pkgsrc/security/libfwbuilder21
bad f6e8007fdf Update fwbuilder and libfwbuilder to 2.1.10.
Changes since 2.1.7 are:

Version 2.1.10

Improvements and bug fixes in the GUI
     * fixed bug #1661140: "built-in installer broken in 2.1.9 for PF".
       Installer incorrectly set name for files it copied to the firewall if
       generated configuration consisted of several files. Affected platforms
       are PF and ipfilter because normally for these platforms compiler
       generates two files.
     * fixed bug #1659832: "No compile with QT without STL support"
     * a workaround for the bug 1629461: "Policy tabs do not scroll @ window
       extent on OSX". The tab widget used to show policy, nat, routing and
       policy branch rulesets does not switch to a "folded" mode on Mac OS X
       when it needs to show more tabs that fit in the window. Since I can't
       figure out a way to force it to do that, I am dropping "Policy/" from
       the tab titles for branches to make them shorter. This will help users
       with policies with many branches, however it does not solve the
       problem because as they keep adding branches, at some point they won't
       fit in the window again.
     * added an item "Where used" to the context menu associated with objects
       in rules

Version 2.1.9

Improvements and bug fixes in the GUI
     * New feature: new operation "Tools/Find Conflicting Objects in Two Data
       Files". This operation inspects two data files (either .fwb or .fwl)
       and finds conflicting objects. Conflicting objects have the same
       internal ID but different attributes. Two data files can not be
       merged, or one imported into another, if they contain such objects.
       This operation also helps identify changes made to objects in two
       copies of the same data file. This operation does not find objects
       present in one file but not in the other, such objects present no
       problem for merge or import operations. This operation works with two
       external files, neither of which needs to be opened in the program.
       Currently opened data file is not affected by this operation and
       objects in the tree do not change. In the process of this operation
       user is presented with series of dialogs showing conflicting objects
       side by side. In the end the program can generate report and write it
       to a text file.
     * installOptionsDialog was too large and did not fit on some laptop
       screens. Doing tricks to make sure the dialog properly resized after
       unused GUI elements are hidden.
     * bug #1629521: "can't delete empty chain/policy tab"
     * bug #1619842: "prolog "script editor" opens behind other windows"
     * bug #1620206: "RuleOptions' "Apply" button greyed-out until menu
       selection"
     * bug 1619930: "Prolog tab's ScriptEditor's import fails to overwrite"
     * bug #1617501:"Install fails after compile". The GUI got confused when
       user enter full path to the policy file in the "Output file name"
       input field in the "Compiler" tab of firewall object dialog. Making
       sure we always strip directory path from the file name if user
       specified full path for the policy file in the "Output file name"
       input field in the "Compiler" tab of firewall object dialog. Need to
       strip path when macro "%FWSCRIPT%" is substituted in installation
       scriptlets and in some other places.
     * "Apply" and "Close" buttons in the objct editor panel should be of
       fixed size horizontally
     * bug #1624577: "group window doesn't stay open on multiple-adds". Using
       special flag to tell ObjectTreeView that it should ignore
       MouseReleaseEvent it gets after d&d operation, so it wont switch
       object in the editor panel. Note the bug triggered only on Mac OS X.
     * bug (no num.): GUI used show fanthom 'Policy', 'NAT' and 'Routing'
       tabs when user deleted objects from the Deleted Objects library,
       provided some of these objects were previously deleted firewalls.
     * bug #1620284: "conflict when adding library to Preferences/Libraries".
       When the user tried to add a library to the list in
       Preferemces/Libraries when a data file with the same object library
       was loaded, the GUI detected the conflict and showed error dialog.
     * bug #1650369: "[patch] please add support for GNU/kFreeBSD". Applied
       patch to make code compile on kFreeBSD.

Compiler for iptables
     * bug #1623338: "Can not disable rules in a branch". Compiler for
       iptables ignored flag 'disabled' on rules in a branch.
     * bug #1623113: 'connlimit fails in compiled "address table" rules'
       Module connlimit can only be used in iptables rules matching TCP
       services. Such iptables commands have "-p tcp" and/or "-m tcp"
       options. If a rule in fwbuilder uses TCP Service and connlimit option
       and has multiple objects in src and dst, optimizer used to split it to
       minimize matches. It however preserved connlimit option in all
       subrules, even though some of them did not have TCP service after the
       split. This lead to generation of incorrect iptables commands.
     * bug #1620925: "compile-time AddressTable object with empty file".
       Compile-time AddressTable object that uses file with no addresses
       should be treated as an empty group according to the "Ignore empty
       groups" option.
     * bug #1618381: "CLASSIFY/MARK are non-terminating". This bug report in
       fact reported several problems.

          * For action Branch with option to add branching rule to the mangle
            table: we now generate rules in PREROUTING, POSTROUTING, INPUT,
            OUTPUT and FORWARD chains. This is because some targets can only
            work in PREROUTING or POSTROUTING chains but we do not know what
            rules will user put in the branch. So we need to branch in all
            chains
          * For rules in mangle table with direction set to Inbound or
            Outbound force chain to PREROUTING or POSTROUTING respectively
            early. This eliminates duplicates such as the same rule in
            PREROUTING and INPUT chains. Also since most (all?) targets that
            require mangle table go into either PREROUTING or POSTROUTING
            chains, it should be enough to use these two chains.
          * Non-terminating rules shadow each other "backwards", that is more
            general rule shadows other rules _above_ it. Added flag 'reverse'
            to the method find_more_general_rule and added new rule processor
            DetectShadowingForNonTerminatingRules that finds such cases of
            'reverse' shadowing. Using it for rules in the mangle table for
            iptables.
          * Adding iptables rule with target ACCEPT to emulate terminating
            behavior for Tag and Classify actions. Emulation is controlled by
            a global option in the "Compiler" tab of the firewall properties
            dialog (default is "off"). This means emulation can be turned on
            and off for all rules that might require it at once. It is
            impossible to mix such rules with terminating and
            non-termninating behavior. The reason for this is that shadowing
            detection algorithm can only work with either terminating or
            non-terminating rules, not with the mix.

     * bug #1628989: "run-time-loaded rules don't accept ";" as line comment"
     * bug #1632054: "Runtime AddressObjects FAIL to load if "Name:" contains
       "."". Compiler checks if the name of the run-time AddressTable object
       contains characters that have special meaning in sheel and relaces
       them with '_' when it generates the name of the temporary shell
       variable.
     * bug (no num.): data files used for run-time AddressTable objects can
       have empty lines, the script should skip them.
                         Firewall Builder Release Notes

Version 2.1.8

Installation
   Optinon poll ran on the fwbuilder-discussion mailing list showed that
   majority of users are not interested in ability to install and run both
   fwbuilder 2.0 and 2.1 on the same machine at the same time. Hence we are
   reverting to the old naming schema without suffix '21' for the binaries
   and man pages in this release.

Improvements and bug fixes in the GUI
     * The user can search for objects using regular expressions matching
       their names or attributes.
     * Fixed bug #1592130: "Policy Chaining Issues". The GUI should properly
       display nested branch rulesets. The user can create policy branches
       within other branches.

All compilers
     * Fixed bug #1590746 "problem with using "DNS Names" objects on MS
       Windows". Compiler failed to convert DNSName objects set to resolve at
       compile time into IP addresses.

Compiler for iptables
     * fixed bug #1593221: "iptables filtering bridge problem - PHYSDEV: no
       physdev opti..." Some times rules were generated with "-m physdev" but
       witout "--physdev-in" or "--physdev-out" options.

Compiler for Cisco PIX
     * fixed a bug (no num, support req. #1604103: "fwb_pix policy compiler
       dies when SNMP or NTP hosts defined". Compiler did not print error
       message when it could not find an interface with network zone matching
       IP address of NTP or SNMP server (it just printed the address without
       explanation of what went wrong)
     * Experimental utility fwb_pix_diff has been added to the package. This
       utility takes two PIX configurations on the command line and produces
       the 'diff' that consists of a set of commands that should bring the
       firewall from the state defined by the first config to the state
       defined by the second. Only PIX 7.0 is supported. This utility will be
       incorporated into policy installer in the future to make policy
       updates simpler and faster, especially when small changes are made to
       the large set of access lists and nat rules.
2007-03-24 18:37:19 +00:00
..
patches
buildlink3.mk
DESCR
distinfo
Makefile
PLIST