                         Firewall Builder Release Notes

Version 2.0.5

   Released 01/07/05
   GUI and compilers v2.0.5 require API library libfwbuilder version 2.0.5

Summary

   This is a bugfix release; its main focus is on internationalization and
   usability.

   For those who wish to build from source, instructions are outlined in the
   document "Install and Build instructions" on our web site.

What's new

     * Improvements in the GUI

          * Fixed many places where strings were not properly marked for
            localization; this led to the GUI showing '????' instead of text
            in some menu items and dialogs in non-English locales.
          * properly synchronizing the state of main menu items with the
            state of the corresponding items in the pop-up menu that appears
            when the user right-clicks an object in the tree
          * fixes for non-localized text strings in dialogs (mostly
            "Continue", "Yes"/"No" etc. in many places)
          * proper localization of the human-readable version number text for
            iptables; also made the info window print readable text instead
            of "lt_1.2.6"
          * cosmetic changes in the layout of some dialogs to make them look
            better when localized text makes strings much longer
          * firewall object dialog tab "Templates" has been hidden. It is
            unlikely that this feature will be implemented in 2.0.X series.
          * Streamlined logic in the object editor dialog. This improves
            handling of the situation when the user closes the dialog by
            clicking on [x] while 1) there is unsaved data and/or 2) some of
            the object's parameters have illegal values. The dialog behavior
            also depends on the setting of the global flag "Autosave", which
            causes the dialog to automatically save data when the user
            switches between objects.
          * when the user opens a data file in the old format (fwbuilder
            v1.1.x, extension .xml) and after autoupgrade the program
            discovers that a file with the same name and extension .fwb
            already exists, it offers the user a chance to choose a different
            name. If the user clicks "Cancel" at this point, the program
            cancels the operation and reverts the upgraded data file back to
            its original name and version.
          * improved behavior of the main menu "Edit" as well as the pop-up
            menu that appears when the user right-clicks an object in the
            tree. Menu item "Paste" is enabled only if the clipboard is not
            empty and the objects stored in it can be pasted into the object
            selected in the tree.
          * when the user clicks menu item "File/Open" to open a new file,
            the GUI saves and closes the currently opened file only after the
            user chooses the new file. If the user clicks Cancel in the
            File/Open dialog, the operation is cancelled so the user can
            continue working with the currently opened file. The same applies
            to File/New.
          * implemented feature request: colors that are used to color rules
            can be changed in Preferences dialog.
          * main menu item "Object/New Object/Address" and the corresponding
            toolbar button always create an Address object under the
            Objects/Addresses folder in the tree. An address for an interface
            can be created using the pop-up menu item "Add IP Address".
          * Pull-down menu "On startup" in the "General" tab of the
            preferences dialog now has three items: "Load standard objects",
            "Load last edited file" and "Ask user what to do". The last item
            is default.
          * Updated Japanese and Russian translations

     ----------------------------------------------------------------------

Bugs fixed in GUI:

     * bug (no num): the GUI crashed when the user tried to add a library
       file for auto-load in Preferences/Libraries and the first library
       object in that file had a name using non-ASCII characters.
     * bug (internal #34): the program now issues a warning when the user
       tries to add a library file (.fwl) that contains an object library
       that already exists in the opened data file.
     * bugfixes for the behavior of the object editor dialogs. The dialog now
       asks whether the user wants to save the data and then validates it
       when the user clicks on [x] to close the editor dialog. It used to
       validate the data first and then ask whether to close the dialog.
     * bug (localization): RCS log entries made using non-ASCII characters
       used to appear as '???' in the Open File and File/Properties dialogs.
     * localization was broken on Win32 and Mac OS X because translation
       files were not installed properly. Now fixed.
     * bug #1092810: "Multiline RCS comments are shown as a single line on
       windows". As it turned out, this bug affected all platforms.
     * bug (no num): the GUI crashed when the user created a new firewall
       object using a template with three interfaces.

Bugs fixed in API:

     * bug #1068119: "additional whitespace for Rule comments in .fw file".
       Added extra space between rule number and interface spec in rule
       comments.

Bugs fixed in policy compiler for iptables fwb_ipt:

     * bug #1089586: "default --icmp-type value is 0 in iptables < 1.2.9".
       The problem concerns policy rules using the service object "any
       ICMP". A rule like this is supposed to match any ICMP packet. A few
       versions ago I had to add the option "-m icmp" (and "-m udp", "-m
       tcp") because I discovered that iptables-restore on some systems
       (Linksys Sveasoft firmware, iptables v1.2.11) refused to load rules
       without it. Now it turns out that iptables v < 1.2.9 (tested on 1.2.6a
       and 1.2.7a) implicitly adds the equivalent of "--icmp-type 0" to rules
       with "-p icmp -m icmp" and without the "--icmp-type" option. Since
       type 0 is actually ICMP echo reply, such a rule does not match "any
       ICMP" as it was supposed to. Iptables 1.2.9 implicitly adds
       "--icmp-type 255", which matches any ICMP type. Using "--icmp-type
       255" on iptables 1.2.6 and 1.2.7 does not work (the rule does not
       match ICMP packets with a type different from 255). The fix generates
       "-p icmp -m icmp --icmp-type any" for iptables 1.2.9 and later, as
       well as when the iptables version is not specified in the firewall
       object settings. It generates just "-p icmp" for versions < 1.2.9.
     * bug #1092141: "irritating FORWARD rule for established connections".
       The rule in the FORWARD chain is needed only if IP forwarding is on
       or set to "no change".
     * bug #1059393: "function getaddr failed for eth1.0020". The generated
       script can now work with interfaces that have a dot in their name
       (such as "eth1.0020", a VLAN interface).
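     The version-dependent choice described for bug #1089586, as an added
     example that is not fwbuilder's own compiler code: a POSIX shell function
     that emits the "any ICMP" match for a given iptables version string. It
     assumes an empty string means "version not specified" and compares only
     the numeric part of versions such as "1.2.6a".

```shell
#!/bin/sh
# Added example, not fwbuilder's own code: pick the iptables match for an
# "any ICMP" policy rule according to the logic described for bug #1089586.

# Return 0 (true) if iptables version $1 is 1.2.9 or later, 1 otherwise.
# An empty version string means "not specified in the firewall object
# settings" and is treated like 1.2.9+ (assumption matching the fix text).
# Only the numeric part is compared, so "1.2.6a" is handled as 1.2.6.
iptables_ge_129() {
    [ -z "$1" ] && return 0
    num=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    oldifs=$IFS
    IFS=.
    set -- $num
    IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -gt 1 ] && return 0
    [ "$maj" -lt 1 ] && return 1
    [ "$min" -gt 2 ] && return 0
    [ "$min" -lt 2 ] && return 1
    [ "$pat" -ge 9 ]
}

# Print the protocol/match part of the generated rule for "any ICMP".
# iptables < 1.2.9 silently turns "-m icmp" without --icmp-type into
# "--icmp-type 0" (echo reply only), so for those versions a bare "-p icmp"
# is emitted; 1.2.9+ (and unspecified) get an explicit "--icmp-type any".
any_icmp_match() {
    if iptables_ge_129 "$1"; then
        printf '%s\n' '-p icmp -m icmp --icmp-type any'
    else
        printf '%s\n' '-p icmp'
    fi
}

# Sample usage with the versions mentioned in the release notes:
for v in 1.2.6a 1.2.7a 1.2.9 1.2.11 ""; do
    printf 'iptables %-7s -> -A INPUT %s -j ACCEPT\n' \
        "${v:-unspec}" "$(any_icmp_match "$v")"
done
```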

Bugs fixed in policy compiler for ipfw fwb_ipfw:

     * bug #1089866: "multiple services in one rule confuses ipfw compiler".
       If several UDP or TCP objects were used in the same policy rule and
       these service objects had source port ranges defined, the compiler
       would produce incorrect code by combining source port range
       specifications together in the same ipfw command.
     * bug #1093461: "problem with 'established' in ipfw". ipfw requires the
       protocol to be set to 'tcp' if the option 'established' is used in a
       rule.
     * bug #1093472: "ipfw port range(s) errors". There can only be one port
       range in a single ipfw rule.
     * bug #1093620: "path (to ipfw) with spaces fails". The generated script
       failed if the path to ipfw contained a space. I only worked around
       this problem for ipfw; paths to sysctl and logger must be standard and
       never contain spaces.
