                         Firewall Builder Release Notes

Version 2.1.13

   Released 07/22/2007
   GUI and compilers v2.1.13 require API library libfwbuilder version 2.1.13

Summary

   This is a bugfix release; its main focus is better support for the new
   features available in PF in OpenBSD 4.1.

   For those who wish to build from source, instructions are outlined in the
   document "Install and Build instructions" on our web site here

Improvements and bug fixes in the GUI

     * fixed bug #1740766: "lock not saved". Method shallowDuplicate() now
       copies the value of the "ro" (read-only) attribute; clear it in the
       caller if necessary. Method duplicate() clears it after calling
       shallowDuplicate() in order to be able to modify the object, then
       restores the attribute to its original value.
     * fixed bug #1743117: "crash while editing any". Added a check: the user
       should not be able to unlock the Standard objects library.
     * fixed bug #1753188: "policy activation fails on PIX and IOS". The
       installer failed if the account used to authenticate to the router or
       PIX went straight to 'enable' mode after login.
     * added a simple template object for Cisco 36xx routers

Improvements and bug fixes in policy compiler for iptables

     * fixed bug #1746257: "fwbuilder breaks IPv6". Added an option to the
       firewall settings dialog for iptables that controls whether the
       compiler skips generating the code that sets the default policy of all
       IPv6 chains to DROP. The option is off by default, i.e. the compiler
       emits that code. This keeps backward compatibility with old data files
       that do not have this option, which is equivalent to the option being
       "off".
     * fixed bug #1747332: "missing CONNMARK/ restore mark in Output Chain"
     * the compiler now permits setting the direction in a rule while the
       interface field is "All". This generates an iptables command in chain
       INPUT or OUTPUT with the "-i +" or "-o +" interface specification to
       match all interfaces.
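   The following shell script is an added illustration of the two iptables
   compiler behaviours described above (the IPv6 default-policy option and
   the "All" interface with a direction); it is not fwbuilder's own code, and
   the function names and the "on"/"off" option value are assumptions made
   for this example. It only prints the commands it would generate, so it can
   be run without root privileges or iptables installed.

```shell
#!/bin/sh
# Added example, not part of Firewall Builder: a small emitter that mimics two
# behaviours of the 2.1.13 iptables policy compiler. Function names and the
# option value ("on"/"off") are assumptions chosen for this illustration.

# Mirror of the "skip IPv6 default policy" firewall option. When the option
# is "off" (the default, and what old data files imply), print the commands
# that set the default policy of every IPv6 chain to DROP; when "on", print
# nothing so an existing IPv6 setup is left alone.
emit_ipv6_default_policy() {
    skip="$1"   # "on" or "off"
    if [ "$skip" = "on" ]; then
        return 0
    fi
    for chain in INPUT OUTPUT FORWARD; do
        printf 'ip6tables -P %s DROP\n' "$chain"
    done
}

# Build one iptables command for a policy rule with a given direction and
# interface. The direction alone selects the chain (INPUT for inbound,
# OUTPUT for outbound); interface "All" becomes the wildcard "+", so the
# rule matches every interface, as described in the release notes.
emit_rule() {
    direction="$1"   # "in" or "out"
    iface="$2"       # interface name, or "All"
    match="$3"       # remaining match options, e.g. "-p tcp --dport 22"
    target="$4"      # e.g. ACCEPT or DROP
    case "$direction" in
        in)  chain=INPUT;  flag=-i ;;
        out) chain=OUTPUT; flag=-o ;;
        *)   echo "emit_rule: direction must be 'in' or 'out'" >&2; return 1 ;;
    esac
    if [ "$iface" = "All" ]; then
        iface='+'
    fi
    printf 'iptables -A %s %s %s %s -j %s\n' "$chain" "$flag" "$iface" "$match" "$target"
}

# Demonstration when run directly: option off, then two rules.
emit_ipv6_default_policy off
emit_rule in All '-p tcp --dport 22' ACCEPT
emit_rule out eth0 '-p udp --dport 53' ACCEPT
```

   Note that with the option "off" the three ip6tables lines are emitted
   before any rule, which is why hosts that relied on an open IPv6 stack
   "broke" before this option existed.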

Improvements and bug fixes in policy compiler for PF

     * fixed bug #1747828: "anchors generation - "log" not supported". The
       "log" keyword is not allowed in "anchor" rules; the compiler no longer
       generates it even if the user turned logging on in a rule with action
       'Branch'.
     * implemented support for the PF limit options "src-nodes", "tables" and
       "table-entries". Feature Req. #1674919: "Support "set limit
       table-entries""
     * better compliance with PF 4.x. Feature Req. #1679793: "add 'no state'
       and 'flags any'". If the version is set to 4.x, the compiler skips
       "flags S/SA keep state" for rules matching TCP services. However,
       according to the section "1.2. Operational changes" in the PF FAQ at
       http://www.openbsd.org/faq/upgrade41.html , there should be a way to
       add "keep state" explicitly for rules on interface enc0. Added this
       option to the rule options dialog.
     * Added support for "set skip on " command for PF. If an interface is
       marked as "unprotected" in the GUI, compiler generates this command
       for it. This is useful for loopback or other virtual interfaces.
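   The pf.conf fragment below is an added example, written by hand rather
   than generated by fwbuilder, that shows what the PF compiler changes listed
   above look like in a ruleset: the new "set limit" options, "set skip on"
   for an unprotected interface, an anchor rule without "log", a 4.x rule
   that omits the default "flags S/SA keep state", the explicit "keep state"
   option for enc0, and the 'no state' / 'flags any' keywords named in the
   feature request. Interface names (em0, enc0, lo0), addresses, ports and
   the limit values are assumptions chosen for the illustration.

```pf
# Added example pf.conf fragment (not fwbuilder output). Interface names,
# addresses, ports and limit values are assumed for this illustration.

# "set limit" options the 2.1.13 compiler can now emit; figures are examples
set limit { states 10000, src-nodes 5000, tables 1000, table-entries 200000 }

# An interface marked "unprotected" in the GUI becomes "set skip on"
set skip on lo0

# Rule with action 'Branch': the anchor carries no "log" keyword, because
# "log" is not valid in anchor rules even when logging is on in the rule
anchor "dmz_rules" in on em0

# Compiled for PF 4.x: "flags S/SA keep state" is the default and is omitted
pass in on em0 inet proto tcp from any to any port 22

# The same rule compiled for PF 3.x carries the state options explicitly:
# pass in on em0 inet proto tcp from any to any port 22 flags S/SA keep state

# Rule on enc0 with the new rule option that adds "keep state" explicitly
pass in on enc0 inet proto tcp from 10.0.0.0/8 to any port 80 flags S/SA keep state

# The 4.x keywords from Feature Req. #1679793: a stateless rule that matches
# any flag combination (only meaningful when 4.x state defaults apply)
pass in on em0 inet proto tcp from any to any port 25 flags any no state
```

   Checking such a fragment with pfctl -nf before loading it is the quick way
   to confirm that the target PF version accepts the keywords the compiler
   emitted, since "no state" and "flags any" do not exist on older releases.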

Improvements and bug fixes in policy compilers for Cisco IOS ACL

     * Fixed a bug that caused the compiler to exit abnormally while compiling
       a rule with interface field "all". The compiler generates ACL lines for
       all interfaces of the router (except those marked "unprotected").
