                         Firewall Builder Release Notes

Version 2.0.4

   Released 12/02/04
   GUI and compilers v2.0.4 require API library libfwbuilder version 2.0.4

Summary

   For those who wish to build from source, instructions are outlined in the
   document "Install and Build instructions" on our web site.

What's new

     * Improvements in the GUI

          * improved error handling: if the GUI is started with a file on the
            command line or is configured to open a file automatically on
            startup and RCS cannot check the file out, the GUI now comes up
            empty (with only standard objects loaded). Previously, when the
            GUI was configured to open a file automatically but the file
            could not be checked out, there was no way to cancel the
            automatic file open operation because the GUI never came up.
          * Added Japanese translation by Tadashi Jokagi <elf@elf.no-ip.org>
          * Added Russian translation by RusBusinessSecurity Co. Ltd.,
            Russia. This translation is fairly complete but is still
            considered preliminary. Bug reports and suggestions are very
            welcome.

     * Improvements in the built-in policy installer

          * Built-in installer checks exit status of the script it runs on
            the firewall and aborts installation sequence if it detects an
            error. OS resource files have been updated accordingly so they
            return exit status '1' in case of error and '0' when they
            succeed.
          * Added an option to push PIX configuration to a standby firewall
            at the end of install.
          * Added support in installer for new configuration script formats
            for PIX:

              1. basic or old format when access lists are cleared and added
                 from scratch
              2. Access lists have unique names each time policy is
                 recompiled, lists are added without clearing.
              3. Access lists are added with temporary names and assigned to
                 interfaces, then the same lists are added with permanent
                 names, lists are swapped and temporary lists cleared

            The last two methods provide an instantaneous access list swap, so
            the firewall never runs with empty lists. This helps maintain
            access to the firewall when the configuration is installed
            remotely.

     * Improvements in policy compiler for iptables:

          * implemented Feature Request #1021201: "output iptables-restore
            compatible config from fwb_ipt". The policy compiler for iptables
            can now use iptables-restore to activate the firewall policy.
            iptables-restore provides an atomic policy load and loads a large
            policy much faster. Atomic load means the whole filter or nat
            table is activated at once; if there is an error, nothing is
            changed. The compiler generates the script in three possible
            formats:

              1. the usual shell script that adds rules one at a time by
                 executing the iptables command with the "-A" flag;
              2. commands are fed to iptables-restore, this format is used
                 when all interfaces of the firewall have static IP addresses
                 and script does not need to determine addresses at run time;
              3. script determines IP addresses of interfaces and discovers
                 dynamic interfaces that were defined as a "wildcard"
                 interface in fwbuilder (e.g. 'ppp*'); code that is sent to
                 iptables-restore is generated dynamically by the script at
                 run time.

            Using iptables-restore is optional and is controlled by the
            checkbutton in the "Script options" tab of firewall settings
            dialog. Path to iptables-restore utility can be set in the
            "Paths" tab of the host settings dialog.

          * policy installation via iptables-restore has been tested with old
            versions of iptables (1.2.6a). The script needs to include
            "-m tcp", "-m udp" or "-m icmp", otherwise iptables-restore does
            not understand options "--dport", "--tcp-flags" and some others.
            Also had to use "--tcp-flags SYN,RST,ACK SYN" instead of "--syn"
            for better backwards compatibility.
          * A change in the script generated by fwb_ipt: if iptables-restore
            is not used to load policy, generated shell script purges
            existing firewall policy (all tables and chains) and sets default
            chain policies after it configures interfaces of the firewall.
            Previously, it would flush tables and set default policy before
            it configured interfaces.
          * removed code that added iptables command to the "drop" table to
            drop and log all dropped packets. This rule used obsoleted
            patch-o-matic patch "drop" which is not available anymore.
          * moved the rule permitting backup ssh access from the management
            station to the firewall to the top of the script. This helps
            maintain the ssh session; otherwise it may stall or break because
            the stdout buffer fills with diagnostic or progress output that
            the script prints after all chains are flushed but before the rule
            permitting ssh to the firewall is added. When the stdout buffer is
            full, ssh stops and tries to send the text to the management
            station, but times out because the firewall blocks it.

     * Improvements in policy compiler for pf:

          * Activation script for PF flushes only information about rules,
            nat, source and tables (it used to flush "all"). This preserves
            queue entries and states.

     * Improvements in policy compilers for all platforms:

          * added support for prolog and epilog scripts for all firewall
            platforms. This was available for PIX for some time, now it has
            been added for all platforms. "Prolog/Epilog" tab of the firewall
            settings dialog allows for editing of two blocks of commands that
            will be added to the generated firewall script verbatim. Prolog
            block is added on top, while epilog block is added at the bottom.
            Both prolog and epilog are expected to be shell scripts and are
            added to the generated shell script that activates the firewall.
            For iptables and ipfw, all the compiler generates is this shell
            script, and the prolog and epilog commands are inserted into it.
            These commands may execute arbitrary actions as well as add
            policy or nat commands. For ipf and pf, prolog and epilog commands
            are added to the activation shell script (.fw file); the prolog is
            added immediately after the command that flushes all rules. This
            way the user may either execute shell commands or add policy
            and/or nat rules by loading them from an external file.
          * all policy compilers properly detect an error when the output
            file can not be created or overwritten and print error message to
            warn the user.
          * Added element "Target/family" to all OS resource XML files.
            Compilers use "family" resource element to determine if host OS
            is supported. User may want to copy host OS resource file to
            modify installer scriptlets; as long as the family element is
            kept the same, compiler will accept new resource file.

     ----------------------------------------------------------------------

Bugs fixed in GUI:

     * bug #1077072: "CrossPlatform Firewall Builder Crash" - pressing arrow
       down key on the keyboard right after the GUI started with no firewall
       objects defined caused crash.
     * bug (no num): if a library was assigned a name with non-ascii
       characters, it would appear distorted in the pull-down list in object
       dialogs.
     * bug (no number) introduced in 2.0.3 when GUI crashed if user tried to
       choose pull-down menu item in the firewall list after the very first
       firewall object has been created.
     * bug (no number): group object dialog corrupted object names if they
       contained non-ascii characters.
     * bug #1046345: "ipfw - no option to specify ipfw executable". Added GUI
       control to let user specify alternative path to "ipfw" on FreeBSD.
       Control like that was previously available only for Mac OS X
     * bug #1028866: "incorrect order when several rules copied using
       copy/paste". Pasting multiple rules into an empty policy caused rules
       to be inserted in the wrong order.
     * bug (no number): Policy installer failed if the following conditions
       were met:

         - it was running on Linux, FreeBSD or Mac OS X
         - the working directory configured in the "General" tab of the
           Preferences dialog did not exist and could not be created, or its
           permissions did not allow the user that runs the GUI to access it
     * Added #include <errno.h> to make code compile with gcc 3.4.2 and glibc
       2.3.3
     * bug (no number): GUI could not find names of the object libraries in
       external library files that user added for automatic load in the
       Preferences dialog on Windows. It would find the name of the library
       in the first file, but failed to find library names in subsequent
       files and used the name from the first file. Since this library was
       only present in the first file, object tree was getting corrupted when
       the program attempted to load this library from every file configured
       for automatic pre-load. This only happened on Windows.

Bugs fixed in API:

     * bug #1077496: Error compiling libfwbuilder in FreeBSD. The problem
       was caused by the changed major version number of the libnetsnmp
       library in the latest net-snmp port (v5.2)
     * bug #1055937: "Any->all_multicasts not in INPUT Chain". Need to check
       if network objects are multicasts; assume that multicast always
       matches the firewall object (e.g. fwb_ipt will put a rule with such a
       network object in destination in the INPUT chain)
     * bug #1040773: need to match the network address as well as broadcast.
       Packets sent to the network address (192.168.1.0 for net
       192.168.1.0/24) go in the broadcast frame and behave just like IP
       broadcast packets (sent to 192.168.1.255 for the same net)
     * bug (no number): rule shadowing algorithm now assumes that IPService
       object with protocol number '0' shades any other service just like
       'any' does.
     * bug (no num): rule shadowing algorithm checks for IP flags in IP
       service object. IP service object with protocol 0 shades anything only
       if its flags are cleared. Two IP services shade each other only if
       they are completely equal (protocols and all flags settings are the
       same). However, IP service with protocol 0 shades other IP service
       with protocol !=0 if all flags settings are the same.
     * change in the object database merge algorithm: when an object database
       we are trying to merge has non-empty "Deleted objects" library,
       deleted objects from this library should be ignored (they used to be
       deleted from the current tree). Likewise, when current tree has
       non-empty "Deleted objects" library and objects in it match objects
       being merged in, objects should be removed from "Deleted objects"
       library to avoid creating duplicate IDs with objects being merged in.
     * bug (no number): program crashed on FreeBSD 5.3 when using SNMP to
       obtain parameters for hosts and interfaces. Crash occurred because of
       use of uninitialized mutex variables in module dns.cpp
     * bug (no number): The API used to corrupt CustomService object while
       saving data to the XML file if service code included special
       characters such as '&'

Bugs fixed in policy compiler for iptables fwb_ipt:

     * bug #1073491: incorrect code for rules using two interfaces with
       negation. If a rule had two (or more) interfaces of the firewall in
       the destination, with negation, the code generated by compiler would
       check one interface's address in INPUT chain and another in FORWARD
       chain. It should check addresses of all interfaces from the
       corresponding rule element in the INPUT chain and also check addresses
       and possibly services from other rule elements in the FORWARD chain.
       This bug affected rules with two or more interfaces both in source and
       destination.
     * bug #1040788: fwb_ipt and user name. Compiler used to read environment
       variable "USER" to find out user's name. Sometimes this variable is
       not set, which caused compiler to abort. Using env variable LOGNAME in
       addition to USER.
     * bug #1040599: "unnecessary FORWARD rules". If ip forwarding is turned
       off in the host settings dialog of the linux-based firewall, compiler
       should not generate rules in FORWARD chain.
     * bug (no number): compiler placed extra quote '"' at the end of each
       NAT command in the script using iptables-restore; this happened only
       if all interfaces of the firewall had static addresses.
     * bug (no number) in fwb_ipt that caused no-nat rules with firewall in
       OSrc to be placed only in OUTPUT chain. Packets originating on the
       firewall go into OUTPUT and POSTROUTING chains, so no-nat rules must
       be placed in both. Other minor improvements for NAT of the locally
       originated connections have been done as well.
     * bug (no number) where compiler for iptables used option
       "--destination-port" with module "multiport" for versions of iptables
       that do not understand it (1.2.6 and later, as well as default version
       setting 'any'). The option should be "--destination-ports" or
       "--dports".
     * bug #1063953: "Wrong accept/multiport rule generated". Compiler
       generated wrong code for rules using multiple service objects of
       different types (TCP and UDP, or TCP and ICMP etc), multiple addresses
       in src or dst with option that requires using TCP RST for action
       REJECT. This bug was introduced in build 453
     * bug (no number): policy compiler for iptables used "tail -1" in the
       shell script that reads actual IP addresses of interfaces of the
       firewall. This shell code failed to determine the correct address of
       an interface that was configured with a secondary address. Reverted to
       using grep (I switched to tail when I ran into limitations of one of
       the beta builds of Sveasoft Linksys firmware that did not have grep)
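
   The following is an added example, not Firewall Builder's own generated
   script, illustrating two points from these notes: the "dynamic"
   iptables-restore format described under "Improvements in policy compiler
   for iptables" (interface address resolved at run time, ssh rule from the
   management station first, explicit "-m tcp" and "--tcp-flags SYN,RST,ACK
   SYN" for old iptables) and the "tail -1" secondary-address bug just
   above. The interface name, addresses and "ip addr" output are constructed.

```shell
#!/bin/sh
# Added example, not the fwb_ipt generated script. Builds an iptables-restore
# ruleset as text; the real script would pipe it into iptables-restore.

# Constructed "ip addr show eth0" output with a secondary address: the case
# that broke the "tail -1" address lookup.
SAMPLE_IP_ADDR='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth0
    inet6 fe80::211:22ff:fe33:4455/64 scope link'

# Buggy lookup: "tail -1" returns the last inet line, i.e. the secondary.
last_addr() {
    printf '%s\n' "$1" | grep ' inet ' | tail -n 1 | awk '{print $2}' | cut -d/ -f1
}

# Fixed lookup: the first inet line is the primary address.
primary_addr() {
    printf '%s\n' "$1" | grep ' inet ' | head -n 1 | awk '{print $2}' | cut -d/ -f1
}

# Emit a filter table in iptables-restore syntax. $1 = management station,
# $2 = firewall's own address. The rule keeping the management ssh session
# alive comes first; every tcp/udp rule carries an explicit "-m" match and
# the SYN check uses "--tcp-flags SYN,RST,ACK SYN" rather than "--syn".
restore_ruleset() {
    mgmt="$1"; fw="$2"
    printf '%s\n' \
      '*filter' \
      ':INPUT DROP [0:0]' \
      ':FORWARD DROP [0:0]' \
      ':OUTPUT DROP [0:0]' \
      "-A INPUT -i eth0 -s $mgmt -d $fw -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT" \
      '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
      '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
      "-A INPUT -d $fw -p udp -m udp --dport 53 -j DROP" \
      '-A INPUT -j LOG --log-prefix "fwb-drop "' \
      'COMMIT'
}

# First "-A" rule of the generated table, for checking the ordering.
first_rule() {
    restore_ruleset "$1" "$2" | grep '^-A' | head -n 1
}

# Atomic load would be: restore_ruleset <mgmt> <fw> | iptables-restore
restore_ruleset 192.0.2.50 "$(primary_addr "$SAMPLE_IP_ADDR")"
```

   Because iptables-restore reads the whole table before committing it, a
   syntax error in any line leaves the running policy untouched, which is
   the atomic behaviour the notes describe.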
