Firewall Builder Release Notes
Version 2.0.5
Released 01/07/05
GUI and compilers v2.0.5 require API library libfwbuilder version 2.0.5
Summary
This is a bugfix release; its main focus is on internationalization and usability
For those who wish to build from source, instructions are outlined
in the document "Install and Build instructions" on our web site here
What's new
- Improvements in the GUI
- Fixed many places where strings were not properly marked
for localization; this led to the GUI showing '????'
instead of text in some menu items and dialogs in
non-English locales
- properly synchronizing the state of main menu items with
the state of the corresponding items in the pop-up menu that
appears when the user right-clicks an object in the tree
- fixes for non-localized text strings in dialogs (mostly
"Continue", "Yes"/"No" etc. in many places)
- proper localization of the human-readable version number
text for iptables; also made info window print readable text
instead of "lt_1.2.6"
- cosmetic changes in some dialogs layout to make the look
better when localized text makes strings much longer
- firewall object dialog tab "Templates" has been hidden. It
is unlikely that this feature will be implemented in 2.0.X
series.
- Streamlined logic in the object editor dialog. This improves
handling of the situation where the user closes the dialog by
clicking [x] while 1) there is unsaved data and/or 2) some of
the object's parameters have illegal values. The dialog behavior
also depends on the setting of the global flag "Autosave", which
causes the dialog to save data automatically when the user
switches between objects.
- when the user opens a data file in the old format (fwbuilder
v1.1.x, extension .xml) and, after the automatic upgrade, the
program discovers that a file with the same name and the
extension .fwb already exists, it offers the user a chance to
choose a different name. If the user clicks "Cancel" at this
point, the program cancels the operation and reverts the upgraded
data file to its original name and version.
- improved behavior of the main menu "Edit" as well as the
pop-up menu that appears when the user right-clicks an
object in the tree. The menu item "Paste" is only enabled
if the clipboard is not empty and the objects stored in
it can be pasted into the object selected in the tree.
- when the user clicks the menu item "File/Open" to open a
different file, the GUI saves and closes the currently opened
file only after the user has chosen the new file. If the user
clicks Cancel in the File/Open dialog, the operation is
cancelled and the user can continue working with the currently
opened file. The same applies to File/New.
- implemented feature request: colors that are used to
color rules can be changed in Preferences dialog.
- main menu item "Object/New Object/Address" and
corresponding toolbar button always creates an Address
object under Objects/Addresses folder in the tree. Address
of an interface can be created using pop-up menu item "Add
IP Address"
- Pull-down menu "On startup" in the "General" tab of the
preferences dialog now has three items: "Load standard
objects", "Load last edited file" and "Ask user what to
do". The last item is default.
- Updated Japanese and Russian translations
Bugs fixed in GUI:
- bug (no num): the GUI crashed when user tried to add a
library file for auto-load in Preferences/Libraries and the
first library object in that file had a name using non-ascii
characters
- bug (internal #34) the program should issue a warning when
user tries to add a library file (.fwl) that contains object
library that already exists in the opened data file.
- bugfixes for the behavior of the object editor dialogs. When
the user clicks [x] to close the editor dialog, the dialog now
first asks whether the user wants to save the data and only then
validates it. It used to validate the data first and then ask
whether the user wanted to close the dialog.
- bug (localization): RCS log entries made using non-ascii
characters used to appear as '???' in Open File and
File/Properties dialogs.
- localization was broken on win32 and mac os x because
translation files were not installed properly. Now fixed.
- bug #1092810: "Multiline RCS comments are shown as a single
line on windows". As it turned out, this bug affected all
platforms.
- bug (no num) that caused a GUI crash when the user created a
new firewall object using a template with three interfaces.
Bugs fixed in API:
- bug #1068119: "additional whitespace for Rule comments in
.fw file". Added extra space between rule number and interface
spec in rule comments.
Bugs fixed in policy compiler for iptables fwb_ipt:
- bug #1089586: "default --icmp-type value is 0 in iptables <
1.2.9". The problem concerns policy rules that use the service
object "any ICMP"; such a rule is supposed to match any ICMP
packet. A few versions ago the compiler started adding the option
"-m icmp" (and "-m udp", "-m tcp") because iptables-restore on
some systems (Linksys Sveasoft firmware, iptables v1.2.11)
refused to load rules without it. It now turns out that iptables
v < 1.2.9 (tested on 1.2.6a and 1.2.7a) implicitly adds the
equivalent of "--icmp-type 0" to rules with "-p icmp -m icmp"
and no "--icmp-type" option. Since type 0 is ICMP echo reply,
such a rule does not match "any ICMP" as intended. iptables
1.2.9 implicitly adds "--icmp-type 255" instead, which matches
any ICMP type; using "--icmp-type 255" explicitly on iptables
1.2.6 and 1.2.7 does not work either (the rule does not match
ICMP packets with a type other than 255). The fix generates
"-p icmp -m icmp --icmp-type any" for iptables 1.2.9 and later,
and also when the iptables version is not specified in the
firewall object settings. It generates just "-p icmp" for
versions < 1.2.9.
- bug #1092141: "irritating FORWARD rule for established
connections". The rule in the FORWARD chain is now generated only
if IP forwarding is turned on or set to "no change".
- bug #1059393: "function getaddr failed for
eth1.0020". The generated script now works with interfaces that
have a dot in their name (such as the VLAN interface "eth1.0020").
Bugs fixed in policy compiler for ipfw fwb_ipfw:
- bug #1089866: "multiple services in one rule confuses ipfw
compiler". If several UDP or TCP objects were used in the same
policy rule and these service objects had source port ranges
defined, the compiler would produce incorrect code by combining
source port range specifications together in the same ipfw
command.
- bug #1093461: "problem with 'established' in ipfw". Ipfw
requires protocol to be set to 'tcp' if option 'established' is
used in a rule.
- bug #1093472: "ipfw port range(s) errors". There can only be
one port range in a single ipfw rule.
- bug #1093620: "path (to ipfw) with spaces fails". The generated
script failed if the path to ipfw contained a space. The workaround
covers only the path to ipfw; the paths to sysctl and logger are
assumed to be standard and must not contain spaces.
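The failure behind bug #1093620 is ordinary shell word splitting: an unquoted `$IPFW` whose value contains a space is handed to the shell as two words. The script below is an added example, not Firewall Builder's own generated ipfw script; it builds a fake ipfw in a temporary directory whose name contains a space, runs it both ways, and shows why every invocation in a generated script has to quote the variable.

```sh
#!/bin/sh
# Added example, not Firewall Builder's generated script. It shows the
# word-splitting problem behind a tool path that contains a space and the
# quoting that fixes it. The fake ipfw created here only echoes its arguments.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/my tools"
cat > "$WORK/my tools/ipfw" <<'EOF'
#!/bin/sh
printf '%s\n' "$*"
EOF
chmod +x "$WORK/my tools/ipfw"

IPFW="$WORK/my tools/ipfw"

# Broken: unquoted $IPFW is split at the space, so the shell looks for a
# command named "$WORK/my" and passes "tools/ipfw" as its first argument.
run_unquoted() {
    $IPFW add 100 allow ip from any to any 2>/dev/null
}

# Fixed: double quotes keep the whole path as a single word. Every later
# invocation in the script must be quoted the same way or the fix is partial.
run_quoted() {
    "$IPFW" add 100 allow ip from any to any
}

if run_unquoted; then
    echo "unquoted form unexpectedly worked"
else
    echo "unquoted form failed: the path was split at the space"
fi
run_quoted
```

The same rule applies to any other tool path a generated script takes from a variable; the release notes' restriction that sysctl and logger live at standard paths is what makes leaving those unquoted safe.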