Firewall Builder Release Notes
Version 0.9.6
For the first time in this release the code has been split into three
major parts: general API, GUI and compilers. Having base classes in a
separate API library helps us maintain cleaner code and will simplify
development of policy compilers for different firewall platforms.
This release also fixes bugs reported during testing of Firewall Builder
v0.9.5.
What's new in this release:
* Internal code reorganization has been done. Base classes have been
moved to a separate API library. Note that the API library has its own
version number which is different from that of fwbuilder. If you use
pre-built binary packages, please make sure you download and install
three packages:
    * libfwbuilder
    * fwbuilder
    * fwbuilder-iptables
Those who want to compile from source will need to download and unpack
two tar.gz archives: libfwbuilder-0.10.0.tar.gz and
fwbuilder-0.9.6.tar.gz. Each package needs to be compiled and
installed separately using the standard procedure "./configure; make; make
install".
* Firewall Builder Tutorial has been published on the web site. See it
here
* GUI now features "Find" function which provides a way to quickly find
and open an object by its name and type.
* Per feature request #427061, GUI now can show properties of objects in
the tree view. The properties display can be turned on and off in the
global Options dialog
* Objects in the tree are now separated onto two groups: objects created
by user and standard objects coming with Firewall Builder. These two
groups appear in two separate trees.
* GUI has been tested on systems with different screen size and
resolution, different standard font sizes and different GTK themes.
Many dialogs have been corrected
* A few obscure bugs were fixed in the GUI, where the user could accidentally
move an object to an unusual place in the tree using the Copy/Paste mechanism.
* "Host OS" option is now supported for Firewall objects. Depending on
chosen host OS, user can set various kernel options and parameters in
the "Network" dialog tab. Policy compiler includes appropriate code
for the target OS at the beginning of the firewall script.
* Changes to network discovery algorithm:
    * Option controlling whether the crawler will cross point-to-point
      links added
    * Algorithm which detects virtual addresses has been improved
    * Crawler now correctly detects interfaces which are in
      "administratively down" state
    * Minor adjustments in the "Objects Discovery" Druid
* New parameters added to iptables options list:
    * Option "load modules" is back in iptables options in the firewall
      dialog. Our testing showed that some iptables modules do not get
      loaded automatically by the kernel and require manual pre-load.
      Checking this option will cause the policy compiler to generate
      code loading modules "ip_conntrack_ftp" and "ip_nat_ftp".
    * "Accept established TCP sessions after firewall restart" provides
      a way to control whether TCP packets never seen by the firewall
      before and missing the SYN flag would be accepted. This option is ON
      by default, meaning that the firewall would accept TCP sessions
      established before firewall restart.
    * Now the user can set the PATH environment variable in the script
      generated by Firewall Builder. This may be useful in environments
      where iptables is installed in a non-standard directory.
* Changes to policy compiler for iptables:
    * support has been added for the new options mentioned above
    * iptables policy compiler code which generates commands to add ARP
      entries for static NAT has been improved. Now it adds ARP entries
      for both SNAT and DNAT translations using "other" IP addresses
    * iptables compiler now does not add spaces to the custom log
      prefix. Spaces in the log prefix break iptables-save /
      iptables-restore
    * General info is now added at the top of the generated script in the
      form of a shell comment. The info includes a warning saying that the
      script is automatically generated and should not be modified by
      hand, a timestamp, the user name of the user who ran the program and
      the version of Firewall Builder used
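The following is an added illustration and not Firewall Builder's own compiler code: a minimal generator for the top of an iptables script that mirrors the 0.9.6 options listed above (module pre-loading, the "accept established TCP sessions after firewall restart" switch, a custom PATH, and the informational header comment), plus a helper that keeps a custom log prefix free of the spaces that break iptables-save / iptables-restore. The function names, the options dict, the exact rule emitted when the "accept established" option is off, and the 29-character prefix limit (an iptables constraint, not something the notes state) are assumptions made for this example.

```python
"""Added example (not fwbuilder's compiler): emit the preamble of an
iptables script from a small options dict, and sanitize log prefixes."""
import datetime
import os

# iptables rejects --log-prefix values longer than 29 characters
# (iptables limit; assumed here, not stated in the release notes).
LOG_PREFIX_MAX = 29


def sanitize_log_prefix(prefix):
    """Return a prefix safe for --log-prefix.

    Spaces in the prefix break iptables-save / iptables-restore, so each
    run of whitespace becomes a single underscore; the result is then
    truncated to the length iptables accepts."""
    cleaned = "_".join(prefix.split())
    return cleaned[:LOG_PREFIX_MAX]


def script_header(fwb_version, user=None, now=None):
    """Shell-comment header warning that the script is generated."""
    user = user or os.environ.get("USER", "unknown")
    now = now or datetime.datetime.now()
    return [
        "#!/bin/sh",
        "#",
        "# This script is automatically generated; do not edit it by hand.",
        "# Generated: %s" % now.strftime("%Y-%m-%d %H:%M:%S"),
        "# Generated by: %s" % user,
        "# Firewall Builder version: %s" % fwb_version,
        "#",
    ]


def module_load_lines(load_modules, modules=("ip_conntrack_ftp", "ip_nat_ftp")):
    """'load modules' option: modprobe helpers the kernel may not autoload."""
    if not load_modules:
        return []
    return ["modprobe %s" % m for m in modules]


def established_tcp_rules(accept_established, chains=("INPUT", "FORWARD")):
    """'Accept established TCP sessions after firewall restart' option.

    With the option on (the default) nothing restrictive is emitted, so
    TCP packets conntrack has never seen and that lack SYN are handled by
    the rest of the policy. With the option off, such packets are dropped
    explicitly: a TCP packet in state NEW that is not a SYN can only belong
    to a session that predates the restart, so it is refused (assumed
    rule shape for this example)."""
    if accept_established:
        return []
    return [
        "iptables -A %s -p tcp ! --syn -m state --state NEW -j DROP" % chain
        for chain in chains
    ]


def log_rule(chain, prefix, target="LOG"):
    """Logging rule that uses a sanitized custom prefix."""
    return 'iptables -A %s -j %s --log-prefix "%s"' % (
        chain, target, sanitize_log_prefix(prefix))


def generate_preamble(options, fwb_version="0.9.6", user=None, now=None):
    """Assemble the top of the script from an options dict with the
    (assumed) keys path, load_modules and accept_established."""
    lines = script_header(fwb_version, user, now)
    if options.get("path"):
        # Needed where iptables lives in a non-standard directory.
        lines.append("PATH=%s; export PATH" % options["path"])
    lines += module_load_lines(options.get("load_modules", False))
    lines += established_tcp_rules(options.get("accept_established", True))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample options for a stand-alone run.
    opts = {"path": "/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin",
            "load_modules": True, "accept_established": False}
    print(generate_preamble(opts, user="admin"))
    print(log_rule("INPUT", "RULE 7 -- DENY"))
```

Running the module prints a header, a PATH assignment, two modprobe lines, the two DROP rules for non-SYN NEW packets, and a LOG rule whose prefix has had its spaces replaced, which is the shape of output the options above describe; the split on whitespace and the truncation in sanitize_log_prefix are the two checks that keep a user-supplied prefix from producing a rule set that iptables-restore cannot load.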
Bugs fixed in iptables compiler:
* #448693 and #453966: setting rule options did not make any difference
in iptables code produced by policy compiler. In particular, setting
limit on rule did not work
* #449638 and #452070: port mapping did not work in iptables
* #464628: incorrect handling of negations in NAT rules
Bugs fixed in GUI:
* #449133: GUI used to hang if a very long word was entered in the comment
field of a policy rule
* #454812: GUI allowed duplicates in policy rules elements
* fixed bug where incorrect manipulation of clipping rectangles in
policy item widget caused strange effects to happen with other GUI
widgets under some GTK themes
Known issues in this release
* Checkbox "Turn off stateful inspection for this rule" in the rule
options dialog in fact only turns off detection of "NEW" sessions.
Module ip_conntrack, if loaded, will keep track of state anyway, and a
rule matching "ESTABLISHED,RELATED" sessions will match regardless of
the state of this checkbox. We are working on this issue and expect to
fix it in the next release.