
Firewall Builder Release Notes


Version 3.0.7


Released 09/18/2009
GUI and compilers v3.0.7 require API library libfwbuilder version 3.0.7

Summary

Most notable changes in this release:

  • Fixed security issue with temporary file handling in the generated iptables script. The problem only affects Linux systems where Firewall Builder is used to generate static routing configuration. The problem exists in Firewall Builder versions 3.0.4, 3.0.5, 3.0.6
  • Improved performance of the batch compile operation

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on the web site.

Improvements and bug fixes in the GUI

  • bug #2847263 "Batch compiling incrementally slow". The time it took to add a log line to the progress window in the "Compile" dialog grew considerably as the amount of text in the QTextEditor increased.
  • bug #2845667 "Crash after find object". When a host object was found using the "Find object" function while searching by IP address, clicking on the selected host in the tree caused a crash.
  • bug #2844596: "Crash during newFirewallDialog". GUI crashed if user clicked "next" in the new firewall dialog to open page with templates, then clicked "Back" and then "Next" again.

Improvements and bug fixes in the policy compiler for iptables

  • Fixed security issue with temporary file handling in the generated iptables script. The problem only affects Linux systems where Firewall Builder is used to generate static routing configuration. The problem exists in Firewall Builder versions 3.0.4, 3.0.5, 3.0.6

Improvements and bug fixes in the policy compiler for PF

  • applied patch per #2844561: "PF Compiler Direction Both Duplicate for Route Action". Need to split the rule if direction is Both and action is Route.
  • bug #2710034 "PF Compiler in 3.0.3 Unprotected Interface Bug". When we expand "interface" rule element which uses negation, skip unprotected interfaces.

Improvements and bug fixes in the policy compiler for Cisco IOS ACL

  • bug (no #): policy compiler for Cisco IOS ACL did not add icmp type to the generated ipv6 access-list statements for rules that matched ICMPv6 services.

Version 3.0.6


Released 08/18/2009
GUI and compilers v3.0.6 require API library libfwbuilder version 3.0.6

Summary

Most notable new features in this release:

  • Bug fixes in the GUI to improve stability and fix problems with policy printing
  • Additional optimizations in generated iptables script
  • Improvements in the policy compiler for PF to streamline generated configuration

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site.

Improvements and bug fixes in the GUI

  • bug #2807724: "Print out FWB still not ok". Rule groups were always printed expanded, even if they were collapsed by the user in the GUI.
  • bug #2823668: "MDI window glitch". If the GUI had two or more MDI windows and user moved rules in one of them, the GUI switched to another after the operation was complete.
  • bug #2835193: "Modulate state doesnt work for PF". The name of the XML attribute used to hold the value of the "modulate state" option was entered incorrectly in the dialog.

Improvements and bug fixes in the policy compiler for iptables

  • bug #2820840: "IPT: prolog script+iptables-restore silent incompatibility". With this fix the GUI does not allow for the prolog script to be placed after policy reset if iptables-restore is used to activate iptables rules. Also policy compiler for iptables checks for this condition and aborts with an error message if prolog place is set to "after reset" but iptables-restore is used to activate policy. Configuration may end up with this combination of options if user set prolog place to "after reset" first and switched activation method to iptables-restore later.
  • bug #2821050: "loading new fw rules on iptables 1.4.3.2+ gives warnings". Starting with v1.4.3.1, iptables gives warnings when negation ("!") is used after --option. This fix adds version "1.4.3" to the list of recognized iptables versions in fwbuilder and makes the compiler generate the extrapositioned form of the option, such as "! --option arg".
  • bug #2819901: "sub-optimal expansion of negated interface". Policy rules with a single interface object in the "interface" rule element with negation should generate iptables commands using "-i ! itf" or "-o ! itf" rather than multiplying the rule over all other interfaces of the firewall. Note that for iptables v1.4.3 and later, the extrapositioned syntax is used, such as "! -i itf".
  • bug #2822098: "IPT: adds useless "-i +" in some cases". Added optimization to remove redundant "-i +" and "-o +" if the chain is INPUT or OUTPUT.
  • bug #2823951: "unnecessary rules in FORWARD chain". Policy rules that have interface object in "Interface" column and direction "Both" generate unnecessary iptables commands in the FORWARD chain when destination matches one of the addresses that belong to the firewall.
  • Implemented a better way to do optimization for "-i +", "-o +" for bug #2822098: check for interfaceStr equal to "*" instead of re->isAny()
  • bug #2836321: "SNAT rule that changes Trans Src and Trans Port does not work". Dual translation rules that change source address and destination port are now supported.
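The version-dependent negation syntax from bugs #2821050 and #2819901 and the redundant "-i +"/"-o +" rule from bug #2822098, as an added POSIX shell example. This is not fwbuilder's compiler code; the function names, their argument order and the constructed sample rule are my own.

```shell
#!/bin/sh
# Added example, not fwbuilder's compiler code: choosing the negation syntax
# by iptables version and dropping the redundant "-i +"/"-o +" wildcard.
# The version string is the one configured for the firewall object and is
# passed as the first argument of each function.

# version_fields "X.Y.Z" -> "X Y Z"; missing fields become 0, extra ignored.
version_fields() {
    IFS=. read -r f1 f2 f3 _ <<EOF
$1
EOF
    printf '%s %s %s\n' "${f1:-0}" "${f2:-0}" "${f3:-0}"
}

# version_ge A B: succeeds if dotted version A >= B (three fields compared).
version_ge() {
    set -- $(version_fields "$1") $(version_fields "$2")
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]
    elif [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]
    else [ "$3" -ge "$6" ]
    fi
}

# negated_match VERSION OPTION ARG: one negated match in the form the given
# iptables accepts.  1.4.3 and later want "!" before the option ("! -i eth0")
# and warn about the old placement; older releases want it after the option
# ("-i ! eth0").
negated_match() {
    if version_ge "$1" 1.4.3; then
        printf '%s\n' "! $2 $3"
    else
        printf '%s\n' "$2 ! $3"
    fi
}

# interface_match VERSION CHAIN FLAG ITF [yes]: interface part of a rule.
# FLAG is -i or -o.  ITF "+" matches any interface and is omitted in the
# INPUT and OUTPUT chains where it adds nothing (bug #2822098).  A single
# negated interface becomes one negated match instead of one rule per
# remaining interface of the firewall (bug #2819901).
interface_match() {
    ver=$1 chain=$2 flag=$3 itf=$4 negated=${5:-no}
    if [ "$itf" = "+" ]; then
        case $chain in
            INPUT|OUTPUT) printf '\n' ;;
            *) printf '%s\n' "$flag +" ;;
        esac
    elif [ "$negated" = yes ]; then
        negated_match "$ver" "$flag" "$itf"
    else
        printf '%s\n' "$flag $itf"
    fi
}

# Constructed sample: the same negated-interface rule for two versions.
for v in 1.4.2 1.4.3.2; do
    printf 'iptables %s: -A FORWARD %s -j ACCEPT\n' "$v" \
        "$(interface_match "$v" FORWARD -i eth0 yes)"
done
```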

Improvements and bug fixes in the policy compiler for PF

  • bug #2820162 "Bad sysctl name for OpenBSD pf" - the sysctl argument for IPv6 forwarding was incorrect.
  • Implemented change per bug #2828602: "PF Compiler Direction Both no Duplication Patch". PF rules with direction "both" used to be split into two rules, one with direction "inbound" and another with direction "outbound". This was an artefact of the old rule generation model where the user could choose to permit everything outbound and only generate inbound rules, or generate both inbound and outbound rules. Since we now always generate both in and out rules and PF matches both directions when neither "in" nor "out" is specified, this splitting has become redundant.
  • Applied patch per bug report #2828633: "Patch: Warning when changing rule direction in compiler". This adds warning when rule direction is changed by the compiler because object in source or destination was firewall itself.
  • remove extra white space after tcp port spec if source port match was not used in the rule.
  • bug #2835193: "Modulate state doesnt work for PF". Check the variable "modulate state" in rule options and global firewall options. If the checkbox is turned on in the firewall options, then we always use "modulate state". This option can also be turned on for an individual rule using the rule options dialog.

Improvements and bug fixes in the policy compiler for Cisco IOS ACL

  • bug #1778536 "IOSACL - remark command". Remarks now include rule comments; if comment consists of several lines, each line is added using separate remark statement. This works for both IOS ACL and PIX platforms.

Improvements and bug fixes in the policy compiler for Cisco ASA (PIX)

Improvements and bug fixes in libfwbuilder

  • fixed bug #2820152: "Address ranges and other such need IPv4/v6 typing". AddressRange object should be recognized and removed from the rule if it is used in ipv6 rule set. To do this, add virtual method hasInetAddress() (should return true) to indicate that this object has an address. This works since virtual method getAddressPtr() has been implemented anyway.
  • bug #2823424: "Deleting UserService object breaks data file format". When user deleted UserService object, it was moved to the "Deleted Objects" library which broke XML file because DTD did not allow UserService element as a child of Library

Version 3.0.5


Released 06/17/2009
GUI and compilers v3.0.5 require API library libfwbuilder version 3.0.5

Summary

Most notable new features in this release:

  • Bug fixes in the GUI improve stability
  • Added built-in help pages for all rule actions and options
  • When opening a file that is tracked by RCS, the dialog that shows revisions allows sorting by revision number or date and can display revisions either in the tree form or in a list form
  • Improvements in the parser of iptables policies, it can now handle rules that match protocol and state ESTABLISHED
  • Improvements in the support for iptables: SNAT rules that translate only ports can be generated, fixes in ipv6 support.
  • Added support for "sloppy" state tracking for PF
  • Support for NAT rules that translate only ports for PF and other fixes
  • Generated IOS ACL can be commented using "remark"

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site.

Improvements and bug fixes in the GUI

  • fixed bug #2744798 "dependency checking failed". In case when an object was used in a group and group used in a rule of a firewall, the program failed to properly update "last modified" attribute of the firewall when the object was changed.
  • fixed bug #2781952: "fwbuilder (3.0.4-b794) crashes when creating a new group". The GUI crashed if user clicked and dragged mouse inside empty list of group members in the dialog of the new group object.
  • fixed bug #2782289: "Crashes when deleting unused host object". Added safeguards to make it impossible to delete objects in the Standard library, as well as for a few other cases.
  • fixed bug #2783780: "Tree objects not sorted in 3.0.4". Automatically re-sort the object branch when a new host or firewall object is created so that the new object is positioned in alphabetic sorting order. Using QTreeWidget::sortItems() instead of sortByColumn to sort objects in the tree.
  • fixed bug #2785671 "Menu 'Import Policy' opens wizard with wrong option checked". The "discovery druid" dialog would open on the first page (where user makes a choice which discovery method to use) even when called via main menu "File/Import Policy" and radio button for the SNMP discovery was activated.
  • fixed bug #2787857: "b847 crashes on Start". v3.0.5 build 847 links with QtDBus framework as part of the future development but the framework file was not included in the bundle. This caused crash on Mac OS X.
  • fixed bug #2787932 "External install script is not supported for PIX".
  • Change in the print parameters dialog: Using slider widget to set table scaling factor; now user can choose any scaling factor between 1 and 200%. This fixes bug #2789903: "Table scaling when printing in 3.0.4"
  • fixed bug #2794484 "Crash after click in the "Options" col of rule group title".
  • Added support for the built-in help page for all objects dialogs, including rule actions and options dialog. Implemented help pages for actions "Route", "Branch", "Tag", "Classify" and rule options dialogs for iptables and pf. Button "Help" is greyed out if corresponding help page is unavailable.
  • fixed bug #2794827 "crash when pasting from a Library in a another file". The GUI crashed if user tried to copy/paste an object from one data file into a rule in another.
  • fixed the algorithm used to determine directory offered to the user when they use main menu File/Open to open a file:

    • if "work directory" is configured in preferences, always use it first;
    • if it is blank, use the same directory where currently opened file is located;
    • if this is the first file to be opened, use the same directory user used last time they ran the program (saved in user settings).

  • fixed bug #2793144 "Context menu item for the new User Service object is missing".
  • fixed bug (no #): the GUI did not allow copying/pasting an address from one interface to another. This should be possible.
  • implemented feature req. #2796238 "3.0.4 - FEAT REQ: Sort order for RCSFilePreview". RCS file preview dialog (the one that shows RCS revisions and RCS log records) can display revisions in the tree or list view style, controlled by radio-buttons. Style setting is saved in user preferences and persists from session to session. In both cases the view can be sorted by revision number or date. Sort column choice is also saved in preferences. By default the program sorts by date and selects the latest revision.
  • fixed bug #2797791: "Display error when duplicating an object".
  • better fix for the bug #2796760 "Display error when adding new FW with multiple interfaces".
  • fixed bug #2799174: "Multiple instance crashes a bug". The GUI crashed if user tried to drag and drop an object between two different running copies. Copy/Paste and Drag&Drop between separate copies are not supported at this time.
  • fixed bug #2799163: "crash on correcting an error". The GUI crashed if user tried to add, then delete interfaces in the new firewall wizard. The crash occurred when the last interface was deleted on the page where interfaces can be configured manually.
  • fixed bug #2799254 "Erratic behavior when rule is removed from the group". If user tried to remove a rule from the middle of a group of rules, the GUI behaved erratically. It showed two groups with the same name, each of these two groups claimed to have more rules than it really did. Also only one of these two groups could be collapsed at the time. Other weird things also happened. The fix is to not allow removing a rule from the rule group if the rule is in the middle.
  • fixed bug #2799315 "Find object cant find object in rules of opened firewall". If the scope was set to "policy of the opened firewall", the "Find object" function could not find anything. It worked when the scope was set to "policy of all firewalls".
  • fixed the same error reported in bug #2799163: "crash on correcting an error". The GUI crashed if user tried to add, then delete interfaces in the new firewall wizard. The crash occurred when the last interface was deleted on the page where interfaces can be configured manually. This needed to be fixed in both "new firewall" and "new host" dialogs.
  • fixed bug #2800625 "recursive groups cause infinite loop and crash in compiler". When a group included itself, compiler used to go into infinite loop and crash. The fix in this function also takes care of the situation when group A referenced group B, which in turn referenced group A again.
  • fixed bug #2801362 "Iptables policy import does not handle rules with ESTABLISED". Policy importer for iptables should properly handle rules that use a combination of "-p protocol" and match state "RELATED,ESTABLISHED". Example:

    -A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

    This rule should translate into a fwbuilder rule using a CustomService object with code "-m state --state RELATED,ESTABLISHED" and protocol spec "tcp".

  • fixed bug #2801545 "IP Service object: lsrr, ssrr, rr options not saved".

Improvements and bug fixes in the policy compiler for iptables

  • fixed bug #2356131: "Iptables-restore option broken for multiple policy sets". Compiler inserted redundant line "echo COMMIT" to the iptables script if iptables-restore was used and there were no rules in the mangle table.
  • fixed bug #2792888: "interface with only v4 address is used in v6 rules". Compiler should drop a rule if it is associated with an interface that has no address belonging to the address family declared for the rule set. If an interface has only an IPv4 address, it will never see IPv6 packets and therefore rules that have this interface in the "interface" rule element should not be included in the output generated for IPv6 or combined IPv4+IPv6 rule sets.
  • fixed bug #2801548 "fwb_ipt should issue error for ipsrv with options for ipv6". Since IP options lsrr, ssrr, rr do not exist in ipv6, compiler should refuse to compile rules that request matching these options.
  • Added support for SNAT rules that translate only source port of udp or tcp packets. This rule generate "-j SNAT --to-source :" with no address part.
  • Improved support for NAT rules that translate both source and destination: now a rule like this can translate both source and destination addresses and at the same time source and destination port ranges. Compiler generates two iptables commands, one with SNAT and another with DNAT translation for a rule like this.

Improvements and bug fixes in the policy compiler for PF

  • fixed bug #2790927: "Add support for "sloppy" state tracking for PF".
  • fixed bug #2791950 "no way to generate "pass out" rule with no interface". Compiler created two rules "pass out" and "pass in" for rules with no interface and direction "in" or "out". It should create one rule with direction defined by the rule in the GUI.
  • fixed bug (no #): policy compiler for pf crashed when dynamic interface was used in source or destination of a policy rule.
  • fixed bug #2801544 "missing space after tos option in pf config"
  • fixed bug (no #): compiler for PF did not remove rules using IPv4 objects while compiling a policy set to be "combined IPv4 and IPv6" for IPv6, and vice versa. As a result, it used to double some rules because they would appear in both the IPv4 and IPv6 sections of the generated .conf file.
  • fixed bug #2803702 "NAT rule with source port range in TSrv is broken for PF". NAT rules matching source port ranges and translating source port ranges should be possible.

Improvements and bug fixes in the policy compiler for Cisco IOS ACL

  • fixed bug #2801547 "fwb_iosacl should issue an error for ipservice with options". IOS access lists can not match source routing options set in IPService object, compiler should issue an error and abort processing when an object like this is encountered in a rule.
  • implemented feature request #1778536: "IOSACL - remark command". This adds support for the "remark" command in generated IOS ACL configuration. Controlled by the checkbox "Add ACL remarks" in the "Script" tab of the firewall object settings dialog.

Improvements and bug fixes in the policy compiler for Cisco ASA (PIX)

  • fixed bug #2782645: "Can't compile for FWSM platform". Routing compiler for PIX should accept firewall objects with platform "fwsm" as well as "pix".

Improvements and bug fixes in libfwbuilder

  • set security level to 0 (insecure) by default. This makes all interfaces of the newly created firewall be "external" or "insecure" unless they were assigned labels or addresses from the private address space in which case guessSecurityLevel() assigns level 100. This addresses bug #2796760 "Display error when adding new FW with multiple interfaces".
  • fixed bug #2803689 "NAT rule matching dport but chaning sport is broken". NAT rules that match destination port but translate source port should be possible (and the opposite too).

Version 3.0.4


Released 03/29/2009
GUI and compilers v3.0.4 require API library libfwbuilder version 3.0.4

Summary

Most notable new features in this release:

  • Main menu item "File/Open recent" has been added.
  • Rule action icons have been changed to make them recognizable for red-green color blind users.
  • IPv6 addresses of firewall interfaces can now be discovered via SNMP. SNMP discovery also works on Windows.
  • Generation of static routing commands is now supported for Cisco IOS and PIX platforms.
  • CustomService object can now specify protocol and address family
  • Rule sets can be only ipv4, only ipv6 or combined. In the latter case the program intelligently chooses which objects used in rules it should use to generate firewall configuration and produces configs for both address families from the same rule set.
  • Built-in policy installer can work over IPv6
  • Built-in policy installer recognizes sudo password prompt. There is no need to configure password-less sudo rights for the firewall management account anymore.
  • We now generate universal Mac OS X packages

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site.

Improvements and changes in packages

  • bug #2474194 "Please Provide MacOS X PowerPC Builds". Now Mac OS X PPC packages are "universal" and will work on both Intel and PPC Mac architectures. Unfortunately they only work on Leopard though.

Improvements and bug fixes in the GUI in the built-in policy installer

  • New feature: built-in installer can now enter sudo password. There is no need to configure firewall management account for password-less sudo access anymore.
  • built-in installer periodically "pings" the other end to keep ssh session alive. This helps recreate state in the firewall state table if it is cleared when rules are reloaded, which in turn prevents installer from hanging.
  • bug #2474949: "External install script: trailing spaces". Trimming leading and trailing white spaces in the external installation script and its arguments before running it.
  • bug #2618686 "built-in installer can not handle ipv6 management address". Built-in installer did not properly form the scp and ssh command lines when it had to use an IPv6 address to communicate with the firewall.
  • bug #2618772 "'test install' option does not work". If "test install" checkbox was checked in the installer options dialog, the program copied file to directory /etc/fw on the firewall but tried to find it in /etc/fw/tmp to run.
  • bugfix (bug was introduced in build 768). If user entered alternative activation command in the "installer" tab of the firewall object settings dialog, the program confused it with destination directory and tried to execute incorrect command to copy files to the firewall. This build (770) fixes this problem.

Improvements and bug fixes in the GUI

  • feature request #2431602: "Feature request: Unified policies (IPv4/v6)". RuleSet object now has two variables that define which address family it should be compiled for - ipv4 or ipv6. It is possible to have both set, in which case the same ruleset will be compiled for both address families.
  • bug #2412310: "Umlauts in group names". The GUI should properly handle non-ascii characters in the rule group names
  • feature request #2412323: "feature request: command line flag to skip RCSFilePreview". New command line switch "-r" makes the GUI automatically open RCS head revision of the file given on command line if the file is in RCS. If the file is not in RCS, the new switch does nothing and the file is opened as usual.
  • bug #2388067: "Print out FWB 3.0.3 not ok". File/Print function failed to print objects used by rules of the firewall.
  • feature requests #1111267 "CustomService should specify protocol and parameters for it" and #2463048 "custom services should have IPv4/v6 setting". Added corresponding input elements to the CustomService object dialog.
  • bug #2478528: "Crash when copying multiple policy rules". GUI crashed if user tried to copy/paste several rules, some of which belonged to rule group and some did not.
  • Routing ruleset view shows column "interface" only for platforms that require it. Currently IOS does not require it, while other platforms for which routing commands generation is supported require it (iptables and PIX).
  • bug #2023261 "IPv6 - SNMP discovery of interfaces not working for IPv6". SNMP discovery can now read IPv6 addresses of interfaces using IP-MIB RFC4293. Not all snmp agents support this MIB, for example only recent versions of net-snmp support it.
  • starting with v3.0.4 build 739 snmp discovery is supported on Windows.
  • fixed bug #2486558 "firewall platform "unknown" should support basic actions".
  • Applied patch by Paul@Auroragrp.Com that fixes problems with printing long rule sets. If rule set printout exceeded the length of the page, some rules at the bottom were cut off and lost. The patch corrects the problem by taking into account printer dpi while calculating position for page breaks.
  • bug (no #): the GUI crashed if user tried to use File/Print function when no ruleset was opened in the right hand panel.
  • bug #2499569: "fwbuilder crashes after some hours". The auto-save function now saves the data file only if it has been modified. Frequent saves exacerbate small memory leaks that appear in some old versions of libxml2.
  • Added menu Files/Open Recent. This implements feature req. #2499615 "open last used file".
  • bug (no #): the GUI used to check ip address entered for the network object whenever user switched focus from the address input widget in the network object dialog to another widget or even a different application to look up the address. This caused the program to show error dialog if this happened when the address was incomplete. This change makes the program verify the address only when user clicks "Apply".
  • bug #2412334: "feature request: where used -> directly". There has been a change in the "Where used" function in v3.0 compared to the implementation in v2.1. New version showed not only rule elements and groups that referred to the given object, but also found all groups that referred to other groups that referred to the given object. Such recursive action was not always obvious to the user and was inconvenient when the function was used to find all places where given object was used with the goal to replace it with some other object. This fix reverts to the old behavior where only direct usages are reported by the "Where used" function. Elements of UI in this function have also been cleaned up and further unified with confirmation dialog shown when user tries to delete an object that is used in some groups and rules.
  • code refactoring: made it possible to translate ruleset table column names ("Source", "Destination" etc.). Currently only Russian translation is provided.
  • Added CustomService object "ESTABLISHED ipv6" which defines code for iptables, ipfw and IOS extended access lists for IPv6.
  • bug #2565164 "Colorblind friendly Accept & Deny Icons". Accept and Deny icons were indistinguishable for red-green colorblind people. New icons incorporate standard symbols for the "Accept" and "Deny" functions to make them sufficiently different besides the color.
  • bug #2597949 "GUI crash in IOS ACL "advanced" settings dialog". GUI crashed upon click OK in the firewall settings dialog for the IOS ACL firewall.
  • bug #2656815 "Copy/paste does not work properly". Fixed Copy/Paste problem with policy rules and crash reported in this bug report.
  • bug (no #): if user selected some rules that belonged to a group and few other rules that did not belong to any group at the same time and used context menu to place all these rules in a new group, the GUI would crash.
  • bug #2689958 "Error changing properties of a IPv6 address". Button "Apply" would stay greyed out when user changed network prefix length in IPv6 address dialog.
  • bug #2689987: "Typo in 'script options' tab in 'Firewall settings'".
  • bug #2710300 "Bug in gui/platforms.cpp". There was a discrepancy between the list of route-to options for PF and the UI elements.
  • bug #2710309: "Bug in gui/DialogData.cpp when not using mapping.". There was a bug in DialogData.cpp: when setting the value of a combobox without using a mapping array, the requested value would not be selected. Applied patch provided by Tom Judge (tomjudge).

Improvements and bug fixes in components common for all policy compilers

  • Feature Request #2431602: support for rulesets configured as "dual address family", that is, rulesets that should be compiled for both ipv4 and ipv6. Compiler processes rulesets like this twice, first for ipv4 and then for ipv6. On each pass it will only use address and service objects that match address family it uses for the ruleset. This also applies to "compile-time" DNSName objects, that is, it will use getaddrinfo() to get AF_INET address on ipv4 pass and AF_INET6 on ipv6 pass.

    Rules with "any" in rule elements in the "dual address family" ruleset yield iptables commands for both families. This was the reason I made setting exclusive in the first place. This means that users who do not want fwbuilder to generate ipv6 policy for them and want all ipv6 accepted, should not use "dual address family" setting. If they do, the bottom catch-all rule will install ip6tables command to block all ipv6 automatically even if all rules have absolutely no ipv6 objects at all.

Improvements and bug fixes in the policy compiler for iptables

  • feature req. #2353737 "use -m iprange". Using module iprange for AddressRange objects if iptables version is set to >=1.2.11.
  • feature req. #1111267 "CustomService should specify protocol and parameters for it". Support for protocol string in Custom Service in the compiler for iptables.
  • bug #2477775: "Clamp MTU doesn't work in ip6tables". iptables target TCPMSS is available in ip6tables only in 1.3.8 and later.
  • bug #2526173: "fwb_ipt crashes due to old-broadcast". This bug was introduced when support for module iprange was added. Need a special check for AddressRange objects where the start and end addresses of the range are equal.
  • bug #2507239: "length of iptables rule chain names not checked". Iptables does not allow chain names longer than 30 characters; policy compiler fwb_ipt should check for this.
  • bug #535146: "firewall script: exit code for ip6tables overwrites iptables". If the generated iptables script used iptables-restore to activate the policy and contained both ipv4 and ipv6 iptables policies, the return code from iptables-restore was overwritten with the return code from ip6tables-restore and only the latter was returned as the return code of the script. To fix this, prolog and epilog commands were moved to shell functions prolog_commands and epilog_commands which are called from various places in the script. The script checks the return code of iptables-restore and ip6tables-restore and if an error is detected from either, it runs epilog_commands and terminates, returning the error code obtained from iptables-restore (or ip6tables-restore). In case of error, we always run epilog but do not turn ip forwarding on in the kernel. Also, if prolog place is set to "After iptables reset" in the GUI and the script uses iptables-restore, prolog commands are executed just before iptables rules are sent to iptables-restore. This means that if iptables-restore is used, position "after iptables reset" is equivalent to position "on top of the script". If iptables-restore is not used and prolog position is "after iptables reset", then prolog commands are executed right after the script flushes all chains in all tables and sets the default policy for all chains. Other positions of prolog commands in the script (on top and after interface configuration) are unaffected and work as before.
  • bug #2550074: "Automatic rules for filter table included twice in iptables". If the user had two policy ruleset objects marked as "top" rule set, then automatic rules were added twice.
  • add empty line after user's code in prolog and epilog shell functions to make sure shell syntax is not violated if user does not end prolog or epilog code with linefeed.
  • bug #2568819 "generated script created on windows is not executable". If the GUI runs on Windows, produced .fw script lacks executable permission bit ('x') when it is copied over to the firewall with pscp.exe. Because of this, activation command "sudo -S /etc/fw/script.fw" can not run it and installation fails. Need to run "chmod" as part of the activation sequence. (We used to run chmod as part of the copy sequence when copying was done with ssh/plink.exe. Now that the copy is done with scp/pscp.exe, there is no way to change permissions bits on the firewall side during copy).
  • bug #2597959 "rules disappear in ipv6 policy unless ipv4 forwarding is on". Example: IPv6 policy, rule where fw object and internal network are in source, destination is "any". If option "assume firewall is part of any" was turned off and ipv6 forwarding was on but ipv4 forwarding was off, this rule did not yield any iptables commands in generated script.
  • bug (no #): if generated firewall script detects an error from one of the commands that install routing rules and runs function that restores previous routing entries, it should also run epilog commands.
  • bugs #2540389: "Routing Broken from 2.1 to 3.0.3" and #2356151 "Routing broken when default route has a 0 metric". The generated script preserved the default route when it deleted route entries before installing new ones. This was different in v2.1, where the default route was deleted together with the other routing entries. The reason for this change (made some time in summer of 2008) was that if the user did not define a default route in their routing ruleset, the script would delete the existing default without installing a new one, leaving the firewall with no default route at all. Now the script deletes the default route only if there is a new one to install and preserves it otherwise.

    Also, the script now redirects its output to a file while it removes static routing entries and adds new ones, to prevent the ssh session from stalling. Output is restored to the terminal when the script finishes or when an error is detected. Idea suggested by Heiko Helmle <helman@gmx.de>

  • bug #2666971 "fwb_ipt crashes when Address Range object in routing rule". Policy compiler for iptables crashed if Address Range object was used in "Destination" of a routing rule.
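
The activation skeleton described in the iptables-restore exit code item above, written out as an added example. This is not fwbuilder's generated script: prolog and epilog live in shell functions, each family's restore exit code is checked separately, the epilog runs on every exit path, and IP forwarding is enabled only after both loads succeed. The restore and sysctl commands are read from the variables IPTABLES_RESTORE, IP6TABLES_RESTORE and SYSCTL (hypothetical names, not fwbuilder settings) so the logic can be exercised with stand-ins; the rule sets are constructed for the example.

```shell
#!/bin/sh
# Added example, not fwbuilder's generated script: check the exit code of
# iptables-restore and ip6tables-restore separately, run the epilog on every
# path and enable forwarding only when both families loaded cleanly.
# Commands come from variables (hypothetical names) so stand-ins can be used.

IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
IP6TABLES_RESTORE="${IP6TABLES_RESTORE:-ip6tables-restore}"
SYSCTL="${SYSCTL:-sysctl}"
EPILOG_RAN=0
FORWARDING_ON=0

# Constructed rule sets: one filter table per family, one COMMIT per table
# (iptables-restore expects COMMIT at the end of each table, not each ruleset).
IPV4_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
'
IPV6_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
'

prolog_commands() {
    # User prolog goes here. With iptables-restore there is no separate
    # "reset" step, so "after iptables reset" collapses to "top of script".
    :
}

epilog_commands() {
    # User epilog goes here; this runs on success and on every error path.
    EPILOG_RAN=1
}

enable_forwarding() {
    "$SYSCTL" -w net.ipv4.ip_forward=1 >/dev/null || return $?
    "$SYSCTL" -w net.ipv6.conf.all.forwarding=1 >/dev/null || return $?
    FORWARDING_ON=1
}

load_rules() {
    # $1 = restore command, $2 = rules text. The pipeline's status is the
    # status of the restore command, so the caller sees its real exit code.
    printf '%s' "$2" | "$1"
}

activate_policy() {
    prolog_commands
    load_rc=0
    load_rules "$IPTABLES_RESTORE" "$IPV4_RULES" || load_rc=$?
    if [ "$load_rc" -ne 0 ]; then
        echo "iptables-restore failed with exit code $load_rc" >&2
        epilog_commands
        return "$load_rc"     # propagate the IPv4 failure, not a later status
    fi
    load_rules "$IP6TABLES_RESTORE" "$IPV6_RULES" || load_rc=$?
    if [ "$load_rc" -ne 0 ]; then
        echo "ip6tables-restore failed with exit code $load_rc" >&2
        epilog_commands
        return "$load_rc"
    fi
    # Forwarding is switched on only after both families loaded cleanly.
    enable_forwarding || { epilog_commands; return 1; }
    epilog_commands
    return 0
}

# Activate only when explicitly asked ("sh activate.sh activate"), so that
# sourcing this file for testing does not touch the running kernel.
if [ "${1:-}" = "activate" ]; then
    activate_policy
fi
```

Because the IPv4 failure returns before the IPv6 load is attempted, a non-zero status from iptables-restore can no longer be masked by a successful ip6tables-restore, and a policy that failed to load is never followed by forwarding being switched on.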
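
The routing section described in the three routing items above (restore previous routes and run the epilog on error; delete the default route only when a new one is to be installed; silence output while routes change), as an added example that is not fwbuilder's generated script. The scratch files are created with mktemp rather than at a fixed, predictable path, so an unprivileged local user cannot plant a symlink there before the script runs as root. The ip command is read from the variable IP (hypothetical name) so the logic can be exercised with a stand-in, and the routes are constructed for the example; real routes with "proto kernel" are skipped as a simplification of what counts as a static entry.

```shell
#!/bin/sh
# Added example, not fwbuilder's generated script: save current routes,
# delete static ones (default only if a new default follows), add the new
# ones, and on any error restore the saved routes and run the epilog.
# Output is parked in an unpredictable temp file (mktemp) while routes change.

IP="${IP:-ip}"
EPILOG_RAN=0

# Constructed routes to install, one "ip route add" argument list per line.
NEW_ROUTES='10.10.0.0/16 via 192.0.2.1 dev eth0
10.30.0.0/16 via 192.0.2.3 dev eth0'

epilog_commands() {
    EPILOG_RAN=1
}

has_new_default() {
    printf '%s\n' "$NEW_ROUTES" | grep -q '^default '
}

delete_routes() {
    # $1: file holding "ip route show" output taken before the change.
    # Connected (proto kernel) routes are left alone; the default route is
    # removed only if the new routing table brings its own default.
    while read -r line; do
        case "$line" in
            ''|*"proto kernel"*) continue ;;
            default*) has_new_default || continue ;;
        esac
        # $line is intentionally unquoted: it is split into ip arguments
        "$IP" route del $line || return $?
    done < "$1"
}

add_routes() {
    while read -r line; do
        [ -n "$line" ] || continue
        "$IP" route add $line || return $?
    done <<EOF
$NEW_ROUTES
EOF
}

restore_routes() {
    # Best effort rollback: "replace" is idempotent, so entries that survived
    # the failed run are not reported as duplicates.
    while read -r line; do
        case "$line" in ''|*"proto kernel"*) continue ;; esac
        "$IP" route replace $line || true
    done < "$1"
}

install_routes() {
    saved=$(mktemp) || return 1      # unpredictable name, mode 0600
    out=$(mktemp) || return 1
    "$IP" route show > "$saved" || { rm -f "$saved" "$out"; return 1; }
    exec 3>&1 4>&2                   # remember the terminal
    exec >"$out" 2>&1                # silence the script while routes change
    status=0
    delete_routes "$saved" || status=$?
    if [ "$status" -eq 0 ]; then
        add_routes || status=$?
    fi
    exec 1>&3 2>&4 3>&- 4>&-         # back to the terminal
    if [ "$status" -ne 0 ]; then
        echo "routing install failed (exit $status), restoring previous routes:" >&2
        cat "$out" >&2
        restore_routes "$saved"
        epilog_commands
    fi
    rm -f "$saved" "$out"
    return "$status"
}

if [ "${1:-}" = "install" ]; then
    install_routes
fi
```

On the failure path the script reports the exit status of the first route command that failed, prints the captured output so the operator sees which command it was, and puts the old default route back before the epilog runs, so the firewall is not left unreachable.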

Improvements and bug fixes in the policy compiler for PF

  • New feature: added support for anchor names with a "/*" suffix for PF. The user can now create a policy ruleset with a name such as "ftp-proxy/*" and then set up a branching rule pointing to this ruleset. Such a ruleset is treated by the program in a special way. First, the characters "/" and "*" are allowed in the name of the ruleset (but only for PF firewalls). Second, the program assumes the ruleset is controlled by external means such as ftp-proxy: it does not compile the rules in it and does not create a .conf file from it. See the man page ftp-proxy(8) for examples.

  • feature req. #1111267 "CustomService should specify protocol and parameters for it". Support for protocol string in Custom Service in the compiler PF.
  • The compiler can add the command "pfctl -F states" after "pfctl -f file.conf" to flush states that existed in memory from sessions opened before the policy reload. Some of these sessions might be denied by the new policy, but if their state is not flushed they keep working after the reload. This is optional and is controlled by a checkbox in the "Script" tab of the "advanced" settings dialog for the PF firewall. Note that the flush also discards state for sessions the new policy does allow, so existing connections, including the ssh session used to install the policy, may be interrupted if the rules that match them only create state on the initial SYN.
  • Deprecated options "generate commands for both in and out" and "pass all outgoing" in compiler for PF. Before, user could choose whether compiler was to generate only commands to match inbound packets or both inbound and outbound. The distinction between these two modes became very minimal in the recent versions of fwbuilder because algorithm was mostly controlled by the setting of "direction" in the policy rules. Now these two options have been removed completely, the behavior of the compiler is as if option "generate both in and out" was used.
  • bug (no #): the compiler for PF added code provided in the "prolog" section in the wrong place when the option was set to "add after table definitions".
  • bug #2712514: "Bug in PF NAT Writer - 'tagged' keyword". Keyword 'tagged' is only allowed on the left hand side of '->' in nat and rdr rules.
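
What the PF side of the "/*" anchor feature and the optional state flush look like, as an added example that is not fwbuilder's generated code. The pf.conf fragment is constructed here from the ftp-proxy(8) wiring of that era (pre-OpenBSD 4.7 nat/rdr syntax, assumed here); the rules inside the "ftp-proxy/*" anchor are loaded at run time by ftp-proxy itself, which is why the compiler writes nothing for that ruleset. The pfctl command is read from the variable PFCTL and the flush option from FLUSH_STATES (both hypothetical names, not fwbuilder settings) so the reload sequence can be exercised with a stand-in.

```shell
#!/bin/sh
# Added example, not fwbuilder's generated code: pf.conf with an external
# "ftp-proxy/*" anchor, and a reload that syntax-checks before loading and
# optionally flushes states afterwards. Commands come from variables
# (hypothetical names) so a stand-in pfctl can be used.

PFCTL="${PFCTL:-pfctl}"
FLUSH_STATES="${FLUSH_STATES:-0}"   # 1 = run "pfctl -F states" after the load

pf_conf_text() {
    # Constructed pf.conf: the three "ftp-proxy/*" anchors are placeholders
    # that ftp-proxy(8) fills in; no rules for them are written here.
    cat <<'EOF'
int_if = "em1"

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

block in all
pass out keep state
anchor "ftp-proxy/*"
pass in on $int_if proto tcp from any to any port ssh keep state
EOF
}

reload_policy() {
    # $1: path of the compiled pf.conf. Check syntax first so a broken file
    # never replaces the running ruleset, then load, then optionally drop
    # states left over from sessions the new policy may no longer allow.
    "$PFCTL" -nf "$1" || return $?
    "$PFCTL" -f "$1"  || return $?
    if [ "$FLUSH_STATES" -eq 1 ]; then
        "$PFCTL" -F states || return $?
    fi
}

if [ "${1:-}" = "reload" ]; then
    conf=$(mktemp) || exit 1
    pf_conf_text > "$conf"
    reload_policy "$conf"
    rc=$?
    rm -f "$conf"
    exit "$rc"
fi
```

"pfctl -F states" removes every state entry, not only those the new policy would deny; with the default TCP flags (S/SA) an established session such as the ssh session doing the reload cannot re-create its state from a mid-stream packet, so keep the flush off when installing over ssh unless the rule matching that session accepts any flags.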

Improvements and bug fixes in the policy compiler for ipfw

  • feature req. #1111267 "CustomService should specify protocol and parameters for it". Support for protocol string in Custom Service in the compiler ipfw.
  • fixed behavior of the policy compiler for ipfw, which was broken in rev714: it should print protocol "tcp" when a custom service object that adds option "established" is used. This compiler worked like that before the attribute "protocol" was added to the CustomService object.

Improvements and bug fixes in the policy compiler for ipfilter

  • feature req. #1111267 "CustomService should specify protocol and parameters for it". Support for protocol string in Custom Service in the compiler ipfilter.

Improvements and bug fixes in the policy compiler for Cisco IOS ACL

  • support for the CustomService in compiler for IOS ACL, including support for address family, protocol and code string parameters.
  • Added support for generation of "ip route" commands for Cisco IOS. Variant of Cisco IOS "ip route" command where gateway is the name of one of the interfaces of the router is also supported. To get this, put interface object in the "gateway" column of the routing rule.
  • bug #2662290: "fwb_iosacl crash after firewall converted from iptables". If user changed platform setting of the firewall object, the program preserved its old version which was invalid for the new platform.
  • bug (no #): the compiler for IOS ACL did not ignore the netmask of IPv4 and IPv6 address objects and converted it into the generated access list entry, producing wildcard bits 255.255.255.255, which is equivalent to 'any'.
  • several bugs (no #) in the policy compiler for Cisco IPv6 ACLs, reported by email:
    • The "extended" keyword is not supported by IOS for IPv6 ACLs
    • keyword "established" is only valid in combination with protocol tcp. If standard CustomService objects "ESTABLISHED" and "ESTABLISHED ipv6" are used in a rule, enforce protocol to "tcp".
    • command to clear ipv6 access lists should be "no ipv6 access-list ipv6_management_in"
    • command to assign ipv6 acl to interface should be "ipv6 traffic-filter ipv6_acl in"
  • bug #2689978: "IOS ACL 'safety net' doesn't support IPv6?". Compiler did not process properly ipv6 address entered in the "safety net" install script option parameter.
  • bug #2694432 "IOS ACL syntax error with IPv6 host addresses & 'safety net'": temporary access list created for IOS when option "safety net install" is used and ipv6 address is provided should use keyword "host" if provided address does not specify netmask.
  • bug #2694440 "Multiple policies cause multiple temporary ACLs": when "safety net install" option is used, temporary access list must be generated only once even when firewall object has multiple rulesets.
  • bug #2694146: "IPv6 temporary ACL blocks ICMPv6". Temporary ipv6 access list created for the "safety net install" should permit icmp.
  • bug #2701593 "gui problem". Adding a rule to a policy with rule groups caused weird rule display - a rule immediately above rule group header would appear empty, with only "Source" showing.

Improvements and bug fixes in the policy compiler for Cisco ASA (PIX)

  • applied patch by Steven Mestdagh <steven@openbsd.org> that adds support for static routing configuration for PIX. Patch tested and applied in r726. The patch was improved to make it a foundation of the routing compiler for both PIX and IOS ACL.
  • bug (no #): routing compiler for pix refused to add more than one routing rule with an error saying that other rules were duplicates. Error was introduced in build 732.

Improvements and bug fixes in libfwbuilder

  • because of internal changes in libfwbuilder in v3.0.4, the shared library version (so version) was bumped to 8.2.0
  • bug #2431602: "Feature request: Unified policies (IPv4/v6)". RuleSet object now has two variables that define which address family it should be compiled for - ipv4 or ipv6. It is possible to have both set, in which case the same ruleset will be compiled for both address families. Compilers already drop address objects that do not match address family of the ruleset, this means ruleset can contain a mix of ipv4 and ipv6 objects and compiler can produce two correct policies from the same rules. New attribute of the RuleSet object is "implied" in XML DTD for backward compatibility.
  • feature requests #1111267 "CustomService should specify protocol and parameters for it" and #2463048 "custom services should have IPv4/v6 setting". Added attributes "protocol" and "address_family" to the CustomService object. Corresponding XML attributes are "#IMPLIED", this helps avoid having to provide XSLT auto-upgrade script for this version. Class CustomService returns "any" for the protocol and "ipv4" for address family if these attributes are missing.
  • bug #2412334: "feature request: where used -> directly". Function FWObjectDatabase::findWhereObjectIsUsed returns a set of pointers FWObject*. These pointers can be either parent of the given object, or FWReference objects pointing to it. Note the change: in previous versions this function tried to clean up returned set and replaced references with pointers to the group or rule that owns those references. This substitution is in fact task-specific and should be done in the caller.
  • bug #2462927: "ip6tables: objects with netmask /32 lose netmask in script". InetAddrMask::dimension() returned incorrect value for ipv6 addresses with mask <= 32.
  • bug #2023261 "IPv6 - SNMP discovery of interfaces not working for IPv6". SNMP discovery can now read IPv6 addresses of interfaces using IP-MIB RFC4293. Not all snmp agents support this MIB, for example only recent versions of net-snmp support it.
  • bug #2526193: "typo in error message"
  • bug #2609796 "internal object Management does not accept ipv6 address". Class Management should accept ipv6 address. The problem was that if an interface of the firewall had only ipv6 address and was marked as "management" interface, saving such configuration to .fwb file created broken data file that could not be loaded back. The error was:
    	The program encountered error trying to load data file.
    	The file has not been loaded. Error:
    	Exception: Invalid IP address: 'aaaa:bbbb:cccc::1'
    	XML element : Management
    
    where aaaa:bbbb:cccc::1 stands for the IPv6 address of the interface.
  • Code refactoring in many places to improve readability and in some cases performance. See libfwbuilder/docs/ChangeLog for more details.
  • bug #2712575: "NAT RuleSetView allows TagService to be in Translated Svc". TagService object should not be allowed in "Translated Service" in NAT rules.

Improvements and bug fixes in fwbedit

  • fwbedit: properly saving data file after "checktree" operation



Version 3.0.3


Released 12/09/2008
GUI and compilers v3.0.3 require API library libfwbuilder version 3.0.3

Summary

Most notable new features in this release:

  • Fixed problems with IPv6 addresses on FreeBSD
  • Improved stability of the GUI on operations of copy of multiple objects between different data files
  • Proper support for non-ASCII characters in RCS commit comments
  • Improvements in the importer of Cisco IOS configurations

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Improvements and bug fixes in the GUI in the built-in policy importer

  • fixed bug #2334007: "Problem parsing Cisco config". Parser now recognizes IOS configuration lines "certificate", "ip community-list", "controller ... description". These lines are recognized and ignored, they should not stop parser from processing the rest of the configuration.
  • Changes in the grammar for iptables: removed ambiguities in the parser; added lexer rules for elements of IPv6 addresses. Rules for IPv6 address parsing do not work yet and are commented out as work in progress. No new functionality in the parser for iptables, only clean-up and preparation for IPv6.

Improvements and bug fixes in the GUI

  • fixed bug (no #): GUI crashed if user closed internal window so no object files were left open, then closed application using "close" button in the main window title bar.
  • fixed bug (no #): need to check if object in the object editor panel has been modified and needs to be saved when user closes internal window using "close" button in its title bar.
  • changes to speed up GUI when user copies many objects between different data files (do not reload and redraw object tree widget until last object is copied). Refactoring of the pasteObj to keep the same object ID mapping table for the duration of the bulk paste operation, this helps deduplicate objects. Also using the same ".copy_of_NNNN" object attribute to deduplicate objects.
  • fixed bug #2405909: "Umlauts in RCS log". RCS log is stored in RCS file in Utf8, need to convert it back from Utf8 on read. Technical note: rcs tools on windows do not seem to process properly rcs comments converted with toLocal8Bit, comment text comes out as '????' when inspected with rlog.exe from the command line. Comment text stored in Utf8, on the other hand, appears intact even though it can not be read in the output of rlog.exe.
  • fixed bug #2407141 "label markers". Color label text set in Preferences was not used in the context menus where the user can actually apply those colors to rules.

Improvements and bug fixes in components common for all policy compilers

Improvements and bug fixes in the policy compiler for iptables

  • fixed bug #2378672: "fwb 3.0.2 build 676 iptables script is not executable". Generated .fw file should have executable permissions.

Improvements and bug fixes in libfwbuilder

  • Implemented an additional check for object duplicates while copying objects. The problem happened when several objects were copied in a batch operation (e.g. when the user selected several objects in the GUI and then used copy/paste to copy them all). If some of these objects were groups that referred to other objects from the same batch, the program would copy the object and then create another copy of it when it copied the group using it. To avoid such multiplication it now creates a special hidden attribute in the object when it makes a copy, to keep track of the original object. When the same original object needs to be copied again, the program can find its copy in the target data tree using this attribute. This creates another problem because the attribute used to track the original object is persistent for the duration of the program run. The scenario that leads to this is as follows: the user copies object A, modifies it and then copies group B using the original of A. The end result is that the program does not recognize that the copy of A has changed and makes the copy of group B use it anyway. This means the new group points at the modified object A. This can not be easily fixed because we do not have a "last_modified" attribute in each object.
  • fixed bug #2375327: "Crash copying multiple groups between different data files". Using better algorithm to copy objects between different data files.
  • IPv6 addresses should be converted to strings with bits==128, because inet_net_ntop_ipv6 on FreeBSD applies a mask constructed from the bits argument to the result, so with bits==0 it always returned "::/0"



Version 3.0.2


Released 11/23/2008
GUI and compilers v3.0.2 require API library libfwbuilder version 3.0.2

Summary

Most notable new features in this release:

  • Built-in installer uses scp (pscp.exe on Windows) to copy files to the firewall, this makes it work much faster.
  • Data file compression (optional)
  • Support for pure mangle table rule sets for iptables
  • Significant improvement in the speed of the shadowing detection for all compilers (up to 5 times on large linear policies)
  • Numerous improvements in the built-in policy importer for iptables (but no support for IPv6 yet)
  • Russian and Japanese translations

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Internationalization

  • Added Japanese translation by Tadashi Jokagi ( elf2000 )
  • Added Russian translation. Not 100% but usable.

Improvements and bug fixes in the GUI in the built-in policy installer

  • Redesign of the built-in installer. Code refactoring to make it more manageable.
  • Built-in installer now uses scp (pscp.exe on Windows) to copy files to the firewall. This helps improve performance of the installer. This fixes bug #2135827: "Store a copy of fwb file..." very slow
  • fixed crash in built-in installer that happened when existing PIX configuration was saved before loading new one.
  • A fix in the built-in installer to make sure it finds all generated files when user specifies alternative name (possibly full path) for the generated script.
  • fixed bug #2194829: "the gui can not locate data file in non-ascii directory". This seems to have happened only on Windows and Mac; if data file was located in the directory with the name with non-ascii characters, the gui generated incorrect command line for the compiler when user tried to compile the data file more than once.
  • fixed a bug introduced some time earlier and reported in the bug report #2135827: policy installer would only copy .fwb file to the firewall when "Store data file on the firewall" was activated and skipped actual generated policy file(s) (.fw). This only happened on Windows.
  • Check to make sure paths to the ssh and scp utilities are properly configured in Preferences before running install. Show an appropriate error dialog to the user if the path to ssh or scp is not configured.
  • installer for Cisco routers and PIX could not find the generated file because variable conffile is now always a full absolute path. This bug was introduced earlier during the installer rewrite for v3.0.2. Tested installer for router and PIX using the default generated file name, as well as a custom generated file name, defined both as absolute and as relative path. Tested batch install of a combination of a router and a PIX in one batch (the same user account, the same enable password on both).

Improvements and bug fixes in the GUI in the built-in policy importer

  • fixed bug (no #): policy importer for iptables used to create separate Policy objects for chains INPUT, FORWARD, OUTPUT.
  • policy importer for iptables correctly imports user-defined chain, configures rule with action "Chain" and establishes association between it and ruleset created for the user-defined chain. Multiple rules with this action can point at the same ruleset.
  • policy importer for iptables properly creates TagService objects and places them in the action of the rule when it finds an iptables rule with target "-j MARK"
  • a temporary fix for the problem in ANTLR that causes crash on import of very large config files. This affected import of both iptables and Cisco IOS configurations and depended just on the file size.
  • applied patch for gcc 4.4 from bug# 2282828 "patch for gcc-4.4"
  • minimal support for iptables module "comment" in importer. Module is recognized but comment string is not imported yet

Improvements and bug fixes in the GUI

  • fixed crash that happened when user opened PIX firewall "advanced" settings dialog and then tried to save changes by clicking OK.
  • Several build problems fixed for FreeBSD.
  • fixed bug #2158561: "Solaris fwb 3.0.2-b599 build prob". Fixed build problems on FreeBSD and Solaris.
  • Added GUI control in the Preferences dialog for the path to scp utility used by built-in policy installer
  • added support for data file compression. This fixes bug# 2130128: "Option to compress the FWB file".
  • Added tab "Data File" to the Preferences dialog; added checkbox "Enable data file compression" to this tab. If this checkbox is turned on, the GUI will compress data file when it is saved to disk.
  • fixed bug #2149585 "Deleting Routing object breaks file". The GUI should not allow the user to delete "Routing" ruleset object, as well as any other top-level ruleset object. This applies to both deleting them via context menu item or Delete key stroke.
  • fixed bug #2149503: ever since attribute "read-only" of FWObject was converted from a dictionary entry to a member variable, the GUI could not properly check if an object is read-only and could not update the context menu and icon in the object tree. This led to unstable behavior when an object was set read-only because the GUI could not show the corresponding icon to indicate its status change, did not switch context menu items and permitted operations that should not have been permitted.
  • Added attribute to the Policy object for iptables to indicate that this policy ruleset should be compiled into filter and mangle tables or only for the mangle table. This makes sense (and is only shown) for iptables firewalls. By default the attribute is set to "filter+mangle" which means compiler will try to figure out which table each rule should go to. However some combinations of service objects and actions are ambiguous and can be used in both filter and mangle tables. In cases like these, user can help by creating separate Policy ruleset that will be translated only into iptables rules in the mangle table.
  • fixed bug: object editor panel resized itself erratically when user switched between objects while editor was open. This happened on Windows and Mac OS X.
  • fixed object type icon in the RuleSet and Interface object dialogs.
  • fixed bug #2187094: "fwbuilder does not use system colors for text boxes". Some dialogs would not properly pick up KDE theme. This was especially visible if theme used dark background colors and white font, in which case many input fields in dialogs would use white text on white background.
  • more fixes for bug #2194829: use toLocal8Bit() instead of toLatin1() in all calls to libfwbuilder functions that deal with files (FWObjectDatabase::load() etc.), as well as system functions such as unlink(), rename(), access(). Now I can open, save, check out and check in file if it is in directory with non-ascii name and also can use non-ascii characters in RCS checkin log records.
  • making sure no rule operations are allowed when rule set or parent firewall object are read-only. This fixes GUI crash that happened when user tried to remove rule from a group in the read-only firewall.
  • fixed bug #2209210 "crash in fwbuilder: ObjectIconView.cpp:90:". The GUI crashed if user moved mouse cursor over object icons in a group object editor when tooltips were activated.
  • fixed bug #2255591 Adding new ipv6 policy is always type "mangle". When user added new Policy object to the iptables firewall and made and saved any changes in the object editor (switched to "top rule set" or toggled setting "filter+mangle"="mangle only"), the setting of the ruleset would switch to "mangle only" and stick there. There was no way to switch it back to "filter+mangle". This is fixed in build 641.
  • fix bug #2303486: "Operation of duplicating firewall should switch policy". When firewall object is duplicated, the GUI should automatically open policy of the new object rather than keep policy of the original open. At the same time, reset lastModified, lastCompiled, lastInstalled of the new firewall instead of keeping copies from the original.
  • better layout of the first page of Preferences dialog to make sure long path to the working directory fits in the input widget.
  • fixed printing from command line which was broken some time ago (perhaps in 3.0.1). When user prints firewall policy from command line using "fwbuilder -f file -P fw_object" all rule groups are always printed expanded.
  • fixed printing with QT 4.4. QT 4.4 correctly sets physical resolution of the printer and sets its logical resolution to 1200dpi. This caused rulesets to be printed incorrectly on Windows and Mac where we use QT 4.4.1. This fix restores printing on these platforms.
  • Improved Mac OS X bundle: included qt.conf file to make it look only inside the bundle for QT libraries and plugins; this eliminated warnings about QT libraries being loaded from two places if the system where the fwbuilder GUI was running had QT installed on it. Now packaging the QT accessibility plugin library, this should make the GUI run with accessibility features if accessibility aids are turned on system-wide.
  • fixed bug #2353052 "fwbuilder crashes on import without open object file". Fixed in rev 676.

Improvements and bug fixes in components common for all policy compilers

  • All compilers: firewall object can be specified by its ID in addition to by name. Command line option "-i" tells compiler that the last parameter of the command line is object ID. This works reliably when firewall object name contains non-ascii characters and the program runs under locale using 8 bit characters. Built-in installer now uses this method while calling all policy compilers.
  • change in the algorithm used to decide which interfaces of the host or firewall object to use in a rule when this host or firewall object is found in source or destination. Previously, compiler would skip loopback interface unless user associated the rule with loopback by putting it in the "Interface" rule element. This made it impossible to create rules with address 127.0.0.1 in destination but attached to interface other than loopback (such rule is used for transparent proxy configuration). Now if user explicitly put loopback interface object into rule element, we always keep it. However when compiler expands interfaces from a host or firewall object, it will skip loopback as before, unless the rule is attached to loopback interface.
  • getHostByName() used to insert duplicate IP addresses into the list of the results. Now making sure ip addresses in the result are unique.
  • Using internal caching to speed-up shadowing detection. This cuts time of shadowing detection almost in half for large policies with many rules.
  • Optimisations in the code that detects rule shadowing. Combined with improvements in classes Rule and RuleElement, this yields speed-up in shadowing detection by a factor of about 5.

Improvements and bug fixes in the policy compiler for iptables

  • Compiler for iptables uses QT functions to properly process non-ascii file names and firewall object names. Compiler correctly creates generated script when its file name contains non-ascii characters on all supported OS. The GUI can find the file and built-in installer can copy it to the firewall and activate it there. QT helps manage encodings and locales in OS-independent manner. Caveats:

    • Dependency on QT libraries means compilers can not be deployed on the firewall separately from the GUI.
    • pscp.exe on Windows does not seem to be able to pick up file with non-ascii characters in name when program runs on Windows with standard English locale. Could not test on Windows running with national locale. As a workaround, user can specify alternative name for the generated script in the firewall settings dialog (tab "Compiler").
    • Support for non-ascii firewall object and generated script names is currently only available in compiler for iptables

  • fixed bug #2151898: "use of "--icmp-type any" iptables 1.2.6a". Iptables v1.2.6a and older do not have option "-m icmp --icmp-type any".
  • fixed bug #2148378: "Negation does not work on Tag Service". Policy compiler for iptables should be able to use "!" single-object negation for TagService objects
  • Always placing rules with action "Accept" in table mangle in chain PREROUTING
  • fixed bug (no #): policy compiler for iptables would crash with assertion when AddressTable or DNSName object was used in a rule in pure mangle table ruleset. This could be related to crash reported in bug #2157121.
  • Explicitly use "\n" instead of endl to avoid implicit conversion to "\r\n" on Windows (generated script is for iptables which can only run on Linux, so it is safe to use "\n" instead of endl).
  • added support for single object negation in OSrc and ODst in NAT rules. This provides for more compact iptables script in the often used case where single object is used with negation in these elements of a NAT rule. Other improvements in handling NAT rules with negation.
  • fixed bug (no #): policy compiler for iptables did not handle correctly rules where a host that has multiple addresses was a single object in a rule element and had negation.
  • while processing single object negation, consider hosts and firewalls with one normal interface and loopback interface eligible (i.e. ignore loopback address even though formally such object has at least two ip addresses).
  • fixed bug #2180556: "broken support for the "old" time module for iptables". Compiler generated incorrect parameters for the "time" module for versions <1.4.0
  • fixed bug #2186568 "Again User service - group/negate". Compiler for iptables did not support groups and negation of the UserService objects.
  • More for bug #2186568: support for groups of user service with negation. Now have a framework to keep track of chain "descendants", so that compiler can tell if some chain can be traced back to INPUT or OUTPUT through the sequence of chains calling each other.
  • fixed bug #2318639: "bug in logging (rule number)". Added logging prefix macro %R that gets expanded to the ruleset name. This can be useful in logging prefixes for rules in branch rulesets.
  • fixed bug 2356131 "Iptables-restore option broken for multiple policy sets". If firewall was configured to use iptables-restore to activate policy and if it had two or more policy rule sets, compiler used to put "echo COMMIT" line at the bottom of each ruleset. This was incorrect, iptables-restore expects only one COMMIT line at the end of each table. Fixed in rev 675.

Improvements and bug fixes in the policy compiler for ipfilter

  • fixed bug #2328330: "basic_string::erase error in fwb_ipf". Compiler for ipfilter aborted processing with error "basic_string::erase" when compilation was launched from the GUI.

Improvements and bug fixes in the policy compiler for PIX

  • fixed bug #2158407: "iosacl and pix install probs"

Improvements and bug fixes in the policy compiler for Cisco IOS ACL

  • fixed bug #2154906 "Post script is missing / Cisco ACL handling". Prolog/epilog sections were not added to the generated script for Cisco IOS ACLs.
  • fixed bug #2158407: "iosacl and pix install probs"

Improvements and bug fixes in libfwbuilder

  • fixed bug# 2293052 "Saving file with empty AddressTable produces corrupt XML". When a new AddressTable object is created, its "filename" attribute is empty. If the data file was saved right after such a new AddressTable object was created, the resultant file could not be loaded back into the program because it violated the XML DTD.
  • Fixed FreeBSD pr 129204 - the GUI crashed on FreeBSD 7.0-RELEASE when user tried to create Network IPv6 object. This required change in the method InetAddr::toString because on FreeBSD the program links with inet_net_ntop function from libc which has slightly different semantics of arguments compared with the copy included in libfwbuilder source code. Comment in the code and in ChangeLog provide more details. This is fixed in rev 673.



Version 3.0.1


Released 10/04/2008
GUI and compilers v3.0.1 require API library libfwbuilder version 3.0.1

Summary

This is first minor release in the v3.0 series. This release includes numerous usability improvements and stability fixes.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Improvements and bug fixes in libfwbuilder

  • Filter addresses of IPv4 objects and strip leading and trailing whitespaces and other non-digit characters before converting to InetAddr. This will help with annoying problem where v2.1 allowed such characters in address attributes of Address objects but v3.0 applies strict checks during file load and rejects such data files.
  • generate unique string object id on demand instead of in the call to generateUniqeueId. This helps speed up compiler operations by a factor of about 3 because we generate unique int ID every time object is created or copied, yet string ID is only needed when object is stored in external XML file. Also using sprintf to assemble string ID, it works faster than ostringstream.
  • converted attribute "ro" (read-only) from a dictionary variable to the member variable of class FWObject. We check read-only status of objects very often and dictionary lookups were slowing compiler down considerably.
  • set netmask to /32 when a new Network object is created. This used to be the default in fwbuilder v2.1. The new default of 0.0.0.0 appears to be confusing and error-prone, so at users' request the default is changed back to /32. This fixes bug #2125542: New Address objects added with netmask of "0.0.0.0"

Improvements and bug fixes in the GUI

  • bugfix: if user called "Save As" and then hit Cancel in the dialog where they choose file name, internal RCS object used to be deleted anyway.
  • bug #2091507: "Create New Firewall problem.". If user created new data file using File/New main menu item, items in the main menu File used to stay disabled and file could only be saved using "File/Save As" (which did not make sense because the name has already been assigned to the file during File/New operation).
  • bug #2091520: "Crash FWB". The GUI crashed if user closed mdi window showing just standard objects and then tried to close the main window.
  • bug #2099700 "Association of the .fwb and .fwl file types with app on Mac". Implemented support for the association of the application and data file type on Mac OS X. Double-clicking on .fwb and .fwl files in Finder will now open application and load files automatically. User can open several files by selecting them in Finder and double-clicking.
  • fixed "usage" in fwbedit, command line option that specifies object attributes for the command "new" is "-a", not "-o". Also fixed this in the man page.
  • bug #2099631 "GUI should remember firewall object that was opened last". The program remembers the opened ruleset between sessions.
  • bug #2091225: "Can objects in the left pane remember last state.". The program saves state of the object tree branches (expanded or collapsed) between sessions.
  • bug (no #): added ability to copy/paste rule set objects.
  • bug #2100415: "cannot re-create or clone Routing object". The GUI does not let the user delete the Routing object. Policy and NAT objects can be deleted as long as there is at least one more left. Also "top" rule set objects can not be deleted at all.
  • bug (no #): if the name of the plink.exe program was specified in upper case in Preferences dialog, built-in installer failed to provide correct command line options to it.
  • Additional checks for operations with rules and ruleset on the deleted Policy or NAT object. User should not be able to change anything in rule set object that has been deleted because it does not have parent firewall object.
  • bug #2106229 "Disable-Icon bad position in rule group". Icon that indicates that a rule is disabled used to be drawn in the wrong row of the ruleset table.
  • bug #2106280: "option to change color of rule group head". Made rule group head colored in "medium dark", actual color depends on chosen QT theme.
  • bug #2106124: "Crash after deletion of (last rule in + whole) rule group".
  • bug #2105111: "use color for compiler status and errors". Compilation and installation status is color coded in the left panel of compile/install dialog (Error is red, Success is green). Also coloring compiler error messages red in the compiler progress panel. Note that this feature is subject to QT bug #212207. This QT bug was introduced in QT 4.4.1. Because of this bug, text labels using non-default color or font disappear unless they are selected. This does not happen with QT 4.3.x or 4.4.1 and later.
  • bug #2107004: "Fwbuilder crashes while deleting objects in groups". I could only reproduce the crash when there were two identical objects in the group and I was trying to delete both. v3.0 does not allow the user to add the same object twice to the group so this condition should not be possible.
  • bug #2090332: "Where used search function does not always work.". WhereUsed function could not find firewall if it was used in its own rules.
  • bug #2099631: there used to be object "icmpv6 unreachables" in the Deleted Objects library in the file of standard objects that comes with the package.
  • bug # 2109432: "double click on results in "Where used" list opens wrong rule."
  • bug #2109431: "context menu item "Where used" is missing for rulesets".
  • bug #2109660: "Compiler Progress: bar is incomplete". Compiler progress bar failed to show full length bar when operation was complete for some firewall platforms.
  • bug #2109675: "file Title bar contains redundant info". Internal page title should be coordinated with items in the Windows main menu. There is also no need to add "Firewall Builder" to the title of internal windows.
  • bug #2109833: "Crash on right mouse click in the object group".
  • bug #2099700 "Association of the .fwb and .fwl file types with app". Implemented support for the association of the application and data file type on Windows and Mac OS X. Double-clicking on .fwb and .fwl files in Explorer or Finder will now open application and load files automatically.
  • Changed format of the start and stop date fields in the Time Interval object to show year as four digits. Also enabled calendar in these widgets.
  • change in the logic applied when the program decides which library to open at start time. If a file is opened and there is a settings record pointing to the library that was opened in this file the last time the program was used, this library is opened. If there is no such settings record, the program tries to find the first non-system library in the file but prefers the one named "User". If the program starts without a data file, it shows library "User" from the standard objects file.
  • enable "close" button in the title of several dialog windows (it was not shown on Mac).
  • Using tabbed presentation of internal subwindows on Mac OS X. This looks much better than standard MDI presentation where internal windows have their own title bar.
  • workaround for a problem that only appears on Mac: if user uses File/Open but cancels operation, the main window used to switch from the subwindow that was active to another one (usually the empty default window with only standard objects tree).
  • when the program is started without data file, it shows panel with just default objects, with a title "Untitled". If user opens data file, it is loaded into the same panel and its title changes accordingly. If user makes changes and then saves using "Save As", its title also changes accordingly (and there is still one panel). If user uses "File/New data file" and enters the name of the new data file, it is loaded into the same panel and its title changes accordingly. Still, after this there is only one panel. However if the panel shows contents of some data file, operations "File/Open" and "File/New" load second data file into a new panel.
  • bug # 2106266: "Save collapse/expand state of groups in policy". The GUI will remember state of the rule groups (expanded/collapsed) between sessions. The state is saved in preferences. Groups are referenced by combination of file name (full path), firewall object name, ruleset name, group name. Since state is saved in preferences rather than in the data file, state of the rule groups is separate for each user.
  • bug #2123150: "add new rule below inserts at end of rulebase". The program used to append the rule at the bottom of the policy when the user tried to insert it in the middle when there were rule groups.
  • bug #2124804: "Policy list "jump" when using groups". Combination of rule groups and very tall rows in the rule set view caused problems with vertical scrolling.
  • do not print netmask of the IPv4 and IPv6 objects in tooltips and "info" panel unless such object is child of an Interface. This fixes bug #2125542: New Address objects added with netmask of "0.0.0.0"
  • bug #2126524: "User Service created in the Service Group section" - added missing group UserServices to the standard objects file.
  • fixed GUI crash that happened when user made modifications in the default object tree but did not save the changes and then tried to exit the program.
  • Network and NetworkIPv6 object dialogs accept CIDR notation in the "address" input field. Netmask input field is filled automatically using "/NN" entered as part of the address when user hits Return or Tab or switches to another input element using mouse click.
  • fixed bug #2128261: "fwbuilder thinks the file has changed when opened read-only". Operation "find where used" triggered "dirty" flag on the object tree even though it does not change anything.
  • bug #2105977: "Viewing firewall settings change state to edited". Opening firewall "advanced" settings dialog triggered internal flag that signalled that something in the object tree has changed.
  • Added tooltip in the rule set view for the column showing rule group handle, the tooltip shows group name and number of rules.
  • bug related to #2123152 "Fwbuilder 3.0.0 Gui very slow and doesn't refresh properly". There seems to be a bug in QT 4.4.1 (not sure of 4.4.0, definitely not in 4.3.x) which causes the last row of the rule set view table to come out blank when the table is redrawn. This happens when rows have very different height and looks like the last row comes out blank when user scrolls the table up. The last row is finally redrawn when most of it is already visible.
  • bug #2129726: "Where Used" not working on collapsed groups.
  • constructors of rule set view classes (PolicyView, NATView, RoutingView) used to set the "dirty" flag in the object database, which caused the GUI to ask the user if they wanted to save modifications before exiting the program even when no modifications were made. This change fixes this annoying problem.
  • fixed icon for rule action "Mark"
  • fixed crash that happened on Ubuntu with QT 4.3.x because of recursive call to updateGeometries()
  • bug #2125604: "Cancel button does not kill the installer". Cancel button of the installer wizard in fact kills background process. Second issue raised in this bug report is that "Finish" button was always enabled. This is now fixed.
  • bug #2144114 "fwbuilder * exits if the last object file is closed". The GUI will not terminate after the last window is closed but instead will just show empty main window.
  • bug #2144358 "Double check with 'save as'". The GUI used to ask twice if user wants to overwrite the file in Save As operation if file with given name already existed.
  • bug #2144122 "Segfault when trying to add an address to a group"
  • making sure all modules store settings under the same path prefix "3.0/" (applies to all OS).

Improvements and bug fixes in command line tool fwbedit

  • bug #2143961: a typo in the man page fwbedit.1
  • bug #2143894: "fwbedit list does not show objects". Command "fwbedit list -f file" did not print anything unless option "-F" was supplied. This change adds default value for this option so that when it is missing, the command prints object path.

Improvements and bug fixes in the policy compiler for iptables

  • bug (no #): compiler for iptables used date entered for the beginning of the interval in "Time" object both for the beginning and for the end.
  • fixed compiler error "Error (iptables): The object "eth0" used as interface in the routing rule 0 (main) is not a child of the firewall the rule belongs to!" that also happened because Routing ruleset object being processed is disconnected from the firewall parent at the time compiler works with it.
  • fixed crashes in RoutingCompiler that happened because Routing ruleset object being processed is disconnected from the firewall parent at the time compiler works with it.
  • bug #2141911: "no ULOG for ip6tables". ULOG target has not been implemented for ip6tables yet, so the compiler should fall back to LOG target while compiling ipv6 policy.

Improvements and bug fixes in the policy compiler for PF

  • fixed bug (no #): policy compiler for PF used to insert both "inet" and "inet6" into generated pf.conf lines for the IPv6 policy.

Improvements and bug fixes in the policy compiler for ipfw

  • Basic support for IPv6 for ipfw. IPv6 rules should be kept in a separate policy, just like for all other platforms. Branching rules are not supported so there is no support for multiple policies (although there is no check for that at this time either). Both ipv4 and ipv6 rules are loaded into the same ipfw set "1" with globally unique increasing rule numbers. The order in which ipv4 and ipv6 policies are processed is controlled by an option in the firewall settings dialog. Note that this is not complete yet, for example ICMPv6 is not supported. A more complete implementation should be done as part of ipfw2 support.

Improvements and bug fixes in the policy compiler for PIX

  • fixed crash in compiler for PIX that happened when compiler tried to merge "global" commands and some of the interfaces of the firewall had dynamic address.



Version 2.1.19


Released 05/17/2008
GUI and compilers v2.1.19 require API library libfwbuilder version 2.1.19

Summary

This version includes compilers for Cisco PIX and IOS access lists which were released under GPL.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

The GUI code is in the freeze for QT4 conversion. I will fix bugs in policy compilers but will try to avoid changes in the GUI. New GUI based on QT4 will be released next spring when KDE4 is included in all major Linux distributions and FreeBSD. There will be bugfix releases for v2.1 if necessary.

Reminder: Improvements and changes in the packaging

  • Starting with v2.1.18, all policy compilers come as part of the "fwbuilder" RPM. This includes compilers fwb_ipt, fwb_ipf, fwb_ipfw, fwb_pf, fwb_iosacl and fwb_pix. Instead of 6 RPMs (libfwbuilder, fwbuilder and 4 RPMs for individual compilers) I now build only two: libfwbuilder and fwbuilder. For example, for Fedora C8 only these two RPMs will be built from now on: libfwbuilder-2.1.18.fc8.i386.rpm and fwbuilder-2.1.18.fc8.i386.rpm

Improvements and bug fixes in the GUI

  • fixed bug #1949103: "manpage slightly broken". Minor fixes in fwbedit.1 man page.
  • fixed bug #1949438: "parser expects decimal - hex is not accepted". Importer for iptables should be able to process "--set-mark" with hex argument.
  • fixed bug #1562726: "policy print rule cut-off". Long rulesets would not print correctly on Windows, the bottom of the ruleset table was just printed solid grey with no rules visible.

Improvements and bug fixes in the policy compiler for iptables

  • bug #1938985: Rate in hashlimit in local language
  • fixed bug #1940504: "Clamp MSS to MTU". The iptables command that invokes "-j TCPMSS --clamp-mss-to-pmtu" in the FORWARD chain should go before the one that matches "--state ESTABLISHED,RELATED" in order to work for packets in these states.
  • partial fix for bugs #1789059 "shadow issue when using action chain" and #1945149: "Shadowing test for rules with action chain". The mechanism for rule shadowing detection we have at this time can only detect shadowing of one rule by another. In case of branching it is a combination of the branching rule and rules inside the branch that may shadow other rules. I plan to redesign this part of the code in the future, but it won't happen in upcoming v3. Meanwhile, I am fixing it in 2.1 by making compiler ignore rules with action Branch.

Improvements and bug fixes in the policy compiler for PF

  • fixed bug #1821573: "Rule options limits allow for multiple overload tables". PF allows only for one "overload" option per rule.
  • fixed bug #1961202: "Pf Timeouts overridden by Optimization". Compiler should generate the "set optimization" command before "set timeout" commands.



Version 2.1.18


Released 04/06/2008
GUI and compilers v2.1.18 require API library libfwbuilder version 2.1.18

Summary

This version includes compilers for Cisco PIX and IOS access lists which were released under GPL.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

The GUI code is in the freeze for QT4 conversion. I will fix bugs in policy compilers but will try to avoid changes in the GUI. New GUI based on QT4 will be released next spring when KDE4 is included in all major Linux distributions and FreeBSD. There will be bugfix releases for v2.1 if necessary.

Improvements and changes in the packaging

  • Now all policy compilers come as part of the "fwbuilder" RPM. This includes compilers fwb_ipt, fwb_ipf, fwb_ipfw, fwb_pf, fwb_iosacl and fwb_pix. Instead of 6 RPMs (libfwbuilder, fwbuilder and 4 RPMs for individual compilers) I now build only two: libfwbuilder and fwbuilder. For example, for Fedora C8 only these two RPMs will be built from now on: libfwbuilder-2.1.18.fc8.i386.rpm and fwbuilder-2.1.18.fc8.i386.rpm

Improvements and bug fixes in the GUI

  • fixed bug #1908351: "rcs does not save log message and file remains locked"

Improvements and bug fixes in the policy compiler for PF

  • fixed bug #1899914: "Script to apply the new rules." It is enough to execute "pfctl -f file.conf" to load PF policy. There is no need to purge filter and nat rules first, then reload it.

Improvements and bug fixes in the libfwbuilder API library and all policy compilers

  • fixed bug #1905718: "Group of DNS Name objects considered empty"



Version 2.1.17


Released 02/20/2008
GUI and compilers v2.1.17 require API library libfwbuilder version 2.1.17

Summary

This is a bug-fix release. It improves stability of the policy importer on 64-bit platforms, supports import of iptables policies that use the TCPMSS target, fixes problems with built-in RCS on Windows when the user does not have administrator rights and comes with a nearly 100% Brazilian Portuguese translation.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

The GUI code is in the freeze for QT4 conversion. I will fix bugs in policy compilers but will try to avoid changes in the GUI. New GUI based on QT4 will be released next spring when KDE4 is included in all major Linux distributions and FreeBSD. There will be bugfix releases for v2.1 if necessary.

Improvements and bug fixes in the GUI

  • Updated Brazilian Portuguese translation by Jose Carlos Medeiros <jose@psabs.com.br>
  • more for the bug #1816798: "Installing policy on PIX 501 fails". The fix that was made for v2.1.16 did not cover test-mode install, which is now fixed too. Command "terminal pager " is valid only for PIX 7.x and caused error while installing policy on PIX 6.3. Removed this command from the install sequence, it was not essential.
  • fixed bug #1849392: "RCS using windows 2003 without administrator rights". Pass TMP and TEMP environment variables to RCS tools
  • Fixed bug #1883536: "fwbuilder segfaults when importing iptables conf". Added support for the TCPMSS target with option --clamp-mss-to-pmtu in the iptables importer; also made the importer understand option --tcp-option but skip it since it is not supported in fwbuilder.
  • fixed bug #1886570: Diagnostic related to Edit->Preferences. Removed harmless but annoying error message that appeared on stderr when user opened Preferences dialog.
  • fixed crash of the policy importer on 64-bit systems. This fixes bug #1886575: "Seg Fault on reading vanilla Fedora iptables file". See comment in module CircularQueue.hpp for details.



Version 2.1.16


Released 12/20/2007
GUI and compilers v2.1.16 require API library libfwbuilder version 2.1.16

Summary

Unfortunate bug introduced in 2.1.15 that broke generated firewall script for iptables in case option "use iptables-restore" was on is fixed in this release. Additional checks were added to the generated script for iptables to improve error detection and make sure the GUI properly detects when it terminates with error. Support for load balancing with PF was also added.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

The GUI code is in the freeze for QT4 conversion. I will fix bugs in policy compilers but will try to avoid changes in the GUI. New GUI based on QT4 will be released next spring when KDE4 is included in all major Linux distributions and FreeBSD. There will be bugfix releases for v2.1 if necessary.

Improvements and bug fixes in the GUI

  • patch #1849500: "tooltip patch for tcpservicedialog_q.ui". Additional tooltips in the TCP Service dialog to explain function of tcp flags masks and settings.
  • fixed bug #1850346: "GUI has 2 views on which actions should be stateless". Even though GUI made rules with action Route stateful by default, code that determined if combination of options of a given policy rules was default thought these rules should be stateless.
  • applied patch #1850368: 'PF 3.7 has support for "set skip on"'. Patch by tomjudge@users.sourceforge.net extends support for "set skip on" option to pf 3.7.
  • fixed bug #1850352: "Install script wrongly completes successful". Added more checks to the installer scriptlet to make it terminate with a non-zero exit code if iptables-restore returned an error. Previously an "echo" at the end of the generated script masked the error code returned by iptables-restore and made the GUI report a successful install even when it had terminated with an error. Also added a test for the presence of pkill on the system so that the script does not try to run it if it is not available.

Improvements and bug fixes in the policy importer for iptables

  • fixed bug #1849328: "iptables restore unusable in 2.1.15". This bug was introduced by the change for the bug #1812295. If option "use iptables-restore to activate policy" is on, we always generate script that prints iptables commands using echo and sends them to the input of iptables-restore via pipe.
  • fixed bug #1848204: "ULOG-Setting ignored for invalid packets", applied patch #1848609 provided by the reporter. Code that matched and logged packets in state INVALID always used target LOG, which was a problem for iptables installations that only come with target ULOG.
  • Applied patch 1835308: "Patch for adding "-q" option to fwb_ipt". Option "-q" suppresses timestamp that is normally included in the generated script. This way, if no objects or rules changed in the firewall builder, generated script will be exactly the same. Timestamps made generated script different even if nothing really changed in the objects, which made external version control systems detect changes when there were none.
  • bug #1850352: "Install script wrongly completes successful". Storing exit status of iptables-restore so that generated firewall script can return the same status after it executes commands that set kernel parameters and runs user-defined epilog code.
  • fixed bug #1851166: "Installscript does not test for destination ip address". The problem affected specific case of a firewall with two (or more) interfaces that get their address dynamically and a policy rule that has one such interface in source and another in destination. Generated iptables script retrieves actual addresses of both interfaces and assigns them to variables, then uses these variables in actual iptables rules. Special check is provided in case some interface did not obtain any ip address at a time of execution of the script. Previously such test was only done for one dynamic interface per rule. This change makes the script check for both.
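The exit-status problem behind bug #1850352 (the "echo" at the end of the generated script masking the error code of iptables-restore, and the fix of storing that status so the script can return it after the kernel-parameter and epilog steps) is shown below as an added example; this is not the script Firewall Builder generates, and the iptables-restore stand-in, the sample rules and the helper functions are all constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the fwbuilder sources. A stand-in for iptables-restore
# that consumes the rules piped to it and fails, as the real tool does when the
# rule set cannot be loaded (constructed for the example).
fake_iptables_restore() {
    cat >/dev/null
    echo "iptables-restore: line 3 failed" >&2
    return 2
}

# Stand-ins for the steps the generated script runs after activating the policy.
set_kernel_params() { :; }
run_epilog() { :; }

# Buggy pattern: iptables-restore fails, but the trailing echo is the last
# command, so the script's exit status is 0 and the GUI reports success.
install_masked() {
    {
        echo '*filter'
        echo '-A INPUT -p tcp --dport 22 -j ACCEPT'
        echo 'COMMIT'
    } | fake_iptables_restore
    echo "Policy activated"
    # no explicit return: the status of the echo (0) is what the caller sees
}

# Fixed pattern: capture the pipeline status right after iptables-restore,
# run the remaining steps, then return the saved status so a failure is
# reported even though later commands succeeded.
install_checked() {
    {
        echo '*filter'
        echo '-A INPUT -p tcp --dport 22 -j ACCEPT'
        echo 'COMMIT'
    } | fake_iptables_restore
    status=$?
    if [ "$status" -ne 0 ]; then
        echo "Activation failed: iptables-restore returned $status" >&2
    else
        echo "Policy activated"
    fi
    set_kernel_params
    run_epilog
    # Only call an optional tool if it exists, as the fix does for pkill.
    if command -v pkill >/dev/null 2>&1; then
        : # pkill would be invoked here in the real script
    fi
    return "$status"
}
```

Running both functions shows the difference: install_masked exits 0 despite the failed load, install_checked exits 2.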

Improvements and bug fixes in the policy importer for PF

  • applied patch #1850368: 'PF 3.7 has support for "set skip on"'. Patch by tomjudge@users.sourceforge.net extends support for "set skip on" option to pf 3.7.
  • applied patch #1850357: "Add support for load balancing with pf to PolicyRule::Route" by Tom Judge (tomjudge@users.sourceforge.net) that adds support for load balancing rules in PF. Extended the patch adding support for the address/netmask format of the next hop. Added checks for illegal IP addresses and netmasks in the next hop.



Version 2.1.15


Released 12/10/2007
GUI and compilers v2.1.15 require API library libfwbuilder version 2.1.15

Summary

This is another bugfix release. Several problems with policy installer running in batch mode have been fixed, also this release resolves compatibility issues with Windows Vista and Mac OS X Leopard.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

The GUI code is in the freeze for QT4 conversion. I will fix bugs in policy compilers but will try to avoid changes in the GUI. New GUI based on QT4 will be released next spring when KDE4 is included in all major Linux distributions and FreeBSD. There will be one more bugfix release for v2.1 if necessary.

Improvements and bug fixes in the GUI

  • fixed bug #1811781: "Batch Install". Built-in installer used address of the first firewall of the batch to communicate with all firewalls in the "batch install" mode.
  • fixed bug #1826558: "OSX 10.5 font problem". This problem appeared only in the Mac OS X Leopard (10.5) build, other platforms were unaffected.
  • Starting with build 320 Windows packages install on Vista
  • Added Brazilian Portuguese translation by Jose Carlos Medeiros <jose@psabs.com.br>
  • fixed bug #1821576: "Rule option tracking gives invalid config with default value". Compiler should skip max-src-nodes when it is set to the default '0' in the GUI.

Improvements and bug fixes in the policy importer for iptables

  • fixed bug #1812295: "Can't use runtime address tables AND iptables-restore". The script generated by fwb_ipt used a "here document" if the option "use iptables-restore to activate policy" was turned on. This did not work when the policy used any run-time address table objects. Now the generated script always uses "echo" to generate the iptables commands that it sends to the standard input of iptables-restore.

Improvements and bug fixes in the policy importer for ipfilter

  • applied patch by to add support for Kerberos rcmd and Kerberos ekshell proxies in ipfilter NAT rules.

Improvements and bug fixes in the policy importer for pf

  • fixed bug #1800875 "'keep state' missing from pass out going traffic rule". Compilers for pf, ipf and ipfw were affected.



Version 2.1.14


Released 09/10/2007
GUI and compilers v2.1.14 require API library libfwbuilder version 2.1.14

Summary

This is another bugfix release, it comes with numerous improvements in the iptables policy importer and fixes for gcc 4.2 and 4.3

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Improvements and bug fixes in libfwbuilder library

  • fixed bug #1761373: "libfwbuilder doesn't build on Mandriva cooker". Applied fixes to make the code compile with gcc 4.2

Improvements and bug fixes in the policy importer for iptables

  • fixed bug #1764988: "iptables import -> GUI crash":

    • iptables policy importer recognizes and parses target RETURN
    • iptables policy importer recognizes and parses TCP flag parameters ALL and NONE
    • syntax for TCP flag matching in iptables-save should allow for more than 2 flags in 'comp' part

  • fixed bug (no num): iptables policy importer should properly parse numeric protocol specification (e.g. "-p 47").
  • added missing support for "--log-tcp-sequence", "--log-tcp-options" and "--log-ip-options" options for target LOG to the iptables policy importer
  • added a workaround for a situation when several iptables commands pass control to the same user-defined chain in the iptables-save file. As of fwbuilder v2.1, a branch ruleset is a child object of PolicyRule. This means two different rules can not point at the same branch ruleset. This is unfortunate but it is hard to fix in the current version because it requires changes to the XML DTD and API. Will do this in 3.0. Meanwhile, the importer checks if a branch ruleset with the requested name already exists and changes the name by adding suffix '1', '2' etc. to make it different. The imported rule is marked as 'bad' (red background) and gets a comment explaining this.
  • fixed bug (no num): importer for iptables should properly assign rule options when it finds "-m limit" and "--limit" options in the input file.

Improvements and bug fixes in the GUI

  • configure.in: another patch by Carlos Silva <r3pek@r3pek.org> to add third parameter to AC_DEFINE_UNQUOTED
  • fixed bug reported in Debian Bug report #417685 - added missing #include to make code compile with gcc 4.3
  • applied patch by Carlos Silva <r3pek@r3pek.org> to make configure.in use ANTLR C++ run-time installed on the system if it can find one; otherwise it uses copy in src/antlr
  • fixed bug #1772722: "installer should recognize when it uses plink 0.60". We detect when installer uses plink on Windows by checking the name of the configured ssh client. The check should be case-insensitive.
  • fixed bug #1764971: "allowed value range for burst limit". Iptables "--limit-burst" option should not be limited in the GUI.



Version 2.1.13


Released 07/22/2007
GUI and compilers v2.1.13 require API library libfwbuilder version 2.1.13

Summary

This is bugfix release; its main focus is better support for new features available in PF in OpenBSD 4.1.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Improvements and bug fixes in the GUI

  • fixed bug #1740766: "lock not saved". Method shallowDuplicate() now copies the value of the "ro" attribute (read-only). Clear it in the caller if necessary. Method duplicate() clears it after calling shallowDuplicate in order to be able to modify the object, then restores this attribute to its original value.
  • fixed bug #1743117: "crash while editing any". Added check, user should not be able to unlock Standard objects library
  • fixed bug #1753188: "policy activation fails on PIX and IOS". Installer failed if account used to authenticate to the router or PIX went straight to 'enable' mode after login.
  • added simple template object for Cisco router 36xx

Improvements and bug fixes in policy compiler for iptables

  • fixed bug #1746257: "fwbuilder breaks IPv6". Added an option to the firewall settings dialog for iptables that controls whether compiler should skip generation of the code to set default policy of all ipv6 chains to DROP. This option is off by default, that is compiler puts the code in. This helps maintain backwards compatibility with old data files that do not have this option, which is equivalent to this option being "off".
  • fixed bug #1747332: "missing CONNMARK/ restore mark in Output Chain"
  • compiler permits setting direction in the rule while interface field is "All". This generates iptables command in chain INPUT or OUTPUT with "-i +" or "-o +" interface specification to match all interfaces.

Improvements and bug fixes in policy compiler for PF

  • fixed bug #1747828: "anchors generation - "log" not supported". "Log" keyword is not allowed in "anchor" rules; compiler should not generate it even if user turned logging on in a rule with action 'Branch'
  • implemented support for PF limit options "src-nodes", "tables" and "table-entries". Feature Req. #1674919: "Support "set limit table-entries""
  • better compliance with PF 4.x. Feature Req. #1679793: "add 'no state' and 'flags any'". If the version is set to 4.x, the compiler skips "flags S/SA keep state" for rules matching tcp services. However, according to the section "1.2. Operational changes" in the PF FAQ at http://www.openbsd.org/faq/upgrade41.shtml , there should be a way to add "keep state" explicitly for rules on interface enc0. Added this option to the rule options dialog.
  • Added support for the "set skip on" command for PF. If an interface is marked as "unprotected" in the GUI, the compiler generates this command for it. This is useful for loopback or other virtual interfaces.
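The PF-specific behaviour listed above (the "set limit" options, "set skip on" for interfaces marked unprotected, version-dependent state handling for tcp rules, and no "log" keyword in anchor rules) as an added Python example. This is not Firewall Builder's own compiler code; the Interface and PfRule classes, the function names and the (major, minor) version tuple are assumptions made for the example, and the ruleset it renders is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "set limit" options the compiler knows: the original two plus the three added here
LIMIT_OPTIONS = ("states", "frags", "src-nodes", "tables", "table-entries")


@dataclass
class Interface:
    name: str
    unprotected: bool = False          # the "unprotected" checkbox in the interface dialog


@dataclass
class PfRule:
    action: str                        # "pass", "block", or "anchor" (GUI action 'Branch')
    iface: str
    proto: Optional[str] = None
    src: str = "any"
    dst: str = "any"
    log: bool = False
    keep_state: bool = False           # the explicit "keep state" rule option (enc0 case)
    branch: Optional[str] = None       # anchor name when action is "anchor"


def pf_options(interfaces: List[Interface], limits: Dict[str, int]) -> List[str]:
    """Global options: known limits in a fixed order, then one 'set skip on' line
    naming every interface marked unprotected (loopback, virtual interfaces)."""
    lines = [f"set limit {k} {limits[k]}" for k in LIMIT_OPTIONS if k in limits]
    skip = [i.name for i in interfaces if i.unprotected]
    if skip:
        lines.append("set skip on { " + " ".join(skip) + " }")
    return lines


def pf_rule(rule: PfRule, version: Tuple[int, int]) -> str:
    """One pf.conf line; `version` is the PF version chosen in the firewall settings."""
    if rule.action == "anchor":
        # pf rejects "log" inside anchor rules, so it is never emitted here
        return f'anchor "{rule.branch}" on {rule.iface}'
    words = [rule.action]
    if rule.log:
        words.append("log")
    words += ["on", rule.iface]
    if rule.proto:
        words += ["proto", rule.proto]
    words += ["from", rule.src, "to", rule.dst]
    if rule.proto == "tcp":
        if version < (4, 0):
            words += ["flags", "S/SA", "keep", "state"]   # pre-4.x: state must be explicit
        elif rule.keep_state:
            words += ["keep", "state"]   # 4.x is stateful by default; add only where asked for
    return " ".join(words)


def pf_conf(version, interfaces, limits, rules) -> str:
    return "\n".join(pf_options(interfaces, limits) + [pf_rule(r, version) for r in rules])


# Constructed example configuration, not from a real firewall
IFACES = [Interface("lo0", unprotected=True), Interface("em0"), Interface("enc0")]
LIMITS = {"table-entries": 200000, "src-nodes": 10000}
RULES = [
    PfRule("pass", "em0", "tcp", dst="192.0.2.10", log=True),
    PfRule("pass", "enc0", "tcp", keep_state=True),
    PfRule("anchor", "em0", log=True, branch="dmz"),
]

if __name__ == "__main__":
    print(pf_conf((4, 1), IFACES, LIMITS, RULES))
```

Rendering the same RULES with version (3, 9) shows the pre-4.x form: every tcp rule carries "flags S/SA keep state", while with (4, 1) only the enc0 rule, which asked for it, gets "keep state".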

Improvements and bug fixes in policy compilers for Cisco IOS ACL

  • Fixed a bug that caused the compiler to exit abnormally while compiling a rule with interface field "all". The compiler should generate ACL lines for all interfaces of the router (except those marked "unprotected").

Firewall Builder Release Notes


Version 2.1.12


Released 06/24/2007
GUI and compilers v2.1.12 require API library libfwbuilder version 2.1.12

Summary

This release comes with support for Cisco IOS access lists and ability to import existing iptables and IOS access lists configurations. Multiple bug fixes are included as well.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Support for Cisco IOS access lists

Policy compiler for Cisco IOS access lists has been implemented as part of the Firewall Builder GUI as of version 2.1.12. The first functional build in which the importer worked on all supported OSes was build 270 (May 22, 2007).

Features implemented in this version:

  • The compiler generates extended ACLs using the "ip access-list extended" command. ACL names are automatically generated using abbreviated interface names and direction symbols to make it easy to figure out which ACL is which. The compiler uses a rather minimal set of options of the "ip access-list" command and should generate code that will work for IOS 12.x. I did not test with 11.x but I am pretty sure it will work, at least with the latest versions of 11.x.
  • Compiler can also add commands to configure logging.
  • The GUI includes a built-in installer for routers which works just like the installer for PIX. Both installers were updated to improve support for the automatic roll-back feature in case you lose connection to the firewall or the router because of an error in the policy. Now you can make the installer schedule a reboot in a few minutes, then upload the new policy or ACLs and then cancel the reboot if the upload was successful. Whereas before the auto-rollback option was only available if you installed in test mode, now you can always use it. Test mode means that the installer does not save the configuration to permanent memory, as before.
  • All three installation methods that were available for PIX are now available for routers: you can make it clear all access lists and then load new ones, or just update access lists without clearing. The last method (the "safety net" method) creates a temporary ACL to permit communication with the management station, assigns it to the interface marked as the management interface, then clears all access lists and loads new ones and in the end swaps the proper list onto the management interface. This helps prevent locking yourself out of the router in the middle of the installation process in case of an error in the ACL and at the same time does not leave the router with no ACLs for the time it takes to install the new policy. In combination with automatic roll-back, the installation process is pretty reliable.
  • A new option has been added to the interface object, called "unprotected". This allows you to mark some interfaces to be skipped by the compiler when it picks interfaces for ACL rules. This should be useful when you have routers with many interfaces and only want to add ACLs to some of them. Also, you can explicitly put interface objects into policy rules and specify direction if you want to do this manually.
  • Since router ACLs have no state, all rules should be created in the policy pretty much like you do it on the router, including rules that permit reply packets. A new option has been added to the TCP Service object, called "established". This makes the compiler use the option "established" in the rules it generates if it is supported by the firewall platform. Compilers for iptables, ipfilter, pf and PIX cannot use objects with this option and treat it as an error because the corresponding platforms do not support it. IPFW, on the other hand, supports it, so compiler fwb_ipfw can use it.

Shortcomings of this version:

  • "tos", "precedence" and "time-range" options are not supported
  • "igmp" access lists cannot be generated

Policy import of iptables configurations (v2.1.12, build 281 and later)

Policy importer has been implemented as part of the Firewall Builder GUI as of version 2.1.12. The first functional build in which the importer worked on all supported OSes was build 270 (May 22, 2007).

Policy importer uses the ANTLR lexer and parser ( http://www.antlr.org/ ). Version 2.7.7 is used in Firewall Builder v2.1.12 ( http://www.antlr2.org/ ).

Firewall Builder needs the ANTLR C++ runtime header files and library and includes these in the source tree under src/antlr. Unless you want to change the grammar (*.g files) you don't need to install ANTLR separately. All relevant ANTLR files are included in the package. For more information on ANTLR see: http://www.antlr2.org

Features implemented in this version:

  • Importer can parse iptables configuration saved using the iptables-save utility. Because of the huge variety of iptables modules, the importer can only interpret basic iptables configuration and a subset of modules. Currently the following modules are supported:

    • state
    • multiport
    • limit
    • mark

  • Importer creates a firewall object with all interfaces. It cannot assign a name to the firewall object nor add IP and MAC addresses to interfaces because this information is not present in the iptables-save file.
  • option "Assume firewall is part of 'any'" is off in the created firewall object. Import is done this way in order to preserve the logic of chains INPUT, OUTPUT and FORWARD in the recreated fwbuilder rules. Rules that had chain INPUT in the imported script will have the firewall object in "Destination" in the corresponding fwbuilder rules. The firewall object is placed in "Source" for rules with chain OUTPUT. For rules with chain FORWARD, the rule elements "Source" and "Destination" are populated with objects created using options "-s" and "-d" of the original rules or left empty ("any").
  • all recognized iptables rules are imported, and interface and direction are set in all rules appropriately. Interface objects are created as the parser finds them in the script.
  • targets ACCEPT, DROP, REJECT, MARK and others are converted to the corresponding fwbuilder policy rule actions. Unrecognized targets are converted to branching rules, where the name of the target becomes the name of the branch.
  • SNAT, DNAT, MASQUERADING, REDIRECT and NETMAP targets and their parameters are recognized in the NAT rules.
  • Address and service objects are created in the process for all addresses and ports used in all rules.
  • iptables rules can refer to tcp/udp ports both by name and by number. Importer can properly interpret both formats, using the system function getservbyname() to convert a service name to the port number. Since the result of this function depends on the OS, some port names may not convert on some systems. For example, Windows can convert a more limited set of service names compared to Linux or BSD.
  • targets LOG and ULOG are converted to the "logging" option in fwbuilder rules with action "Continue". This is an empty action that does not affect packet flow through the firewall but can be used in combination with the "logging" option to log the packet. If such an empty (logging-only) rule is undesired, it must be manually merged with some other rule in the policy.
  • "--log-prefix", and "--log-level" options of the LOG target are recognized
  • "--ulog-prefix" option of the ULOG target is recognized. Other options of the ULOG target are not.
  • Address and service objects are reused in the process of import.
  • when the importer fails to parse some part of the iptables-save file, the corresponding policy rule is colored red and an appropriate diagnostic message is added to its comment. The problem must be corrected manually.
  • comments ("#") found inside access lists are ignored.

Shortcomings of this version:
  • user-defined chains in table "nat" are not supported
  • no import of time intervals
  • no MAC address matching import
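An added example, not Firewall Builder's ANTLR-based importer, that walks an iptables-save dump the way the list above describes: only the named match modules are accepted, chain INPUT puts the firewall in "Destination" and OUTPUT puts it in "Source", LOG and ULOG become a logging "Continue" rule, unknown targets become branches named after the target, and anything the parser does not understand leaves a diagnostic on the rule for manual correction (the red rule in the GUI). The ImportedRule class, the function names, the treatment of "-m tcp/udp/icmp" as supported and the SAMPLE dump are assumptions; port names are kept verbatim here rather than resolved through getservbyname().

```python
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# The four modules named in the notes, plus the protocol matches iptables-save emits (assumption)
SUPPORTED_MODULES = {"state", "multiport", "limit", "mark", "tcp", "udp", "icmp"}
TARGET_ACTIONS = {"ACCEPT": "Accept", "DROP": "Deny", "REJECT": "Reject",
                  "MARK": "Tag", "LOG": "Continue", "ULOG": "Continue"}
NAT_TARGETS = {"SNAT", "DNAT", "MASQUERADE", "REDIRECT", "NETMAP"}
NAT_TO_OPTIONS = {"--to-source", "--to-destination", "--to-ports", "--to"}
CONSUMED = {"--state", "--log-level", "--set-mark", "--limit", "--limit-burst", "--mark",
            "--sport", "--sports", "--reject-with", "--icmp-type"}   # recognised, value skipped


@dataclass
class ImportedRule:
    table: str
    chain: str
    direction: str = "Both"
    interface: Optional[str] = None
    src: str = "any"
    dst: str = "any"
    service: Optional[str] = None
    action: str = "Continue"            # empty action, meaningful only with logging
    branch: Optional[str] = None        # target name of an unrecognised (user) chain
    logging: bool = False
    log_prefix: Optional[str] = None
    nat_to: Optional[str] = None
    errors: List[str] = field(default_factory=list)   # non-empty => rule shown red


def parse_rule(table, line):
    tok = shlex.split(line)             # keeps a quoted --log-prefix as one token
    r = ImportedRule(table=table, chain=tok[1])
    proto = ports = target = None
    i = 2
    while i < len(tok):
        t, arg = tok[i], (tok[i + 1] if i + 1 < len(tok) else None)
        if t in ("-i", "-o"):
            r.interface, r.direction = arg, ("Inbound" if t == "-i" else "Outbound")
        elif t in ("-s", "-d"):
            setattr(r, "src" if t == "-s" else "dst", arg)
        elif t == "-p":
            proto = arg
        elif t == "-m":
            if arg not in SUPPORTED_MODULES:
                r.errors.append(f"unsupported match module '{arg}'")
        elif t in ("--dport", "--dports"):
            ports = arg
        elif t == "-j":
            target = arg
        elif t in ("--log-prefix", "--ulog-prefix"):
            r.log_prefix = arg
        elif t in NAT_TO_OPTIONS:
            r.nat_to = arg
        elif t not in CONSUMED:
            r.errors.append(f"unrecognised option '{t}'")
            if arg is None or arg.startswith("-"):
                i -= 1                  # flag without a value: step over one token only
        i += 2
    # "Assume firewall is part of any" is off: INPUT means the firewall is the
    # destination, OUTPUT means it is the source, FORWARD keeps -s/-d or "any".
    if r.chain == "INPUT":
        r.dst = "firewall"
    elif r.chain == "OUTPUT":
        r.src = "firewall"
    if proto:   # port names would be resolved with getservbyname(); kept verbatim here
        r.service = f"{proto}/{ports}" if ports else proto
    if target in TARGET_ACTIONS:
        r.action, r.logging = TARGET_ACTIONS[target], target in ("LOG", "ULOG")
    elif target in NAT_TARGETS:
        r.action = target
    elif target:
        r.action, r.branch = "Branch", target   # unknown target: branch named after it
    return r


def import_iptables_save(text):
    # '#' comments, ':CHAIN' declarations and COMMIT are skipped; interfaces are
    # collected as the rules that mention them are parsed
    rules, interfaces, table = [], set(), "filter"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A"):
            r = parse_rule(table, line)
            if r.interface:
                interfaces.add(r.interface)
            rules.append(r)
    return rules, interfaces


# Constructed sample dump, not taken from a real system
SAMPLE = """\
# Generated by iptables-save (constructed sample)
*nat
-A POSTROUTING -o eth0 -s 10.1.0.0/16 -j SNAT --to-source 192.0.2.1
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i eth1 -s 10.1.0.0/16 -p tcp -m multiport --dports 22,443 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m limit --limit 5/min -j LOG --log-prefix "icmp probe: " --log-level 4
-A FORWARD -i eth1 -s 10.1.0.0/16 -d 192.0.2.5 -p udp --dport 53 -j ACCEPT
-A INPUT -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
-A OUTPUT -o eth0 -j MGMT_OUT
COMMIT
"""
```

Running `import_iptables_save(SAMPLE)` yields six rules and the interface set {"eth0", "eth1"}; the "-m mac" rule comes back with two diagnostics (unsupported module, unrecognised option) and must be fixed by hand, exactly the case the last shortcoming above ("no MAC address matching import") describes.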

Policy import of Cisco IOS access lists (v2.1.12, build 270)

Features implemented in this version:

  • Importer can parse router config saved using the "show run" command. Although the importer can only interpret a subset of IOS configuration commands, other commands that it does not understand are ignored and should not affect operation. No manual editing of the config is required prior to import.
  • Importer creates a firewall object with all interfaces
  • the firewall object name is assigned if the "hostname" command is found in the configuration. If this command is not present, the name remains the generic "New Firewall"
  • interface addresses are assigned if the command "ip address" is found (multiple addresses per interface are supported). Interfaces without "ip address" in the configuration are marked as "unnumbered" in the Firewall Builder object tree.
  • all access lists are imported and interface and direction are set in all rules appropriately
  • Address and service objects are created in the process for all addresses and ports used in access lists
  • IOS access lists can define ip protocol, icmp code and type, and tcp/udp ports both by name and by number. Importer can properly interpret both formats.
  • "log", "log-input", "fragments", "established" keywords are supported and translated into rule or object options as appropriate.
  • Address and service objects are reused in the process of import.
  • when the importer fails to parse some part of an access-list command, the corresponding policy rule is colored red and an appropriate diagnostic message is added to its comment. The problem must be corrected manually.
  • "remark" commands found inside access lists are translated into rule comments
  • comments ("!") found inside access lists are ignored.

Shortcomings of this version:

  • the importer does not reuse address and service objects that existed in the tree before the operation started; it creates new ones. Deduplication only works for objects created in the process of import.
  • the following keywords available in extended access lists are not supported at this time: tos, precedence, time-range.
  • igmp access lists are not parsed.
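The IOS import behaviour listed above as an added Python example, not the project's own importer: "hostname" names the firewall (otherwise it stays "New Firewall"), "ip address" lines populate interfaces and an interface without one ends up unnumbered, "remark" becomes the next rule's comment, "!" lines and unrelated commands are skipped, "log"/"log-input"/"established"/"fragments" map to options, port names go through getservbyname(), and tos/precedence/time-range or igmp entries leave a diagnostic on the rule. The AclEntry class, the dict layout returned by import_ios_config, the handling of "ip access-group" and the CONFIG excerpt are assumptions; only "eq" port specs and extended ACLs are modelled.

```python
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import List, Optional

FLAGS = {"log", "log-input", "established", "fragments"}
UNSUPPORTED = {"tos", "precedence", "time-range"}   # not imported in this version


@dataclass
class AclEntry:
    acl: str
    action: str                          # permit -> Accept, deny -> Deny
    protocol: str
    src: str = "any"
    dst: str = "any"
    service: Optional[str] = None
    logging: bool = False
    established: bool = False            # maps to the TCPService "established" flag
    fragments: bool = False
    comment: str = ""                    # text of the preceding "remark" line
    errors: List[str] = field(default_factory=list)   # non-empty => rule coloured red


def parse_address(tok, i):
    """One IOS address spec: 'any' | 'host A' | 'A WILDCARD' -> (text, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"{tok[i + 1]}/32", i + 2
    return str(ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")), i + 2   # wildcard mask accepted


def parse_port(tok, i, proto):
    """Optional 'eq P'; a port name is resolved with getservbyname(), as the notes say."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return f"{proto}/{int(p) if p.isdigit() else socket.getservbyname(p, proto)}", i + 2
    return None, i


def parse_entry(acl, tok, comment):
    e = AclEntry(acl, "Accept" if tok[0] == "permit" else "Deny", tok[1], comment=comment)
    try:
        if e.protocol == "igmp":
            raise ValueError("igmp access lists are not parsed")
        e.src, i = parse_address(tok, 2)
        if e.protocol in ("tcp", "udp"):
            _src_port, i = parse_port(tok, i, e.protocol)   # source port: parsed, not modelled
        e.dst, i = parse_address(tok, i)
        if e.protocol in ("tcp", "udp"):
            e.service, i = parse_port(tok, i, e.protocol)
        elif e.protocol == "icmp" and i < len(tok) and tok[i] not in FLAGS | UNSUPPORTED:
            e.service, i = f"icmp/{tok[i]}", i + 1        # icmp type (number or name)
        for kw in tok[i:]:
            if kw in ("log", "log-input"):
                e.logging = True
            elif kw in ("established", "fragments"):
                setattr(e, kw, True)
            else:                                         # tos, precedence, time-range, ...
                e.errors.append(f"keyword '{kw}' not supported")
    except (ValueError, OSError, IndexError) as exc:      # rule stays red with a diagnostic
        e.errors.append(f"parse error: {exc}")
    return e


def import_ios_config(text):
    rtr = {"name": "New Firewall", "interfaces": {}, "entries": []}
    iface, acl, comment = None, None, ""
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):          # "!" comments are ignored
            continue
        if tok[0] == "hostname":
            rtr["name"] = tok[1]
        elif tok[0] == "interface":
            iface = rtr["interfaces"].setdefault(tok[1], {"addresses": [], "acl_in": None, "acl_out": None})
            acl = None
        elif tok[:2] == ["ip", "address"] and iface:
            iface["addresses"].append(str(ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")))
        elif tok[:2] == ["ip", "access-group"] and iface:
            iface[f"acl_{tok[3]}"] = tok[2]
        elif tok[:3] == ["ip", "access-list", "extended"]:
            acl, iface = tok[3], None
        elif tok[0] == "remark" and acl:
            comment = " ".join(tok[1:])
        elif tok[0] in ("permit", "deny") and acl:
            rtr["entries"].append(parse_entry(acl, tok, comment))
            comment = ""
    return rtr            # every other IOS command is skipped; empty address list = unnumbered


# Constructed "show run" excerpt, not from a real device
CONFIG = """\
hostname edge-rtr
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group outside_in in
interface Serial0/0
 no ip address
!
ip access-list extended outside_in
 remark management ssh from the NOC
 permit tcp host 198.51.100.7 host 192.0.2.1 eq 22 log
 permit tcp any 192.0.2.0 0.0.0.255 established
 permit icmp any any echo-reply
 deny ip any any log-input time-range BUSINESS
"""
```

On the CONFIG excerpt the last entry is the interesting one: its "log-input" is honoured, but "time-range" is reported as unsupported and the rule is left for manual correction rather than silently imported as a plain "deny ip any any".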


New object types and improvements in the base API

  • TCPService object now has the flag "established". Policy compilers for platforms that have a special keyword for this flag can recognize it in the TCPService object.
  • TCPService object "All TCP established" has been added to the Standard objects library.
  • Firewall interface objects have a new flag "unprotected", currently only used in the compiler for Cisco IOS access lists. The compiler skips interfaces marked as "unprotected" when it decides which interface a policy rule should be assigned to.

Improvements and bug fixes in the GUI

  • dialogs and resource files for Cisco IOS access lists.
  • Policy installer for Cisco routers
  • fixed long-standing problem with size of the built-in installer options dialog. The dialog was too big and did not properly resize itself when some options were hidden.
  • PIX and Cisco routers (IOS) : built-in installer can schedule reboot of the firewall before activating new policy, then cancel it if the policy has been activated successfully.
  • note about the built-in installer on Windows. The installer seems to have broken with the upgrade of QT to 3.3.8. Specifically, in SSHSession::readFromStdout(), proc->readStdout() returns a byte array that contains the actual output from the device with some garbage appended to it. The garbage is included in the size() count of the QByteArray returned by readStdout, so it gets included in the QString which we append to stdoutBuffer. This happens only on win32; reverting to QT 3.3.7 fixes the problem.
  • the GUI is compiled with ANTLR C++ run-time, used for policy importer
  • Policy importer: can read and import iptables rules from the iptables-save file and Cisco IOS access lists from the router configuration saved using "show run" command. See README.policy_import file for more details.
  • allow for object group in "Interface" rule element
  • Added support for action "Continue" (an empty action) in the GUI and compiler for iptables. This action creates a rule that does nothing, however it generates iptables command with target "-j LOG" if logging is turned on. This can be useful if one wants only to log packets that match certain pattern but not make any policy decision in the same rule.
  • After changes made in the compiler to simplify algorithm used to decide which chain a rule with action Tag should go to, rule action option "Mark connections in PREROUTING chain" ( "ipt_mark_prerouting" ) has been deprecated.
  • fixed bug (no number) where installer failed to properly copy .fwb file over to the firewall if file name contained whitespace
  • fixed bug #1739373: "FWB2111, register Routing not printed". Tab "Routing" was not included in the printed copy of firewall policies

Improvements and bug fixes in policy compiler for iptables

  • fixed bug 1737733: "install script doesn't detect BROADCAST if eth is NO-CARRIER". If the firewall script ran before the network interface came up (i.e. while it was still in the NO-CARRIER state), the script failed to add virtual addresses for NAT.
  • fixed bug #1711595: "ip6tables DROPs". The compiler adds rules to permit any-to-any on the loopback interface for ipv6 in addition to the rules that set the default policy to DROP for all ipv6 chains.
  • streamlined the algorithm that assigns a chain to a rule with action Tag. The goal is to always use chain PREROUTING for rules with direction Inbound or Both and a combination of OUTPUT and POSTROUTING for rules with direction Outbound or Both.
  • Added support for action "Continue" (an empty action) in the GUI and compiler for iptables. This action creates a rule that does nothing, however it generates iptables command with target "-j LOG" if logging is turned on. This can be useful if one wants only to log packets that match certain pattern but not make any policy decision in the same rule.
  • fixed bug #1718791: "Bug with more than one router". This bug affected routing rules.
  • fixed bug #1720022: "Fail to load modules .ko.gz".
  • fixed bug #1720480: '"-A POSTROUTING -i interface" in branching rules'. The compiler should not generate iptables commands in the POSTROUTING chain with an "-i interface" clause.
  • bug (no number): the compiler used to not set a unique internal id for rules in branches, which led to chain names like 'C.0' in the generated script.
  • bug (no number): when a rule number is inserted into a log record in place of macro %N, it should be formatted as "N/M" for rules in a branch.
  • bug (no number): set the chain for the Classify action only if it has not been set before. Always setting the chain to POSTROUTING broke things if a rule with action 'Classify' was used in a branch (where the chain has already been set to that of the branch).
  • bugs #1676635: "no way to match on state if the action is drop" and #1671910: "2.1.8 In 'Branch' acton compiler doesn't insert NEW stanza". Rely only on the rule option 'stateless' to decide whether the rule should have "-m state --state NEW". The rule option 'stateless' is automatically set when the user changes the rule action to anything except 'Accept', 'Tag' or 'Route'. This option is also automatically cleared when the action is switched to any of these three actions. The user can override these defaults by checking or unchecking the option in the rule options dialog.
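The chain and state-matching decisions described in this section (Tag rules placed in PREROUTING or in OUTPUT plus POSTROUTING, no "-i" clause in POSTROUTING, and the 'stateless' option deciding whether "-m state --state NEW" is emitted), together with the "-i +" / "-o +" clause that the 2.1.13 notes above generate for a direction set with interface "All", as an added Python example. It is not Firewall Builder's own compiler code: the Rule class, the function names, the LOG-before-verdict rendering and the simplification that filter-table rules go only to INPUT and/or OUTPUT (no FORWARD) are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Actions for which 'stateless' is cleared automatically; for every other action
# it is set, so "-m state --state NEW" is left out unless the user overrides it.
STATEFUL_ACTIONS = {"Accept", "Tag", "Route"}
TARGETS = {"Accept": "-j ACCEPT", "Deny": "-j DROP", "Reject": "-j REJECT"}


@dataclass
class Rule:
    action: str                        # "Accept", "Deny", "Reject", "Tag", "Continue"
    direction: str = "Both"            # "Inbound", "Outbound", "Both"
    interface: Optional[str] = None    # None stands for "All" in the GUI
    src: Optional[str] = None
    dst: Optional[str] = None
    stateless: Optional[bool] = None   # None: derive from the action as described above
    logging: bool = False
    mark: int = 1                      # value used by action Tag (assumed parameter)


def is_stateless(rule: Rule) -> bool:
    if rule.stateless is not None:     # explicit override from the rule options dialog
        return rule.stateless
    return rule.action not in STATEFUL_ACTIONS


def chains_for(rule: Rule) -> List[str]:
    """Tag rules live in the mangle table: PREROUTING for Inbound, OUTPUT plus
    POSTROUTING for Outbound, all three for Both. Other actions use the filter
    table; FORWARD is left out of this example (assumption)."""
    if rule.action == "Tag":
        by_direction = {"Inbound": ["PREROUTING"], "Outbound": ["OUTPUT", "POSTROUTING"]}
        return by_direction.get(rule.direction, ["PREROUTING", "OUTPUT", "POSTROUTING"])
    by_direction = {"Inbound": ["INPUT"], "Outbound": ["OUTPUT"]}
    return by_direction.get(rule.direction, ["INPUT", "OUTPUT"])


def iptables_commands(rule: Rule) -> List[str]:
    """Render one policy rule as iptables commands, one (or two, with logging) per chain."""
    if rule.action == "Continue" and not rule.logging:
        return []                      # empty action without logging: nothing to emit
    table = "-t mangle " if rule.action == "Tag" else ""
    cmds = []
    for chain in chains_for(rule):
        # "-i" only makes sense on the inbound path; OUTPUT and POSTROUTING get "-o"
        flag = "-i" if chain in ("INPUT", "PREROUTING") else "-o"
        match = [f"{flag} {rule.interface or '+'}"]   # "+" matches all interfaces
        if rule.src:
            match.append(f"-s {rule.src}")
        if rule.dst:
            match.append(f"-d {rule.dst}")
        if not is_stateless(rule):
            match.append("-m state --state NEW")
        prefix = f"iptables {table}-A {chain} " + " ".join(match)
        if rule.logging:
            cmds.append(f"{prefix} -j LOG")        # log first, then apply the verdict
        if rule.action == "Tag":
            cmds.append(f"{prefix} -j MARK --set-mark {rule.mark}")
        elif rule.action in TARGETS:
            cmds.append(f"{prefix} {TARGETS[rule.action]}")
    return cmds


if __name__ == "__main__":
    for r in (Rule("Accept", "Inbound", src="10.0.0.0/8"),
              Rule("Tag", "Outbound", interface="eth0"),
              Rule("Deny", "Both", logging=True)):
        print("\n".join(iptables_commands(r)))
```

A Deny rule therefore comes out without any state match by default, and a Deny rule that the user explicitly un-marks as stateless (the case from bug #1676635) gets "-m state --state NEW" like an Accept rule would.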

Improvements and bug fixes in policy compiler for PF

  • fixed bug #1727715: "Policy Installer failed but indicates succes". The activation script for PF now exits with a non-zero return code if activation fails.
  • fixed bug #1740545: "AddressTable in NAT section". Policy compiler for PF crashed if AddressTable object was used in TDst element of a NAT rule.

Improvements and bug fixes in policy compiler for ipfw

  • new TCPService object flag "established" in compiler for ipfw.

Firewall Builder Release Notes


Version 2.1.11


Released 04/29/2007
GUI and compilers v2.1.11 require API library libfwbuilder version 2.1.11

Summary

This is a bugfix release.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Improvements and bug fixes in the GUI

  • redesigned TimeService object dialog
  • minor redesign of the interface object dialog to make network zone more prominent and easier to set when network and group objects have long names.
  • fixed bug #1685741: "GUI crash: click on an empty part of obj tree, then desktop"
  • fixed bug #1692411: "can't set accouting rule name (fwbuilder 2.1.11)"
  • fixed bug #1684334: "RCS should use $LOGNAME when commit"
  • fixed bug #1701971: "Enabeling test mode doent activate the reboot interval". Checking the "Test mode" checkbox in the installer options dialog should enable the widgets that configure the automatic reboot timeout.
  • fixed bug #1702830: "fwbuilder does not detect errors during policy install". The built-in installer now detects error messages printed by iptables and iptables-restore and aborts the installation process. The summary page shown at the end reflects this as a failed install.

Improvements and bug fixes in policy compiler for iptables

  • Added support for --datestart and --datestop options for module 'time' in compiler for iptables
  • fixed bug #1672191: "Time limit generates unexpected iptables command"
  • fixed bug #1695481: "compliation error with lower end port". Before, the user could enter a port range whose start port was greater than the end port. Neither the GUI nor the compiler noticed this, which resulted in an incorrect firewall configuration. This fix adds a check in the GUI that does not let the user enter port ranges like that.
  • fixed bug 1699483: "hashlimit-htable-expire not set". Added GUI controls and compiler support for the hashlimit module options "--hashlimit-name", "--hashlimit-htable-size", "--hashlimit-htable-max", "--hashlimit-htable-expire" and "--hashlimit-htable-gcinterval"
  • fixed bug #1703954: "Mark target in postrouting chain". Packets that originate on the firewall should be marked in the OUTPUT chain. According to the netfilter packet flow diagram at http://www.shorewall.net/NetfilterOverview.shtml , rerouting happens after the OUTPUT hook but before the POSTROUTING hook. So in order to be able to reroute packets originated on the firewall, they should be marked in OUTPUT.

Improvements and bug fixes in policy compiler for PF

  • fixed bug #1674940: "if max-src-conn == 0: syntax error". Options max-src-conn and max-src-states cannot have the value '0'

Improvements and bug fixes in policy compiler for ipfilter

  • fixed bug #1678410: "Ipfilter compiler uses wrong keyword for "fragment""
  • fixed bug #1676845: "lsrr option not compiling"

Firewall Builder Release Notes


Version 2.1.10


Released 02/17/2007
GUI and compilers v2.1.10 require API library libfwbuilder version 2.1.10

Summary

This is a bugfix release.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Improvements and bug fixes in the GUI

  • fixed bug #1661140: "built-in installer broken in 2.1.9 for PF". The installer incorrectly set the name for files it copied to the firewall if the generated configuration consisted of several files. Affected platforms are PF and ipfilter, because for these platforms the compiler normally generates two files.
  • fixed bug #1659832: "No compile with QT without STL support"
  • a workaround for bug 1629461: "Policy tabs do not scroll @ window extent on OSX". The tab widget used to show policy, NAT, routing and policy branch rulesets does not switch to a "folded" mode on Mac OS X when it needs to show more tabs than fit in the window. Since I can't figure out a way to force it to do that, I am dropping "Policy/" from the tab titles for branches to make them shorter. This will help users with policies with many branches, however it does not solve the problem because as they keep adding branches, at some point they won't fit in the window again.
  • added an item "Where used" to the context menu associated with objects in rules

Firewall Builder Release Notes


Version 2.1.9


Released 02/10/2007
GUI and compilers v2.1.9 require API library libfwbuilder version 2.1.9

Summary

This is a bugfix release.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Improvements and bug fixes in the GUI

  • New feature: new operation "Tools/Find Conflicting Objects in Two Data Files". This operation inspects two data files (either .fwb or .fwl) and finds conflicting objects. Conflicting objects have the same internal ID but different attributes. Two data files cannot be merged, or one imported into another, if they contain such objects. This operation also helps identify changes made to objects in two copies of the same data file. It does not find objects present in one file but not in the other; such objects present no problem for merge or import operations. The operation works with two external files, neither of which needs to be opened in the program. The currently opened data file is not affected and objects in the tree do not change. In the process of this operation the user is presented with a series of dialogs showing conflicting objects side by side. In the end the program can generate a report and write it to a text file.
  • installOptionsDialog was too large and did not fit on some laptop screens. Added tricks to make sure the dialog properly resizes after unused GUI elements are hidden.
  • bug #1629521: "can't delete empty chain/policy tab"
  • bug #1619842: "prolog "script editor" opens behind other windows"
  • bug #1620206: "RuleOptions' "Apply" button greyed-out until menu selection"
  • bug 1619930: "Prolog tab's ScriptEditor's import fails to overwrite"
  • bug #1617501: "Install fails after compile". The GUI got confused when the user entered a full path to the policy file in the "Output file name" input field in the "Compiler" tab of the firewall object dialog. We now always strip the directory path from the file name if the user specified a full path there. The path needs to be stripped when macro "%FWSCRIPT%" is substituted in installation scriptlets and in some other places.
  • "Apply" and "Close" buttons in the object editor panel should be of fixed size horizontally
  • bug #1624577: "group window doesn't stay open on multiple-adds". Using a special flag to tell ObjectTreeView that it should ignore the MouseReleaseEvent it gets after a d&d operation, so it won't switch the object in the editor panel. Note the bug triggered only on Mac OS X.
  • bug (no num.): the GUI used to show phantom 'Policy', 'NAT' and 'Routing' tabs when the user deleted objects from the Deleted Objects library, provided some of these objects were previously deleted firewalls.
  • bug #1620284: "conflict when adding library to Preferences/Libraries". When the user tried to add a library to the list in Preferences/Libraries while a data file with the same object library was loaded, the GUI detected the conflict and showed an error dialog.
  • bug #1650369: "[patch] please add support for GNU/kFreeBSD". Applied patch to make code compile on kFreeBSD.

Compiler for iptables

  • bug #1623338: "Can not disable rules in a branch". Compiler for iptables ignored flag 'disabled' on rules in a branch.
  • bug #1623113: 'connlimit fails in compiled "address table" rules'. Module connlimit can only be used in iptables rules matching TCP services. Such iptables commands have "-p tcp" and/or "-m tcp" options. If a rule in fwbuilder uses a TCP Service and the connlimit option and has multiple objects in src and dst, the optimizer used to split it to minimize matches. It however preserved the connlimit option in all subrules, even though some of them did not have a TCP service after the split. This led to generation of incorrect iptables commands.
  • bug #1620925: "compile-time AddressTable object with empty file". Compile-time AddressTable object that uses file with no addresses should be treated as an empty group according to the "Ignore empty groups" option.
  • bug #1618381: "CLASSIFY/MARK are non-terminating". This bug report in fact reported several problems.

    • For action Branch with the option to add the branching rule to the mangle table: we now generate rules in PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD chains. This is because some targets can only work in PREROUTING or POSTROUTING chains but we do not know what rules the user will put in the branch. So we need to branch in all chains.
    • For rules in the mangle table with direction set to Inbound or Outbound, force the chain to PREROUTING or POSTROUTING respectively early. This eliminates duplicates such as the same rule in PREROUTING and INPUT chains. Also, since most (all?) targets that require the mangle table go into either PREROUTING or POSTROUTING chains, it should be enough to use these two chains.
    • Non-terminating rules shadow each other "backwards", that is, a more general rule shadows other rules _above_ it. Added flag 'reverse' to the method find_more_general_rule and added a new rule processor DetectShadowingForNonTerminatingRules that finds such cases of 'reverse' shadowing. It is used for rules in the mangle table for iptables.
    • Adding an iptables rule with target ACCEPT to emulate terminating behavior for Tag and Classify actions. Emulation is controlled by a global option in the "Compiler" tab of the firewall properties dialog (default is "off"). This means emulation can be turned on and off for all rules that might require it at once. It is impossible to mix such rules with terminating and non-terminating behavior. The reason for this is that the shadowing detection algorithm can only work with either terminating or non-terminating rules, not with a mix.

  • bug #1628989: "run-time-loaded rules don't accept ";" as line comment"
  • bug #1632054: "Runtime AddressObjects FAIL to load if "Name:" contains ".". The compiler checks if the name of the run-time AddressTable object contains characters that have special meaning in the shell and replaces them with '_' when it generates the name of the temporary shell variable.
  • bug (no num.): data files used for run-time AddressTable objects can have empty lines; the script should skip them.
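The shadowing logic from bug #1618381 above as an added Python example, not the project's own rule processor: a terminating rule is shadowed by a more general rule above it, a non-terminating (Tag/Classify) rule by a more general rule below it, and the two kinds are never analysed together. The Rule class, the 'reverse' flag on find_more_general_rule, the prefix-and-port-range notion of "more general" and the two constructed rulesets are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_NET = "0.0.0.0/0"
ANY_PORTS = (1, 65535)


@dataclass(frozen=True)
class Rule:
    label: str
    src: str = ANY_NET                  # CIDR block
    dst: str = ANY_NET
    ports: Tuple[int, int] = ANY_PORTS  # inclusive destination port range
    terminating: bool = True            # False for Tag/Classify rules in the mangle table


def covers(general: Rule, specific: Rule) -> bool:
    """True when every packet matched by `specific` is also matched by `general`."""
    return (ipaddress.ip_network(specific.src).subnet_of(ipaddress.ip_network(general.src))
            and ipaddress.ip_network(specific.dst).subnet_of(ipaddress.ip_network(general.dst))
            and general.ports[0] <= specific.ports[0]
            and specific.ports[1] <= general.ports[1])


def find_more_general_rule(rules: List[Rule], idx: int, reverse: bool = False) -> Optional[int]:
    """Index of a rule covering rules[idx]. Terminating rules are shadowed by an
    earlier rule, so the search runs upwards; with reverse=True it runs over the
    rules below instead, which is how non-terminating rules shadow each other."""
    candidates = range(idx + 1, len(rules)) if reverse else range(idx)
    for j in candidates:
        if covers(rules[j], rules[idx]):
            return j
    return None


def detect_shadowing(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(shadowed label, shadowing label) pairs. A ruleset must be all terminating
    or all non-terminating; the analysis is undefined for a mix, so refuse it."""
    kinds = {r.terminating for r in rules}
    if len(kinds) > 1:
        raise ValueError("cannot mix terminating and non-terminating rules")
    reverse = kinds == {False}
    found = []
    for i in range(len(rules)):
        j = find_more_general_rule(rules, i, reverse=reverse)
        if j is not None:
            found.append((rules[i].label, rules[j].label))
    return found


# Constructed samples: a filter ruleset (terminating) and a mangle ruleset (Tag, non-terminating)
FILTER_RULES = [
    Rule("allow-ssh-all", src="10.0.0.0/8", ports=(22, 22)),
    Rule("allow-ssh-ops", src="10.1.0.0/16", ports=(22, 22)),      # never reached
    Rule("allow-web", src="10.1.0.0/16", ports=(80, 443)),
]
MANGLE_RULES = [
    Rule("tag-ops-web", src="10.1.0.0/16", ports=(80, 80), terminating=False),  # re-marked below
    Rule("tag-all-web", src="10.0.0.0/8", ports=(80, 80), terminating=False),
]

if __name__ == "__main__":
    print("filter:", detect_shadowing(FILTER_RULES))
    print("mangle:", detect_shadowing(MANGLE_RULES))
```

The mangle case is the one that is easy to get wrong by eye: "tag-ops-web" sits first and does fire, but the broader "tag-all-web" after it overwrites the mark for the same packets, so the narrower rule has no lasting effect, which is exactly the "backwards" shadowing the note describes.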

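The run-time AddressTable handling from the last three items of the list above as an added Python example (it is not the script Firewall Builder generates): the object name is reduced to a safe shell variable name, and the address file is read with empty lines skipped and ';' or '#' comments removed. The "at_" prefix, the function names, the constructed SAMPLE_FILE and the shape of the shell fragment are assumptions; rejecting lines that are not an address or network is an added check, since every entry ends up as an argument to a firewall command at activation time.

```python
import ipaddress
import re
from typing import List

# Anything outside this set (spaces, quotes, '$', '.', parentheses, ...) has meaning
# to the shell and is replaced with '_' when the object name becomes a variable name.
_UNSAFE = re.compile(r"[^A-Za-z0-9_]")


def shell_variable_name(object_name: str) -> str:
    """Variable that holds the addresses of a run-time AddressTable object."""
    return "at_" + _UNSAFE.sub("_", object_name)


def load_address_table(text: str) -> List[str]:
    """Parse the external address file: one address or CIDR block per line, empty
    lines skipped, ';' or '#' starts a comment (also after an address). A line that
    is not an address or network raises instead of reaching the firewall command line."""
    addresses = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = re.split(r"[;#]", raw, maxsplit=1)[0].strip()
        if not entry:
            continue
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: not an address or network: {entry!r}") from exc
        addresses.append(entry)
    return addresses


def shell_loader(object_name: str, path: str, chain: str) -> str:
    """Shell fragment, in the spirit of the generated script, that reads the file at
    activation time with the same blank-line and comment rules (grep/sed instead of Python)."""
    var = shell_variable_name(object_name)
    return "\n".join([
        f'{var}=$(grep -Ev "^[[:space:]]*([;#]|$)" "{path}" | sed -e "s/[;#].*//")',
        f'for a in ${var}; do',
        f'    $IPTABLES -A {chain} -s "$a" -j DROP',
        'done',
    ])


# Constructed sample file contents
SAMPLE_FILE = """\
; blocked networks (constructed sample)
192.0.2.10

# hash comments are accepted too
198.51.100.0/24    ; trailing comment
203.0.113.7
"""

if __name__ == "__main__":
    print(load_address_table(SAMPLE_FILE))
    print(shell_loader("blocked hosts.v1", "/etc/fw/blocked.txt", "INPUT"))
```

The name "blocked hosts.v1" from the bug title's scenario becomes `at_blocked_hosts_v1`, so the generated script no longer contains a variable assignment the shell cannot parse.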
Firewall Builder Release Notes


Version 2.1.8


Released 12/02/2006
GUI and compilers v2.1.8 require API library libfwbuilder version 2.1.8

Summary

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Installation

An opinion poll run on the fwbuilder-discussion mailing list showed that the majority of users are not interested in the ability to install and run both fwbuilder 2.0 and 2.1 on the same machine at the same time. Hence we are reverting to the old naming scheme without the suffix '21' for the binaries and man pages in this release.

Improvements and bug fixes in the GUI

  • The user can search for objects using regular expressions matching their names or attributes.

  • Fixed bug #1592130: "Policy Chaining Issues". The GUI should properly display nested branch rulesets. The user can create policy branches within other branches.

All compilers

  • Fixed bug #1590746 "problem with using "DNS Names" objects on MS Windows". The compiler failed to convert DNSName objects set to resolve at compile time into IP addresses.

Compiler for iptables

  • fixed bug #1593221: "iptables filtering bridge problem - PHYSDEV: no physdev opti..." Sometimes rules were generated with "-m physdev" but without "--physdev-in" or "--physdev-out" options.

Compiler for Cisco PIX

  • fixed a bug (no num, support req. #1604103: "fwb_pix policy compiler dies when SNMP or NTP hosts defined"). The compiler did not print an error message when it could not find an interface with a network zone matching the IP address of the NTP or SNMP server (it just printed the address without explanation of what went wrong).
  • Experimental utility fwb_pix_diff has been added to the package. This utility takes two PIX configurations on the command line and produces the 'diff' that consists of a set of commands that should bring the firewall from the state defined by the first config to the state defined by the second. Only PIX 7.0 is supported. This utility will be incorporated into policy installer in the future to make policy updates simpler and faster, especially when small changes are made to the large set of access lists and nat rules.

Firewall Builder Release Notes


Version 2.1.7


Released 10/31/2006
GUI and compilers v2.1.7 require API library libfwbuilder version 2.1.7

Summary

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Installation

Packages of Firewall Builder 2.1 are built in such a way that you should be able to install them on the same machine with Firewall Builder 2.0.X. All binaries have names that end with "21", e.g. "fwbuilder21" or "fwb_ipt21". On Windows the binary name is the same but the package installs in directory c:\FWBuilder21, which is different from the default directory for Firewall Builder 2.0; all registry entries are also located in different subtrees. All this is done to ensure the user can run Firewall Builder 2.1 while still using stable version 2.0.12 on the same machine.

Improvements and changes in the GUI

  • The GUI works much faster with very large object trees (tested using a data file with over 3000 objects).

  • A "Where used" menu item has been added to quickly find and show all groups and firewall rules that reference a given object. The confirmation dialog that is shown when the user tries to delete an object also shows all groups and rules that use it.

  • By popular request, built-in installer can now save a copy of .fwb file to the firewall.

  • Compile/install dialog is now an independent window instead of a modal dialog; this means the user can look at the policy and objects while compilation and/or installation is going on. This is especially convenient as it allows one to inspect the rules after a failed compilation while still having the compiler error on screen.

  • The network discovery druid is back, ported from fwbuilder 1.0. As before, it supports reading object definitions from a file in /etc/hosts format, can read a DNS zone and also can crawl the network using SNMP queries.

  • Startup wizard ("Welcome to Firewall Builder") has been removed. The GUI now starts either into an empty database or opens data file specified on the command line.

  • Keeping track of dependencies between objects. This is useful when many firewalls in the tree use the same set of objects. Each firewall object keeps track of the objects it depends on, so if any object is modified, all firewalls that use it in their rules are marked with a bold font to indicate that they need to be recompiled. Object dependencies are tracked not only when objects are directly used in rules, but also when they appear there indirectly, as members of groups.

  • Added bulk compile and install operations. This is useful when there are many firewalls in the tree that need to be compiled and installed in one go. Bulk install operation is only possible if all firewalls use the same user name and password for authentication. If this is not the case, built-in installer can be instructed to ask for the authentication information before it touches each firewall.

  • All object dialogs have been converted into built-in panels that appear in the right-hand part of the main window. This simplifies navigation (pop-up dialogs used to obscure parts of the main window). Objects open in the editor on a single mouse click in the tree and rules.

  • Improvements in "Find" function: administrator can now drag an object into a well in the find dialog panel to make it search for this particular object. This is useful if the name of the obejct is not unique. Search by object's name or a value of its attribute is also possible.

  • In addition to the "Find" function, a "Find and replace" operation has been implemented. Objects can be found and replaced in groups and firewall rules.

New object types, new rule types and rule elements, new actions and other new features

  • AddressTable:  This object resolves to a set of IP addresses defined in an external file. The object can be configured to read the file at compile time or at run time. For each compile-time AddressTable object defined in the object tree, the compiler tries to find and read the file specified in the object configuration. The compiler aborts processing if the file cannot be found or cannot be read. If the file is in place and can be read, such an AddressTable object behaves as if it were a group of IP address objects, that is, all addresses are explicitly copied into the generated configuration, although the compiler may use target firewall syntax that helps to group such sets of addresses into tables. Compilers for iptables, ipfw, ipf and PIX generate a bunch of rules matching each address read from the file. The compiler for PF creates a table and also lists all IP addresses it reads from the file; it uses the name of the AddressTable object as the name of the table it creates.

    Run-time AddressTable objects are only supported by compilers for iptables and PF. Compiler for iptables generates shell code to read the contents of the file when firewall configuration is activated. Compiler for PF uses native "table <name> persist file <file_name>" syntax. Here also the name of the table is the same as the name of the AddressTable object it was created for.

  • DNSName:  This object resolves a host name to the IP address using DNS. The object can be configured to do so at compile time or run time. Resolution is done using system call gethostbyaddr() to read DNS A records for the name. The system resolver should take care of recursion and CNAME records, if any. If the name resolves to several IP addresses, all addresses are used in the generated firewall configuration. Run-time DNSName objects rely on the target firewall software being able to convert symbolic names used in rules into actual IP addresses at the time the policy is activated. Not all platforms provide means to support run-time DNSName objects.

  • TagService:  This object matches tags set by action Tag. It is translated into --mark <mark_code> for iptables and tag option for PF. This service object is only supported by compilers for iptables and PF.

  • Interface objects can now have an attribute to mark them as bridge ports, used for bridging firewalls.

  • Support for routing rules has been implemented using a patch provided by Tidei Maurizio <fwbuilder-routing at compal.de>. Support for routing rules is only implemented in the compiler for iptables. See file README.routing included in the fwbuilder2 package.

    NOTE: I can only provide very limited support for this feature; please direct your questions and bug reports to the author.

  • Global policy and interface policies have been merged. Each policy rule now has rule element "Interface". Administrator can drag and drop interface object of the firewall into this rule element field. Policy compilers support multiple interfaces and negation in "Interface" rule element. Rule element "direction" that previously was only part of the interface policy rules is now part of all policy rules.

  • Policy rules can have the following new actions:

    • Queue:  This action passes the packet to a user space process for inspection; it is translated into QUEUE for iptables and divert for ipfw. This action is only supported by compilers for iptables and ipfw.

    • Custom:  This action allows the administrator to define an arbitrary piece of code to be used in place of an action. Supported by compilers for iptables, ipf and ipfw.

    • Branch:  This action is used to create a branch in the rule set. It works on target platforms that provide suitable syntax and allow control to return to the higher level rule set if the branch cannot make a final decision about the packet. For iptables this action is translated into a user-defined chain. The name of the chain is the name of the branch chosen by the administrator. For PF this action is translated into an anchor with the same name as the branch defined by the administrator. This action is only supported by compilers for iptables and PF.


      Fig.1 Rule #0 of the global policy creates a branch with the name rule0_branch

    • Tag:  This action associates an internal tag with the packet. The tag can later be inspected using the service object TagService. This action is translated into the MARK target with the corresponding --set-mark parameter and, optionally, an additional rule with the CONNMARK --save-mark target for iptables. If the option that activates the CONNMARK target is used, the compiler also adds a rule at the very top of the policy to restore the mark. Rules are placed in the INPUT, OUTPUT and FORWARD chains of the "mangle" table; this ensures that DNAT happens before rules placed in the mangle table see the packet. The PREROUTING chain in the mangle table is executed before the PREROUTING chain in the nat table, so placing tagging rules in the PREROUTING chain would make them fire before DNAT. The POSTROUTING chain of the mangle table, as well as its FORWARD and OUTPUT chains, work before the corresponding chains of the nat table. In all cases the goal is to make sure DNAT rules process the packet before, and SNAT rules process it after, filtering and tagging rules.

      For PF this action is translated into tag. Supported only by compilers for iptables and PF.


      Fig.2 Example of a rule utilizing action Tag. To illustrate policy branches, this rule belongs to the branch with the name rule0_branch

    • Classify:  This action allows the firewall to define QoS class for the packet that matches the rule. It is translated into CLASSIFY for iptables, with parameter --set-class. For PF it is translated into queue; compiler for ipfw can use pipe, queue or divert depending on how the action is configured by the administrator in the GUI. This action is only supported by compilers for iptables, PF and ipfw.

    • Route:  This action makes the firewall route the packet that matches the rule through an interface or a gateway specified in the parameters of the action. This action is translated into the ROUTE target for iptables and the route option for PF and ipfilter. Compilers for PF and ipfilter support the fastroute, route-to, reply-to and dup-to options.


      Fig.3 Rules #0 and #1 tag packets entering the firewall through interfaces eth0 and eth2; rules #3 and #4 help route reply packets back through the same interfaces

    The GUI uses different names for the new actions depending on the target firewall platform to simplify adoption. For example, the new action that creates a branch in the rule set is called Chain for iptables firewalls and Anchor for PF firewalls.

  • The Firewall object now has an attribute "inactive". A firewall marked as inactive will not be picked by the GUI for the bulk compile and install operations, even if the timestamps indicate that this firewall object needs to be recompiled.
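    The AddressTable behaviour described above (compile-time expansion into per-address iptables rules, a PF table named after the object, a run-time "persist file" table, and an abort when the file is missing) as an added Python illustration, not code from Firewall Builder itself. The sample file contents, the service matched by the rules and the table name are constructed assumptions.

```python
import ipaddress
import os
import tempfile

# Constructed sample AddressTable file (not from the page): one address or
# network per line, '#' starts a comment, blank lines are ignored.
SAMPLE_TABLE = """\
192.0.2.10          # single host
198.51.100.0/24     # whole network

203.0.113.7
"""

def write_sample_table():
    """Write the constructed sample to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_TABLE)
    return path

def read_address_table(path):
    """Compile-time read of an AddressTable file. A missing or unreadable
    file raises (the compiler aborts); a malformed line raises ValueError."""
    entries = []
    with open(path) as fh:  # FileNotFoundError / PermissionError propagate
        for lineno, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            try:
                entries.append(ipaddress.ip_network(line, strict=False))
            except ValueError as exc:
                raise ValueError(f"{path}:{lineno}: bad entry {line!r}") from exc
    return entries

def iptables_rules(entries, chain="INPUT", proto="tcp", dport=22):
    """iptables has no table syntax: one rule per address (assumed service)."""
    return [f"iptables -A {chain} -s {net} -p {proto} --dport {dport} -j ACCEPT"
            for net in entries]

def pf_table(name, entries=(), runtime=False, path=None):
    """PF: a compile-time table lists the addresses; run-time uses 'persist file'.
    The table is named after the AddressTable object in both cases."""
    if runtime:
        return f'table <{name}> persist file "{path}"'
    return f"table <{name}> {{ {', '.join(str(n) for n in entries)} }}"
```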

Compiler for iptables

  • Support for address tables loaded from external files at compile or run time

  • Support for user-defined chains with predefined names (using a special action)

  • Support for CLASSIFY, MARK, CONNMARK, QUEUE, ROUTE targets

  • Support for physdev module for bridging firewalls

  • Additional optimization of rules in the INPUT and OUTPUT chains: the compiler now removes the firewall object from src or dst to simplify a rule that uses the OUTPUT or INPUT chain. This is done only if the original rule did not have negation and no virtual addresses were added for NAT. After removal the rule collapses to a simple command like this:

    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT


    This works fine unless we have added virtual addresses for NAT. It is assumed that the firewall object in rules represents the combination of addresses configured on its interfaces in the GUI. Virtual addresses added for NAT are considered to be a side effect, and connections should not be implicitly permitted to them by a rule with the fw object in destination. The same applies to the fw object in source. See bug #685947 for discussion. To avoid inadvertently opening holes in the firewall with a rule like that, we remove the fw object only when it is safe to do so.

  • Support for the connlimit and hashlimit modules. There is an option to generate commands for the latter module using the name dstlimit, because older versions of iptables included this module under this (now obsolete) name.
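  The INPUT-chain simplification described above, as an added Python model (not fwbuilder code): it collapses the rule only when no NAT virtual addresses exist, and a toy evaluation shows that an unconditional collapse would also accept connections to the virtual addresses. Firewall addresses, the virtual address and the service are constructed assumptions; negated rules are left out of the model.

```python
from dataclasses import dataclass, field

@dataclass
class Firewall:
    interface_addresses: list                    # configured on interfaces in the GUI
    nat_virtual_addresses: list = field(default_factory=list)  # side effect of NAT rules

@dataclass
class Rule:
    """Policy rule 'any -> firewall' (lands in INPUT). Negated rules are not
    modelled here; the compiler never collapses them either."""
    proto: str = "tcp"
    dport: int = 22

def compile_input_rule(rule, fw, force_collapse=False):
    """Return the iptables commands for the rule. The fw object is dropped
    (one collapsed rule) only when no NAT virtual addresses exist.
    force_collapse produces the unsafe result, for comparison only."""
    match = f"-p {rule.proto} --dport {rule.dport} -m state --state NEW -j ACCEPT"
    if force_collapse or not fw.nat_virtual_addresses:
        return [f"iptables -A INPUT {match}"]
    return [f"iptables -A INPUT -d {addr} {match}" for addr in fw.interface_addresses]

def accepted_destinations(commands, fw):
    """Toy evaluation of generated INPUT rules: which local addresses
    (interface plus NAT virtual ones) would accept the matched connection."""
    local = fw.interface_addresses + fw.nat_virtual_addresses
    accepted = set()
    for cmd in commands:
        parts = cmd.split()
        dst = parts[parts.index("-d") + 1] if "-d" in parts else None
        accepted.update(a for a in local if dst is None or dst == a)
    return sorted(accepted)

if __name__ == "__main__":
    fw = Firewall(["192.0.2.1", "10.0.0.1"], nat_virtual_addresses=["198.51.100.5"])
    for cmd in compile_input_rule(Rule(), fw):
        print(cmd)
    unsafe = compile_input_rule(Rule(), fw, force_collapse=True)
    print("unconditional collapse would accept on:", accepted_destinations(unsafe, fw))
```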

Compiler for PF

  • Support for load balancing rules
  • Support for tag and route options
  • Support for address ranges and network objects in TSrc in NAT rules
  • Support for pool types in NAT rules ('bitmask', 'random', 'source-hash', 'round-robin'), as well as 'static-port' option.
  • Support for anchors (by way of a special action)
  • Support for tables with predefined names (using AddressTable object)
  • Support for packet 'tagging' (by way of a special action and service object TagService)

Compiler for ipfilter

  • Support for PPTP and IRC proxies
  • Support for route option

API

  • The internal object ID is augmented with the process ID of the program that creates an object. This allows fwbedit to quickly create objects and still ensure their IDs are unique.

fwbedit

Fwbedit can now create objects and repair a broken object database. The tool can now be used to populate the object database from shell scripts or other automation. For example, to create an address object in object library 'Test' one could run it like this:

fwbedit -f filename.fwb -t IPv4 -n newAddress -L Test -o 192.0.2.1
       Firewall Builder:  general purpose object tree editing tool
       Version 2.1.5-b
       Usage: fwbedit21 -f filename.fwb -u [-a obj,grp] [-r obj,grp] [-d obj] [-s] [-l path] [(-p parent|-L library) -t objtype -n objname [-o object attributes]] 

       -t objtype : create an object of this type
       -L library : specify library when creating a new object
       -p obj     : specify parent object when creating a new object
       -n name    : specify a name of the new object
       -o attribute1[,attribute2...]  :  specify attributes when creating a new object
       -a obj,grp :  create reference to object 'obj' in the group 'grp'
       -r obj,grp :  remove reference to object 'obj' from the group 'grp'
       -d obj     :  delete object 'obj' and remove references to it from
       all rules and groups
       -l path    :  print list of objects for 'path'
       -s         :  test and repair object tree structure
       -u         : autoupgrade of file

       An object and a group can be defined by their ID or 
       by the full path and name in the XML tree

       Object creation syntax:

       -t Firewall -n obj_name -L User -o platform, host OS
       -t IPv4 -n obj_name -L User -o IP address
       -t DNSName -n obj_name -L User -o DNS record,run time
       -t AddressRange -n obj_name -L User -o start address, end address
       -t ObjectGroup
       -t Network -n obj_name -L User -o address,netmask
       -t Interval -n obj_name -L User -o start time,start date,start day,end time, end date, end day
       -t Interface -n obj_name -L User -o security level,address type (dynamic or unnumbered),management
       -t Host
       -t TCPService -n obj_name -L User -o source port range start,end,Destination port range start,end,UAPRSF,UAPRSF
       -t UDPService -n obj_name -L User -o source port range start,end,Destination port range start,end
       -t ICMPService -n obj_name -L User -o ICMP type,ICMP code
       -t IPService -n obj_name -L User -o protocol number,lsrr/ssrr/rr/ts/fragm/short_fragm 
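The kind of automation the fwbedit section above has in mind, as an added Python example (not part of fwbuilder): an /etc/hosts-format list is turned into one fwbedit invocation per IPv4 host, using only the -f, -t, -n, -L and -o options shown in the usage text. The hosts lines, the library name 'Test', the .fwb path and the binary name are constructed assumptions.

```python
import ipaddress
import shlex
import subprocess

# Constructed /etc/hosts-style input (not from the page).
SAMPLE_HOSTS = """\
# hosts file snippet (constructed)
192.0.2.10   www.example.test   www
192.0.2.11   mail.example.test
::1          localhost6         # IPv6 entries are skipped: -t IPv4 only
"""

def parse_hosts(text):
    """Yield (address, canonical_name) for the IPv4 entries of an
    /etc/hosts-format text; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if addr.version == 4:
            yield str(addr), fields[1]

def fwbedit_commands(hosts_text, fwb_file, library="Test", binary="fwbedit"):
    """Build one argv per host using the IPv4 object creation syntax:
    fwbedit -f file -t IPv4 -n name -L library -o address."""
    cmds, seen = [], set()
    for addr, name in parse_hosts(hosts_text):
        if name in seen:            # object names double as identifiers here
            continue
        seen.add(name)
        cmds.append([binary, "-f", fwb_file, "-t", "IPv4",
                     "-n", name, "-L", library, "-o", addr])
    return cmds

def run(cmds, dry_run=True):
    """Print the commands (dry run) or execute them, stopping on first failure."""
    for argv in cmds:
        if dry_run:
            print(shlex.join(argv))
        else:
            subprocess.run(argv, check=True)

if __name__ == "__main__":
    run(fwbedit_commands(SAMPLE_HOSTS, "objects.fwb"))
```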
  
 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.