fwbuilder/doc/ReleaseNotes_2.0.7.txt

                         Firewall Builder Release Notes

Version 2.0.7

   Released 05/08/2005
   GUI and compilers v2.0.7 require API library libfwbuilder version 2.0.7

Summary

   This is a bug fix release

   For those who wish to build from source, instructions are outlined in the
   document "Install and Build instructions" on our web site here

What's new

     * Improvements in the GUI

          * implemented feature req. #1151220: "Close" button should change
            is caption/title to "Install". When user clicks "Install" toolbar
            button or main menu item, the "Close" button in the pop-up window
            that displays compiler progress changes its text caption to
            "Install"
          * implemented feature request #1151206: "Search for IP Addresses".
            "Find" dialog searches for objects by a combination of name and
            one of the following attributes: address, tcp/udp port, ip
            protocol number or icmp message type. Regular expressions can be
            used for both name and attribute.
          * Support for SNMP operations has been added in Windows packages of
            Firewall Builder

     * Improvements in built-in installer:

       User can specify additional command line parameters for ssh that
       built-in installer runs to access firewall. This allows for
       alternative ssh port or alternative ssh identity to be used when
       accessing firewall. Parameters can be added in the "Installer" tab of
       firewall settings dialog for all platforms.

     * Improvements in compiler for ipfilter fwb_ipf

       Added support for dynamic addresses in ipfilter. Actual address of
       dynamic interface is now determined at run-time in the policy
       activation script <firewall_name>.fw generated by fwbuilder. If
       dynamic interface is used somewhere in the policy or nat rules, it
       will be replaced with its actual address by activation script before
       configuration is sent to ipf or ipnat for activation. This run-time
       substitution is done only if a checkbox is checked in the "Script
       options" tab of firewall settings dialog. Default behavior is to use
       "any". This is because ipfilter configuration files
       <firewall>-ipf.conf and <firewall>-nat.conf that rely on run-time
       substitution of dynamic interface address can not be loaded using
       standard activation scripts that come with FreeBSD.

       Generated script uses function getaddr() to determine address of
       dynamic interface. This function falls back to 0.0.0.0/32 if dynamic
       interface has not been assigned an address yet or is down. Ipfilter
       policy using run-time substitution of dynamic interface addresses will
       be functional even if these interfaces are down or do not have IP
       address.

     * Improvements in compiler for iptables fwb_ipt

       Generated iptables script sets default policies to DROP in all ipv6
       filter chains. More detailed control can be implemented using prolog
       or epilog scripts.

       Note that this changes behavior of the generated iptables script with
       respect to IPv6. Until now, the script just ignored IPv6 but some
       people felt this leaves a hole in the firewall and asked me to make
       the script close it. Generated shell code will check if ip6tables is
       installed on the system and if it actually works before setting
       default policies to DROP. This means it won't try to do it if
       ip6tables is not installed or if it is present, but IPv6 is not
       compiled into the kernel (so ip6tables does not work and generates
       errors).

     ----------------------------------------------------------------------

Bugs fixed in GUI:

     * bug #1151052: "Not external interfaces marked as external". Dialog for
       an interface object that belongs to a host should not show checkbox
       "external (insecure) interface"
     * bug #1151212: "Collapsed sub-objects shouldn't be added if they are
       hidden". When user selects multiple objects in the tree some of which
       have child objects, those child objects used to be also selected and
       added to groups in addition to their parent objects via drag-and-drop
       operation.
     * bug #1151243: "Maintain format of description text". The GUI ignored
       text formatting in object comment when displayed it in the info panel
       (lower left corner of the main windows)
     * bug #1155163: "print does not print group contents". The program
       printed only number of objects contaned in object or service groups.
       Now it prints lists of member objects for all groups used in rules. If
       groups contain other groups, they are printed recursively.
     * bug #1172620: "Add tcp service object for icslap". Added this object
       to the objects library "Standard".
     * bug #1184791: "can not copy/paste multiple objects into a group"

Bugs fixed in API:

     * bug #1158870: "mutexes are not properly created on FreeBSD". Mutexes
       gethostbyname_mutex and gethostbyaddr_mutex were never created but
       used on OS where thread-safe resolver is not available.
     * bug #1151219: "New Host creation window is not well dimensioned".
       Fixed wrong dialog page layout in the new host wizard.
     * bug #1157976: "patches to make fwbuilder compile under NetBSD 1.6".
       Applied patches.
     * bug #1173801: '"&" character in prolog/epilog'. Needed to call
       xmlEncodeSpecialChars to encode special characters in firewall options

Bugs fixed in policy compiler for iptables fwb_ipt:

     * bug #1123748: "busybox grep -E". Busybox in floppyfw is compiled
       without support for egrep (or grep -E). Switched to using "plain"
       grep.
     * bug #1160186: 'IPTables Compiler - Multiport Issue'. When 16 or 31
       ports were used in a single rule, compiler generated command with
       conflicting options "-m multiport --dport"
     * bug #1176890: "block IPv6". Generated iptables script sets default
       policies to DROP in all ipv6 filter chains. More detailed control can
       be implemented using prolog or epilog scripts.

       Note that this changes behavior of the generated iptables script with
       respect to IPv6. Until now, the script just ignored IPv6 but some
       people felt this leaves a hole in the firewall and asked me to make
       the script close it. Generated shell code will check if ip6tables is
       installed on the system and if it actually works before setting
       default policies to DROP. This means it won't try to do it if
       ip6tables is not installed or if it is present, but IPv6 is not
       compiled into the kernel (so ip6tables does not work and generates
       errors).
     * bug #1176890: "block IPv6". Generated iptables script sets default
       policies to DROP in all ipv6 filter chains. More detailed control can
       be implemented using prolog or epilog scripts.
     * bug #1179103: 'compiled rules can not be installed'. Generated
       iptables script could not be used on systems with non-English locale
       where timezone name used local characters because these characters
       were printed as hex ( "&#21488;" ) and '&' caused problems with shell.
       Now using single quotes to make shell ignore any characters in the
       string. Will deal with proper printing of localazed timezone later.
     * bug #1181359: "Missing traling space in "INVALID state" syslog
       message"
     * bug #1195201: "getaddr function return error ip address". Yet another
       change in the way we use grep to find IP addresses of an interface on
       Linux. We can't use regex (bug #1123748) and need to filter out
       secondary addresses from the "ip addr show" output. It looks like
       "grep -v :" neatly solves the problem without using regex.

Bugs fixed in policy compiler for pf fwb_ipf:

     * bug #1173067: "support for port ranges in NAT rules (ipfilter)" -
       policy compiler for ipfilter should split DNAT rules (rdr) that use
       TCP or UDP objects with port ranges. A warning is issued if more than
       20 rules are created.
     * bug #1173064: "support for dynamic interfaces in ipfilter". Actual
       address of dynamic interface is now determined at run-time in the
       policy activation script <firewall_name>.fw generated by fwbuilder. If
       dynamic interface is used somewhere in the policy or nat rules, it
       will be replaced with its actual address by activation script before
       configuration is sent to ipf or ipnat for activation. This run-time
       substitution is done only if a checkbox is checked in the "Script
       options" tab of firewall settings dialog. Default behavior is to use
       "any". This is because ipfilter configuration files
       <firewall>-ipf.conf and <firewall>-nat.conf that rely on run-time
       substitution of dynamic interface address can not be loaded using
       standard activation scripts that come with FreeBSD.

       This also fixes another problem in fwb_ipf where it generated rdr and
       nat commands with address 0.0.0.0/32 if dynamic interface was used in
       a NAT rule.

Bugs fixed in policy compiler for pf fwb_pf:

     * bug #1176051: "incorrect rule generated for TCP service ftp-data". If
       a rule used several TCP or UDP service objects and one of them has
       source port range configured, generated PF filter rule incorrectly
       matched on a combiantion of that source port range _and_ destination
       port ranges from all other service objects. This bug affected
       compilers for OpenBSD PF and ipfilter