Firewall Builder Release Notes
Version 2.1.11
Released 04/29/2007
GUI and compilers v2.1.11 require API library libfwbuilder version 2.1.11
Summary
This is a bugfix release.
For those who wish to build from source, instructions are outlined
in the document "Install and Build instructions" on our web site.
Improvements and bug fixes in the GUI
- redesigned TimeService object dialog
- minor redesign of the interface object dialog to make network
zone more prominent and easier to set when network and group
objects have long names.
- fixed bug #1685741: "GUI crash: click on an empty part of obj
tree, then desktop"
- fixed bug #1692411: "can't set accounting rule name (fwbuilder
2.1.11)"
- fixed bug #1684334: "RCS should use $LOGNAME when commit"
- fixed bug #1701971: "Enabling test mode doesn't activate the
reboot interval". Checking the "Test mode" checkbox in the
installer options dialog should enable the widgets that configure
the automatic reboot timeout.
- fixed bug #1702830: "fwbuilder does not detect errors during
policy install". The built-in installer now detects error messages
printed by iptables and iptables-restore and aborts the
installation process. The summary page shown at the end reflects
this as a failed install.
Improvements and bug fixes in policy compiler for iptables
- Added support for the --datestart and --datestop options of the
'time' match module in the compiler for iptables
- fixed bug #1672191: "Time limit generates unexpected iptables
command"
- fixed bug #1695481: "compilation error with lower end
port". Before this fix, the user could enter a start port number
greater than the end port number. Neither the GUI nor the
compiler noticed this, which resulted in an incorrect firewall
configuration. The fix adds a check in the GUI that does not let
the user enter such port ranges.
- fixed bug #1699483: "hashlimit-htable-expire not set". Added GUI
controls and compiler support for the hashlimit module options
"--hashlimit-name", "--hashlimit-htable-size",
"--hashlimit-htable-max", "--hashlimit-htable-expire" and
"--hashlimit-htable-gcinterval"
- fixed bug #1703954: "Mark target in postrouting chain". Packets
that originate on the firewall should be marked in the OUTPUT
chain. According to the netfilter packet flow diagram at
http://www.shorewall.net/NetfilterOverview.html, rerouting
happens after the OUTPUT hook but before the POSTROUTING hook, so
in order to reroute packets originating on the firewall, they
must be marked in OUTPUT.
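As an added illustration of the two iptables compiler fixes above (not fwbuilder's own code), this small Python model rejects a port range whose start is above its end, as the GUI check for bug #1695481 does, and renders the hashlimit module options from bug #1699483 into an iptables rule fragment. The class and function names are invented for the example; the --hashlimit-* flags are the real iptables option names (--hashlimit-upto is the current spelling of the rate option).

```python
from dataclasses import dataclass
from typing import Optional


def validate_port_range(start: int, end: int) -> None:
    # Same rule the 2.1.11 GUI enforces: ports in bounds and start <= end.
    if not (0 <= start <= 65535 and 0 <= end <= 65535):
        raise ValueError(f"port out of range: {start}:{end}")
    if start > end:
        raise ValueError(f"start port {start} is greater than end port {end}")


@dataclass
class HashLimit:
    # Options of the iptables 'hashlimit' match; None keeps the module default.
    name: str                                # --hashlimit-name (required)
    rate: str                                # --hashlimit-upto, e.g. "3/min"
    burst: Optional[int] = None
    mode: Optional[str] = None               # e.g. "srcip" or "srcip,dstport"
    htable_size: Optional[int] = None
    htable_max: Optional[int] = None
    htable_expire: Optional[int] = None      # ms before an idle entry expires
    htable_gcinterval: Optional[int] = None  # ms between garbage-collection runs

    def args(self) -> list:
        # Render the match as iptables command-line tokens, checking the numbers.
        if not self.name:
            raise ValueError("hashlimit needs a name")
        numeric = [("--hashlimit-burst", self.burst),
                   ("--hashlimit-htable-size", self.htable_size),
                   ("--hashlimit-htable-max", self.htable_max),
                   ("--hashlimit-htable-expire", self.htable_expire),
                   ("--hashlimit-htable-gcinterval", self.htable_gcinterval)]
        if any(v is not None and v <= 0 for _, v in numeric):
            raise ValueError("hashlimit numeric options must be positive")
        out = ["-m", "hashlimit", "--hashlimit-name", self.name,
               "--hashlimit-upto", self.rate]
        if self.mode:
            out += ["--hashlimit-mode", self.mode]
        for flag, value in numeric:
            if value is not None:
                out += [flag, str(value)]
        return out


def render_rule(chain: str, proto: str, start: int, end: int,
                limit: Optional[HashLimit], target: str) -> str:
    # One iptables rule for a destination port range, optionally rate limited.
    validate_port_range(start, end)
    dport = str(start) if start == end else f"{start}:{end}"
    tokens = ["-A", chain, "-p", proto, "--dport", dport]
    if limit is not None:
        tokens += limit.args()
    return " ".join(tokens + ["-j", target])
```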
Improvements and bug fixes in policy compiler for PF
- fixed bug #1674940: "if max-src-conn == 0: syntax
error". The options max-src-conn and max-src-states cannot have
the value '0'.
Improvements and bug fixes in policy compiler for ipfilter
- fixed bug #1678410: "Ipfilter compiler uses wrong keyword for
'fragment'"
- fixed bug #1676845: "lsrr option not compiling"