Firewall Builder Release Notes
Version 0.9.0
What is new in this version:
General design changes, new features and news
---------------------------------------------
- New XML DTD. This is by far the most important change. Our idea is to
develop a standard XML DTD for firewall policy description which could
potentially be used not only in Firewall Builder but in other similar
products as well. This opens interesting possibilities: for example,
someone could develop another user interface to use with our policy
compilers, or another implementation of the policy compilers could be
used with our user interface.
This means that the data format has changed and data files created by
fwbuilder v0.8.7 cannot be used directly with the new version. We
provide a built-in automatic upgrade mechanism using an XSLT
transformation script which converts data files "on the fly".
- We had to drop ipchains. This does not mean that someone else cannot
implement an ipchains compiler using our XML DTD as the input data
format, but we do not have time to do it. We had to reduce the load,
and ipchains seems the least valuable platform at this point.
- The ipfilter compiler is lagging behind. We will work on it, but we
will release v0.9 with iptables only at this time.
- many bug fixes in different areas.
- The Firewall object has platform-specific options which can be used
by the compiler. Each policy rule can also have platform-specific
options; this allowed us to implement features like an individual
logging prefix for a given rule and some other useful things.
- We now support firewalls with dynamic IP addresses.
- A "Contrib" file distribution area has been created on Sourceforge.
We are going to distribute scripts, packages, rpm's and so on
contributed to the project via this area.
Firewall Builder GUI
--------------------
- The policy presentation no longer has the columns "Target" and
"Direction". These were confusing, since our compilers could always
implement a correct policy without the user entering direction or
interface. Since the compilers were guessing values for these
parameters, having them in the GUI created confusion and would have
made the compilers more complex if we were to respect values entered
by the user. Now the compilers generate firewall code using the
source/destination combination and can correctly guess direction from
that.
- For rules which cannot be implemented without explicitly specifying
interface and direction, there is another little policy attached to
the interface. The idea is that this little policy will hold only
anti-spoofing and other rules like that, with the rest of the rules
being in the "main" policy.
- New and much better interactive Druid. The idea is that the GUI
provides good control for those who understand what they are doing and
what needs to be done, while those who don't can call the Druid and
get a decent policy for simple standard cases.
- You will need libxml2 and libxslt to compile Firewall Builder from
sources. See file "Requirements" for information on where you can get
these. The binary RPMs are linked statically, so those who install the
binary distribution won't need to install libxml2.
- The old preferences file ( $HOME/.fwbuilder.xml ) has been split into
two parts: user preferences and resources. The resources file gets
installed by the rpm and cannot be changed by the user.
- Hovering the mouse cursor over an object in the firewall policy shows
a brief summary of the object's definition (sort of like tooltips).
- All object dialogs, including the dialogs for firewall policy and NAT
rules, now have "Apply" and "Cancel" buttons. This provides a simple
one-level "undo" function for everything, including editing policy and
NAT.
- Printing of objects or policies. Printing is done by running the XML
data representation through an XSLT transformation script. The
transformation result is then stored in a temporary file which then
gets printed. The print dialog allows printing using the standard Unix
printing facility (via lpr) or to a file. We provide two
transformations: to HTML and to plain text format. We hope to add a
Postscript transformation in the future too.
- Bug-buddy support, both versions 1.2 and 2.0. Now, if the GUI
crashes, the user can click on the "Submit a bug report" button, fill
in the forms, and a bug report will be automatically generated and
sent to us.
Policy compiler for iptables
----------------------------
- A lot better implementation overall. The code is cleaner and more
correct.
- The compiler generates correct code for rules with "negation" in
source, destination or service.
- The compiler creates a separate chain for each rule defined in the
GUI. This simplifies the implementation of logging and provides a path
for a future implementation of accounting.
- Features supported via the rule options dialog in the GUI: custom
logging prefix, limit, different actions on reject for each rule. In
the logging prefix we now support pseudo format sequences:
'%N' will be replaced with rule number
'%A' will be replaced with rule action
- The compiler generates rules for the INPUT and OUTPUT chains for the
object "Any", since "Any" should cover the firewall itself too. This
can be turned off via the firewall's platform-dependent options dialog.
- --tcp-options, --tcp-sequence, --ip-options, --syn, -f are now supported
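To make the "one chain per rule" layout, the %N/%A logging prefix expansion and the INPUT/OUTPUT handling for "Any" concrete, here is an added illustration written for these notes. It is not the output of the Firewall Builder iptables compiler: the chain naming scheme (RULE_<n>), the 5/minute log limit, the tcp-reset reject type and the sample rules are assumptions made for the example. The commands are printed rather than executed, so it runs without iptables installed.

```shell
#!/bin/sh
# Added example, not fwbuilder's generated script: show how a "one chain
# per rule" layout with an expanded logging prefix looks in iptables
# terms. Chain names (RULE_<n>), the 5/minute limit, the reject type and
# the sample rules are assumptions made for this illustration.
# The commands are printed, not executed, so the script runs anywhere.

# expand_prefix PREFIX NUM ACTION
#   replace the pseudo format sequences %N (rule number) and %A (action)
expand_prefix() {
    printf '%s\n' "$1" | sed -e "s/%N/$2/g" -e "s/%A/$3/g"
}

# emit_rule NUM SRC DST PROTO DPORT ACTION PREFIX
#   print the iptables commands implementing one GUI rule
emit_rule() {
    num=$1; src=$2; dst=$3; proto=$4; dport=$5; action=$6; prefix=$7
    chain="RULE_$num"
    logprefix=$(expand_prefix "$prefix" "$num" "$action")
    match="-p $proto -s $src -d $dst --dport $dport"

    # one dedicated chain per rule: the built-in chains only match and jump
    echo "iptables -N $chain"
    echo "iptables -A FORWARD $match -j $chain"
    # "Any" (0.0.0.0/0) must cover the firewall itself, so the rule is
    # also hooked into INPUT and OUTPUT
    if [ "$src" = "0.0.0.0/0" ] || [ "$dst" = "0.0.0.0/0" ]; then
        echo "iptables -A INPUT $match -j $chain"
        echo "iptables -A OUTPUT $match -j $chain"
    fi
    # log inside the rule's own chain, rate limited so a packet flood
    # cannot fill the log; the expanded prefix identifies the rule in syslog
    echo "iptables -A $chain -m limit --limit 5/minute -j LOG --log-prefix \"$logprefix \""
    # the terminal action comes last
    case "$action" in
        ACCEPT|DROP) echo "iptables -A $chain -j $action" ;;
        REJECT)      echo "iptables -A $chain -j REJECT --reject-with tcp-reset" ;;
        *) echo "unknown action: $action" >&2; return 1 ;;
    esac
}

# sample rule (constructed): block SSH from a private range, logged as "RULE 3 DROP:"
emit_rule 3 10.0.0.0/8 192.168.1.10 tcp 22 DROP "RULE %N %A:"
```

Because every rule owns its chain, adding or removing logging for one rule touches only that chain, and log lines can be traced back to the GUI rule by the expanded prefix; this is the property the per-rule chain design buys.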