Firewall Builder Release Notes
Version 2.0.4
Released 12/02/04
GUI and compilers v2.0.4 require API library libfwbuilder version 2.0.4
Summary
For those who wish to build from source, instructions are outlined
in the document "Install and Build instructions" on our web site here
What's new
- Improvements in the GUI
- improved error handling: if the GUI is started with a
file on the command line, or is configured to open a file
automatically on startup, and RCS cannot check the file out,
the GUI now comes up empty (with only the standard objects
loaded). Previously, when the GUI was configured to open a
file automatically but the file could not be checked out,
there was no way to cancel the automatic open, because the
GUI never came up.
- Added Japanese translation by Tadashi Jokagi
<elf@elf.no-ip.org>
- Added Russian translation by RusBusinessSecurity Co. Ltd.,
Russia. This translation is fairly complete but is still
considered preliminary. Bug reports and suggestions are very
welcome.
- Improvements in the built-in policy installer
- Improvements in policy compiler for iptables:
- Improvements in policy compiler for pf:
- Activation script for PF now flushes only rules, nat,
source-tracking entries and tables (it used to flush "all").
This preserves queue definitions and the state table.
- Improvements in policy compilers for all platforms:
- added support for prolog and epilog scripts for all
firewall platforms. This was available for PIX for some
time and has now been added for all platforms. The
"Prolog/Epilog" tab of the firewall settings dialog holds
two blocks of commands that are copied verbatim into the
generated firewall script: the prolog block at the top, the
epilog block at the bottom. Both blocks are expected to be
shell code, since they are added to the generated shell
script that activates the firewall. For iptables and ipfw
that shell script is all the compiler generates, so the
prolog and epilog commands are inserted directly into it;
they may perform arbitrary actions as well as add policy or
NAT commands. For ipf and pf the prolog and epilog are added
to the activation shell script (the .fw file), with the
prolog placed immediately after the command that flushes
all rules. This way the user can either run shell commands
or add policy and/or NAT rules by loading them from an
external file. Since both blocks run verbatim with the
privileges of the activation script, their contents deserve
the same review as the policy itself.
- all policy compilers now properly detect an error when the
output file cannot be created or overwritten and print an
error message to warn the user.
- Added element "Target/family" to all OS resource XML
files. Compilers use the "family" resource element to
determine whether a host OS is supported. A user who wants
to modify the installer scriptlets can copy the host OS
resource file; as long as the family element is left
unchanged, the compiler accepts the new resource file.
Bugs fixed in GUI:
- bug #1077072: "CrossPlatform Firewall Builder Crash" -
pressing arrow down key on the keyboard right after the GUI
started with no firewall objects defined caused crash.
- bug (no num): if a library was assigned a name with
non-ascii characters, it would appear distorted in the pull-down
list in object dialogs.
- bug (no number), introduced in 2.0.3: the GUI crashed if the
user chose a pull-down menu item in the firewall list right
after the very first firewall object had been created.
- bug (no number): group object dialog corrupted object names
if they contained non-ascii characters.
- bug #1046345: "ipfw - no option to specify ipfw
executable". Added a GUI control that lets the user specify an
alternative path to "ipfw" on FreeBSD. Such a control was
previously available only for Mac OS X.
- bug #1028866: "incorrect order when several rules copied
using copy/paste". Pasting multiple rules into an empty policy
caused rules to be inserted in the wrong order.
- bug (no number): Policy installer failed if all of the
following conditions were met:
- it was running on Linux, FreeBSD or Mac OS X
- the working directory configured in the "General" tab of
the Preferences dialog did not exist and could not be
created, or its permissions did not allow the user running
the GUI to access it
- Added #include to make code compile with gcc 3.4.2
and glibc 2.3.3
- bug (no number): on Windows the GUI could not find the names
of object libraries in external library files that the user
added for automatic load in the Preferences dialog. It found
the library name in the first file but failed to find the
names in subsequent files and reused the name from the first
file. Since that library was only present in the first file,
the object tree became corrupted when the program attempted
to load it from every file configured for automatic
pre-load. This only happened on Windows.
Bugs fixed in API:
- bug #1077496: "Error compiling libfwbuilder in FreeBSD".
The problem was caused by the changed major version number of the libnetsnmp library
in the latest net-snmp port (v5.2).
- bug #1055937: "Any->all_multicasts not in INPUT Chain". The
compiler needs to check whether network objects are multicast
addresses and assume that a multicast destination always
matches the firewall object (e.g. fwb_ipt puts a rule with
such a network object in the destination in the INPUT
chain).
- bug #1040773: need to match the network address as well as
the broadcast address. Packets sent to the network address
(192.168.1.0 for net 192.168.1.0/24) are carried in a
broadcast frame and behave just like IP broadcast packets
(sent to 192.168.1.255 for the same net), so they must be
matched the same way.
- bug (no number): the rule shadowing algorithm now assumes that
an IPService object with protocol number '0' shades any other
service, just like 'any' does.
- bug (no num): the rule shadowing algorithm checks IP flags
in IP service objects. An IP service object with protocol 0
shades anything only if all its flags are cleared. Two IP
services shade each other only if they are completely equal
(same protocol and the same flag settings). However, an IP
service with protocol 0 shades another IP service with
protocol != 0 if all flag settings are the same.
- change in the object database merge algorithm: when an
object database we are trying to merge has non-empty "Deleted
objects" library, deleted objects from this library should be
ignored (they used to be deleted from the current
tree). Likewise, when current tree has non-empty "Deleted
objects" library and objects in it match objects being merged
in, objects should be removed from "Deleted objects" library to
avoid creating duplicate IDs with objects being merged in.
- bug (no number): program crashed on FreeBSD 5.3 when using
SNMP to obtain parameters for hosts and interfaces. Crash
occurred because of use of uninitialized mutex variables in
module dns.cpp
- bug (no number): The API used to corrupt CustomService
object while saving data to the XML file if service code
included special characters such as '&'
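The two chain-placement fixes above (bug #1055937, multicast destinations, and bug #1040773, the network address behaving like a broadcast) come down to one question: can a packet with this destination be delivered to the firewall itself, so that the rule must also appear in the INPUT chain? The following is an added example written for these notes, not fwbuilder's or libfwbuilder's own code. The firewall interfaces, the address_object() helper and the rendered iptables command format are assumptions made for the example.

```python
import ipaddress

# Constructed firewall object for the example: interface addresses as the
# compiler would know them from the firewall's interface objects.
FW_INTERFACES = {
    "eth0": ipaddress.ip_interface("192.168.1.1/24"),
    "eth1": ipaddress.ip_interface("10.0.0.1/8"),
}


def address_object(spec):
    """Parse "a.b.c.d" into an address object and "a.b.c.d/n" into a
    network object, standing in for host vs. network objects in a policy."""
    return ipaddress.ip_network(spec) if "/" in spec else ipaddress.ip_address(spec)


def local_destinations(fw_interfaces):
    """Destination addresses for which a packet is delivered to the firewall
    itself: every interface address plus the network address and the
    directed broadcast address of each interface's subnet.  The network
    address is included because packets sent to it travel in a broadcast
    frame and behave like IP broadcasts (bug #1040773)."""
    addrs = set()
    for iface in fw_interfaces.values():
        addrs.add(iface.ip)
        addrs.add(iface.network.network_address)
        addrs.add(iface.network.broadcast_address)
    return addrs


def destination_reaches_firewall(dst, fw_interfaces):
    """True if a packet addressed to `dst` (a single address or a network
    object) may be delivered locally.  Multicast destinations are assumed to
    always match the firewall (bug #1055937); any other destination must
    contain one of the locally delivered addresses."""
    if dst.is_multicast:
        return True
    local = local_destinations(fw_interfaces)
    if isinstance(dst, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return any(addr in dst for addr in local)
    return dst in local


def chains_for_destination(dst, fw_interfaces):
    """Chains a rule with destination `dst` must be placed in: locally
    delivered traffic is seen in INPUT, transit traffic in FORWARD."""
    chains = ["FORWARD"]
    if destination_reaches_firewall(dst, fw_interfaces):
        chains.insert(0, "INPUT")
    return chains


def iptables_commands(dst, target, fw_interfaces):
    """Render one iptables command per chain (illustrative command format)."""
    return [f"iptables -A {chain} -d {dst} -j {target}"
            for chain in chains_for_destination(dst, fw_interfaces)]


if __name__ == "__main__":
    for spec in ("224.0.0.0/4", "192.168.1.0", "192.168.1.255",
                 "192.168.1.77", "172.16.0.0/12"):
        for cmd in iptables_commands(address_object(spec), "ACCEPT", FW_INTERFACES):
            print(cmd)
```

Without the network address in local_destinations(), a rule whose destination is the host object 192.168.1.0 would be generated for FORWARD only and the broadcast-framed packets that actually arrive at the firewall would never be matched.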
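The shadowing rules for IP service objects described in the two "rule shadowing algorithm" entries above can be stated as a single predicate plus a scan over a rule list. The following is an added example, not libfwbuilder's implementation; the IPService model (protocol number plus a set of IP option flag names) and the flag names used in it are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IPService:
    """A generic IP service object: protocol number plus the set of IP
    option flags that are set on it.  Protocol 0 stands for "any IP
    protocol".  The flag names are an assumption of this example."""
    protocol: int
    flags: frozenset = frozenset()


def shades(earlier: IPService, later: IPService) -> bool:
    """True if a rule matching `earlier` makes a following rule matching
    `later` unreachable.

    - identical objects shade each other;
    - protocol 0 with all flags cleared matches every packet and shades
      anything;
    - protocol 0 with flags set shades only services with exactly the same
      flag settings, whatever their protocol;
    - a specific protocol shades nothing but an identical object.
    """
    if earlier == later:
        return True
    if earlier.protocol == 0:
        return not earlier.flags or earlier.flags == later.flags
    return False


def find_shadowed(services):
    """Map the index of each shadowed service to the index of the first
    earlier service that shades it, scanning the list in rule order."""
    shadowed = {}
    for i, later in enumerate(services):
        for j in range(i):
            if shades(services[j], later):
                shadowed[i] = j
                break
    return shadowed


if __name__ == "__main__":
    any_ip = IPService(0)
    any_lsrr = IPService(0, frozenset({"lsrr"}))
    gre = IPService(47)
    gre_lsrr = IPService(47, frozenset({"lsrr"}))
    print(find_shadowed([any_lsrr, gre_lsrr, gre, any_ip, gre]))
```

A shadowed rule is never wrong by itself, but it is dead policy: a later "deny GRE" behind an earlier "accept any IP" is exactly the kind of entry a reviewer should be told about before the script is installed.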
Bugs fixed in policy compiler for iptables fwb_ipt:
- bug #1073491: incorrect code for rules using two interfaces
with negation. If a rule had two (or more) interfaces of the
firewall in the destination, with negation, the code generated
by the compiler checked one interface's address in the INPUT
chain and the other in the FORWARD chain. It should check the
addresses of all interfaces from the negated rule element in
the INPUT chain, and also check the addresses and possibly
services from the other rule elements in the FORWARD chain.
This bug affected rules with two or more interfaces in the
source as well as in the destination.
- bug #1040788: fwb_ipt and user name. The compiler used to read
the environment variable "USER" to find the user's name.
Sometimes this variable is not set, which caused the compiler
to abort. It now also checks the environment variable LOGNAME.
- bug #1040599: "unnecessary FORWARD rules". If ip forwarding
is turned off in the host settings dialog of the linux-based
firewall, compiler should not generate rules in FORWARD
chain.
- bug (no number): compiler placed extra quote '"' at the end
of each NAT command in the script using iptables-restore; this
happened only if all interfaces of the firewall had static
addresses.
- bug (no number) in fwb_ipt that caused no-nat rules with
firewall in OSrc to be placed only in OUTPUT chain. Packets
originating on the firewall go into OUTPUT and POSTROUTING
chains, so no-nat rules must be placed in both. Other minor
improvements for NAT of the locally originated connections have
been done as well.
- bug (no number): the compiler for iptables used option
"--destination-port" with module "multiport" for versions of
iptables that do not understand it (1.2.6 and later, as well
as the default version setting 'any'). The option should be
"--destination-ports" or "--dports".
- bug #1063953: "Wrong accept/multiport rule
generated". The compiler generated wrong code for rules that
combined multiple service objects of different types (TCP and
UDP, or TCP and ICMP, etc.) with multiple addresses in src or
dst and the REJECT action option that requires a TCP RST
reply. This bug was introduced in build 453.
- bug (no number): the policy compiler for iptables used "tail -1"
in the shell script that reads the actual IP addresses of the
firewall's interfaces. This shell code failed to determine the
correct address of an interface configured with a secondary
address. Reverted to using grep (I switched to tail when I ran
into limitations of one of the beta builds of Sveasoft Linksys
firmware that did not have grep).
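The "tail -1" problem above is easy to reproduce on paper. The following is an added example, not the script fwbuilder generates: it models the two selection strategies over a constructed `ip -4 addr show dev eth0` listing with one secondary address. Which command the real script parses, and the exact grep expression it reverted to, are not stated in the notes; selecting the first line not marked "secondary" stands in for it here.

```python
# Constructed output of `ip -4 addr show dev eth0` for an interface with a
# primary address and one secondary address (example data, not captured
# from a real host).
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet 192.168.1.2/24 brd 192.168.1.255 scope global secondary eth0
    inet6 fe80::211:22ff:fe33:4455/64 scope link
"""


def inet_lines(output):
    """Lines that `grep 'inet '` keeps: IPv4 only, since "inet6" is not
    followed by a space."""
    return [line.strip() for line in output.splitlines()
            if line.strip().startswith("inet ")]


def address_via_tail(output):
    """What `grep 'inet ' | tail -1` yields: the last inet line, which is
    the secondary address whenever one is configured."""
    lines = inet_lines(output)
    return lines[-1].split()[1].split("/")[0] if lines else None


def primary_address(output):
    """The first inet line not marked secondary: the interface's primary
    address, regardless of how many aliases follow it."""
    for line in inet_lines(output):
        fields = line.split()
        if "secondary" not in fields:
            return fields[1].split("/")[0]
    return None


if __name__ == "__main__":
    print("tail -1 picks:", address_via_tail(SAMPLE_IP_ADDR))
    print("primary is:  ", primary_address(SAMPLE_IP_ADDR))
```

The practical consequence is that every generated rule that substitutes the interface address at activation time would have been built around the alias, not the address the policy was written for; a script that resolves addresses at run time should be checked on a host that has secondary addresses before it is trusted.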