File: ReleaseNotes_0.9.6.html

fwbuilder 1.0.0-2
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
 <body>
<h1>		Firewall Builder Release Notes </h1>
<h3> Version  0.9.6   </h3>
<br>
For the first time in this release the code has been split into three
major parts: general API, GUI and compilers. Having base classes in a
separate API library helps us maintain cleaner code and will
simplify development of policy compilers for different firewall
platforms.
<p>
This release also fixes bugs reported during testing of Firewall
Builder v0.9.5.
<br>
<h3>What's new in this release:   </h3>
<br>
<ul>
<li>Internal code reorganization has been done. Base classes have been
moved to a separate API library. Note that the API library has its own
version number, which is different from that of fwbuilder.  If you use
pre-built binary packages, please make sure you download and install
three packages:<p>
<ul>
<li>libfwbuilder</li>
<li>fwbuilder</li>
<li>fwbuilder-iptables</li>
</ul>
<p>Those who want to compile from source will need to download and unpack two
tar.gz archives: libfwbuilder-0.10.0.tar.gz and fwbuilder-0.9.6.tar.gz. Each
package needs to be compiled and installed separately using the standard procedure
"./configure; make; make install".
<p>
</li>
<li><b>Firewall Builder Tutorial</b> has been published on the web site. 
See it <a href="http://www.fwbuilder.org/pages/documents.html">here</a></li>
<li>The GUI now features a "Find" function, which provides a way to quickly
find and open an object by its name and type.</li>
<li>Per feature request #427061, the GUI can now show properties of objects
in the tree view. The properties display can be
turned on and off in the global Options dialog.</li>
<li>Objects in the tree are now separated into two groups: objects created
by the user and standard objects coming with Firewall Builder. These two groups
appear in two separate trees. </li>
<li>The GUI has been tested on systems with different screen sizes and
resolutions, different standard font sizes and different GTK
themes. Many dialogs have been corrected.</li>
<li>A few obscure bugs were fixed in the GUI, where the user could accidentally
move an object to an unusual place in the tree using the Copy/Paste mechanism.</li>
<li>"Host OS" option is now supported for Firewall objects. Depending on
chosen host OS, user can set various kernel options and parameters
in the "Network" dialog tab.  Policy compiler includes appropriate
code for the target OS at the beginning of the firewall script.</li>
<li>Changes to network discovery algorithm:</li>
<ul>
<li>Option controlling whether crawler will cross point-to-point links added</li>
<li>Algorithm which detects virtual addresses has been improved</li>
<li>Crawler now correctly detects interfaces which are in "administratively
down" state</li>
<li>Minor adjustments in the "Objects Discovery" Druid</li>
</ul>
<li>New parameters added to iptables options list:</li>
<ul>
<li>Option "load modules" is back in iptables options in the firewall dialog.
Our testing showed that some iptables modules do not get loaded automatically
by the kernel and require manual pre-load. Turning this option on will
cause the policy compiler to generate code that loads the modules "ip_conntrack_ftp"
and "ip_nat_ftp".</li>
<li>"Accept established TCP sessions after firewall restart" provides
a way to control whether TCP packets never seen by the firewall before
and missing SYN flag would be accepted. This option is ON by default,
meaning that the firewall would accept TCP sessions established before
firewall restart.</li>
<li>The user can now set the PATH environment variable in the script generated
by Firewall Builder. This may be useful in environments where iptables
is installed in a non-standard directory.</li>
</ul>
<li>Changes to policy compiler for iptables:</li>
<ul>
<li>support has been added for the new options mentioned above</li>
<li>iptables policy compiler code which generates commands to add ARP
entries for static NAT has been improved. Now it adds ARP entries for both
SNAT and DNAT translations using "other" IP addresses</li>
<li>The iptables compiler no longer adds spaces to the custom log
prefix. Spaces in the log prefix break iptables-save / iptables-restore.</li>
<li>General info is now added at the top of the generated script in the
form of a shell comment. The info includes a warning saying that the script is
automatically generated and should not be modified by hand, a timestamp,
the user name of the user who ran the program and the version of Firewall Builder
used.</li>
</ul>
</ul>
<br>
<br>
<h3>Bugs fixed in iptables compiler: </h3>
<br>
    <ul>
      <li>#448693 and #453966: setting rule options did not make any
      difference in the iptables code produced by the policy compiler. In
      particular, setting a limit on a rule did not work</li>
      <li>#449638 and #452070: port mapping did not work in iptables</li>
      <li>#464628: incorrect handling of negations in NAT rules</li>
   </ul>
<br>
<h3>Bugs fixed in GUI:</h3>
    <ul>
      <li>#449133: GUI used to hang if a very long word was entered in
      the comment field in the policy rule</li>
      <li>#454812: GUI allowed duplicates in policy rule elements</li>
      <li>fixed bug where incorrect manipulation of clipping rectangles
          in policy item widget caused strange effects to happen with other
          GUI widgets under some GTK themes</li>
    </ul>
<br>
<br>
<h3>Known issues in this release</h3>
<br>
<ul>
<li>The checkbox "Turn off stateful inspection for this rule" in the rule
options dialog in fact only turns off detection of "NEW"
sessions. The ip_conntrack module, if loaded, will keep track of state
anyway, and a rule matching "ESTABLISHED,RELATED" sessions will match
regardless of the state of this checkbox. We are working on this issue
and expect to fix it in the next release.</li>
</ul>
<br>
</body>
</html>