it uses OUTPUT or INPUT chain. Doing this only if original rule did not have negation and we do not add any virtual addresses for NAT. After removal the rule collapses to a simple command like this:

	  iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

	This works fine except if we have added virtual addresses for NAT. It is assumed that firewall object in rules represents combination of addresses configured in its interfaces in the GUI. Virtual addresses added for NAT are considered to be a side effect and connections should not be implicitly permitted to them by a rule with fw object in destination. The same applies to fw object in source. See bug #685947 for discussion. To avoid inadvertently opening holes in the firewall by a rule like that, we remove fw object only when it is safe to do so.
2006-03-05  vadim

	* PolicyCompiler_ipt.cpp (decideOnChainForClassify): setting chain to POSTROUTING for rules with action Classify. Also added checks for this action in all rule processors that split rules in order to assign them to INPUT/OUTPUT/FORWARD chains later because this is not needed for this action (since only one chain is allowed anyway)

	* PolicyCompiler_PrintRule.cpp (_printDstService): added checks for iptables version "1.3.0"

	* PolicyCompiler_PrintRule.cpp (_printDirectionAndInterface): added support for physdev module for bridging firewalls. This module is used if interface a rule is associated with is marked as bridge port and iptables version is set to 1.3.0 or later in the firewall settings. Feature Request #1000757: "bridging: using physdev"

	* All compilers: by default treating bridge port interfaces the same as unnumbered interfaces, unless target firewall platform provides special support for bridge ports, such as module 'physdev' in iptables

	* InterfaceDialog.cpp (loadFWObject): added support for bridge port interface

2006-03-04  vadim

	* fwbedit.cpp (main), fwblookup.cpp (main): using global variable instead of singleton FWObjectDatabase::db. FWObjectDatabase::db is not used in fwbuilder2 anywhere and can be eliminated.

	* FWObjectClipboard.cpp (add): must create new objects using current instance of FWObjectDatabase because it maintains internal object index. Replacing FWObjectDatabase::db with mw->db() to accomplish that

	* getting rid of singleton FWObjectDatabase::db in the GUI - replacing it everywhere with mw->db()

2006-02-28  Vadim

	* FWObjectPropertiesFactory.cpp (getObjectProperties): printing firewall's lastModified, lastCompiled and lastInstalled timestamps in the info window and in tooltips

2006-02-26  ilya

	* ObjectManipulator.cpp (updateLastModifiedTimestamp): added methods to keep timestamps for the moments when a Firewall has been modified, compiled and installed.
	Using these timestamps to provide visual indication for when a firewall needs to be installed using bold font for its name in the tree view. Will use the same mechanism to automatically suggest which firewalls to install when user hits "Install" menu item or toolbar button. Still need to implement object modification tracking to properly detect which firewall needs to be marked when an object is modified (an object can be used in a firewall rule directly or indirectly if it is a member of a group)

2006-02-19  vadim

	* FWWindow.cpp (reopenFirewall): the GUI shows "Routing" tab only if the corresponding policy compiler for a given host OS supports it. Using element in the res/os/OS.xml resource file.

	* FirewallDialog.cpp (fillVersion): fixed a bug where firewall versions would appear in a mixed order in the 'version' pull-down in firewall object dialog

2006-02-18  vadim

	* Added support for load balancing rules in PF

	* Added support for address ranges and network objects in TSrc in NAT rules for PF

	* Added support for pool types in NAT rules for PF ('bitmask', 'random', 'source-hash', 'round-robin') as well as 'static-port' option

	* PolicyCompiler_ipf_writers.cpp (_printAction): basic support for Custom action for ipfilter. Lack of examples for actions 'auth' and 'call' in ipfilter documentation or anywhere on the web makes it hard to implement right.

	* PolicyCompiler_ipfw_writers.cpp (_printAction): Added support for policy rule action Custom for ipfw

	* PolicyCompiler_ipfw_writers.cpp (_printAction): Fwbuilder policy rule action 'Classify' is mapped to ipfw actions 'pipe' or 'queue'.
	Fwbuilder policy rule action 'Pipe' is mapped to ipfw action 'divert'

2006-02-17  ilya

	* execDialog.cpp (saveLog): Added a button and function to save compile or install progress log to a file with extension .txt

	* killed startup wizard; the GUI starts according to the setting on the first page of the Preferences dialog - it can either start up showing just standard objects library or automatically open file the user was editing last time the GUI was used.

	* object created using "Duplicate" menu item is automatically activated and opened in the editor

2006-02-15  vadim

	* PolicyCompiler_pf_writers.cpp (_printQueue): implemented support for action 'Classify' in compiler for PF, mapped to a filtering rule option 'queue _queue_name_'

	* PolicyCompiler_PrintRule.cpp (PrintRule): implemented support for actions 'Classify' and 'Custom' in compiler for iptables. Action 'Classify' is mapped to '-j CLASSIFY --set-class M:N'; action 'Custom' is used verbatim

2006-02-15  ilya

	* version 2.1.5

	* Added new Actions 'Classify' and 'Custom'.

	* Added new dialog NATRuleOptionsDialog.

	* RuleSetView: In NATView inserted new column "Options" for viewing of Nat Rule Options.

2006-02-11  ilya

	* DiscoveryDruid.cpp (checkSNMPCommunity): unified method to check validity of the host name/ip address for dns name server used for zone transfer and seed host used for snmp crawler

2006-02-09  vadim

	* PolicyCompiler_pf_writers.cpp (_printDstService): added support for the TagService object (using 'tagged')

	* PolicyCompiler_PrintRule.cpp (_printDstService): added support for the TagService service object (using --mark)

2006-02-09  ilya

	* DiscoveryDruid.cpp (DiscoveryDruid): improvements in the implementation of the address and name validity for snmp crawler seed host and dns server for dns zone import.
	Implemented support for IP aliases in snmp crawler

2006-02-05  ilya

	* DiscoveryDruid.cpp (save): saving/restoring parameters of the DiscoveryDruid between sessions

2006-01-27  ilya

	* DiscoveryDruid.cpp (changedSelected): proper implementation of long/short name generation for dns zone import; proper checks for correctness of the seed host address for snmp crawler; showing number of interfaces in discovered hosts on the results page

2006-01-21  vadim

	* gui.pro (IMAGES): grand icons clean-up and update. Removed old unused icons and images, added new icon theme by Irina Filvarova

2006-01-20  ilya

	* DiscoveryDruid.cpp (changedSelected): working version of discovery druid. Got rid of all calls to setModal, hence workarounds defined in qt_workarounds.h are not needed anymore

2006-01-16  vadim

	* DiscoveryDruid.cpp (stripObjects): minor formatting cleanup in DiscoveryDruid; fixed typos in DiscoveryDruid ('wasCanceled' -> 'wasCancelled'); refactored #includes to improve compilation speed in DiscoveryDruid

	* DiscoveryDruid.cpp: had to move '#include "DiscoveryDruid.h"' below all qt #include's to make code compile on windows.
	When this #include was above qt includes, compiler would stop with an error:

	------------------------------------------------------------
	C:\Qt\3.3.1\include\qlistbox.h(139) : warning C4003: not enough actual parameters for macro 'index'
	C:\Qt\3.3.1\include\qlistbox.h(139) : error C2059: syntax error : ')'
	C:\Qt\3.3.1\include\qlistbox.h(139) : error C2143: syntax error : missing ')' before ';'
	------------------------------------------------------------

	I haven't figured out where the 'index' macro comes from

	* discoverydruid_q.ui.h: added workarounds for missing QDialog::setModal in QT 3.1

	* FWWindow.cpp (doCompile): since we now package platform and os resource files with externally packaged compilers, we do not need to use "-r" flag while calling compilers anymore

2006-01-10  ilya

	* DiscoveryDruid.cpp (startHostsScan): implemented object import from a file in "/etc/hosts" format. This includes druid page where user selects objects from the list, a page where they can assign object type for each record and a page where they choose a library new objects should be part of

2006-01-07  vadim

	* PolicyCompiler_ipfw_writers.cpp (_printAction): support for action Pipe in ipfw. This action can be implemented using "divert", "pipe" or "queue" rule actions in ipfw; the method is chosen using rule action parameters dialog in the GUI.

	* ActionsDialog.cpp (setRule): support for action Pipe for ipfw in the GUI.

	* PolicyCompiler_pf_writers.cpp (_printAction): added support for Tag action for PF

2006-01-03  vadim

	* ipt.cpp (main): implemented checks for the situation when compiler produces an empty script. In such cases we avoid printing any header or commit commands (such as '*mangle' and 'COMMIT' if iptables-restore format is used)

	* PolicyCompiler_ipt.cpp (processNext): implemented support for QUEUE target in compiler for iptables.
	Commands with this target are generated for fwbuilder rules with action "Pipe"

	* MangleTableCompiler_ipt.h: Implemented support for MARK target for iptables. Iptables commands with target MARK are generated for fwbuilder rules using action "Tag". Rules are placed in INPUT, OUTPUT and FORWARD chains of the "mangle" table, this ensures that DNAT happens before rules placed in the mangle table see the packet. PREROUTING chain in mangle table is executed before PREROUTING chain in the nat table, so placing tagging rules in the PREROUTING chain would make them fire before DNAT. POSTROUTING chain of the mangle table, as well as its FORWARD and OUTPUT chains, work before corresponding chains of the nat table. In all cases the goal is to make sure DNAT rules process the packet before, and SNAT rules process it after filtering and tagging rules.

	* AddressTableDialog.cpp (preview): AddressTable dialog "preview" function looks for the table file in the same directory as currently opened data file if file name is entered as relative path

2005-12-16  ilya

	* FWObjectPropertiesFactory.cpp: For objects of type 'interface' a path to library is included in "detailed properties".

	* FWWindow.cpp: Added new menu "/tools/Discovery Druid"

	* DiscoveryDruid.cpp: Created basic gui for Discovery druid

2005-12-16  ilya

	* SimpleTextView.cpp: new custom text viewer.

	* AddressTableDialog.cpp: file preview uses SimpleTextView.

	* newfirewalldialog_q.ui: Dialog size fixed (now all internal widgets are visible)

	* fwbedit.cpp: fixed run with unknown options. Added a new option: -u - interactive file upgrade

2005-12-14  ilya

	* Added detailed tooltips for rule options for all fw platforms

	* Redrawing policy view if user changes firewall version; this ensures that icon that indicates non-default rule options is correctly updated in case different versions of the same fw platform support different combinations of rule options.

	* Redesigned page of the new host dialog where user adds interfaces manually.
	Before, buttons "add", "Update", "remove" were hidden because dialog was too small.

2005-12-13  vadim

	* po.pro: Added Swedish translation made by Daniel Nylander

2005-12-13  ilya

	* RuleSetView.cpp (maybeTip): added tooltips for rule elements Action and Options

2005-12-02  vadim

	* NATCompiler_ipf.cpp (processNext): Run-time AddressTable objects are not supported in ipfilter; added a placeholder for corresponding rule processors, aborting compilation when such object is detected in a rule

	* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug #1361564: "Prolog script env settings unavailable". Need to define env variables IPTABLES, LSMOD etc before prolog.
	(OSConfigurator_linux24::printChecksForRunTimeAddressTables): compiler for iptables inserts shell code to ensure that data files used in run-time AddressTable objects are present before firewall policy is activated.

	* PolicyCompiler_PrintRule.cpp (processNext): implemented run-time mode for AddressTable object in compiler for iptables. Current implementation *does not* emulate dynamic table reloads as can be done for PF using "pfctl -t table -Treplace" command. The whole policy script must be run again if the data file the AddressTable object refers to changes. Current implementation does not allow comments in the data file

2005-12-01  ilya

	* version 2.1.4

	* new object type TagService. Actions 'Mark' and 'Queue' renamed as 'Tag' and 'Pipe' respectively.

	* fwbedit.cpp: fixing of absent 'TagServices' group added.

	* ActionsDialog.cpp: new actions control dialog

	* RuleSetView.cpp: changed actions context menu to use new parameters dialog (support of actions with parameters).

2005-11-24  vadim

	* PolicyCompiler_pf.cpp (processNext): added support for run-time AddressTable objects for PF.
	* PolicyCompiler_pf (PrintRule::_printAddr)

	* TableFactory.cpp (TableFactory::PrintTables): support for DNSName run-time mode in compiler for pf, ipfw and ipf

	* PolicyCompiler_PrintRule.cpp (_printAddr): support for DNSName run-time mode in compiler for iptables

2005-11-23  Vadim

	* AddressTable object dialog

2005-11-22  vadim

	* TableFactory.cpp (createTablesForRE): class TableFactory reuses existing tables separately for NAT and policy rules. Reuse of tables created for NAT in the policy rules is difficult because tables themselves are created in the temporary copy of the tree in the NAT compiler (the same applies to the objects - members of the tables)

2005-11-21  vadim

	* NATCompiler_pf_writers.cpp (_printAddr): Improvement in the compiler for PF: using '!' syntax for one-object negations

	* NATCompiler_pf.cpp (CeateTables): Improvement in the compiler for PF: Using tables for NAT rules

	* TableFactory.cpp (createTablesForRE): using the same class to generate tables for both policy and NAT rules for pf. Table names are composed using rule positions so that table names do not change between compiler runs (they used to change because they were created using rule IDs, which changed because compiler generated lots of copies of rules)

2005-11-14  Vadim

	* version 2.1.3
	new object type DNSName
	using this method in Compiler::prolog to resolve DNSName objects that are supposed to be resolved at compile-time
	Redesigned RuleOptionsDialog to make room for new options
	Added actions MARK and QUEUE with basic support in API and GUI
	Added new object type AddressTable

2005-11-05  vadim

	* iptAdvancedDialog.cpp (iptAdvancedDialog): fixed bug #1349326 "ulogd option does not work". There was a typo in the class iptAdvancedDialog ( useULOG instead of use_ULOG ) *** Ported from 2.0.10 ***

2005-11-01  vadim

	* NATCompiler_ipt.cpp (processNext): fixed bug #1342495: "SNAT with address range".
	Compiler used to print warning "Adding virtual addresses for NAT is not supported for address range" even if adding virtual addresses for NAT was turned off. *** Ported from 2.0.10 ***

2005-10-26  vadim

	* PolicyCompiler_ipt.cpp (processNext): fixed bug #1313420: "OUTPUT chain is built wrong under certain conditions." Rules that have firewall in SRC and DST, while DST has negation, should be split so that the second generated rule goes into OUTPUT chain rather than FORWARD *** Ported from 2.0.10 ***

2005-10-24  vadim

	* FirewallDialog.cpp (openFWDialog): fixed bug #1315892: "fwbuilder crashes on missing OS template". The GUI crashed if user added new hostOS or firewall platform template under resources/os or resources/platforms, then reinstalled the package (and therefore lost their custom template files), then tried to open firewall or host OS settings dialog for the object using new template. *** Ported from 2.0.10 ***

	* RuleOptionsDialog.cpp (loadFWObject): fixed bug #1305933: "fwbuilder/Solaris: compilation errors". Another case of implicit type conversion QString->string which does not compile on systems with QT built w/o STL support. *** Ported from 2.0.10 ***

	* main.cpp: fixed bug #1304878: fwbuilder: signal.h required (Solaris). Using 'AC_CHECK_HEADERS([signal.h])' in configure.in to check for the appropriate #include. *** Ported from 2.0.10 ***

	* configure.in: fixed bug #1304764: "configure script: Sun make check fails". Need to use ${MAKE-make} instead of $ac_make when checking for GNU make. *** Ported from 2.0.10 ***

	* fixed bug #1304785: "fwbuilder - Solaris has no libutil". Using better way to check whether we need to link with libutil. *** Ported from 2.0.10 ***

2005-10-22  vadim

	* VERSION: set version to 2.0.10 in branch fwb2-2.0-maint

2005-09-29  Vadim

	* PolicyCompiler_ipt.cpp (InterfacePolicyRulesWithOptimization): new rule processor: checks if the rule is associated with an interface and uses setInterfaceId to record its id.
	If the rule is associated with multiple interfaces, splits the rule accordingly. Unlike basic processor PolicyCompiler::InterfacePolicyrules, this processor tries to optimize rules applied to multiple interfaces using user-defined chain

	***** Policy compilers support multiple interfaces and negation in "Interface" rule element

2005-09-28  Vadim

	* RuleSetView.cpp (paintCell): merged interface policies with global policy. Keeping most of the code that implements interface policy tabs just in case.

	* set version to 2.1.2

2005-09-26  Vadim

	* RoutingRuleOptionsDialog.cpp (loadFWObject): Added support for routing rules. Using "fwbuilder-routing" patch provided by Tidei Maurizio

	* set version to 2.1.1

	* ObjectManipulator.cpp (createObject), (newDNSName), newHostDialog.cpp (accept): added checks for broken object tree

2005-09-20

	* DNSNameDialog.cpp (loadFWObject): new object type: DNSName (Illiya)

2005-09-17

	* 2.0.9 release in branch fwb2-2.0-maint

2005-09-12

	* fwsm.xml.in: Added support for Cisco FWSM (platform and host OS)

	* pixAdvancedDialog.cpp (pixAdvancedDialog): Added support for manual ACL commit in FWSM

2005-09-11

	* SSHPIX.cpp (SSHPIX): enable_prompt should include string "Access Rules Download Complete" which is _sometimes_ printed by FWSM when in auto-commit mode.

2005-09-07

	* ObjectManipulator.cpp (lockObject): Added ability to lock/unlock individual objects in the tree (Illiya)

	* GroupObjectDialog.cpp (listViewSelectionChanged): Illiya implemented Feature Req #1151208: "Allow multiple objects select to make an action (Group)"

2005-09-07

	* SSHSession.cpp (cmpPrompt): overloaded method SSHSession::cmpPrompt to be able to specify prompt as a regular expression. This variant is very convenient for PIX prompts.

2005-09-05

	* fixed bug #1254775: "RCS checkin fails on Windows when data file is too big". RCS tools failed to check the file in if it consisted of one huge line of text.
This fix makes th GUI save data file (.fwb) in formatted form on Windows, just like on Linux. This means each XML element is saved on separate line instead of all of them being on the same line. 2005-09-04 * NATCompiler_pf.cpp (processNext): fixed bug #1276083: "Destination NAT rules". Old restriction on "rdr" rules that required service in OSrv is not valid anymore, pf supports rdr rules with no protocol specification. (ported from 2.0.9) 2005-09-04 Vadim Kurland * FWWindow.cpp (fileCommit): properly handling situation when user hits Cancel in check-in log dialog (should abort File/Commit operation entirely) * main.cpp (main): added a workaround to make the GUI work in Spanish locale (QT 3.3.4 ships with broken qt_es.qm file at least on Fedora-C4 and Mac OS X) 2005-08-31 * SSHUnx.cpp (stateMachine): fixed bug #1277129: "script is truncated when installed by the GUI running on Mac". Large script was getting truncated while copied to the firewall if GUI was running on Mac OS X (bugfix ported from 2.0.9) 2005-08-17 * fwbedit.cpp (usage): Finished implementation of RFE #1211612 "fwbedit - add object?". Using "-p","-L","n" and "-o" command line switches to specify parent, library, name and attributes of an object 2005-08-04 * fwbedit.cpp (main): Illiya is working on RFE #1211612: "fwbedit - add object?" and #1114501: "Data file repair". Fwbedit can now add objects as well as repair tree structure. Still needs some more work. 2005-07-31 * LINGUAS: Added Spanish translation, thanks to Carlos Lozano 2005-07-30 * Started v2.1.0 2005-07-30 * FWWindow.cpp (fileCommit): Illya implemented Feature Request #1187461 "Add "commit" menu item". This menu item commits opened data file to RCS but keeps it opened so the user can continue editing. 
2005-07-29 * FWWindowPrint.cpp (addObjectsToTable): Illiya implemented Feature Request #1225393 "FeatureRequest Print comments on objects" 2005-07-23 * RuleSetView.cpp (dragMoveEvent): Illiya fixed bug #1226069: "Segfault: Drag&Drop between two instances" 2005-07-21 * platforms.cpp (getLogFacilities): Illiya moved definitions of log levels, log facilities and actions on reject to module platforms.cpp. Methods getLogLevel, getLogFacilities and getActionsOnReject return string lists suitable for using with DialogData to provide mapping between localized and english strings so that the user sees translated ones but enlish ones are written into FWOptions object and used by compilers. This fixes bugs #1240205: "Iilegal --log-level Information" and #1233165: "Illegal Logging-Limit string.". 2005-07-08 v2.0.8 released 2005-07-05 * SSHSession.cpp (allDataSent): calling allDataSent from heartBeat slot method because on windows signal 'wroteToStdin' is emitted before I had a chance to connect it to a slot in SSHUnx::stateMachine in state PUSHING_CONFIG after entire file has been transmitted. I used to send an extra '\n' to force signal 'wroteToStdin', but that made the file to be sligltly different on the receiving end and I do not like that. * RuleSetView.cpp (dragMoveEvent): not really a change: bug 1226069 "Segfault: Drag&Drop between two instances" requires redesign of the drag&drop mechanism so that live pointer to FWObject is not passed between sender and receiver. 2005-07-04 * SSHSession.cpp (startSession): fixed bug #1232478: "FWB shuts down on incorrect password". Bug was intorduced in build 624 while working on installer stalls and undescriptive ssh termination error when OpenSSH 4.0 was used. 2005-07-02 Vadim Kurland * main.cpp (main): ignore SIGHUP in the child process in ssh wrapper. Closing stdin at the end of the file copy sends SIGHUP to the child. 
By some reason, this caused ssh to terminate with error message "killed by signal 1" and return code 255 on Fedora C4 which uses OpenSSH v4.0p1 2005-07-02 * main.cpp (tty_raw): switched from TCSAFLUSH to TCSANOW in call to tcsetattr when we switch tty to raw mode in ssh wrapper code. This should fix mysterious stalls in the installer that were introduced when I worked on the wrapper code to fix bug #1213361 (problems with file copies on FreeBSD 5.4) * instDialog.cpp (initiateCopy): added missing "-v" option to ssh call used to copy policy script to the firewall if "verbose" checkbox is checked. This should help troubleshoot problems with installer when ssh fails and terminates with an error. 2005-06-25 * configure.in: need to call macro AC_PROG_MAKE_SET before using $ac_make to check for GNU make * configure.in: added check for cfmakeraw (which is absent on Solaris) * configure.in: make script continue if forkpty is not found, the program will use emulation. 2005-06-13 * FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed): sorting list of objects for tooltips. Sorting is done by object name, alphabetically. TODO: use locale-aware sort and ignore case of the letters. 2005-06-12 * main.cpp (main): need to switch the pipe and stdin in the child process to raw mode in order to ensure proper communication when fwbuilder works in ssh wrapper mode. This (really) fixes bug #1213361 * configure.in: Added path to QT where it is installed on 64-bit systems to the list configure tries while searching for QT 2005-06-11 * PolicyCompiler_ipt.cpp (processNext): fixed bug #1215279: "rate limiting rule logs everything". Rule utlilizing "limit" module to rate limit packets with logging logged every packet and dropped those that exceeded the limit. The fix makes it apply the limit first and then log only packets that were dropped. * main.cpp (forkpty): fixed bug #1072842: "fwbuilder: Solaris and forkpty". 
We need forkpty fr built-in installer but this function is not awailable on Solaris. I am adding re-implementation, but it hasn't been tested since I do not have Solaris machine. * FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed): fixed bug #1212179: "tool tips for TCP services cuts off some services". The gui would show very long tooltip for large groups; if the group was too large, the tooltip did not fit on the screen. * main.cpp (main): fixed bug #1213361: "PF on FreeBSD-5.4R". Bug description is misleading, the probem was caused by built-in installer rather than by compiler for PF. Installer would not copy generated script over ssh if the script was longer than some threshold and the gui was running on FreeBSD. 2005-06-05 * linux24.xml.in: fixed bug #1212121: "sudo shutdown doesn't work". Installer needs to schedule reboot when the user activates policy in a test mode. There was a bug in the installer script that improperly used sudo to run shutdown when installation was performed using regular user account. * linux24.xml.in: fixed bug #1212123: "executing file below /tmp as root". Avoiding world-writable directory /tmp/ while activating policy in the test mode. This change makes installer use subdirectory "tmp" under directory specified in the "intaller" tab of firewall settings dialog. That directory is expected to have proper permissions; subdirectory "tmp" can be created manually, otherwise installer creates it. Either way, it is not world-writable, therefore unauthorized users can not create scripts in it. * freebsd.xml.in: Using pkill to find running shutdown process and kill it to cancel pending reboot. Pkill simplifies the scriptlet so we don't need to deal with output redirection etc. Pkill is available on FreeBSD, Linux, OpenBSD and Solaris. * linux24.xml.in: another fix for a bug #1201406: "shutdown messages should be suppressed". 
Scriptlet has been modified to make sure it works in both sh and csh (user who installs the policy may have tcsh as their login shell, root may use tcsh too) 2005-05-30 * src/res/os/*.xml.in: fixed bug #1201406: "shutdown messages should be suppressed". Installation scriptlet tries to kill shutdown process, if there is one, to cancel pending shutdown that might have been left over from test install. If there is none, the script prints an error message "shutdown process not found" or similar, which confuses user. Needed to suppress these error messages. * fixed bug #1155351: "Remote install of FW rulset fails due to race condition". Generated ipfw firewall script could not be ran reliably over ssh session because "ipfw -f" flushes all rules and all state, which breaks ssh session. As soon as the script needed to print anything, it got I/O error from the system because TCP session for ssh was blocked; this stopped the script and did not let it activate new firewall policy. * PolicyCompiler_ipfw_writers.cpp (processNext): improvemet in the compiler for ipfw: added "established" rule on top of the regular backup ssh access rule; this allows to maintain management ssh session after the policy is reloaded. both "ipfw -f" and swapping sets flushes all states, so the ssh session used to upload and activate new policy breaks. A rule with "established" keyword maintains this session. * PolicyCompiler_ipfw_writers.cpp (processNext): improvement in the compiler for ipfw: using rule sets to atomically swap old and new rules. New rules are loaded in the set 1 and then swapped into set 0. If there is an error in a new rule set, it is caught while loading rules into inactive set 1, at which point script stops without changing old firewall rules. * PolicyCompiler_pf.cpp (addDefaultPolicyRule): implemented support for subnets for backup ssh access for pf,ipf,ipfw. 
Subnet can be defined using either full netmask or bitlength: both "192.168.1.0/255.255.255.0" and "192.168.1.0/24" are acceptable. Single host address works too, both as "192.168.1.10" and as "192.168.1.10/255.255.255.255" or "192.168.1.10/32". Incorrect address or netmask cause compiler to abort processing. 2005-05-28 * GroupDialog: fixed bug #1207983: "incorrect size of "I" and "L" buttons in the group view dialog". Tested with large font and cleaned up layout in many dialogs. * HostDialog.cpp (loadFWObject): removed 'snmp community' option from the Host object dialog - it was not used anywhere * ipt.cpp (main): fixed bug #1205665: "Error with summer time when compiling script". Sometimes timezone name has "'" in it which confuses shell and causes an error when generated script prints "Activating firewall policy..." log message * RCS.cpp (RCSEnvFix): fixed bug #1204067: "incorrect timezone handling in RCS". Windows version of RCS incorrectly converts check-in time when time zone is east of GMT. Had to use "-z" option on all RCS commands to explicitly set offset; "-zLT" produces wrong results in rlog. * fwb_compile_all (LIB): fixed bug #1200902: "fwb_compile_all does not work in 2.0". Script fwb_compile_all broke because of changes in data file format * PolicyCompiler_PrintRule.cpp (_printTimeInterval): fixed bug #191423: "Weekend Time restriction not created correctly". Rules with time restriction spanning from Saturday to Sunday were generated with incorrect "--day" option * objects_init.xml.in: fixed bug #210518: 'Incorrect ending day in the standard object "weekends"'. This object defined time interval ending at 23:59 on Monday instead of Sunday * implemented Feature Request #1145666: "Print RCS Log". File/Properties dialog can now print RCS log. Thanks to "Ilya V. Yalovoy" for the patch. 
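The backup ssh access address syntax from the 2005-05-30 entry for PolicyCompiler_pf.cpp (addDefaultPolicyRule) above, as an added Python parser; this is not fwbuilder code, and the function names, the strict rejection of host bits set under the mask, and the pf rule text it renders are this example's own assumptions.

```python
"""Parse the backup ssh access address/netmask spec (added example, not
fwbuilder code).  Accepted forms, as the ChangeLog entry lists them:
"192.168.1.0/255.255.255.0", "192.168.1.0/24", "192.168.1.10",
"192.168.1.10/255.255.255.255", "192.168.1.10/32".  Anything else raises
BackupSshSubnetError, mirroring the compiler abort on a bad address/netmask.
"""
import ipaddress


class BackupSshSubnetError(ValueError):
    """Invalid address or netmask: abort rather than guess what was meant."""


def _prefix_from_netmask(mask_text: str) -> int:
    """Convert a dotted netmask to a prefix length, rejecting non-contiguous masks."""
    try:
        mask = int(ipaddress.IPv4Address(mask_text))
    except ipaddress.AddressValueError as exc:
        raise BackupSshSubnetError(f"bad netmask {mask_text!r}: {exc}") from None
    # A valid netmask is a run of 1-bits followed by 0-bits, so the inverted
    # mask plus one must be a power of two (255.255.0.255 fails this test).
    inverted = ~mask & 0xFFFFFFFF
    if (inverted + 1) & inverted:
        raise BackupSshSubnetError(f"non-contiguous netmask {mask_text!r}")
    return bin(mask).count("1")


def parse_backup_ssh_subnet(spec: str) -> ipaddress.IPv4Network:
    """Return the network the backup ssh access rule should match."""
    spec = spec.strip()
    if not spec:
        raise BackupSshSubnetError("empty backup ssh access address")
    addr_text, slash, mask_text = spec.partition("/")
    try:
        addr = ipaddress.IPv4Address(addr_text)
    except ipaddress.AddressValueError as exc:
        raise BackupSshSubnetError(f"bad address {addr_text!r}: {exc}") from None

    if not slash:
        prefix = 32                      # bare address means a single host
    elif mask_text.isdigit():
        prefix = int(mask_text)          # bit length form, e.g. /24
        if prefix > 32:
            raise BackupSshSubnetError(f"prefix length {prefix} exceeds 32")
    else:
        prefix = _prefix_from_netmask(mask_text)

    try:
        # strict=True: host bits set under the mask ("192.168.1.10/24") are
        # treated as a typo instead of being silently widened to the whole
        # subnet.  This strictness is this example's choice (assumption), not
        # documented fwbuilder behaviour.
        return ipaddress.IPv4Network((int(addr), prefix), strict=True)
    except ValueError as exc:
        raise BackupSshSubnetError(f"{spec!r}: {exc}") from None


def is_valid_backup_ssh_subnet(spec: str) -> bool:
    """Convenience predicate: True if the compiler would accept this spec."""
    try:
        parse_backup_ssh_subnet(spec)
        return True
    except BackupSshSubnetError:
        return False


def backup_ssh_pf_rule(spec: str, ssh_port: int = 22) -> str:
    """Render a pf rule for the parsed subnet (hypothetical rule text; the real
    compiler's output is not shown in the ChangeLog)."""
    net = parse_backup_ssh_subnet(spec)
    src = str(net.network_address) if net.prefixlen == 32 else str(net)
    return f"pass in quick proto tcp from {src} to self port {ssh_port} keep state"


if __name__ == "__main__":
    for s in ("192.168.1.0/255.255.255.0", "192.168.1.10", "192.168.1.10/32",
              "192.168.1.0/255.255.0.255", "192.168.1.10/24"):
        try:
            print(f"{s:30} -> {backup_ssh_pf_rule(s)}")
        except BackupSshSubnetError as e:
            print(f"{s:30} -> ABORT: {e}")
```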
2005-05-23

        * added updated German translation by Hans Peter Dittler

2005-05-20

        * set version to 2.0.8

2005-05-08

        * v2.0.7 released

2005-05-04

        * OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug #1195201: "getaddr function return error ip address". Yet another change in the way we use grep to find IP addresses of an interface on Linux. We can't use regex (bug #1123748) and need to filter out secondary addresses from the "ip addr show" output. It looks like "grep -v :" neatly solves the problem without using regex.

2005-05-02

        * snmp.cpp: API change: Compiled all OIDs. The program may run on a system where MIBs are not installed, so we can not always use symbolic OID names. Also using snmp_out_toggle_options to turn on numeric output in all responses (equivalent to -On in snmp tools)

2005-05-01

        * snmp.cpp (walk): API changes: verbose error message, printing response->errstat code as well as corresponding error string; this should help debug snmp-related problems better

        * snmp.cpp (walk): API changes: using snmp_error to print last snmp error string

2005-04-27

        * implemented support for SNMP operations in Windows packages

        * qmake.inc files overhaul

2005-04-26

        * newFirewallDialog.cpp (getInterfacesViaSNMP): switched to using QT class DNS to get host/firewall name in new HostDialog and newFirewallDialog classes. This seems to work better on Windows. Also added more locks to prevent reentering getInterfacesViaSNMP if user clicks the button multiple times in quick succession

2005-04-23

        * newFirewallDialog.cpp (accept): fixed bug #1187248: using "find" for an address "192.168.10*" several times after a firewall object has been created using templates caused GUI to crash

2005-04-17

        * findDialog.cpp (matchAttr): implemented feature request #1151206: "Search for IP Addresses". "Find" dialog searches for objects by a combination of name and one of the following attributes: address, tcp/udp port, ip protocol number or icmp message type. Regular expressions can be used for both name and attribute.

        * ObjectTreeView.cpp (getSimplifiedSelection): fixed bug #1151212: "Collapsed sub-objects shouldn't be added if they are hidden". When user selects multiple objects in the tree some of which have child objects, those child objects used to be also selected and added to groups in addition to their parent objects via drag-and-drop operation.

        * GroupObjectDialog.cpp (pasteObj): fixed bug #1184791: "can not copy/paste multiple objects into a group"

        * FWWindow.cpp (doCompile): implemented feature req. #1151220: "Close" button should change its caption/title to "Install". When user clicks "Install" toolbar button or main menu item, the "Close" button in the pop-up window that displays compiler progress changes its text caption to "Install"

2005-04-13

        * PolicyCompiler_ipt.cpp (addPredefinedPolicyRules): fixed bug #1181359: "Missing traling space in "INVALID state" syslog message"

2005-04-10

        * instDialog.cpp (continueRun): Improvement in built-in installer: user can specify additional command line parameters for ssh that built-in installer runs to access firewall. This allows for alternative ssh port or alternative ssh identity to be used when accessing firewall. Parameters can be added in the "Installer" tab of firewall settings dialog for all platforms.

2005-04-09

        * ipt.cpp (main): fixed bug #1179103: 'compiled rules can not be install'. Generated iptables script could not be used on systems with non-English locale where timezone name used local characters because these characters were printed as hex ( "台" ) and '&' caused problems with shell. Now using single quotes to make shell ignore any characters in the string. Will deal with proper printing of localized timezone later.

2005-04-07

        * OSConfigurator_freebsd.cpp (printPathForAllTools): function getaddr() falls back to 0.0.0.0/32 if dynamic interface has not been assigned an address yet or is down.
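The shell-quoting problem behind bugs #1205665 and #1179103 (ipt.cpp, 2005-05-28 and 2005-04-09 above: a timezone name containing "'" or "&" embedded in the generated script's log line), as an added Python example that is not fwbuilder code; the function names and the timezone strings are constructed for illustration.

```python
"""Embedding compile-time strings (timezone name, log message) in a generated
shell script so that "'" and "&" cannot break it.  Added example, not
fwbuilder code; timezone values below are constructed.
"""
import shlex
from typing import List

# Characters /bin/sh interprets outside quotes; $ and ` also expand inside
# double quotes, which is why single quotes are the safe container.
_META = set("&;|$`<>()")


def activation_banner(timezone_name: str, when: str) -> str:
    """The log message the generated script prints when the policy activates."""
    return f"Activating firewall policy compiled on {when} {timezone_name}"


def unquoted_echo_line(message: str) -> str:
    """The unsafe form the bug reports describe: text inserted verbatim."""
    return "echo " + message


def emit_echo_line(message: str) -> str:
    """Safe form: shlex.quote wraps the text in single quotes and rewrites each
    embedded single quote as '"'"', so every character is inert data to sh."""
    return "echo " + shlex.quote(message)


def unquoted_metachars(line: str) -> List[str]:
    """Scan one shell line tracking quote state; return the metacharacters sh
    would interpret.  Raises ValueError on an unterminated quote, which is
    exactly the failure an embedded "'" produced (bug #1205665)."""
    found: List[str] = []
    quote = None  # None, "'" or '"'
    i = 0
    while i < len(line):
        ch = line[i]
        if quote is None:
            if ch in ("'", '"'):
                quote = ch
            elif ch == "\\":
                i += 1  # backslash escapes the next character
            elif ch in _META:
                found.append(ch)
        elif quote == "'":
            if ch == "'":
                quote = None  # nothing else is special inside single quotes
        else:  # inside double quotes
            if ch == "\\":
                i += 1
            elif ch == '"':
                quote = None
            elif ch in "$`":
                found.append(ch)
        i += 1
    if quote is not None:
        raise ValueError("unterminated quote: sh would refuse to parse this line")
    return found


def script_line_is_safe(line: str) -> bool:
    """True if sh would parse the line and interpret none of it as syntax."""
    try:
        return not unquoted_metachars(line)
    except ValueError:
        return False


def echoed_text(line: str) -> str:
    """What 'echo ...' prints after POSIX word splitting and quote removal."""
    words = shlex.split(line)
    if not words or words[0] != "echo":
        raise ValueError("not an echo line")
    return " ".join(words[1:])


if __name__ == "__main__":
    for tz in ("UTC", "CEST'DST", "A&B"):        # constructed timezone names
        msg = activation_banner(tz, "2005-05-28 10:00")
        for line in (unquoted_echo_line(msg), emit_echo_line(msg)):
            print(f"{'safe' if script_line_is_safe(line) else 'UNSAFE':6} {line}")
```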
Ipfilter policy using run-time substitution of dynamic interface addresses will be functional even if these interfaces are down or do not have IP address. 2005-04-05 * PolicyCompiler_PrintRule.cpp (_flushAndSetDefaultPolicy): fixed bug #1176890: "block IPv6". Generated iptables script sets default policies to DROP in all ipv6 filter chains. More detailed control can be implemented using prolog or epilog scripts. 2005-04-03 * PolicyCompiler_pf.cpp (separateSrcPort): fixed bug #1176051: "incorrect rule generated for TCP service ftp-data". If a rule used several TCP or UDP service objects and one of them has source port range configured, generated PF filter rule incorrectly matched on a combiantion of that source port range _and_ destination port ranges from all other service objects. This bug affected compilers for OpenBSD PF and ipfilter 2005-03-31 * FWWindowPrint.cpp (filePrint): fixed bug #1155163: "print does not print group contents". The program printed only number of objects contaned in object or service groups. Now it prints lists of member objects for all groups used in rules. If groups contain other groups, they are printed recursively. 2005-03-30 * objects_init.xml.in: fixed bug #1172620: "Add tcp service object for icslap". Added this object to the objects library "Standard". * FWWindow.cpp (info): fixed bug #1151243: "Maintain format of description text". The GUI ignored text formatting in object comment when displayed it in the info panel (lower left corner of the main windows) * FWOptions.cpp (toXML): API change: fixed bug #1173801: '"&" character in prolog/epilog'. Needed to call xmlEncodeSpecialChars to encode special characters in firewall options 2005-03-29 * ipf.cpp (printActivationCommandWithSubstitution): fixed bug #1173064: "support for dynamic interfaces in ipfilter". Actual address of dynamic interface is now determined at run-time in the policy activation script .fw generated by fwbuilder. 
If dynamic interface is used somewhere in the policy or nat rules, it will be replaced with its actual address by activation script before configuration is sent to ipf or ipnat for activation. This run-time substitution is done only if a checkbox is checked in the "Script options" tab of firewall settings dialog. Default behavior is to use "any". This is because ipfilter configuration files -ipf.conf and -nat.conf that rely on run-time substitution of dynamic interface address can not be loaded using standard activation scripts that come with FreeBSD. This also fixes another problem in fwb_ipf where it generated rdr and nat commands with address 0.0.0.0/32 if dynamic interface was used in a NAT rule. 2005-03-28 vadim * PolicyCompiler_PrintRule.cpp (_printMultiport): fixed bug #1160186: 'IPTables Compiler - Multiport Issue'. When 16 or 31 ports were used in a single rule, compiler generated command with conflicting options "-m multiport --dport" * NATCompiler_ipf.cpp (processNext): fixed bug #1173067: "support for port ranges in NAT rules (ipfilter)" - policy compiler for ipfilter should split DNAT rules (rdr) that use TCP or UDP objects with port ranges. A warning is issued if more than 20 rules are created. 2005-03-20 * utils.cpp (getFileDir): fixed bug #1157976: "patches to make fwbuilder compile under NetBSD 1.6". Applied patches. * newHostDialog.cpp (newHostDialog): fixed bug #1151219: "New Host creation window is not well dimensioned". Fixed wrong dialog page layout in the new host wizard. * OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug #1123748: "busybox grep -E". Busybox in floppyfw is compiled without support for egrep (or grep -E). Switched to using "plain" grep. * InterfaceDialog.cpp (loadFWObject): fixed bug #1151052: "Not external interfaces marked as external". 
Dialog for an interface object that belongs to a host should not show checkbox "external (insecure) interface" * Tools.cpp: API change: fixed bug #1158870: "mutexes are not properly created on FreeBSD". Mutexes gethostbyname_mutex and gethostbyaddr_mutex were never created but used on OS where thread-safe resolver is not available. 2005-02-17 * v2.0.6 released 2005-02-17 * ipt.cpp (main): fixed bug #1123933 "iptables add_addr() expr binary not found". As it turns out, /usr/bin/ is not in PATH during boot time on Slackware. I added /usr/bin/ to PATH variable in generated iptables script. 2005-02-16 * OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug #1123748 "busybox grep -E". Busybox does not support option "-E" with grep, however it has "egrep". 2005-02-12 * instDialog.cpp (instDialog): proper localization in the installer where it displays progress of the installation operation 2005-02-11 * main.cpp (main): Troubleshooting weird case of data file corruption during install * RCS.cpp (RCS): fixed bug #1120904: "GUI hangs when accessing RCS file". Improved parsing of rlog output. 2005-02-09 * utils.cpp (getUserName): working on bug #1118717: "fwbuilder 206 on Windows XP SP2: error checking out". Env variable USERNAME was not set in user's profile, which triggered this bug. Now using getuid to get user name on Unix and GetUserName on Windows. This should make the program more resilient for situations when environment variable LOGNAME or USERNAME is not set 2005-02-08 * ipt.cpp (main): Using getuid to read real user's ID on Unix 2005-02-07 * instDialog.cpp (continueRun): Fix for support request #1118039: "Error when Windows client calls plink -ssh". The problem is that putty ignores protocol and port specified in the session file if command line option -ssh is given. On the other hand, the sign of session usage is an empty user name, so we can check for that. 
If user name is empty, then putty will use current Windows account name to log in to the firewall and this is unlikely to work anyway. This seems to be a decent workaround. * printerStream.cpp (printQTable): further bugfixes in printing, in particular fixed a problem with partially greyed-out horizontal and vertical headers when ruleset was small enough to fit on the first page. 2005-02-05 * RuleSetView.cpp (selectionChanged): fixed bug #1030538: "incorrect highlighting when selecting multiple rules". This bug seems to be specific to Mac OS X * printerStream.cpp (printQTable): improvements in printing: - if a rule set does not fit on a single page, the program repeats table header on each page ("Source","Destination","Service" etc) - the program does not draw the whole rule set in memory anymore. Instead, it "scrolls" the table and only draws section that fits on a single page. This means we can now print really huge policies that can not be drawn as a whole because they exceed maximum coordinate value. Tested with a rule set that consists of 1200 rules which has size of 677x34884 pixels on my machine. 2005-02-03 * instDialog.cpp (selected): working on bug #1115412: "Problem installer FWbuilder 2.0.5 for Windows". Switched to command line option "-l" to specify user name for external ssh in installer. This was necessary because Van Dyke SecureCRT on Windows does not support user@host syntax. * instDialog.cpp: Installer verbose and quiet modes work as follows: - if quiet is off, verbose is off: prints everything that firewall script prints on stdout and stderr; does not add "-v" to calls to external ssh utilities - if quiet is off, verbose is on: adds "-v" to ssh command line - if quiet is on - supresses script output but still prints short messages to indicate when it copies files to the firewall and when it executes them 2005-02-01 * ObjectManipulator.cpp (delObj): slightly changed logic with user warnings in the object removal code. 
The program asks the user for confirmation if they remove an ordinary object from a regular library. Confirmation is not asked if object is removed from "Deleted objects" library or when a library is being deleted (in this case we ask a different quastion later anyway). This helps avoid double warning when a library is deleted. 2005-01-31 * POmakefile.in (POTFILES): Added module FWWindowPrint.cpp to the list of files processed for localization * FWWindowPrint.cpp (filePrint): Added small margin inside table cells in Legend and Object tables in the printout. 2005-01-30 * PolicyCompiler_ipt.cpp (processNext): fixed bug #1112470: "Problem with FW part of ANY in Bridged mode". If fw is considered part of any, we should place rule in INPUT/OUTPUT chains even if it is a bridging fw since fw itself may send or receive packets. * PolicyCompiler_ipt.cpp (accounting): implemented feature req. #1112980: "Need unique names for accounting rules". User can now specify a unique name for rules with action 'Accounting'; this name will be converted to a chain name. This simplifies accounting since chain name for such rule won't change if the user adds or removes rules above or below. * PolicyCompiler_ipt.cpp (accounting): fixed bug #1112976: "Accounting rule with logging produces looped iptables command" * FWWindowPrint.cpp (beginPage): implemented Feature Req. #1112778: "include date and time on printouts". Added date and time to the header on each printed page. * RuleSetView.cpp (paintCell): fixed bug #1112776: "some items touching seperator lines on printouts". Rule elements "Action", "Direction", "Options" and "Comment" were placed right at the top of the table cell which led to their clipping when rule set was printed on Mac OS X. Need more testing. * FWWindowPrint.cpp (filePrint): fixed bug #1112764: "some Objects are partially obscured in printout". Parts of the "Objects" table were clipped. Need to test some more. 
2005-01-29 * FWBSettings.cpp (init): fixed bug #1112264: "Load last edited file" setting doesn't work. This was broken only on Mac OS X. * FWObjectDatabase.cpp (merge): API change: fixed bug #1105167: "Crash when importing a library that has been deleted". 2005-01-27 * NATCompiler_pf_writers.cpp (_printPort): not quite fixed bug #1105755 "Custom Service objects not working for PF compiler". User tried to generate a nat rule like this using CustomService object: nat on eth1 proto {tcp udp icmp gre} from 192.168.1.0/24 to any -> 22.22.22.22 Taken from the bug report: it turned out, I can not fix this. You are trying to use Custom Service object to insert protocol list into a "nat" rule. Normally, a service object such as TCP or UDP service generates two components for any rule where it is used: a protocol specification and port specification (type/ code spec for ICMP). PF is sensitive to the order of parameters in the rule, in particular, protocol must be defined after interface but before src/dst addresses in the rule, while port numbers go after addresses. Compiler easily retrieves this information from IP, TCP, UDP and ICMP services and places it in a proper slots in the rule it generates. CustomService does not have a notion of protocol and parameters for it, so compiler puts a string that is configured in the CustomService in the place reserved for port numbers. This means you can not use CustomService to specify protocols. There still was a bug in fwb_pf where it would print "custom_service" in place of protocol. This is fixed in 2.0.6 build 542. Protocols can not be inserted with Custom Service though. Feature request #1111267 "CustomService should specify protocol and parameters for it" has been opened * PolicyCompiler_ipt.cpp (processNext): fixed bug #1102629: "lost chain in accounting rules". 
Rules with multiple objects in one of the rule elements and action 'Accounting' generated code that ignored objects in that rule element * ObjectManipulator.cpp (newPhysicalAddress): fixed bug #1111244 "GUI allows to add more than one MAC address to an interface". There can only be one MAC address for each interface. * FWWindowPrint.cpp (printQTable): While printing rule sets, the program makes sure rule set tables are broken on the rule boundaries while switching to a new page. * Added "Page setup" dialog to set parameters such as printing header, printing of a legend and object lists etc. * fixed bug #1109174: "Cannot print rule base" - implemented printing 2005-01-25 * instDialog.cpp (selected): fixed bug #1109631: "can not copy firewall script to /etc on Linksys". Added an option ot all OS resource files that determines whether user is allowed to change installation directory on the firewall. Currently it is allowed on all supported OS except Linksys/Sveasoft because there /etc/ resides on read-only filesystem 2005-01-24 * PolicyCompiler_ipt.cpp (processNext): fixed bug #1101910: "Samba problem with Bridged Firewall". Need to split rule to take care of broadcasts forwarded by the bridge and broadcasts that are accepted by the firewall itself. Need to do this only if the rule is not associated with any bridging interface. * PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): fixed bug #1106701: 'backup ssh access' and statefulness interation. Need to add rules matching states ESTABLISHED and RELATED for the backup ssh access to make sure it works even if global rule matching these states is disabled. * configure.in: fixed bug #1107838: "bug in configure script in fwbuilder 2.0.6". Need to specify path "./" when calling runqmake.sh * FWWindowPrint.cpp (filePrint): printing legend and a list of objects at the bottom of a printed document. 
* Compiler_ops.cpp (operator==): API change: fixed bug #1108861: "two rules using MAC address matching shadow each other". Need to check for MAC addresses while processing rules for shadowing. 2005-01-21 * FWWindowPrint.cpp (filePrint): Implemented printing of firewall rule sets. Using standard QT class QPrinter; can print to a system printers or to a file (PostScript), both in black and white or a color where available. Prints policies of the currently opened firewall. The program can calculate total number of pages and offer the user a choice in the Print dialog only if QT v3.2 and later is used. Each printed page has a header with the file name, RCS revision and a page number. Currently, the header can not be turned off (will implement in the future). 2005-01-07 * v2.0.5 released 2005-01-06 * RCS.cpp (isDiff): writing RCS log in UTF-8, this simplified localization 2005-01-02 * RCS.cpp (RCS): working on localization of RCS log entries. Build 516 converts log strings into 8bit string into locale-specific format on Unix before sending it to ci. Strings returned by rlog are converted from locale-specific format. No conversion is done on Windows and Mac OS X. * objects_init.xml.in: fixed bug (no num) that caused GUI crash when user created new firewall object using template with three interfaces. 2004-12-30 * PolicyCompiler_ipfw_writers.cpp (processNext): fixed bug #1093620: "path (to ipfw) with spaces fails". Generated script failed if path to ipfw contained space. I only worked around this problem for ipfw; paths to sysctl and logger must be standard and never contain spaces. * PolicyCompiler_ipfw.cpp (processNext): fixed bug #1093472: "ipfw port range(s) errors". There can only be one port range in a single ipfw rule. * PolicyCompiler_ipfw_writers.cpp (_printProtocol): fixed bug #1093461: "problem with 'established' in ipfw". Ipfw requires protocol to be set to 'tcp' if option 'established' is used in a rule. 
2004-12-29 * RCS.cpp (RCS): fixed bug #1092810: "Multiline RCS comments are shown as a single line on windows". As it turned out, this bug affected all platforms. * RCS.cpp (ci): an attempt to fix a bug that does not allow to enter RCS comment using non-english locale. 2004-12-28 * PolicyCompiler_ipt.cpp (getInterfaceVarName): fixed bug #1059393: "function getaddr failed for eth1.0020". Generated script can now work with interfaces that have a dot in their name (such as "eth1.0020" - vlan interface) * PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): fixed bug #1092141: "irritating FORWARD rule for established connections". Need rule in FORWARD chain only if ip forwarding is on or set to "no change" 2004-12-22 * Compiler.cpp (createRuleLabel): API change: fixed bug #1068119: "additional whitespace for Rule comments in .fw file". Added extra space between rule number and interface spec in rule comments. * PolicyCompiler_ipfw.cpp (processNext): fixed bug #1089866: "multiple services in one rule confuses ipfw compiler". If several UDP or TCP objects were used in the same policy rule and these service objects had source port ranges defined, the compiler would produce incorrect code by combining source port range specifications together in the same ipfw command. * main.cpp (main): Pull-down menu "On startup" in the "General" tab of the preferences dialog now has three items: "Load standard objects", "Load last edited file" and "Ask user what to do". The last item is default. * PolicyCompiler_PrintRule.cpp (_printProtocol): fixed bug #1089586: "default --icmp-type value is 0 in iptables < 1.2.9". The problem concerns policy rules using service object "any ICMP". A rule like this is supposed to match any ICMP packet. Few versions ago I had to add option "-m icmp" (and "-m udp", "-m tcp") because I've discovered that iptables-restore on some systems (linksys sveasoft firmware, iptables v1.2.11) refused to load rules without it. 
	Now it turns out that iptables v < 1.2.9 (tested on 1.2.6a and 1.2.7a) implicitly adds the equivalent of "--icmp-type 0" to rules with "-p icmp -m icmp" and without the "--icmp-type" option. Since type 0 is actually ICMP echo reply, a rule like this does not match "any ICMP" as it was supposed to. Iptables 1.2.9 implicitly adds "--icmp-type 255", which matches any ICMP type. Using "--icmp-type 255" on iptables 1.2.6 and 1.2.7 does not work (the rule does not match ICMP packets with a type different from 255). The fix generates "-p icmp -m icmp --icmp-type any" for iptables 1.2.9 and later, as well as when the iptables version is not specified in the firewall object settings. It generates just "-p icmp" for versions < 1.2.9.

2004-12-19

	* ObjectManipulator.cpp (newInterfaceAddress): GUI change: main menu item "Object/New Object/Address" and the corresponding toolbar button always create an Address object under the Objects/Addresses folder in the tree. An address of an interface can be created using the pop-up menu item "Add IP Address".

2004-12-16

	* Bunch of cosmetic bugfixes in the GUI.

	* PrefsDialog.cpp (setButtonColor): implemented feature request: colors that are used to color rules can be changed in the Preferences dialog.

2004-12-13

	* FWWindow.cpp (fileOpen): when user clicks menu item "File/Open" to open a new file, the GUI should save and close the currently opened file only after the user chooses the new file. If user clicks Cancel in the File/Open dialog, the operation should be cancelled so the user can continue working with the currently opened file. The same applies to the operation File/New.

2004-12-12

	* po.pro: fixed bug (no num): localization was broken on win32 and Mac OS X because translation files were not installed properly.

	* ObjectManipulator.cpp (pasteTo): improved behavior of the main menu "Edit" as well as the pop-up menu that appears when user right-clicks on an object in the tree.
	Menu item "Paste" should only be enabled if the clipboard is not empty and the objects that are stored in it can be pasted into the selected object in the tree.

2004-12-10

	* RCSFilePreview.cpp (selectedRevision): fixed bug (localization): RCS log entries made using non-ASCII characters used to appear as '???' in the Open File and File/Properties dialogs.

	* ObjectEditor.cpp (validateAndClose): more bugfixes for the behavior of the object editor dialogs. The dialog should ask if user wants to save data and then validate it when user clicks on [x] to close the editor dialog. It used to validate the data first, then ask if they want to close the dialog.

2004-12-09

	* FWWindow.cpp (load): when user opens a data file in the old format (fwbuilder v1.1.x, extension .xml) and after autoupgrade the program discovers that the same file with extension .fwb already exists, it offers the user a chance to choose a different name. If user clicks "Cancel" at this point, the program cancels the operation and reverts the upgraded data file back to its original name and version.

	* listOfLibraries.cpp (add): fixed bug (internal #34): the program should issue a warning when user tries to add a library file (.fwl) that contains an object library that already exists in the opened data file.

	* ObjectEditor.cpp (validate): Streamlined logic in the object editor dialog. This improves handling of the situation when user closes the dialog by clicking on [x] while 1) there are unsaved data and/or 2) some of the object's parameters have illegal values. The dialog behavior also depends on the setting of the global flag "Autosave" that causes the dialog to automatically save data when user switches between objects.
2004-12-08

	* listOfLibraries.cpp (add): numerous fixes for localization

2004-12-05

	* ObjectManipulator.h: numerous bugfixes:
	  - properly synchronizing the state of the main menu items with the state of the corresponding items in the pop-up menu that appears when user right-clicks on an object in the tree
	  - fixes for non-localized text strings in dialogs (mostly "Continue", "Yes"/"No" etc. in many places)
	  - proper localization of the human-readable version number text for iptables; also made the info window print readable text instead of "lt_1.2.6"
	  - cosmetic changes in some dialogs' layout to make them look better when localized text makes strings much longer
	  - firewall object dialog tab "Templates" has been hidden. It is unlikely that this feature will be implemented in the 2.0.X series.

2004-12-04

	* listOfLibraries.cpp (add): fixed bug (no num): the GUI crashed when user tried to add a library file for auto-load in Preferences/Libraries and the first library object in that file had a name using non-ASCII characters

	* Bunch of other fixes to avoid '????' in various places for localized strings

2004-12-04

	version 2.0.4 released

2004-12-02

	* utils.cpp (fillLibraries): fixed bug (no num): if a library was assigned a name with non-ASCII characters, it would appear distorted in the pull-down list in object dialogs.

	* fixed bug #1077496: "Error compiling libfwbuilder in FreeBSD". The problem was caused by the changed major version number of the libnetsnmp library in the latest net-snmp port (v5.2).

2004-12-01

	* FWWindow.cpp (openFirewall): fixed bug #1077072: "CrossPlatform Firewall Builder Crash". Pressing the arrow down key on the keyboard right after the GUI started with no firewall objects defined caused a crash.

2004-11-30

	* po/ru.qm: Updated Russian translation

2004-11-25

	* PolicyCompiler_ipt.cpp (splitIfSrcNegAndFw::processNext): fixed bug #1073491: incorrect code for rules using two interfaces with negation.
	If a rule had two (or more) interfaces of the firewall in the destination, with negation, the code generated by the compiler would check one interface's address in the INPUT chain and another in the FORWARD chain. It should check addresses of all interfaces from the corresponding rule element in the INPUT chain and also check addresses and possibly services from other rule elements in the FORWARD chain. This bug affected rules with two or more interfaces both in source and destination.

	* po/LINGUAS: translators maintain the Russian localization using QT Linguist rather than gettext; removed the ru locale from gettext Makefiles but left it in po.pro for installation

	* fwblookup.cpp: a fix to make it compile on FreeBSD w/o the gnugetopt port

	* utils.cpp (addPopupMenuItem): minor fix to help localization ('add object' and operation on rules pull-down menus did not translate properly)

2004-11-23

	* instDialog.cpp (continueRun): built-in installer checks the exit status of the script it runs on the firewall and aborts the installation sequence if it detects an error. OS resource files have been updated accordingly so they return exit status '1' in case of error and '0' when they succeed.

	* Compiler_ops.cpp (checkForShadowing): API change: still working on the IPService object shadowing changes. The ip fragments object was shadowing the GRE object, which was incorrect. Hopefully this change finally fixes it.

2004-11-21

	* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug (no number): policy compiler for iptables used "tail -1" in the shell script that reads actual IP addresses of interfaces of the firewall. This shell code failed to determine the correct address of an interface that was configured with a secondary address. Reverted to using grep (I switched to tail when I ran into limitations of one of the beta builds of Sveasoft Linksys firmware that did not have grep).

2004-11-18

	* NATCompiler_ipt.cpp (processNext): fixed bug #1068936: "unnumbered interface not using MASQUERADE".
	Compiler for iptables will use target "MASQUERADE" if an unnumbered interface is used in Translated Source in a NAT rule.

	* utils.cpp (fillLibraries): fixed bug (no num): group object dialog showed an incorrect library name for groups located in the "Standard" library

2004-11-17

	* listOfLibraries.cpp (add): fixed bug (no number): GUI could not find names of the object libraries in external library files that user added for automatic load in the Preferences dialog on Windows. It would find the name of the library in the first file, but failed to find library names in subsequent files and used the name from the first file. Since this library was only present in the first file, the object tree was getting corrupted when the program attempted to load this library from every file configured for automatic pre-load. This only happened on Windows.

	* dns.cpp (init): API change: fixed bug (no number): program crashed on FreeBSD 5.3 when using SNMP to obtain parameters for hosts and interfaces. The crash occurred because of the use of uninitialized mutex variables in module dns.cpp

2004-11-16

	* main.cpp (main): improved error handling: if the GUI is started with a file on the command line or is configured to open a file automatically on startup and RCS can not check the file out, the GUI will come up empty (with only standard objects loaded).

	* po/ja.po: Added Japanese translation by Tadashi Jokagi

	* DialogFactory.cpp (createFWDialog): added XML element FWBuilderResources/Target/dialog to platform and host OS resource files. This element describes the GUI dialog that should be opened for the firewall object for a given firewall platform or host OS. This is to be used with customized resource files, e.g. when user wants to add their own host OS resource file to change the commands used to load and activate policy on the firewall.
	Such a customized resource file will have a unique "description" element (the value of this element appears in the pull-down menu in the firewall object dialog) and the same values for the "family" and "dialog" elements to indicate which firewall family it belongs to and which dialog should be used. Policy compilers consult the "family" element to check if the firewall platform is supported by the compiler.

	* GroupObjectDialog.cpp (addIcon): fixed bug (no number): group object dialog corrupted object names if they contained non-ASCII characters.

2004-11-13

	* pixAdvancedDialog.cpp (pixAdvancedDialog): Removed "always new" mode for access lists and object groups for PIX configurations. This mode works well when user installs a new configuration but causes problems if they want to reinstall the same configuration. Also converted old option "pix_add_clear_statements" to one of the configuration script modes. So, the final list of script modes for PIX is as follows:
	  - basic or old format, when access lists are cleared and added from scratch. This is the simplest mode, which can be used if the management station connects to the firewall from inside. Remote management over an IPSEC tunnel may be difficult since tunnel traffic is blocked as soon as the "clear access-list" command is executed.
	  - access-list and object-group commands are generated but "clear access-list" and "clear object-groups" commands are not added. User's installation scripts should take care of that. This option replaces old option pix_add_clear_statements (with opposite semantics)
	  - a temporary access list is created and added to the outside interface, then main lists and object groups are added with permanent names and assigned to interfaces. The temporary list permits all traffic from a single subnet configured in the GUI via option pix_acl_temp_addr. The temporary list is small and is not cleared in the end.
	    The temporary list helps maintain the IPSEC tunnel for the time when access-lists are cleared and the firewall is running with the default acl that does implicit deny for all traffic.

2004-11-12

	* pf.cpp (main): fixed bug (no number): pfctl expects "-F Sources" and "-F Tables" command line options with "Sources" and "Tables" capitalized.

	* FWObjectDatabase.cpp (merge): API change: changes in the object database merge algorithm: when an object database we are trying to merge has a non-empty "Deleted objects" library, deleted objects from this library should be ignored (they used to be deleted from the current tree). Likewise, when the current tree has a non-empty "Deleted objects" library and objects in it match objects being merged in, those objects should be removed from the "Deleted objects" library to avoid creating duplicate IDs with the objects being merged in.

2004-11-10

	* Compiler_ops.cpp (checkForShadowing): API change: fixed bug (no number): rule shadowing algorithm now assumes that an IPService object with protocol number '0' shadows any other service just like 'any' does.

	* PolicyCompiler_ipt_optimizer.cpp (optimizeForRuleElement): fixed bug #1063953: "Wrong accept/multiport rule generated". Compiler generated wrong code for rules using multiple service objects of different types (TCP and UDP, or TCP and ICMP etc.), multiple addresses in src or dst, with the option that requires using TCP RST for action REJECT.

2004-11-07

	* SSHPIX.cpp (getACLs): New feature: added support for new configuration script formats for PIX in the installer:
	  - basic or old format, when access lists are cleared and added from scratch
	  - access lists have unique names each time policy is recompiled; lists are added without clearing.
	  - access lists are added with temporary names and assigned to interfaces, then the same lists are added with permanent names, lists are swapped and temporary lists cleared
	  The last two methods provide for instantaneous access list swap so that the firewall never runs with empty lists.
	This helps maintain access to the firewall if the configuration is installed remotely.

	* SSHPIX.cpp: New feature: Installer always clears unused access lists after the configuration is loaded.

2004-11-06

	* fwcompiler/Compiler.cpp (complexMatch): fixed bug #1055937: "Any->all_multicasts not in INPUT Chain". Need to check if network objects are multicasts; assume that multicast always matches the firewall object (e.g. fwb_ipt will put a rule with such a network object in destination in the INPUT chain)

	* instDialog.cpp (instDialog): Added an option to push PIX configuration to a standby firewall at the end of install.

2004-11-01

	* NATCompiler_PrintRule.cpp (_printDstService): fixed bug (no number) where the compiler for iptables used option "--destination-port" with module "multiport" for versions of iptables that do not understand it (1.2.6 and later, as well as default version setting 'any'). The option should be "--destination-ports" or "--dports".

2004-10-31

	* FWBSettings.cpp (init): fixed bug (no number): Policy installer failed if the following conditions were met:
	  - it was running on Linux, FreeBSD or Mac OS X
	  - the working directory configured in the "General" tab of the Preferences dialog did not exist and could not be created, or its permissions did not allow the user that runs the GUI to access it

	* NATCompiler_ipt.cpp (processNext): fixed bug (no number) in fwb_ipt that caused no-nat rules with the firewall in OSrc to be placed only in the OUTPUT chain. Packets originating on the firewall go into the OUTPUT and POSTROUTING chains, so no-nat rules must be placed in both. Other minor improvements for NAT of locally originated connections have been done as well.

2004-10-30

	* NATCompiler_PrintRuleIptRst.cpp (_endRuleLine): fixed bug (no number): compiler placed an extra quote '"' at the end of each NAT command in the script using iptables-restore; this happened only if all interfaces of the firewall had static addresses.
	* PolicyCompiler_PrintRule.cpp (_printProtocol): testing policy installation via iptables-restore with old versions of iptables (1.2.6a). Need to include "-m tcp", "-m udp" or "-m icmp", otherwise iptables-restore does not understand options "--dport", "--tcp-flags" and some others. Also had to use "--tcp-flags SYN,RST,ACK SYN" instead of "--syn" for better backwards compatibility.

2004-10-26

	* ipt.cpp (main): iptables: Added ability to insert shell commands defined in the prolog script in three places:
	  - at the top of the generated script
	  - after interface configuration but before resetting the existing iptables policy
	  - after existing policy rules are flushed and optional global implied rules added, but before all policy and NAT rules

2004-10-24

	* PolicyCompiler_PrintRuleIptRst.cpp (_createChain): implemented Feature Request #1021201: "output iptables-restore compatible config from fwb_ipt". Policy compiler for iptables can use iptables-restore to activate the firewall policy. Iptables-restore provides for atomic policy load and allows loading a large policy much faster. Atomic load means the whole filter or nat table is activated at once, and if there is an error, nothing is changed. Compiler generates the script in three possible formats:
	  - the usual shell script that adds rules one at a time by executing the iptables command with an "-A" flag to add a rule;
	  - commands are fed to iptables-restore; this format is used when all interfaces of the firewall have static IP addresses and the script does not need to determine addresses at run time;
	  - the script determines IP addresses of interfaces and discovers dynamic interfaces that were defined as a "wildcard" interface in fwbuilder (e.g. 'ppp*'); the code that is sent to iptables-restore is generated dynamically by the script at run time.
	  Using iptables-restore is optional and is controlled by the checkbutton in the "Script options" tab of the firewall settings dialog.
	Path to the iptables-restore utility can be set in the "Paths" tab of the host settings dialog.

	* A change in the script generated by fwb_ipt: if iptables-restore is not used to load policy, the generated shell script purges the existing firewall policy (all tables and chains) and sets default chain policies after it configures the interfaces of the firewall. Previously, it would flush tables and set default policy before it configured interfaces.

2004-10-23

	* RuleSetView.cpp (pasteRuleAbove): fixed bug #1028866: "incorrect order when several rules copied using copy/paste". Pasting multiple rules into an empty policy caused rules to be inserted in the wrong order.

	* freebsdAdvancedDialog.cpp (freebsdAdvancedDialog): fixed bug #1046345: "ipfw - no option to specify ipfw executable". Added a GUI control to let user specify an alternative path to "ipfw" on FreeBSD. A control like that was previously available only for Mac OS X

	* PolicyCompiler_ipt.cpp (checkForMatchingBroadcastAndMulticast), Compiler.cpp (_complexMatchWithInterface): fixed bug #1040773: need to match the network address as well as broadcast. Packets sent to the network address (192.168.1.0 for net 192.168.1.0/24) go in the broadcast frame and behave just like IP broadcast packets (sent to 192.168.1.255 for the same net)

	* PolicyCompiler_ipt.cpp (finalizeChain::processNext): fixed bug #1040599: "unnecessary FORWARD rules". If ip forwarding is turned off in the host settings dialog of the Linux-based firewall, the compiler should not generate rules in the FORWARD chain.

2004-10-20

	* linux24.xml.in: Added element "Target/family" to all OS resource XML files. Compilers use the "family" resource element to determine if the host OS is supported. User may want to copy a host OS resource file to modify installer scriptlets; as long as the family element is kept the same, the compiler will accept the new resource file.
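The two _printProtocol entries above (the "--icmp-type" handling for bug #1089586 under 2004-12-22, and the "-m tcp"/"-m udp"/"-m icmp" and "--tcp-flags SYN,RST,ACK SYN" output for old iptables-restore under 2004-10-30) as one added Python example; this is not fwbuilder's code, and the service dictionary layout and the function names are assumptions made here.

```python
import re


def parse_version(text):
    """Turn an iptables version string into a comparable tuple.

    Returns None for 'any' or an empty/unset value (version not specified in
    the firewall object settings).  Letter suffixes, as in 1.2.6a, are ignored
    for the comparison.
    """
    if text is None or text.strip().lower() in ("", "any"):
        return None
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised iptables version: {text!r}")
    return tuple(int(x) for x in m.groups())


def print_protocol(service, version=None):
    """Return the protocol/port match options for one service object.

    service is an assumed dictionary: {"proto": "tcp"|"udp"|"icmp",
    "sport": "1024:65535", "dport": "22", "syn_only": True, "type": 8};
    only "proto" is required.  An ICMP service without "type" is "any ICMP".
    """
    v = parse_version(version)
    proto = service["proto"]
    # "-m tcp"/"-m udp"/"-m icmp" is always emitted: iptables-restore on some
    # builds refuses "--dport", "--tcp-flags" and friends without it.
    opts = ["-p", proto, "-m", proto]
    if proto in ("tcp", "udp"):
        if "sport" in service:
            opts += ["--sport", service["sport"]]
        if "dport" in service:
            opts += ["--dport", service["dport"]]
        if proto == "tcp" and service.get("syn_only"):
            # spell "--syn" out as its flag mask for old iptables-restore
            opts += ["--tcp-flags", "SYN,RST,ACK", "SYN"]
    elif proto == "icmp":
        if service.get("type") is not None:
            opts += ["--icmp-type", str(service["type"])]
        elif v is None or v >= (1, 2, 9):
            # 1.2.9 and later: "any" matches every ICMP type; the same is
            # generated when the version is not specified
            opts += ["--icmp-type", "any"]
        else:
            # iptables < 1.2.9 adds an implicit "--icmp-type 0" (echo reply)
            # to "-p icmp -m icmp", so match on the protocol alone instead
            opts = ["-p", "icmp"]
    else:
        raise ValueError(f"unsupported protocol: {proto!r}")
    return " ".join(opts)
```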
	* linksys.xml.in: Added elements "Target/options/suppress_comments" and "Target/options/suppress_modules" to the OS resource files linksys.xml and linux24.xml. These options suppress printing comments in the generated script and remove commands that load kernel modules. These options are used for the Linksys/Sveasoft appliance but can also be used for other firewalls based on Linux.

2004-10-19

	* pf.cpp (main): Activation script for PF flushes only information about rules, nat, source and tables (it used to flush "all"). This preserves queue entries and states.

	* ipt.cpp (main): moved the rule permitting backup ssh access from the management station to the firewall to the top of the script. This helps maintain the ssh session; otherwise it may stall or break because the stdout buffer is filled with diagnostic or progress output from the script that is printed after all chains are flushed but before the rule permitting ssh to the firewall is added. If the stdout buffer is full, ssh stops and tries to send the text to the management station but times out because the firewall blocks it.

	* ipt.cpp: removed code that added an iptables command to the "drop" table to drop and log all dropped packets. This rule used the obsoleted patch-o-matic patch "drop", which is not available anymore.

2004-10-17

	* ipt.cpp (main): fixed bug (no number): all policy compilers properly detect an error when the output file can not be created or overwritten and print an error message to warn the user.

	* New feature: added support for prolog and epilog scripts for all firewall platforms. This was available for PIX for some time; now it has been added for all platforms. The "Prolog/Epilog" tab of the firewall settings dialog allows for editing of two blocks of commands that will be added to the generated firewall script verbatim. The prolog block is added on top, while the epilog block is added at the bottom. Both prolog and epilog are expected to be shell scripts and are added to the generated shell script that activates the firewall.
	For iptables and ipfw, all the compiler generates is this shell script, and the prolog and epilog commands are inserted into it. These commands may execute some actions, as well as add any policy or nat commands. For ipf and pf, prolog and epilog commands are added to the activation shell script (.fw file); the prolog is added immediately after the command that flushes all rules. This way user may either execute shell commands or add policy and/or nat rules by loading them from an external file.

2004-10-10

	* FWWindow.cpp (addFirewallToList): fixed bug (no number) introduced in 2.0.3 when the GUI crashed if user tried to choose a pull-down menu item in the firewall list after the very first firewall object had been created.

	* SSHPIX.cpp: Added #include to make code compile with gcc 3.4.2 and glibc 2.3.3

	* ipt.cpp (main): fixed bug #1040788: fwb_ipt and user name. Compiler used to read environment variable "USER" to find out the user's name. Sometimes this variable is not set, which caused the compiler to abort. Using env variable LOGNAME in addition to USER.

2004-09-30

	* v2.0.3 released

2004-09-28

	* instDialog.cpp (instDialog): since config diff is broken for PIX v6.3(3) (because it does not permit adding duplicate ACL entries), the "save diff to file" option is temporarily disabled. "Incremental" install renamed to "install only ACL, icmp, telnet, ssh, nat, global and static commands"

2004-09-27

	* OSConfigurator_linux24.cpp (printPathForAllTools): the script generated by the compiler for iptables checks if /usr/sbin/ip exists on the firewall before it tries to use it to verify interfaces and configure IP addresses. This check is only performed if user activated options that use this tool. An error message "Interface eth0 does not exist" was generated if package iproute2 was not installed on the firewall, which was confusing.

	* FWWindow.cpp (doCompile): Added option "output file name" to firewall settings dialogs for all platforms.
	User can specify the name for the output file; this name is then used by the built-in installer in place of the macro %FWSCRIPT%.

	* ipt.cpp (main): Added command line option "-o" for all compilers

	* FWWindow.cpp (save): fixed bug #1035800: "Autosave failure opens error window repeatedly". This bug was in fact fixed earlier.

2004-09-26

	* FWWindow.cpp (fileSaveAs): fixed bug #1035130: 'Persistent "Save" dialog box'. A certain combination of actions on the user's part used to lead to an indefinite loop of "do you want to save the data" dialogs. The problem was triggered if user skipped choosing a name for the new file in the startup dialog.

	* linux24.xml.in: fixed bug #1035132: "compile errors with default Linksys firewall object". This bug was introduced in build 435. When user created a new firewall object using one of the template objects, the GUI would add a bunch of garbage to the firewall options. This garbage violated the XML DTD, so compilers and the GUI would not accept the data file anymore.

2004-09-25

	* ipt.cpp (main): using "set -x" to turn debugging on in the generated iptables script. This will work even if the script is activated with the "sh script.fw" command.

	* OSConfigurator_linux24.cpp (generateCodeForProtocolHandlers): changed the command line for sed to a more portable version. We used to use 'stmt; stmt' syntax, which is not always portable. Switched to a supposedly more portable syntax using multiple "-e" command line options.

2004-09-23

	* instDialog.cpp (getActivationCmd): fixed bug (no number): as of build #430, the installer ignored the activation command configured in the "install" tab of the firewall settings dialog. Restored this functionality.

	* OSConfigurator_linux24.cpp (printPathForAllTools): just like with "tail -1", some busybox-based systems require "head -1" to be changed to "head -n1"

2004-09-22

	* instDialog.cpp (testRunRequested): fixed bugs in the installer that prevented it from working on OpenBSD. Enabled scheduled reboot for all OS except PIX.
2004-09-21

	* instDialog.cpp (testRunRequested): "schedule reboot" option is only enabled for linksys since it does not work on other platforms (yet)

	* FWWindow.cpp (openFirewall): implemented Feature Request #1032126: "Firewall label for clarity". Printing the name of the firewall object that is opened in the policy panel in a large font right above the interface/policy tabs. This was easy to implement but I consider it an experiment. Will request feedback from users.

	* SSHSession.cpp (startSession): refactored code in the built-in installer. Moved interaction with ssh to classes SSHSession, SSHUnx and SSHPIX. Moved "scriptlets" that are executed on the firewall to activate policy in different modes to resource files. Using ssh rather than scp to copy the policy script to unix-based firewalls (pscp.exe on Windows works only if the server supports sftp, but dropbear on Linksys does not support it, so the installer breaks if we use scp/pscp.exe to copy the policy). Still having problems with the scheduled reboot option on Linux/BSD firewalls (it works on Linksys though).

	* OSConfigurator_linux24.cpp (printPathForAllTools): bugfix: some editions of busybox do not support the "tail -1" syntax and require "tail -n1"

2004-09-19

	* instDialog.cpp (getActivationCmd): Improvement in the built-in installer: added an option to schedule an automatic firewall reboot in a specified time (in minutes) after policy activation. This option is available for all firewall platforms but PIX. This option only works if user requested policy activation in test mode, in which case the policy is copied and activated on the firewall but not stored in the permanent location. After reboot the firewall reverts to the previous version of the policy. To cancel the scheduled reboot, run the installer again with the "test run" option turned off. The installer stores the policy in the permanent location, activates it and cancels the scheduled reboot.

	* src/res/os/linux24.xml.in and others: moved all commands used by the built-in installer to resource files.
2004-09-18

	* NATCompiler_pf.cpp (processNext): a NAT rule of type DNAT (rdr rule) is assigned to an interface of the firewall if the interface object or its address object is used in ODst. To get an rdr rule without interface assignment, use an Address or a Host object that has the same IP address as that of the firewall's interface but that is not a child of an interface. This is the same approach that is used in iptables.

	* PolicyCompiler_pf.cpp (compile): Compiler for pf always uses tables; this breaks compatibility with older OpenBSD systems (3.2 and 3.3)

	* PolicyCompiler_pf.cpp (findDynamicInterfaces): Compiler for pf puts the interface name in a table even if the interface is dynamic, for rules that use multiple objects in src or dst where one of these objects is a dynamic interface of the firewall that is being processed. Using a dynamic interface of another object in a rule is still considered an error. Compiler puts the name of the dynamic interface in a table verbatim, without brackets '(' ')', since pf does not replace a dynamic interface with its address dynamically if it is used in a table (pfctl issues an error if the interface is put in brackets)

2004-09-17

	* OSConfigurator_linux24.cpp (configureInterfaces): flushing only secondary ip addresses on interfaces. This should fix a bug that caused the linksys/sveasoft unit to lose its default route upon reboot if the external interface has a static IP address.

2004-09-15

	* PolicyCompiler_pf.cpp (addDefaultPolicyRule): fixed bug #1028980: "need an option to turn logging on on fallback rule"

	* PolicyCompiler_pf_writers.cpp (processNext): fixed bug #1028973: fwb_pf: missing "flags S/SA" in front of "modulate state"

	* pfAdvancedDialog.cpp (pfAdvancedDialog): added an option to permit tcp sessions opened prior to firewall restart. This is needed now since the compiler generates "flags S/SA" for the "keep state" and "modulate state" rules, which means the firewall won't permit TCP sessions unless it saw the opening SYN packet.
	* instDialog.cpp (getActivationCmd): improvements in the policy installer: added an option for a test run. When this option is activated, the policy script is pushed to the firewall and is executed but is not stored there permanently. The firewall reverts to the last working configuration after reboot.

	* NATCompiler_ipt_writers.cpp (processNext): using abbreviated versions of "--dport", "--sport", "--dports", "--sports" options to make the generated iptables script smaller. Also changed the name of the variables used to hold the IP address of a dynamic interface from "interface_" to "i_". All this should help to fit larger policies into the small FLASH on linksys. These changes shrunk my test script from 7964 bytes to 7430 bytes

2004-09-14

	* platforms.cpp (isDefaultOptions): fixed bug #1028078: "options.png is not displayed for "Assume firewall is part...""

	* pfAdvancedDialog.cpp (pfAdvancedDialog): fixed bug (no num): "firewall settings" dialog for OpenBSD pf did not save option "Use tables".

	* instDialog.cpp (getActivationCmd): implemented compression of the firewall script for the Linksys/Sveasoft combo. Using gzip and uuencode/uudecode to compress the script and store it in flash variable 'fwb'. Installer prints flash memory stats after committing changes. Installer uses scp to copy the firewall script to the firewall and an autogenerated prompt to detect when it has logged in; it does not depend on the Linksys shell prompt anymore.

2004-09-12

	* PolicyCompiler_ipt.cpp (addPredefinedPolicyRules): implemented feature request #1023430: "add checkbox for INVALID support in fw settings". Added two checkboxes to the firewall settings dialog: one adds a rule to drop INVALID packets and another adds logging to the rule.
	* FWWindow.cpp (fileSaveAs): fixed bug #1026945: '"Save As" does not work if current file is in RCS'

	* FWWindow.cpp (removeFirewallFromList): fixed a bug (no number): after deleting a library, firewall objects that belong to it were not removed from the pull-down list

	* PolicyCompiler_ipt_optimizer.cpp (optimizeForRuleElement): fixed bug #1026794: 'multiple SRC ntwks --> "iptables: invalid argument"'. Recent changes in the optimizer introduced this bug. Rules with multiple objects in src or dst, a TCP service, action Reject and option "reject with TCP RST" would generate an iptables command that used option "--reject-with tcp-reset" without "-p tcp"

	* PolicyCompiler_pf_writers.cpp (_printDstAddr): fixed bug #1006906: "Negated network causes pass on network". Compiler for pf uses the native negation syntax that is now available in pf

2004-09-11

	* PolicyCompiler_ipt.cpp (TimeNegation): fixed bug #1022216: "negated time produces incorrect iptables rule". Implemented negation for the "Time" rule element for iptables

	* PolicyCompiler_ipt.cpp (processNext): fixed bug #1026509: "incorrect rules generated for dual negation with time". Compiler generated incorrect iptables commands for rules that had negation in two or more rule elements, one of which was Time.

2004-09-09

	* OSConfigurator_linux24.cpp (prolog): rules that permit packets associated with ESTABLISHED,RELATED states moved to the beginning of the script, before NAT rules.

	* PolicyCompiler_ipt_writers.cpp: added a checkbox and support in the policy compiler for iptables to generate rules that drop packets that are associated with no known connection (state "INVALID")

2004-09-08

	* Firewall.cpp (duplicate): API change: fixed bug (no number): all references to the interfaces, as well as their IP and MAC addresses, in policy and NAT rules should be replaced when a Firewall object is duplicated. Until now only references to the firewall object itself and to its interfaces were replaced with references to the newly created copies of the object.
References to IP and MAC addresses still pointed at the old objects. * FWObjectDatabase.cpp (IDcounter): fixed bug #1022788: "GUI corrupts XML file after creating a second firewall". Global object ID counter was getting reset every time new FWObjectDatabase object was created. This lead to the ID collision if user quickly created and deleted complex objects (such as Firewall) and used database merge. This should also fix bug #1022785: "GUI corrupts XML file after creating a host entry" * PolicyCompiler_ipt_optimizer.cpp (processNext): fixed bug #1024861: "optimizer is broken in fwb_ipt". Used idea and a patch by Mark Vevers . Fixed compiler fwb_ipt generates more efficient iptables script for rules with multiple objects in all rule elements. The script is smaller and eliminates unnecessary comparisons for packet attributes. Every attribute (i.e. source address, destination address, protocol and port numbers) is checked by the script only once. This should help reduce load on firewalls with lots of complex rules. * VERSION: set version to 2.0.3 2004-08-31 * v2.0.2 released 2004-08-31 * ipt.cpp (main): fixed bug #1019943: "Missing ip addresses in the rule using interfaces" * linksysAdvancedDialog.cpp (linksysAdvancedDialog): fixed bug #1019691: "040829 nightly build doesn't add paths for linksys" 2004-08-30 * VERSION (VERSION): version 2.0.2, revision 1 * aboutdialog_q.ui.h (init): "About" dialog shows registration status (used only in non-GPL versions) 2004-08-28 * fixed FreeBSD port, now compiles on 5.3BETA 2004-08-25 * RuleOptionsDialog.cpp (loadFWObject): Added support for options "max", "max-src-nodes" and "max-src-states" in pf. These allow to limit number of concurrent state table entries ("max"), number of source addresses that can simultaneously have state table entries ("max-src-nodes") and number of simultaneous state entries per source address ("max-src-states") per rule. 
	* LibExportDialog.cpp (accept): fixed bug #1015884: "Export more than one library fails with 0 references". The export library operation failed if the user exported two libraries with groups or rules in one library referencing objects in the other.

2004-08-24

	* pfAdvancedDialog.cpp (pfAdvancedDialog): Implemented support for all timeout settings in pf: tcp.first, tcp.opening, tcp.established, tcp.closing, tcp.finwait, tcp.closed, udp.first, udp.single, udp.multiple, icmp.first, icmp.error, other.first, other.single, other.multiple, including the adaptive timeout scaling options adaptive.start and adaptive.end.

2004-08-23

	* FWBTree.cpp (getStandardSlotForObject): fixed bug #1014725: "adding new ICMP types". If the user created a service group with the name "ICMP", the GUI would place new ICMP objects under this group instead of the standard folder "ICMP". There was the same problem with other object types, too.

	* ObjectManipulator.cpp (simplifySelection): debugging in the operations "delete object", "move object", "undelete". Making sure we can delete and undelete libraries, delete and move several objects at once, and group several objects. There were problems if the user selected several host or firewall objects using Shift-Click (although interface and address objects were not visible to the user, they were selected and acted upon in the delete or move functions; this led to unexpected results or crashes).

2004-08-22

	* templates.xml.in: added template firewall objects for a Linksys firewall and a web server.

	* templates.xml.in: fixed bug #1013957: "incorrect NAT rule in firewall created from template #3". The problem was caused by an incorrect IP address of interface "dmz" in template object #3.

	* pixAdvancedDialog.cpp (pixAdvancedDialog): implemented a backup ssh access rule. The user specifies the management station IP in the firewall settings dialog for PIX and the compiler adds a rule on top of all other rules to permit ssh from this address to the firewall.
2004-08-21

	* OSConfigurator_linux24.cpp (prolog): avoiding grep in the generated iptables script; Sveasoft Alchemy pre-5.2.3 does not have grep.

	* API change: fixed bug #1012733: "configure --libdir=DIR will be ignored at installation". Needed to use the macro _libdir to specify the target directory for libraries. Used it in configure, qmake.in, libfwbuilder-config-2 and the .spec file.

	* objects_init.xml.in: added new service objects to the Standard objects library: "xmas scan" (the old object was renamed "xmas scan - full"), rsync, distcc, cvspserver, cvsup, afp, whois, bgp, radius and radius acct, SSDP and UPnP. This fixes bug #1011248: "need two xmas scan service objects".

	* FWWindow.cpp (fileImport): the function File/Import offers a choice of .fwl, .fwb and "all files" in the open file dialog. This fixes bug #1013485: "File/Import should allow to import .fwb file".

	* FWWindow.cpp (load): fixed bug #1008956: "Existing .fwb file gets overwritten if has wrong extension". If the GUI needs to rename a data file with the old extension .xml to .fwb, it checks whether a file with the new extension exists and offers the user a chance to choose a different name. It also treats symlinks in a special way: if the user creates a symlink with extension .xml pointing at a file with extension .fwb, the GUI simply follows the link and works with the .fwb file. This should work with Windows shortcuts, too.

	* instDialog.cpp (instDialog): the built-in installer uses the shell prompt string patterns configured in the host OS settings dialog for linksys. This fixes bug #1013022: "can not install policy script on linksts Alchemy pre-5.2".

	* linksysAdvancedDialog.cpp (linksysAdvancedDialog): Added a host OS settings dialog for linksys/Sveasoft. The dialog provides entry fields for the paths to the iptables, lsmod, modprobe and logger tools and two shell prompt string patterns; this should help to work around changes in the shell prompt on Linksys. This fixes bug #1013018: "host OS settings" dialog is missing for linksys.

2004-08-20

	* ObjectManipulator.cpp (contextMenu): fixed bug #1009345: "Can only move one host object at a time between libraries"

	* ObjectManipulator.cpp (deleteObj): fixed bug #1013177: "deleting multiple hosts causes crash"

	* DTD change: fixed bug #1011617: "deleting physcal address object leads to the DTD violation"

2004-08-08

	* PolicyCompiler_ipt_writers.cpp (_printDstService): fixed bug #1005148: "MAC matching - space missing". A space was missing between the MAC address and the custom service code.

2004-08-06

	* listOfLibraries.cpp (add): fixed a compile problem on systems where QT is built without STL support.

	* PolicyCompiler_ipt_writers.cpp (_printLimit): fixed bug #1004153: "limit-burst = 0 is not valid". Iptables does not accept a rule using the "limit-burst" option if it is set to zero.

2004-08-04

	* ObjectManipulator.cpp (pasteTo): fixed bug #1003068: "object copy/paste not always working". An IP address object could not be placed under an interface using the copy/paste operation. Now an IP address object can be pasted to an interface as well as to the Objects/Addresses folder.

	* FWWindow.cpp (fileDiscard): the operation File/Discard closes the file, discards all the changes that have been made to it and replaces it with a fresh copy of the head revision from RCS. This works if the user wants to abort a file upgrade when they switch to the new version of fwbuilder.

2004-08-02

	* FWObject.cpp (deleteChildren): fixed bug #1001833: "memory leak". Child objects were not deleted when the FWObjectDatabase object was destroyed.

	* iptAdvancedDialog.cpp (accept): fixed bug #1002388: "Clamp MSS to MTU" option is missing in 2.0

2004-08-01

	* objects_init.xml.in: there were two TCP Service objects "linuxconf" in the Standard objects library. The object with ID id3AED0D6D has been removed. It seems this object had been duplicated a long time ago (at least it was like this in 1.1.2).

	* FWObject.cpp (getPath): fixed bug #1001725: "object with empty name can not be deleted". The problem was caused by the algorithm used in FWObject::getPath. If an object had a blank name, the path returned by this method would end with the name of its parent without a slash.

	* FWWindow.cpp (showFirewalls): fixed bug #1000485: "Firewalls in the drop-down box not ordered". The list of firewalls in the pull-down that controls policy views is now sorted alphabetically on program startup.

	* utils.cpp (fillLibraries): fixed bug #1000862: "Creating groups in Deleted Objects". The library "Deleted objects" should not be offered as a choice for the "group objects" operation.

	* ObjectManipulator.cpp (contextMenu): fixed bug #1001275: "object duplication fails w/ no action". The GUI used to not allow the user to duplicate an IP address object. Now any object can be duplicated so that the copy is placed under the same parent, including IP addresses.

	* ICMPServiceDialog.cpp (applyChanges): fixed bug #1001521: "Cant create ICMP service". The ICMP Service dialog did not save the icmp code and type numbers in the object.

2004-07-29

	* 2.0 released, CVS tag set

2004-07-27

	* FWWindow.cpp (install): the GUI calls the external installer script if it is configured in the firewall settings dialog when the user clicks 'Install', otherwise it should use the built-in installer.
2004-07-24

	* RuleSetView.cpp (insertRule): correctly copying the rule direction when an interface rule is copied/pasted.

	* instDialog.cpp (selected): proper error messages for management interface misconfigurations.

2004-07-20

	* ICMPServiceDialog.cpp (loadFWObject): the ICMP service dialog allows setting type and code to 'any' (-1).

2004-07-19

	* OSConfigurator_linux24.cpp (processFirewallOptions): fixed bug #992969: "argument to log should be quoted"

2004-07-14

	* PolicyCompiler_ipt.cpp (processNext): working on bug #990037: "Wrong rule generated: fw interface included in negated group". Rules with negation should not generate code in the INPUT/OUTPUT chains if the option "assume firewall is part of any" is off.

	* ObjectManipulator.cpp (delObj): fixed bug #990675: "Application crashes when deleting objects"

2004-07-11

	* PolicyCompiler_ipt.cpp (splitIfSrcNegAndFw): optimized processing of policy rules where the firewall object is used in src or dst with negation (possibly in combination with other objects). Before, the generated script would match the firewall's addresses in the INPUT/OUTPUT and FORWARD chains, which added redundant checks in the FORWARD chain.

	* NATCompiler_ipt.cpp (processNext): fixed bugs #935794: "dual translation and negation in fwb_ipt" and #986376: "Wrong result for negated source in NAT rules". A dual translation rule with negation in OSrc did not process the negation in the second half (the POSTROUTING rule, the one that translates the source).

	* NATCompiler_ipt.cpp (processNext): fixed bug #965558: "False ruleset generated for iptables (negate w/ nat)". There were problems with double negations in NAT rules (OSrc and ODst, or ODst and OSrv, etc.).

	* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug #988860: "Logging missing when firewall start is aborted". When the iptables script generated by fwb_ipt finds missing interfaces, it prints an error message on stdout and also sends it to the log.
2004-07-10

	* FWObject.cpp (_moveToDeletedObjects): now moving deleted objects to the special library with id 'sysid99' rather than deleting them completely. This serves two purposes: 1. we can easily provide an undelete function, which is very useful; 2. we can catch the situation when an object has been deleted from the external library but is still used in the data file.

	* FWObjectDatabase.cpp: while merging object trees, checking for deleted objects. If an object is present in the current tree but has been deleted in the file being merged in, a special form of the conflict resolution dialog is shown. The user has only one option: to delete the object from the file. The typical situation when this happens is when an object from an external library is used in a rule or group in a data file, then this object is deleted in the external library. If this external library is preloaded and then the data file using this object is opened, a conflict occurs because this object is present in the file but is in "Deleted objects" in the library. The problem is that the library is read-only, so if we kept the object (actually, its copy coming from the data file), the user would not be able to delete it. So, not only would the object magically reappear after it had been deleted from the library, it would appear in a read-only library and could not be deleted anymore. To avoid this situation we must delete it in the file if it has been deleted in the library.

	* ObjectManipulator.cpp (delObj): the "delete object" function moves the object to the "Deleted objects" library.

	* PrefsDialog.cpp (accept): Added the checkbox "Show deleted objects" to the preferences dialog. If this option is on, the user has access to deleted objects via the library "Deleted objects".

	* ObjectManipulator.cpp (contextMenu): the pull-down menu item "Move" turns into "Undelete" if an object is in the "Deleted objects" library. This provides a simple undelete function.

2004-07-09

	* PolicyCompiler_ipt.cpp (processNext): fixed bug #925199: "compiles wrongly a double negation". The policy compiler for iptables generated incorrect code for rules where two rule elements used negation (i.e. both src and dst, or dst and srv, etc.).

	* PolicyCompiler_ipt.cpp (prolog): fixed bug #978854: "false rule generated for fw object in interface rule". The policy compiler for iptables generated incorrect code for rules using a negated firewall object in source or destination when the global option "assume firewall is part of any" was turned off.

	* fwb_ipt: implemented Feature Request #913273: make "assume fw is part of any" a per-rule option.

2004-07-08

	* FWWindow.cpp (setupAutoSave): Added an option for autosave. If this option is turned on, the GUI periodically saves data to the file. The autosave interval can be set between 1 minute and 2 hours.

	* ipt.cpp (main): fixed bug #917422: "compiler misinterprets interface with addr 0.0.0.0". If an interface has IP address "0.0.0.0", it is considered an error.

	* added the option "strip comments in the script" to the installer for Linksys and PIX

	* do "nvram unset rc_firewall" before loading the fw script on Linksys

	* added the following to the list of errors for Linksys: "/dev/nvram: Cannot allocate memory"

	* skip table "mangle" when flushing iptables rules

2004-07-07

	* NATCompiler_ipt_writers.cpp (processNext): fwb_ipt does not include comments in the script if it is intended for a Linksys firewall. Linksys has small nvram and the script should be kept small, otherwise it may not fit in nvram.

	* NATCompiler_pf.cpp (processNext): fixed bug #986518: "PF redirection always point to loopback address"

2004-07-06

	* instDialog4.cpp (stateMachineLinksys): Activating policy on Linksys/Sveasoft without reboot (using the command "nvram get rc_firewall | /bin/sh" instead).

	* OSConfigurator_linux24.cpp (prolog): added an option to the firewall platforms iptables, ipfilter, pf and ipfw that sets up a policy rule to permit ssh access from one specified IP address to the firewall regardless of other rules. This is for backup ssh access from the management workstation in case of an error in the policy that locks the user out of the firewall. The option (a checkbox and an entry field for the management station address) is located in the "Compiler" tab of the firewall settings dialog. A command that permits ssh to the firewall from the given address is added on top of all other rules.

2004-07-05

	* RuleSetView.cpp (dropEvent): fixed bug #985187: "Usability bug: Copy objects from one rule to another". Dragging an object from one rule to another with Ctrl down makes a copy. If Ctrl is up, then the object is moved.

	* instDialog4.cpp (stateMachineLinksys): Added support for Linksys devices running Sveasoft firmware. The firewall object should be configured as platform "iptables", host OS "linksys". The policy installer works using both password and public key authentication.

	* NATCompiler_pf_writers.cpp (processNext): fixed bug #985527: "pf NAT rules miss destination port specification". NAT rules that translate to "map" missed the destination port specification.

	* main.cpp: the GUI can now use external wrapper scripts for ssh and scp all the way (removed all direct references to the commands "ssh" and "scp"; use whatever is configured in preferences everywhere).

2004-07-04

	* RuleSetView.cpp (contextMenu): fixed bugs in the rule selection. The user can select one rule with a simple left-click on the rule number, or multiple consecutive rules using shift-left-click. Selecting non-adjacent rules with ctrl-click is not supported; ctrl-click acts as a normal click. Right-click calls the context menu and uses the existing selection if the click is on one of the selected rules, or resets it if the click is outside of the selection.

2004-06-29

	* ObjectTreeView.cpp (dragObject): implemented drag and drop of multiple objects. The user can select and then drag several objects from the tree to a group or a rule.

	* LibExportDialog.cpp (accept): a change in the export library algorithm. We now permit exporting several libraries to one file, but check that all these libraries have only references to each other and to objects in the Standard lib and have no references to objects in libraries that are not going to be exported to the same file. This ensures the integrity of this file and helps avoid pulling objects from other libraries into it. The user can edit objects in the exported libraries by opening this file as usual; the GUI does not preload the libraries configured in Preferences/Libraries when a .fwl file is opened and unlocks all libraries in this file so objects can be edited. This way the user can edit objects and move them between libraries in the .fwl file.

2004-06-28

	* RCS.cpp (RCSEnvFix): fixed a bug (no #) that appeared only on Windows: the GUI failed to check a file in to RCS if it was launched by Windows Explorer via file extension association.

	* platform.cpp: the pull-down "versions" is now translatable and says "1.2.9 or later" for iptables v > 1.2.9.

2004-06-26

	* LibExportDialog.cpp: when a library is exported to a file, the program checks whether any groups or rules in this library use objects in other libraries. Only self-contained libraries can be exported.

2004-06-24

	* PolicyCompiler_ipt.cpp (processNext): fixed bug #979484: "improper command for rule with servie any and action reject." For rules like that, and if the rule options dialog does not specify a particular way to handle this combination, the compiler splits the rule; the first iptables command rejects any tcp packet with TCP RST, while the second rejects everything else with an ICMP message.

	* minor bugfixes in the gui

	* incorporated changes suggested by a user to make the code compile with gcc 3.4

2004-06-23

	* LINGUAS: added Vietnamese translation .po file

	* FWBSettings.cpp (init): the option "do not save standard libraries in the user's data file" is now ON by default. The user can still turn it off though.
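Several fwb_ipt entries above describe the same compilation problem from different sides: the optimizer of 2004-09-08 (bug #1024861, "every attribute is checked by the script only once"), the missing "-p tcp" before "--reject-with tcp-reset" (bug #1026794), the invalid "--limit-burst 0" (bug #1004153), double negation in two rule elements (bug #925199) and the split of a reject rule with service "any" (bug #979484). The following added example, which is not fwbuilder's code, models one way a compiler can handle all of them: one user-defined chain per populated rule element, so sources, destinations and services are tested once each instead of expanding their cross product; a negated element returns from its chain on a hit; tcp-reset is only emitted together with "-p tcp"; a burst of 0 is refused at compile time. The Rule record, the function names and the R<n>_src/_dst/_srv chain names are this example's own choices, and the sample rule is constructed.

```python
"""Illustrative model of compiling one rule with several objects per element
into iptables commands that test each value once, by chaining per-element
user-defined chains instead of expanding the cross product. Added example,
not fwbuilder's code: Rule, compile_rule/naive_compile and the R<n>_src/_dst/_srv
chain names are this example's own choices."""
from dataclasses import dataclass, field
from itertools import product
from typing import List, Optional

MULTIPORT_MAX = 15  # the iptables multiport match takes at most 15 ports


@dataclass
class Rule:
    num: int
    src: List[str] = field(default_factory=list)        # address objects; [] = any
    dst: List[str] = field(default_factory=list)
    tcp_ports: List[int] = field(default_factory=list)  # [] = service any
    action: str = "ACCEPT"                               # ACCEPT, DROP or REJECT
    neg_src: bool = False
    neg_dst: bool = False
    reject_tcp_rst: bool = False   # rule option "reject with TCP RST"
    limit: Optional[str] = None    # e.g. "5/sec"
    limit_burst: Optional[int] = None


def _limit_tokens(rule: Rule) -> List[str]:
    if not rule.limit:
        return []
    if rule.limit_burst is not None and rule.limit_burst < 1:
        # iptables refuses "--limit-burst 0", so refuse it at compile time
        raise ValueError("--limit-burst must be >= 1")
    toks = ["-m", "limit", "--limit", rule.limit]
    if rule.limit_burst is not None:
        toks += ["--limit-burst", str(rule.limit_burst)]
    return toks


def _service_and_target(rule: Rule) -> List[List[str]]:
    """Match and target tokens for the last chain of the rule."""
    lim = _limit_tokens(rule)
    groups = [rule.tcp_ports[i:i + MULTIPORT_MAX]
              for i in range(0, len(rule.tcp_ports), MULTIPORT_MAX)]
    tcp = [["-p", "tcp", "-m", "multiport", "--dports", ",".join(map(str, g))]
           for g in groups]
    if rule.action == "REJECT" and rule.reject_tcp_rst:
        rst = ["-j", "REJECT", "--reject-with", "tcp-reset"]
        if tcp:
            return [t + lim + rst for t in tcp]   # tcp-reset only with "-p tcp"
        # service "any": RST for TCP, plain (ICMP) reject for everything else
        return [["-p", "tcp"] + lim + rst, lim + ["-j", "REJECT"]]
    if tcp:
        return [t + lim + ["-j", rule.action] for t in tcp]
    return [lim + ["-j", rule.action]]


def compile_rule(rule: Rule, base_chain: str = "FORWARD") -> List[str]:
    """One chain per populated element; each chain tests its values once and
    jumps to the next one, so src x dst x service is never expanded."""
    stages = []
    if rule.src:
        stages.append(("src", "-s", rule.src, rule.neg_src))
    if rule.dst:
        stages.append(("dst", "-d", rule.dst, rule.neg_dst))
    chains = [f"R{rule.num}_{n}" for n, _, _, _ in stages] + [f"R{rule.num}_srv"]
    cmds = [f"iptables -N {c}" for c in chains]
    cmds.append(f"iptables -A {base_chain} -j {chains[0]}")
    for i, (_, flag, objs, neg) in enumerate(stages):
        here, nxt = chains[i], chains[i + 1]
        if neg:
            # negated element: a hit on any listed object means the rule does not
            # apply, so return to the caller; otherwise continue unconditionally
            cmds += [f"iptables -A {here} {flag} {o} -j RETURN" for o in objs]
            cmds.append(f"iptables -A {here} -j {nxt}")
        else:
            cmds += [f"iptables -A {here} {flag} {o} -j {nxt}" for o in objs]
    for toks in _service_and_target(rule):
        cmds.append(" ".join(["iptables", "-A", chains[-1]] + toks))
    return cmds


def naive_compile(rule: Rule, base_chain: str = "FORWARD") -> List[str]:
    """Cross-product expansion for comparison (positive matches only): every
    command re-tests source, destination and service."""
    cmds = []
    for s, d in product(rule.src or [None], rule.dst or [None]):
        pre = (["-s", s] if s else []) + (["-d", d] if d else [])
        for toks in _service_and_target(rule):
            cmds.append(" ".join(["iptables", "-A", base_chain] + pre + toks))
    return cmds


# Constructed sample: 4 source networks, 3 servers, two TCP ports, reject with RST.
SAMPLE = Rule(num=1, src=[f"10.0.{n}.0/24" for n in range(1, 5)],
              dst=["192.168.1.10", "192.168.1.11", "192.168.1.12"],
              tcp_ports=[22, 80], action="REJECT", reject_tcp_rst=True)

if __name__ == "__main__":
    print("\n".join(compile_rule(SAMPLE)))
    print(f"# versus {len(naive_compile(SAMPLE))} commands in the expanded form")
```

For the sample rule the chained form appends 8 match rules (4 + 3 + 1) against 12 for the expansion, and the gap widens with every extra object; a packet that does not match any source is rejected by the first chain after at most four comparisons instead of twelve.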
	* FWWindow.cpp (save): Usability fixes in the methods that work with libraries:
	- library files have extension .fwl
	- preloaded libraries are always read-only (the RO flag is set when a library file is loaded, regardless of the value this attribute has in the file)
	- the user can open a library file using the normal File/Open operation. The read-only flag is cleared when a library file is opened, so it can be edited. The file can be added to RCS and saved using the normal File/Save or File/SaveAs operations.
	- When the user opens a library file for editing, other libraries that are configured in Preferences/Libraries are not preloaded.

2004-06-22

	* LibExportDialog.cpp (init): when an object library is exported to a file, the file gets extension .fwl to distinguish it from a regular data file. The GUI allows exporting only one library to a file.

	* FWWindow.cpp (fileDiscard): added the main menu function "File/discard", which discards all changes that have been made to the data and saved to the file and checks out a clean copy of its head revision from RCS. This provides a quick way to roll back to the latest revision. Older revisions can be checked out from RCS using the list of versions in the right hand panel of the open file dialog (this creates a branch in RCS).

2004-06-20

	* IPv4Dialog.cpp (DNSlookup): the "DNS Lookup" button in the IP address dialog runs a dns query for the name of the address object and, if that fails, repeats the query for the name of the host or firewall object this address belongs to. If the address object is in the folder "Addresses", it does only one DNS lookup on its name.

2004-06-18

	* ObjectManipulator.cpp (ObjectManipulator): disabled the ability to drop objects into groups in the tree. It was confusing and not really useful. Objects can still be dropped into a group opened in the editor dialog.

	* ObjectTreeView.cpp (dragObject): enabled dragging of all objects in the tree. It turns out QListView will highlight multiple items in the tree in Extended selection mode when the user drags the mouse across items _and_ the first item they started the cursor move on is not drag-enabled. So, to avoid this unexpected highlighting behavior, we need to enable drag of all objects. We then make sure that system folders can not be dropped anywhere.

2004-06-16

	* Compiler_ops.cpp (checkForShadowing): fixed bug #906709: "A dynamic interface". A dynamic interface used to "shadow" the old broadcast object (0.0.0.0).

	* OSConfigurator_linux24.cpp (configureInterfaces): fixed bug #912849: "Reorder activation of network interfaces in IPT". The script generated by the compiler for iptables sets the default policy to DROP, flushes all rules and then reconfigures the interfaces of the firewall (it used to reconfigure interfaces and then flush the rules).

	* IPv4Dialog.cpp (DNSlookup): the button "DNS lookup" in the IP address editor dialog does a DNS lookup on the address object name if the object is located in the "Addresses" folder, or on the parent host object name if it belongs to an interface of a host or a firewall.

	* ObjectManipulator.cpp (moveObject): refactored the "move object" functions and added debug printing. Trying to debug a crash reported by one of the users.

2004-06-15

	* ObjectEditor.cpp (hide): checking if the screen position for the dialog is 0,0 and not storing this value. This should help to work around a weird bug where the screen position of dialogs is sometimes returned as 0,0 when the GUI runs in Gnome.

	* Object names and comments are stored in the object file in UTF-8 format. This allows names and comments to be entered and displayed in local languages. Although object names can be localized, it is recommended to keep firewall names in plain ASCII because the compilers do not support UTF-8 yet. This fixes the very old bug #657156: "Special characters problem".
2004-06-13

	* init.cpp (init): the program uses a reasonable default for the directory where the user might want to save their data files on each OS ($HOME on Unix, $HOME/Documents on Mac, $USERPROFILE/Documents on Windows).

	* ObjectManipulator.cpp (updateObjName): whenever the user changes the name of a firewall, host or interface object, the GUI asks whether they want to also rename all IP and MAC addresses that belong to that firewall or host. If the user agrees to rename them, the program generates names automatically using the schemes 'host_name:interface_name:ip' and 'host_name:interface_name:mac'.

2004-06-12

	* newHostDialog.cpp (selected): implemented the "new host" wizard. The user can choose to add interfaces manually or can use a library of predefined host object templates.

2004-06-10

	* PolicyCompiler_pf_writers.cpp (_printDstService): fixed a bug (no number) where fwb_pf would not include the code defined by a custom service object in the .conf file.

2004-06-08

	* ObjectManipulator.cpp (copyObj): implemented multi-object and multi-rule copy/cut/paste operations.

	* ObjectManipulator.cpp (moveObject): implemented the "move object" operation, which moves an object to another library; the operation is accessed via the pull-down menu in the object tree.

2004-06-06

	* ObjectManipulator.cpp (groupObjects): added the ability to select multiple objects in the tree. Currently the following operations are performed on multiple objects: delete, duplicate, group.

	* ObjectManipulator.cpp (groupObjects): operation of grouping selected objects. The user selects several objects in the tree and chooses the menu item "group" in the pull-down menu; the GUI brings up a dialog asking for the new group name and the library it should be put in. The new group is created and all selected objects are automatically added to it when the user hits the "Create group" button.
2004-06-05

	* pixAdvancedDialog.cpp (accept): added an "Installer" tab to the PIX firewall settings dialog.

	* FWBSettings.cpp (getScreenPosition): checking if the window fits in the screen before restoring its geometry.

	* ObjectListView.cpp (dragObject): setting the hot spot in the center of the object icon for drag and drop.

	* FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed): showing group members in tooltips and in the conflict resolution dialog.

	* ObjectEditor.cpp (ObjectEditor): redesigned the ObjectEditor class. All individual object editor classes are now inherited from QDialog and are top-level windows. Class ObjectEditor is just a manager that opens and hides the appropriate dialog and manages its size and position on the screen. Geometry is remembered separately for each dialog for each object type, so we can have the group object editor open wider than, say, the IP service object editor. Each object editor has its optimal size.

	* pfAdvancedDialog.cpp (pfAdvancedDialog): yet another redesign of the PF firewall settings dialog. Using individual checkboxes to enable/disable each "limit" and "timeout" option.

	* ipt.cpp (main): all compilers do not create any files if there was an error during rule processing (not even empty ones).

2004-06-04

	* RuleSetView.cpp: the Info window shows the properties of an object selected in rules.

	* RuleSetView.cpp (paintCell): added tooltips for objects in the policy view, using the same detailed properties text that is used for the Info panel.

	* iptAdvancedDialog.cpp (accept): the actual command that the installer should run on the firewall to activate the policy can now be specified in the "installer" tab of the firewall settings dialog for all platforms. If this input field is left blank, the installer will run the firewall script, using sudo if the user name used to authenticate to the firewall is not 'root'. On Windows, the installer also does chmod +x on the file.
	* FWBSettings.cpp (setSSHPath): the directory path and file name for the secure file transfer and secure shell utilities can be configured in the Preferences (tab "SSH"). This allows for using different SSH packages on Windows, as well as using SSH installed in a non-standard directory on Unix.

2004-06-03

	* ObjectTreeView.cpp (dragObject): standard folders in the tree can not be dragged into groups or rules and open/close on double click. Regular objects open the editor on double click.

	* ipt.cpp (main): the compiler for iptables sets up the PATH environment variable at the beginning of the generated script. This is particularly useful if the policy is compiled on Windows or Mac for a Linux firewall that runs an unknown version of Linux, so we can't be sure where standard tools such as iptables, lsmod etc. are located. Most systems place them in /sbin, but for example SuSE places iptables in /usr/sbin. If the policy is compiled on one of the Linux systems, we assume the generated script will run on the same system (which may not be true, btw), but if we compile on Windows, there is no way to know where these tools are located beforehand. In this case we need PATH. The user can always override this behavior and specify the full path to all tools explicitly.

2004-06-02

	* linux24.xml.in: changed "Linux 2.4" to "Linux 2.4/2.6" in all menus.

	* iptAdvancedDialog.cpp (iptAdvancedDialog): removed the "log all dropped packets" option from the firewall settings dialog for iptables. This option required a p-o-m patch that has become obsolete and is not included in p-o-m anymore.

	* FWWindow.cpp (install): when the user hits "Install", the GUI checks if objects in the database were modified since the policy of the firewall was last compiled. If the existing policy file is older than the database, the program offers the user to compile it before it is installed. There are options to recompile, install the old copy or cancel the operation.
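Several entries describe what the prolog of the generated iptables script has to do before the first policy rule: set PATH (2004-06-03), set the default policy and flush before reconfiguring anything (bug #912849), skip the mangle table when flushing (2004-07-08), permit backup ssh from the management station ahead of all other rules (2004-07-06), treat interface address 0.0.0.0 as an error (bug #917422), report missing interfaces on stdout and in the log (bug #988860), quote the log prefix (bug #992969), avoid grep for Sveasoft (2004-08-21), put the ESTABLISHED,RELATED and INVALID rules before the NAT rules (2004-09-09) and hold dynamic interface addresses in "i_" variables (2004-09-14). The added example below, which is not fwbuilder's code, generates such a prolog: the Interface and Options records, the "$i_<iface>" variable convention, the ip/sed address lookup and the per-rule `test -n` guards for dynamic addresses are assumptions of this example, and the sample interfaces and rules are constructed.

```python
"""Illustrative generator for the prolog of an iptables firewall script, as a
policy compiler might emit it. Added example, not fwbuilder's code: the
Interface/Options records, the "$i_<iface>" variables for dynamic addresses,
the sed-based address lookup and the rule order are this example's assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

DYN_VAR = re.compile(r"\$i_([A-Za-z0-9_]+)")


@dataclass
class Interface:
    name: str
    address: Optional[str] = None  # None: dynamic, looked up when the script runs


@dataclass
class Options:
    mgmt_addr: Optional[str] = None  # backup ssh access from this station
    drop_invalid: bool = False
    log_invalid: bool = False
    path: str = "/sbin:/usr/sbin:/bin:/usr/bin"


def validate(interfaces: List[Interface], opts: Options) -> None:
    for itf in interfaces:
        if itf.address is not None and ipaddress.ip_address(itf.address).is_unspecified:
            # 0.0.0.0 on a static interface is a configuration error, not "any"
            raise ValueError(f"interface {itf.name} has address 0.0.0.0")
    if opts.mgmt_addr is not None:
        ipaddress.ip_address(opts.mgmt_addr)  # raises ValueError on junk


def guard_dynamic(cmd: str) -> str:
    """Prefix a command with a test for every dynamic-address variable it uses,
    so the rule is skipped rather than run with an empty -s/-d when an
    interface has not obtained an address; each interface gets its own test."""
    names: List[str] = []
    for n in DYN_VAR.findall(cmd):
        if n not in names:
            names.append(n)
    return "".join(f'test -n "$i_{n}" && ' for n in names) + cmd


def generate_script(interfaces: List[Interface], opts: Options,
                    nat_cmds: List[str], policy_cmds: List[str]) -> List[str]:
    validate(interfaces, opts)
    s = [
        "#!/bin/sh",
        # the script may have been compiled on another OS, so fix PATH up front
        f'PATH="{opts.path}:$PATH"; export PATH',
        'IPTABLES="${IPTABLES:-iptables}"',
        # errors go to stdout and to syslog, so an aborted start leaves a trace
        'log_err() { echo "$1"; logger -p daemon.err "$1"; }',
        'check_iface() { ip link show dev "$1" >/dev/null 2>&1 || '
        '{ log_err "Interface $1 does not exist"; exit 1; }; }',
        # ip + sed rather than grep: some embedded firmware ships without grep
        "getaddr() { ip -4 -o addr show dev \"$1\" | sed -n '1s/.* inet \\([0-9.]*\\).*/\\1/p'; }",
    ]
    for itf in interfaces:
        s.append(f"check_iface {itf.name}")
        if itf.address is None:
            s.append(f'i_{itf.name}="$(getaddr {itf.name})"')
    # default policy first, then flush; the mangle table is left alone
    s += [f"$IPTABLES -P {c} DROP" for c in ("INPUT", "OUTPUT", "FORWARD")]
    for table in ("filter", "nat"):
        s += [f"$IPTABLES -t {table} -F", f"$IPTABLES -t {table} -X"]
    if opts.mgmt_addr:
        # backup ssh from the management station goes ahead of every other rule
        s.append(f"$IPTABLES -A INPUT -p tcp -s {opts.mgmt_addr} --dport 22 -j ACCEPT")
    # state bookkeeping before the NAT and policy rules
    for c in ("INPUT", "OUTPUT", "FORWARD"):
        s.append(f"$IPTABLES -A {c} -m state --state ESTABLISHED,RELATED -j ACCEPT")
        if opts.drop_invalid:
            if opts.log_invalid:  # the log prefix is quoted
                s.append(f'$IPTABLES -A {c} -m state --state INVALID -j LOG --log-prefix "INVALID state "')
            s.append(f"$IPTABLES -A {c} -m state --state INVALID -j DROP")
    s += [guard_dynamic(c) for c in nat_cmds]
    s += [guard_dynamic(c) for c in policy_cmds]
    return s


if __name__ == "__main__":
    # constructed sample: one static and two dynamic interfaces
    ifs = [Interface("eth0", "192.0.2.1"), Interface("eth1"), Interface("eth2")]
    opts = Options(mgmt_addr="192.0.2.10", drop_invalid=True, log_invalid=True)
    print("\n".join(generate_script(
        ifs, opts,
        ["$IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $i_eth1"],
        ["$IPTABLES -A FORWARD -s $i_eth1 -d $i_eth2 -j ACCEPT"])))
```

The order matters: the management-station rule is appended before the state rules so that a mistake later in the policy cannot lock the administrator out, and every rule that references two dynamic interfaces is guarded for both, since a missing address on either would otherwise produce an iptables command with an empty argument.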
2004-05-31

	* RuleSetView.cpp: Added support for operations that act on multiple rules: setting the rule color, moving to a different position in the rule set, disabling/enabling, deleting. The user can select multiple rules by dragging the mouse across several rows in the column that shows rule numbers. Copy/Cut/Paste operations on multiple rules are not supported yet.

2004-05-29

	* RuleSetView.cpp (dragObject): implemented drag-and-drop of objects in the rules.

	* utils.cpp (setDisabledPalette): all entry fields in the object editor are disabled if an object is read-only or is located in a read-only library. The object editor is still opened for read-only objects, but since all fields are disabled, changes are not allowed. Opening the object editor for read-only and standard objects allows for inspection of their properties.

	* FWWindow.cpp (load): the file objects_init.xml does not include the empty "User" library anymore. Instead, this library is created dynamically using the method FWBTree::createNewLibrary when the user creates a new data file. This simplified things since 1) the "User" library now has a unique random ID in every data file, so it can be safely exported and then imported back without any conflicts; 2) since its ID is unique, it can be renamed without creating any conflicts. The library is only created in FWWindow::load() (i.e. when a new data file is created). It is not created when an existing data file is loaded because it is supposed to be there. Old data files that still have this library with the semi-standard ID will load it as before, but the ID loses its standard meaning.

2004-05-23

	* filePropDialog.cpp (filePropDialog): added a "File properties" main menu item and dialog.

	* debugDialog.cpp (debugDialog): added a "debug" menu item under "Help".

2004-05-20

	* instDialog.cpp: the built-in installer works with all supported firewall platforms: iptables, ipf, pf, ipfw and pix.
	* instDialog.cpp (instDialog): the built-in installer reads the list of files that the policy compiler generated for a given firewall object ("manifest") from the .fw file and installs them on the firewall. One file in the manifest needs to be marked as executable; the installer runs it after all files are copied.

	* all policy compilers: all compilers include a list of files generated for a given firewall object ("manifest") in the .fw file.

2004-05-18

	* RuleSetView.cpp (contextMenu): split the long context menu that used to be shown when the user clicked the right mouse button on an object in a rule. Now this menu has only actions related to the object, while actions for the whole rule belong in the context menu shown when the user clicks the right mouse button on the rule number.

	* fr.po, ru.po: checked in an updated French translation by Jean-Michel Poure and added some rudimentary Russian translation. Both translations are done in UTF-8.

2004-05-15

	* init.cpp (init): define the global var localepath that is initialized with the path to the directory where translation files (*.qm) are installed. This path is defined as $respath/locale on all systems (on Unix this typically is /usr/share/fwbuilder/locale, while on Windows and Mac it will be a subdirectory "locale" in the directory where the binary is installed).

2004-05-14

	* ColorLabelMenuItem.cpp (ColorLabelMenuItem): implemented RFE #725461: "Colors". Added the ability to color-code rules in the policy. The user can pick one of the 7 predefined colors (plus none) in the pop-down menu that appears when they right-mouse-click on a policy or NAT rule. Custom text can be associated with each color using a panel in the Preferences dialog; this text appears as a tool tip when the user moves the mouse cursor over the color buttons in the pop-down menu.

2004-05-12

	* src/gui/ui: QT's ui translator uic creates code in this directory. This allows me to add the generated files to the internationalization infrastructure (include them in the .pot file). Also added the *.cpp files in src/gui/ui to cvs so translators can look at them to better understand the context without having the full QT development environment.

2004-05-09

	* PolicyCompiler_ipt.cpp (processNext): fixed bug #934949: "duplicate rules". fwb_ipt created duplicate rules for a bridging firewall if the fw object or its interfaces or their addresses were not in the source or destination.

2004-05-04

	* newFirewallDialog.cpp (accept): the "new firewall" wizard can create a new firewall object using predefined templates from the file templates.xml (the file is a part of the package and is installed in /usr/share/fwbuilder on Linux and in c:\FWBuilder\resources on Windows). The user picks a template and the program creates a duplicate of the template object in the "User" object library. The wizard page where the user picks a template shows a diagram of the firewall configuration that illustrates its interfaces, their configuration and addresses. The comment text associated with the template object explains its specific properties and is shown on the page as well.

2004-05-02

	* templates.xml.in: a library of firewall object templates. This library is a part of the distribution and is installed in ${prefix}/share/fwbuilder on Linux and BSD and in C:\FWBuilder\resources on Windows (the same dir where the standard objects are installed). This library is not loaded by default though.

	* listOfLibraries.cpp (listOfLibraries): Added a page to the preferences dialog to manage add-on libraries. The GUI maintains a list of available add-on libraries and allows the user to define which ones will be automatically loaded when the GUI is started. The program always adds the "standard" and "templates" libraries to the list, then scans the directory $HOME/.fwbuilder/lib/ (C:\FWBuilder\lib on Windows) and adds all .fwb files found there to the list. It stores the list of libraries in the user's preferences together with a boolean flag that is set if a library should be loaded on start-up. A library added using the main menu "Import Library" is also added to the list so the user can make the program load it automatically.

2004-04-29

	* Makefile.in: Added support for internationalization. Using gettext 0.14.1. This is the first version where support for QT language files is available, but it is not available in RedHat or other Linux distributions yet. Therefore I had to copy some m4 macro collections from the example to the directory 'm4', as well as copy a Makefile.in and the script remove-potcdate.sin to the directory 'po'. The new version of xgettext recognizes the standard QT localization method tr() and can generate the usual .pot files from strings used with it. The new msgfmt can generate .qm files from translated .po files.

2004-04-25

	* instDialog.cpp (cmd): this method can be used whenever we need to execute several commands on the firewall sequentially.

	* (instDialog): the install dialog hides the incremental install options if the 'diff' program can not be found (perhaps the compiler that comes with it is not installed).

	* instDialog2.cpp (PIXincrementalInstall): integrated with fwb_pix_diff.

	* instDialog2.cpp (PIXbackup): implemented a function that stores a backup copy of the firewall configuration in a file.

2004-04-18

	* findDialog.cpp (find): the 'find object' function is implemented by means of an external modeless dialog that allows searching in the tree and/or policy rules and supports matching with regular expressions.

	* newFirewallDialog.cpp (getInterfacesViaSNMP): the 'new firewall' wizard can discover interfaces using SNMP. Finished work on the page where the user can arrange interfaces according to their security levels.

2004-04-15

	* newFirewallDialog.cpp (accept): added the 'new firewall' wizard. Still need to work on the page where the user sets the security levels of interfaces.

2004-04-14

	* VERSION (BETA): added a variable in the VERSION file that designates the code revision as beta and stores the beta testing period expiration time (+30 days). Currently only the About dialog shows this time, but in the future I may make the program disable itself if it is used past this time. The released version won't have this limitation. This can be used to prompt people to upgrade, so I do not have to support old versions.

2004-04-11

	* FWBSettings.cpp (restoreGeometry): added the ability for dialogs to automatically remember and restore their geometry (size and relative position on the screen). Currently only the main window, the conflict resolution dialog and the object editor dialogs do this. Geometry is stored in preferences. The main window comes up with a default geometry of 100,100,750,600 (x,y,w,h) when no geometry is found in settings.

2004-04-10

	* FWWindow.cpp (ConflictResolutionPredicate): implemented conflict detection and resolution for the "merge" operation. The same mechanism works for "open file" since it is also based on merge. When there is a conflict during a merge, the program opens a dialog and asks the user which copy of the object they want to keep.

2004-04-09

	* instDialog3.cpp (stateMachineSSHSUDO): the built-in installer works with Linux/BSD systems using a combination of ssh on the client side and sudo on the firewall. The user provides a password for authentication and the program logs in to the firewall as that user, copies the firewall script to "/etc/fw" (the directory path is hardcoded), then executes it using sudo. Sudo should be configured for this user or a group she belongs to so that she can execute this script as root with no password.

2004-04-08

	* instDialog.cpp (instDialog): added a universal (hopefully) policy installer program. The program uses ssh in the background on both Unix and Windows (on Windows it requires putty/plink) to communicate with the firewall. Currently it only supports PIX but I will add Linux/BSD later. The installer GUI asks the user for a password.
2004-04-07

	* RuleOptionsDialog.cpp (loadFWObject): added rule options dialog for ipt.

2004-04-06

	* FWWindow.cpp (search): implemented advanced search method that finds and highlights objects both in the tree and in any rule of any firewall. This resolves the problem outlined in Feature Request #837448: '"Where used" only shows fw objects'.

2004-04-04

	* FWWindow.cpp (save): implemented saving the data file without making copies of objects in the 'Standard' library (Feature Request #810504). This feature is considered experimental and is off by default. An option in the Preferences dialog activates it.

	* FWWindow.cpp (load): All load is done via merging of the loaded file with a standard object tree. Now we can load files saved without copies of unused standard objects.

	* FWWindow.cpp (fileImport): implemented data import. Using method FWObjectDatabase::merge to merge imported data with the current object tree. Only object IDs are compared, so a modified standard object in the imported file will be ignored and its changes will be lost.

2004-04-03

	* export.cpp (exportLibrary): Implemented library export.

	* StartWizard.cpp (StartWizard): added simple startup wizard that asks the user if they want to open an existing file or create a new one. It also sets some useful preferences, such as adding the new file to RCS and making the program automatically open it when it is started next time.

	* OSConfigurator_linux24.cpp (generateCodeForProtocolHandlers): Fixed bug #956544: "Error into load modules script generation", where the generated script would not load kernel modules with names "module.ko.gz". Regular expression should match on ".ko.*$" to find these modules properly. Thanks to Andrey Kaminsky who pointed this out.

	* RuleSetView.cpp (doubleClicked): double-clicking on an object in the policy rule opens that object in the editor.

2004-04-02

	* ObjectManipulator.cpp (ObjectManipulator): using a combobox widget instead of a tab widget for libraries. This way we can fit more libraries without making the interface cluttered.

2004-03-31

	* ipt.cpp (main): the GUI saves the path to the DTD and resources in the user's settings using the QT QSettings class. Policy compilers and other tools can read this setting to quickly determine the location of the DTD and resources.

2004-03-29

	* getting rid of STL classes in the GUI. The idea is to make the GUI use QT classes in most of the code and use STL classes such as 'string', 'map', 'list' where it has to pass data to and from the API, which is STL-based. This should simplify using QT compiled without STL support (many fewer conversions between string and QString).

2004-03-28

	* main.cpp (main): the data file can be specified on the command line both as an argument for option '-f' and after all options. Option '-f' is preserved for compatibility with old versions. The preferred method is to specify the file name as a parameter without any option: "fwbuilder file.fwb".

2004-03-27

	* platforms.cpp (getVersionsForPlatform): usability improvement: "combo boxes" that do not allow typing in them should not have empty choices. Fixed this for the drop-down menu of version numbers in the firewall dialog.

2004-03-26

	* RuleSetView.cpp (insertRule): counting rules from zero in the GUI.

	* (RuleSetView): this is not a change, I just wanted to document that I tested the GUI with a policy that has 1000 rules. I haven't noticed any delay in loading this policy compared with when it had <100 rules.

2004-03-25

	* FWWindow.cpp (fileSaveAs): gui automatically chooses the working dir if none is set and the user calls the 'file save as' menu item:
	  - on Unix will use current dir.
	  - on Windows will use user's document dir.

	* NATCompiler_ipt.cpp (processNext): added a workaround for a bug (no number): if an address range object was used in an SNAT or DNAT rule and option 'manage virtual addresses' was on, the compiler would not add the virtual address properly. It still won't do it, but at least there is a check for this situation and it prints an appropriate warning message. The problem with this is that if the range is large, we end up with potentially lots of virtual addresses. Let the user deal with this themselves.

	* ipt.cpp: compiler(s) understand new command line option '-R', which should specify a full path to the resources. This is useful on Windows and Mac where resources are installed in a non-fixed place by the GUI package, but need to be used by the compilers.

2004-03-24

	* ObjectManipulator.cpp (contextMenu): each system group object in the tree has an item in its pop-down menu that allows the user to quickly add an object to that group.

	* IPv4Dialog.cpp (DNSlookup): added ability to determine the IP address of an Address object using DNS lookup (using the QDns class).

	* FWBSettings.cpp (FWBSettings): explicitly setting scope for QSettings as "User".

2004-03-22

	* ObjectManipulator.cpp (addTreePage): added attribute 'ro' to all elements in the DTD (see API). This provides for a way of locking down parts of the tree.

	* ObjectManipulator.cpp (addTreePage): read-only subtrees are marked with an icon of a lock and the text 'read-only'.

	* objects_init.xml: standard objects tree is now read-only. User objects can not be moved into the 'standard' tree and standard objects can not be edited but can be duplicated (a copy is automatically created in the first user-defined library, most often it is the library 'User').

	* FWWindow.cpp (install): GUI supplies the path to the firewall object as a parameter to the installation script rather than just its name (as before). This is because the path has changed when the library element has been added. Changes made in the GUI (send path instead of name) and in the fwb_install script (to make it interpret the path).

2004-03-21

	* pixosAdvancedDialog.cpp (pixosAdvancedDialog): 'advanced host settings' dialog for PIX.

	* RuleSetView.cpp (contentsMousePressEvent): selectedObject is chosen in mouse press and key press event handlers; got rid of the currentChanged slot altogether. This eliminated flicker that was caused by an extra repaint of the cell when the selected object was chosen in the currentChanged slot.

2004-03-20

	* DialogData.cpp (DialogOption): universal class to load and save data in dialogs.

	* pixAdvancedDialog.cpp (pixAdvancedDialog): 'advanced' firewall options dialog for PIX. Implemented tabs 'Compiler options', 'Prolog/Epilog', 'Timeouts' and partially 'Fixups'. Fixup pages are disabled using a resource string that defines which fixups are available in a certain PIX version.

	* FirewallDialog.cpp (openFWDialog): firewall dialog saves the version from the widget to the object before opening the 'advanced' firewall options dialog. This is a departure from the dialog logic where all data is stored when the user clicks the 'Apply changes' button.

2004-03-19

	* FWBSettings.cpp: added support for an "object autosave" option (automatic saving of changes in dialogs while switching between objects).

	* RuleSetView.cpp (insertRule): added main menu items "insert rule" and "add rule after current".

	* RuleSetView.cpp (contextMenu): added pop-up menu items for adding, removing and moving rules up and down, as well as standard copy/cut/paste operations on moves. Similar menu items added to the main menu.

	* RuleSetView.cpp (paintCell): implemented double-buffering in paintCell to improve performance and remove flickering.

2004-03-17

	* FWBSettings.cpp: saving the size of the info window in settings.

	* RCSFileDialog.cpp (RCSFileDialog): 'open file' dialog automatically looks for files in the working directory configured in the global preferences dialog.

	* main.cpp (main): added a global setting "startup action" in Preferences. Currently two actions are available: "load standard objects" and "load last edited file".

	* FWBSettings.cpp (FWBSettings): a specialized wrapper for QSettings. I will be adding methods to this class to simplify access to whatever global program preferences and options I need. Currently it supports 'working dir' and 'info window style' settings. Settings are stored in a platform-dependent way, as QSettings does it.

2004-03-16

	* NATCompiler_ipt_writers.cpp (_printOPorts): minor bugfix - fixed typo ('==' -> '=').

	* ObjectEditor.cpp (closeEvent): object editor checks for modifications before closing if the user closes it using window manager buttons.

	* FWWindow.cpp (unselectRules): the main window maintains a single selection across objects in the tree and in the policy view. Selecting an object in the tree automatically unselects the object in the policy and vice versa. Now I can implement copy/cut/paste functions driven by the main menu; these operations will work on the currently selected object either in the tree or in the policy.

	* FWWindow.cpp (editCut): copy/cut/paste operations work between the tree and policy views using both context menus and the main menu.

	* ipt.cpp: output stream is created with mode ios::binary on Windows.

	* RCS.cpp (isDiff): having problems with rcsdiff.exe on Windows; for now will assume that the file always changes and needs a checkin comment.

2004-03-15

	* RCS.cpp (co): using Windows-specific functions to create a temporary file for the file checkout.

	* global.h: added redefinition of macro assert to be able to use it on Windows where we compile without debugging info. (The reason I do not build a Debug version on win32 is because I use precompiled libraries libxml2 etc. that are built using the Release CRT, and I can't mix different runtimes.)

	* RCS.cpp (co): GUI makes sure that if the file has been opened and locked by a user, another user can only open it read-only. The same user has a choice of opening it read-only or read-write. The latter case is useful in case of a program crash that leaves opened files in the locked state.

	* RCS.cpp (co): added ability to open an older revision of the file read-only. The requested revision is checked out into a temporary file, which is then loaded and immediately deleted. The object tree is locked read-only and 'save' and 'save as' operations are disabled.
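The 2004-04-03 OSConfigurator_linux24.cpp entry above (bug #956544) describes a generated script that only recognised uncompressed modules. The following is an added example, not code from this ChangeLog or from fwbuilder's generated scripts: it puts the old ".ko$"-style check beside the corrected ".ko.*$" match and shows, on a constructed module tree, which modules each would report as present before a "modprobe NAME". It goes slightly beyond the bug report by also covering the .xz suffix used by later kernels; the function names and the sample file names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not fwbuilder code or its generated script. Demonstrates the
# matching problem behind bug #956544: a check anchored on ".ko$" finds only
# uncompressed modules, so NAME.ko.gz is reported missing and never loaded;
# matching on ".ko.*$" finds the compressed file too. The directory layout
# and module names below are constructed for the demo.

# Old matcher: only NAME.ko counts as present.
fwb_module_file_old() {
    find "$1" -type f -name "$2.ko" 2>/dev/null | head -n 1
}

# Fixed matcher: NAME.ko or NAME.ko.<suffix>. Covers the .gz case from the
# bug report and also .xz / .zst, which newer kernels use. The explicit
# second pattern keeps a bare "NAME.ko*" glob from also matching NAME.kox.
fwb_module_file() {
    find "$1" -type f \( -name "$2.ko" -o -name "$2.ko.*" \) 2>/dev/null | head -n 1
}

# For each module name print "NAME present FILE" or "NAME missing": the
# decision a generated script makes before running "modprobe NAME".
# Usage: fwb_module_report DIR NAME...
fwb_module_report() {
    dir=$1; shift
    for name in "$@"; do
        f=$(fwb_module_file "$dir" "$name")
        if [ -n "$f" ]; then
            echo "$name present $f"
        else
            echo "$name missing"
        fi
    done
}

# Throwaway module tree with constructed file names (no real /lib/modules
# needed). Prints its path; the caller removes it.
fwb_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/kernel/net/ipv4/netfilter" "$d/kernel/net/netfilter"
    : > "$d/kernel/net/ipv4/netfilter/ipt_LOG.ko"
    : > "$d/kernel/net/ipv4/netfilter/ipt_REJECT.ko.gz"
    : > "$d/kernel/net/netfilter/nf_conntrack_ftp.ko.xz"
    # decoy: must not be taken for nf_conntrack_ftp
    : > "$d/kernel/net/netfilter/nf_conntrack_ftpx.ko"
    echo "$d"
}

# Stand-alone run: compare both matchers on the demo tree.
demo=$(fwb_demo_tree)
echo "old matcher (.ko only):"
for m in ipt_LOG ipt_REJECT nf_conntrack_ftp; do
    if [ -n "$(fwb_module_file_old "$demo" "$m")" ]; then
        echo "$m present"
    else
        echo "$m missing"
    fi
done
echo "fixed matcher (.ko and .ko.*):"
fwb_module_report "$demo" ipt_LOG ipt_REJECT nf_conntrack_ftp nf_conntrack
rm -rf "$demo"
```

With the old matcher only ipt_LOG is reported present; with the fixed one the .gz and .xz modules are found as well, while nf_conntrack (whose only near-match is the decoy) is still reported missing, so the script neither skips a loadable module nor tries to modprobe a name that does not exist on the box.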
2004-03-14

	* RCS.cpp (add): using "rcs -i -kb" to add a file to RCS; this should help avoid an extra CR in the file while working on Windows because it makes RCS use binary mode while working with the file.

2004-03-13

	* ObjectManipulator.cpp: GUI redesign: switched to a single window design. Object manipulation happens inside three classes: ObjectManipulator (the tree widgets and algorithms), ObjectEditor (a stack of editor widgets and glue logic), object info browser (class QTextBrowser). Object editor appears as a non-modal dialog when the user double-clicks an object in the tree. Single click updates data in the info window but does not open the editor. Objects can be selected in the tree in any supported way - keyboard arrows, keyboard shortcuts, hitting the first letter of the object's name, mouse click. In any case, the appropriate object is selected and the info window is updated with its attributes. Info window has three modes: collapsed (there is no info window), showing only the comment attribute, and showing a brief summary of the object's parameters and a comment. User can switch between modes using a button located on the main window panel directly under the info widget.

2004-03-12

	* build environment is based on qmake: file qmake.inc is included from qmake project files in all subdirectories. File qmake.inc defines all variables for all platforms, so project files in subdirs only add lists of files and take care of exceptions. File qmake.inc is generated by configure, but all substitutions are only needed for Unix and Mac. This file is checked in to cvs so it could be used on Windows without a need to run configure. All qmake project files in subdirectories need no substitutions by configure, so they all are checked in to cvs and can be used on Windows right away. Qmake project files fwbuilder2.pro and src/src.pro use template 'subdirs' and make qmake descend into subdirectories and rebuild projects there. Now using qmake to generate Makefile and MSVC project files in src/fwblookup, src/fwbedit, src/ipt. Makes it easier to generate consistent MSVC projects without having to edit them manually. Resource files (src/res/*.xml and src/res/*/*.xml) are generated by configure; however, since substitutions made in them are only relevant on Unix and Mac, generated files are checked in to cvs so they can be used on Windows without running configure. No need to run configure (or autogen.sh) on Windows anymore.

	  To build on Unix and Mac:
	    $ autogen.sh
	    $ make
	    $ make install

	  To build on Windows: run qmake, then make in the root dir. of the project. Open fwbuilder2.dsw in MSVC and rebuild all.

	* NATCompiler_ipt.cpp, PolicyCompiler_ipt.cpp and others in src/ipt: code cleanup. Removed all unused variables and added handling for the 'default' case in switch operators.

2004-03-10

	* FWWindow.cpp (compile): implemented main menu items "Rules/compile" and "Rules/install". Still need to add toolbar buttons though.

	* execDialog.cpp (execDialog): a dialog for background execution of external commands. This class is used to call external policy compilers and installer scripts. Uses QT class QProcess.

	* ipt.cpp: transferred the compiler for iptables over to fwb2. Only minor changes: new file name schema (*.h, *.cpp); proper choice of the directory where resource files are located; eliminated last dependencies on glib.

2004-03-09

	* iptAdvancedDialog.cpp (accept): firewall settings dialog saves all data in the object.

2004-03-07

	* iptAdvancedDialog.cpp (iptAdvancedDialog): firewall settings dialog for iptables. Saving of the data back in the firewall object is not implemented yet.

	* DialogFactory.cpp (createDialog): DialogFactory: class that creates dialogs for all object types.

	* FWBTree.cpp (FWBTree): refactored code: all methods that enforce our standard tree structure now belong to the class FWBTree.

	* TimeDialog.cpp (applyChanges): added dialog for the Time interval object.
2004-03-06

	* GroupObjectDialog.cpp (setupPopupMenu): added pop-up menu in the group view (both icon and list modes) with operations copy, cut, paste and delete.

	* all dialogs: object is moved from library to library when the user clicks 'apply changes' (before, it would move immediately when the library was changed in the pop-down menu).

	* CustomServiceDialog.cpp (loadFWObject): added dialog for the Custom Service object.

2004-03-05

	* PropertyEditor.cpp (copyObj): added pop-up menu to the object tree view; implemented functions 'duplicate', 'copy', 'cut', 'paste'.

2004-03-04

	* ObjectTreeView.cpp (contentsMouseReleaseEvent): objects in the tree are selected with double-click.

2004-03-03

	* RuleSetView.cpp (getRE): added platform capabilities check for columns 'Time' and 'log/options' in policy views.

	* RuleSetView.cpp (dragMoveEvent): support for d&d of Time objects.

2004-03-02

	* InterfaceDialog.cpp (loadFWObject): added dialog elements for interface security level, 'external' checkbox, network zone.

	* RCS.cpp (isDiff): added a wrapper for rcsdiff in the RCS class.

2004-02-29

	* PropertyEditor.cpp (createObject): properly creating interfaces and addresses for the firewall object.

	* further testing and improvements in RCS integration.

2004-02-28

	* FWWindow.cpp (load): file can be opened with or without RCS, as the head revision or any specific revision, read-write or read-only. File name, revision number and read-only status are displayed on the main window's title bar.

	* FWWindow.cpp (load): added ability to open data files read-only.

	* RCS.cpp (RCS): refactored the code, made class RCS a wrapper for the command-line rcs tools. It should be possible to use the same or a similar interface for other version control systems if needed.

2004-02-26

	* RCSFilePreview.cpp (showFileRLog): Open File dialog shows RCS revisions of the chosen file in a preview panel. Added button "add to RCS" that allows the user to add the selected file to RCS right from the "open file" dialog. Added elements for opening a file read-only and with or without locking (but these functions have not been implemented yet).

2004-02-23

	* RCS.cpp (rlog): class RCS provides simple integration with RCS. Uses portable functions provided by QT to call external RCS programs.

	* configure.in: added checks for external RCS programs ci, co, rlog.

2004-02-22

	* FWWindow.cpp: added basic integration with RCS. Every time a data file is opened, it is checked out from RCS and locked. If the file has not been added to RCS, an initial checkin is performed with a generic comment. Every time an opened file is saved (using the "save" or "save as" menu), it is checked in and kept in a locked state. A new menu item "File/Close" has been added; this menu item checks the file in and removes the lock (does 'ci -u') so other users can work on it, then it reopens the standard objects database in the GUI. Opening a file while another file is already opened in the GUI causes the latter to be closed (checked in and lock removed) and the new one opened as described above. Still TODO: add a dialog to ask the user for a checkin comment text. Add a global option "Use RCS" so that using version control is optional. Test the whole thing on Windows.

2004-02-16

	* PropertyEditor.cpp (PropertyEditor): added dialogs for interface, MAC address, network, address range and other objects.

	* FWObjectDrag.h: implemented custom drag class FWObjectDrag; all widgets dynamically check if the object being dragged can be dropped in them. User can drag objects from the tree into groups and rules, as well as from a group into the tree.

2004-02-08

	* IPServiceDialog.cpp (libChanged): implemented gui elements and support for moving objects between libraries.

2004-01-20

	* added dialog for object IPv4. This object can now be created in a standard place in the tree in the group Objects/Addresses as well as a child object of an interface (as before in fwbuilder 1). This allows for using object IPv4 as an abstraction for an IP address, which is simpler than using a Host object.

2004-01-04

	* GroupObjectDialog.cpp: Experiment: user and standard object tree views have different background colors. This provides a simple visual clue of what library the object shown in the editor panel belongs to. This is especially useful if a standard object is referenced from a user-defined group and the user opens it; in this case the tree switches from user-defined objects to the standard ones, but this switch may not be evident at first glance, thus the user loses context and may be confused why his objects apparently have gone away.

2004-01-03

	* PropertyEditor.cpp (PropertyEditor): property editor has window type "dialog" and always stays on top of the main window. Implemented a simple history feature for object navigation and added a button "Back" to the toolbar.

	* GroupObjectDialog.cpp (loadFWObject): group object dialog can now show group contents as a set of icons or as a list; switching between the two modes is done using toggle buttons a la the file list modes in the "open file" dialog.

	* PropertyEditor.cpp (loadObjects): merged object tree and object property editor in one dialog.

2003-12-20

	* main.cpp (main): resources and preferences files can now be found dynamically, using the full path to the directory the binary has been launched from. The RES_DIR macro defined in config.h now specifies a relative path to the resource files starting from the application root dir. If the program is installed in /usr/local/bin, then the application root is "/usr/local" and resources should be located in the /usr/local/$RES_DIR directory.