Firewall Builder Release Notes

 

Firewall Builder 4.2.2 Release Notes

v4.2.2 is a minor bug-fix release

SourceForge: Tickets for V4

GUI Updates

  • fixes #2395 "Crash when setting installer directory location" and fixes #2396 "Crash when changing firewall name". These two bug reports were manifestations of the same problem, which was introduced by the fix for #2380. When the user hits OK in the newFirewallDialog and the new firewall object has been added to the object tree, any editing of the parameters of this new object would cause the GUI to crash.

Firewall Builder 4.2.1 Release Notes

v4.2.1 is a minor bug-fix release

SourceForge: Tickets for V4

GUI Updates

  • Fix for SF bug 3169045 "Batch installer lists IPv4 address as management address". Built-in installer wanted to use management interface address in batch mode even when alternative address or putty session name was provided. This happens only in batch mode install.

  • fixes #2370, #2371 "broken signals in network discovery wizard". Network discovery wizard was not correctly initialized and did not work.

  • fixes #2368 and SF bug 3294457 "External install script". External install script name and arguments weren't saved for IOS firewall objects.

  • fixes #2360 "Sometimes fwbuilder opens with object tree scroll bar centered so folders are not visible"

  • fixes #2385 "PF action Classify uses wrong parameter". This change fixes a bug introduced in 4.2.0 that affects rules with action Classify in PF firewalls. The bug causes the following problems:

    For users who built their rules before v4.2.0:

    • rules compile normally, both in the single rule compile and when the whole firewall is compiled
    • if they opened the action of one of such rules in the action editor, the classification string would look empty
    • if they entered new classification string in the editor, compiler kept using the old one (which they can not see or change in the editor)

    For users who tried to build rules with action Classify with v4.2.0:

    • no matter what classification string they enter in the action dialog, generated code does not use it

Firewall Builder 4.2.0 Release Notes

In addition to bug fixes and minor enhancements, Firewall Builder V4.2 adds the following new features:

  • Import
    • Import of Cisco ASA and PIX configurations
    • Object de-duplication during the import process
    • Automatic platform and version detection during import process
    • Ability to use fwbedit command line utility to import configurations
  • BSD Updates
    • Support for configuring bridge interfaces and static routes on BSD systems
    • Ability to generate FreeBSD platform configurations in rc.conf style format
  • Cisco ASA/PIX/FWSM Updates
    • Configuration generation for Cisco ASA and PIX devices running versions v8.0 - v8.4 including support for new NAT syntax in v8.4
    • Cisco ASA/PIX/FWSM rules use named objects where possible
    • Ability to define Inbound and Outbound Interfaces in NAT rules
  • iptables Updates
    • Ability to define Inbound and Outbound Interfaces in NAT rules
  • All Platforms
    • Address Table objects can now be edited in a text window directly in Firewall Builder

Summary of Technical Changes

This is the first version to merge libfwbuilder and fwbuilder packages. The libfwbuilder library is now in the src/libfwbuilder subtree inside fwbuilder code tree.

RPM .spec files and DEB .control files are now located in the directory "packaging" inside fwbuilder code tree.

Changes in the versioning format: build number is going to be used as part of the long version number, composing complete version as "4.2.0.3425". The "-n" suffix in rpm and deb package names will be used for package release number and most of the time will be "-1". This suffix should reflect minor differences in the package that do not affect the code.

We have stopped making builds on Ubuntu Hardy. Old Qt (4.4.1) means more and more parts of the code do not compile and require workarounds, sometimes with loss of functionality in the GUI. v4.1.3 will be the last officially released version of fwbuilder to work on Hardy.

This release adds interfaces to the NAT rule model. There are two interfaces per NAT rule: "inbound interface" and "outbound interface". DTD version changes to "18", old data files need to be upgraded. Inbound and outbound interfaces in NAT rules are supported for iptables, ASA/PIX/FWSM and PF, but in the case of PF GUI exposes only one interface to the user since PF commands can not match two interfaces simultaneously.

This release adds support for ASA 8.0 - 8.3 configuration generation, including named objects and "new" style nat commands in ASA 8.3

This release comes with numerous improvements in support for FWSM 2.x, 3.x and 4.x configuration generation.

This release implements import of PIX, ASA and FWSM configurations. Host name, version, interface configuration, object groups, named objects, access lists as well as commands "global", "nat" and "static" can be imported. There is no support for import of the "new" ASA 8.3 "nat" commands just yet. Also there is no support for import of standby configuration, which means PIX clusters can not be created automatically by importing existing configuration.

This release adds the ability to generate an initialization script in rc.conf format for FreeBSD. Only FreeBSD is currently supported (not OpenBSD). The generated script includes variables to configure interfaces and their IPv4 and IPv6 addresses, vlans, CARP and pfsync interfaces, as well as variables that initialize PF.
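To make the rc.conf style output concrete, here is an added example of a small generator for it. This is not fwbuilder's code: the input dict is a constructed description of a firewall, the rc.conf variable names used (ifconfig_*, vlans_*, cloned_interfaces, static_routes/route_*, pf_enable, pf_rules, pflog_enable) are the standard FreeBSD ones, and the "vhid ... pass ..." form for carp0 assumes the older cloned-interface style of CARP that matched FreeBSD releases of this era.

```python
import ipaddress
from typing import Dict, List

# Constructed description of a FreeBSD firewall (a plain dict, not fwbuilder's data model).
# Addresses are documentation ranges and the CARP password is a placeholder.
FIREWALL = {
    "interfaces": [
        {"name": "em0", "addresses": ["198.51.100.2/24", "2001:db8::2/64"]},
        {"name": "em1", "addresses": ["192.168.1.1/24", "192.168.1.2/24"],
         "vlans": [{"id": 10, "addresses": ["192.168.10.1/24"]}]},
        {"name": "carp0", "carp": {"vhid": 1, "pass": "PLACEHOLDER_PASS", "address": "192.168.1.254/24"}},
        {"name": "pfsync0", "syncdev": "em1"},
    ],
    "default_gateway": "198.51.100.1",
    "static_routes": [("net10", "10.0.0.0/8", "192.168.1.2")],
    "pf_rules": "/etc/pf.conf",
}

def ifconfig_arg(addr_cidr: str) -> str:
    """'198.51.100.2/24' -> 'inet 198.51.100.2 netmask 255.255.255.0'; IPv6 uses prefixlen."""
    iface = ipaddress.ip_interface(addr_cidr)
    if iface.version == 4:
        return f"inet {iface.ip} netmask {iface.network.netmask}"
    return f"inet6 {iface.ip} prefixlen {iface.network.prefixlen}"

def address_vars(var_base: str, addresses: List[str]) -> List[str]:
    """First IPv4 -> ifconfig_X, first IPv6 -> ifconfig_X_ipv6, further addresses -> ifconfig_X_aliasN."""
    lines, alias_n, seen_v4, seen_v6 = [], 0, False, False
    for addr in addresses:
        version = ipaddress.ip_interface(addr).version
        if version == 4 and not seen_v4:
            suffix, seen_v4 = "", True
        elif version == 6 and not seen_v6:
            suffix, seen_v6 = "_ipv6", True
        else:
            suffix, alias_n = f"_alias{alias_n}", alias_n + 1
        lines.append(f'ifconfig_{var_base}{suffix}="{ifconfig_arg(addr)}"')
    return lines

def generate_rc_conf(fw: Dict) -> List[str]:
    """Render the constructed firewall description as rc.conf lines."""
    lines, cloned = [], []
    for itf in fw["interfaces"]:
        name = itf["name"]
        if "carp" in itf:                       # CARP as a cloned interface (assumed older style)
            c = itf["carp"]
            cloned.append(name)
            lines.append(f'ifconfig_{name}="vhid {c["vhid"]} pass {c["pass"]} {c["address"]}"')
            continue
        if "syncdev" in itf:                    # pfsync interface bound to its sync device
            cloned.append(name)
            lines.append(f'ifconfig_{name}="syncdev {itf["syncdev"]} up"')
            continue
        lines += address_vars(name, itf.get("addresses", []))
        vlans = itf.get("vlans", [])
        if vlans:
            # vlans_em1="10" creates em1.10; its addresses go to ifconfig_em1_10
            lines.append(f'vlans_{name}="{" ".join(str(v["id"]) for v in vlans)}"')
            for v in vlans:
                lines += address_vars(f'{name}_{v["id"]}', v["addresses"])
    if cloned:
        lines.insert(0, f'cloned_interfaces="{" ".join(cloned)}"')
    lines.append(f'defaultrouter="{fw["default_gateway"]}"')
    if fw.get("static_routes"):
        lines.append(f'static_routes="{" ".join(r[0] for r in fw["static_routes"])}"')
        for label, net, gw in fw["static_routes"]:
            lines.append(f'route_{label}="-net {net} {gw}"')
    lines += ['pf_enable="YES"', f'pf_rules="{fw["pf_rules"]}"', 'pflog_enable="YES"']
    return lines

if __name__ == "__main__":
    print("\n".join(generate_rc_conf(FIREWALL)))
```

Because rc.conf is just shell variable assignments, the output is only as safe as its inputs: anything coming from an untrusted data file (interface names, route labels) would need to be validated before being written, which this example does not do.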

This release adds ability to automatically detect firewall platform from the format of the imported configuration file. Import is supported for iptables, Cisco IOS or Cisco ASA/PIX/FWSM. The program detects firewall platform, version and host name (if possible) from the contents of the configuration and shows platform-specific warning to explain what parts of the config can and can not be imported. Importer wizard has been reimplemented using QWizard and QWizardPage classes and its workflow significantly improved.

Starting with this release the program can optionally re-use existing objects from both Standard Objects and user-defined libraries when it imports existing firewall configuration. This works for any firewall platform for which we support policy import. Objects are matched by attributes such as address, netmask, port etc. Object name and comment are not taken into account. Importing the same configuration file twice creates two firewall objects with the same interfaces and rules but re-uses address and service objects created on the first import.

Deduplication algorithm is as follows:

  • ASA/PIX/FWSM configuration import:

    ASA configuration language supports named objects and object groups. On import, fwbuilder creates objects and groups with the same names and uses them in rules. Objects created from in-line address/netmask and port specifications found inside object-group, access-list, filter or nat commands are considered "anonymous" objects. These get automatically generated names and are deduplicated using only their relevant attributes, not their names. Objects created from PIX named object statements ("object network foo", "object service bar") are considered "named" objects. They get the name from the corresponding PIX config line and are deduplicated using both the relevant attributes and the name.

  • iptables:

    Fwbuilder can only import iptables configuration saved with the "iptables-save" command. This format does not support variables or named objects, therefore all objects created from address and port specifications are "anonymous" and get automatically generated names. They are deduplicated using their address, netmask, port numbers and other relevant attributes, but not their names.
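The two deduplication rules above (attributes only for anonymous objects, attributes plus name for named ones) are shown in the following added example. It is not fwbuilder's code: the object model, the two-entry "Standard Objects" list and the ASA configuration fragment are all constructed for the example, and the parser understands only the handful of ASA statements it needs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified object model (not fwbuilder's real classes) used to show the
# deduplication rule: anonymous objects match on attributes only, named
# objects match on attributes plus name.
@dataclass
class FwObject:
    kind: str          # "address", "network", "tcp" or "udp"
    attrs: Tuple       # (address, netmask) or (port_start, port_end)
    name: str
    named: bool        # True when the name came from an "object ..." statement

class ObjectLibrary:
    """Re-uses existing objects the way the release notes describe."""

    def __init__(self, preloaded=()):
        self.objects: List[FwObject] = list(preloaded)
        self.counter = 0   # for generated names of anonymous objects

    def get_or_create(self, kind: str, attrs: Tuple, name: Optional[str] = None) -> FwObject:
        for obj in self.objects:
            # anonymous lookup (name is None): attributes only; named lookup: attributes and name
            if obj.kind == kind and obj.attrs == attrs and (name is None or obj.name == name):
                return obj
        named = name is not None
        if not named:
            self.counter += 1
            name = f"{kind}-{self.counter}"   # automatically generated name
        obj = FwObject(kind, attrs, name, named)
        self.objects.append(obj)
        return obj

def standard_objects() -> List[FwObject]:
    """Constructed stand-in for the Standard Objects library (the real one is much larger)."""
    return [FwObject("tcp", (80, 80), "http", True), FwObject("tcp", (443, 443), "https", True)]

# Constructed ASA configuration fragment using documentation addresses.
SAMPLE_ASA_CONFIG = """
object network web-server
 host 192.0.2.10
object service web
 service tcp destination eq 80
access-list outside_in extended permit tcp any host 192.0.2.10 eq 80
access-list outside_in extended permit tcp any host 192.0.2.20 eq 443
""".strip().splitlines()

def import_asa(lines: List[str], lib: ObjectLibrary) -> List[FwObject]:
    """Walk the fragment and return the objects referenced, in order of appearance."""
    refs: List[FwObject] = []
    pending: Optional[str] = None   # name from the last "object network|service NAME" line
    for raw in lines:
        line = raw.strip()
        m = re.match(r"object (?:network|service) (\S+)$", line)
        if m:
            pending = m.group(1)
            continue
        m = re.match(r"host (\S+)$", line)
        if m and pending:
            refs.append(lib.get_or_create("address", (m.group(1), "255.255.255.255"), pending))
            pending = None
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m and pending:
            refs.append(lib.get_or_create("network", (m.group(1), m.group(2)), pending))
            pending = None
            continue
        m = re.match(r"service (tcp|udp) destination eq (\d+)$", line)
        if m and pending:
            port = int(m.group(2))
            refs.append(lib.get_or_create(m.group(1), (port, port), pending))
            pending = None
            continue
        m = re.match(r"access-list \S+ extended permit (tcp|udp) any host (\S+) eq (\d+)$", line)
        if m:
            proto, host, port = m.group(1), m.group(2), int(m.group(3))
            # in-line address and port: anonymous objects, matched on attributes only
            refs.append(lib.get_or_create("address", (host, "255.255.255.255")))
            refs.append(lib.get_or_create(proto, (port, port)))
    return refs

def demo() -> Tuple[List[str], int, int]:
    """Import the sample twice; the second pass must create no new objects."""
    lib = ObjectLibrary(standard_objects())
    names = [o.name for o in import_asa(SAMPLE_ASA_CONFIG, lib)]
    after_first = len(lib.objects)
    import_asa(SAMPLE_ASA_CONFIG, lib)
    return names, after_first, len(lib.objects)

if __name__ == "__main__":
    print(demo())
```

Two effects worth noticing in the run: the in-line "eq 80" in the access-list is matched to the standard "http" object even though a named "web" object with the same port exists, because anonymous matching ignores names and "http" comes first; and "object service web" is not merged into "http" because named matching requires the name to agree as well.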

TCP and UDP service objects in fwbuilder that define port ranges assume port ranges are inclusive, that is, range boundaries are included in the match. This is the behavior of port range matches in iptables and PF, however policy compilers for Cisco IOS ACL and PIX used to convert these objects into ios and PIX access list configurations that excluded port range boundaries from the match. This behavior made TCP and UDP service objects with port ranges incompatible between firewall platforms, that is, the same object could not be used in rules of firewall objects of different platforms because generated configurations would behave differently. This change makes port ranges inclusive in generated IOS and PIX configurations. Users should verify their configurations and adjust port range boundaries in TCP and UDP service objects if necessary.

GUI Updates

  • fixed #1872: "vlan interface does not appear in the list of interfaces for route-to action for PF".

  • context menu item that opens object in the editor should be named "Inspect" when the object is read-only because the editor would not allow the user to change it.

  • fixed #1926 "Crash when moving object in Standard library". Context menu item "Move" should be disabled when the object is located in the read-only library.

  • see #1976 "Crash when deleting firewall object from rule after export / import library" Crash occurred as the result of the following sequence of actions in the GUI: 1) use context menu item "Cut" to delete an object in the tree, 2) open object group or rule and use context menu item "Paste" to add it, 3) export library to an external file, 4) import this library into different data file, 5) save the data file. Saved data file is invalid XML since it has unsatisfied reference and some operations on it cause crash. The problem is that since it is a reference to the object that is being added in case of both groups and rules, we end up with a group or rule with a reference to an object that is located in Deleted Objects library. Deleted Objects library is not included when a library file is merged into data file and this leads to a dangling reference. The fix is to not allow Paste if object in the clipboard has been deleted.

  • see #1980 "Objects from Deleted Objects should not be allowed to be used in rules". Added checks to not allow drag-and-drop of an object from Deleted Objects library into rules and groups.

  • see #1994 "Crash when compiling a firewall in an imported Library". To prevent crash, added check to make sure firewall object is not read-only before an attempt to update its "last compiled" or "last installed" timestamp.

  • fixes #1993 "V4.2 on Windows - export Library shows the file type as Firewall Builder 2"

  • fixes #1992 " V4.2 on Windows - installer error can't find Secure Shell utility"

  • fixed #1989 "variables respath and librespath are redundant and copy Constants::getTemplateDirectory()". Got rid of global variables sysfname, tempfname, librespath, respath and localepath; will now use class Constants to keep this information.

  • fixes #1998 "Crash after running find-and-replace then closing file". Specific sequence of actions and only on Mac OSX caused GUI to crash. To fix, I clear editor panel when user closes project window using MDI window title menu item "Close" or "Close" button.

  • see #1996 "Crash when finding and replacing a large number of objects". When "find and replace" function was used to replace large number of objects in a rule set, it generated stream of calls to updateLastModifiedTimestampForAllFirewalls() which caused corresponding stream of events to update various parts of the GUI, both in the tree and rule set views. This caused weird corruption and crash on Windows. Trying to resolve the issue by optimizing the part that updated "last modified" timestamp on the firewall since all parts of the rule set updated in one call to "find and replace" function belong to the same firewall.

  • fixes #2000 "New dialog window in New Firewall wizard for ASA / PIX - Network Zone explanation". Added page to the new firewall wizard to let the user configure network zones of interfaces when chosen firewall platform supports network zones (only PIX/ASA right now).

  • fixes #1983 "ASA multiple interfaces have the same security level". Using table widget with spin-boxes to let the user edit security levels of interfaces conveniently.

  • see #2006 "Crash when closing editor panel with find-and-replace". The GUI crashed if user tried to close editor panel at the bottom after closing objects+rules panel and while some object was still displayed in the editor.

  • See #2015 "Add support for setting names of generated .fw and .conf files separately for PF". Added second input field in the "advanced settings" dialog, tab "Compiler" for the firewall platform "PF". Now user can set the name for both the generated .fw initialization script and .conf PF configuration file, as well as names for both files on the firewall. Support for this is generic and the same functions work for other platforms if corresponding input field in the dialog exists. The name of the initialization script is set as follows: 1) if user provided -o command line switch to the compiler, its argument is used. 2) if -o switch was not present but the name was configured in the firewall settings dialog, it is used. 3) if none of them were present, the name is constructed from the name of the firewall object with suffix .fw. The name of the .conf PF configuration file is taken from the settings dialog, but if it is blank, then it is constructed from the name of the initialization script but with suffix .conf.

  • fixes #1914 "Address table object file name is not created properly if user clicks outside Editor panel"

  • fixes #1915 "tooltip shown when mouse is over rule number should be added to the list of suppressed tooltips when 'Advanced user mode' is in effect"

  • fixes #2064 "CARP interfaces are not properly installed on FreeBSD cluster". I need to populate failover group objects with some reasonable defaults when they are created.

  • fixes #2067 "Add way to show interface label in object tree". The tree now shows interface name and label if the label is not empty.

  • fixes #1979 "New firewall created with Cisco c36xx template results in network object in interface column in Policy"

  • fixes #1895 "Add context menu option to expand all child nodes in object tree". Added menu item "Expand" to the context menu associated with all objects in the object tree. This item recursively expands all tree nodes under the given object and automatically changes to "Collapse" if the item is expanded. Also changed behavior of the double click on the object in tree: before, double click opened object in the editor and expanded or collapsed subtree. Now it only opens object in the editor but does not expand/collapse subtree.

  • see #2103 "complex vlan/bridge configurations are not supported by the interface validation code". Added a checkbox to let the user turn off interface name validation functions in the GUI. The checkbox is located in the global Preferences dialog, tab Objects, subtab Interface. For backwards compatibility, the checkbox is turned on by default. When it is off, the GUI does not validate the names of interfaces and subinterfaces and turns off the checks that enforced interface name patterns for VLAN, bridge and bonding interfaces. It also turns off the check for the validity of the vlan ID derived from the vlan interface name and turns off automatic configuration of interface type and vlan ID. These checks sometimes got in the way of building complex configurations that involved multiple vlan interfaces with names not matching their IDs. This also fixes SF bug #3066714 "please dont stop me from creating a new interface" where the user wanted to create interface "veth201.0" on Linux but the GUI blocked this operation because the name seemed to match the vlan interface pattern.

  • fixes #2099 "Object list scrolls up to the last edited object". Object tree used to scroll spontaneously when user started dragging an object from it to a rule.

  • fixes #1971 "Address range can be created with end address lower than start address". Address Range object dialog should not let the user enter range end address which is lower than range start address. Dialog behavior is now similar to the behavior of the tcp and udp service dialog where user can not enter port range end number lower than port range start number.

  • fixes #1678 "When creating a firewall from template it appears that a default template is selected". When user arrives at the page where they choose template to create new firewall object from, the first template should be automatically selected.

  • fixes #2135 "Editing table objects". Dialog of the AddressTable object now offers button "Edit" that lets the user edit address table file. This only works if the file is located on the same machine where the GUI is running, so it is probably most useful for compile time objects.

  • fixes #2139 "Provide "Cancel" button if Address Table file is read-only". If the file configured with Address Table object is read-only, the GUI shows warning when user clicks "Edit" button and offers a choice: open it for viewing read-only or cancel.

  • see #2140 "Attempting to create new Address Table file results in read-only error". Implemented support for the workflow when user wants to create the file used to feed addresses to the Address Table object.

  • see #2047 "Inspect generated files button shows different path information". Do not pass the full path to the output file as the argument of the "-o" option when the GUI launches the policy compiler. Since the "-d" option passes the directory path where files should be saved, actual file names do not need to be absolute paths, except if the user entered an absolute path for the output file name in the firewall settings dialog.

  • see #2153 "Add Network Zone explanation and selection dialog to ASA/PIX import". Wizard shows additional page when user imports PIX/ASA config. This page explains concept of network zones and offers UI to let them choose network objects or groups as a network zone of each interface.

  • fixes #2156 "After import the firewall should be opened in object tree".

  • see #2163 code that imports addresses from a file in /etc/hosts format moved to its own wizard; using QWizard and QWizardPage classes with correct implementation of page sequencing and validation; old discovery druid has been disabled. SNMP discovery and ios/PIX/iptables configuration import will move to their own wizards later.

  • fixes #2203 "Crash when attempting to add an object to a locked group".

  • fixes #2201 "Some fields of locked object are editable". Some input fields of the Custom Service object dialog were editable even when object was locked read-only.

  • fixed SF bug 3238026: build failure on systems without net-snmp development libraries.

  • see #2226 fixed GUI crash that happened when user tried to delete or cut an object from locked library.

  • fixes #2307 "GUI switches to another file after editor panel is closed"

  • see #2286 "Crash when closing file". The GUI crashed if user imported iptables or PIX configuration, then deleted a rule and tried to close project window.

  • see #2171 "Undoing delete of rule ends up with rules being created with duplicate rule numbers". Also see #2172 "Crash when deleting rule - related to #2171". When user deleted the last rule in a rule set, then used Undo to restore it, the program lost track of rules in the rule set and became unstable.

  • see #2335 "GUI switches between data files upon closing editor panel". If the user opened two data files in the GUI and was in the process of editing objects in one of them, the GUI would flip to the other file under certain circumstances.

  • see SF bug 3211769 "Member interfaces not sorted". Sorting interfaces by name in the dialog where user adds them to the cluster member group.

  • fixed #2287 "Show text description in rule columns" does not persist across sessions

  • see #2229 "Multiple new objects with the same name". The GUI should automatically choose unique object names for new objects.

Changes in command line tool fwbedit

  • see #2328 "Add ability to run firewall import from the command line". This has been implemented as a new function "import" in fwbedit. See man page fwbedit(1) and "fwbedit -h" for more details.

Changes in policy importer for all supported platforms

Changes that affect import for all platforms

  • see #1931 "Update failed import behavior". Added meaningful error messages for when policy importer fails to create firewall object or does not create interface objects or any rules.

  • see #2161 "import workflow and automatic detection of firewall platform from the config file". When user imports existing firewall configuration, the GUI automatically detects firewall platform from the format of the config file and shows platform-specific warning to explain what parts of the config can and can not be imported. It also detects firewall host name where possible (currently Cisco IOS and ASA/PIX). Importer wizard has been reimplemented using QWizard and QWizardPage classes and its workflow significantly improved.

  • see #2162 menu item "File / Import Policy" renamed to "File / Import Firewall". This menu item launches wizard that imports existing iptables, Cisco router IOS or Cisco PIX/ASA config.

  • see #2183 "count errors and warnings generated by the importer and show the numbers in the progress page of the wizard". Configuration import wizard now shows counters of warnings and errors generated by the importer.

  • see #2189 Policy importer warnings and errors now include line numbers to help find relevant lines in the original configuration file.

  • see #2189 Program adds the file name and the line number to comments of policy and nat rules it creates during import.

  • fixed #1548 "Object de-duplication during import process". Also SourceForge 3030072 "remove duplicates during any import". Now the program can optionally re-use existing objects from both Standard Objects and user-defined libraries when it imports existing firewall configuration. This works for any firewall platform for which we support policy import. Objects are matched by attributes such as address, netmask, port etc. Object name and comment are not taken into account. Importing the same configuration file twice creates two firewall objects with the same interfaces and rules but re-uses address and service objects created on the first import.

  • see #2253 "importer should not creates objects while still in the middle of the wizard". Importer wizard creates new objects in the object tree only when user clicks Finish and abandons results if they click Cancel.

Fixes and improvements in import of iptables configurations

  • see #2190 "support for import of branches in NAT rules for iptables". Implemented import of NAT rules in user-defined chains for iptables, these translate into branching NAT rules in fwbuilder.

  • see #2196 "iptables nat rules with target REDIRECT not imported". Iptables NAT rules with target REDIRECT were not imported correctly.

  • fixes #2195 "incorrect iptables import of nat rule with NETMAP target"

  • see #2194 "iptables import problem with SNAT rule translating to an address range". NAT rules translating into address range with "-j SNAT --to-source 192.168.1.1-192.168.1.10" did not import correctly

  • see #2197 "iptables nat rules in chain OUTPUT not imported correctly"

  • see #2202 importer for iptables creates Custom Service object to match combination of states it does not recognize. This includes "NEW,ESTABLISHED".

  • see #2336 Importer for iptables recognizes version stored in the top comment by iptables-save and sets version in the firewall object it creates.

  • see #2206 iptables commands with no "-j TARGET" parameter should be imported using action "Continue".

  • see #2338 "Empty Mangle Policy object created on import". iptables rules in the table 'mangle' will be imported in the dedicated Policy rule set with name "Mangle". Rules that use chains FORWARD and POSTROUTING in table 'mangle' can not be reproduced and will be marked as "bad" (color red and corresponding comment).

  • see #2275 Importer for iptables now correctly handles both "intrapositioned" ("-s ! address") and "extrapositioned" ("! -s address") negation.

  • see #2245 fixed bug in parser for iptables that prevented correct import of iptables rules using module "multiport" with port range matches.
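Several of the iptables import fixes above (version from the iptables-save header, #2336; no "-j TARGET" importing as action Continue, #2206; both negation forms, #2275; multiport lists with port ranges, #2245; SNAT to an address range, #2194) come down to how the lines of an iptables-save dump are tokenized. The following added parser, which is not fwbuilder's importer, handles those cases on a constructed iptables-save sample; it supports only the options the sample uses and ignores negation on anything other than -s and -d.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed iptables-save output (not real data) exercising the cases discussed above.
SAMPLE_IPTABLES_SAVE = """
# Generated by iptables-save v1.4.4 on Mon Mar 14 10:00:00 2011
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 192.168.1.1-192.168.1.10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s ! 10.0.0.0/8 -p tcp -m multiport --dports 22,80:90 -j ACCEPT
-A INPUT ! -s 10.0.0.0/8 -p udp --dport 53 -j DROP
-A FORWARD -i eth1 -m state --state NEW,ESTABLISHED
COMMIT
# Completed on Mon Mar 14 10:00:00 2011
""".strip().splitlines()

@dataclass
class Rule:
    table: str
    chain: str
    src: Optional[str] = None
    src_neg: bool = False
    dst: Optional[str] = None
    dst_neg: bool = False
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dports: List[Tuple[int, int]] = field(default_factory=list)
    states: List[str] = field(default_factory=list)
    action: str = "Continue"   # a rule without "-j TARGET" imports as action Continue (#2206)
    to_source: Optional[Tuple[str, str]] = None

def parse_port_list(spec: str) -> List[Tuple[int, int]]:
    """'22,80:90' -> [(22, 22), (80, 90)]: multiport lists may contain ranges (#2245)."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def parse_rule(table: str, tokens: List[str]) -> Rule:
    """Parse the tokens of one '-A CHAIN ...' line."""
    rule = Rule(table=table, chain=tokens[1])
    i = 2
    while i < len(tokens):
        negate = False
        if tokens[i] == "!":             # extrapositioned negation: "! -s addr" (#2275)
            negate, i = True, i + 1
        opt = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        consumed = 2
        if arg == "!":                   # intrapositioned negation: "-s ! addr" (#2275)
            negate, arg, consumed = True, tokens[i + 2], 3
        if opt == "-s":
            rule.src, rule.src_neg = arg, negate
        elif opt == "-d":
            rule.dst, rule.dst_neg = arg, negate
        elif opt == "-i":
            rule.in_if = arg
        elif opt == "-o":
            rule.out_if = arg
        elif opt == "-p":
            rule.proto = arg
        elif opt in ("--dport", "--dports"):
            rule.dports = parse_port_list(arg)
        elif opt == "--state":
            rule.states = arg.split(",")
        elif opt == "-j":
            rule.action = arg
        elif opt == "--to-source":       # a single address or an address range (#2194)
            lo, _, hi = arg.partition("-")
            rule.to_source = (lo, hi or lo)
        elif opt == "-m":
            pass                         # match extension name; its options follow as normal tokens
        else:
            raise ValueError(f"unsupported option {opt!r}")
        i += consumed
    return rule

def parse_iptables_save(lines: List[str]) -> Tuple[Optional[str], List[Rule]]:
    """Return (iptables version from the header comment, list of parsed rules)."""
    version, table, rules = None, None, []
    for raw in lines:
        line = raw.strip()
        m = re.match(r"# Generated by iptables-save v([\d.]+)", line)
        if m:
            version = m.group(1)          # version stored in the top comment (#2336)
        elif line.startswith("*"):
            table = line[1:]              # "*nat", "*filter", ...
        elif line.startswith("-A "):
            rules.append(parse_rule(table, line.split()))
        # chain policy lines (":NAME POLICY [p:b]"), COMMIT and other comments carry no rules
    return version, rules

if __name__ == "__main__":
    for r in parse_iptables_save(SAMPLE_IPTABLES_SAVE)[1]:
        print(r)
```

The point of handling both negation spellings is that a dump produced by one iptables version can be re-imported on another: treating "! -s" and "-s !" differently would silently drop the negation from a rule, which inverts its meaning.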

Fixes and improvements in import of Cisco IOS configurations

  • see #2248 implemented import of Cisco IOS and PIX/ASA service configurations using port operation "neq". Since the object model in fwbuilder does not provide direct support for the "port not equal to" expression, this configuration is converted into two tcp or udp service objects with port ranges extending below and above the specified port, and these two service objects are then placed in a group.

Fixes and improvements in import of Cisco ASA/FWSM configurations

  • see #2161 policy import wizard shows the page where user can set up network zones of interfaces if firewall platform was determined to be PIX.

  • see #2152 "ASA Import - shutdown interfaces". Importer recognizes and skips ASA interfaces in "shutdown" mode.

  • see #2248 implemented import of Cisco IOS and PIX/ASA service configurations using port operation "neq". Since the object model in fwbuilder does not provide direct support for the "port not equal to" expression, this configuration is converted into two tcp or udp service objects with port ranges extending below and above the specified port, and these two service objects are then placed in a group.
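Both the "neq" import just described (#2248, listed for IOS and for ASA/FWSM) and the earlier change that made generated IOS and PIX port ranges inclusive are about mapping between fwbuilder's inclusive port ranges and the access-list port operators. The added example below, which is not fwbuilder's compiler or importer code, shows both directions and includes the pre-4.2.0 exclusive rendering for comparison. The port bounds 1 and 65535 used for the "neq" split are an assumption of the example, not a value taken from fwbuilder.

```python
from typing import List, Tuple

# Assumed port bounds for the "neq" split; fwbuilder's own limits may differ.
PORT_MIN, PORT_MAX = 1, 65535

def render_port_spec(start: int, end: int, inclusive: bool = True) -> str:
    """Render an inclusive fwbuilder port range as an IOS/PIX access-list port operator.

    inclusive=False reproduces the pre-4.2.0 behaviour the release notes describe:
    the generated 'range' excluded both boundaries of the object's range."""
    if start == end:
        return f"eq {start}"
    if inclusive:
        return f"range {start} {end}"
    return f"range {start + 1} {end - 1}"

def ios_port_matches(spec: str, port: int) -> bool:
    """Evaluate an IOS/PIX port operator (eq, neq, gt, lt, range) against one port."""
    op, *args = spec.split()
    nums = [int(a) for a in args]
    if op == "eq":
        return port == nums[0]
    if op == "neq":
        return port != nums[0]
    if op == "gt":
        return port > nums[0]
    if op == "lt":
        return port < nums[0]
    if op == "range":
        return nums[0] <= port <= nums[1]
    raise ValueError(f"unknown port operator: {spec}")

def import_port_spec(spec: str) -> List[Tuple[int, int]]:
    """Import a port operator as inclusive (start, end) ranges, one per service object.

    'neq' has no direct equivalent in the object model, so it becomes two ranges,
    below and above the port, that would then be placed in a group (#2248)."""
    op, *args = spec.split()
    nums = [int(a) for a in args]
    if op == "eq":
        return [(nums[0], nums[0])]
    if op == "range":
        return [(nums[0], nums[1])]
    if op == "gt":
        return [(nums[0] + 1, PORT_MAX)]
    if op == "lt":
        return [(PORT_MIN, nums[0] - 1)]
    if op == "neq":
        ranges = []
        if nums[0] > PORT_MIN:            # edge case: "neq 1" has nothing below
            ranges.append((PORT_MIN, nums[0] - 1))
        if nums[0] < PORT_MAX:            # edge case: "neq 65535" has nothing above
            ranges.append((nums[0] + 1, PORT_MAX))
        return ranges
    raise ValueError(f"unknown port operator: {spec}")

def ranges_match(ranges: List[Tuple[int, int]], port: int) -> bool:
    """Inclusive match, the semantics of fwbuilder TCP/UDP service objects."""
    return any(a <= port <= b for a, b in ranges)

def equivalent(spec: str) -> bool:
    """True when importing a spec and matching inclusively agrees with IOS on every port."""
    ranges = import_port_spec(spec)
    return all(ranges_match(ranges, p) == ios_port_matches(spec, p)
               for p in range(PORT_MIN, PORT_MAX + 1))

if __name__ == "__main__":
    print(render_port_spec(1024, 65535), "|", render_port_spec(1024, 65535, inclusive=False))
    print(import_port_spec("neq 80"), equivalent("neq 80"))
```

The exhaustive check in equivalent() is the kind of test that would have caught the boundary bug: with the old exclusive rendering, a service object for ports 1024-65535 produced an ACL that did not match port 1024 or 65535, so the same object behaved differently on IOS/PIX than on iptables or PF.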

  • see #2268 updated list of named TCP and UDP ports recognized by the importer for Cisco ASA.

  • see #2277 "Create policy objects for ASA access-lists that are not applied in an access-group". Policy rule set will be created and populated with rules found in the corresponding access-list even if this access-list is not applied to an interface with access-group command.

  • see #2164 fixed import of "ssh" commands and added import of "http" commands for ASA/PIX/FWSM

Changes in the built-in policy installer

  • see #2039 "Installer reports success even if pfctl can't load config file". Added more pfctl error messages to the list to make code more robust.

  • fixes #2049 "Installer reports success even if there was an error while creating static routes". Added our own error message generated when command used to add static route fails to the list of error messages recognized by the installer.

  • fixes #2037 "If there is an error when compiling firewall then installer should be aborted". Compile/install wizard should disable "Next" button after compile phase is done if all firewalls failed to compile with no errors.

  • fixes #2061 "Installer shows success for failed installed on FreeBSD due to corrupt script file". Added a bunch of common shell error messages to make sure the installer recognizes them and marks the install as a failure even if ssh fails to pass the termination code.

  • fixed SF bug 3169045: "Batch installer lists IPv4 address as management address". The "summary" display in the installer progress log output will now show putty session name if it is used instead of the management address.

  • see #2073 "Add additional information or workflow when no management inferface configured". The error message shown to the user when no interface has been marked as "management" is now more verbose and provides instructions on how to do this. Also, if the user provided an alternative address to be used to communicate with the firewall, the check for the management interface is not performed since it is not needed.

  • see #2088 "Installer caches putty session". Need to initialize putty_session properly and clear it in clear().

  • fixes #2129 'deprecate "test install" function'. We have decided to deprecate test install because it is rather heavy-handed on Linux and PIX where it reboots the firewall and plain does not work on *BSD.

  • see #2239 Added variable "firewall_name" to configlets that define commands installer runs on the firewall to activate new policy (all platforms).

  • updated filesystem path on FWSM where fwbuilder built-in installer should place generated configuration when it is installed using scp. Currently using path "disk:".

  • see SF bug 3212988 "external script makes getopt difficult". User-defined parameters for the external script moved to the end of the command line.

Changes and improvements in the API library libfwbuilder

  • see #1972 Separated object creation and initialization. Some complex objects need to create a set of standard child objects. Previously this was done in a special type of constructor which required pointer to the object tree root (FWObjectDatabase*). This created problems with implementation of the method to register functions that create objects of new types outside of the API. Now all objects have just a basic set of constructors, plus method init() that can initialize them.

  • see #1972 implemented mechanism that allows me to register new object types created and used outside of libfwbuilder API. This means FWObjectDatabase can then copy and manipulate object trees that use these new object types.

  • fixes #1937 "RES_DIR macro is defined twice". Got rid of duplicate definition of this macro.

  • see #1985 added virtual function updateNonStandardObjectReferences() that is supposed to update any references to objects stored as attributes.

  • fixes #1997 "add removeRef and addRef methods to class NATRule". Now undo and redo correctly remove and restore references to NAT rule sets in NAT rules with action Branch.

  • fixes #1991 "Undo does not restore object as a parameter of policy rule action Branch or Tag after it was deleted deleted". Now Undo restores references to rule sets and tag services as arguments of corresponding policy rules, as well as references to objects configured as interface network zones.

  • fixes #1987 "Deleting object that is used as Network Zone for ASA/PIX interface results in inconsistent behavior". When an object that is used as a network zone of an interface is deleted, it should be removed from the interface configuration as well.

  • fixes #1995 "Crash when compiling a cluster with identical firewalls". Method Cluster::init() must call base class method Firewall::init() to get child Policy, NAT and Routing objects created.

  • See #2084 "snmp discovery takes forever on devices with large routing tables". This takes a very long time on devices with large routing tables. This code was implemented a long time ago and apparently routing data was intended to be used to discover "external" interfaces, but it is unclear if this is still done. The concept of external/internal currently exists only for platforms that support security levels (PIX), and there we guess levels by matching addresses against RFC1918 and let the user adjust levels manually anyway.

  • see #133 Added interfaces to the NAT rule model. There will be two interfaces per NAT rule: "inbound interface" and "outbound interface". DTD version changes to "18", old data files need to be upgraded.

  • see #2126 Using snmp sysDescr OID to guess version of the new firewall when it is created using snmp polling.

  • fixes #2209 "do not allow the same object to be child of different objects in the tree". Method FWObject::add() enforces this. Subsequent clean-up and fixes in many places to follow this logic. This makes code much cleaner, better organized and more reliable.

Changes and improvements in the library of standard objects

  • #2083 Added new services to the Standard Objects Library: rtmp, xmpp-client, xmpp-server, nrpe

Common changes that affect policy compilers for all platforms

  • fixes #1920 "Setting host interface to unnumbered after it has been assigned IP address doesn't have desired effect". Compiler still used IP addresses that belonged to the interface even after it switched to "unnumbered". These child address objects should be ignored.

  • fixes #2124 "some error messages get multiplied when compiler splits rules". Under certain circumstances error messages could appear multiple times in the generated script.

  • see #2204 "Shadowing detected for rule with action Continue". Policy rules with action "Continue" should not shadow other rules and can not be shadowed.

  • see #2207 fixed memory leak in policy compilers. The impact of this leak was especially severe on Windows with very large object databases.

  • see #2212 "Performance improvement in compilers". This change brings significant improvement in compile time on large object trees. The speed-up is especially noticeable in single rule compile where the time before generated firewall configuration appears in the GUI shrank by up to a factor of 10.

  • Sort objects in the rule element after cluster interfaces have been replaced; this helps ensure stable ordering of objects in the generated configuration.

  • Sort objects in the rule element by name after a group is expanded; this helps ensure stable ordering of objects in the generated configuration.

Changes in support for iptables

  • fixed #1879 "gui crash". Both GUI and fwb_ipt crashed trying to compile a rule with action Branch that was not configured to point to any rule set.

  • fixed SF bug #3102044 "Colon in (runtime) Address Table name". Variable used to process addresses in the run-time address table should not use character ":" even if it appears in the Address Table object name.

  • fixes #1999 "log() does not work". Using the built-in shell utility "command" to verify that all the tools the generated script needs to function properly are available and can be accessed either via direct full path or via the PATH variable. This includes the check for the logger tool that is used to make a log record when the firewall is activated.

  • see #2097 #133 "support for inbound and outbound interface columns in iptables NAT rules". This also addresses SF feature requests 1954286 "DNAT with interface as condition not possible" and 621023 "manipulating interface in NAT rule".

  • fixes #2008 "option "--physdev-out" is not allowed in OUTPUT chain". After this change, compiler avoids INPUT/OUTPUT chain if interface in the rule column "Interface" is a bridge port and firewall is bridging firewall (which means we are going to use --physdev-in or --physdev-out option for this rule).

  • see #2170 "Compiler should generate error for invalid iptables NAT configs". Now that we allow the user to specify inbound and outbound interfaces in iptables NAT rules, compiler should verify that combination of requested "-i" and "-o" interfaces is in fact valid. For example iptables does not allow "-o" interface spec with rules that go into PREROUTING chain (DNAT rules) or "-i" interface spec with rules in POSTROUTING chain (SNAT rules).
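The validity check described in #2170, as an added example that is not fwbuilder's own code: a NAT rule with "Inbound Interface" / "Outbound Interface" columns is mapped to its nat-table chain and rejected when it asks for an interface match that chain cannot take. The NatRule class, its field names and the ACTION_CHAIN mapping are assumptions made for this example.

```python
"""Check the inbound/outbound interface combination of an iptables NAT rule
before emitting a command, as the compiler check described above requires."""
from dataclasses import dataclass
from typing import Dict, Optional

# Which interface match each nat-table chain accepts. PREROUTING runs before
# the routing decision, so no output interface is known yet; POSTROUTING runs
# after it, so the input interface is no longer available.
CHAIN_ALLOWED = {
    "PREROUTING": {"-i"},
    "POSTROUTING": {"-o"},
}

# Constructed mapping from NAT action to the chain the rule is installed in.
ACTION_CHAIN = {"DNAT": "PREROUTING", "SNAT": "POSTROUTING"}


class InvalidNatRule(ValueError):
    """Raised for a -i/-o combination that iptables would reject."""


@dataclass(frozen=True)
class NatRule:
    """Constructed stand-in for a fwbuilder NAT rule (hypothetical fields)."""
    action: str                 # "DNAT" or "SNAT"
    inbound: Optional[str]      # "Inbound Interface" column; None means Auto
    outbound: Optional[str]     # "Outbound Interface" column; None means Auto
    match: str                  # remaining match options, e.g. "-p tcp --dport 80"
    target_args: str            # target arguments, e.g. "--to-destination 10.0.0.5"


def requested_interfaces(rule: NatRule) -> Dict[str, str]:
    """Map the -i / -o options to the interface names the rule asked for."""
    req = {}
    if rule.inbound:
        req["-i"] = rule.inbound
    if rule.outbound:
        req["-o"] = rule.outbound
    return req


def validate(rule: NatRule) -> str:
    """Return the chain the rule belongs in, or raise InvalidNatRule."""
    chain = ACTION_CHAIN.get(rule.action)
    if chain is None:
        raise InvalidNatRule(f"unsupported NAT action {rule.action!r}")
    rejected = set(requested_interfaces(rule)) - CHAIN_ALLOWED[chain]
    if rejected:
        raise InvalidNatRule(
            f"{', '.join(sorted(rejected))} not allowed in {chain} chain "
            f"({rule.action} rule)")
    return chain


def render(rule: NatRule) -> str:
    """Render the iptables command for a rule that passed validation."""
    chain = validate(rule)
    parts = ["iptables", "-t", "nat", "-A", chain]
    for opt, ifname in sorted(requested_interfaces(rule).items()):
        parts += [opt, ifname]
    parts += rule.match.split()
    parts += ["-j", rule.action] + rule.target_args.split()
    return " ".join(parts)


if __name__ == "__main__":
    ok = NatRule("DNAT", "eth0", None, "-p tcp --dport 80",
                 "--to-destination 10.0.0.5")
    print(render(ok))
    # DNAT with an outbound interface: "-o" is not allowed in PREROUTING.
    bad = NatRule("DNAT", None, "eth1", "-p tcp --dport 80",
                  "--to-destination 10.0.0.5")
    try:
        render(bad)
    except InvalidNatRule as err:
        print("rejected:", err)
```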

  • see #2181 "Update iptables importer to detect inbound & outbound interfaces in NAT rules". Importer can now import nat rules with "-i" or "-o" interface spec.

  • see #2230 the GUI should allow limit-burst values of up to 10000

  • SF bug 3178186 "Add ND/NS allow rules for the FORWARD chain". Rules that are added automatically to IPv6 Linux firewall to permit neighbor discovery packets should be also added to the FORWARD chain if the firewall is a bridge.

  • see #2324 "NAT + MAC-matching rules not generated properly". iptables NAT rules matching a group of host objects with both IP and MAC addresses each in "Original Source" were not generated properly.

  • see #2235 "Modified rule action for Continue". Rules with action "Continue" should translate into iptables commands without "-j TARGET" parameter. If such rule also has logging enabled, it should use target "-j LOG" instead of generating additional chain.

Support for PF (FreeBSD, OpenBSD)

  • see #1890 "Add support for configuring static routes on BSD". Implemented support for simple static routing rules. ECMP and routing via interface (routing to directly reachable subnets) are not supported. Generated script preserves static routing entries that existed before and attempts to recover in case of error.

  • see #1888 "Add option to generate rc.conf.local file for BSD systems". Added ability to generate initialization script in rc.conf format for FreeBSD. Only FreeBSD is currently supported (not OpenBSD). Generated script includes variables to configure interfaces and their IPv4 and IPv6 addresses, vlans, CARP and pfsync interfaces, as well as variables that initialize PF.

  • fixes #2026 Compiler can now generate static routing configuration in rc.conf format for FreeBSD.

  • fixes #2032 "support for DHCP interfaces in rc.conf mode". Include dynamic interfaces in the list of interfaces the generated script manages when the script is in rc.conf format. This adds lines similar to 'ifconfig_em0="DHCP"'.

  • fixes #2038 "pfctl error when firewall settings include scrub option for reassembly". Command "scrub all reassemble tcp" does not allow direction. Tested and verified on OpenBSD 4.2 and FreeBSD 8.1.

  • see #1889, #2043 Added support for bridge interface configuration in BSD.

  • fixes #2054 "Add support for load anchor PF command". Instead of loading anchors using "pfctl -a anchor -f file" command in the .fw initialization script, now generated PF configuration uses "load anchor" commands in the pf.conf file. This way, we can load anchors correctly when PF configuration is activated from the generated rc.conf.local file where only one pf.conf file can be referenced.

  • fixes #2042 "add configlet and shell functions to manage bridge interfaces via shell script on OpenBSD and FreeBSD". Bridge interfaces are managed incrementally, that is, the script creates and destroys them as needed, then adds or removes bridge ports, to bring bridge configuration in sync with what is defined in fwbuilder GUI.

  • fixes #2065 "activation commands on FreeBSD and OpenBSD lose script exit status". The sequence of commands run by the built-in installer on *BSD firewalls was losing the exit status of the script, which meant the installer always declared installation a "success" even when there were errors.

  • fixes #2066 "Existing VLAN interfaces are not properly removed from FreeBSD and install script fails"

  • fixes #2069 "PF: allow multiple objects in ODst of redirecting nat rule". This fixes SF bug 3162862 "NAT - more than one object in original destination"

  • fixes #2071 "vlandev missing in the vlan definition (when using rc.conf.local )"

  • fixes #2058 "Ability to configure mtu and metric of regular interfaces". "Advanced settings" dialog of the interface object provides controls to configure MTU and possibly add any additional ifconfig parameters. This is available for OpenBSD and FreeBSD.

  • see #2078 added verbose error message in a situation when "ifconfig carp0 create" command fails to create CARP interface.

  • see #1867 "PF: rule with non-terminating action Tag shadows other rules below it". Since action Tag is non-terminating, rules with this action should not shadow other rules.

  • see #2074 On FreeBSD ifconfig does not understand parameter carpdev

  • fixes #1866 "support for pf option set state-policy", #1868 "support for pf option set block-policy", #1869 "support for pf option set debug".

  • fixes #2092 option "stp" should be optional in the ifconfig command that builds bridge interface for FreeBSD. The dialog provides checkbox "Enable STP", parameter "stp" will be added to the ifconfig command only when the checkbox is turned on.

  • fixes #2091 "ethernet interface options are used twice if the interface is a bridge port". When an interface appeared twice in the firewall configuration, such as when it is used as a bridge port and vlan parent interface, options configured for it in its settings dialog were added twice to the generated configuration.

  • see #1871 "PF Actions Tag and Classify can be terminating or non-terminating". Added checkbox to the action properties dialog for actions Tag and Classify for PF that lets the user choose if these actions should be terminating or not. Old behavior (Tag was non-terminating and Classify was terminating) is reflected in default settings of the checkboxes. Terminating rules generate "pass quick" commands, while non-terminating rules generate "pass" commands (no "quick" option).

  • see #1807, #2104: arrange interface configuration commands in the generated script in such order that bridge and carp interfaces are configured after all other interfaces are done.

  • see #2105: generated script now supports vlan interfaces with names that do not match vlan IDs (OpenBSD, FreeBSD, shell script format).

  • Making sure we print "ifconfig" commands for mtu and other parameters for all interfaces, including those with no ip addresses and bridge ports (unnumbered interfaces used to be skipped before)

  • fixes #2100 carp password should be optional parameter

  • fixes #2096 added support for negation in Interface column for PF NAT rules. Sets of interfaces are converted to complementary sets using complete list of interfaces of the firewall.

  • fixes #2095 added support for groups and multiple objects in column "Interface" for PF NAT rules. These translate into { em0 em1 em2 } groups in generated pf.conf lines.

  • fixes #2101 "CARP interfaces are set with same advskew". When a new PF cluster is created, the master advskew parameter will be set to 10 and backup to 20 to make it deterministic.

  • fixes #2116 "When CARP interface IP address can't be assigned error or warning should appear". The problem actually affects any type of interface. Generated script should abort with an error termination code when ifconfig fails to assign IP address to an interface.

  • fixes #2117 "CARP interfaces in cluster that use VLAN interfaces have no interface set to MASTER". When PF cluster configuration was built using vlan interfaces of member firewalls, CARP interfaces were not properly configured with the master/slave choice the user makes on the first page of the new cluster wizard.

  • see #2143 "installer should run /etc/rc.d/pf script to reload PF rules on FreeBSD when generated script is in rc.conf format"

  • see #2224 "FreeBSD - Bridge interfaces with the name vlan don't show as Bridge Port Interfaces". This actually applies to all OS where we support vlan and bridge interfaces. Fwbuilder GUI should allow the user to set subinterface type to both "ethernet" and "vlan" when its parent interface has type "bridge". Setting subinterface type to "ethernet" makes it a bridge port, while setting the type to "vlan" signals the policy compiler that it should generate code to configure a real vlan interface. If the name of the subinterface does not include the name of the parent, such as "vlan101", or when the name does not match the vlan ID, such as "vlan8101", the global preferences option "Verify interface names and autoconfigure their parameters..." should be turned off. The option is located in the Preferences dialog, tab "Objects".

Support for ipfilter

  • There are no changes in the support for ipfilter in this release

Support for ipfw

  • There are no changes in the support for ipfw in this release

Changes in support for Cisco IOS ACL

  • fixes #1966 "IOSACL: object-group can get name that consists of only suffix". Compiler generated object-group statements with names such as ".src.net.0" in some cases.

  • see #2252 TCP and UDP service objects that define port ranges assume port ranges are inclusive, that is, range boundaries are included in the match. This is the behavior of port range matches in iptables and PF, however policy compilers for Cisco IOS ACL and PIX used to convert these objects into ios and PIX access list configurations that excluded port range boundaries from the match. This behavior made TCP and UDP service objects with port ranges incompatible between firewall platforms, that is, the same object could not be used in rules of firewall objects of different platforms because generated configurations would behave differently. This change makes port ranges inclusive in generated IOS and PIX configurations. Users should verify their configurations and adjust port range boundaries in TCP and UDP service objects if necessary.

  • see #2330 "Crash when creating a cluster of IOS router firewalls". Added support for basic IOS router clusters. No failover protocol support at this time, but the cluster can be configured with protocol "None" and fwbuilder will do address substitutions at compile time.

Changes in support for Cisco ASA and FWSM

  • FWSM v4.x does not have "fixup" command, instead, we should use policy-map and class commands.

  • refs #1893 fixes #1883 "inspect IP options in PIX8". Added support for "policy-map type inspect ip-options" command in PIX v8.2 and later. At this time, of all possible types of "policy-map type inspect" command only "ip-options" is implemented.

  • refs #1882 "Mixed service groups in PIX8". Added PIX versions 8.0 and 8.3; added support for mixed service groups in PIX 8.0 and later.

  • fixed #1892 "move rule processor class separateServiceObject to PolicyCompiler". This rule processor used to be implemented only in the compiler for PF, but since it has very general meaning, the same function was duplicated in other compilers as well. Moved the class to libfwbuilder and reimplemented several other rule processors to inherit from this class to avoid further duplication of code.

  • fixed #1891 "problems with TCP and UDP services with source ports". Policy compiler for PIX did not generate correct PIX ACL lines when one Policy rule tried to match several TCP and/or UDP objects matching source ports.

  • fixes #1901 "add destructor to NATCompiler_pix and NATCompiler_asa8". This eliminates memory leak.

  • refs #1885 "named network and service objects in PIX8". So far, these objects are only used for nat configuration.

  • fixes #1903 "correct order of clear commands for ASA 8.3"

  • refs #1886 "new nat configuration in PIX 8.3". Initial support for new style nat configuration.

  • fixed #1862 "fwb_pix crash". Compiler fwb_pix crashed when DNS Name run-time object was used in a rule, but worked fine and issued an error when used in single-rule compile mode.

  • fixed #1906 "ASA NAT - Address objects are not properly identified by network zone and have the wrong real interface". The problem should have affected both "old" (PIX 6 and 7) and "new" (ASA 8.3) configuration. When an Address object was used in Original Source of a NAT rule, compiler used wrong interface in the (interface1,interface2) pair in "nat" command.

  • fixed #1905 "fwbuilder crash when compiling a rule with hosts folder as destination". Compiler issues a warning when an empty group object is used in a rule, but GUI crashed when user tried to compile this rule using single-rule compile function. The change actually affects all policy compilers and makes sure the GUI catches exception and does not crash, and prints any errors generated by the compiler in the compiler output panel when single-rule compile function is used.

  • refs #1908 "ASA NAT - cannot configure static NAT translations with (inside,outside)". Added NAT rule option to make source nat rules "static". The option is presented to the user as three radio buttons in the NAT rule options dialog which is only enabled when platform is "PIX" and version >= 8.3. Policy compiler generates "twice nat" rules with keyword "static" in the following cases: when TSrc is "original", so the rule translates destination and not source or when numbers of ip addresses represented by OSrc and TSrc are equal. If TSrc is not "original" and represents different number of IP addresses than OSrc, compiler looks at the new rule option. User can use or override automatic algorithm using radio buttons in the NAT rule options dialog.

  • refs #1902 "Add NAT rule option "translate dns" for PIX". The option is only available for ASA 8.3 or later.

  • fixed #1909 "ASA NAT - static nat port translation where service is the same for original service and translated service not generated correctly"

  • fixed #1913 "ASA/PIX rules with logging enabled don't have log set unless user modifies Firewall Settings". Added default log level setting to the resource xml file for platform "PIX", set to "informational". ACL lines now get "log " keyword followed by the log level taken from the rule options, or if that was not configured, from the firewall object settings, or if that is not configured, the default.

  • refs #1907 "ASA NAT - fwbuilder doesn't support multiple translated sources in a single NAT rule". Compiler uses object-group to translate NAT rules that have multiple objects in Translated Source.

  • refs #1885 Compiler uses named objects and objects groups to build configurations that use address ranges in TSrc in NAT rules. (only ASA 8.3 and later)

  • fixed #1917 "Duplicate objects are not detected". Compiler should detect duplicate objects that may be created in a rule element when user combines Address Table object with other address or network objects there.

  • fixes #1934 "libfwbuilder::getOverlap() incorrectly calculates overlap between IPv4 networks". This should also fix SF bug 3156376 "Can not find interface with network zone that includes address range".

  • fixes #1932 "Add description field to generated NAT rules for ASA". NAT rules generated for ASA 8.3 and later will have "description" keyword added, with rule label as an argument. Rule label includes word "NAT" and rule number.

  • Added support for CustomService objects in policy and nat rules for ASA 8.3 using named objects and object-groups. See #1942 "ASA NAT - if custom service is included in service group incorrect config generated", #1929 "move map named_objects inside class NamedObjectManager", #1946 "restrict generation of the named objects by PolicyCompiler_pix to ASA 8" and #1885 "named network and service objects in PIX8". Note: this has been rolled back. There is no support for CustomService objects in NAT rules.

  • see #1941 "ASA NAT - compiler complains about range in original destination". NAT rules translating destination allow Address Range objects in ODst or TDst for ASA 8.3

  • see #1940 "ASA NAT - fwbuilder host objects interface IP is reserved keyword". Added list of reserved words used in IOS and ASA software to make sure generated named objects do not conflict. Will maintain single super-set of reserved words instead of separate set for each version of IOS and ASA.

  • fixed #1938 "icmp" commands were not generated for ASA 8.x policy rules.

  • See #1927. Added check for NAT rules that request translation of destination address but have ODst "any". This only applies to ASA 8.3; these rules are prohibited.

  • fixes #1916 "nat rule must be "static" when subnet is present in TSrc"

  • see #1942 improved support for CustomService objects for ASA 8.3. Generate separate named object and object-group for these objects, then split policy and nat rules so that only one custom service object is left in each rule and then use object-group to match it. Note: this has been rolled back. There is no support for CustomService objects in NAT rules.

  • fixes #1948 "incorrect configuration created when a CustomService object is used in a policy rule for PIX/ASA versions prior to 8.3". Since we do not support custom service objects in policy and nat rules for versions older than 8.3, added check to generate fatal error when such object is used.

  • fixes #1945 "object-group names include ever-growing suffix". Object-groups created by the compiler for PIX/ASA had numerical suffix that was constantly increasing when user used single-rule compile function in the GUI.

  • fixed #1944 "ASA Policy - duplicate network object groups created for mixed service group with TCP dst and TCP src port range objects". Need to convert address range objects to subnets early, before the rule is split for any reason, to make sure object groups created later match and are reused.

  • See #1943 "ASA Policy - mixed service group with TCP destination port range and standard TCP object generates invalid config". Protocol word "tcp" was missing after "deny" in the generated rule.

  • see #1949 "ASA NAT - split objects if OSrc contains objects that are in more than one network zone".

  • ASA 8.3 see #1942, #1943 fixed generation of the "object-group" statements by adding protocol keyword at the end so that the group can be used in access-list commands. It looks like mixed service groups that have no protocol keyword at the end of the line that defines them cause error "specified object group has wrong type; expecting service type". I am going to avoid using mixed service groups because of this.

  • see #1953 "ASA NAT - two host objects in the same rule result in incorrect config". Objects that represent addresses of interfaces of a host object created using template will be automatically renamed to follow standard naming convention "host_name:interface_name:ip" to avoid creating duplicate names.

  • see #1960 add support for CustomService for PIX policy rules. Note that CustomService objects are only supported in Policy rules since nat commands in ASA 8.3 require use of named objects and it is difficult to implement correct named objects and object-groups with protocol parameter and custom services.

  • See #1959 "ASA Policy - ranges are broken into composite network instead of using range command." Added support for address ranges using named network object with parameter "range" for ASA 8.3 and later. NOTE: if a network or IP address object is used in a nat rule for ASA 8.3, a named object has to be created for it since ASA 8.3 does not accept IP addresses or subnets in "nat" commands. In the situation like this, if the same address or network object is used in any Policy rule, the same named object will be used in the generated access-lists command.

  • see #1959 Moved generation of the code that defines named objects to class NamedObjectManager. This allows me to put all named object commands on top of the generated policy, nat and routing configurations and make sure each object is defined only once. Still need to do #1963 - move code that generates commands to define object-groups to class NamedObjectManager.

  • see #1954 "ASA NAT - generate warning if nat rule is split and one of the resulting nat rules have the same real interface and mapped interface". Compiler issues warning when objects used in OSrc and TSrc of a NAT rule make it use the same interface as both real and mapped interface in the generated nat command. This check is only done for ASA 8.3 NAT rules.

  • see #1963 "move printing of object-group definitions to NamedObjectManager::getNamedObjectsDefinitions()". Consolidated code that works with named objects and object groups in the class NamedObjectManager. This class manages all the objects and in the end generates commands.

  • Refactored parts that generate "clear" commands to make sure they are printed in the right order at the top of the generated configuration. Previously compiler placed "clear global", "clear static" and "clear nat" commands above the NAT section but below policy section. Since ASA8.3 nat commands can use named objects and object groups, and since I have added support for object groups in ASA 8.3 policy rules, I now need to clear objects and object groups at the very beginning of the generated config. However in order to be able to clear objects and object-groups, I need to clear access-lists and nat commands that might be using them first. So, all clear commands are now grouped at the beginning of the generated configuration. This affects PIX/ASA, iosacl and procurve_acl platforms.

  • See #1965 "ASA Policy - PIX 6.1 configurations use object groups". Policy compiler for PIX is now aware that object-group statement was introduced in PIX v6.2 and avoids using object-groups when firewall object version is set to 6.1

  • made names automatically assigned to object-groups in generated PIX configuration shorter by removing interface label prefix.

  • see #1968, #1972 Class NamedObjectsManager maintains its own copy of the object tree that holds object group objects it creates during compiler passes. This allows me to maintain one common set of object groups for both policy and nat compilers and avoid creating duplicate and redundant object-group statements.

  • see #1968, #1972 class NamedObjectsManager (and derived classes for IOS and PIX) generate "clear" commands. This way, I can generate correct set of "clear" commands that take into account any named objects and object-groups that could be created during both policy and nat compiler passes.

  • See #1958 "consistently use "exit" to get out of nested context in PIX config". Using "exit" to exit from nested context while adding network or service object in generated PIX/ASA configuration.

  • see #1970 "ASA Policy - single IPv6 icmp object allowed in rules". Since we do not support IPv6 for PIX/ASA at this time, policy compiler should drop the rule if IPv6 address or icmpv6 service is used and issue a warning.

  • see #1981 "ASA / FWSM Policy - Generate warning message if rule will not generate config data"

  • fixes #1986 "Cisco ASA remarks should be truncated to 100 characters or less". Trimming all lines used for access list remarks to 100 characters or less. Remarks can only be less than 101 characters on PIX/ASA and less than 100 characters on IOS.

  • fixes #1994 "Crash when compiling a firewall in an imported Library". Compilers should reset any read-only flags in the copy of object tree they work with before they make any modifications.

  • fixes #2060 "Existing configuration objects are not cleared in PIX 6.3". Commands used to clear object groups and objects have different syntax in PIX 6.3 and PIX 7 and later.

  • see #2098 Added support for user-configurable inbound and outbound interfaces in Cisco PIX/ASA NAT rules. Two new columns appear in the rule set view: "Inbound Interface" and "Outbound Interface". If user leaves one or both columns blank, the GUI shows "Auto" in there and policy compiler picks corresponding interface automatically. Leaving both columns blank ("Auto") triggers backwards-compatible automatic behavior where both interfaces are picked automatically. Multiple interface objects and groups of interfaces are allowed in these columns.

  • fixes #2113 "ASA/PIX SNMP discovery - assign default labels based on interface description". Added pattern to match Cisco ASA interface description which is different from Cisco PIX interface descriptions as returned via snmp.

  • see #1990 "Change default value for Cisco ASA/PIX 7+ to generate outbound ACLs". Newly created PIX/ASA firewall objects will now have "generate outbound acl" option turned on by default.

  • see #2252 TCP and UDP service objects that define port ranges assume port ranges are inclusive, that is, range boundaries are included in the match. This is the behavior of port range matches in iptables and PF, however policy compilers for Cisco IOS ACL and PIX used to convert these objects into ios and PIX access list configurations that excluded port range boundaries from the match. This behavior made TCP and UDP service objects with port ranges incompatible between firewall platforms, that is, the same object could not be used in rules of firewall objects of different platforms because generated configurations would behave differently. This change makes port ranges inclusive in generated IOS and PIX configurations. Users should verify their configurations and adjust port range boundaries in TCP and UDP service objects if necessary.

  • see #2263 looks like "object-group service" that includes named objects defined as "service-object" can not be used in access-list commands and therefore is useless. Unless I misunderstood and there is a way to use it, I should not generate ASA configuration like this:

        object-group service id5102X14531.srv.tcp.0 tcp
          service-object object http.0
          service-object object https.0


    Object-group with "tcp" or "udp" type-suffix in the end does not allow "service-object" statements at all, so this configuration is incorrect anyway. However even without "tcp" in the end to make "service-object" references acceptable, the group can be built but can not be used in access-list statements.

    Instead, the group should use port-object statements:

        object-group service id5102X14531.srv.tcp.0 tcp
          port-object eq 80
          port-object eq 443

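The port-object form of the group above, and the inclusive port-range semantics from #2252, as an added example that is not fwbuilder's code: TCP service objects (single ports or ranges) are rendered into an ASA "object-group service ... tcp" built from port-object lines, together with the access-list command that references it, and a reference matcher confirms that range boundaries are included. The TcpService class and the function names are assumptions made for this example.

```python
"""Render fwbuilder-style TCP service objects as an ASA service object-group
that access-list commands can reference, using port-object statements."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class TcpService:
    """Constructed stand-in for a fwbuilder TCP service object with a
    destination port range; start == end means a single port."""
    name: str
    start: int
    end: int


def port_object(svc: TcpService) -> str:
    """Render one port-object line. Both boundaries are part of the match,
    which is the inclusive semantics the service objects assume (#2252)."""
    if not (1 <= svc.start <= svc.end <= 65535):
        raise ValueError(f"bad port range in {svc.name}: {svc.start}-{svc.end}")
    if svc.start == svc.end:
        return f"  port-object eq {svc.start}"
    return f"  port-object range {svc.start} {svc.end}"


def render_service_group(group_name: str, services: Iterable[TcpService],
                         proto: str = "tcp") -> List[str]:
    """Emit the object-group definition. The protocol suffix on the first
    line is what lets access-list commands use the group; duplicate service
    objects collapse to a single port-object line."""
    lines = [f"object-group service {group_name} {proto}"]
    seen = set()
    for svc in services:
        line = port_object(svc)
        if line in seen:
            continue
        seen.add(line)
        lines.append(line)
    return lines


def render_acl_line(acl_name: str, group_name: str, proto: str = "tcp") -> str:
    """The access-list command that references the group by name."""
    return (f"access-list {acl_name} extended permit {proto} "
            f"any any object-group {group_name}")


def port_matches(port: int, services: Iterable[TcpService]) -> bool:
    """Reference matcher: is a destination port covered by the group?"""
    return any(s.start <= port <= s.end for s in services)


if __name__ == "__main__":
    # Constructed sample objects; the group name mirrors the one quoted above.
    web = [TcpService("http", 80, 80), TcpService("https", 443, 443),
           TcpService("alt-http", 8000, 8080)]
    print("\n".join(render_service_group("id5102X14531.srv.tcp.0", web)))
    print(render_acl_line("outside_in", "id5102X14531.srv.tcp.0"))
```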
  • see SF bug 3213019 "FWSM Network zone and IPv6". Currently we do not support IPv6 with PIX/ASA and FWSM. If user creates a group to be used as network zone object and places IPv6 address in it, this address should be ignored while compiling the policy but this should not be an error.

  • see #2308 "ASA rules with service set to "http" and destination set to ASA firewall object should generate different command syntax". Policy rules that have firewall object in Destination and http object in Service now generate "http" commands. This is similar to how fwbuilder generates "ssh", "telnet" and "icmp" commands to permit corresponding services to the firewall itself.

  • see #2344 "FWSM install errors for clear commands". Using correct syntax for "clear" commands for FWSM v4.x

  • see #2343 "Interface nameif error when installing generated config for FWSM". Use correct "nameif" command syntax in FWSM 2.x and 4.x.

  • see #2345 More fixes for FWSM 4.x: "service resetoutbound", "timeout xlate", "timeout sunrpc"

  • see #2344 fwbuilder should not generate any "ntp" commands for FWSM because NTP can not be configured on FWSM.

  • see #2322 If this is FWSM and if manual commit mode is used, need to commit after clearing ACLs before we clear object groups.

  • see #2347 "FWSM move up the "access-list mode auto-commit" command". Command that configures access list commit mode should be issued before any commands that clear and configure access lists. Also in this change moving commands that set up temporary access list to the top of the script.

  • see #2348: "Accounting action is not valid for FWSM platform". Actions "Accounting" and "Reject" should not appear in the drop-down list of actions in the GUI if platform is PIX or fwsm.

  • see #2295 Added FWSM version "3.2". According to Cisco documentation, FWSM version 3.2 matches PIX 7.

  • see #2351 Security levels of ASA and FWSM interfaces do not have to be unique. Removed check that enforced this.

Support for HP ProCurve

  • There are no changes in the support for HP ProCurve in this release

Firewall Builder 4.1.3 Release Notes

SourceForge: Tickets for V4

What's new in V4.1.3 ?

V4.1.3 contains a number of bug fixes and usability enhancements.

This version comes with the following usability enhancements:

  • Added checkbox to the Preferences dialog, this checkbox turns off some tooltips that can be annoying for users who are sufficiently familiar with the GUI
  • Added a tab "Policy Rule" to the "Objects" page of the global preferences dialog; checkbox in this tab allows the user to choose whether new policy rules should be created with logging turned on or off.

The major bug fixes in this release include:

  • Fixed installer issue for Windows users that use Putty sessions. Built-in policy installer can use putty session on Windows when it runs pscp.exe utility to copy generated script to the firewall
  • Fixed bug in the generated iptables script that caused it not to configure the broadcast address when it added IP addresses to interfaces.
  • Several bugs that affected cluster configurations were fixed, see details below.

v4.1.3 has been tested, and we believe it to be ready for production use, but if you do find a bug or issue please let us know.

GUI Updates

  • see #1823 "Add Preference option for Advanced / Power users". Added checkbox to the Preferences dialog, this checkbox turns off some tooltips that can be annoying for users who are sufficiently familiar with the GUI

  • see #1787 "new fw name input field should have focus when new firewall wizard opens"

  • code refactoring: see #1822 "refactor all GUI classes into libgui library and link executable with it"

  • code refactoring: see #1826 "Place all unit tests in one directory". All GUI and other unit tests moved to the directory src/unit_tests

  • see #1809 "Add Firewall Setting in Logging settings for default log setting on new rules". Added a tab "Policy Rule" to the "Objects" page of the global preferences dialog; checkbox in this tab allows the user to choose whether new policy rules should be created with logging turned on or off.

  • See #1832, SF bug 3097419 "installer uses bare IP address instead of putty session name". It appears pscp.exe on Windows can use putty session name in place of the host name. This change restores old behavior where session name was used like that but does it for both plink.exe and pscp.exe. This only affects users who run fwbuilder GUI on Windows

  • fixed #1837 "generated script gets .fw suffix even when user set output file name". Suffix .fw should not be appended to the name entered by the user in the "output file name" input field in the firewall settings dialog.

  • Fixed SF bug #3106168 "Branch destinations lost when adding to cluster". Since the order in which I copy rule sets is undefined, and they may reference each other via branching rules, I need to fix the references after all of them have been created.

  • Fixes #1858 'Remove "Summary of features" page from the package' and #1857 'Remove "Getting Started" guide from the package'. We have decided to keep documentation and other content like this on the web site. The button "Watch Getting Started Tutorial" in the Tip of the Day dialog opens the tutorial hosted on the web site in a web browser.

Changes and improvements in the API library libfwbuilder

  • added module uint128 (128-bit arithmetic by Evan Teran). Implemented basic operations with IPv6 addresses using this module. See #1834. Now all policy compilers can correctly compare IPv6 addresses used in rules with IPv6 addresses of interfaces. This helps perform various optimizations and fixes issues with the algorithm used to pick the right interface for the Cisco IOS ACL compiled from a policy rule with an empty "interface" rule element and direction "both".

Changes and improvements in the library of standard objects

  • added ICMPv6 object "parameter problem" (type 4, any code) per SF feature request 3094743. Also added service group object "ipv6 unreachable messages" that includes ICMPv6 messages "destination unreachable", "packet too big", "parameter problem" and "time exceeded" per SF feature request 3094758

Changes in support for iptables

  • fix for the SF bug #3095615 "reopen no PREROUTING rule with *-Interface - ID: 3077132". Configlet used wrong shell variable to access ip address of a wildcard interface.

  • fixed #1820 "skip module "nf_conntrack_ipv6" if generated script has no ipv6 rules". The shell function load_modules should not try to load the module nf_conntrack_ipv6 if the generated script does not load any IPv6 rules. Loading this module fails if IPv6 has been disabled in the kernel.

  • fixed SF bug 3091069: "Routing configuration failed". The iptables script generated by fwbuilder did not configure the broadcast address when it added IP addresses to interfaces. It now uses the "ip addr add ADDR/NM broadcast + dev INTF" syntax to do this.

  • implemented SF feature request 3094738 "Set the HL to 255 for IPv6 Neighbor Discovery". Neighbor discovery packets must have a hop limit of 255 per RFC 2461. Automatically generated rules that match neighbor discovery packets will now match hop limit 255.

  • fixed SF bug 3094273 "no state needed for ipv6-icmp in ip6tables". Rules that match ICMPv6 objects should be stateless. The compiler checks for this, resets the "stateful" flag of the rule and issues a warning if the rule was built stateful in the GUI. This could be version-dependent; we may need to revisit it in the future when netfilter fixes the underlying issue. Some resources: https://bugzilla.redhat.com/show_bug.cgi?id=243739 https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/479105

  • fixed SF bug 3090249 "fwb_ipt ignores -d option ". Documented behavior is for the compiler to create files in the directory specified by the argument of the "-d" command line flag. If flag "-d" is not provided, files should be created in the current directory.

  • fixed #1824 "should not try to verify wildcard interfaces".

  • fixed #1838 "function configure_interfaces() does not manage ip addresses of vlan interfaces". This function used to take into account only interfaces that were direct children objects of the firewall. Since vlan interfaces are children of the corresponding physical interface, they were not included.

  • fixed SF bug 3103582 "Cant create redirect rule in cluster firewall object". Iptables nat rule with target REDIRECT could not be built in a cluster configuration. It should be possible to do this by putting cluster object in Translated Destination.

  • fixed #1856 "Permit '-' in Linux interface names". OpenWRT uses the name "ppp-dsl" for PPPoE interfaces. In addition, Linux bridge interfaces may have names with a "-" such as "br-lan". We now permit a "-" in Linux interface names.

Support for PF

  • fixed #1807 "wrong order of address assignment in the generated OpenBSD/PF/CARP cluster configuration". Need to assign ip addresses to regular interfaces before trying to assign them to carp interfaces.

Support for ipfw

  • fixed #1836 "installer hangs and fails after activation of ipfw policy". As soon as the .fw script swapped ipfw sets using the command "ipfw set swap" and deleted temporary set 1, the ssh session would hang and eventually break. We optionally add ipfw rules to permit the ssh session used to manage the firewall, as well as a rule to permit reply packets, but the latter rule was not built correctly. It should match with source and destination reversed, match the keyword "established" and recreate state with "keep-state". This rule automatically recreates state for the established ssh session over which the firewall policy is being managed. Also added a comment to the firewall settings dialog for ipfw to remind the user that the address or subnet they use with this automatic rule should be as narrow as possible.

Changes in support for Cisco IOS ACL

  • see #1834 Fixed the matching algorithm that determines which interface a rule should be associated with for Cisco IOS ACLs. Previously the compiler did not compare subnets properly and therefore interpreted some configurations incorrectly. For example, with a network object 10.0.0.0/8 in "source" and an interface with address 10.0.0.1/24 (the network should not be considered matching), the compiler considered this interface matching and assigned the rule to the interface only with direction "inbound".
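The containment check behind this fix, written here as an added example rather than fwbuilder's own code (fwbuilder is C++; this is a Python illustration). The assumption, which is mine and not stated on the page, is that an interface matches a rule address only when the rule's network lies entirely inside the interface's subnet, so that traffic to or from that address can only cross that interface. The `buggy_matches` function reproduces the old behaviour described above (testing only whether the interface address falls inside the rule network), and `assign_interfaces` shows how such a check assigns a rule with an empty "interface" element and direction "both" to inbound and outbound interfaces. Both work for IPv4 and IPv6, since the page notes that the same comparison is now done for IPv6 addresses via uint128.

```python
import ipaddress
from typing import Dict, List, Tuple


def interface_matches(rule_addr: str, iface_addr: str) -> bool:
    """True if rule_addr (host or CIDR network) lies entirely inside the
    subnet of the interface whose address/prefix is iface_addr.

    10.0.0.5/32 vs 10.0.0.1/24  -> True  (host is on that link)
    10.0.0.0/8  vs 10.0.0.1/24  -> False (rule network is wider than the link)
    """
    rule_net = ipaddress.ip_network(rule_addr, strict=False)
    iface_net = ipaddress.ip_interface(iface_addr).network
    # IPv4 and IPv6 never match each other; subnet_of() would raise TypeError.
    if rule_net.version != iface_net.version:
        return False
    return rule_net.subnet_of(iface_net)


def buggy_matches(rule_addr: str, iface_addr: str) -> bool:
    """Reproduction of the pre-fix behaviour: compares the bare interface
    address against the rule network and ignores the interface netmask, so
    10.0.0.1/24 appears to match 10.0.0.0/8."""
    rule_net = ipaddress.ip_network(rule_addr, strict=False)
    iface_ip = ipaddress.ip_interface(iface_addr).ip
    if rule_net.version != iface_ip.version:
        return False
    return iface_ip in rule_net


def assign_interfaces(src: str, dst: str,
                      interfaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Hypothetical interface picker for a rule with an empty 'interface'
    element and direction 'both': a source address that sits on an
    interface's subnet makes the rule inbound on that interface; a
    destination address on an interface's subnet makes it outbound there.
    Returns a sorted list of (interface name, direction) pairs."""
    result = []
    for name, addr in interfaces.items():
        if interface_matches(src, addr):
            result.append((name, "inbound"))
        if interface_matches(dst, addr):
            result.append((name, "outbound"))
    return sorted(result)


if __name__ == "__main__":
    # Constructed sample topology, not taken from the page.
    ifaces = {"eth0": "10.0.0.1/24", "eth1": "192.168.1.1/24", "eth2": "2001:db8:1::1/64"}
    print(assign_interfaces("10.0.0.5/32", "192.168.1.0/24", ifaces))
    print(assign_interfaces("10.0.0.0/8", "192.168.1.0/24", ifaces))
```

With the old comparison the second call would have claimed eth0 as an inbound interface for 10.0.0.0/8; with the fixed check only eth1 outbound is returned, and the compiler has to fall back to whatever it does for rules that match no interface.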

Changes in support for Cisco ASA (PIX)

  • There are no changes in the support for ASA in this release

Support for HP ProCurve

  • There are no changes in the support for HP ProCurve in this release

Firewall Builder 4.1.2 Release Notes

SourceForge: Tickets for V4

What's new in V4.1.2?

V4.1.2 contains a number of bug fixes and usability enhancements. The usability enhancements are designed to make it easier for new users to learn how to use Firewall Builder.

  • Enable tool tips by default and add additional tool tips
  • Simplify interface configuration in new object wizards for New Firewall and New Host
  • Automatically open firewall Policy object when new firewall objects are created
  • Additional navigational aids and help strings

The major bug fixes in this release include:

  • Fixed installer issue for Windows users that use Putty sessions
  • Fix issue (SF 307732) where wildcard interfaces were not matched in PREROUTING rule
  • Fixed issue (SF 3049665) where Firewall Builder did not generate proper data file name extensions

v4.1.2 has been tested, and we believe it to be ready for production use, but if you do find a bug or issue please let us know.

GUI Updates

  • fixed #1703 "importing iptables line with module pkttype causes parser error". We do not have any object with the behavior closely resembling that of iptables module "pkttype" so the importer creates CustomService object with the code taken from the original iptables rule. SF bug 3065435

  • fixed SF bug 3049665 "Firewall Settings -> Output file name misses .fw extension"

  • fixed how we append suffix ".fw" to the name of generated script when it is preconfigured in the firewall settings dialog and already includes ".fw" suffix (it was added twice).

  • Fixed #1699 installation session status was reset from "failure" to "success" in a configuration where fwbuilder gui was running on Windows and talked to Cisco router using pscp.exe and plink.exe and ssh session failed because of authentication failure. This happened because plink.exe terminated with return status "success" even in case of authentication failure.

  • fixed #1724. There was a problem with pscp.exe and putty sessions. Plink.exe accepts a session name in place of the host name on the command line, but pscp.exe does not. We ask the user to enter the session name in the "alternative name or address to use to communicate with the firewall" input field in the "Installer" tab of the firewall settings dialog and then use it in place of the host name on the command line for pscp.exe and plink.exe. This works with plink.exe but breaks pscp.exe, which interprets it as a host name and fails with the error 'ssh_init: Host does not exist'. The fix checks whether what the user entered in the "alternative host or address" field is a session name and uses a different command line with pscp.exe.

  • fixed #1715 "automatically expand new firewall and new host objects in the tree once they are created"

  • fixed #1732 "Double clicking on object with child objects should auto expand them". Double clicking on objects and folders in the tree expands and collapses them, as well as opens object in the editor.

  • fixed #1729 "double clicking a folder in the tree should expand it rather than open it in the editor".

  • fixed #1738 "Enable tooltips by default"

  • refs #1731 Change double-clicking on "Any" object behavior. The tooltip shown for the object "any" in rules says "to modify the rule drag and drop an object from the tree here" instead of the attributes of the object "any". Double clicking on "any" in a rule does not try to open object "any" in the tree and editor panel.

  • fixed #1739 "remove 'tooltip delay' input from preferences dialog". Qt4 does not allow changing the tooltip delay.

  • fixed #1728 "Update Library drop down menu". Library drop down list shows an item "Object libraries:" at the top that can not be selected and that always stays on top as libraries are added, removed and renamed. The list always stays sorted in ascending order. Library names are indented by 2 spaces to make them visually distinguishable from the prompt item at the top. Implementation uses class ListOfLibrariesModel that inherits QStringListModel.

  • fixed #1740 "Deleted library remains in the drop-down list". If option "Show deleted objects" was turned off in the Preferences dialog and user deleted a library, it remained in the drop-down list of libraries and its object tree was still displayed in the object tree panel.

  • fixed #1741 "there is no way to undelete a library object".

  • fixed #1730 "Add background help text and images to empty policy window". Showing tooltip in the empty space in the rule set view, this tooltip provides hints on how to edit rules which should be useful for the beginners.

  • fixed #1743 "change default for the option 'Show text descriptions for direction and action'". The option should be on by default.

  • fixed #1744 "Add tooltip to the rule number". The column in the RuleSetView where the rule number is shown now has a tooltip to remind the user that they can click the right mouse button to open the context menu and use the keyboard shortcut "x" to compile the rule

  • Added text to the tooltips shown for the "Direction" and "Action" rule elements to remind user that to change these rule parameters they need to click right mouse button to open list of possible settings

  • system folders in the tree now have tooltips that explain what kind of objects belong there.

  • refs #1737 Added "Quick Start Guide" tutorial that demonstrates basic features and key concepts of Firewall Builder. The tutorial is accessible via Help / Tutorials menu and is shown to the first-time user on the GUI startup instead of the "tip of the day" dialog.

  • refs #1748 "Add dialog about Standard Library when user creates first Service object". First time users will see an informational dialog reminding them about the Standard objects library when they create their first service object.

  • fixed #1745 "Remove path data from text above rules window that shows firewall name".

  • fixed #1746 "Force user to change interface name in New Firewall wizard". When user creates interfaces for the new firewall or host using manual method and clicks on the "+" button to add a tab for the new interface in the wizard page, the interface tab is created with blank name. Wizard later checks the name when user clicks Finish to create new firewall or host object and does not let them do this while interface name is still blank. Error dialog reminds that the name of the interface must match the name of the interface on the machine.

  • fixed #1733 "Add button for video tutorial link". Shortcut button "Watch Getting Started Tutorial" opens page with video tutorials in the standard browser.

  • added "placeholder" text to the interface name and label input fields. This text is displayed in a greyed-out small font inside the input field but is cleared as soon as the user starts their input. The text prompts the user as to what is expected in each input field; the actual list of example interface names depends on the host OS chosen in the first page of the wizard. The "placeholder" text support is available only in Qt 4.7 and later, so the code is conditional on the version of Qt.

  • fixed #1718 '"Inspect generated files" dialog says "Multiple firewalls" even when there is only one'

  • fixed #1751 "Don't allow interface names to be blank". The GUI should not allow the name of any object to be blank.

  • fixed #1759 "Use default template library" button seems to do nothing. This button should only be enabled if user switched to their own library of template objects. The button should be disabled if they switched back to the standard template library or never switched to their own one.

  • fixed #1757 Allow searching by attributes even after an object is dropped into the drop area in search panel.

  • fixed #1760 'Search by attribute "name" should search by name or label'. The first item in the list of attribute types available for search now reads "Name or label". Searching using this option matches the name or the label of object instead of just the name. Label is only defined for Interface objects.

  • fixed #1755 "hitting enter after editing search attribute in the Find panel should trigger search"

  • fixed #1753 "Set interface name hint based on firewall platform and host OS". The placeholder text in the interface name and label input fields in the new firewall wizard will depend on the host OS chosen in the first page of the wizard.

  • fixed #1761 "blank interface name is possible in new host wizard"

  • fixed #1763 Implemented basic facility for A/B testing within the GUI

  • fixed #1765, #1779 Move quick start guide to the web site. The "Quick Start Guide" is now part of the web site and the GUI only shows a dialog-invitation to watch it.

  • fixed #1776 once new firewall is created, automatically open its Policy

  • fixed #1767 improved UI in the new firewall and new host dialogs where user chooses file for the custom template library or uses standard template library.

  • fixed #1791 "Add preference flag to enable / disable the Custom templates button on the New Firewall Wizard". Use of the custom template library to create a new firewall object is now optional, controlled by a checkbox in the "Object" tab of the global preferences dialog. New users will have this option turned off by default; existing users will see it enabled for backwards compatibility.

  • fixed #1777 "scroll new fw object to the top of the tree view panel once its created". This has side effect in that some other operations that open an object in the tree will also scroll the tree to position this object at the top.

  • fixed #1778 "main menu Rules should have the same items that context RuleSetView menu when no rules are selected"

  • fixed SF bug 3039681 "context-menu items inconsistent for Single/Multiple rules". When several rules are selected in a rule set, some context menu items should turn to plural.

Changes in support for iptables

  • fixed SF bug #3071667 "Compilation segfault with DNS address in NAT rule". Added rule processors to replace Run-time DNSName and Address Table objects in TSrc and TDst.

  • fixed #1705 "iptables (v >= 1.4.4) --set option deprecated ..." (SF bug 3059893). Option '--set' has been deprecated and renamed '--match-set' in iptables 1.4.4

  • fixed SF bug 3057503 "DNAT rule with dynamic IP has a white space, causing error".

  • fixed SF bug 3060325 "Address table object and prolog script conflict". Generated script should run prolog before checking and loading run-time address tables.

  • fixed #1707 "call function "prolog_commands" from the main iptables script part instead of function "script_body" when prolog should be executed after iptables reset"
  • fixed #1714 "make checking for MODPROBE conditional". There is no need to check if modprobe utility exists on the firewall machine if it is not used by the script.

  • fixed SF bug 3077132 "no PREROUTING rule with *-Interface". Rules matching addresses of a wildcard interface (e.g. "ppp*") were not properly generated.

Support for PF

  • fixed SF bug 3061034 "ifconfig definition missing". Script generated for the ipfw firewall on Mac OS X missed definition of variable IFCONFIG.

Support for ipfilter

  • fixed #1702 "Wrong path in the activation script for ipfilter". Activation command embedded in the generated .fw script used local path to the generated .conf file on the machine where fwbuilder compiler was running.

Changes in support for Cisco IOS ACL

  • No changes in support for IOS ACL in this release

Changes in support for Cisco ASA (PIX)

  • fixed #1783 "PIX routing entries require interface, but PIX config will compile without interface in Routing rule". Policy compiler for PIX now checks that both "interface" and "gateway" rule elements are not empty.

  • Collection of template firewall objects now includes an object for PIX 50X (501 and 506)

  • using command "terminal width 256" to turn off ANSI commands in the PIX command echo.

Support for HP ProCurve

  • No changes in support for HP ProCurve in this release

Firewall Builder 4.1.1 Release Notes

SourceForge: Tickets for V4

What's new in V4.1.1?

This release includes fixes for a number of minor bugs, and it is the first release to officially support HP ProCurve ACL configuration. Thanks to a generous donation of several switches from Hewlett Packard we were able to test and finalize the ProCurve support. This release also fixes a critical bug in V4.1 related to Cisco IOS ACL configurations. Some configurations would cause Firewall Builder to incorrectly generate an error with the message "Can not find interface with network zone that includes address A.B.C.D.".

v4.1.1 has been tested, and we believe it to be ready for production use, but if you do find a bug or issue please let us know.

GUI Updates

  • Built-in policy installer now works with HP ProCurve switches. Currently the installer can only execute generated configuration lines one-by-one on the switch; the installation method using scp that is available for Cisco routers is not supported yet. This has been tested with ProCurve firmware K14.31 on a ProCurve J9470A Switch 3500-24. Caveat: manager access should not be configured with a user name (that is, no "password manager user-name foo")

  • fixed #1683 When user creates new firewall using snmp scan, fwbuilder will now guess and assign the type to interfaces that look like vlans for the given platform and host OS.

  • fixed #1683 class procurveInterfaces interprets interface "DEFAULT_VLAN" as vlan interface with vlan id 1.

Changes in support for iptables

  • fixed #1693 SF bug 3048516 "NAT rule with 'Use SNAT instead MASQ' doesn't work". NAT rule using combination of the option "Use SNAT instead of MASQ", dynamic address of an interface and source port translation produced iptables command with incorrect syntax.

  • see #1685 "iptables redirecting NAT rules in the OUTPUT chain". This fix makes it possible to create iptables NAT rule with target REDIRECT in the OUTPUT chain. The rule should have firewall object in OSrc and TDst rule elements.

  • fixed #1685 "iptables redirecting NAT rules in the OUTPUT chain". NAT rules should be allowed to translate from CustomService to TCP or UDP service, provided CustomService object is configured with matching protocol.

  • fixed #1686 "can not generate basic NAT branching rule". NAT branching rules were not generated in single rule compile mode because compiler needs information about targets used in the branch rule set rules to decide which chain the branching rule should be placed in. Now it will use PREROUTING and POSTROUTING in single compile mode but issue a warning.

Support for PF

  • No changes in support for PF in this release

Changes in support for Cisco IOS ACL

  • fixed #1690 "IOS ACL and Procurve ACL compilers fail because interfaces are not assumed to have network zone any anymore". Compilers for Cisco IOS ACL and Procurve ACL always assumed all interfaces have network zone "any". Recent changes made in 4.1.0 changed that and compilers stopped working for some rule configurations. This bug caused compiler to fail with error message "Can not find interface with network zone that includes address A.B.C.D"

Changes in support for Cisco ASA (PIX)

  • No changes in support for PIX in this release

Support for HP ProCurve

  • fixed #1688 "Procurve ACL remarks should be in quotes if they include space"

  • fixed #1687 "temporary access list commands syntax is incorrect". Temporary ACL generated for the Procurve platform was incorrect.

  • Built-in installer has been tested and now works with ProCurve switches.

Firewall Builder 4.1.0 Release Notes

SourceForge: Tickets for V4

What's new in V4.1.0?

There are several new features in this version including:

  • Support for Address Table objects that use the iptables ipset module
  • Integrated SSH tools (plink.exe and pscp.exe) in Windows installer package
  • New toolbar shortcut to view complete generated firewall configuration files in the GUI
  • Shortcut buttons in the main window to help new users get started more easily
  • Updated many dialog window sizes to work better for users with smaller displays (1024x768)
  • Added a new mode for stopping the firewall script called 'block'

In addition to providing new functionality one of the goals of this release is to make Firewall Builder easier for new users to learn. There are new buttons in the main window that are shortcuts to common functions that new users need to get started like adding a new firewall and importing policies from existing devices.

The iptables ipset module support provides an efficient way to build iptables rules that match large sets of IP addresses and to update these addresses without reloading the iptables rules. Please note that this function requires the ipset module to be loaded on your firewall. You can find more information about how to set up and use Firewall Builder to manage iptables IP sets in the Users Guide section for Address Table objects.

UsersGuide: Address Table Objects

GUI Updates

  • fixed #1505 move "Clip comments in rules" checkbox to "Appearance" tab.

  • fixed #1504 Added (optional) text to the toolbar buttons. Text is turned on by default but can be turned off in the global Preferences dialog.

  • using separate settings object and file in the .ini format to store instance uuid to ensure uuid persistence on windows across upgrades done with complete deinstall. Fixes #1497

  • fixed #1489 removed unnecessary debugging messages.

  • fixed #1490 compile problem with Qt 4.7

  • fixed #1501 call qsrand(seed) to seed random generator before generating new UUID

  • applied patch from slif@bellsouth.net to fix compiler warnings. Patch applied partially since not all fixes were appropriate. fixes #1510

  • fixed SF bug #3013532 "file chooser dialog for import policy does not show all files".

  • fixed SF bug #3013855 "various fixes for run_tests". Applied patch suggested by Michael J. Slifcak (with changes).

  • fixed SF bug #3013735 "invalid pixmap properties during make". Fixed uic warnings.

  • fixed #1499 "GroupObjectDialogTest.cpp does not compile with gcc 3.4.6" and SF bug 3015307. There is no reason to make method insertObject() protected which caused problems (and hacky workaround) in the unit test.

  • added user work flow progress flags for an attempted install and first successful install. Both flags are Boolean true/false indicating that the event occurred. We do not track and do not report any information about the firewall, platform, rules etc. These flags will be used to determine how many users abandon the program before even trying to run install for real because it is too complicated or the UI is not good enough. Fixes #1495

  • added user work flow flag indicating that ssh/scp have been configured in the Preferences dialog. The flag is Boolean and registers only the fact that something was entered in ssh and scp fields. Actual path and programs used are not registered and reported. Fixes #1496

  • fixed bug 3016720 "import policy disabled after file close". Menu items "File/Import Library" and "File/Import policy" became disabled after user closed data file using "File/Close" and never became enabled again.

  • fixed #1521 "GUI crashes upon exit on CentOS 5". This fixes SourceForge bug reports 3016482 "segfault with RHEL5 pre-built packages on CentOS 5.5" and 3015979 "fwbuilder not exiting in centos 5.5"

  • fixed #1493 "workflow icons in the big empty space". The GUI shows big buttons in the empty space in the right hand side of the main window when no firewall policy is not opened yet. These buttons provide simple shortcuts to the workflow functions useful for the novice users. Currently this includes "Create new firewall", "Import configuration of existing firewall" and "Watch Getting Started Tutorial".

  • fixed SF bug 3016680 "Vertical scrollbar issue" rules with a lot of objects did not scroll properly vertically.

  • fixed #1520 "Comment field display clips comment text"

  • fixed #1526 "Make sure GUI unit tests work in the environment where user turned off tip of the day dialog". Unit tests now use alternative settings file with all default values and do not depend on user's preferences.

  • See #1346. Viewer panel that can be used to inspect generated firewall configuration files from within the GUI. The panel can be opened using a button in the mini-toolbar above firewall rules or as a page in the compile and install wizard.

  • SF bugs 3020381 and 3027284: "Line failure should abort remote firewall install". If the network connection is lost during firewall policy activation, the policy installer should detect this, disconnect and declare the installation session a failure. Prior to this version, the installer detected network failures during policy copy (done with scp) or when it could not connect to the firewall at all, but hung if the connection was lost in the middle of the ssh session used to activate the firewall policy. Now the ssh parameter "ServerAliveInterval" is used to make it detect connection failure. Added an input field that defines the inactivity timeout value in seconds to the "Installer" tab of the global preferences dialog. The same timeout value is used to set up the ServerAliveInterval parameter for ssh, the ConnectTimeout parameter for scp and the registry entries required by plink and pscp on Windows using the putty session "fwb_session_with_keepalive". The default value defines a 30 sec timeout.

  • All installation commands should be on a single line in the configlet so they are sent to the firewall as one line. When these commands were on separate lines, linefeed characters between them appeared on the standard input of the command "sudo -S" and broke the installation process. This only happened in my tests when I ran the GUI installer on Windows and looked like some sort of a race. When all commands are on one line the problem disappeared. Changed only configlets that used sudo as part of the installation script.

  • fixed SourceForge bug 3020761 "printing from command line causes Segmentation fault". Fixes #1533

  • fixed source forge bug #3028740 "inspect/install does not like spaces in Firewall object name". compiling firewall objects with name that contains white space produces files with spaces in the name which confused "inspect generated files" function and built-in policy installer. Names with spaces are now supported.

  • sorting of firewall and cluster items in the compile/install dialog is now case insensitive.

  • hiding "Select all" and "Select none" buttons in the first page of the compile/install wizard when there is only one firewall in list.

  • renamed buttons "All" to "Select all" and "None" to "Select none" in the first page of the compile/install wizard.

  • fixed SourceForge bug #3027272: "default values taken from unexpected sources". When new firewall object was created using "Import Policy" function, parts of its configuration were taken from default settings of an unexpected host OS.

  • fixed wrong display of non-ascii symbols in cluster member compilation warning.

  • firewall names are now resolved to an IP address in the SNMP discovery. Added a new input element for the firewall IP address to use for SNMP interface discovery when the firewall object name does not match a DNS record.

  • Added a "Cancel All" button to the installer options dialog to stop all firewall installations and renamed the OK button to "Install". The new "Cancel All" button lets the user interrupt the installation process when they are in the middle of pushing configuration to many firewalls.

  • fixed #1582 'tree is not refreshed after address substitutions in "new firewall" wizard'

  • Most dialogs were adjusted to make sure they fit on the screen 1024x768

  • fixed #1612 "File/Open should create new project panel". If user has some unsaved changes in the default project panel (the one with no associated file) and then uses File/Open menu to open another data file, the file should open in a new project panel.

  • fixed #1611 "File/New should create new project panel". Like #1612, open new data file in a new project panel if current project panel has no data file associated with it but has unsaved changes.

  • fixed #1622 "Crash when configuring cluster". The GUI used to crash if user created a cluster copying rules of one of the cluster members while that rule set was opened in the rule set view.

  • fixed #1632 "dependencies created by branching rule sets should be processed recursively". In the case of multi-level branches the GUI should trace all references to find all firewalls affected by a change of an object used in the rule. This fixes SourceForge bug 3033462 "nested shared branch rules between servers not working".

  • fixed SF bug 3035426 "canceled save writes .fwb". The program created a file with the name ".fwb" if the user started with an empty project page, created some objects, then hit "Compile" but then clicked "Cancel" when offered a chance to save objects into a new data file.

Changes in the policy importer

  • fixed #1511, SF bug 3012953: iptables import parse error icmp_type any

  • fixed SourceForge bug 3012953: names of UDP and TCP objects created during import should follow the same pattern and not include "0-0" for the source ports if they are equal to zero.

  • policy importer for iptables can now parse numerical log levels.

  • bug 3012953: iptables importer sometimes does not recognize rules with " ESTABLISHED,RELATED ". The parser properly processed iptables rules with state "RELATED,ESTABLISHED" but not when the states were in the opposite order.

  • fixed #1513 iptables importer should check default policy in standard chains. The importer creates rules at the bottom of the policy rule set to reproduce default policies in the built-in chains INPUT, OUTPUT, FORWARD. These rules are added only when the default policy in these chains is set to ACCEPT, because the generated iptables script always sets default policies to DROP. Support for this in the mangle table is limited so far: only default policies in PREROUTING, OUTPUT and POSTROUTING can be implemented. Rules created for the commands that set the default policy in chains FORWARD and INPUT will generate commands in the PREROUTING chain instead. We will try to address this in the future if there is sufficient demand.

  • fixed #1516 policy importer for iptables should not use automatic ESTABLISHED rule. (See also SF bug 3012953). The policy importer for iptables now always creates an explicit rule to match ESTABLISHED,RELATED to make sure it goes into the same chain as the original rule. Also in the same fix, the importer creates a branch for iptables rules that match both a regular service and state ESTABLISHED,RELATED. The service is matched in the main policy rule set, while the ESTABLISHED,RELATED state is matched in the branch.

  • fixed SF bug 3015641 "imported REJECT rule changed during compile". Importer of iptables rules did not handle properly parameters of the REJECT target.

  • Fixed SF bug 3016779: Policy importer for iptables should understand module iprange

  • policy importer for iptables replaces the --sport and --dport parameters of module multiport with --source-ports and --destination-ports to remove the grammar ambiguity that arises from the use of the same parameters --sport and --dport by different iptables modules with different argument syntax.

  • fixed SF bug 3017084 "compiler adds extra quote characters to log-prefix string".

  • fixed #1544 "fwbuilder crashes during import of file with rtf formatting data". The fix should prevent crashes in other cases when import was unsuccessful.

Changes in libfwbuilder library

  • Added framework for creating data files with predictable and repeatable object IDs and references. This is used in unit tests so we can create data files that can be compared.

  • fixed missing class variable initialization in class CustomService

Changes common for all policy compilers

  • fixed #1631 "Process branch rule sets recursively". Policy compilers used to look only one level deep while processing branching rules. They should allow for arbitrary nesting and correctly avoid infinite loops if the user creates looped branches. The compiler issues a warning when it detects looped branching. This fixes SF bug 3033462 "nested shared branch rules between servers not working".

Changes in support for iptables

  • fixed #1506 SF bug #3011516: generated iptables script tries to update ip addresses of unnumbered interface.

  • fixed #1523 "outbound ipv6 rule matching multicast ipv6 destination is not generated". A rule with network object fe80::/10 in source and ipv6 multicast ff00::/8 in destination did not produce the corresponding ip6tables command. The change affects other cases with rules using broadcast or multicast objects that should be considered matching the firewall object.

  • fixed bug 3001228 "v4.0.0 iptables: NAT not creating interface addresses". Iptables script generated by fwbuilder used to include commands to configure virtual ip addresses for NAT only if option "configure interfaces" was turned on. Expected behavior is to generate these commands when option "Add virtual addresses for NAT" is turned on regardless of the setting of the option "configure interfaces".

  • Added support for iptables module "set", used to generate iptables commands for rules with run-time AddressTable objects. This module is only available in iptables 1.4.1.1 and later; however, some embedded platforms do not have it even though they ship later versions of iptables (e.g. OpenWRT). Use of this module is controlled by a checkbox in the iptables "advanced" settings dialog, which is off by default. This checkbox becomes disabled when the iptables version is set to < 1.4.1.1. Supporting shell functions are generated by the configlet run_time_address_tables. This includes a shell function that checks whether the data files used by run-time address table objects are available, a function that loads these files if the user activated use of the ipset module using the checkbox, and a function that checks whether the command line utility ipset is present and can communicate with the kernel module. This configlet is included in the script generated for all Linux-based host OS, even though most of them do not support module ipset. If ipset is not supported because the iptables version is too old or the module is simply not available for the platform, the user can just uncheck the checkbox in the firewall settings dialog, and the code generated by the configlet will instead load addresses from the file at run time using script variables and a "while" loop.

  • Implemented support for mixed address lists for run-time address table objects using the ipset module. Normally, one ipset set can contain either individual ip addresses or subnets, not both. We create a "setlist" type set that includes two sub-sets, one for ip addresses and the other for subnets. Function reload_address_table in the configlet run_time_address_tables takes care of managing these three sets automatically. The address list file has the same format as for all other supported types of Address Table object: one address per line, subnets are defined using '/bitlength' or '/netmask' syntax, comments start with the '#' or ';' character.

  • fixed #1640 "default policy when the script is stopped should be optional". The "stop" command used to be interpreted by the iptables script generated by fwbuilder in a way that blocked all connections going to, from and through the firewall. Luc Paulin pointed out that this behavior is incompatible with other firewall management scripts, such as /etc/rc.d/init.d/iptables on Fedora Linux or ufw on Ubuntu, where "stop" means disabling the firewall. In v4.1 the "stop" command flushes all chains in all tables and sets the default policy to ACCEPT. The new command "block" does what "stop" used to do before, that is, flushes all chains in all tables and sets the default policy to "DROP". The option to add a rule to permit ssh access from the management workstation when the firewall is stopped now adds this rule when the firewall script is run with the "block" command instead.
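
    The "stop" versus "block" distinction described in this item, as an added shell example written for this page and not the script fwbuilder generates: both functions flush every chain in the filter, nat and mangle tables, then "stop" sets the built-in chain policies to ACCEPT while "block" sets them to DROP, inserting the optional ssh rule for a management address first so the administrator is not locked out. The IPTABLES variable defaults to a dry-run echo so the command sequence can be inspected on any machine; the table list, the management address 192.0.2.5 and the exact form of the ssh rule are assumptions made for the illustration.

    ```shell
    #!/bin/sh
    # Added example, not fwbuilder's generated script. Shows "stop" (disable the
    # firewall) next to "block" (drop everything). IPTABLES defaults to a dry-run
    # "echo iptables"; set IPTABLES=/sbin/iptables to execute the commands.
    IPTABLES=${IPTABLES:-"echo iptables"}
    TABLES="filter nat mangle"   # assumed table list for the illustration

    # Flush every chain in every table, delete user-defined chains, zero counters.
    flush_all_chains() {
        for table in $TABLES; do
            $IPTABLES -t "$table" -F
            $IPTABLES -t "$table" -X
            $IPTABLES -t "$table" -Z
        done
    }

    # Set the policy of the built-in filter chains to $1 (ACCEPT or DROP).
    set_default_policy() {
        for chain in INPUT OUTPUT FORWARD; do
            $IPTABLES -P "$chain" "$1"
        done
    }

    # "stop": firewall disabled, all traffic allowed, like distribution scripts.
    firewall_stop() {
        flush_all_chains
        set_default_policy ACCEPT
    }

    # "block": what "stop" did before v4.1. Optional $1 is a management address
    # that keeps ssh reachable; the rule is added before the policy becomes DROP.
    firewall_block() {
        flush_all_chains
        if [ -n "$1" ]; then
            $IPTABLES -A INPUT -p tcp -s "$1" --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
            $IPTABLES -A OUTPUT -p tcp -d "$1" --sport 22 -m state --state ESTABLISHED -j ACCEPT
        fi
        set_default_policy DROP
    }

    # Dispatch like the generated script: ./fw.sh stop | block [mgmt-address]
    case "${1:-}" in
        stop) firewall_stop ;;
        block) firewall_block "${2:-}" ;;
    esac
    ```

    Running the script as `./fw.sh block 192.0.2.5` prints the sequence without touching the kernel; only with `IPTABLES=/sbin/iptables` exported (as root) does it change the live rule set.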

  • fixed SF bug 3034628 "iptables does not allow target REJECT in mangle table". Iptables does not support target REJECT in mangle table. Added check to the policy compiler to make it detect this situation and issue an error.

  • fixed #1654 "Support for run-time Address Tables with empty file in iptables". This is an implementation of the same feature we already have for PF. If the file name in the configuration of the run-time Address Table object is blank, policy compiler generates firewall configuration that uses ipset with the name the same as the name of the object but does not generate code to load addresses from a file into it. All control of the ipset is left for the user.

  • fixed #1652 "support for adding single address to address table in the generated script". The generated iptables script now provides functions "add_to_address_table", "remove_from_address_table" and "test_address_table" that let the administrator add or remove a single ip address to or from a given address table. The functions take three arguments: set name, file name and address. They add and remove the address both from the set in memory and from the given file, so that when the firewall reboots and the script reloads the set, it is restored to the desired state. The third function, "test_address_table", is a wrapper around the "ipset -T" command and tests whether the given address belongs to the set. All these functions take the name of the run-time Address Table object used to create the sets as an argument and perform the actual add, remove and test operations on the subsets created for ip addresses and subnets.
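
    The run-time Address Table handling described in the items above (the address list file format, the "setlist" made of one subset for addresses and one for subnets, and the add/remove functions that update both the set and the file), as an added example written for this page and not fwbuilder's own run_time_address_tables configlet. It prints the ipset commands instead of running them so the result can be checked on a machine without ipset, uses the current ipset type names hash:ip, hash:net and list:set (the page's "setlist" is assumed to be the same thing as list:set), and the set name "blocked", the constructed sample file and the "_ip"/"_net" subset naming are assumptions of the illustration.

    ```shell
    #!/bin/sh
    # Added example, not fwbuilder's run_time_address_tables configlet. It parses a
    # run-time Address Table file (one address per line, subnets as /bitlength or
    # /netmask, comments after '#' or ';') and prints the ipset commands that build
    # a list:set with one subset for addresses and one for subnets. Commands are
    # printed, not executed, so the output can be checked without ipset. Type names
    # are the current ipset ones; "setlist" above is assumed to mean list:set.

    # Dotted netmask to prefix length (255.255.255.0 -> 24); rejects gapped masks.
    netmask_to_prefix() {
        mask=$1 prefix=0 partial=0 old_ifs=$IFS
        IFS=.
        set -- $mask
        IFS=$old_ifs
        [ $# -eq 4 ] || { echo "bad netmask: $mask" >&2; return 1; }
        for octet in "$@"; do
            if [ "$partial" = 1 ] && [ "$octet" != 0 ]; then
                echo "non-contiguous netmask: $mask" >&2; return 1
            fi
            case $octet in
                255) prefix=$((prefix + 8)) ;;
                254|252|248|240|224|192|128)
                    partial=1; n=$octet   # count the set bits of the partial octet
                    while [ "$n" -gt 0 ]; do prefix=$((prefix + (n & 1))); n=$((n >> 1)); done ;;
                0) partial=1 ;;
                *) echo "bad netmask: $mask" >&2; return 1 ;;
            esac
        done
        echo "$prefix"
    }

    # Strip comment and whitespace from one line; print "ip A" or "net A/N",
    # nothing for blank or comment-only lines.
    classify_entry() {
        entry=$(printf '%s\n' "$1" | sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -n "$entry" ] || return 0
        case $entry in
            */*)
                addr=${entry%%/*}
                mask=${entry#*/}
                case $mask in
                    *.*) mask=$(netmask_to_prefix "$mask") || return 1 ;;
                esac
                echo "net $addr/$mask"
                ;;
            *) echo "ip $entry" ;;
        esac
    }

    # Print the commands that create the three sets and load the file into them.
    address_table_commands() {
        name=$1
        file=$2
        printf 'ipset create %s_ip hash:ip -exist\n' "$name"
        printf 'ipset create %s_net hash:net -exist\n' "$name"
        printf 'ipset create %s list:set -exist\n' "$name"
        printf 'ipset add %s %s_ip -exist\n' "$name" "$name"
        printf 'ipset add %s %s_net -exist\n' "$name" "$name"
        while IFS= read -r line || [ -n "$line" ]; do
            item=$(classify_entry "$line") || return 1
            [ -n "$item" ] || continue
            printf 'ipset add %s_%s %s -exist\n' "$name" "${item%% *}" "${item#* }"
        done < "$file"
    }

    # Add or remove one entry in both the set (printed command) and the file, so
    # the table comes back in the same state after the script reloads it.
    add_to_address_table() {   # args: set name, file name, address
        item=$(classify_entry "$3") || return 1
        [ -n "$item" ] || return 1
        grep -qxF -- "$3" "$2" 2>/dev/null || printf '%s\n' "$3" >> "$2"
        printf 'ipset add %s_%s %s -exist\n' "$1" "${item%% *}" "${item#* }"
    }
    remove_from_address_table() {   # args: set name, file name, address
        item=$(classify_entry "$3") || return 1
        [ -n "$item" ] || return 1
        grep -vxF -- "$3" "$2" > "$2.tmp" || true
        mv "$2.tmp" "$2"
        printf 'ipset del %s_%s %s -exist\n' "$1" "${item%% *}" "${item#* }"
    }

    # Constructed sample table (documentation prefixes, not a real block list).
    write_sample_table() {
        cat > "$1" <<'EOF'
    # blocked hosts (constructed sample)
    192.0.2.10
    192.0.2.11      ; trailing comment
    198.51.100.0/24
    203.0.113.0/255.255.255.128
    EOF
    }

    # Demo: build a temporary table and show the commands it produces.
    tmp=$(mktemp)
    write_sample_table "$tmp"
    address_table_commands blocked "$tmp"
    add_to_address_table blocked "$tmp" 192.0.2.12
    rm -f "$tmp"
    ```

    The netmask conversion matters because a hash:net entry wants a prefix length, while the file format also allows "/netmask"; the parser therefore normalizes both spellings before emitting a command, and refuses a non-contiguous mask rather than silently producing a wrong prefix.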

Support for PF

  • No changes for PF.

Changes in support for Cisco IOS ACL

  • No changes for Cisco IOS ACL.

Changes in support for Cisco ASA (PIX)

  • fixed #1491 fwb_pix crashes trying to compile simple rule. Compiler should check validity of the object used as network zone of an interface.

  • do not verify network zones of unprotected interfaces. The compiler does not allow the same object to be used as the network zone of two different interfaces, which caused problems when a vlan parent interface has zone "Any". A vlan parent interface can not have ACLs attached to it and does not need any meaningful network zone, so "Any" is a reasonable fill-in choice. However, it coincides with the network zone of the "outside" interface, which triggered this check.

Support for HP ProCurve

  • No changes for HP ProCurve.

Firewall Builder 4.0.1 Release Notes

This release comes with fixes several minor bugs in the GUI and other components, improves policy importer for iptables and introduces support for HP ProCurve ACLs.

Changes in the GUI

  • fixed #1443 GUI crashes compiling file opened read-only. If a file that was added to RCS was opened read-only and then any firewall object in it compiled, the GUI crashed trying to update "last_compiled" timestamp.

  • fixed #1444 compile error on FreeBSD-Current. The compiler issues the error "/usr/include/utmp.h:2:2: error: #error <utmp.h> has been replaced by <utmpx.h>"

  • fixes #1447: context menu item "Edit" associated with rule set object in the tree opens it in the rule set view and the editor panel. Menu item "Open" only opens it in the rule set view. This eliminates strange behavior where it would open in the rule set view on first click on "Edit" and then in the editor in the second click on "Edit". Double click used to work the same, the first double click opened in rule set view, the second in the editor. Now double click always opens in rule set view and the editor which is more consistent with the behavior for other object types.

  • fixed #1339 "Logging" icon appears looking the same as "Rule options" icon on Mac

  • fixed #1460 "when "show icons in rules" is turned off, there is no way to tell when logging is turned on and non-default options are present in a rule".

  • fixed #1464, SourceForge bug 3004274: "Branch rule set object displays improperly". Branch rule set attribute was not loaded properly into Branch action dialog for rules of PF firewalls.

  • fixed #1462 "if you do a bulk install, and then want to do a single install, bulk mode is selected"

  • fixed #1461 Need obvious button to add new rule to the empty rule set. Added button with a "+" icon right above the rule set view, this button adds new rule to the set.

  • fixes #1457 "tooltips for rule options seem to be broken". The tooltip now always includes a line telling whether the rule is "stateful" or "stateless", so the function almost never returns an empty string. Added missing hashlimit parameters to the rule options tooltip. Some of the more rarely used hashlimit parameters are still not included in the tooltip. Improved tooltip formatting using an html table.

  • fixed #1463 Always show branch rule set name with action "Branch"

  • fixed #1469 some actions should always display argument, even when text labels for actions and directions is off

  • applied patch by Vadim Jukov <persgray@gmail.com>, maintainer of OpenBSD port. Patch fixes compile issues on OpenBSD

  • fixed #1468 Open new object in the editor after it has been created.

  • see #1466 Implemented instrumentation that should help us improve user experience. It tracks a few things that new users do (or don't do) and reports them as a combination of boolean flags at the end of the GUI session. Reported things include whether the user ever looked at the "Getting Started" tutorial, whether they created their first firewall object, modified any rules, tried to compile, install or import an existing rule set. Information passed in the report is strictly a set of boolean flags; it is not identifiable and does not reveal what firewall platform they are using or anything about their objects and rules. The list of flags is in the module UserWorkflow.h

  • fixed #1478 always use included antlr run-time library. Because of the fixes I've made in CircularQueue.hpp in 2008 for 64 bit systems, we should always link with the antlr run-time that is included with the fwbuilder code tree rather than attempt to use the one that might be installed with the OS.

  • fixed #1481 when user changes platform in the firewall object, its version should change too.

  • added mechanism for one-time announcements that can be pulled from the web site when version check server says there is one. Announcement is shown only once. To do this, I store time stamp when it was shown in settings using hash of the announcement url.

  • refs #1483 If program detects change in CustomService object and the change just adds code string for a platform that was not in the object in the user's data file, the change is accepted without showing the dialog.

  • fixes #1484 "paste below" function pastes rules out of order

Changes in the policy importer

  • See #1450 and SourceForge ticket 3000809: iptables parser can now import "mark" module matches with hexadecimal parameters and "length" module matches. Also added check in the importer for broken iptables-save files where rules for any table are not terminated with "COMMIT".

  • fixes #1453 "iptables importer should parse multiport module parameter --ports". Module multiport with parameter "--ports" matches either source or destination port numbers. The importer creates two tcp (or udp) service objects to implement this match.

  • see #1451 "policy importer should support some popular iptables modules". Added support for module "recent" and rules that match standard ip/icmp/udp/tcp protocols and at the same time module "mark", "length", "limit" or "recent". Rules like these are translated into a combination of a branching rule and additional rule in a branch rule set that implements module match.

Changes in the Standard Objects library

  • fixed #1483 "missing code in the custom service object ESTABLISHED for ProCurve"

Changes in libfwbuilder library

  • fixed #1485 "dns name object is recognized as an empty group when it appears in shared rule set"

Support for HP ProCurve

  • Added experimental support for HP ProCurve "intelligent" switches (L3). Code is based on the policy compiler for Cisco IOS extended access lists. Differences include ';' character for comments, different naming convention for Vlan interfaces ("VLAN 2", with a space), requirement to unbind an ACL from interface before it can be cleared, different syntax for vlan ACLs and ACLs bound to switch ports.

  • At the time of the release of v4.0.1, we were able to test code generation for ProCurve ACL but policy installer remains untested for the lack of hardware. We are going to work on the installer over the next few months to make sure it works in the next point version release of fwbuilder.

Changes in support for iptables

  • fixed #1455 Function update_addresses() (host OS linux24 and derivatives) uses both ip and ifconfig. Should stick with /sbin/ip so the script works on systems where ifconfig is not installed.

  • fixed #1458 Should permit interface name "br-lan" for bridge interface on Linux. Bridge interfaces on Linux can have any name, including those with "-". OpenWRT creates bridge interface with the name "br-lan" by default.

Changes in support for DD-WRT

  • fixes #1448 "need to commit nvram changes on DD-WRT".

Changes in support for Cisco IOS ACL

  • Compiler uses new configlet "safety_net" to add temporary ACL for the "safety net" install method.

  • restored function of the "comment the code" in the "Script options" of the firewall settings dialog for Cisco IOS ACL and ProCurve ACL. When this checkbox is off, comments are not added to generated script.

Firewall Builder 4.0.0 Release Notes

Changes in the GUI

  • The editor panel and object tree are now detachable. You can "float" these windows and rearrange them on the screen any way you want. There is only one editor panel even when you open several data files at the same time. Each data file is opened in its own project window with object tree and rules.

  • Selection of the object in the tree or rules does not automatically open it in the editor anymore. Use double click or context menu item "Edit" to open object in the editor. This helps, for example, when you need to populate large object group and need to switch between libraries to find objects. Switching to another library or accidentally clicking on a wrong object in the tree does not cause editor to switch.

  • Full implementation of the "undo" facility for all operations in the GUI. You can also monitor undo stack in the "Undo stack window" that you can open using main menu item "View/Undo Stack".

  • Behavior of all object dialogs has changed. According to the results of the user community opinion poll and discussion, object dialogs are losing button "Apply". All changes made in dialog entry fields are saved into the object immediately. This does not change the data in the .fwb file, only objects in memory. Combined with Undo, this allows for faster object editing and roll back of changes.

  • "Single rule compile": After you select a rule in policy or NAT rule set, you can compile it and see the result in the editor panel immediately if you hit "X" on the keyboard or use context menu that appears if you click right mouse button. The result is shown in the editor panel immediately. To select a rule click anywhere in it (any rule element, not just rule number).

  • Error and warning messages generated by the policy compilers are highlighted using red and blue colors in the compiler output panel when you compile single rule. When you compile all rules of the firewall using toolbar buttons or main menu items "Compile" or "Install", errors and warnings are also highlighted in the dialog. Clicking on the error or warning message opens corresponding firewall and selects the rule that caused it.

  • A new "Filter" input field is located above the object tree. Typing a fragment of the name in this field automatically limits the set of objects shown in the tree to those that match what was typed. The filter maintains a history of strings entered in it for the duration of the session.

  • Right above the panel showing rules there are now two new buttons. These allow you to compile and install policy for the firewall object shown in the rules panel at the moment. The same functions are available via context menu associated with the firewall or cluster object in the object tree, but these buttons are easier to use.

  • The GUI can show brief summary of object attributes in the second column in the object tree. This is controlled by a checkbox in the global preferences dialog, tab "Objects". This is off by default. The first column always shows object icon and its name, the second (optional) column shows its attributes. Interface label is shown in the second column. The width of both columns in the tree is set automatically to accommodate all the text, then can be adjusted by the user using mouse. Column width is saved in settings and will be restored upon program restart. Column width is saved per-file, per-library.

  • Now you can change ip addresses of interfaces of the new firewall created from a template. Templates come preconfigured with some IP addresses which probably do not match addresses used on your networks. When you create new firewall object from a template, the "new firewall" wizard includes interface editor page where you can change addresses and interface types (static or dynamic). The program not only changes addresses of interfaces, it also scans policy and NAT rules of the template looking for network objects that match original template addresses and replaces them with network objects that match new ones.

  • "Add object to a groups directly from the group dialog". Group object dialog now has a button that shows a menu when clicked, this menu allows you to create new object and add it to the group in one operation.

  • Password caching: Built-in installer can remember firewall password (and enable password for Cisco) for the duration of the session. Passwords are never stored permanently in any form, encrypted or plain text, they are only kept in memory of working Firewall Builder GUI instance. You need to enter password once when you activate generated policy. If you keep the program open and need to modify and activate policy again, the password fields in the installer dialog can be filled automatically. The feature is optional and is off by default. Cached passwords are associated with the firewall object and account name used to activate policy. To use this feature, turn it on in Preferences and configure user name used to authenticate to the firewall in the "advanced" settings dialog of the firewall object. Warning: using this feature creates certain risk if working Firewall Builder GUI is left unattended on the unlocked workstation. Someone may walk up to the machine and make changes to the firewall using cached password of the administrator who used the same GUI session before. Always lock the screen or exit Firewall Builder GUI when leaving computer.

  • The program supports new types of interfaces: VLAN, bridge, bonding. This is fully implemented for Linux and partially for other platforms. VLANs are added as child objects of an interface, like so:

    The GUI checks the name of the vlan subinterface against naming convention for vlan interfaces on the chosen OS. For example, both "eth0.100" and "vlan100" are supported on Linux, while on Cisco IOS or PIX it should be "FastEthernet0/1.101"

    See below for more details on the bridge interfaces implementation.

  • The program can generate commands to configure vlans, bridges and bonding interfaces on Linux. This is off by default and controlled by checkboxes in the "script" tab of the firewall object dialog. Generated script adds and removes vlans, bridges, bridge ports, bond and bond slaves incrementally. That is, the script analyzes existing vlan interfaces and compares them with vlan interfaces defined in the Firewall Builder GUI and then adds new ones and removes those that do not exist in fwbuilder. The same algorithm is used to create bridges, add or remove bridge ports and create bonds and then add or remove slave interfaces.

  • Configlets: generated firewall script (for all platforms) is assembled from small fragments we call "configlets". These fragments are located in the "/usr/share/fwbuilder/configlets" (on Linux). Each configlet is a template that uses specially defined macros which the program replaces with actual strings and values when it generates firewall configuration. There are separate templates for different firewall platforms and for different parts of the configuration file to be created. Supported macros include simple variable expansion and conditional "If - then" construct. You can override configlets we provide with your own if you create directory "fwbuilder/configlets" in your home directory and place files with the same name there. You need to retain the structure of subdirectories inside this directory, that is, the directory should be "$HOME/fwbuilder/configlets/linux24" for the configlets installed in "linux24" subdirectory under "/usr/share/fwbuilder/configlets". This way, you can change virtually all aspects of generated configuration file.

  • Built-in policy installer gets commands that it needs to execute on the firewall from configlets. Two configlets are used for Unix-based firewalls (Linux, OpenWRT, DD-WRT Sveasoft, IPCOP and its variants, OpenBSD, FreeBSD, MacOSX, Solaris): "installer_commands_reg_user" and "installer_commands_root". You can change the behavior of the installer without having to touch C++ code, just create a copy of the configlet file in $HOME/fwbuilder/configlets and modify it.

  • Terminology for policy rule actions that create branching in the rule set or tag packets has been unified. Now we call these actions "Branch" and "Tag" for all platforms. Before, the name was different and matched original action on each platform, that is for PF it was "Anchor" and "Tag" and for iptables "Chain" and "Mark" respectively.

  • "Find where used" function can now find all uses of the given object, as well as all uses of its children. For example, if the object is firewall, then this function can find all groups and rules that refer to it directly, or to it and all its interfaces and their addresses. This extension is optional, it is controlled by a checkbox in the "Find" dialog.

  • Added a place in the global Preferences dialog for options specific for different object types. First parameters include options for DNSName and AddressTable to let the user decide if the newly created objects of these types should be automatically configured with "Compile Time" or "Run Time" mode. Also, added an option that makes DNSName object editor copy the name of the object into the DNS record input field when new object is created or whenever the name changes. This is useful when the user does not want to keep object name and dns record different because they need to enter the name only once.

  • "Batch install" checkbox moved to the page that shows compiler progress so the user can decide to do batch install right before they perform installations instead of doing this before they start compile.

  • Added GUI elements to support IP option "router-alert" which is now available as an attribute of IPService object.

Changes in the Standard Objects library

  • Standard objects library now comes with new IPv6 Network objects. These objects represent IPv6 networks that should not be routed on the Internet. Included: RFC3849 "Documentation Network" 2001:db8::; RFC4291 "Link local" fe80::/10; RFC4773 "Experimental Network" 2001:0000::/29 to 2001:01F8::/29. Also added a group "ipv6 private" that includes all these networks.

  • Added address objects for standard multicast groups: all-hosts, all-routers, all DVMRP, OSPF, RIP, EIGRP, DHCP server / relay agent, PIM, RSVP-ENCAPSULATION, VRRP, IGMP, OSPFIGP-TE, HSRP, mDNS, Link-local Multicast Name Resolution, Teredo.

Common changes in all policy compilers

  • All compilers issue a warning when the firewall has no top level NAT or Policy rule set. The top rule set is used to generate iptables rules in the built-in chains INPUT/OUTPUT/FORWARD or the rules in the main PF configuration file (not anchors). If the firewall object has other, non-top Policy and NAT rule sets but no top rule set, packets will never reach any rules. However, there are legitimate cases when an administrator may want to use fwbuilder only to generate iptables commands for a custom chain or configuration for a custom PF anchor, in which case this is not an error. Compilers generate a warning for this condition to bring it to the attention of the administrator but continue processing the rules.

Support for High Availability configurations

Test data file cluster.fwb with examples of different cluster configurations is available for download here.

Firewall Builder Users Guide 4.0 has several chapters that offer explanation of the cluster support and provide detailed step by step tutorials that demonstrate how to create cluster configuration in Firewall Builder GUI and show generated firewall configuration.

Chapter that describes firewall cluster configurations: http://www.fwbuilder.org/4.0/docs/users_guide/clusters.shtml

Examples of cluster configurations on Linux with vrrpd and heartbeat: http://www.fwbuilder.org/4.0/docs/users_guide/cluster-cookbook.shtml

New object type "Cluster" (located under Clusters in the tree) represents the HA pair. You configure policy and NAT rules in the rule sets of this object rather than in the actual firewalls.

Here is what you need to do to set up HA configuration:

  • Create your firewall objects. Assign platform and host OS and name interfaces as usual. Do not add any policy or NAT rules. These are your real (member) firewalls. Interfaces should have their real IP addresses (not CARP or VRRP addresses).
  • Create a Cluster object which you configure with proper platform and host OS. Use the usual "New Object" menu or toolbar button to create this object. Note that in order for the firewall object to become a member of a cluster, their platform and host OS settings must match.
  • The program guides you through the process of creation of the new Cluster object using wizard-like dialog. You start with the list of firewall objects where you choose which firewalls should become members of the cluster. Next, the program finds interfaces of the member firewalls that have the same name and can be part of the cluster and creates cluster interfaces with the same name. Not all interfaces are eligible, for example bridge ports, bonding interface slaves or parents of vlan interfaces can not be used for the cluster. Cluster interfaces define failover groups. You can add, remove or rename cluster interfaces, as well as change which interfaces of the member firewalls are used with each one. On the next page of the wizard you can change failover protocols and add, remove or change IP addresses of cluster interfaces. Not all failover protocols require IP addresses, for example VRRP or CARP do but heartbeat or OpenAIS don't. Finally, you can choose to use policy and NAT rules of one of the member firewalls to populate Policy and NAT rule sets of the new cluster. If this is done, all references to the original member firewall and its interfaces in rules are replaced with references to the cluster and its interfaces. The program also creates backup copies of the member firewall objects with the name with suffix "-bak" and clears Policy and NAT rule sets of the member firewall objects used with the cluster before new cluster is created.
  • An OpenBSD or FreeBSD cluster gets carp interfaces. Name them "carp0", "carp1" or whatever indexes they have on your machines. You can add the CARP password and ID at the same time, but if you don't, you can add them later.
  • If you use heartbeat or OpenAIS (on Linux) for failover, cluster interfaces should have the same names as the corresponding member firewall interfaces. In this case, cluster interfaces are virtual entities that represent interfaces of the corresponding member firewalls. The program makes the substitution when it compiles rules. This is also how it works for PIX failover configuration.
  • Each cluster interface has a child "Failover group" object with a name like "firewall:carp0:members". This is where you configure the associated member firewall interfaces. Double-click this object in the tree and then click the "Manage Members" button in the dialog. Select interfaces of the member firewalls in the panel on the left-hand side and click the arrow button to add them to the list on the right. Use the checkbox to select the master. Click OK when done. The platform and host OS of the cluster object and members must match; otherwise firewall objects do not appear in the "members" dialog panel.
  • Besides interfaces, the Cluster object has a new child object "State Sync Group". This group represents the state synchronization protocol. Currently pfsync is supported for OpenBSD and conntrackd for Linux. To configure it, double-click it in the tree to open it in the dialog and click "Manage Members". Select interfaces of the member firewalls in the panel on the left-hand side and click the arrow button to add them to the list on the right. Use the checkbox to select the master. Click OK when done. They should appear in the "members" table in the State Sync Group dialog. The platform and host OS of the cluster object and members must match; otherwise firewall objects do not appear in the "members" dialog panel.
  • The "Edit protocol parameters" button allows you to edit some parameters of the chosen failover protocol. This is where you can configure an address and port for heartbeat and OpenAIS.
  • There are a few new checkboxes in the "Script" tab of the firewall object dialog. These allow you to control whether the program adds shell commands to create and configure bonding, bridge and VLAN interfaces.
  • Compile by right-clicking the cluster object and using menu item "Compile". This in fact compiles each member firewall separately, so you get .fw and .conf files for both of them.
  • Again, you configure all the rules in the policy and NAT rule sets that belong to the cluster object. If you put the cluster's interfaces in rules, the program replaces them with interfaces of the member firewall when it compiles rules. If you put the cluster object in a rule, it is as if you had put the member firewall object there instead, except that the program automatically picks the member firewall it compiles the policy for.
  • First, the program looks at the Policy and NAT rule set objects of the cluster and member firewalls and compares their names. If there is a rule set object with the same name in both the cluster and a member firewall and both have a non-zero number of rules, the rule set object from the member is used and the one from the cluster is ignored. The program prints a warning message when this is done. If rule set objects with the same name exist but the one in the member firewall has zero rules, it is ignored and the one from the cluster is used (no warning is issued). Likewise, if there are rule sets with the same name but the one in the cluster has zero rules, it is ignored.
  • Here is what you need to do if you want most rules defined in the cluster, so they translate into rules for all member firewalls, but some rules defined in the members, so you can make the configurations of the members slightly different:
    • Create a separate rule set object in the cluster and in each member. Use a name different from "Policy" or "NAT"; let's use the name "member_override".
    • Create a rule with action "Branch" in the main Policy or NAT rule set of the cluster, and drag the rule set object "member_override" that belongs to the cluster to the well in the Branch action parameters dialog.
    • Leave the "member_override" rule set that is a child of the cluster object empty (no rules).
    • Add rules to the rule set "member_override" in each member firewall.
    • Make sure rule set "member_override" is not marked as "Top ruleset" in the cluster and in each member. This rule set translates into a user-defined chain (iptables) or anchor (PF) and should not be the "top ruleset".
    This method works for both policy and NAT rules on all platforms.

Cluster configuration for PIX

Firewall Builder supports PIX "LAN-based" failover configuration. Unlike Linux or BSD, where each interface of the firewall runs its own instance of the failover protocol, PIX runs one instance of the failover protocol over a dedicated interface. PIX can also run the state synchronization protocol over the same or another dedicated interface. These dedicated interfaces should be connected via a separate switch and do not see regular traffic. Here is how this is implemented in Firewall Builder:

  • As with all other supported firewall platforms, interface objects that belong to a cluster object serve to establish the association between actual interfaces of the member firewalls. The cluster interface object should have the same name as the corresponding member firewall interfaces. It should have a Failover Group child object, which should be configured with interfaces of the member firewalls. You can create the Failover Group object using context menu item "Add Failover Group"; the menu appears when you right-click the cluster interface object. Here is an example of correct interface mapping between cluster and member firewalls:
  • The Failover Group object "cluster1:e0.101:members" is configured with interfaces "Ethernet0.101" of both members:

  • The interface that is configured for failover on the member firewall should be marked as "Dedicated Failover". Use the checkbox with this name in the interface object dialog to do this.
  • The cluster interface that corresponds to the failover interface of the members should be configured with protocol "PIX failover protocol". Click the "Edit protocol parameters" button to edit the timeout, poll time and the key.
  • Cluster interfaces that represent regular interfaces of the members must also have failover group objects; that is where you add interfaces of the member firewalls. There is no need to configure a protocol in these failover groups because PIX does not run it over these interfaces. Regular interfaces should not be marked as "Dedicated Failover".
  • The cluster object should have a State Synchronization Group child object. Create it using context menu item "Add State Synchronization Group" if this object does not exist. In this object you need to configure the member interfaces that should be used for state synchronization. You can use separate dedicated interfaces or the same interfaces used for failover. If these are separate, the corresponding interface objects of the member firewalls must be marked as "Dedicated Failover".
  • One of the member firewall interfaces used in the State Synchronization group must be marked as "master". This is where you define which PIX unit is going to be the primary and which the secondary in the HA pair.
  • Here is an example of the state synchronization and failover using the same interface Ethernet2:

    The State Synchronization Group object "State Sync Group" is configured with interfaces "Ethernet2" of both members:

  • Dedicated failover interfaces of the member firewalls must have IP addresses and these addresses must be different but belong to the same subnet.

Built-in policy installer treats PIX clusters in a special way:

  • For a PIX cluster, the built-in installer installs the generated configuration only on the master PIX unit. It determines which one is the master by looking in the StateSyncGroup object (state synchronization cluster group).
  • The dialog where the user enters authentication credentials and other parameters for the installer has a checkbox that makes the installer initiate a copy of the configuration to the standby PIX if the installation was successful.

Changes in the support for bridging firewalls

Skip this if you do not use Firewall Builder to configure iptables firewalls in bridging configuration. Otherwise, please read on.

Previous versions of Firewall Builder provided an attribute "bridge port" in the dialog of the Interface object. If an interface marked as "bridge port" was used in the "Interface" column of a policy rule, the fwbuilder policy compiler used the "--physdev-in" or "--physdev-out" option instead of the conventional "-i" or "-o" option. The attribute "bridge port" has been deprecated in the new version. You need to change your firewall and interface objects manually to make your old configurations compile properly with the new version of Firewall Builder.

First, check whether you have an interface object that represents the bridge. Usually it will have a name like br0. If you do not have this interface object in the firewall in Firewall Builder, please create it. Regardless of whether this object existed before or you just created it, open it in the editor and click the "Advanced Interface Settings" button in the dialog. This button and the dialog it opens are new in this version of the program. In the dialog that appears, use the drop-down menu "Device Type" to set its type to "Bridge". Then click "OK" to close the dialog and save the configuration.

Next, find the interface objects that should represent bridge ports and simply drag and drop them under the interface br0 (copy/paste works too). In the end, these interfaces become "children" of br0 and are located in the branch of the tree rooted at br0. The program displays the comment "bridge port" next to the name of such an interface in the tree. Here is how it looks:

In this configuration we have bridge interface br0 and two bridge ports, eth0 and eth1. Note how eth0 and eth1 are located in the tree under br0, on the same level as its IP address object.

That is all: bridge port interfaces are recognized by the program again and it generates proper iptables configuration.
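To make the mapping concrete, here is an added shell example (written for these notes, not Firewall Builder's compiler) that models the tree layout just described, with bridge ports as children of an interface whose Device Type is "Bridge", and selects the iptables interface match the way the text describes: "-i"/"-o" for a regular interface, the physdev module for a bridge port. The interface tree in FWB_IFACE_TREE, the function names and the sample interfaces br0, eth0, eth1 and eth2 are this example's own constructs.

```shell
#!/bin/sh
# Added example, not Firewall Builder's code: derive the iptables interface
# match from the object tree, where bridge ports are children of a "Bridge"
# device. Constructed tree: one interface per line, "name parent type";
# "-" means the interface has no parent.
FWB_IFACE_TREE='br0 - bridge
eth0 br0 ethernet
eth1 br0 ethernet
eth2 - ethernet'

# Exit 0 when interface $1 is a bridge port: its parent exists and is a bridge.
is_bridge_port() {
    printf '%s\n' "$FWB_IFACE_TREE" | awk -v i="$1" '
        { parent[$1] = $2; type[$1] = $3 }
        END { p = parent[i]; exit !(p != "" && p != "-" && type[p] == "bridge") }'
}

# Print the match clause for direction $1 ("in" or "out") on interface $2.
# A regular interface is matched with -i/-o; a bridge port needs the physdev
# module because the kernel sees the packet arriving on br0, not on the port.
iface_match() {
    dir="$1"; iface="$2"
    if is_bridge_port "$iface"; then
        if [ "$dir" = in ]; then
            echo "-m physdev --physdev-in $iface"
        else
            echo "-m physdev --physdev-out $iface"
        fi
    else
        if [ "$dir" = in ]; then echo "-i $iface"; else echo "-o $iface"; fi
    fi
}

# Stand-alone usage: print an inbound FORWARD rule fragment per named interface,
# e.g. "./bridge_match.sh eth0 eth2". Does nothing when run without arguments.
if [ $# -gt 0 ]; then
    for n in "$@"; do
        echo "iptables -A FORWARD $(iface_match in "$n") -j ACCEPT"
    done
fi
```

Running it with eth0 and eth2 shows the difference in one glance: eth0 gets "-m physdev --physdev-in eth0", eth2 gets "-i eth2".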




Changes in support for iptables

  • When an interface with a dynamic address is used in a policy or NAT rule, the compiler generates shell code that reads its IP addresses at the time of execution, assigns them to temporary shell variables and uses them in rules. In previous versions (fwbuilder v2 and v3) only the first IPv4 address of an interface was used. V4 uses all IPv4 and IPv6 addresses of the interface by creating a shell "for" loop in the script. Note that support for dynamic IPv6 addresses was completely broken in v3; it is fixed in v4.

  • Policy compiler for iptables can generate shell commands to configure bridge, bonding and vlan interfaces (see above).

  • Added support for branching rules in NAT.

  • Added support for option "--random" in SNAT rules

  • "SNAT instead of MASQUERADE on dynamic interfaces". The NAT rule options dialog now has a checkbox that, when checked, makes the compiler use the SNAT target instead of MASQUERADE when TSrc is a dynamic interface. Apparently the MASQUERADE target has problems when iptables NAT is used in combination with policy routing. Using SNAT with a variable that holds the interface address solves the problem. By default this option is off, that is, the compiler uses the MASQUERADE target when TSrc is a dynamic interface.

  • Generated script can adjust conntrack kernel module parameters to tune its performance for firewalls that handle heavy traffic.

  • The generated iptables script now has a standard structure per the LSB ("Linux Standard Base Core Specification 3.1"). The script has the following actions, controlled by command line arguments: "start", "stop", "reload", "status". Action "start" reconfigures interfaces, then flushes current iptables tables and chains and loads the new iptables configuration. Action "stop" flushes all tables and chains and sets the default policy in all chains to "DROP" to shut down the firewall to all kinds of traffic. It can also optionally install iptables rules to permit ssh access to the firewall from the management workstation. Action "status" returns a return code per the LSB specification. Code 0 means the firewall is loaded and running (but it does not check that the rules it is running with are those defined in fwbuilder). Return code 3 means iptables modules are not loaded or there are no tables; this means the firewall is not running or not configured. The script also supports additional actions "interfaces" and "test_interfaces". Action "interfaces" only runs the commands that manage IP addresses of interfaces and configure VLAN, bridge and bonding interfaces. Action "test_interfaces" runs the same commands in test mode, in which it prints the commands that would be executed but does not actually execute them.

  • Added support for negation in "-m limit --limit rate" and "-m connlimit --connlimit-above" clauses for iptables.

  • Option "--random" is now supported in all NAT rules (targets SNAT, DNAT, MASQUERADE)

  • Option "--persistent" is now supported in all NAT rules (targets SNAT, DNAT) if version is set to 1.4.3 or later in the firewall object.

  • Algorithm that finds policy rules that shadow each other can now recognize rules configured to use iptables modules "limit", "connlimit" and "hashlimit" and detects shadowing taking into account rate, burst and other parameters for these modules.
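The items above on dynamic interface addresses, on the SNAT-instead-of-MASQUERADE option and on the LSB script structure fit together in one script skeleton. The following is an added example written for these notes, not the script Firewall Builder generates: the function names, the FWB_TEST and FWB_SAMPLE_IP_OUTPUT variables and the constructed sample "ip -o addr" output are this example's own assumptions. It reads all IPv4 and IPv6 addresses of an interface in a "for" loop, emits one SNAT rule per address (ip6tables for the IPv6 ones), implements "stop" as flush plus DROP policies with the optional management-ssh exception, and returns the LSB status codes 0 and 3.

```shell
#!/bin/sh
# Added example (not fwbuilder's generated script): LSB-style firewall script
# skeleton with a dynamic-interface address loop and SNAT per address.

# Run a command, or only print it when FWB_TEST=1 (the same idea as the
# "test_interfaces" action: show what would run without executing it).
run() {
    if [ "${FWB_TEST:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Print all global-scope IPv4 and IPv6 addresses of interface $1, one per line.
# Parses "ip -o addr show" output (fields: idx, dev, family, addr/prefix, ...);
# FWB_SAMPLE_IP_OUTPUT, when set, is constructed sample output for offline use.
iface_addrs() {
    if [ -n "${FWB_SAMPLE_IP_OUTPUT:-}" ]; then
        printf '%s\n' "$FWB_SAMPLE_IP_OUTPUT"
    else
        ip -o addr show dev "$1" scope global
    fi | awk '$3 == "inet" || $3 == "inet6" { split($4, a, "/"); print a[1] }'
}

# SNAT rules for dynamic interface $1: the addresses are read at run time and
# one rule is emitted per address, which is what the SNAT option replaces the
# single MASQUERADE rule with. IPv6 addresses (containing ":") go to ip6tables.
snat_rules() {
    iface="$1"
    for addr in $(iface_addrs "$iface"); do
        case "$addr" in
            *:*) run ip6tables -t nat -A POSTROUTING -o "$iface" -j SNAT --to-source "$addr" ;;
            *)   run iptables -t nat -A POSTROUTING -o "$iface" -j SNAT --to-source "$addr" ;;
        esac
    done
}

# "stop": flush every table and chain and set DROP policies in the filter
# chains so no traffic passes. If a management address $1 is given, keep ssh
# to the firewall reachable from it (the optional rules the text mentions).
fw_stop() {
    for t in filter nat mangle; do
        run iptables -t "$t" -F
        run iptables -t "$t" -X
    done
    for c in INPUT OUTPUT FORWARD; do run iptables -P "$c" DROP; done
    if [ -n "${1:-}" ]; then
        run iptables -A INPUT -p tcp -s "$1" --dport 22 -j ACCEPT
        run iptables -A OUTPUT -p tcp -d "$1" --sport 22 -j ACCEPT
    fi
}

# "status" per LSB: return 0 when rules are loaded, 3 when the firewall is not
# running (no rules, no tables or modules). $1 is the number of rules present;
# the dispatcher below obtains it from "iptables -S".
fw_status() {
    if [ "${1:-0}" -gt 0 ]; then return 0; else return 3; fi
}

# Action dispatch; only runs when the script is invoked with an argument.
if [ $# -gt 0 ]; then
    case "$1" in
        start)  snat_rules "${2:-eth0}" ;;
        stop)   fw_stop "${2:-}" ;;
        status) fw_status "$(iptables -S 2>/dev/null | grep -c .)"; exit $? ;;
        *) echo "Usage: $0 {start|stop|status} [iface|mgmt-addr]"; exit 2 ;;
    esac
fi
```

Invoke it as "FWB_TEST=1 ./fw.sh start eth0" to see the generated SNAT rules without touching the kernel, "./fw.sh stop 203.0.113.5" to drop everything except ssh from the management host, and "./fw.sh status; echo $?" to get the LSB code. Without FWB_TEST the commands are executed as written.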

Support for IPCOP

Firewall Builder v4.0 comes with experimental integration with IPCOP firewalls. To turn it on, choose platform "iptables" and host OS "IPCOP firewall appliance". The generated script is supposed to be installed on the firewall as /etc/rc.d/rc.firewall.local and restarted by the command "/etc/rc.d/rc.firewall restart". The built-in policy installer in the Firewall Builder GUI installs it using this name and runs the restart command to activate it. Firewall Builder does not manage interfaces of the IPCOP firewall, to avoid conflicts with IPCOP itself; use fwbuilder only to generate iptables rules. The program comes with some template objects for IPCOP firewalls; you can use them when you create a new Firewall object if you choose to create it from a template.

Support for OpenWRT

Another new host OS supported in Firewall Builder v4.0 is OpenWRT. To use fwbuilder with OpenWRT you need to install the following packages on the firewall using command "ipkg install package.ipk":

  • ip
  • ip6tables (if you need IPv6)
  • iptables-mod-extra
  • iptables-utils
  • kmod-ipt-extra
Firewall Builder uses the name "fwbuilder.fw" for the generated script for OpenWRT and places it in directory "/etc/init.d/" on the firewall. To make the firewall run it during the boot sequence, install the script using the built-in policy installer or copy it to this directory manually, then run the command
    /etc/init.d/fwbuilder.fw enable

and disable the standard firewall script:
    /etc/init.d/firewall disable

To activate the firewall and load the policy generated by fwbuilder, use the command
    /etc/init.d/fwbuilder.fw start

To stop the firewall and block all traffic, use the command
    /etc/init.d/fwbuilder.fw stop

An option in the "Compiler" tab of the firewall object in the fwbuilder GUI allows you to make the firewall block all traffic when stopped but still permit ssh connections from the preconfigured address of the management machine.

This method works both on stable Kamikaze (v7.06) and the latest OpenWRT (v8.09 at the time of Firewall Builder v4.0 release).

In test mode fwbuilder copies generated firewall script to directory /tmp on the firewall.

Support for DD-WRT

This version of Firewall Builder introduces direct support for DD-WRT. There are two options: you can use nvram to install generated firewall policy or you can use jffs (journaling flash file system) on the device and store generated script there. Two host OS settings are provided: "DD-WRT (nvram)" and "DD-WRT (jffs)".

DD-WRT (nvram)

In this mode the generated script is somewhat shorter and does not support the command line arguments "start", "stop", "status". The script does not try to load iptables modules on the firewall but configures interface addresses, VLANs, bridge ports and bonding interfaces. The built-in policy installer saves the script in nvram variable "fwb" and configures nvram variable "rc_firewall" to run this script.

DD-WRT (jffs)

First of all, you need to activate JFFS/JFFS2 (Journaling Flash File System) on the firewall. Instructions are provided in the DD-WRT wiki. Once jffs is mounted read-write, you also need to create directory "/jffs/firewall", where fwbuilder will store the generated script. This is explained in an article in the DD-WRT wiki.

When a firewall is configured with host OS "dd-wrt (jffs)", the built-in policy installer copies the generated script to the file "/jffs/firewall/firewall.fs" on the firewall and configures nvram variable "rc_firewall" to call this script.

Note: recent builds of DD-WRT (tested with v24 and v24SP1) seem to disable JFFS for some reason. If you plan to use the jffs method of installing the firewall script, check whether the version you run supports it.

Changes in support for PF

  • Added support for branching rules in NAT. Compiler generates keyword "anchor" if PF version is 4.3 or later and "nat-anchor" and "rdr-anchor" for earlier versions.

  • Optimization: rules that have several interface objects (or a group) in the "Interface" column are compiled using "{ }" grouping to produce only one configuration line for such a rule instead of several.

  • Compiler for PF generates "allow-opts" keyword when IPService object used in the rule has IP options. This includes new option "router-alert".

  • Added support for pf state tracking options "no-sync" and "pflow". Set version to "4.5" or "4.6" in the firewall object to be able to use these new options.

  • Implemented support for incremental management of IP addresses of interfaces and VLAN pseudo-interfaces for OpenBSD and FreeBSD. The script analyzes existing vlan interfaces and compares them with vlan interfaces defined in the Firewall Builder GUI and then adds new ones and removes those that do not exist in fwbuilder.

  • OpenBSD 4.7 changed the syntax of "nat" and "rdr" PF rules. These keywords are gone; the corresponding translations are done using "nat-to" and "rdr-to" options in "pass" or "match" rules. Fwbuilder 4.0 adds support for this. The list of recognized versions for PF has been extended with "4.7"; choosing this version number makes the policy compiler generate nat and rdr rules using the new syntax. Since the "no" keyword has been removed as well, fwbuilder can no longer generate "no nat" rules for 4.7. The policy compiler treats this as a fatal error; the administrator should use negation to implement exceptions in NAT rule sets.
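As an added example (written for these notes, not fwbuilder's PF compiler), the shell functions below emit the two generations of PF syntax described in the items above on NAT branching and on the OpenBSD 4.7 change, selected by the version number configured in the firewall object: "nat-anchor"/"rdr-anchor" before 4.3 and a single "anchor" from 4.3; "nat"/"rdr" rules before 4.7 and "match ... nat-to"/"rdr-to" from 4.7; and the "no nat" exception, which from 4.7 has to be expressed as a negated address inside the rule. The function names, the interface em0 and the sample networks are constructed for this example.

```shell
#!/bin/sh
# Added example, not fwbuilder's code: version-dependent PF NAT syntax.

# Exit 0 when version $1 >= version $2 (major.minor, numeric compare per part,
# so 4.10 >= 4.7). Used like the PF version field in the firewall object.
pf_version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "[.]"); split(b, y, "[.]")
        ge = (x[1] + 0 > y[1] + 0) || (x[1] + 0 == y[1] + 0 && x[2] + 0 >= y[2] + 0)
        exit !ge
    }'
}

# Source NAT of $3 out of $2: "nat" rule before 4.7, "match ... nat-to" from 4.7.
pf_nat_rule() {
    ver="$1"; ext_if="$2"; src="$3"
    if pf_version_ge "$ver" 4.7; then
        echo "match out on $ext_if from $src to any nat-to ($ext_if)"
    else
        echo "nat on $ext_if from $src to any -> ($ext_if)"
    fi
}

# Port forward of TCP port $3 arriving on $2 to host $4.
pf_rdr_rule() {
    ver="$1"; ext_if="$2"; port="$3"; target="$4"
    if pf_version_ge "$ver" 4.7; then
        echo "match in on $ext_if proto tcp to port $port rdr-to $target"
    else
        echo "rdr on $ext_if proto tcp to port $port -> $target"
    fi
}

# Branch to NAT anchor $2 (e.g. the "member_override" rule set): one "anchor"
# line from 4.3, separate nat-anchor/rdr-anchor lines for earlier versions.
pf_nat_branch() {
    ver="$1"; name="$2"
    if pf_version_ge "$ver" 4.3; then
        echo "anchor \"$name\""
    else
        echo "nat-anchor \"$name\""
        echo "rdr-anchor \"$name\""
    fi
}

# NAT everything from $3 except traffic to $4. Before 4.7 this is a "no nat"
# rule placed before the nat rule; from 4.7 "no" is gone and the exception is
# written as a negated destination inside the single match rule.
pf_nat_exception() {
    ver="$1"; ext_if="$2"; src="$3"; excluded="$4"
    if pf_version_ge "$ver" 4.7; then
        echo "match out on $ext_if from $src to ! $excluded nat-to ($ext_if)"
    else
        echo "no nat on $ext_if from $src to $excluded"
        echo "nat on $ext_if from $src to any -> ($ext_if)"
    fi
}

# Stand-alone usage: "./pfnat.sh 4.7" prints a small NAT section for that version.
if [ $# -gt 0 ]; then
    pf_nat_branch "$1" member_override
    pf_nat_exception "$1" em0 192.168.1.0/24 10.0.0.0/8
    pf_rdr_rule "$1" em0 80 192.168.1.10
fi
```

Comparing "./pfnat.sh 4.6" with "./pfnat.sh 4.7" shows exactly the rewrite the release note describes, including why a rule set containing "no nat" cannot be compiled unchanged for 4.7.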

Changes in support for Cisco IOS ACL

  • The built-in installer can use the scp command to copy the IOS configuration to the router over ssh and then the command "copy file running-config" to activate it. This method is much faster than entering the configuration line by line. The router should be configured with ssh v2 and an scp server. This method can be combined with rollback (by reload or EEM). To use this method, turn on the checkbox in the "Installer" tab of the "advanced settings" dialog of the router object. Since this option is configured separately for each firewall object, you can have a mix of installation methods if some routers do not support scp.

  • For instructions on how to configure scp, see Secure Copy. You need to do the following:

    • Create RSA keys
    • enable ssh v2 using command "ip ssh version 2"
    • enable scp server using command "ip scp server enable".
    • User account used to copy the policy should have privilege 15: "username vadim privilege 15 password 7 XXXXXXXXXXX".

  • To troubleshoot when scp is not working:

    • Test using command line scp tool rather than fwbuilder installer. Use "scp" on Linux and Mac OS X and "pscp.exe" on Windows like this: "scp file.fw router:nvram:file.fw"
    • check that ssh and scp are enabled on the router (see commands above)
    • check that user account has privilege 15
    • Use command "debug ip ssh" on the router to turn debugging on. Diagnostic messages that it prints to the console and to log may help you identify the problem

  • Note that installer does not use command "config replace" because configuration created by fwbuilder is incomplete and should be merged with running config rather than replace it.

  • The built-in policy installer uses EEM (Embedded Event Manager) on IOS 12.4 or later to schedule automatic configuration rollback instead of reloading the router. EEM appeared in IOS 12.4 and supports background operations that can be triggered by events on the router or by timers. In this new feature, fwbuilder creates an EEM applet with a countdown timer that executes the command "config replace nvram:startup-config force" when the timer expires. The user has the following options:

    • Schedule automatic rollback in a few minutes and install the updated ACL configuration. This can be used to test a new policy and revert to the original one after a short period of time. This also helps to avoid a situation where the updated policy blocks access to the router because of an error; rolling back to the ACL configuration that was running before the update restores access automatically.
    • Schedule rollback in a few minutes, install the updated ACL, but cancel the rollback if installation of the new configuration was successful. This is mostly intended to prevent blocking access to the router in case of an error in the new ACL configuration. If fwbuilder was able to enter all lines of the new configuration all the way to the end, this means the new configuration does not block access, and the installer executes the command "no event manager applet fwbuilder-rollback" to cancel the scheduled rollback.

    Since IOS before 12.4 does not have EEM, automatic rollback on these older versions is implemented by scheduling a router reload with the command "reload in ". This hasn't changed since Firewall Builder v3.0.

  • Added support for the "dry run" installer option for Cisco routers. When this option is on, installer logs into the router and switches to the enable mode, but does not execute any actual commands. If scp is used to copy configuration to the router, installer will copy the file but will not activate it. This tests ssh session in general, login password, enable password and scp but does not make any changes to the router configuration.

  • Added support for the object-group statement in generated IOS configuration. This helps reduce the size of the generated access lists when the router should match long lists of IP addresses or ports. Both "network" and "service" object-groups are supported. This feature is controlled by a checkbox in the "Advanced" settings dialog of the firewall object; it requires IOS v12.4(20)T or later and is off by default. Check whether your version of IOS supports the "object-group" command before using it!

  • Policy rule option "Add mirrored rule" (controlled by a checkbox in the rule options dialog) makes policy compiler for IOS ACL automatically create a rule with mirrored source and destination addresses and service fields. This can be used to match "reply" packets using address and service parameters matched by this rule. The action of the mirrored rule is the same as that of this one. Firewall Builder recognizes the following services and creates "mirrored" versions as follows:

    • UDP service: mirrored service has source and destination port ranges reversed
    • TCP service: mirrored service has source and destination port ranges reversed and "established" flag inverted. If TCP service used in this rule does not have "established" flag, the mirrored service gets it, and the other way around. This is designed to simplify creating ACL rules to permit "reply" TCP packets
    • ICMP service: ICMP echo request is recognized, mirrored service becomes ICMP echo reply. Other ICMP types are simply copied to the mirrored service
    • ICMPv6 service: like with ICMP, ICMP echo request is recognized and other ICMPv6 types are just copied
    • IP service: mirrored service is a copy

Changes in support for Cisco ASA (PIX)

  • The built-in installer can use the scp command to copy the generated configuration to the firewall and then the command "copy file running-config" to activate it. This method is much faster than entering the configuration line by line. The firewall should be configured with ssh v2 and an scp server. This method can be combined with rollback. To use this method, turn on the checkbox in the "Installer" tab of the "advanced settings" dialog of the PIX firewall. Since this option is configured separately for each firewall object, you can have a mix of installation methods if some firewalls do not support scp.

    To configure scp on the PIX firewall you need to do the following:

    • Create RSA keys
    • enable ssh v2 using command "ssh version 2" in configuration mode
    • enable scp using command "ssh scopy enable" in configuration mode
    • make sure user account used to copy configuration has "privilege 15": "username fwbadmin password XXXXXXX privilege 15"

    To troubleshoot when scp is not working:

    • Test using command line scp tool rather than fwbuilder installer. Use "scp" on Linux and Mac OS X and "pscp.exe" on Windows like this: "scp file.fw firewall:flash:file.fw"
    • check that ssh and scopy are enabled on the firewall
    • check that user account has privilege 15
    • Use command "debug ssh 10" on PIX to turn debugging on. Diagnostic messages that it prints to the console and to log may help you identify the problem

    Note that when fwbuilder uses the command "copy file.fw running-config" to activate the uploaded policy, the firewall does not print it. If there are errors, they are printed, but the lines they refer to are not. Some configuration lines trigger errors because they try to configure things that are already configured, such as some parameters of interfaces, global pools etc.

    Generated PIX configuration will include commands that enable ssh v2 and enable scopy if this option is turned on to make sure they stay enabled after configuration is reloaded from the file.

  • When certain PIX configuration commands are executed again during a configuration update, PIX reports this as an error. Commands that fall into this category are "inspect", "service-policy" and some "failover" commands, to name a few. To avoid this kind of error while updating PIX with the built-in installer, and to avoid entering commands for parts of the configuration that do not change often, you can use the checkbox "Generate only access-list, access-group... commands" in the "Script" tab of the PIX firewall "advanced" options dialog. If this checkbox is on, the generated configuration file will only include "access-list", "access-group", "telnet", "ssh", "nat", "global" and "static" commands.

Changes in the command line tool fwbedit

User can now merge objects from two data files together using command line tool fwbedit just like the "Import library" function in the GUI.

 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.