fwbuilder/doc/ReleaseNotes_2.1.12.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<link rel="stylesheet" type="text/css" href="http://www.fwbuilder.org/pages/fwbuilder.css">
</head>
 <body>
<h1>		Firewall Builder Release Notes </h1>
<br>
<h2> Version  2.1.12   </h2>
<br>
<p>
Released 06/24/2007
<br>
<b>GUI and compilers v2.1.12 require API library libfwbuilder version 2.1.12</b>
<br>
<h2>Summary </h2>
<p>
This release comes with support for Cisco IOS access lists and ability
to import existing iptables and IOS access lists
configurations. Multiple bug fixes are included as well.

<p>
<b>For those who wish to build from source, instructions are outlined
in the document "Install and Build instructions" on our web site <a
href="http://www.fwbuilder.org/archives/cat_installation.html">here</a></b>

<h2>Support for Cisco IOS access lists</h2>

Policy compiler for Cisco IOS Access lists has been implemented as
part of the Firewall Builder GUI as of version 2.1.12. The first
functional build were importer worked on all supported OS was build
270 (May 22, 2007)
<p>

  <b>Features implemented in this version:</b>
<p>
<ul>

<li> The compiler generates extended ACLs using "ip access-list
   extended" command. ACL names are automatically generated using
   abbreviated interface names and direction symbols to make it easy
   to figure out which ACL is which. Compiler uses rather minimal set
   of options of the "ip access-list" command and should generate code
   that will work for IOS 12.x. I did not test with 11.x but I am
   pretty sure it will work, at least with the latest versions of
   11.x.

<li> Compiler can also add commands to configure logging.

<li> The GUI includes built-in installer for routers which works just
   like installer for PIX. Both installers were updated however to
   improve support for the automatic roll-back feature in case you
   lose connect with the firewall or the router because of an error in
   the policy. Now you can make installer schedule reboot in a few
   minutes, then upload new policy or ACLs and then cancel reboot if
   upload was successful. While before auto-rollback option was only
   available if you installed in the test mode, now you can always use
   it. Test mode means that installer does not save configuration in
   the permanent memory, as before.

<li> All three installation methods that were available for PIX are now
   available for routers: you can make it clear all access lists and
   then load new ones or just update access lists without
   clearing. The last method (the "safety net" method) creates
   temporary acl to permit communication with the management station,
   assigns it to the interface marked as management interface, then
   clears all access lists and loads new ones and in the end swaps
   proper list on the management interface.  This helps prevent
   locking yourself out of the router in the middle of the
   installation process in case of an error in the ACL and at the same
   time does not leave the router with no acls for the time it takes
   to install new policy. In combination with automatic roll-back,
   installation process is pretty reliable.

<li> New option has been added to the interface object, called
   "unprotected". This allows you to mark some interfaces to be
   skipped by the compiler when it picks interfaces for ACL
   rules. This should be useful when you have routers with many
   interfaces and only want to add ACLs to some of them. Also, you can
   explicitly put interface objects into policy rules and specify
   direction if you want to do this manually.

<li> Since router ACLs have no state, all rules should be created in the
   policy pretty much like you do it on the router, including rules
   that permit reply packets.  New option has been added to the TCP
   Service object, called "established". This makes compiler use
   option "established" in rules it generates if it is supported by
   the firewall platform. Compilers for iptables, ipfilter, pf and PIX
   can not use objects with this option and treat it as an error
   because corresponding platforms do not support it. IPFW, on the
   other hand, supports it so compiler fwb_ipfw can use it.

</ul>
<p>

  <b>Shortcomings of this version:</b>
<p>
<ul>
<li> "tos", "precedence" and "time-range" options are not supported
<li> "igmp" access lists can no be generated
</ul>
<p>


  <h2>Policy import iptables configurations (v2.1.12, build 281 and later)</h2>
<p>
Policy importer has been implemented as part of the Firewall Builder
GUI as of version 2.1.12. The first functional build were importer
worked on all supported OS was build 270 (May 22, 2007)
<p>
Policy importer uses ANTLR lexer and parser ( http://www.antlr.org/ )
Version 2.7.7 is used in Firewall Builder v2.1.12 ( http://www.antlr2.org/ )
<p>
Firewall Builder needs ANTLR C++ runtime header files and library and
include these in the source tree under src/antlr.  Unless you want to
change the grammar (*.g files) you don't need to install ANTLR
separately. All relevant ANTLR files are included in the package.  For
more information on ANTRL see: http://www.antlr2.org
<p>
  <b> Features implemented in this version :</b>

<ul>
<li> Importer can parse iptables config saved using iptables-save
   utility.  Because of the huge variety of iptables modules, Importer
   can only interpret basic iptables configuration and a subset of
   modules. Currently the following modules are supported:
  <p>
    <ul>
    <li> state
    <li> multiport
    <li> limit
    <li> mark
    </ul>
  </p>
<li> Importer creates firewall object with all interfaces. It can not
   assign object name for the firewall object nor add IP and MAC
   addresses to interfaces because this information is not present in
   iptables-save file.

<li> option "Assume firewall is part of 'any'" is off in the created
   firewall object. Import is done this way in order to preserve logic
   of chains INPUT, OUTPUT and FORWARD in the recreated fwbuilder
   rules. Rules that had chain INPUT in the imported script will have
   firewall object in "destination" in the corresponding fwbuilder
   rules. Firewall object is placed in "Source" for rules with chain
   OUTPUT. For rules with chain FORWARD rule elements "Source" and
   "Destination" are populated with objects created using options "-s"
   and "-d" of the original rules or left empty ("any").

<li> all recognized iptables rules are imported and interface and
   direction are set in all rules appropriately. Interface objects are
   created as parser finds them in the script.

<li> targets ACCEPT, DROP, REJECT, MARK and others are converted to the
   corresponding fwbuilder policy rule actions. Unrecognized targets
   and converted to branching rules, where the name of the target
   becomes the name of the branch.

<li> SNAT, DNAT, MASQUERADING, REDIRECT and NETMAP targets and their
    parameters are recognized in the NAT rules.

<li> Address and service objects are created in the process for all
   addresses and ports used in all rules.

<li> iptables rules can refer to tcp/udp ports both by name or by
   number. Importer can properly interpret both formats using system
   function getservbyname() to convert service name to the port
   number. Since the result of this function depends on the OS, some
   port names may not convert on some systems. For example, Windows
   can convert more limited set of service names compared to Linux or
   BSD.

<li> targets LOG and ULOG are converted to the "logging" option in
   fwbuilder rules with action "Continue". This is an empty action
   that does not affect packet flow through the firewall but can be
   used in combination with "logging" option to log the packet. If
   such empty (logging-only) rule is undesired, it must be manually
   merged with some other rule in the policy.

<li> "--log-prefix", and "--log-level" options of the LOG target are
   recognized

<li> "--ulog-prefix" option of the ULOG target is recognized. Other
   options of the ULOG target are not.

<li> Address and service objects are reused in the process of import.

<li> in case when importer fails to parse some part of the iptables-save
   file, corresponding policy rule is colored red and appropriate
   diagnostic message added to its comment. The problem must be
   corrected manually.

<li> comments ("#") found inside access lists are ignored.
</ul>

<b>Shortcomings of this version:</b>

<ul>
<li> user-defined chains in table "nat" are not supported
<li> no import of time intervals
<li> no MAC address matching import
</ul>

<p>


  <h2>Policy import of Cisco IOS access lists (v2.1.12, build 270)</h2>
<p>

  <b> Features implemented in this version :</b>

<ul>
<li> Importer can parse router config saved using "show run"
   command. Although importer can only interpret a subset of IOS
   configuration commands, other commands that it does not understand
   will be ignored and should not affect operation. No manual editing
   of the config is required prior to import.

<li> Importer creates firewall object with all interfaces

<li> firewall object name is assigned if "hostname" command is found in
   the configuration. If this command is not present, the name remains
   generic "New Firewall"

<li> interface addresses are assigned if command "ip address" is found
   (multiple addresses per interface are supported). Interfaces
   without "ip address" in the configuration are marked as
   "unnumbered" in the firewall builder object tree.

<li> all access lists are imported and interface and direction are set
   in all rules appropriately

<li> Address and service objects are created in the process for all
   addresses and ports used in access lists

<li> IOS access lists can define ip protocol, icmp code and type, and
    tcp/udp ports both by name or by number. Importer can properly
    interpret both formats.

<li> "log", "log-input", "fragments", "established" keywords are
   supported and translated into rule or object options as
   appropriate.

<li> Address and service objects are reused in the process of import.

<li> in case when importer fails to parse some part of the access-list
   command, corresponding policy rule is colored in red and
   appropriate diagnostic message added to its comment. The problem
   must be corrected manually.

<li> "remark" commands found inside access lists are translated into
   rule comments

<li> comments ("!") found inside access lists are ignored.
</ul>
<p>

  <b>Shortcomings of this version:</b>

<ul>
<li> importer does not use address and service objects that existed in
   the tree before the operation has started, it creates new
   ones. Deduplication only works for objects created in the process
   of import.

<li> the following keywords available in extended access lists are not
   supported at this time:  tos, precedence, time-range.

<li> igmp access lists are not parsed.
</ul>

<p>
<hr>
<p>

<h2>New object types and improvements in the base API</h2>

<ul>

  <li>TCPService object now has flag "established". Policy comilers
  for platforms that have special keyword for this flag can recognize
  this flag in TCPService object.</li>

  <li>TCPService object "All TCP established" has been added to the
    Standard objects library.</li>

  <li>Interface of the firewall has new flag "unprotected", currently
  only used in compiler for Cisco IOS access lists. Compiler skips
  interfaces marked as "unprotected" when it decides which interface a
  policy rule should be assigned to.
</ul>


<h2>Improvements and bug fixes in the GUI</h2>
<ul>

  <li>dialogs and resource files for Cisco IOS access lists.</li>

  <li>Policy installer for Cisco routers</li>

  <li>fixed long-standing problem with size of the built-in installer
    options dialog. The dialog was too big and did not properly resize
    itself when some options were hidden.</li>

  <li>PIX and Cisco routers (IOS) : built-in installer can schedule
    reboot of the firewall before activating new policy, then cancel
    it if the policy has been activated successfully. </li>

  <li>note about built-in installer on windows. Installer seems to
    have broke with upgrade of QT to 3.3.8. Specifically, in
    SSHSession::readFromStdout(), proc->readStdout() returns a byte
    array that contains actual output from the device, with some
    garbage appeneded to it. The garbage is included in the size()
    count of QByteArray returned by readStdout so it gets included
    into the QString which we append to stdoutBuffer. This happens
    only on win32; reverting to QT 3.3.7 fixes the problem.</li>

  <li>the GUI is compiled with ANTLR C++ run-time, used for policy
  importer</li>

  <li>Policy importer: can read and import iptables rules from the
  iptables-save file and Cisco IOS access lists from the router
  configuration saved using "show run" command. See
  README.policy_import file for more details.</li>

  <li>allow for object group in "Interface" rule element</li>

  <li>Added support for action "Continue" (an empty action) in the GUI
    and compiler for iptables. This action creates a rule that does
    nothing, however it generates iptables command with target "-j
    LOG" if logging is turned on. This can be useful if one wants only
    to log packets that match certain pattern but not make any policy
    decision in the same rule.</li>

  <li>After changes made in the compiler to simplify algorithm used to
    decide which chain a rule with action Tag should go to, rule
    action option "Mark connections in PREROUTING chain" (
    "ipt_mark_prerouting" ) has been deprecated.</li>

  <li>fixed bug (no number) where installer failed to properly copy
    .fwb file over to the firewall if file name contained
    whitespace</li>

  <li>fixed bug #1739373: "FWB2111, register Routing not printed". Tab
    "Routing" was not included in the printed copy of firewall
    policies</li>
</ul>

<h2>Improvements and bug fixes in policy compiler for iptables</h2>
<ul>

  <li>fixed bug 1737733: "install script doesn't detect BROADCAST if
    eth is NO-CARRIER".  If firewall script runs before network
    interface comes up (i.e. is still in NO-CARRIER state), script
    failed to add virtual addresses for NAT.</li>

  <li>fixed bug #1711595: "ip6tables DROPs". Compiler adds rules to
    permit any-to-any on loopback interface for ipv6 in addition to
    rules that set default policy to DROP for all chains in ipv6</li>

  <li>streamlined algorithm that assigns chain to a rule with action
    Tag. The goal is to always use chain PREROUTING for rules with
    direction Inbound or Both and a combination of OUTPUT and
    POSTROUTING for rules with direction Outbound and Both.</li>

  <li>Added support for action "Continue" (an empty action) in the GUI
    and compiler for iptables. This action creates a rule that does
    nothing, however it generates iptables command with target "-j
    LOG" if logging is turned on. This can be useful if one wants only
    to log packets that match certain pattern but not make any policy
    decision in the same rule.</li>

  <li>fixed bug #1718791: "Bug with more than one router". This bug
    affected routing rules.</li>

  <li>fixed bug #1720022: "Fail to load modules .ko.gz".</li>

  <li>fixed bug #1720480: '"-A POSTROUTING -i interface" in branching
    rules'. Compiler should not generate iptables commands in
    POSTROUTING chain with "-i interface" clause.</li>

  <li>bug (no number): compiler used to not set unique internal id for
    rules in branches, which lead to chain names like 'C.0' in
    generated script.</li>

  <li>bug (no number): when a rule number is inserted into a log
    record in place of macro %N, it should be formatted as "N/M" for
    rules in a branch.</li>

  <li>bug (no number): setting chain for Classify action only if it
    has not been set before. Setting chain to POSTROUTING always broke
    things if a rule with action 'Classify' was used in a branch (so
    the chain has been set to that of the branch)</li>

  <li>bugs #1676635: "no way to match on state if the action is drop"
    and #1671910: "2.1.8 In 'Branch' acton compiler doesn't insert NEW
    stanza". Rely only on rule option 'stateless' to decide whether
    the rule should have "-m state --state NEW".  Rule option
    'stateless' is automatically set when user changes rule action so
    it becomes anything except 'Accept', 'Tag' or 'Route'. This option
    is also automatically cleared when action is switched to any of
    these three actions. The user can override these default settings
    by checking or unchecking the option in the rule options dialog.

  </li>

</ul>


<h2>Improvements and bug fixes in policy compiler for PF</h2>
<ul>
  <li>fixed bug #1727715: "Policy Installer failed but indicates
    succes". Activation script for PF exits with non-zero return code
    if script activation fails.</li>

  <li>fixed bug #1740545: "AddressTable in NAT section". Policy
    compiler for PF crashed if AddressTable object was used in TDst
    element of a NAT rule.</li>

</ul>


<h2>Improvements and bug fixes in policy compiler for ipfw</h2>
<ul>
  <li>new TCPService object flag "established" in compiler for
  ipfw.</li>

  <li></li>

</ul>



 </body>
</html>