fwbuilder/doc/ReleaseNotes_2.1.13.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<link rel="stylesheet" type="text/css" href="http://www.fwbuilder.org/pages/fwbuilder.css">
</head>
 <body>
<h1>		Firewall Builder Release Notes </h1>
<br>
<h2> Version  2.1.13   </h2>
<br>
<p>
Released 07/22/2007
<br>
<b>GUI and compilers v2.1.13 require API library libfwbuilder version 2.1.13</b>
<br>
<h2>Summary </h2>
<p>
This is bugfix release; its main focus is better support for new
features available in PF in OpenBSD 4.1.

<p>
<b>For those who wish to build from source, instructions are outlined
in the document "Install and Build instructions" on our web site <a
href="http://www.fwbuilder.org/archives/cat_installation.html">here</a></b>



<h2>Improvements and bug fixes in the GUI</h2>
<ul>

  <li>fixed bug #1740766: "lock not saved". This method now copies the
    value of "ro" attribute (read-only).  Clear it in the caller if
    neccessary. Method duplicate() clears it after calling
    shallowDuplicate in order to be able to modify the object, then
    restores this attribute to its original value.</li>

  <li>fixed bug #1743117: "crash while editing any". Added check, user
    should not be able to unlock Standard objects library</li>

  <li>fixed bug #1753188: "policy activation fails on PIX and
    IOS". Installer failed if account used to authenticate to the
    router or PIX went straight to 'enable' mode after login.</li>

  <li>added simple template object for Cisco router 36xx </li>
</ul>

<h2>Improvements and bug fixes in policy compiler for iptables</h2>
<ul>

  <li>fixed bug #1746257: "fwbuilder breaks IPv6". Added an option to
    the firewall settings dialog for iptables that controls whether
    compiler should skip generation of the code to set default policy
    of all ipv6 chains to DROP. This option is off by default, that is
    compiler puts the code in. This helps maintain backwards
    compatibility with old data files that do not have this option,
    which is equivalent to this option being "off".</li>

  <li>fixed bug #1747332: "missing CONNMARK/ restore mark in Output
  Chain"</li>

  <li>compiler permits setting direction in the rule while interface
    field is "All". This generates iptables command in chain INPUT or
    OUTPUT with "-i +" or "-o +" interface specification to match all
    interfaces.</li>

</ul>


<h2>Improvements and bug fixes in policy compiler for PF</h2>
<ul>
  <li>fixed bug #1747828: "anchors generation - "log" not
    supported". "Log" keyword is not allowed in "anchor" rules;
    compiler should not generate it even if user turned logging on in
    a rule with action 'Branch'</li>

  <li>implemented support for PF limit options "src-nodes", "tables"
    and "table-entries". Feature Req. #1674919: "Support "set limit
    table-entries""</li>

  <li>better compliance with PF 4.x. Feature Req. #1679793: "add 'no
    state' and 'flags any'". If version is set to 4.x, compiler skips
    "flags S/SA keep state" for rules mathcing tcp services. However,
    according to the section "1.2. Operational changes" in PF FAQ at
    http://www.openbsd.org/faq/upgrade41.html , there should be a way
    to add "keep state" explicitly for rules on interface enc0. Added
    this option to the rule options dialog.</li>

  <li>Added support for "set skip on <ifspec>" command for PF. If an
      interface is marked as "unprotected" in the GUI, compiler
      generates this command for it. This is useful for loopback or
      other virtual interfaces.</ifspec>


</ul>

<h2>Improvements and bug fixes in policy compilers for Cisco IOS ACL</h2>
<ul>
  <li>Fixed bug that caused compiler to exit abnormally while
    compiling a rule with interface field "all". Compiler should
    generate ACL lines for all interfaces of the router (except those
    marked "unprotected")</li>
</ul>

 </body>
</html>