Firewall Builder Release Notes
Version 0.9.7
----------------------------------------------------------------------
What's new in this release:

* We now support the single-floppy router/firewall "floppyfw"
  (http://www.zelow.no/floppyfw/index.html). See the file README.floppyfw
  in the doc directory for instructions. An install script for floppyfw
  is provided, so the generated firewall script can be written to the
  floppyfw floppy disk with a few mouse clicks. The install script and
  documentation are packaged in a separate RPM called fwbuilder-floppyfw.

* Changes in data structures.
  The following new attributes have been added to the XML DTD:
  * Attribute "label", which provides a way to assign an alternative name
    to an Interface. It allows descriptive labels such as "inside",
    "outside" or "dmz" to be attached to interfaces.
  * Each interface now has a new attribute called "security_level".
    The security level is an integer between 0 and 100, where 0 is the
    least secure and 100 the most secure. Some firewall platforms
    (namely Cisco PIX) use this concept. The old flag "external"
    corresponds to security level "0". Conversion from the old data
    format to the new one is transparent and happens automatically when
    a data file is loaded in the fwbuilder GUI v0.9.7 for the first time.
  * Attribute "physAddress" added to Interface. This attribute holds the
    physical address of the interface; for Ethernet this is its MAC
    address.

* New options and features added for iptables:
  * "Clamp MSS to MTU" is supported.
  * New macro for custom log prefixes: "%I" is replaced with the
    interface name.
  * The code for adding static ARP entries uses the /sbin/ip tool. The
    iproute package appears to be standard in all major Linux
    distributions, so this should not be a problem.
  * The firewall script generated by fwb_iptables turns off IP
    forwarding before removing all rules and turns it back on only after
    all rules have been added.
  * Implemented filtering by MAC addresses (feature request #478087).
  * The firewall script writes a log record when activated (feature
    request #476517).
  * The compiler can now optimize the generated script for repeated
    source or destination addresses. It generates a dedicated
    user-defined chain, so the source or destination address is checked
    only once in the INPUT/OUTPUT/FORWARD chains. If there are multiple
    rules with the same source or destination address, all further
    checks are done in the dedicated chain.
  * The compiler can also use the "multiport" module to collapse several
    script lines into one when all parameters are the same and only the
    port numbers differ.
  * The compiler adds an implied iptables rule accepting ESTABLISHED and
    RELATED packets only if the checkbox "Accept ESTABLISHED and RELATED
    packets" in the firewall dialog is checked. This implied rule is
    always placed at the top of the policy script and inspects all
    packets before any user-defined rule. If this behavior is undesired,
    uncheck the checkbox and add a rule using the service "ESTABLISHED"
    to the policy by hand. Such a rule can be placed at any appropriate
    position in the policy, so it will not match packets already matched
    by the rules above it.
  * The predefined standard service "ESTABLISHED" is now part of the
    standard objects database shipped with Firewall Builder. This service
    object is added to existing XML files when a file is loaded in the
    GUI v0.9.7 for the first time. The service produces a rule matching
    ESTABLISHED and RELATED packets, as defined by the ip_conntrack
    module.

* New functions and features in the GUI:
  * The GUI can copy rules between Global and Interface policies and
    between different firewall objects.
  * Added basic support for foreign locales.
  * Implemented an alternative object quick-view method: hovering the
    mouse over an object's icon in the policy can show its properties
    either on the status bar or in a tooltip window.
  * Object "Host" has a new parameter: its MAC address.
  * The dependency on Gnome libraries has been eliminated completely;
    Firewall Builder now needs only GTK and GTK--. This makes it possible
    to port Firewall Builder to other OSes, including MS Windows. It
    should also make it a lot easier to run on Linux systems with KDE.
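To make the iptables compiler features listed above concrete (forwarding switched off around the rule load, the log record on activation, the implied ESTABLISHED/RELATED rule at the top, the dedicated chain for a repeated address, and multiport collapsing), here is a small model of that script generation. It is an added example, not Firewall Builder's own compiler code; the Rule type, the chain naming scheme and the sample policy are assumptions constructed for the illustration.

```python
"""Simplified model of the iptables script generation described in the
release notes. Added example; not Firewall Builder's own code."""
from dataclasses import dataclass, replace
from typing import List, Optional

MULTIPORT_MAX = 15  # the iptables multiport match accepts at most 15 ports


@dataclass(frozen=True)
class Rule:               # assumed rule representation, not fwbuilder's
    chain: str            # INPUT, OUTPUT or FORWARD
    action: str           # ACCEPT, DROP, ...
    src: Optional[str] = None   # address, or None for "any"
    dst: Optional[str] = None
    proto: Optional[str] = None # tcp/udp, or None
    dports: tuple = ()          # destination ports; () means "any"


def collapse_multiport(rules: List[Rule]) -> List[Rule]:
    """Merge consecutive rules that differ only in destination port into
    one rule carrying several ports (the 'multiport' optimization)."""
    out: List[Rule] = []
    for r in rules:
        if out:
            last = out[-1]
            same = ((last.chain, last.action, last.src, last.dst, last.proto)
                    == (r.chain, r.action, r.src, r.dst, r.proto))
            if (same and last.dports and r.dports and r.proto in ("tcp", "udp")
                    and len(last.dports) + len(r.dports) <= MULTIPORT_MAX):
                out[-1] = replace(last, dports=last.dports + r.dports)
                continue
        out.append(r)
    return out


def match_args(r: Rule, skip_src: bool = False, skip_dst: bool = False) -> str:
    parts = []
    if r.src and not skip_src:
        parts.append(f"-s {r.src}")
    if r.dst and not skip_dst:
        parts.append(f"-d {r.dst}")
    if r.proto:
        parts.append(f"-p {r.proto}")
    if len(r.dports) == 1:
        parts.append(f"--dport {r.dports[0]}")
    elif len(r.dports) > 1:
        parts.append("-m multiport --dports " + ",".join(map(str, r.dports)))
    return " ".join(parts)


def chain_name(base: str, addr: str) -> str:
    # assumed naming scheme for the dedicated chain
    return base + "_" + addr.replace("/", "_").replace(".", "_")


def cmd(chain: str, args: str, target: str) -> str:
    return " ".join(p for p in ("iptables -A " + chain, args, "-j " + target) if p)


def emit_rules(rules: List[Rule]) -> List[str]:
    """Emit iptables commands. A run of two or more consecutive rules in one
    chain that share a source (or destination) address goes into a dedicated
    user chain, so the address is tested once and the chain returns to the
    base chain if nothing inside matches. Only consecutive rules are grouped:
    moving a rule past unrelated intervening rules could change which rule
    matches first."""
    lines: List[str] = []
    i = 0
    while i < len(rules):
        r = rules[i]
        key = ("src", r.src) if r.src else (("dst", r.dst) if r.dst else None)
        j = i + 1
        if key:
            while (j < len(rules) and rules[j].chain == r.chain
                   and getattr(rules[j], key[0]) == key[1]):
                j += 1
        if key and j - i >= 2:
            name = chain_name(r.chain, key[1])
            flag = "-s" if key[0] == "src" else "-d"
            lines.append(f"iptables -N {name}")
            lines.append(f"iptables -A {r.chain} {flag} {key[1]} -j {name}")
            for sub in rules[i:j]:
                args = match_args(sub, skip_src=key[0] == "src", skip_dst=key[0] == "dst")
                lines.append(cmd(name, args, sub.action))
            i = j
        else:
            lines.append(cmd(r.chain, match_args(r), r.action))
            i += 1
    return lines


def generate_script(rules: List[Rule], accept_established: bool = True,
                    clamp_mss: bool = False) -> List[str]:
    """Activation script in the order the notes describe: forwarding off,
    flush, log record, implied ESTABLISHED/RELATED rule first, then the
    policy, then forwarding back on."""
    script = ["echo 0 > /proc/sys/net/ipv4/ip_forward",
              "iptables -F", "iptables -X",
              'logger "firewall script activated"']
    if accept_established:
        for chain in ("INPUT", "OUTPUT", "FORWARD"):
            script.append(f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT")
    if clamp_mss:
        script.append("iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu")
    script += emit_rules(collapse_multiport(rules))
    script.append("echo 1 > /proc/sys/net/ipv4/ip_forward")
    return script


SAMPLE_POLICY = [  # constructed sample policy
    Rule("INPUT", "ACCEPT", src="10.0.0.5/32", proto="tcp", dports=(22,)),
    Rule("INPUT", "ACCEPT", src="10.0.0.5/32", proto="tcp", dports=(80,)),
    Rule("INPUT", "ACCEPT", src="10.0.0.5/32", proto="udp", dports=(161,)),
    Rule("INPUT", "DROP", proto="tcp", dports=(23,)),
    Rule("FORWARD", "ACCEPT", dst="192.168.1.10/32", proto="tcp", dports=(25,)),
    Rule("FORWARD", "ACCEPT", dst="192.168.1.10/32", proto="tcp", dports=(110,)),
]

if __name__ == "__main__":
    print("\n".join(generate_script(SAMPLE_POLICY)))
```

Running it on the sample policy shows the 22/80 rules collapsed into one multiport rule, the two remaining 10.0.0.5 rules moved into a dedicated INPUT_10_0_0_5_32 chain behind a single `-s` test, and the two 192.168.1.10 rules collapsed but left in FORWARD because one rule is not worth a chain. With accept_established=False no state rule is emitted, which is the situation in which a hand-placed "ESTABLISHED" rule is needed.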
Bugs fixed in the iptables compiler:

* #478444: Implemented a workaround for a bug in iptables 1.2.3 which
  caused an error when the log level was specified by name. The log level
  can now be specified either by name or by number.
* #475155: The compiler generated incorrect code for REDIRECT NAT rules
  with negation.
* #476520, #480473: Avoid duplicates when adding static ARP entries or
  alias addresses for certain NAT rules.
* #480410: The optimizer used to remove NAT rules with the same address in
  both source and destination. This caused problems in certain network
  configurations where an SNAT rule was necessary to support translation
  for connections from the internal net to a server on the same net,
  using its external URL.
* #480658: Code optimization can now be turned off for NAT rules.
* #480801: Removed a memory leak in the compiler; tested on a policy with
  a large number of rules.

Bugs fixed in the GUI:

* #472344: The icon for a negated service was corrupted.
* #472677: Object properties shown in the tree should have changed when
  the object was edited.
* #472678: The pop-up menu and the object quick view overlapped.