fwbuilder/doc/ReleaseNotes_2.0.8.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
    <link rel="stylesheet" type="text/css" href="http://www.fwbuilder.org/pages/fwbuilder.css">
  </head>
  <body>
    <h1>		Firewall Builder Release Notes </h1>
    <br>
    <h2> Version  2.0.8   </h2>
    <br>
    <p>
      Released 07/08/2005
      <br>
      <b>GUI and compilers v2.0.8 require API library libfwbuilder version 2.0.8</b>
      <br>
    <h2>Summary </h2>
    <p>
      This is a bug fix release
    <p>
      <b>For those who wish to build from source, instructions are outlined
        in the document "Install and Build instructions" on our web site <a
          href="http://www.fwbuilder.org/archives/cat_installation.html">here</a></b>

    <h2>What's new</h2>
    <ul>
      <li>Improvements in the GUI
        <p>
        <ul>
          <li>Included updated German translation by Hans Peter
          Dittler &lt;hpdittler at braintec-consult.de&gt;
          </li>

          <li>implemented Feature Request #1145666: "Print RCS
          Log". File/Properties dialog can now print RCS log. Thanks
          to "Ilya V. Yalovoy" &lt;yalovoy@pilot.aip.mk.ua&gt; for the
          patch.</li>

          <li>Some code changes were made to make the code comiple and
          work on Solaris. In particular, tests and emulation for
          forkpty and cfmakeraw functions were added. Currently this
          still remains largely untested.</li>

        </ul>
      </li>

      <li>Improvements in policy compilers for pf, ipf, ipfw
        <p>
        <ul>
          <li>implemented support for subnets for backup ssh access for
            pf,ipf,ipfw. Subnet can be defined using either full netmask or
            bitlength: both "192.168.1.0/255.255.255.0" and "192.168.1.0/24"
            are acceptable. Single host address works too, both as
            "192.168.1.10" and as "192.168.1.10/255.255.255.255" or
            "192.168.1.10/32". Incorrect address or netmask cause compiler
            to abort processing.</li>
        </ul>
      </li>

      <li>Improvements in compiler for ipfw
        <p>
        <ul>
          <li>using rule sets to atomically swap old and new
          rules. New rules are loaded in the set 1 and then swapped
          into set 0. If there is an error in a new rule set, it is
          caught while loading rules into inactive set 1, at which
          point script stops without changing old firewall rules.</li>

          <li>added "established" rule on top of the regular backup
          ssh access rule; this allows to maintain management ssh
          session after the policy is reloaded. both "ipfw -f" and
          swapping sets flushes all states, so the ssh session used to
          upload and activate new policy breaks. A rule with
          "established" keyword maintains this session.</li>
        </ul>
      </li>


    </ul>

    <br>
    <br>
    <hr>


    <br>
    <br>
    <h2>Bugs fixed in the Standard Objects library:</h2>
    <ul>
      <li>bug #210518: 'Incorrect ending day in the standard object
      "weekends"'. This object defined time interval ending at 23:59
      on Monday instead of Sunday</li>

    </ul>


    <br>
    <br>
    <h2>Bugs fixed in scripts and tools:</h2>
    <ul>
      <li>bug #1200902: "fwb_compile_all does not work in 2.0". Script
      fwb_compile_all broke because of changes in data file
      format</li>

    </ul>


    <br>
    <br>
    <h2>Bugs fixed in GUI:</h2>
    <ul>
      <li>bug #1072842: "fwbuilder: Solaris and forkpty". We need
      forkpty fr built-in installer but this function is not awailable
      on Solaris. I am adding re-implementation, but it hasn't been
      tested since I do not have Solaris machine.</li>

      <li>bug #1201406: "shutdown messages should be
      suppressed". Installation scriptlet tries to kill shutdown
      process, if there is one, to cancel pending shutdown that might
      have been left over from test install. If there is none, the
      script prints an error message "shutdown process not found" or
      similar, which confuses user. Needed to suppress these error
      messages.</li>

      <li>bug #1204067: "incorrect timezone handling in RCS". Windows
      version of RCS incorrectly converts check-in time when time zone
      is east of GMT. This caused the GUI to incorrectly show checkin
      time of files in the "Open File" dialog if the program was
      running in locale East of GMT, for instance in Japan. </li>

      <li>bug #1207983: "incorrect size of "I" and "L" buttons in the
      group view dialog". Tested with large font and cleaned up layout
      in many dialogs.</li>

      <li>bug #1212121: "sudo shutdown doesn't work".</li>

      <li>bug #1212123: "executing file below /tmp as root". Avoiding
      world-writable directory /tmp/ while activating policy in the
      test mode.  This change makes installer use subdirectory "tmp"
      under directory specified in the "intaller" tab of firewall
      settings dialog. That directory is expected to have proper
      permissions; subdirectory "tmp" can be created manually,
      otherwise installer creates it. Either way, it is not
      world-writable, therefore unauthorized users can not create
      scripts in it.</li>

      <li>bug #1212179: "tool tips for TCP services cuts off some
      services". The gui would show very long tooltip for large
      groups; if the group was too large, the tooltip did not fit on
      the screen.</li>

      <li>bug #1213361: "PF on FreeBSD-5.4R". Bug description is
      misleading, the probem was caused by built-in installer rather
      than by compiler for PF. Installer would not copy generated
      script over ssh if the script was longer than some threshold and
      the gui was running on FreeBSD.</li>

    </ul>

    <br>
    <br>
    <h2>Bugs fixed in policy compiler for iptables:</h2>
    <ul>
      <li>bug #191423: "Weekend Time restriction not created
      correctly". Rules with time restriction spanning from Saturday
      to Sunday were generated with incorrect "--day" option
      </li>

      <li>bug #1205665: "Error with summer time when compiling
      script". Sometimes timezone name has "'" in it which confuses
      shell and causes an error when generated script prints
      "Activating firewall policy..." log message</li>

      <li>bug #1215279: "rate limiting rule logs everything".  Rule
      utlilizing "limit" module to rate limit packets with logging
      logged every packet and dropped those that exceeded the
      limit. The fix makes it apply the limit first and then log only
      packets that were dropped.</li>
    </ul>


    <br>
    <br>
    <h2>Bugs fixed in policy compiler for iptw:</h2>
    <ul>
      <li>bug #1155351: "Remote install of FW rulset fails due to race
      condition". Generated ipfw firewall script could not be ran
      reliably over ssh session because "ipfw -f" flushes all rules
      and all state, which breaks ssh session. As soon as the script
      needed to print anything, it got I/O error from the system
      because TCP session for ssh was blocked; this stopped the script
      and did not let it activate new firewall policy. Using rule sets
      and "established" rule for the backup ssh access solved the
      problem.
      </li>

    </ul>
    



  </body>
</html>