onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-22 03:07:20 +01:00
Code Issues Releases Wiki Activity
fwbuilder/doc/ReleaseNotes_2.0.4.html
Vadim Kurland fcfedad398 Initial import into v3 branch
2007-12-25 22:25:59 +00:00

382 lines
16 KiB
HTML
Raw Blame History

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<link rel="stylesheet" type="text/css" href="http://www.fwbuilder.org/pages/fwbuilder.css">
</head>
<body>
<h1> Firewall Builder Release Notes </h1>
<br>
<h2> Version 2.0.4 </h2>
<br>
<p>
Released 12/02/04
<br>
<b>GUI and compilers v2.0.4 require API library libfwbuilder version 2.0.4</b>
<br>
<h2>Summary </h2>
<p>
<p>
<b>For those who wish to build from source, instructions are outlined
in the document "Install and Build instructions" on our web site <a
href="http://www.fwbuilder.org/archives/cat_installation.html">here</a></b>
<h2>What's new</h2>
<ul>
<li>Improvements in the GUI
<p>
<ul>
<li>improved error handling: if the GUI is started with a
file on the command line or is configured to open a file
automatically on startup and RCS can not check the file out,
the GUI will come up empty (with only standard objects
loaded). Previously in a situation when the GUI was
configured to open a file automatically, but the file could
not be checked out, there was no way to cancel this
automatic file open operation since the GUI would never come
up.</li>
<li>Added Japanese translation by Tadashi Jokagi
&lt;elf@elf.no-ip.org&gt;</li>
<li>Added Russian translation by RusBusinessSecurity Co. Ltd.,
Russia. This translation is fairly complete but is still
considered preliminary. Bug reports and suggestions are very
welcome.
</li>
</ul>
<li>Improvements in the built-in policy installer
<p>
<ul>
<li>Built-in installer checks exit status of the script it
runs on the firewall and aborts installation sequence if it
detects an error. OS resource files have been updated
accordingly so they return exit status '1' in case of error
and '0' when they succeed.</li>
<li>Added an option to push PIX configuration to a standby
firewall at the end of install.</li>
<li>Added support in installer for new configuration script
formats for PIX:
<p>
<ol>
<li>basic or old format when access lists are cleared
and added from scratch</li>
<li>Access lists have unique names each time policy is
recompiled, lists are added without clearing.</li>
<li>Access lists are added with temporary names and
assigned to interfaces, then the same lists are added
with permanent names, lists are swapped and temporary
lists cleared</li>
</ol>
<p>Last two methods provide for instantaneous access list
swap so that the firewall never runs with empty
lists. This helps maintain access to the firewall if
configuration is installed remotely.
</li>
</ul>
</li>
<li>Improvements in policy compiler for iptables:
<p>
<ul>
<li>implemented Feature Request #1021201: "output
iptables-restore compatible config from fwb_ipt". Policy
compiler for iptables can use iptables-restore to activate
firewall policy. Iptables-restore provides for atomic policy
load and allows to load large policy much faster. Atomic
load means the whole filter or nat table is activated at
once, and if there is an error, nothing is changed. Compiler
generates script in three possible formats:
<p>
<ol>
<li>the ususal shell script that adds rules one at a
time by executing iptables command with an "-A" flag to
add a rule;</li>
<li>commands are fed to iptables-restore, this format is
used when all interfaces of the firewall have static IP
addresses and script does not need to determine
addresses at run time;</li>
<li>script determines IP addresses of interfaces and
discovers dynamic interfaces that were defined as a
"wildcard" interface in fwbuilder (e.g. 'ppp*'); code
that is sent to iptables-restore is generated
dynamically by the script at run time.</li>
</ol>
<p>Using iptables-restore is optional and is controlled by
the checkbutton in the "Script options" tab of firewall
settings dialog. Path to iptables-restore utility can be
set in the "Paths" tab of the host settings dialog.
</p>
</li>
<li>policy installation via iptables-restore has been tested
with old versions of iptables (1.2.6a). Script need to
include "-m tcp", "-m udp" or "-m icmp", otherwise
iptables-restore does not understand options "--dport",
"--tcp-flags" and some others. Also had to use "--tcp-flags
SYN,RST,ACK SYN" instea dof "--syn" for better backwards
compatibility.</li>
<li>A change in the script generated by fwb_ipt: if
iptables-restore is not used to load policy, generated shell
script purges existing firewall policy (all tables and
chains) and sets default chain policies after it configures
interfaces of the firewall. Previously, it would flush
tables and set default policy before it configured
interfaces.</li>
<li>removed code that added iptables command to the "drop"
table to drop and log all dropped packets. This rule used
obsoleted patch-o-matic patch "drop" which is not available
anymore. </li>
<li>moved rule permitting backup ssh access from the
management station to the firewall to the top of the
script. This helps maintain ssh session, otherwise it may
stall or break because stdout buffer is filled with
diagnostic or progress output from the script that is
printed after all chains are flushed but before rule
permitting ssh to the firewall is added. If stdout buffer is
full, ssh stops and tries to send the text to the management
station but times out because firewall blocks it.</li>
</ul>
<br><br>
</li>
<li>Improvements in policy compiler for pf:
<p>
<ul>
<li>Activation script for PF flushes only information about
rules, nat, source and tables (it used to flush "all"). This
preserves queue entries and states. </li>
</ul>
<p>
</li>
<li>Improvements in policy compilers for all platforms:
<p>
<ul>
<li>added support for prolog and epilog scripts for all
firewall platforms. This was available for PIX for some
time, now it has been added for all
platforms. "Prolog/Epilog" tab of the firewall settings
dialog allows for editing of two blocks of commands that
will be added to the generated firewall script
verbatim. Prolog block is added on top, while epilog block
is added at the bottom. Both prolog and epilog are expected
to be shell scripts and are added to the generated shell
script that activates firewall. For iptables and ipfw all
compiler generates is this shell script and prolog and
epilog commands are inserted into it. These commands may
execute some actions, as well as add any policy or nat
commands. For ipf and pf prolog and epilog commands are
added to the activation shell script ( .fw file); prolog is
added immediately after the command that flushes all
rules. This way user may either execute shell commands or
add policy and/or nat rules by loading them from external
file. </li>
<li>all policy compilers properly detect an error when the
output file can not be created or overwritten and print
error message to warn the user.</li>
<li>Added element "Target/family" to all OS resource XML
files. Compilers use "family" resource element to determine
if host OS is supported. User may want to copy host OS
resource file to modify installer scriptlets; as long as the
family element is kept the same, compiler will accept new
resource file.</li>
</ul>
<p>
</li>
<br>
</ul>
<br>
<br>
<hr>
<br>
<br>
<h2>Bugs fixed in GUI:</h2>
<ul>
<li>bug #1077072: "CrossPlatform Firewall Builder Crash" -
pressing arrow down key on the keyboard right after the GUI
started with no firewall objects defined caused crash.</li>
<li>bug (no num): if a library was assigned a name with
non-ascii characters, it would appear distorted in the pull-down
list in object dialogs.</li>
<li>bug (no number) introduced in 2.0.3 when GUI crashed if user
tried to choose pull-down menu item in the firewall list after
the very first firewall object has been created. </li>
<li>bug (no number): group object dialog corrupted object names
if they contained non-ascii characters.</li>
<li>bug #1046345: "ipfw - no option to specify ipfw
executable". Added GUI control to let user specify alternative
path to "ipfw" on FreeBSD. Control like that was previously
available only for Mac OS X </li>
<li>bug #1028866: "incorrect order when several rules copied
using copy/paste". Pasting multiple rules into an empty policy
caused rules to be inserted in the wrong order.</li>
<li>bug (no number): Policy installer failed if the following
conditions were met: - it was running on Linux, FreeBSD or Mac
OS X - working directory configured in the "General" tab of the
Preferences dialog did not exist and could not be created or its
permissions did not allow user that runs the GUI to access
it</li>
<li>Added #include <errno.h> to make code compile with gcc 3.4.2
and glibc 2.3.3</li>
<li>bug (no number): GUI could not find names of the object
libraries in external library files that user added for
automatic load in the Preferences dialog on Windows. It would
find the name of the library in the first file, but failed to
find library names in subsequent files and used the name from
the first file. Since this library was only present in the first
file, object tree was getting corrupted when the program
attempted to load this library from every file configured for
automatic pre-load. This only happened on Windows.</li>
</ul>
<br>
<br>
<h2>Bugs fixed in API:</h2>
<ul>
<li>bug #1077496 ] Error compiling libfwbuilder in FreeBSD:
The problem was caused by changed major version number of libnetsnmp library
in the latest net-snmp port (v5.2)</li>
<li>bug #1055937: "Any->all_multicasts not in INPUT Chain". Need
to check if network objects are multicasts; assume that
multicast always matches firewall object (e.g fwb_ipt will put
rule with such network object in destination in INPUT
chain)</li>
<li>bug #1040773: need to match network address as well as
broadcast. Packets sent to the network address (192.168.1.0 for
net 192.168.1.0/24) go in the broadcast frame and behave just
like IP broadcast packets (sent to 192.168.1.1255 for the same
net)</li>
<li>bug (no number): rule shadowing algorithm now assumes that
IPService object with protocol number '0' shades any other
service just like 'any' does.</li>
<li>bug (no num): rule shadowing algorithm checks for IP flags
in IP service object. IP service object with protocol 0 shades
anything only if its flags are cleared. Two IP services shade
each other only if they are completely equal (protocols and all
flags settings are the same). However, IP service with protocol
0 shades other IP service with protocol !=0 if all flags
settings are the same.</li>
<li>change in the object database merge algorithm: when an
object database we are trying to merge has non-empty "Deleted
objects" library, deleted objects from this library should be
ignored (they used to be deleted from the current
tree). Likewise, when current tree has non-empty "Deleted
objects" library and objects in it match objects being merged
in, objects should be removed from "Deleted objects" library to
avoid creating duplicate IDs with objects being merged in.</li>
<li>bug (no number): program crashed on FreeBSD 5.3 when using
SNMP to obtain parameters for hosts and interfaces. Crash
occurred because of use of uninitialized mutex variables in
module dns.cpp</li>
<li>bug (no number): The API used to corrupt CustomService
object while saving data to the XML file if service code
included special characters such as '&'</li>
</ul>
<br>
<br>
<h2>Bugs fixed in policy compiler for iptables fwb_ipt:</h2>
<ul>
<li>bug #1073491: incorrect code for rules using two interfaces
with negation. If a rule had two (or more) interfaces of the
firewall in the destination, with negation, the code generated
by compiler would check one interface's address in INPUT chain
and another in FORWARD chain. It should check addresses of all
interfaces from the corresponding rule element in the INPUT
chain and also check addresses and possibly services from other
rule elements in the FORWARD chain. This bug affected rules with
two or more interfaces both in source and destination.</li>
<li>bug #1040788: fwb_ipt and user name. Compiler used to read
environment variable "USER" to find out user's name. Sometimes
this variable is not set, which caused compiler to abort. Using
env variable LOGNAME in addition to USER.</li>
<li>bug #1040599: "unnecessary FORWARD rules". If ip forwarding
is turned off in the host settings dialog of the linux-based
firewall, compiler should not generate rules in FORWARD
chain.</li>
<li>bug (no number): compiler placed extra quote '"' at the end
of each NAT command in the script using iptables-restore; this
happened only if all interfaces of the firewall had static
addresses.</li>
<li>bug (no number) in fwb_ipt that caused no-nat rules with
firewall in OSrc to be placed only in OUTPUT chain. Packets
originating on the firewall go into OUTPUT and POSTROUTING
chains, so no-nat rules must be placed in both. Other minor
improvements for NAT of the locally originated connections have
been done as well.</li>
<li>bug (no number) where compiler for iptables used option
"--destination-port" with module "multiport" for versions of
iptables that do not understand it (1.2.6 and later, as well as
default version setting 'any'). The option should be
"--destination-ports" or "--dports".</li>
<li>bug #1063953: "Wrong accept/multiport rule
generated". Compiler generated wrong code for rules using
multiple service objects of different types (TCP and UDP, or TCP
and ICMP etc), multiple addresses in src or dst with option that
requires using TCP RST for action REJECT. This bug was
introduced in build 453</li>
<li>bug (no number): policy compiler for iptables used "tail -1"
in the shell script that read actual IP addresses of interfaces
of the firewall. This shell code failed to determine correct
address of an interface that was configured with a secondary
address. Reverted to using grep (I switched to tail when ran
into limitations of one of the beta builds of Sveasoft Linksys
firmware that did not have grep)</li>
</ul>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink