Firewall Builder Release Notes
Version 1.0.9
GUI and compilers v1.0.9 require API library libfwbuilder version 0.10.13
Summary
For those who wish to build from source, instructions are outlined
in the document "Install and Build instructions" on our web site.
What's new
- General improvements:
  - added support for unnumbered interfaces in all policy
    compilers. Feature req. #546881: "Unnumbered Interfaces cause bad
    compile".
  - added support for physAddress (MAC address) as a separate
    object in the GUI and compilers.
  - moved user's preferences from the file $HOME/.fwbuilder.xml
    to $HOME/.fwbuilder/prefs.xml
  - Firewall Builder compiles and works on Mac OS X. We can build
    fink packages now.
  - changed term 'shading' to 'shadowing' everywhere.
  - Added a page to the "New Firewall" druid that allows the
    administrator to assign security levels to interfaces. This should
    reduce the risk of user error or misunderstanding and ensure that the
    new firewall object is created with all necessary information.
  - "New Firewall" druid can discover interfaces of the new
    firewall using SNMP.
- Improvements in policy compiler for iptables:
  - implemented feature req. #651268: network rules should include
    firewall. fwb_ipt now generates commands for INPUT/OUTPUT chains
    for rules using the network to which an interface of the firewall
    belongs.
- Improvements in policy compiler for pf:
  - Compiler puts NAT and policy rules into the same file with
    extension .conf. Just copy this file to the firewall machine as
    /etc/pf.conf to load the firewall policy from the standard rc
    scripts.
  - "Scrub" option is now processed through the global firewall
    option (checkbox in "Firewall" tab of the Firewall object dialog).
  - Added support for the "fragment" option for IP service objects
    with "short_fragment" or "fragment" options.
Bugs fixed in the GUI:
- fixed bug #617904: snmp does not get multiple addresses. The
crawler and the tool that discovers host's interfaces using SNMP
now find and create appropriate IPv4 objects for interfaces that have
multiple addresses.
- fixed bug #659782: Wrong netmask in standard object
net-192.168.0.0
- fixed bug #637154: seg fault on snmp get / undo.
- fixed bug #673261: Printouts do not show negation. Printing
transformations should show negated objects and skip disabled
rules.
Bugs fixed in iptables policy compiler fwb_ipt:
- fixed bug #645127: DNAT with MAC address. Now compiler for
iptables supports MAC address matching in NAT rules.
- implemented fix suggested in bug report #653250: Order of match
option in ULOG target (target -j ULOG put in the output script after
limit options).
- fixed bug #659201: Problems with "busybox modprobe". Generated
script should check if netfilter module is already loaded before
calling modprobe to load it.
- fixed bug #662465: problem in rules with negation if fw has
dynamic interface. fwb_ipt generated incorrect code for rules where
the firewall object was part of a rule element with negation and one
of the firewall's interfaces had a dynamic address. The new algorithm
properly handles this situation using OUTPUT/INPUT chains, although
it generates slightly redundant code.
- fixed bug #663506: wrong chain if address range includes
firewall interface. Compiler used to choose the wrong chain if an address
range object was used in the source or destination of the rule and the
address range started with the address of an interface of the
firewall. The generated code was also incorrect if the range did not
start with the address of the firewall, but included it in the
middle.
- improved fix for bug #662465 - rules where the firewall object is used
with negation now use a combination of INPUT/OUTPUT and FORWARD chains
and do not use the firewall's addresses at all.
- fixed bug #664810: Compiler generates wrong multiport
list. Compiler used to add extra comma at the end of the list of
port numbers for module multiport if objects "Any UDP" or "Any TCP"
were used.
- fixed bug #662132: ver 1.0.8 does not create the virtual ip for
the nats. Now compiler creates virtual addresses using all Address
objects of the firewall interfaces in addition to addresses used in
the NAT rules. If the address it is trying to add already exists, it
just skips it.
- fixed bug #676828: Missing "NONE" keyword in rules built for
TCP objects matching on packets with no TCP flags.
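The check described for bug #659201 above (call modprobe only when the netfilter module is not already loaded), as an added example in POSIX shell. This is not the script fwb_ipt generates; the MODULES_FILE and MODPROBE variables are assumptions introduced here so the check can be exercised against a constructed module list without touching the kernel.

```shell
#!/bin/sh
# Added example, not fwb_ipt output: load a netfilter module only if it is
# not already listed in /proc/modules, so a busybox modprobe (which may fail
# on a module that is already loaded) is never called for a loaded module.

MODULES_FILE="${MODULES_FILE:-/proc/modules}"   # assumption: overridable for tests
MODPROBE="${MODPROBE:-modprobe}"                 # assumption: overridable for tests

# module_loaded NAME -> exit 0 if NAME appears in the first column of
# /proc/modules. The kernel lists names with '_' even when the module
# was requested as 'ip-tables', so normalise dashes first.
module_loaded() {
    name=$(printf '%s' "$1" | tr '-' '_')
    # /proc/modules lines look like: "ip_tables 12345 2 iptable_filter, Live ..."
    awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' "$MODULES_FILE"
}

# load_module NAME -> call modprobe only when needed; return its status.
load_module() {
    if module_loaded "$1"; then
        echo "$1: already loaded, skipping modprobe"
        return 0
    fi
    "$MODPROBE" "$1"
}

# Usage: ./load_modules.sh ip_tables iptable_filter ipt_state ...
if [ $# -gt 0 ]; then
    for m in "$@"; do
        load_module "$m" || exit 1
    done
fi
```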
Bugs fixed in ipfilter policy compiler fwb_ipf:
- fixed bug #671623: bad syntax for NAT proxies. Ipfilter does not
like destination port specification when it is given together with
proxy specification.
Bugs fixed in pf policy compiler fwb_pf:
- fixed bug #649195: "name of dynamic interface appears in
rules". In order to fix this bug, we have introduced a new type of
interface - an unnumbered interface. An unnumbered interface can
never have an IP address and won't appear in the policy rules, however
it can have a policy associated with it.