                         Firewall Builder Release Notes

Version 2.1.19

   Released 05/17/2008
   GUI and compilers v2.1.19 require API library libfwbuilder version 2.1.19

Summary

   This version includes compilers for Cisco PIX and IOS access lists which
   were released under GPL.

   For those who wish to build from source, instructions are given in the
   document "Install and Build instructions" on our web site [1]here.

   The GUI code is frozen for the QT4 conversion. I will fix bugs in
   policy compilers but will try to avoid changes in the GUI. A new GUI
   based on QT4 will be released next spring when KDE4 is included in all
   major Linux distributions and FreeBSD. There will be bugfix releases for
   v2.1 if necessary.

Reminder: Improvements and changes in the packaging

     * Starting with v2.1.18, all policy compilers come as part of the
       "fwbuilder" RPM. This includes compilers fwb_ipt, fwb_ipf, fwb_ipfw,
       fwb_pf, fwb_iosacl and fwb_pix. Instead of 6 RPMs (libfwbuilder,
       fwbuilder and 4 RPMs for individual compilers) I now build only two:
       libfwbuilder and fwbuilder. For example, for Fedora C8 only these two
       RPMs will be built from now on: libfwbuilder-2.1.18.fc8.i386.rpm and
       fwbuilder-2.1.18.fc8.i386.rpm.

Improvements and bug fixes in the GUI

     * fixed bug #1949103: "manpage slightly broken". Minor fixes in
       fwbedit.1 man page.
     * fixed bug #1949438: "parser expects decimal - hex is not accepted".
       The importer for iptables should be able to process "--set-mark" with
       a hex argument.
     * fixed bug #1562726: "policy print rule cut-off". Long rulesets would
       not print correctly on Windows: the bottom of the ruleset table was
       printed solid grey with no rules visible.

Improvements and bug fixes in the policy compiler for iptables

     * bug #1938985: Rate in hashlimit in local language
     * fixed bug #1940504: "Clamp MSS to MTU". The iptables command that
       invokes "-j TCPMSS --clamp-mss-to-pmtu" in the FORWARD chain should go
       before the one that matches "--state ESTABLISHED,RELATED" in order to
       work for the packets in these states.
     * partial fix for bugs #1789059 "shadow issue when using action chain"
       and #1945149: "Shadowing test for rules with action chain". The
       mechanism for rule shadowing detection we have at this time can only
       detect shadowing of one rule by another. In the case of branching, it
       is the combination of the branching rule and the rules inside the
       branch that may shadow other rules. I plan to redesign this part of
       the code in the future, but it won't happen in the upcoming v3.
       Meanwhile, I am fixing it in 2.1 by making the compiler ignore rules
       with action Branch.
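
   The ordering requirement from bug #1940504 can be checked mechanically
   on a generated script. The following is an added example, not code from
   Firewall Builder: it assumes the script uses plain "iptables -A"
   commands, and the function names and sample rulesets are constructed for
   illustration.

```python
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # targets that stop chain traversal


def parse_rules(script, chain="FORWARD"):
    """Yield (table, options) for each 'iptables -A <chain>' command, in order."""
    for line in script.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens[:1] != ["iptables"]:
            continue
        tokens, table = tokens[1:], "filter"      # filter is the default table
        if tokens[:1] == ["-t"] and len(tokens) > 2:
            table, tokens = tokens[1], tokens[2:]
        if tokens[:2] == ["-A", chain]:
            yield table, tokens[2:]


def option(rule, name):
    """Return the value that follows option `name`, or None if absent."""
    return rule[rule.index(name) + 1] if name in rule[:-1] else None


def is_clamp(rule):
    return option(rule, "-j") == "TCPMSS" and "--clamp-mss-to-pmtu" in rule


def is_state_shortcut(rule):
    states = set((option(rule, "--state") or "").split(","))
    return option(rule, "-j") in TERMINATING and bool(states & {"ESTABLISHED", "RELATED"})


def check_clamp_order(script, chain="FORWARD"):
    """Return one finding per clamp rule placed after a terminating state rule."""
    findings, shortcut_at = [], {}
    for pos, (table, rule) in enumerate(parse_rules(script, chain), start=1):
        if is_state_shortcut(rule):
            shortcut_at.setdefault(table, pos)    # remember the first one per table
        elif is_clamp(rule) and table in shortcut_at:
            findings.append(f"{table}/{chain} command {pos}: TCPMSS clamp follows "
                            f"state rule at command {shortcut_at[table]}")
    return findings


# Constructed sample rulesets (not taken from fwbuilder output).
MISORDERED = """\
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
"""
ORDERED = "\n".join(reversed(MISORDERED.splitlines()))

if __name__ == "__main__":
    print(check_clamp_order(MISORDERED), check_clamp_order(ORDERED))
```

   Rules are compared only within the same table, so a clamp rule loaded
   with "-t mangle" is not flagged against a state rule in the filter table.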

Improvements and bug fixes in the policy compiler for PF

     * fixed bug #1821573: "Rule options limits allow for multiple overload
       tables". PF allows only one "overload" option per rule.
     * fixed bug #1961202: "Pf Timeouts overriden by Optimization". The
       compiler should generate the "set optimization" command before the
       "set timeout" commands.

References

   1. http://www.fwbuilder.org/guides/firewall_builder_installation.html
