Firewall Builder 5.1.0 Release Notes

SourceForge: Tickets

Summary

Starting with 5.1.0, packages for Windows and Mac OS X are released under the terms of GPL. The source code tree includes all files necessary to build on Linux, *BSD, Windows and Mac OS X.

---

GUI Updates

• fixes #2685 "Clicking "Manage Members" in a vlan subinterface of a cluster causes crash".

Changes in support for iptables

• fixed SF bug #3468358 "change in rule-compilation between 5.0.0 and 5.0.1". Rule with cluster interface in "Destination" should compile into matching ip addresses assigned to the cluster interface object and corresponding member firewall's interface object, but in v5.0.1 it only matched member interface address. This bug triggered when iptables version was set to 1.2.11 or greater. This was a regression from v5.0.0

• fixes #2686 "automatic rules for heartbeat are not generated for vlan subinterfaces"

• fixes #2684 "fix address deletion in configlet update_addresses". This only applies to Linux firewalls and configurations where an interface has two or more ip addresses. If user deleted one of the addresses that happens to be the "primary" address of the interface in the GUI, generated script deleted both addresses on the firewall machine instead of just one and left interface with no addresses at all. The fix is to use /proc variable /proc/sys/net/ipv4/conf/all/promote_secondaries that makes the kernel "promote" secondary address to a "primary" status when primary address is deleted. Default behavior in Linux kernel is to delete all addresses when primary address is deleted.

• using mktemp to create temporary directory in the generated script. If mktemp is not available, fall back onto less secure but guaranteed to work method where I generate randomized the name of the temporary directory using process ID.

• fixes SF bug 3489096 "dd-wrt-jffs: all routes are deleted if there is an error". The problem affects all supported Linux-like systems. Shell code that restores old static routing table entries in case of an error with commands adding new routing entries was broken and left the machine with no routes at all.

Other changes

• fix for SF bug #3468802. Need to define macro __STDC_FORMAT_MACROS. This still needs to be tested on all build machines.

• running autoconf, configure as part of windows build. Merged qmake .pro and .inc files for Windows, Mac and Linux builds. Moved files needed for Windows and Mac packaging to the "packaging" directory.

Firewall Builder 5.0.1 Release Notes

SourceForge: Tickets

Summary

v 5.0.1 is a minor bug fix release.

---

GUI Updates

• moved "batch install" button from the main installer wizard to the dialog where user enters their password. Now user can start in a non-batch install mode but continue in batch install mode at any time if all their firewalls authenticate with the same user name and password.

• see #2628 fixed crash that happened if user create new firewall object from a template and changed one of the ip addresses, while another firewall object created from the same template already existed in the tree.

• see #2635 Object type AttachedNetworks is not allowed in the "interface" rule element.

• The drop-down list of interfaces for the "route-through" rule option for PF and iptables should include not only cluster interfaces, but also interfaces of all members. This way, we can make compiler generate configuration "pass in quick on em0 route-to { ( em0 10.1.1.2 ) } ... " for a rule of a PF cluster. Here "em0" is an interface of a member, not the cluster.

• fixes #2642 "GUI crashes if user cancels newFirewall dialog".

• fixes #2641 "newFirewall dialog does not accept ipv6 addresses with long prefixes". The dialog did not allow ipv6 addresses of inetrfaces with netmask > 64 bit.

• fixes #2643 "GUI crashes when user cuts a rule, then right-mouse click in any rule element of another"

• added check to make sure user does not enter netmask with zeroes in the middle for the IPv4 network object. Netmasks like that are not supported by fwbuilder.

• fixes #2648 "right mouse click on firewall object in "Deleted objects" library causes GUI crash"

• fixes SF bug 3388055 Adding a "DNS Name" with a trailing space causes failure.

• fixes SF bug 3302121 "cosmetic mis-format in fwb Linux paths dialog"

• fixes SF bug 3247094 "Nomenclature of IP address edit dialog". Network ipv6 dialog says "Prefix length".

• see #2654 fixes GUI crash that occured if user copied a rule from file A to file B, then closed file B, opened file C and tried to copy the same rule from A to C'

• see #2655 Interface names are not allowed to have dash "-" even with interface verification off. We should allow "-" in the interface name for Cisco IOS

• see #2657 snmp network discovery crashed if option "Confine scan to network" was used.

• fixes #2658 "snmp network discovery creates duplicate address and network objects"

• enable fwbuilder to take advantage of GSSAPIAuthentication with openssh using suggestion by Matthias Witte witte@netzquadrat.de

• fixed a bug (no number): if the file name user entered in "Output file name" field in the "advanced settings" dialog of a firewall object ended with a white space, policy installer failed with an error "No such file or directory"

• fixed SF bug #3433587 "Manual edit of new service Destination Port END value fails". This bug made it impossible to edit the value of the end of the port range because as soon as the value became less than the value of the beginning the range, the GUI would reset it to be equal to the value of the beginning of the range. This affected both TCP and UDP service object dialogs.

• fixes #2665 "Adding text to comment causes rule to go from 2 rows to 1 row". Under certain circumstances, editing rule comment caused the GUI to collapse corresponding row in the rule set view so that only the first object of each rule element that contained several objects was visible.

• fixes #2669 "Cant inspect custom Service object in Standard objects library".

Changes in policy importer for all supported platforms

Changes that affect import of PIX configurations

• changed token name from "ESP" to "ESP_WORD" to avoid conflict with macro "ESP" that happened during build on OpenSolaris

• see #2662 "Crash when compiling ASA rule with IP range". Need to split address range if it is used in "source" of a rule that controls telnet, ssh or http to the firewall itself and firewall's version is >= 8.3. Commands "ssh", "telnet" and "http" (those that control access on the corresponding protocols to the firewall itself) accept only ip address of a host or a network as their argument. They do not accept address range, named object or object group. This is so at least as of ASA 8.3. Since we expand address ranges only for versions < 8.3 and use named object for 8.3 and later, we need to make this additional check and still expand address ranges in rules that will later convert to "ssh", "telnet" or "http" command. Compiler still generates redundant object-group statement with CIDR blocks generated from the address range but does not use this group in the rule. This does not break generated configuration but the object-group is redundant since it is never used. This will be rectified in future versions.

• fixes #2668 Remove "static routes" from the explanation text in ASA/PIX import dialog. We can not import PIX/ASA routing configuration at this time.

• fixes #2677 Policy importer for PIX/ASA could not parse command "nat (inside) 1 0 0"

• fixes #2679 Policy importer for PIX/ASA could not import "nat exemption" rule (for example: "nat (inside) 0 access-list EXEMPT")

• fixes #2678 Policy importer for PIX/ASA could not parse nat command with parameter "outside"

Changes and improvements in the API library libfwbuilder

• function InetAddr::isValidV4Netmask() checks that netmask represented by the object consists of a sequence of "1" bits, followed by the sequence of "0" bits and therefore does not have zeroes in the middle.

• fixed bug #2670. Per RFC3021 network with netmask /31 has no network and direct broadcast addresses. When interface of the firewall is configured with netmask /31, policy compilers should not treat the second address of this "subnet" as a broadcast.

Changes in support for iptables

• see #2639 "support for vlan subinterfaces of bridge interfaces (e.g. br0.5)". Currently fwbuilder can not generate script to configure vlan subinterfaces of bridge interfaces, however if user did not request this configuration script to be generated, compiler should not abort when it encounters this combination.

• fixes #2650 "rules with address range that includes firewall address in Src are placed in OUTPUT chain even though addresses that do not match the firewall should go in FORWARD"

• fixes SF bug #3414382 "Segfault in fwb_ipt dealing with empty groups". Compiler for iptables used to crash when an empty group was used in the "Interface" column of a policy rule.

• see SF bug #3416900 "Replace `command` with `which`". Generated script (Linux/iptables) used to use "command -v" to check if command line tools it needs are present on the system. This was used to find iptables, lsmod, modprobe, ifconfig, vconfig, logger and others. Some embedded Linux distributions, notably TomatoUSB, come without support for "command". Switching to "which" that is more ubuquitous and should be available pretty much everywhere.

• fixed #2663 "Rule with "old-broadcast" object results in invalid iptables INPUT chain". Compiler was choosing chain INPUT with direction "outbound" for rules that had old broadcast address in "Source", this lead to invalid iptables configuration with chain INPUT and "-o eth0" interface match clause.

• fixed bug in the rule processor that replaces AddressRange object that represents single address with an IPv4 object. Also eliminated code redundancy.

• fixes #2664 Update error message when "which" command fails. Generated iptables script uses "which" to check if all utilities it uses exist on the machine. We should also check if "which" itself exists and issue meaningful error message if not.

• SF bug #3439613. physdev module does not allow --physdev-out for non-bridged traffic anymore. We should add --physdev-is-bridged to make sure this matches only bridged packets. Also adding "-i" / "-o" clause to match parent bridge interface. This allows us to correctly match which bridge the packet comes through in configurations using wildcard bridge port interfaces. For example, when br0 and br1 have "vnet+" bridge port interface, iptables can still correctly match which bridge the packet went through using "-o br0" or "-o br1" clause. This can be useful in installations with many bridged interfaces that get created and destroyed dynamically, e.g. with virtual machines. Note that the "-i br0" / "-o br0" clause is only added when there is more than one bridge interface and bridge port name ends with a wild card symbol "+"

• fixed SF bug #3443609 Return of ID: 3059893": iptables "--set" option deprecated". Need to use --match-set instead of --set if iptables version is >= 1.4.4. The fix done for #3059893 was only in the policy compiler but needs to be done in both policy and nat compilers.

Changes in support for PF (FreeBSD, OpenBSD)

• see #2636 "carp : Incorrect output in rc.conf.local format". Should use create_args_carp0 instead of ifconfig_carp0 to set up CARP interface vhid, pass and adskew parameters.

• see #2638 "When CARP password is empty the advskew value is not read". Should skip "pass " parameter of the ifconfig command that creates carp interface if user did not set up any password.

• fixed SF bug #3429377 "PF: IPv6 rules are not added in IPv4/IPv6 ruleset (anchor)". Compiler for PF did not inlcude rules generated for IPv6 in generated PF anchor configuration files.

• fixed SF bug 3428992: "PF: rules order problem with IPv4 and IPv6". Compiler for PF should group ipv4 and ipv6 NAT rules together, before it generates ipv4 and ipv6 policy rules.

• Several fixes in the algorithms used to process rules when option "preserve group and addresses table object names" is in effect

• fixes #2674 NAT compiler for PF crashed when AttachedNetworks object was used in Translated Source of a NAT rule.

Changes in support for Cisco IOS ACL

• fixes #2660 "compiler for IOSACL crashed when address range appears in a rule AND object-group option is turned ON"

• fixed SF bug 3435004: "Empty lines in comment result in "Incomplete Command" in IOS".

Changes in support for ipfw

• fixed SF bug #3426843 "ipfw doesn't work for self-reference, in 5.0.0.3568 version".

Changes in support for Cisco ASA (PIX, FWSM)

• see #2656 "Generated Cisco ASA access-list has duplicate entry". Under certain circumstances policy compiler fwb_pix generated duplicate access-list lines.

Other changes

• see #2646 and SF bug 3395658: Added few ipv4 and ipv6 network objects to the Standard objects library: TEST-NET-2, TEST-NET-3 (RFC 5735, RFC 5737), translated-ipv4, mapped-ipv4, Teredo, unique-local and few others.

Firewall Builder 5.0 Release Notes

SourceForge: Tickets

Summary

In addition to bug fixes and minor enhancements, v 5.0 includes the following new features:

• User defined system folders
• Keywords for tagging objects
• Dynamic Group Objects with Smart Filters
• Multiple operations per filter Rule
• New Attached Networks Object
• Improved GUI layout and behavior
• Import of PF configurations

User Defined System Folders

Users can now create their own subfolders in the object tree. To add a subfolder right-click on a system folder, for example Firewalls, and select "New Subfolder". You can move objects into the subfolder by dragging-and-dropping them from the parent folder in the object tree to the subfolder. You can only delete empty subfolders, so if you want to delete a subfolder first move all the objects in that subfolder to the parent folder and then you can delete the subfolder.

Keywords for Tagging Objects

This feature gives users the ability to apply keywords to objects and then use the filter box to search for objects that match a keyword.

Dynamic Groups with Smart Filters

A new type of group, called a Dynamic Group, has been added to the Group object in the object tree. Right-click the Group object and select "New Dynamic Group" to create a new group. You can use both Keywords and Object Type to create filters of objects that should be included in the Dynamic Group. There is a preview window that displays all the objects that match the filter.

You can use Dynamic groups in rules just like you would use a regular Group object. When Firewall Builder compiles a rule that includes a Dynamic Group it will expand the group into all its member objects.

Multiple Operations per Filter Rule

The actions for Tag, Classify and Route have been moved to the rule Options. This allows a user to define a primary action, like Accept, and then define additional actions that should be taken on traffic that matches the rule.

This is only supported for iptables and PF platforms. For PF setting multiple actions will result in a single rule with multiple actions defined. For iptables this will result in multiple rules ordered so that all actions are performed correctly.

New Attached Networks Object

There is a new child object for interfaces that represents all the networks that are "attached" to the interface. This means that for each IP address that is configured on an interface the associated network for that IP address will be included in the Attached Networks object.

Improved GUI layout and behavior

There are a number of changes that have been made to make the mouse click behavior more consistent and the layout of the GUI has been updated to make things simplier.

Import of PF configurations

Firewall Builder can now import PF configurations in pf.conf format. To import a pf.conf configuration go to File -> Import Firewall and follow the prompts.

---

GUI Updates

• "Crash when selecting New Firewall and existing firewall has interface that is locked". Fixed GUI crash that happened on some operations if an object in the tree was locked. For example, if the user locked an interface of one of the firewall objects that then proceeded to create new firewall object, the GUI would crash. The problem was not limited to locking specifically interface objects.

• part of the GUI usability improvements, its behavior when user double clicks on "any" in a rule has changed. Now the program opens object "any" in the editor and shows prompt text that explains its behavior. The editor stays read-only and should appear grayed-out if palette is set up for that.

• when user double clicks on a firewall object to open it in the editor, rule set view panel switches to the rule set of that firewall. To decide which rule set to show, the program scans history of the objects the user opened before in the same GUI session and shows that firewall's rule set they opened last. If user never opened any rule sets of this firewall, then the first Policy object is shown.

• fixed several GUI crashes that happened when user performed various operations on the object tree that contained locked objects.

• implementation of keywords associated with objects in the GUI; ability to filter by keywords, dialog layout changes to add GUI controls for keywords.

• Removed obsolete localization files (Russian and Japanese). These were incomplete and have never been updated for v4.

• Removed transfer agent code. This eliminates dependency on DBus framework.

• Added support for creating user-defined subfolders. The subfolders exist purely in the display and are not reflected in the FWObject tree, in order to keep changes in the back-end to a minimum. New attribute "subfolders" on a system folder tells the gui what additional child elements to display in the tree, and attribute "folder" on any FWObject tells gui which child tree element to put it in.

• Added feature : directory location caching. Use FWBSettings::{get|set}OpenFileDir() any time we use QFileDialog so that the directory you navigated to last time shows up in the next file dialog. This behavior is overridden by setting a working directory. If the directory no longer exists, gracefully fall back to something sensible.

• "Add context menu to move an interface to be a child of another interface". New context menu (submenu) allows user to move an interface in the tree to make it a subinterface of another interface.

• Implemented support for address table alternate paths. There's a "data directory" setting under user preferences. If the user selects an address table file using "choose file" and that file is "inside" the data directory, then the appropriate part of the path is replaced with %DATADIR% as a variable. If the address table is marked "run-time" then the path is taken from the firewall data directory option.

• Fixed bug: save the expanded/collapsed state of the tree when the user starts typing something into the quick filter. When the quick filter is cleared, re-expand any items that started off expanded (so we get the union of expanded items displayed by quick filter plus what the user started with expanded).

• "Attempting to copy-and-paste a tag service results in an error". Pasting of a TagService object to the "Tag Services" group did not work.

• "Enhance Find to include searching for IP addresses in ranges". Function "find" now finds ip addresses inside address ranges.

• "Expanded set of options the user can change to pre-set parameters in the new policy rules they create". Now user can set default values for action ("Deny" or "Accept"), direction, the "stateless" flag and logging.

• fixes bug "If file doesn't exist when clicking 'edit file', then you have to hit save button twice". The bug affected "edit file" function in the Address Table object dialog.

• "Remove Back and Forward buttons". We have decided behavior of the GUI was too complicated since user can both act on objects directly and navigate backwards and forwards to the objects found in their browsing history. Navigation using browsing history was broken when quick filter was in use, too. All in all, it feels the value of "back" and "forward" buttons was relatively low.

Changes in policy importer for all supported platforms

Changes that affect import of PF configurations

• This version implements import of pf.conf configuration with the following limitations:

  • anchors are not imported. Anchor rules are imported but rules inside anchors are not.
  • only pf.conf configurations designed with the use of keyword "quick" can be imported.
  • Macros are expanded during import and are not recreated as objects. Tables are imported as run-time AddressTable obejcts configured with the file name, or object groups.
  • User has to specify host OS and PF version number during import process because interpretation of rules with default settings of some parameters is version-dependent.
  • Import of IPv6 addresses and ICMPv6 matches in pf.conf is not supported at this time.
  • Import of TCP flag matches for flags 'E' and 'W' is not supported.
  • Import of "include" clause is not supported
  • Import of "user" and "group" matches is not supported
  • as of v4.2 we can not generate optional parameters for the "source-hash" pooltype. "sticky-address" is not supported either. This options are not imported.
  • Interface group names are not recognized
  • commands "set ruleset-optimization", "set loginterface", "set block-policy", "set state-defaults", "set require-order", "set fingerprints", "set reassemble", "set hostid" are not supported.

Fixes and improvements in import of iptables configurations

• Implemented import of iptables rules with target CLASSIFY.

Changes and improvements in the API library libfwbuilder

• New object type "Attached Networks": network object that automatically matches subnets an interface is attached to. The object can be a child of an interface. The object is optional and is not created automatically for all interfaces; user can add it using context menu associated with an interface. Dialog for this object allows editing of the name and comment. List of network addresses represented by this object is always generated automatically. Compiler for PF translates this object to "en0:network" construct that is supported by PF. Compiler for iptables expands it to the list of ipv4 and ipv6 networks defined by the addresses of the parent interface if interface has static addresses. If interface is confgiured as "dynamic" and has no address in fwbuilder, then compiler treats AttachedNetworks object as run-time and uses shell function to determine network addresses during activation of the firewall script. Compilers for other firewall platforms always treat this object as compile-time and abort if it is used with dynamic interface.

• New object type "Dynamic Group". Dynamic group automatically expands to a set of objects using matching rules that at this time can match object types and keywords.

• Updated error message that appears when user tries to open .fwb file created by the future version of fwbuilder.

common changes that affect policy compilers for all platforms

• fixed bug "Compile fails if firewall has locked interface that is set to dynamic".

Changes in support for iptables

• 'Mixing Actions "Accept" and "Classify" results in incorrect rules', and 'Mixing Actions "Accept" and "Tag" results in incorrect ruleset'. After we made Tag, Classify and Route rule options instead of actions, rules that mix these options with actions "Accept" and others, except for "Continue", should be treated differently. The action are now implemented using iptables rules in the table "filter" and additional rules in table "mangle" is used to implement only tagging, classification or routing. Generated script does not change default action in table "mangle" and assumes it is "ACCEPT" so adding rules with target ACCEPT in mangle table should not be necessary. Another change because of this affects branching rules that use option "create branch in mangle table in addition to the filter table". These rules used to duplicate the same action and logging rules in mangle. Now they dont do this and only create rules in mangle if branch rule set performs tagging, classification or routing.

• "Deprecating Route option for iptables". This target is not included in any of the popular Linux distributions (checked in Ubuntu, Fedora and CentOS). The GUI dialog and all support in the compiler will be removed in future version of fwbuilder. Beginning with 4.3.0, compiler aborts with an error when it encounters a rule using this option. In older versions of fwbuilder (4.2.x and before) this option was presented as an action "Route".

• "Tag action should be done in PREROUTING so it can be acted on later". If a rule has both tagging and classification options, the rule should be split so that iptables command doing tagging goes in PREROUTING and rule doing classification goes into POSTROUTING chain.

• "Tag and classify actions dont work properly with branches". When branching rule points to a rule set that has rules with Tag and Classify options, branching should occur in mangle table even when checkbox "create branch in mangle table" is not checked. The fix in this change is tentative as it creates branch in chains PREROUTING, POSTROUTING and OUTPUT. Since target CLASSIFY is only allowed in POSTROUTING, this may create conflict. Need to test more.

• Added support for single object negation in "Inbound Interface" and "Outbound Interface" columns in compiler for iptables.

• fixed SF bug 3371301 "Error compiling with VLAN and masquerade". Iptables NAT rules with vlan interface configured as "dynamic" and no ip address in Translated Source caused compiler crash.

Changes in support for PF (FreeBSD, OpenBSD)

• "PF compiler should use 'self' keyword where appropriate". Compiler for PF now uses keyword 'self' in rules where firewall object is used in Source or Destination.

• Added support for single object negation in "Interface" rule element of PF NAT rules. Now compiler can produce PF commands such as "nat on ! em0 ... " (for PF <4.7) or "match on ! em0 ..." (for PF >= 4.7)

• NAT Compiler for PF should use "(interface)" syntax to the right of "->" in NAT rules. This now works for all interfaces, including those that have ip addresses in fwbuilder configuration, when interface object appears in "Translated Source" in a nat rule. When firewall object appears in "Translated Source", it gets replaced with a set of its interfaces which also get translated into "-> (interface)".

• fixed bug "PF compiler crashes when ipv4+ipv6 NAT rule uses only ipv4 address". This has been reported as SF bug 3305234.

• 'avoid " {tcp udp icmp} " in place of protocol'. NAT compiler for PF does not need to generate protocol match "proto {tcp udp icmp}" when service object used in the NAT rule is "any". The reason this was done this way is lost in the mist of time; it's been like this since very early versions of fwbuilder.

• "Update generated route-to configuration for PF versions 4.7 and later", SF bug 3348931. The "route-to" parameter moved to the end of pass rules in PF 4.7

• "Crash when compiling a route with table object". Compiler for PF crashed when run-time AddressTable object was used in RDst of a routing rule.

• "Group and Address Table name persistence in generated config". Compiler for PF can now preserve names of object groups, dynamic groups, compile-time AddressTable and compile-time DNSName objects in the generated pf.conf file. This is optional and is controlled by a checkbox in the firewall settings dialog.

• fixes bug "Run-time dns name or address table in routing policy -> crash". Compiler for PF crashed if user placed run-time DNSName object in "destination" of a routing rule.

• fixes bug "PF: NAT compiler fails when run-time address table object is used in a rule"

Other changes

• applied patch to provide configure command line option to specify path to ccache. Thanks to user "a. k. huettel " on SourceForge.

• applied two patches by Vadim Zhukov persgray@gmail.com to replace calls to sprintf with safer calls to snprintf and fix some compiler warnings.