f6e8007fdf
Changes since 2.1.7 are:

Version 2.1.10

Improvements and bug fixes in the GUI

* fixed bug #1661140: "built-in installer broken in 2.1.9 for PF". Installer incorrectly set name for files it copied to the firewall if generated configuration consisted of several files. Affected platforms are PF and ipfilter because normally for these platforms compiler generates two files.

* fixed bug #1659832: "No compile with QT without STL support"

* a workaround for the bug 1629461: "Policy tabs do not scroll @ window extent on OSX". The tab widget used to show policy, nat, routing and policy branch rulesets does not switch to a "folded" mode on Mac OS X when it needs to show more tabs than fit in the window. Since I can't figure out a way to force it to do that, I am dropping "Policy/" from the tab titles for branches to make them shorter. This will help users with policies with many branches; however, it does not solve the problem because as they keep adding branches, at some point they won't fit in the window again.

* added an item "Where used" to the context menu associated with objects in rules

Version 2.1.9

Improvements and bug fixes in the GUI

* New feature: new operation "Tools/Find Conflicting Objects in Two Data Files". This operation inspects two data files (either .fwb or .fwl) and finds conflicting objects. Conflicting objects have the same internal ID but different attributes. Two data files cannot be merged, or one imported into another, if they contain such objects. This operation also helps identify changes made to objects in two copies of the same data file. This operation does not find objects present in one file but not in the other; such objects present no problem for merge or import operations. This operation works with two external files, neither of which needs to be opened in the program. The currently opened data file is not affected by this operation and objects in the tree do not change. In the process of this operation the user is presented with a series of dialogs showing conflicting objects side by side. In the end the program can generate a report and write it to a text file.

* installOptionsDialog was too large and did not fit on some laptop screens. Doing tricks to make sure the dialog is properly resized after unused GUI elements are hidden.

* bug #1629521: "can't delete empty chain/policy tab"

* bug #1619842: "prolog "script editor" opens behind other windows"

* bug #1620206: "RuleOptions' "Apply" button greyed-out until menu selection"

* bug 1619930: "Prolog tab's ScriptEditor's import fails to overwrite"

* bug #1617501: "Install fails after compile". The GUI got confused when the user entered a full path to the policy file in the "Output file name" input field in the "Compiler" tab of the firewall object dialog. Making sure we always strip the directory path from the file name if the user specified a full path for the policy file in the "Output file name" input field in the "Compiler" tab of the firewall object dialog. Need to strip the path when macro "%FWSCRIPT%" is substituted in installation scriptlets and in some other places.

* "Apply" and "Close" buttons in the object editor panel should be of fixed size horizontally

* bug #1624577: "group window doesn't stay open on multiple-adds". Using a special flag to tell ObjectTreeView that it should ignore the MouseReleaseEvent it gets after a d&d operation, so it won't switch the object in the editor panel. Note the bug triggered only on Mac OS X.

* bug (no num.): GUI used to show phantom 'Policy', 'NAT' and 'Routing' tabs when the user deleted objects from the Deleted Objects library, provided some of these objects were previously deleted firewalls.

* bug #1620284: "conflict when adding library to Preferences/Libraries". When the user tried to add a library to the list in Preferences/Libraries when a data file with the same object library was loaded, the GUI detected the conflict and showed an error dialog.

* bug #1650369: "[patch] please add support for GNU/kFreeBSD". Applied patch to make code compile on kFreeBSD.

Compiler for iptables

* bug #1623338: "Can not disable rules in a branch". Compiler for iptables ignored flag 'disabled' on rules in a branch.

* bug #1623113: 'connlimit fails in compiled "address table" rules'. Module connlimit can only be used in iptables rules matching TCP services. Such iptables commands have "-p tcp" and/or "-m tcp" options. If a rule in fwbuilder uses TCP Service and connlimit option and has multiple objects in src and dst, the optimizer used to split it to minimize matches. It however preserved the connlimit option in all subrules, even though some of them did not have TCP service after the split. This led to generation of incorrect iptables commands.

* bug #1620925: "compile-time AddressTable object with empty file". Compile-time AddressTable object that uses a file with no addresses should be treated as an empty group according to the "Ignore empty groups" option.

* bug #1618381: "CLASSIFY/MARK are non-terminating". This bug report in fact reported several problems.

  * For action Branch with option to add branching rule to the mangle table: we now generate rules in PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD chains. This is because some targets can only work in PREROUTING or POSTROUTING chains but we do not know what rules the user will put in the branch. So we need to branch in all chains.

  * For rules in mangle table with direction set to Inbound or Outbound force chain to PREROUTING or POSTROUTING respectively early. This eliminates duplicates such as the same rule in PREROUTING and INPUT chains. Also since most (all?) targets that require mangle table go into either PREROUTING or POSTROUTING chains, it should be enough to use these two chains.

  * Non-terminating rules shadow each other "backwards", that is a more general rule shadows other rules _above_ it. Added flag 'reverse' to the method find_more_general_rule and added new rule processor DetectShadowingForNonTerminatingRules that finds such cases of 'reverse' shadowing. Using it for rules in the mangle table for iptables.

  * Adding iptables rule with target ACCEPT to emulate terminating behavior for Tag and Classify actions. Emulation is controlled by a global option in the "Compiler" tab of the firewall properties dialog (default is "off"). This means emulation can be turned on and off for all rules that might require it at once. It is impossible to mix such rules with terminating and non-terminating behavior. The reason for this is that the shadowing detection algorithm can only work with either terminating or non-terminating rules, not with the mix.

* bug #1628989: "run-time-loaded rules don't accept ";" as line comment"

* bug #1632054: "Runtime AddressObjects FAIL to load if "Name:" contains ".". Compiler checks if the name of the run-time AddressTable object contains characters that have special meaning in shell and replaces them with '_' when it generates the name of the temporary shell variable.

* bug (no num.): data files used for run-time AddressTable objects can have empty lines; the script should skip them.

Firewall Builder Release Notes

Version 2.1.8

Installation

Opinion poll run on the fwbuilder-discussion mailing list showed that the majority of users are not interested in the ability to install and run both fwbuilder 2.0 and 2.1 on the same machine at the same time. Hence we are reverting to the old naming schema without suffix '21' for the binaries and man pages in this release.

Improvements and bug fixes in the GUI

* The user can search for objects using regular expressions matching their names or attributes.

* Fixed bug #1592130: "Policy Chaining Issues". The GUI should properly display nested branch rulesets. The user can create policy branches within other branches.

All compilers

* Fixed bug #1590746 "problem with using "DNS Names" objects on MS Windows". Compiler failed to convert DNSName objects set to resolve at compile time into IP addresses.

Compiler for iptables

* fixed bug #1593221: "iptables filtering bridge problem - PHYSDEV: no physdev opti..." Sometimes rules were generated with "-m physdev" but without "--physdev-in" or "--physdev-out" options.

Compiler for Cisco PIX

* fixed a bug (no num, support req. #1604103: "fwb_pix policy compiler dies when SNMP or NTP hosts defined"). Compiler did not print an error message when it could not find an interface with network zone matching the IP address of the NTP or SNMP server (it just printed the address without explanation of what went wrong)

* Experimental utility fwb_pix_diff has been added to the package. This utility takes two PIX configurations on the command line and produces the 'diff' that consists of a set of commands that should bring the firewall from the state defined by the first config to the state defined by the second. Only PIX 7.0 is supported. This utility will be incorporated into policy installer in the future to make policy updates simpler and faster, especially when small changes are made to the large set of access lists and nat rules.
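The three run-time AddressTable fixes in the 2.1.9 iptables section above (";" as a line comment, empty lines in the data file, and object names containing shell-special characters such as ".") all concern the same piece of generated firewall script. The following POSIX sh block is an added illustration of that loading logic and is not fwbuilder's own generated script or compiler code; the sample data file, the object name "web.servers", the exact sanitizing rule (non-identifier characters become "_", leading digit gets a "_" prefix) and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not fwbuilder's generated script. Shows how a firewall script
# can load a run-time AddressTable file: ';' (and '#') line comments and empty
# lines are skipped, and the object name becomes a safe shell variable name.
# File contents, object name and function names are constructed for this example.

# Constructed sample data file, written to a temporary file so the block runs offline.
ADDR_FILE=$(mktemp)
trap 'rm -f "$ADDR_FILE"' EXIT
cat > "$ADDR_FILE" <<'EOF'
; address table for the "web.servers" object (constructed sample)
192.0.2.10        ; trailing comment
192.0.2.0/24

198.51.100.7      # hash comments are tolerated too
EOF

# Derive a shell identifier from an AddressTable object name (assumed rule):
# every character outside [A-Za-z0-9_] becomes '_', a leading digit gets '_' prefix.
safe_var_name() {
    _n=$(printf '%s' "$1" | sed 's/[^A-Za-z0-9_]/_/g')
    case "$_n" in
        [0-9]*) _n="_$_n" ;;
    esac
    printf '%s' "$_n"
}

# Print the addresses in a table file one per line: comments stripped,
# surrounding whitespace trimmed, blank (or whitespace-only) lines dropped.
load_address_table() {
    sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$'
}

# Number of usable addresses in a table file.
count_addresses() {
    load_address_table "$1" | wc -l | tr -d ' '
}

# Build the assignment line a generated script could emit: a variable named
# after the object, holding the address list separated by spaces.
build_assignment() {
    printf '%s="%s"' "$(safe_var_name "$1")" \
        "$(load_address_table "$2" | tr '\n' ' ' | sed 's/ $//')"
}

# Demo: evaluate the assignment, then print (not execute) the iptables command
# that the script would run for each loaded address.
eval "$(build_assignment 'web.servers' "$ADDR_FILE")"
for addr in $web_servers; do
    echo "iptables -A INPUT -s $addr -p tcp --dport 80 -j ACCEPT"
done
```

Without the sanitizing step the assignment would read `web.servers="..."`, which the shell rejects as a command name rather than an assignment, so the address list would silently stay empty; trimming and the `grep -v '^$'` step are what keep a blank line in the data file from turning into an iptables command with an empty source address.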