onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-21 18:57:14 +01:00
Code Issues Releases Wiki Activity
fwbuilder/doc/ReleaseNotes_2.0.3.html
Vadim Kurland fcfedad398 Initial import into v3 branch
2007-12-25 22:25:59 +00:00

307 lines
13 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<link rel="stylesheet" type="text/css" href="http://www.fwbuilder.org/pages/fwbuilder.css">
<title>Release Notes 2.0.3</title>
</head>
<body>
<h1> Firewall Builder Release Notes </h1>
<br>
<h2> Version 2.0.3 </h2>
<br>
<p>
Released 09/30/04
<br>
<b>GUI and compilers v2.0.3 require API library libfwbuilder version 2.0.3</b>
<br>
<h2>Summary </h2>
<p>
Firewall Builder GUI v2.0.3 is a maintenance release that includes
fixes for bugs discovered since 2.0.2 has been released.
<p>
<b>For those who wish to build from source, instructions are outlined
in <a
href="http://www.fwbuilder.org/archives/cat_installation.html">"Install
and Build instructions"</a></b>
<ul>
<li>This release improves support for the PF firewall by always
using tables in policy rules; it also uses syntax " !
&lt;tbl&gt;" for negation, assignes "rdr" rules to interfaces
and adds "flags S/SA" to policy rules that keep state. </li>
<li>This release significantly improves optimizer for iptables
and adds an automatically generated rule to block packets that
correspond to an INVALID state</li>
<li>Built-in policy installer can compress firewall policy
script before it is installed in flash memory on
Linksys/Sveasoft firewall; this allows for much larger policy to
be used on Linksys. Script compression is optional.</li>
<li>Built-in policy installer can be used to test new policy
rules with automatic roll-back to the previous version of the
policy after specified interval of time. This feature helps to
work around errors in the policy that block access to the
firewall from the management workstation.
</ul>
<p>
<h2>Caveats</h2>
<p>New version (as of build 421) completely changes the way it
loads and activates firewall script on linksys. Old version put
the whole script in variable rc_firewall. New one puts script in
variable fwb and puts a one-line command in rc_firewall to read
the script from fwb and execute it. This was done because of the
need to uncompress it when linksys executes command stored in
rc_firewall, in other words, rc_firewall needs to be a little
script that uncompresses and runs the main firewall script. This
is why scripts were separated and rc_firewall has changed compared
to the previous versions of fwbuilder.
<p>Reverting from v2.0.3 (build 421 and later) to v2.0.2 requires
you to erase nvram variable "fwb" which holds the whole script in
the new builds.
<p>
<br>
<h2>New features in the built in policy installer</h2>
<ul>
<li>added an option for test run. When this option is activated,
policy script is pushed to the firewall and is executed but is
not stored there permanently. Firewall reverts to the last
working configuration after reboot.</li>
<li>implemented compression of the firewall script for
Linksys/Sveasoft combo. Using gzip and uuencode/uudecode to
compress the script and store it in flash variable
'fwb'. Installer prints flash memory stats after commiting
changes. Installer uses scp to copy firewall script to the
firewall and autogenerated prompt to detect when it logged in;
it does not depend on Linksys shell prompt anymore.</li>
<li>added an option to schedule automatic firewall reboot in
specified time (in minutes) after policy activation. <b>This
option is available for all firewall platforms but PIX</b>. This
option only works if user requested policy activation in a test
mode, in which case policy is copied and activated on the
firewall but not stored in the permanent location. After reboot
the firewall reverts to the previous version of the policy. To
cancel scheduled reboot, run installer again with "test run"
option turned off. Installer stores the policy in the permanent
location, activates it and cancels scheduled reboot. The
commands used to schedule reboot and cancel it depend on the
host os of the firewall. On Linux, it will use "shutdown -r +NN"
and "shutdown -c". On *BSD systems it uses "shutdown -r +NN" and
a combination of ps and awk to find and kill shutdown when
reboot is canceled. Installer uses "reboot" and kills it with
"killall" on linksys.</li>
<li>All manipulations that installer does on the firewall are
programmed in little one-line scripts stored in resource file
for each supported OS the firewall is running. These are in
/usr/share/fwbuilder/os on Linux/*BSD or in
C:\FWBuilder\resources\os on Windows. Users can hack commands
in these files to make installer work with host OS that is not
supported by default. Currently, the GUI only looks for the
OS-specific resource files in the system-wide directory. Future
versions will also look in a predefined directory in users'
home. Directory path to be defined later.</li>
<li>Added option "output file name" to firewall settings dialogs
for all platforms. User can specify the name for the output
file; this name is then used by built in installer in place of a
macro %FWSCRIPT%.</li>
</ul>
<p>
<br>
<br>
<h2>New features in policy compiler for iptables</h2>
<ul>
<li>implemented feature request #1023430: "add checkbox for
INVALID support in fw settings". Added two checkboxes to the
firewall settings dialog: one adds a rule to drop INVALID
packets and another adds logging to the rule.</li>
<li>rules that permit packets associated with
ESTABLISHED,RELATED states moved to the beginning of the script
before NAT rules.</li>
<li>bug #1022216: "negated time produces incorrect iptables
rule". Implemented negation for the "Time" rule element for
iptables</li>
<li>using abbreviated versions of "--dport", "--sport",
"--dports", "--sports" options to make generated iptables script
smaller. Also changed the name of the variables used to hold IP
address of dynamic interface from "interface_&lt;ifname&gt;" to
"i_&lt;ifname&gt;". All this should help to fit larger policies into
small flash on linksys. These changes shrunk my test script from
7964 bytes to 7430 bytes</li>
<li>Generated iptables script flushes only secondary ip
addresses on interfaces during initialization phase if option
"configure interfaces" is on. This should fix a bug that caused
linksys/sveasoft unit to lose default route upon reboot if
external interface has static IP address.</li>
<li>Generated script checks if /usr/sbin/ip exists on the
firewall before it tries to use it to verify interfaces and
configure IP addresses. This check is only performed if user
activated options that use this tool. An error message
"Interface eth0 does not exist" was generated if package
iproute2 was not installed on the firewall, which was
confusing.</li>
</ul>
<br>
<br>
<h2>New features in policy compiler for PF</h2>
<ul>
<li> A NAT rule of type DNAT (rdr rule) is assigned to an
interface of the firewall if interface object or its address
object is used in ODst. To get rdr rule without interface
assignment, use an Address or a Host object that has the same IP
address as that of firewall's interface but that is not a child
of an interface. This is the same approach that is used in
iptables.</li>
<li>Compiler for pf always uses tables; this breaks
compatibility with older OpenBSD systems (3.2 and 3.3)</li>
<li>Compiler for pf puts interface name in a table for rules
that use multiple objects in src or dst and one of these objects
is dynamic interface of the firewall that is being
processed. Using dynamic interface of another object in a rule
is still considered an error. Compiler puts the name of dynamic
interface in a table verbatim, without brackets '(' ')' since pf
does not replace dynamic interface with its address dynamically
if it is used in a table (pfctl issues an error if interface is
put in brackets)</li>
<li>added an option to permit tcp sessions opened prior to
firewall restart. This is needed now since compiler generates
"flags S/SA" for the "keep state" and "modulate state" rules
which means firewall won't permit TCP sessions unless it saw
opening SYN packet.</li>
<li>bug #1028973: fwb_pf: missing "flags S/SA" in front of
"modulate state". Compiler adds "flags S/SA" to policy rules
that use either "keep state" or "modulate state" options.</li>
<li>bug #1028980: "need an option to turn logging on on fallback
rule". Option has been added.</li>
</ul>
<p>
<br>
<br>
<h2>Bugs fixed in libfwbuilder API:</h2>
<ul>
<li>bug #1022788: "GUI corrupts XML file after creating a second
firewall". Global object ID counter was getting reset every time
new FWObjectDatabase object was created. This lead to the ID
collision if user quickly created and deleted complex objects
(such as Firewall) and used database merge. This should also fix
bug #1022785: "GUI corrupts XML file after creating a host
entry"</li>
<li>fixed bug (no number): all references to the interfaces, as
well as their IP and MAC addresses, in policy and NAT rules
should be replaced when Firewall object is duplicated. Until now
only references to the firewall object itself and to its
interfaces were replaced with references to the newly created
copies of object. References to IP and MAC addresses still
pointed at the old objects.</li>
</ul>
<p>
<br>
<br>
<h2>Bugs fixed in GUI:</h2>
<ul>
<li>bug (no number): after deleting a library firewall objects
that belong to it were not removed from the pull-down list</li>
<li>bug #1026945: '"Save As" does not work if current file is in
RCS'</li>
<li>bug #1028078: "options.png is not displayed for "Assume
firewall is part..."</li>
<li>bug #1035132: "compile errors with default Linksys firewall
object". This bug has been introduced in build 435. When user
created a new firewall object using one of the template objects,
the GUI would add bunch of garbage to the firewall options. This
garbage violated XML DTD, so compilers and the GUI would not
accept the data file anymore.</li>
<li>bug #1035130: 'Persistent "Save" dialog box'. Certain
combination of actions on user's part used to lead to an
indefinite loop of "do you want to save the data" dialogs. The
problem was triggered if user skipped choosing a name for the
new file in startup dialog.</li>
</ul>
<br>
<br>
<h2>Bugs fixed in iptables policy compiler fwb_ipt:</h2>
<ul>
<li>bug #1024861: "optimizer is broken in fwb_ipt". Used idea
and a patch by Mark Vevers <mark@vevers.net>. Fixed compiler
fwb_ipt generates more efficient iptables script for rules with
multiple objects in all rule elements. The script is smaller and
eliminates unnecessary comparisons for packet attributes. Every
attribute (i.e. source address, destination address, protocol
and port numbers) is checked by the script only once. This
should help reduce load on firewalls with lots of complex
rules.</mark>
<li>bug #1026509: "incorrect rules generated for dual negation
with time". Compiler generated incorrect iptables commands for
rules that had negation in two or more rule elements, one of
which was Time.</li>
<li>bug #1026794: multiple SRC ntwks --> "iptables: invalid
argument". Recent changes in optimizer introduced this
bug. Rules with multiple objects in src or dst, TCP service,
action Reject and option "reject with TCP RST" would generate
iptables command that used option "--reject-with tcp-reset"
without "-p tcp"</li>
</ul>
<br>
<br>
<h2>Bugs fixed in iptables policy compiler fwb_pf:</h2>
<ul>
<li>bug #1006906: "Negated network causes pass on
network". Compiler for pf uses native negation syntax that is
now available in pf</li>
<li>bug (no num): "firewall settings" dialog for OpenBSD pf did
not save option "Use tables". Since compiler is always using
tables, this option was removed from the dialog.</li>
</ul>
<hr>
<!-- Created: Fri Aug 6 21:40:42 PDT 2004 -->
<!-- hhmts start -->
Last modified: Thu Sep 30 20:16:23 PDT 2004
<!-- hhmts end -->
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink