mirror of
https://github.com/fwbuilder/fwbuilder
synced 2026-03-20 10:17:16 +01:00
255 lines
15 KiB
Plaintext
Firewall Builder Release Notes

Version 2.0.4

Released 12/02/04

GUI and compilers v2.0.4 require API library libfwbuilder version 2.0.4

Summary

For those who wish to build from source, instructions are outlined in the
document "Install and Build instructions" on our web site here

What's new

* Improvements in the GUI

  * improved error handling: if the GUI is started with a file on the
    command line or is configured to open a file automatically on
    startup and RCS cannot check the file out, the GUI will come up
    empty (with only standard objects loaded). Previously, in a
    situation when the GUI was configured to open a file
    automatically but the file could not be checked out, there was
    no way to cancel this automatic file open operation since the GUI
    would never come up.

  * Added Japanese translation by Tadashi Jokagi <elf@elf.no-ip.org>

  * Added Russian translation by RusBusinessSecurity Co. Ltd.,
    Russia. This translation is fairly complete but is still
    considered preliminary. Bug reports and suggestions are very
    welcome.

* Improvements in the built-in policy installer

  * The built-in installer checks the exit status of the script it runs on
    the firewall and aborts the installation sequence if it detects an
    error. OS resource files have been updated accordingly so they
    return exit status '1' in case of error and '0' when they
    succeed.

  * Added an option to push PIX configuration to a standby firewall
    at the end of install.

  * Added support in the installer for new configuration script formats
    for PIX:

    1. basic or old format: access lists are cleared and added
       from scratch
    2. Access lists have unique names each time the policy is
       recompiled; lists are added without clearing.
    3. Access lists are added with temporary names and assigned to
       interfaces, then the same lists are added with permanent
       names, lists are swapped and temporary lists cleared

    The last two methods provide for an instantaneous access list swap so
    that the firewall never runs with empty lists. This helps
    maintain access to the firewall if the configuration is installed
    remotely.

* Improvements in policy compiler for iptables:

  * implemented Feature Request #1021201: "output iptables-restore
    compatible config from fwb_ipt". The policy compiler for iptables can
    use iptables-restore to activate the firewall policy.
    iptables-restore provides for atomic policy load and allows
    loading a large policy much faster. Atomic load means the whole filter
    or nat table is activated at once, and if there is an error,
    nothing is changed. The compiler generates the script in three possible
    formats:

    1. the usual shell script that adds rules one at a time by
       executing the iptables command with the "-A" flag to add a rule;
    2. commands are fed to iptables-restore; this format is used
       when all interfaces of the firewall have static IP addresses
       and the script does not need to determine addresses at run time;
    3. the script determines IP addresses of interfaces and discovers
       dynamic interfaces that were defined as a "wildcard"
       interface in fwbuilder (e.g. 'ppp*'); the code that is sent to
       iptables-restore is generated dynamically by the script at
       run time.

    Using iptables-restore is optional and is controlled by the
    checkbutton in the "Script options" tab of the firewall settings
    dialog. The path to the iptables-restore utility can be set in the
    "Paths" tab of the host settings dialog.

  * policy installation via iptables-restore has been tested with old
    versions of iptables (1.2.6a). The script needs to include "-m tcp",
    "-m udp" or "-m icmp", otherwise iptables-restore does not
    understand options "--dport", "--tcp-flags" and some others. Also
    had to use "--tcp-flags SYN,RST,ACK SYN" instead of "--syn" for
    better backwards compatibility.
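    The following is an added example, not code generated by fwb_ipt or
    taken from the fwbuilder project: a shell function that writes the
    filter table in the format iptables-restore reads (the second of the
    three formats listed above, for static addresses), spelling out the
    "-m tcp", "-m udp" and "-m icmp" match modules and using "--tcp-flags
    SYN,RST,ACK SYN" rather than "--syn" so that iptables-restore 1.2.6a
    accepts it. A pre-load check rejects text that lacks those modules. The
    management station and firewall addresses are assumed sample values.

```shell
#!/bin/sh
# Added example (not fwbuilder's generated code): build iptables-restore
# input for the filter table. Every rule carries the explicit match
# module ("-m tcp", "-m udp", "-m icmp") and uses "--tcp-flags
# SYN,RST,ACK SYN" instead of "--syn", which old iptables-restore
# versions such as 1.2.6a require.

# Constructed sample addresses (assumed values, not from the page).
MGMT_STATION="10.0.0.5"        # management station allowed to ssh in
FW_ADDR="192.168.1.1"          # firewall interface address

# Emit one rule in iptables-restore syntax: no "iptables" prefix, the
# table is chosen by the surrounding "*filter" block.
rule() {
    printf -- '-A %s\n' "$*"
}

# Produce the complete filter-table text. It is printed, not loaded;
# the caller decides whether to pipe it into iptables-restore.
gen_restore_input() {
    echo '*filter'
    # Default policies are set in the same transaction as the rules.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # Backup ssh access from the management station goes first.
    rule INPUT -p tcp -m tcp -s "$MGMT_STATION" -d "$FW_ADDR" --dport 22 -j ACCEPT
    # New outbound TCP connections: "--tcp-flags" spelled out, not "--syn".
    rule OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    # Several TCP ports at once: multiport takes "--dports".
    rule INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    rule INPUT -p udp -m udp --dport 53 -j ACCEPT
    rule INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
    echo 'COMMIT'
}

# Check run before loading: every rule with a per-protocol option must
# carry the matching "-m" module, and "--syn" must not appear.
# Returns 0 if the text passes, 1 otherwise.
check_restore_input() {
    text="$(gen_restore_input)"
    echo "$text" | grep -q -- '--syn' && return 1
    echo "$text" | grep -- '--dport ' | grep -E -qv -- '-m (tcp|udp)' && return 1
    echo "$text" | grep -- '--tcp-flags' | grep -qv -- '-m tcp' && return 1
    return 0
}

# Atomic load: iptables-restore either installs the whole table or, on
# an error, leaves the running policy untouched.
load_policy() {
    check_restore_input || { echo "refusing to load: incompatible rule syntax" >&2; return 1; }
    gen_restore_input | iptables-restore
}
```

    Because the table is committed as a unit, a rejected line leaves the
    previous policy in place instead of a half-loaded chain, which is the
    point of preferring iptables-restore over one "iptables -A" per rule.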

  * A change in the script generated by fwb_ipt: if iptables-restore
    is not used to load the policy, the generated shell script purges the
    existing firewall policy (all tables and chains) and sets default
    chain policies after it configures the interfaces of the firewall.
    Previously, it would flush tables and set default policy before
    it configured interfaces.

  * removed code that added an iptables command to the "drop" table to
    drop and log all dropped packets. This rule used the obsoleted
    patch-o-matic patch "drop", which is not available anymore.

  * moved the rule permitting backup ssh access from the management
    station to the firewall to the top of the script. This helps
    maintain the ssh session, which otherwise may stall or break because the
    stdout buffer is filled with diagnostic or progress output from
    the script that is printed after all chains are flushed but
    before the rule permitting ssh to the firewall is added. If the stdout
    buffer is full, ssh stops and tries to send the text to the
    management station but times out because the firewall blocks it.

* Improvements in policy compiler for pf:

  * The activation script for PF flushes only information about rules,
    nat, source and tables (it used to flush "all"). This preserves
    queue entries and states.

* Improvements in policy compilers for all platforms:

  * added support for prolog and epilog scripts for all firewall
    platforms. This was available for PIX for some time; now it has
    been added for all platforms. The "Prolog/Epilog" tab of the firewall
    settings dialog allows for editing of two blocks of commands that
    will be added to the generated firewall script verbatim. The prolog
    block is added on top, while the epilog block is added at the bottom.
    Both prolog and epilog are expected to be shell scripts and are
    added to the generated shell script that activates the firewall. For
    iptables and ipfw all the compiler generates is this shell script, and
    prolog and epilog commands are inserted into it. These commands
    may execute some actions, as well as add any policy or nat
    commands. For ipf and pf, prolog and epilog commands are added to
    the activation shell script (.fw file); the prolog is added
    immediately after the command that flushes all rules. This way the
    user may either execute shell commands or add policy and/or nat
    rules by loading them from an external file.

  * all policy compilers properly detect an error when the output
    file cannot be created or overwritten and print an error message to
    warn the user.

  * Added element "Target/family" to all OS resource XML files.
    Compilers use the "family" resource element to determine if the host OS
    is supported. The user may want to copy a host OS resource file to
    modify installer scriptlets; as long as the family element is
    kept the same, the compiler will accept the new resource file.

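The following is an added example and not a script produced by fwb_ipt: a
skeleton of the iptables activation script assembled in the order the
notes above describe (prolog at the top, interfaces configured before the
flush, the backup ssh rule as the first rule after the flush, epilog at the
bottom), together with the installer-side check that stops the
installation sequence when the script exits with a non-zero status. The
management station address and the prolog/epilog text are constructed
sample values.

```shell
#!/bin/sh
# Added example, not fwb_ipt output: activation script skeleton in the
# order the release notes describe, plus the installer's exit status
# check. Addresses and prolog/epilog blocks are constructed sample values.

MGMT_STATION="10.0.0.5"                     # assumed management station
PROLOG="echo prolog: mount /usr/local"      # assumed user-supplied prolog block
EPILOG="echo epilog: notify operator"       # assumed user-supplied epilog block

# Print the activation script. Each section carries a marker comment so
# the ordering can be checked mechanically.
gen_activation_script() {
    cat <<EOF
#!/bin/sh
# --- prolog (inserted verbatim) ---
$PROLOG
# --- configure interfaces before touching the policy ---
ip addr add 192.168.1.1/24 dev eth0
# --- flush existing policy and set default chain policies ---
iptables -F
iptables -X
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# --- backup ssh access from the management station: first rule after the flush ---
iptables -A INPUT -p tcp -m tcp -s $MGMT_STATION --dport 22 -j ACCEPT
# --- policy rules ---
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -j ACCEPT
# --- epilog (inserted verbatim) ---
$EPILOG
# exit status tells the installer whether to continue ('0') or abort ('1')
exit 0
EOF
}

# Line number of the first line matching a pattern in the generated
# script (empty if absent). Used to verify the section order.
script_line_of() {
    gen_activation_script | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Installer side: run one step (here a command string) and report a
# non-zero exit status so the installation sequence can be aborted.
# Returns the step's exit status.
install_step() {
    sh -c "$1" && status=0 || status=$?
    if [ "$status" -ne 0 ]; then
        echo "step failed with exit status $status, aborting installation" >&2
    fi
    return "$status"
}
```

Placing the ssh rule directly after the flush keeps the remote session
alive while the remaining rules and their progress output are processed;
the installer's check makes a failing step visible instead of leaving the
firewall half-configured.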
----------------------------------------------------------------------

Bugs fixed in GUI:

* bug #1077072: "CrossPlatform Firewall Builder Crash" - pressing the arrow
  down key on the keyboard right after the GUI started with no firewall
  objects defined caused a crash.

* bug (no num): if a library was assigned a name with non-ascii
  characters, it would appear distorted in the pull-down list in object
  dialogs.

* bug (no number) introduced in 2.0.3: the GUI crashed if the user tried to
  choose a pull-down menu item in the firewall list after the very first
  firewall object had been created.

* bug (no number): the group object dialog corrupted object names if they
  contained non-ascii characters.

* bug #1046345: "ipfw - no option to specify ipfw executable". Added a GUI
  control to let the user specify an alternative path to "ipfw" on FreeBSD.
  A control like that was previously available only for Mac OS X.

* bug #1028866: "incorrect order when several rules copied using
  copy/paste". Pasting multiple rules into an empty policy caused rules
  to be inserted in the wrong order.

* bug (no number): the policy installer failed if the following conditions
  were met:
  - it was running on Linux, FreeBSD or Mac OS X
  - the working directory configured in the "General" tab of the Preferences
    dialog did not exist and could not be created, or its permissions did
    not allow the user that runs the GUI to access it

* Added #include <errno.h> to make the code compile with gcc 3.4.2 and glibc
  2.3.3

* bug (no number): the GUI could not find names of the object libraries in
  external library files that the user added for automatic load in the
  Preferences dialog on Windows. It would find the name of the library
  in the first file, but failed to find library names in subsequent
  files and used the name from the first file. Since this library was
  only present in the first file, the object tree was getting corrupted when
  the program attempted to load this library from every file configured
  for automatic pre-load. This only happened on Windows.

Bugs fixed in API:

* bug #1077496: Error compiling libfwbuilder in FreeBSD. The problem
  was caused by the changed major version number of the libnetsnmp library in
  the latest net-snmp port (v5.2)

* bug #1055937: "Any->all_multicasts not in INPUT Chain". Need to check
  if network objects are multicasts; assume that multicast always
  matches the firewall object (e.g. fwb_ipt will put a rule with such a network
  object in destination in the INPUT chain)

* bug #1040773: need to match the network address as well as the broadcast.
  Packets sent to the network address (192.168.1.0 for net
  192.168.1.0/24) go in a broadcast frame and behave just like IP
  broadcast packets (sent to 192.168.1.255 for the same net)

* bug (no number): the rule shadowing algorithm now assumes that an IPService
  object with protocol number '0' shades any other service just like
  'any' does.

* bug (no num): the rule shadowing algorithm checks for IP flags in the IP
  service object. An IP service object with protocol 0 shades anything only
  if its flags are cleared. Two IP services shade each other only if
  they are completely equal (protocols and all flags settings are the
  same). However, an IP service with protocol 0 shades another IP service
  with protocol !=0 if all flags settings are the same.

* change in the object database merge algorithm: when an object database
  we are trying to merge has a non-empty "Deleted objects" library,
  deleted objects from this library should be ignored (they used to be
  deleted from the current tree). Likewise, when the current tree has a
  non-empty "Deleted objects" library and objects in it match objects
  being merged in, those objects should be removed from the "Deleted objects"
  library to avoid creating duplicate IDs with objects being merged in.

* bug (no number): program crashed on FreeBSD 5.3 when using SNMP to
  obtain parameters for hosts and interfaces. The crash occurred because of
  the use of uninitialized mutex variables in module dns.cpp

* bug (no number): the API used to corrupt a CustomService object while
  saving data to the XML file if the service code included special
  characters such as '&'

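The following is an added example, not libfwbuilder code: two small
checks that correspond to the API notes above. The first computes the
network and broadcast addresses of a network object (bug #1040773: a rule
for a network's broadcast has to match both). The second applies the three
rule shadowing statements for IP service objects (protocol 0 with cleared
flags shades everything; equal services shade each other; protocol 0
shades a non-zero protocol when the flag settings are identical). The
CIDR inputs and the "proto:flags" encoding of an IP service are
constructed for the example.

```shell
#!/bin/sh
# Added example, not libfwbuilder code. IPv4 arithmetic and a shadowing
# check written to the rules stated in the release notes. The CIDR values
# and the "proto:flags" service encoding are constructed.

# Dotted quad -> 32-bit integer, and back (POSIX sh arithmetic).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address of a CIDR, e.g. 192.168.1.77/24 -> 192.168.1.0
net_addr() {
    addr=${1%/*}; bits=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    int2ip $(( $(ip2int "$addr") & mask ))
}

# Broadcast address of a CIDR, e.g. 192.168.1.0/24 -> 192.168.1.255
bcast_addr() {
    addr=${1%/*}; bits=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    int2ip $(( ($(ip2int "$addr") & mask) | (~mask & 0xFFFFFFFF) ))
}

# Both destinations a broadcast rule for the network must cover, space
# separated: a packet to the network address arrives in a broadcast frame
# just like one sent to the broadcast address.
broadcast_targets() {
    echo "$(net_addr "$1") $(bcast_addr "$1")"
}

# Shadowing check for two IP service objects encoded as "proto:flags"
# (flags is a comma-separated list, empty when all flags are cleared;
# the colon is required). Returns 0 when service A ($1) shades B ($2).
ipservice_shades() {
    a_proto=${1%%:*}; a_flags=${1#*:}
    b_proto=${2%%:*}; b_flags=${2#*:}
    # protocol 0 with cleared flags shades anything, like 'any'
    [ "$a_proto" = 0 ] && [ -z "$a_flags" ] && return 0
    # completely equal services shade each other
    [ "$1" = "$2" ] && return 0
    # protocol 0 shades a non-zero protocol when the flag settings match
    [ "$a_proto" = 0 ] && [ "$a_flags" = "$b_flags" ] && return 0
    return 1
}
```

Run as `broadcast_targets 192.168.1.0/24` this prints both addresses a
compiler has to emit for the broadcast match; `ipservice_shades "0:" "6:"`
succeeds, while `ipservice_shades "0:DF" "6:"` fails because the
protocol-0 service has a flag set that the TCP service does not.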
Bugs fixed in policy compiler for iptables fwb_ipt:

* bug #1073491: incorrect code for rules using two interfaces with
  negation. If a rule had two (or more) interfaces of the firewall in
  the destination, with negation, the code generated by the compiler would
  check one interface's address in the INPUT chain and another in the FORWARD
  chain. It should check addresses of all interfaces from the
  corresponding rule element in the INPUT chain and also check addresses
  and possibly services from other rule elements in the FORWARD chain.
  This bug affected rules with two or more interfaces both in source and
  destination.

* bug #1040788: fwb_ipt and user name. The compiler used to read the environment
  variable "USER" to find out the user's name. Sometimes this variable is
  not set, which caused the compiler to abort. Now using env variable LOGNAME in
  addition to USER.

* bug #1040599: "unnecessary FORWARD rules". If ip forwarding is turned
  off in the host settings dialog of the linux-based firewall, the compiler
  should not generate rules in the FORWARD chain.

* bug (no number): the compiler placed an extra quote '"' at the end of each
  NAT command in the script using iptables-restore; this happened only
  if all interfaces of the firewall had static addresses.

* bug (no number) in fwb_ipt that caused no-nat rules with the firewall in
  OSrc to be placed only in the OUTPUT chain. Packets originating on the
  firewall go into the OUTPUT and POSTROUTING chains, so no-nat rules must
  be placed in both. Other minor improvements for NAT of locally
  originated connections have been made as well.

* bug (no number) where the compiler for iptables used option
  "--destination-port" with module "multiport" for versions of iptables
  that do not understand it (1.2.6 and later, as well as the default version
  setting 'any'). The option should be "--destination-ports" or
  "--dports".

* bug #1063953: "Wrong accept/multiport rule generated". The compiler
  generated wrong code for rules using multiple service objects of
  different types (TCP and UDP, or TCP and ICMP etc.), multiple addresses
  in src or dst, with the option that requires using TCP RST for action
  REJECT. This bug was introduced in build 453

* bug (no number): the policy compiler for iptables used "tail -1" in the
  shell script that read actual IP addresses of interfaces of the
  firewall. This shell code failed to determine the correct address of an
  interface that was configured with a secondary address. Reverted to
  using grep (I switched to tail when I ran into limitations of one of the
  beta builds of Sveasoft Linksys firmware that did not have grep)
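The following is an added example, not the address-discovery code from
fwb_ipt's generated script: it shows why "tail -1" on the interface
listing returns the secondary address when one is configured and how a
grep filter picks the primary instead (the last bug above), and resolves
a "wildcard" interface such as 'ppp*' at run time as the third script
format in "What's new" describes. The "ip addr show" and "ip link" text
it parses is constructed sample output, so the example runs offline.

```shell
#!/bin/sh
# Added example, not fwb_ipt's generated code: read interface addresses
# from "ip addr show" style output and expand a wildcard interface name.
# All interface listings below are constructed sample text.

# Constructed "ip addr show eth0" output with a secondary address.
SAMPLE_ETH0='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet 192.168.1.2/24 brd 192.168.1.255 scope global secondary eth0
    inet6 fe80::211:22ff:fe33:4455/64 scope link'

# Faulty approach from the bug report: the last "inet" line is the
# secondary address, not the interface's primary one.
iface_addr_tail() {
    echo "$1" | grep ' inet ' | tail -n 1 | sed 's/^ *inet \([0-9.]*\)\/.*/\1/'
}

# Corrected approach: first IPv4 address that is not marked "secondary".
iface_addr() {
    echo "$1" | grep ' inet ' | grep -v ' secondary ' | head -n 1 \
        | sed 's/^ *inet \([0-9.]*\)\/.*/\1/'
}

# Every IPv4 address of the interface, primary first, one per line, for
# rules that have to match all addresses of a firewall interface.
iface_all_addrs() {
    echo "$1" | grep ' inet ' | sed 's/^ *inet \([0-9.]*\)\/.*/\1/'
}

# Constructed "ip link" style listing used to expand wildcard interfaces.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492
4: ppp1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492'

# $1: link listing, $2: shell glob such as 'ppp*'. Prints the names of
# the interfaces present at run time that match the wildcard.
expand_wildcard_iface() {
    echo "$1" | sed 's/^[0-9]*: \([^:]*\):.*/\1/' | while read -r name; do
        case "$name" in
            $2) echo "$name" ;;
        esac
    done
}
```

A script that feeds iptables-restore at run time would call
`iface_addr "$(ip addr show eth0)"` for each static interface and
`expand_wildcard_iface "$(ip link)" 'ppp*'` for each wildcard one, then
generate the rule text from the addresses found.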