Commit graph

9 commits

Author SHA1 Message Date
sno
6f7368d4db bump revision because of graphics/jpeg update 2009-08-26 19:56:37 +00:00
joerg
f0bbd1517d Remove @dirrm entries from PLISTs 2009-06-14 18:13:25 +00:00
adam
12be2ea8e0 Changes 2.1.19:
* Improvements and bug fixes.
2008-07-15 09:17:27 +00:00
adam
18b56f1131 Changes 2.1.18:
This version includes compilers for Cisco PIX and IOS access lists which
were released under GPL.
2008-04-21 15:43:15 +00:00
adam
7cf5a9029c Changes 2.1.17:
This is a bug-fix release. It improves stability of the policy importer
on 64-bit platforms, supports import of iptables policies that use TCPMSS
target, fixes problems with built-in RCS on Windows when user does not
have administrator's rights and comes with nearly 100% Brazilian Portuguese
translation.
2008-02-21 17:34:08 +00:00
adam
e3d0110329 Changes 2.1.16:
Unfortunate bug introduced in 2.1.15 that broke generated firewall script
for iptables in case option "use iptables-restore" was on is fixed in this
release. Additional checks were added to the generated script for iptables
to improve error detection and make sure the GUI properly detects when it
terminates with error. Support for load balancing with PF was also added.
2008-01-28 20:34:54 +00:00
adam
ad2a3bc804 Changes 2.1.15:
* Bug fix release
2007-12-12 17:59:20 +00:00
bad
f6e8007fdf Update fwbuilder and libfwbuilder to 2.1.10.
Changes since 2.1.7 are:

Version 2.1.10

Improvements and bug fixes in the GUI
     * fixed bug #1661140: "built-in installer broken in 2.1.9 for PF".
       Installer incorrectly set name for files it copied to the firewall if
       generated configuration consisted of several files. Affected platforms
       are PF and ipfilter because normally for these platforms compiler
       generates two files.
     * fixed bug #1659832: "No compile with QT without STL support"
     * a workaround for the bug 1629461: "Policy tabs do not scroll @ window
       extent on OSX". The tab widget used to show policy, nat, routing and
       policy branch rulesets does not switch to a "folded" mode on Mac OS X
       when it needs to show more tabs than fit in the window. Since I can't
       figure out a way to force it to do that, I am dropping "Policy/" from
       the tab titles for branches to make them shorter. This will help users
       with policies with many branches, however it does not solve the
       problem because as they keep adding branches, at some point they won't
       fit in the window again.
     * added an item "Where used" to the context menu associated with objects
       in rules

Version 2.1.9

Improvements and bug fixes in the GUI
     * New feature: new operation "Tools/Find Conflicting Objects in Two Data
       Files". This operation inspects two data files (either .fwb or .fwl)
       and finds conflicting objects. Conflicting objects have the same
       internal ID but different attributes. Two data files can not be
       merged, or one imported into another, if they contain such objects.
       This operation also helps identify changes made to objects in two
       copies of the same data file. This operation does not find objects
       present in one file but not in the other, such objects present no
       problem for merge or import operations. This operation works with two
       external files, neither of which needs to be opened in the program.
       Currently opened data file is not affected by this operation and
       objects in the tree do not change. In the process of this operation
       user is presented with series of dialogs showing conflicting objects
       side by side. In the end the program can generate report and write it
       to a text file.
     * installOptionsDialog was too large and did not fit on some laptop
       screens. Doing tricks to make sure the dialog properly resized after
       unused GUI elements are hidden.
     * bug #1629521: "can't delete empty chain/policy tab"
     * bug #1619842: "prolog "script editor" opens behind other windows"
     * bug #1620206: "RuleOptions' "Apply" button greyed-out until menu
       selection"
     * bug 1619930: "Prolog tab's ScriptEditor's import fails to overwrite"
     * bug #1617501: "Install fails after compile". The GUI got confused when
       user entered full path to the policy file in the "Output file name"
       input field in the "Compiler" tab of firewall object dialog. Making
       sure we always strip directory path from the file name if user
       specified full path for the policy file in the "Output file name"
       input field in the "Compiler" tab of firewall object dialog. Need to
       strip path when macro "%FWSCRIPT%" is substituted in installation
       scriptlets and in some other places.
     * "Apply" and "Close" buttons in the object editor panel should be of
       fixed size horizontally
     * bug #1624577: "group window doesn't stay open on multiple-adds". Using
       special flag to tell ObjectTreeView that it should ignore
       MouseReleaseEvent it gets after d&d operation, so it won't switch
       object in the editor panel. Note the bug triggered only on Mac OS X.
     * bug (no num.): GUI used to show phantom 'Policy', 'NAT' and 'Routing'
       tabs when user deleted objects from the Deleted Objects library,
       provided some of these objects were previously deleted firewalls.
     * bug #1620284: "conflict when adding library to Preferences/Libraries".
       When the user tried to add a library to the list in
       Preferences/Libraries when a data file with the same object library
       was loaded, the GUI detected the conflict and showed error dialog.
     * bug #1650369: "[patch] please add support for GNU/kFreeBSD". Applied
       patch to make code compile on kFreeBSD.

Compiler for iptables
     * bug #1623338: "Can not disable rules in a branch". Compiler for
       iptables ignored flag 'disabled' on rules in a branch.
     * bug #1623113: 'connlimit fails in compiled "address table" rules'
       Module connlimit can only be used in iptables rules matching TCP
       services. Such iptables commands have "-p tcp" and/or "-m tcp"
       options. If a rule in fwbuilder uses TCP Service and connlimit option
       and has multiple objects in src and dst, optimizer used to split it to
       minimize matches. It however preserved connlimit option in all
       subrules, even though some of them did not have TCP service after the
       split. This led to generation of incorrect iptables commands.
     * bug #1620925: "compile-time AddressTable object with empty file".
       Compile-time AddressTable object that uses file with no addresses
       should be treated as an empty group according to the "Ignore empty
       groups" option.
     * bug #1618381: "CLASSIFY/MARK are non-terminating". This bug report in
       fact reported several problems.

          * For action Branch with option to add branching rule to the mangle
            table: we now generate rules in PREROUTING, POSTROUTING, INPUT,
            OUTPUT and FORWARD chains. This is because some targets can only
            work in PREROUTING or POSTROUTING chains but we do not know what
            rules the user will put in the branch. So we need to branch in all
            chains.
          * For rules in mangle table with direction set to Inbound or
            Outbound force chain to PREROUTING or POSTROUTING respectively
            early. This eliminates duplicates such as the same rule in
            PREROUTING and INPUT chains. Also since most (all?) targets that
            require mangle table go into either PREROUTING or POSTROUTING
            chains, it should be enough to use these two chains.
          * Non-terminating rules shadow each other "backwards", that is more
            general rule shadows other rules _above_ it. Added flag 'reverse'
            to the method find_more_general_rule and added new rule processor
            DetectShadowingForNonTerminatingRules that finds such cases of
            'reverse' shadowing. Using it for rules in the mangle table for
            iptables.
          * Adding iptables rule with target ACCEPT to emulate terminating
            behavior for Tag and Classify actions. Emulation is controlled by
            a global option in the "Compiler" tab of the firewall properties
            dialog (default is "off"). This means emulation can be turned on
            and off for all rules that might require it at once. It is
            impossible to mix such rules with terminating and
            non-terminating behavior. The reason for this is that shadowing
            detection algorithm can only work with either terminating or
            non-terminating rules, not with the mix.

     * bug #1628989: "run-time-loaded rules don't accept ";" as line comment"
     * bug #1632054: "Runtime AddressObjects FAIL to load if "Name:" contains
       "."". Compiler checks if the name of the run-time AddressTable object
       contains characters that have special meaning in shell and replaces
       them with '_' when it generates the name of the temporary shell
       variable.
     * bug (no num.): data files used for run-time AddressTable objects can
       have empty lines, the script should skip them.

                         Firewall Builder Release Notes

Version 2.1.8

Installation
   Opinion poll ran on the fwbuilder-discussion mailing list showed that the
   majority of users are not interested in ability to install and run both
   fwbuilder 2.0 and 2.1 on the same machine at the same time. Hence we are
   reverting to the old naming schema without suffix '21' for the binaries
   and man pages in this release.

Improvements and bug fixes in the GUI
     * The user can search for objects using regular expressions matching
       their names or attributes.
     * Fixed bug #1592130: "Policy Chaining Issues". The GUI should properly
       display nested branch rulesets. The user can create policy branches
       within other branches.

All compilers
     * Fixed bug #1590746 "problem with using "DNS Names" objects on MS
       Windows". Compiler failed to convert DNSName objects set to resolve at
       compile time into IP addresses.

Compiler for iptables
     * fixed bug #1593221: "iptables filtering bridge problem - PHYSDEV: no
       physdev opti..." Sometimes rules were generated with "-m physdev" but
       without "--physdev-in" or "--physdev-out" options.

Compiler for Cisco PIX
     * fixed a bug (no num., support req. #1604103: "fwb_pix policy compiler
       dies when SNMP or NTP hosts defined"). Compiler did not print error
       message when it could not find an interface with network zone matching
       IP address of NTP or SNMP server (it just printed the address without
       explanation of what went wrong).
     * Experimental utility fwb_pix_diff has been added to the package. This
       utility takes two PIX configurations on the command line and produces
       the 'diff' that consists of a set of commands that should bring the
       firewall from the state defined by the first config to the state
       defined by the second. Only PIX 7.0 is supported. This utility will be
       incorporated into policy installer in the future to make policy
       updates simpler and faster, especially when small changes are made to
       the large set of access lists and nat rules.
2007-03-24 18:37:19 +00:00
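The three run-time AddressTable fixes in the notes above (';' line comments, names containing '.', empty lines) describe what a generated script must do when it loads addresses from a file. The following is an added illustration of that loader shape, not fwbuilder's own generated code; the function names, the `ADDR_` prefix and the sample data file are constructed for the example.

```shell
#!/bin/sh
# Added example (not fwbuilder's generated code): a run-time AddressTable
# loader that handles the cases from bugs #1632054, #1628989 and the
# empty-line bug. Function names and the ADDR_ prefix are hypothetical.
set -f   # no globbing: data lines are word-split below

# Bug #1632054: an object name like "web.servers" is not a legal shell
# variable name, so every character outside [A-Za-z0-9_] becomes '_'.
fwb_var_name() {
    printf 'ADDR_%s\n' "$(printf '%s' "$1" | sed 's/[^A-Za-z0-9_]/_/g')"
}

# Read the addresses listed in file $2 into the variable derived from
# object name $1, and print them one per line.
#   - bug #1628989: text after ';' (or '#') is a line comment
#   - bug (no num.): empty or whitespace-only lines are skipped
fwb_load_address_table() {
    var=$(fwb_var_name "$1")
    file=$2
    addrs=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%;*}          # strip ';' comment
        line=${line%%#*}          # strip '#' comment
        set -- $line              # word-split: trims whitespace, detects empty
        [ $# -eq 0 ] && continue
        for a in "$@"; do
            addrs="${addrs:+$addrs }$a"
        done
    done < "$file"
    # Safe only because $var was sanitized: with the raw object name this
    # eval would be a syntax error, the original symptom of #1632054.
    eval "$var=\"\$addrs\""
    printf '%s\n' $addrs
}

# Constructed sample data file, written the way a user might write it.
fwb_demo() {
    tmp=$(mktemp)
    printf '%s\n' '; servers behind the firewall' '' '192.0.2.10' \
        '  192.0.2.11   ; second web server' '   ' \
        '198.51.100.0/24 # dmz' > "$tmp"
    fwb_load_address_table "web.servers" "$tmp"
    rm -f "$tmp"
}

fwb_demo
```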
bad
8ce21a8fff Initial import of fwbuilder-2.1.7.
Changes since the 2.0.12 release:

Improvements and changes in the GUI

     * The GUI works much faster with very large object trees.

     * "Where used" menu item to quickly find and show all groups and
       firewall rules that reference given object. Confirmation dialog
       shown when an object is deleted also shows all groups and rules
       that use it.

     * Built-in installer can now save a copy of .fwb file to the firewall.

     * Compile/install dialog is now an independent window instead of a modal
       dialog, this means the user can look at the policy and objects while
       compilation and/or installation is going on.

     * Network discovery druid is back, ported from fwbuilder 1.0. As before,
       it supports reading object definitions from a file in /etc/hosts
       format, can read DNS zone and also can crawl the network using SNMP
       queries.

     * Startup splash window has been removed.

     * Keeping track of dependencies between objects. Firewalls that refer
       to an object that is modified are marked with bold font.

     * Added bulk compile and install operations.

     * All object dialogs have been converted into built-in panels that
       appear in the right hand part of the main window.

     * Improvements in "Find" function: administrator can now drag an object
       into a well in the find dialog panel to make it search for this
       particular object.

     * The "Find and replace" operation has been implemented.

New object types, new rule types and rule elements, new actions and other new
features

     * AddressTable:  This object resolves to a set of IP addresses defined in
       an external file.

     * DNSName:  This object resolves a host name to the IP address using
       DNS. Object can be configured to do so at compile time or run time.

     * TagService:  This object matches tags set by action Tag.

     * Interface objects can now be marked as bridge ports.

     * Support for routing rules has been implemented.

     * Global policy and interface policies have been merged. Each policy
       rule now has rule element "Interface".

     * Policy rules can have the following new actions:

          * Queue:  This action passes the packet to user space process for
            inspection.

          * Custom:  This action allows administrator to define arbitrary
            piece of code to be used in place of an action.

          * Branch:  This action is used to create a branch in the rule set.

          * Tag:  This action associates internal tag with the packet.

          * Classify:  This action allows the firewall to define QoS class
            for the packet that matches the rule.

          * Route:  This action makes the firewall to route the packet that
            matches the rule through an interface or a gateway specified in
            the parameters of the action.

     * Firewall object now has an attribute "inactive" excluding it from
       bulk compiles and installs.

Compiler for iptables

     * Support for address tables loaded from external files at compile or
       run time.

     * Support for user-defined chains with predefined names (using a special
       action)

     * Support for CLASSIFY, MARK, CONNMARK, QUEUE, ROUTE targets

     * Support for physdev module for bridging firewalls

     * additional optimization of rules in INPUT and OUTPUT chain: now
       removing firewall object from src or dst to simplify rule if it uses
       OUTPUT or INPUT chain.

     * support for modules connlimit and hashlimit.

Compiler for PF

     * Support for load balancing rules
     * Support for tag and route options
     * Support for address ranges and network objects in TSrc in NAT rules
     * Support for pool types in NAT rules ('bitmask', 'random',
       'source-hash', 'round-robin'), as well as 'static-port' option.
     * Support for anchors (by way of a special action)
     * Support for tables with predefined names (using AddressTable object)
     * Support for packet 'tagging' (by way of a special action and service
       object TagService)

Compiler for ipfilter

     * Support for PPTP and IRC proxies
     * Support for route option

API

     * internal object ID is augmented with process ID of the program that
       creates an object.
     * fwbedit

   Fwbedit can now create objects and repair broken object database.
2006-11-09 19:07:56 +00:00