onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-21 10:47:16 +01:00
Code Issues Releases Wiki Activity
fwbuilder/doc/ReleaseNotes_2.1.12.txt
Vadim Kurland fcfedad398 Initial import into v3 branch
2007-12-25 22:25:59 +00:00

312 lines
17 KiB
Plaintext
Raw Blame History

Firewall Builder Release Notes
Version 2.1.12
Released 06/24/2007
GUI and compilers v2.1.12 require API library libfwbuilder version 2.1.12
Summary
This release comes with support for Cisco IOS access lists and ability to
import existing iptables and IOS access lists configurations. Multiple bug
fixes are included as well.
For those who wish to build from source, instructions are outlined in the
document "Install and Build instructions" on our web site here
Support for Cisco IOS access lists
Policy compiler for Cisco IOS Access lists has been implemented as part of
the Firewall Builder GUI as of version 2.1.12. The first functional build
were importer worked on all supported OS was build 270 (May 22, 2007)
Features implemented in this version:
* The compiler generates extended ACLs using "ip access-list extended"
command. ACL names are automatically generated using abbreviated
interface names and direction symbols to make it easy to figure out
which ACL is which. Compiler uses rather minimal set of options of the
"ip access-list" command and should generate code that will work for
IOS 12.x. I did not test with 11.x but I am pretty sure it will work,
at least with the latest versions of 11.x.
* Compiler can also add commands to configure logging.
* The GUI includes built-in installer for routers which works just like
installer for PIX. Both installers were updated however to improve
support for the automatic roll-back feature in case you lose connect
with the firewall or the router because of an error in the policy. Now
you can make installer schedule reboot in a few minutes, then upload
new policy or ACLs and then cancel reboot if upload was successful.
While before auto-rollback option was only available if you installed
in the test mode, now you can always use it. Test mode means that
installer does not save configuration in the permanent memory, as
before.
* All three installation methods that were available for PIX are now
available for routers: you can make it clear all access lists and then
load new ones or just update access lists without clearing. The last
method (the "safety net" method) creates temporary acl to permit
communication with the management station, assigns it to the interface
marked as management interface, then clears all access lists and loads
new ones and in the end swaps proper list on the management interface.
This helps prevent locking yourself out of the router in the middle of
the installation process in case of an error in the ACL and at the
same time does not leave the router with no acls for the time it takes
to install new policy. In combination with automatic roll-back,
installation process is pretty reliable.
* New option has been added to the interface object, called
"unprotected". This allows you to mark some interfaces to be skipped
by the compiler when it picks interfaces for ACL rules. This should be
useful when you have routers with many interfaces and only want to add
ACLs to some of them. Also, you can explicitly put interface objects
into policy rules and specify direction if you want to do this
manually.
* Since router ACLs have no state, all rules should be created in the
policy pretty much like you do it on the router, including rules that
permit reply packets. New option has been added to the TCP Service
object, called "established". This makes compiler use option
"established" in rules it generates if it is supported by the firewall
platform. Compilers for iptables, ipfilter, pf and PIX can not use
objects with this option and treat it as an error because
corresponding platforms do not support it. IPFW, on the other hand,
supports it so compiler fwb_ipfw can use it.
Shortcomings of this version:
* "tos", "precedence" and "time-range" options are not supported
* "igmp" access lists can no be generated
Policy import iptables configurations (v2.1.12, build 281 and later)
Policy importer has been implemented as part of the Firewall Builder GUI
as of version 2.1.12. The first functional build were importer worked on
all supported OS was build 270 (May 22, 2007)
Policy importer uses ANTLR lexer and parser ( http://www.antlr.org/ )
Version 2.7.7 is used in Firewall Builder v2.1.12 ( http://www.antlr2.org/
)
Firewall Builder needs ANTLR C++ runtime header files and library and
include these in the source tree under src/antlr. Unless you want to
change the grammar (*.g files) you don't need to install ANTLR separately.
All relevant ANTLR files are included in the package. For more information
on ANTRL see: http://www.antlr2.org
Features implemented in this version :
* Importer can parse iptables config saved using iptables-save utility.
Because of the huge variety of iptables modules, Importer can only
interpret basic iptables configuration and a subset of modules.
Currently the following modules are supported:
* state
* multiport
* limit
* mark
* Importer creates firewall object with all interfaces. It can not
assign object name for the firewall object nor add IP and MAC
addresses to interfaces because this information is not present in
iptables-save file.
* option "Assume firewall is part of 'any'" is off in the created
firewall object. Import is done this way in order to preserve logic of
chains INPUT, OUTPUT and FORWARD in the recreated fwbuilder rules.
Rules that had chain INPUT in the imported script will have firewall
object in "destination" in the corresponding fwbuilder rules. Firewall
object is placed in "Source" for rules with chain OUTPUT. For rules
with chain FORWARD rule elements "Source" and "Destination" are
populated with objects created using options "-s" and "-d" of the
original rules or left empty ("any").
* all recognized iptables rules are imported and interface and direction
are set in all rules appropriately. Interface objects are created as
parser finds them in the script.
* targets ACCEPT, DROP, REJECT, MARK and others are converted to the
corresponding fwbuilder policy rule actions. Unrecognized targets and
converted to branching rules, where the name of the target becomes the
name of the branch.
* SNAT, DNAT, MASQUERADING, REDIRECT and NETMAP targets and their
parameters are recognized in the NAT rules.
* Address and service objects are created in the process for all
addresses and ports used in all rules.
* iptables rules can refer to tcp/udp ports both by name or by number.
Importer can properly interpret both formats using system function
getservbyname() to convert service name to the port number. Since the
result of this function depends on the OS, some port names may not
convert on some systems. For example, Windows can convert more limited
set of service names compared to Linux or BSD.
* targets LOG and ULOG are converted to the "logging" option in
fwbuilder rules with action "Continue". This is an empty action that
does not affect packet flow through the firewall but can be used in
combination with "logging" option to log the packet. If such empty
(logging-only) rule is undesired, it must be manually merged with some
other rule in the policy.
* "--log-prefix", and "--log-level" options of the LOG target are
recognized
* "--ulog-prefix" option of the ULOG target is recognized. Other options
of the ULOG target are not.
* Address and service objects are reused in the process of import.
* in case when importer fails to parse some part of the iptables-save
file, corresponding policy rule is colored red and appropriate
diagnostic message added to its comment. The problem must be corrected
manually.
* comments ("#") found inside access lists are ignored.
Shortcomings of this version:
* user-defined chains in table "nat" are not supported
* no import of time intervals
* no MAC address matching import
Policy import of Cisco IOS access lists (v2.1.12, build 270)
Features implemented in this version :
* Importer can parse router config saved using "show run" command.
Although importer can only interpret a subset of IOS configuration
commands, other commands that it does not understand will be ignored
and should not affect operation. No manual editing of the config is
required prior to import.
* Importer creates firewall object with all interfaces
* firewall object name is assigned if "hostname" command is found in the
configuration. If this command is not present, the name remains
generic "New Firewall"
* interface addresses are assigned if command "ip address" is found
(multiple addresses per interface are supported). Interfaces without
"ip address" in the configuration are marked as "unnumbered" in the
firewall builder object tree.
* all access lists are imported and interface and direction are set in
all rules appropriately
* Address and service objects are created in the process for all
addresses and ports used in access lists
* IOS access lists can define ip protocol, icmp code and type, and
tcp/udp ports both by name or by number. Importer can properly
interpret both formats.
* "log", "log-input", "fragments", "established" keywords are supported
and translated into rule or object options as appropriate.
* Address and service objects are reused in the process of import.
* in case when importer fails to parse some part of the access-list
command, corresponding policy rule is colored in red and appropriate
diagnostic message added to its comment. The problem must be corrected
manually.
* "remark" commands found inside access lists are translated into rule
comments
* comments ("!") found inside access lists are ignored.
Shortcomings of this version:
* importer does not use address and service objects that existed in the
tree before the operation has started, it creates new ones.
Deduplication only works for objects created in the process of import.
* the following keywords available in extended access lists are not
supported at this time: tos, precedence, time-range.
* igmp access lists are not parsed.
----------------------------------------------------------------------
New object types and improvements in the base API
* TCPService object now has flag "established". Policy comilers for
platforms that have special keyword for this flag can recognize this
flag in TCPService object.
* TCPService object "All TCP established" has been added to the Standard
objects library.
* Interface of the firewall has new flag "unprotected", currently only
used in compiler for Cisco IOS access lists. Compiler skips interfaces
marked as "unprotected" when it decides which interface a policy rule
should be assigned to.
Improvements and bug fixes in the GUI
* dialogs and resource files for Cisco IOS access lists.
* Policy installer for Cisco routers
* fixed long-standing problem with size of the built-in installer
options dialog. The dialog was too big and did not properly resize
itself when some options were hidden.
* PIX and Cisco routers (IOS) : built-in installer can schedule reboot
of the firewall before activating new policy, then cancel it if the
policy has been activated successfully.
* note about built-in installer on windows. Installer seems to have
broke with upgrade of QT to 3.3.8. Specifically, in
SSHSession::readFromStdout(), proc->readStdout() returns a byte array
that contains actual output from the device, with some garbage
appeneded to it. The garbage is included in the size() count of
QByteArray returned by readStdout so it gets included into the QString
which we append to stdoutBuffer. This happens only on win32; reverting
to QT 3.3.7 fixes the problem.
* the GUI is compiled with ANTLR C++ run-time, used for policy importer
* Policy importer: can read and import iptables rules from the
iptables-save file and Cisco IOS access lists from the router
configuration saved using "show run" command. See README.policy_import
file for more details.
* allow for object group in "Interface" rule element
* Added support for action "Continue" (an empty action) in the GUI and
compiler for iptables. This action creates a rule that does nothing,
however it generates iptables command with target "-j LOG" if logging
is turned on. This can be useful if one wants only to log packets that
match certain pattern but not make any policy decision in the same
rule.
* After changes made in the compiler to simplify algorithm used to
decide which chain a rule with action Tag should go to, rule action
option "Mark connections in PREROUTING chain" ( "ipt_mark_prerouting"
) has been deprecated.
* fixed bug (no number) where installer failed to properly copy .fwb
file over to the firewall if file name contained whitespace
* fixed bug #1739373: "FWB2111, register Routing not printed". Tab
"Routing" was not included in the printed copy of firewall policies
Improvements and bug fixes in policy compiler for iptables
* fixed bug 1737733: "install script doesn't detect BROADCAST if eth is
NO-CARRIER". If firewall script runs before network interface comes up
(i.e. is still in NO-CARRIER state), script failed to add virtual
addresses for NAT.
* fixed bug #1711595: "ip6tables DROPs". Compiler adds rules to permit
any-to-any on loopback interface for ipv6 in addition to rules that
set default policy to DROP for all chains in ipv6
* streamlined algorithm that assigns chain to a rule with action Tag.
The goal is to always use chain PREROUTING for rules with direction
Inbound or Both and a combination of OUTPUT and POSTROUTING for rules
with direction Outbound and Both.
* Added support for action "Continue" (an empty action) in the GUI and
compiler for iptables. This action creates a rule that does nothing,
however it generates iptables command with target "-j LOG" if logging
is turned on. This can be useful if one wants only to log packets that
match certain pattern but not make any policy decision in the same
rule.
* fixed bug #1718791: "Bug with more than one router". This bug affected
routing rules.
* fixed bug #1720022: "Fail to load modules .ko.gz".
* fixed bug #1720480: '"-A POSTROUTING -i interface" in branching
rules'. Compiler should not generate iptables commands in POSTROUTING
chain with "-i interface" clause.
* bug (no number): compiler used to not set unique internal id for rules
in branches, which lead to chain names like 'C.0' in generated script.
* bug (no number): when a rule number is inserted into a log record in
place of macro %N, it should be formatted as "N/M" for rules in a
branch.
* bug (no number): setting chain for Classify action only if it has not
been set before. Setting chain to POSTROUTING always broke things if a
rule with action 'Classify' was used in a branch (so the chain has
been set to that of the branch)
* bugs #1676635: "no way to match on state if the action is drop" and
#1671910: "2.1.8 In 'Branch' acton compiler doesn't insert NEW
stanza". Rely only on rule option 'stateless' to decide whether the
rule should have "-m state --state NEW". Rule option 'stateless' is
automatically set when user changes rule action so it becomes anything
except 'Accept', 'Tag' or 'Route'. This option is also automatically
cleared when action is switched to any of these three actions. The
user can override these default settings by checking or unchecking the
option in the rule options dialog.
Improvements and bug fixes in policy compiler for PF
* fixed bug #1727715: "Policy Installer failed but indicates succes".
Activation script for PF exits with non-zero return code if script
activation fails.
* fixed bug #1740545: "AddressTable in NAT section". Policy compiler for
PF crashed if AddressTable object was used in TDst element of a NAT
rule.
Improvements and bug fixes in policy compiler for ipfw
* new TCPService object flag "established" in compiler for ipfw.
*
Reference in New Issue View Git Blame Copy Permalink