File: ReleaseNotes_2.0.7.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
    <link rel="stylesheet" type="text/css" href="http://www.fwbuilder.org/pages/fwbuilder.css">
  </head>
  <body>
    <h1>Firewall Builder Release Notes</h1>
    <br>
    <h2>Version 2.0.7</h2>
    <br>
    <p>
      Released 05/08/2005
      <br>
      <b>GUI and compilers v2.0.7 require API library libfwbuilder version 2.0.7</b>
    </p>
    <h2>Summary</h2>
    <p>
      This is a bug fix release.
    </p>
    <p>
      <b>For those who wish to build from source, instructions are outlined
        in the document "Install and Build instructions" on our web site <a
          href="http://www.fwbuilder.org/archives/cat_installation.html">here</a></b>
    </p>

    <h2>What's new</h2>
    <ul>
      <li>Improvements in the GUI
        <p>
        <ul>
          <li>implemented feature request #1151220: "Close" button should
            change its caption/title to "Install". When the user clicks the
            "Install" toolbar button or main menu item, the "Close"
            button in the pop-up window that displays compiler progress
            changes its text caption to "Install".</li>
          
          <li>implemented feature request #1151206: "Search for IP
          Addresses". "Find" dialog searches for objects by a
          combination of name and one of the following attributes:
          address, tcp/udp port, ip protocol number or icmp message
          type. Regular expressions can be used for both name and
          attribute.</li>

          <li>Support for SNMP operations has been added in Windows
          packages of Firewall Builder</li>
        </ul>
      </li>

      <li>Improvements in built-in installer:
        <p>
          User can specify additional command line parameters for ssh
          that built-in installer runs to access firewall. This allows
          for alternative ssh port or alternative ssh identity to be
          used when accessing firewall. Parameters can be added in the
          "Installer" tab of firewall settings dialog for all
          platforms.
        </p>
      </li>

      <li>Improvements in compiler for ipfilter fwb_ipf
        <p>
          Added support for dynamic addresses in ipfilter. The actual
          address of a dynamic interface is now determined at run time
          in the policy activation script &lt;firewall_name&gt;.fw
          generated by fwbuilder. If a dynamic interface is used
          anywhere in the policy or NAT rules, the activation script
          replaces it with its actual address before the configuration
          is sent to ipf or ipnat for activation. This run-time
          substitution is done only if the corresponding checkbox is
          checked in the "Script options" tab of the firewall settings
          dialog; the default is to use "any". This is because the
          ipfilter configuration files &lt;firewall&gt;-ipf.conf and
          &lt;firewall&gt;-nat.conf that rely on run-time substitution
          of the dynamic interface address cannot be loaded by the
          standard activation scripts that come with FreeBSD.
        </p>
        <p>
          The generated script uses the function getaddr() to determine
          the address of a dynamic interface. This function falls back
          to 0.0.0.0/32 if the dynamic interface has not been assigned
          an address yet or is down, so an ipfilter policy that uses
          run-time substitution of dynamic interface addresses still
          loads and works even when these interfaces are down or have
          no IP address.
        </p>
      </li>

      <li>Improvements in compiler for iptables fwb_ipt
        <p>
          The generated iptables script sets the default policy to DROP in
          all IPv6 filter chains. More detailed control can be
          implemented using prolog or epilog scripts.
        </p>
        <p>
          Note that this changes the behavior of the generated iptables
          script with respect to IPv6. Until now, the script simply
          ignored IPv6, but some people felt this leaves a hole in the
          firewall and asked me to make the script close it. The generated
          shell code checks whether ip6tables is installed on the
          system and whether it actually works before setting the default
          policies to DROP, so it does not try if ip6tables is
          not installed, or if it is present but IPv6 is not compiled
          into the kernel (in which case ip6tables does not work and
          generates errors).
        </p>
      </li>
    </ul>
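    <p>
      The ip6tables check described above, written out as an added example
      in shell (my own code, not the script fwbuilder generates): the
      default policies are set to DROP only when ip6tables is both present
      and answered by the kernel. The function names and the IP6TABLES
      override are assumptions of this example. It also shows the kind of
      rules an epilog script would have to add, because a bare DROP policy
      on IPv6 also drops the ICMPv6 traffic that neighbor discovery needs.
    </p>

```shell
#!/bin/sh
# Added example, not fwbuilder's generated code: set IPv6 default policies to
# DROP only when ip6tables is installed AND the kernel actually answers it.
# IP6TABLES can be overridden (an assumption of this example) so the logic can
# be exercised with stand-in commands; nothing is applied unless --apply is given.

IP6TABLES="${IP6TABLES:-ip6tables}"

# ip6tables_works: 0 if the tool exists and can list a chain (IPv6 is in the
# kernel), 1 otherwise. A present-but-broken ip6tables fails on -L with errors.
ip6tables_works() {
    command -v "$IP6TABLES" >/dev/null 2>&1 || return 1
    "$IP6TABLES" -L INPUT -n >/dev/null 2>&1 || return 1
    return 0
}

# set_ip6_default_drop: returns 0 when the policies were set, 2 when skipped
# because IPv6 filtering is unavailable, 1 if ip6tables refused a -P.
set_ip6_default_drop() {
    if ! ip6tables_works; then
        echo "ip6tables missing or IPv6 not in kernel; leaving IPv6 alone" >&2
        return 2
    fi
    for chain in INPUT OUTPUT FORWARD; do
        "$IP6TABLES" -P "$chain" DROP || return 1
    done
    return 0
}

# ip6_allow_essentials: what an epilog script would typically add after the
# DROP policies. Without ICMPv6, neighbor discovery (and so IPv6 itself) stops.
ip6_allow_essentials() {
    "$IP6TABLES" -A INPUT  -i lo -j ACCEPT || return 1
    "$IP6TABLES" -A OUTPUT -o lo -j ACCEPT || return 1
    "$IP6TABLES" -A INPUT  -p icmpv6 -j ACCEPT || return 1
    "$IP6TABLES" -A OUTPUT -p icmpv6 -j ACCEPT || return 1
    return 0
}

# Only touch the live ruleset when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    set_ip6_default_drop && ip6_allow_essentials
fi
```

    <p>
      The "is it installed" and "does it work" probes are separate on
      purpose: a host can carry the ip6tables binary from a distribution
      package while its kernel lacks IPv6, and only the -L probe catches
      that case.
    </p>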

    <br>
    <br>
    <hr>


    <br>
    <br>
    <h2>Bugs fixed in GUI:</h2>
    <ul>
      <li>bug #1151052: "Not external interfaces marked as
      external". Dialog for an interface object that belongs to a host
      should not show checkbox "external (insecure) interface"</li>

      <li>bug #1151212: "Collapsed sub-objects shouldn't be added if
      they are hidden". When user selects multiple objects in the tree
      some of which have child objects, those child objects used to be
      also selected and added to groups in addition to their parent
      objects via drag-and-drop operation.</li>

      <li>bug #1151243: "Maintain format of description text". The GUI
      ignored text formatting in the object comment when displaying it in
      the info panel (lower left corner of the main window).</li>

      <li>bug #1155163: "print does not print group contents". The
      program printed only the number of objects contained in object or
      service groups. Now it prints the list of member objects for all
      groups used in rules. If groups contain other groups, they are
      printed recursively.</li>

      <li>bug #1172620: "Add tcp service object for icslap". Added
      this object to the objects library "Standard".</li>

      <li>bug #1184791: "can not copy/paste multiple objects into a
      group"</li>

    </ul>

    <br>
    <br>
    <h2>Bugs fixed in API:</h2>
    <ul>
      <li>
        bug #1158870: "mutexes are not properly created on
        FreeBSD". The mutexes gethostbyname_mutex and gethostbyaddr_mutex
        were never created but were used on operating systems where a
        thread-safe resolver is not available.
      </li>

      <li>bug #1151219: "New Host creation window is not well
      dimensioned". Fixed wrong dialog page layout in the new host
      wizard.</li>

      <li>bug #1157976: "patches to make fwbuilder compile under
      NetBSD 1.6". Applied patches.</li>

      <li>bug #1173801: '"&amp;" character in prolog/epilog'. Needed to
      call xmlEncodeSpecialChars to encode special characters in
      firewall options.</li>
    </ul>

    <br>
    <br>
    <h2>Bugs fixed in policy compiler for iptables fwb_ipt:</h2>
    <ul>
      <li>
        bug #1123748: "busybox grep -E". Busybox in floppyfw is
        compiled without support for egrep (or grep -E). Switched to
        using "plain" grep.</li>

      <li>bug #1160186: 'IPTables Compiler - Multiport Issue'. When 16
      or 31 ports were used in a single rule, the compiler generated a
      command with conflicting options "-m multiport --dport".</li>

      <li>
        bug #1176890: "block IPv6". The generated iptables script sets
        the default policy to DROP in all IPv6 filter chains. More
        detailed control can be implemented using prolog or epilog
        scripts.
        <p>
          Note that this changes the behavior of the generated iptables
          script with respect to IPv6. Until now, the script simply
          ignored IPv6, but some people felt this leaves a hole in the
          firewall and asked me to make the script close it. The generated
          shell code checks whether ip6tables is installed on the
          system and whether it actually works before setting the default
          policies to DROP, so it does not try if ip6tables is
          not installed, or if it is present but IPv6 is not compiled
          into the kernel (in which case ip6tables does not work and
          generates errors).
        </p>
      </li>


      <li>bug #1179103: 'compiled rules can not be
      installed'. The generated iptables script could not be used on
      systems with a non-English locale where the timezone name used local
      characters, because these characters were printed as hex
      ("&amp;#21488;") and the '&amp;' caused problems with the shell. The
      string is now wrapped in single quotes so the shell ignores any
      characters in it. Proper printing of the localized timezone will be
      dealt with later.</li>

      <li>bug #1181359: 'Missing trailing space in "INVALID state"
      syslog message'.</li>

      <li>bug #1195201: "getaddr function return error ip address". Yet
      another change in the way we use grep to find the IP addresses of an
      interface on Linux. We cannot use grep -E (bug #1123748) and need
      to filter out secondary addresses from the "ip addr show"
      output. "grep -v :" neatly solves the problem without extended
      regular expressions, since the labels of aliased secondary
      addresses (eth0:1 and so on) contain a colon.</li>
      
    </ul>
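    <p>
      Behind the multiport bug above is a fixed limit of the iptables
      multiport extension: at most 15 ports per match, with a lo:hi range
      counting as two. As an added example (my own shell, not fwb_ipt's
      code), a function that splits a destination-port list into as many
      "-m multiport --dports" rules as that limit requires; the chain,
      protocol and ACCEPT target are hypothetical and the commands are
      printed, not executed.
    </p>

```shell
#!/bin/sh
# Added example, not fwb_ipt's code: emit iptables commands that spread a
# destination-port list across several "-m multiport --dports" matches.
# xt_multiport accepts at most 15 port slots per match and a range lo:hi
# occupies two of them, so a 16-port list needs a second rule.

MULTIPORT_MAX=15

# multiport_rules CHAIN PROTO PORT... : print one "iptables -A" command per
# group of at most MULTIPORT_MAX slots. Ports may be single numbers or lo:hi.
multiport_rules() {
    chain=$1; proto=$2; shift 2
    group=""; used=0
    for p in "$@"; do
        case $p in
            *:*) w=2 ;;   # a range counts as two ports
            *)   w=1 ;;
        esac
        if [ $((used + w)) -gt "$MULTIPORT_MAX" ]; then
            echo "iptables -A $chain -p $proto -m multiport --dports ${group#,} -j ACCEPT"
            group=""; used=0
        fi
        group="$group,$p"; used=$((used + w))
    done
    if [ -n "$group" ]; then
        echo "iptables -A $chain -p $proto -m multiport --dports ${group#,} -j ACCEPT"
    fi
    return 0
}

# multiport_rule_count CHAIN PROTO PORT... : how many commands would be emitted.
multiport_rule_count() {
    multiport_rules "$@" | wc -l | tr -d ' '
}

# Usage with constructed port lists (one rule, then two):
# multiport_rules INPUT tcp 22 80 443
# multiport_rules INPUT tcp 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
```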
    

    <br>
    <br>
    <h2>Bugs fixed in policy compiler for ipfilter fwb_ipf:</h2>
    <ul>
      <li>bug #1173067: "support for port ranges in NAT rules
      (ipfilter)" - policy compiler for ipfilter should split DNAT
      rules (rdr) that use TCP or UDP objects with port ranges. A
      warning is issued if more than 20 rules are created.
      </li>

      <li>bug #1173064: "support for dynamic interfaces in ipfilter". The
      actual address of a dynamic interface is now determined at run time
      in the policy activation script &lt;firewall_name&gt;.fw generated by
      fwbuilder. If a dynamic interface is used anywhere in the policy or
      NAT rules, the activation script replaces it with its actual address
      before the configuration is sent to ipf or ipnat for activation.
      This run-time substitution is done only if the corresponding checkbox
      is checked in the "Script options" tab of the firewall settings
      dialog; the default is to use "any". This is because the ipfilter
      configuration files &lt;firewall&gt;-ipf.conf and &lt;firewall&gt;-nat.conf
      that rely on run-time substitution of the dynamic interface address
      cannot be loaded by the standard activation scripts that come with
      FreeBSD.
        <p>
        This also fixes another problem in fwb_ipf, where it generated rdr
        and nat commands with address 0.0.0.0/32 if a dynamic interface was
        used in a NAT rule.</p></li>

    </ul>
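    <p>
      The run-time substitution described for the ipfilter entry above,
      together with the Linux getaddr fix in the iptables section (bug
      #1195201), as an added example in shell. This is my own illustration,
      not the getaddr() that fwbuilder writes into the .fw script. The
      functions take the interface tool's output as an argument so they can
      be run against the constructed ifconfig and "ip addr show" samples
      embedded below; the %fxp0% placeholder token, the function names and
      the sample rules are assumptions of this example.
    </p>

```shell
#!/bin/sh
# Added example, not the getaddr() that fwbuilder writes into the .fw script:
# resolve a dynamic interface's address at activation time, fall back to
# 0.0.0.0/32 when the interface is down or has no address, and substitute the
# result into the ipf/ipnat configuration before it is loaded.
#
# Tool output is passed in as text so the functions can be exercised on the
# constructed samples below; a real script would pass "$(ifconfig $if)" on
# FreeBSD or "$(ip addr show $if)" on Linux.

# getaddr IFACE OUTPUT: first IPv4 address in OUTPUT, or 0.0.0.0/32.
# Only plain grep is used (busybox without grep -E, bug #1123748):
# 'inet ' selects IPv4 lines (inet6 lines have no space after "inet"),
# and 'grep -v :' drops alias labels such as eth0:1, so the primary
# address is the first line left (bug #1195201).
getaddr() {
    out=$2
    line=$(printf '%s\n' "$out" | grep 'inet ' | grep -v : | head -n 1)
    set -- $line                        # $1 = "inet", $2 = address[/prefix]
    if [ "$1" = "inet" ] && [ -n "$2" ]; then
        echo "${2%%/*}"                 # strip the CIDR suffix "ip addr" prints
    else
        echo "0.0.0.0/32"               # interface down or unnumbered
    fi
}

# substitute_dynamic IFACE ADDR: rewrite the %IFACE% placeholder on stdin.
# '|' is the sed delimiter because the fallback address contains a '/'.
substitute_dynamic() {
    sed "s|%$1%|$2|g"
}

# resolve_conf IFACE OUTPUT CONF: CONF with the interface's current address
# filled in. Pipe the result to "ipf -Fa -f -" or "ipnat -CF -f -" in a real
# activation script.
resolve_conf() {
    addr=$(getaddr "$1" "$2")
    printf '%s\n' "$3" | substitute_dynamic "$1" "$addr"
}

# Constructed samples (not captured from a real host).
SAMPLE_BSD_UP='fxp0: flags=8843 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 fe80::1%fxp0 prefixlen 64 scopeid 0x1'
SAMPLE_BSD_DOWN='fxp0: flags=8802 mtu 1500'
SAMPLE_LINUX='2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 198.51.100.7/24 brd 198.51.100.255 scope global eth0
    inet 198.51.100.8/24 scope global secondary eth0:1
    inet6 fe80::211:22ff:fe33:4455/64 scope link'
SAMPLE_CONF='pass in quick on fxp0 proto tcp from any to %fxp0% port = 22
block in quick on fxp0 from %fxp0% to any'

# Usage: resolve_conf fxp0 "$SAMPLE_BSD_UP" "$SAMPLE_CONF"
```

    <p>
      One caveat on the fallback: 0.0.0.0 does appear on the wire as a
      source address (DHCP clients send their first requests from it), so a
      rule that ends up matching on 0.0.0.0/32 is not guaranteed to be a
      no-op. Treat the fallback as what the release notes describe, a way
      to keep the policy loadable, rather than as a deny.
    </p>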



    <br>
    <br>
    <h2>Bugs fixed in policy compiler for pf fwb_pf:</h2>
    <ul>
      <li>bug #1176051: "incorrect rule generated for TCP service
      ftp-data". If a rule used several TCP or UDP service objects and
      one of them had a source port range configured, the generated PF
      filter rule incorrectly matched on a combination of that source
      port range _and_ the destination port ranges from all other service
      objects. This bug affected the compilers for OpenBSD PF and ipfilter.</li>
    </ul>

  </body>
</html>