Firewall Builder Release Notes
Version 2.1.16
Released 12/20/2007
GUI and compilers v2.1.16 require API library libfwbuilder version 2.1.16
Summary
An unfortunate bug introduced in 2.1.15, which broke the generated
iptables firewall script when the option "use iptables-restore" was on,
is fixed in this release. Additional checks were added to the generated
iptables script to improve error detection and make sure the GUI
properly detects when the script terminates with an error. Support for
load balancing with PF was also added.
For those who wish to build from source, instructions are outlined in
the document "Install and Build instructions" on our web site here.
The GUI code is in a freeze for the QT4 conversion. I will fix bugs in
policy compilers but will try to avoid changes in the GUI. A new GUI
based on QT4 will be released next spring, when KDE4 is included in all
major Linux distributions and FreeBSD. There will be bugfix releases
for v2.1 if necessary.
Improvements and bug fixes in the GUI
- applied patch #1849500: "tooltip patch for
tcpservicedialog_q.ui". Additional tooltips in the TCP Service dialog
explain the function of TCP flag masks and settings.
- fixed bug #1850346: "GUI has 2 views on which actions should be
stateless". Even though the GUI made rules with action Route stateful
by default, the code that determined whether the combination of options
of a given policy rule was the default assumed these rules should be
stateless.
- applied patch #1850368: 'PF 3.7 has support for "set skip
on"'. The patch by tomjudge@users.sourceforge.net extends support for
the "set skip on" option to PF 3.7.
- fixed bug #1850352: "Install script wrongly completes
successful". Added more checks to the installer scriptlet to make it
properly terminate with a non-zero exit code if iptables-restore
returned an error. Previously the "echo" at the end of the generated
script masked the error code returned by iptables-restore and made the
GUI report a successful install even when it terminated with an
error. Also added a test for the presence of pkill on the system so
that the script does not try to run it if it is not available.
Improvements and bug fixes in the policy importer for iptables
- fixed bug #1849328: "iptables restore unusable in 2.1.15". This
bug was introduced by the change for bug #1812295. If the option
"use iptables-restore to activate policy" is on, we always generate a
script that prints iptables commands using echo and sends them to the
input of iptables-restore via a pipe.
- fixed bug #1848204: "ULOG-Setting ignored for invalid packets",
applied patch #1848609 provided by the reporter. The code that matched
and logged packets in state INVALID always used target LOG, which was
a problem for iptables installations that only come with target
ULOG.
- applied patch #1835308: 'Patch for adding "-q" option to
fwb_ipt'. Option "-q" suppresses the timestamp that is normally
included in the generated script. This way, if no objects or rules
changed in Firewall Builder, the generated script is exactly the
same. Timestamps made the generated script differ even when nothing
changed in the objects, which made external version control systems
detect changes when there were none.
- bug #1850352: "Install script wrongly completes
successful". The exit status of iptables-restore is stored so that the
generated firewall script can return the same status after it executes
the commands that set kernel parameters and runs the user-defined
epilog code.
- fixed bug #1851166: "Installscript does not test for destination
ip address". The problem affected the specific case of a firewall with
two (or more) interfaces that get their addresses dynamically and a
policy rule that has one such interface in the source and another in
the destination. The generated iptables script retrieves the actual
addresses of both interfaces and assigns them to variables, then uses
these variables in the actual iptables rules. A special check is
provided in case some interface did not obtain an IP address at the
time the script executes. Previously this test was only done for one
dynamic interface per rule; this change makes the script check both.
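The shell pattern behind bug #1850352 (an echo after the iptables-restore pipe hides its exit status) and the interface check of bug #1851166, as an added example that is not fwbuilder's generated code. fake_iptables_restore, the rule text and the interface addresses are constructed stand-ins so the script runs without iptables.

```shell
# Added example (not fwbuilder's generated code). fake_iptables_restore is a
# constructed stand-in for iptables-restore so the script runs offline: it
# consumes a ruleset on stdin and fails with status 2 on an unknown target.
fake_iptables_restore() {
    while IFS= read -r line; do
        case "$line" in
            *"-j NOSUCHTARGET"*) echo "iptables-restore: unknown target" >&2; return 2 ;;
        esac
    done
    return 0
}

# 2.1.15 behaviour (bug #1850352): the trailing echo's status, always 0,
# is what the caller sees, so a failed iptables-restore looked successful.
load_rules_masked() {
    printf '%s\n' "$1" | fake_iptables_restore
    echo "Rules loaded"
}

# 2.1.16 behaviour: save the status right after the pipe, finish the other
# steps (kernel parameters, user epilog), then return the saved status.
load_rules_checked() {
    printf '%s\n' "$1" | fake_iptables_restore
    restore_status=$?
    echo "Rules loaded, iptables-restore returned $restore_status"
    return "$restore_status"
}

# Only call optional tools such as pkill when they exist on this system.
have_cmd() { command -v "$1" >/dev/null 2>&1; }
# Bug #1851166: every dynamic interface a rule references must have
# obtained an address; previously only one of them was checked.
have_all_addrs() {
    for addr in "$@"; do
        [ -n "$addr" ] || return 1
    done
    return 0
}

GOOD_RULES='*filter
-A INPUT -i lo -j ACCEPT
COMMIT'
BAD_RULES='*filter
-A INPUT -p tcp --dport 22 -j NOSUCHTARGET
COMMIT'

load_rules_masked "$BAD_RULES"; echo "masked status: $?"     # 0: error hidden
load_rules_checked "$BAD_RULES"; echo "checked status: $?"   # 2: error surfaced
have_all_addrs 192.0.2.1 "" || echo "eth1 has no address, rule skipped" >&2
```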
Improvements and bug fixes in the policy importer for PF
- applied patch #1850368: 'PF 3.7 has support for "set skip
on"'. The patch by tomjudge@users.sourceforge.net extends support for
the "set skip on" option to PF 3.7.
- applied patch #1850357: "Add support for load balancing with pf
to PolicyRule::Route" by Tom Judge
(tomjudge@users.sourceforge.net), which adds support for load
balancing rules in PF. The patch was extended to add support for the
address/netmask format of the next hop, and checks were added for
illegal IP addresses and netmasks in the next hop.