Firewall Builder Release Notes
Version 2.0.2
Released 08/31/04
GUI and compilers v2.0.2 require API library libfwbuilder version 2.0.2
Summary
Firewall Builder GUI v2.0.2 is a maintenance release that includes
fixes for bugs discovered since 2.0.1 was released.
For those who wish to build from source, instructions are outlined
in "Install and Build instructions".
General
- Updated FreeBSD ports, tested on 5.3-BETA
New standard objects
- added new service objects to the Standard objects library:
"xmas scan" (old object renamed "xmas scan - full"), rsync,
distcc, cvspserver, cvsup, afp, whois, bgp, radius and radius
acct, SSDP and UPnP.
New template objects
- added template firewall objects for Linksys firewall and a
web server.
New features in policy compiler for PF
- Implemented support for all timeout settings in pf:
tcp.first, tcp.opening, tcp.established, tcp.closing, tcp.finwait,
tcp.closed, udp.first, udp.single, udp.multiple, icmp.first,
icmp.error, other.first, other.single, other.multiple,
including adaptive timeout scaling options adaptive.start and
adaptive.end
- Added support for options "max", "max-src-nodes" and
"max-src-states" in pf. These limit the number of
concurrent state table entries ("max"), the number of source
addresses that can simultaneously have state table entries
("max-src-nodes") and the number of simultaneous state entries per
source address ("max-src-states") per rule.
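For reference, a hand-written pf.conf fragment using these timeout and state-limit settings. It is an added example, not output of the Firewall Builder compiler; the interface name, the address and all numeric values are assumptions.

```pf
# Constructed example, hand-written; not Firewall Builder compiler output.
ext_if = "em0"            # assumed external interface
web    = "192.0.2.10"     # assumed web server (documentation address)

# Global state timeouts, in seconds. Shorter half-open and closing timers
# free state entries faster when many connections never complete.
set timeout { tcp.first 30, tcp.opening 15, tcp.established 3600 }
set timeout { tcp.closing 60, tcp.finwait 30, tcp.closed 30 }
set timeout { udp.first 30, udp.single 15, udp.multiple 30 }
set timeout { icmp.first 10, icmp.error 5 }
set timeout { other.first 30, other.single 15, other.multiple 30 }

# Adaptive scaling: once the state table holds adaptive.start entries,
# all timeouts are scaled down linearly and reach zero at adaptive.end.
set timeout { adaptive.start 6000, adaptive.end 12000 }

block in log on $ext_if all

# Per-rule limits on state created by this rule:
#   max            : at most 500 concurrent state table entries
#   max-src-nodes  : at most 100 source addresses holding state at once
#   max-src-states : at most 5 simultaneous state entries per source address
pass in on $ext_if proto tcp from any to $web port 80 \
    flags S/SA keep state (max 500, max-src-nodes 100, max-src-states 5)
```

The fragment can be syntax-checked without loading it by running `pfctl -nf` on the file.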
Bugs fixed in libfwbuilder API:
- added element physAddress to list of child elements of
Library (bug #1011617)
- bug #1012733: "configure --libdir=DIR will be ignored at
installation". Needed to use macro _libdir to specify target
directory for libraries. Used it in configure, qmake.in,
libfwbuilder-config-2 and a .spec file. Code should compile and
install in correct place on 64-bit systems.
Bugs fixed in GUI:
- bug #1019691: "040829 nightly build doesn't add paths for
linksys"
- bug #1013177: "deleting multiple hosts causes crash"
- bug #1009345: "Can only move one host object at a time
between libraries"
- bug #1013018: "host OS settings" dialog is missing for
linksys. Added host OS settings dialog for
linksys/Sveasoft. The dialog provides entry fields for paths to
the iptables, lsmod, modprobe and logger tools and for two shell
prompt string patterns; this should help to work around changes in
the shell prompt on Linksys.
- bug #1013022: "can not install policy script on linksys
Alchemy pre-5.2". Built-in installer uses shell prompt string
patterns configured in the host OS settings dialog for
linksys.
- bug #1008956: "Existing .fwb file gets overwritten if has
wrong extension". If the GUI needs to rename a data file with
old extension .xml to .fwb, it checks if a file with the new
extension exists and offers the user a chance to choose a different
name. It also treats symlinks in a special way: if the user creates
a symlink with extension .xml pointing at a file with extension
.fwb, the GUI simply follows the link and works with the .fwb
file. This should work with Windows shortcuts, too.
- bug #1013485: "File/Import should allow to import .fwb
file". Function File/Import offers a choice of .fwl, .fwb and
"all files" in the open file dialog.
- bug #1011248: "need two xmas scan service objects".
- bug #1013957: "incorrect NAT rule in firewall created from
template #3". The problem was caused by incorrect ip address of
interface "dmz" in the template object #3.
- bug #1014725: "adding new ICMP types". If the user created a
service group with the name "ICMP", the GUI would place new ICMP
objects under this group instead of the standard folder
"ICMP". There was the same problem with other object types, too.
- bug #1015884: "Export more than one library fails with 0
references". Export library operation failed if the user exported
two libraries with groups or rules in one library referencing
objects in the other.
Bugs fixed in iptables policy compiler fwb_ipt:
- bug #1005148: "MAC matching - space missing". Space was
missing between MAC address and custom service code.
- avoiding grep in the script generated for Linksys/Sveasoft
firewall, because Sveasoft Alchemy pre-5.2.3 does not have grep
- bug #1019943: "Missing ip addresses in the rule using
interfaces"
Last modified: Tue Aug 31 20:38:55 PDT 2004