Firewall Builder Changelog

New in Firewall Builder 5.1.0 Build 3599 (Mar 29, 2012)

  • GUI Updates:
  • fixes #2685 "Clicking "Manage Members" in a vlan subinterface of a cluster causes crash".
  • Changes in support for iptables:
  • fixed SF bug #3468358 "change in rule-compilation between 5.0.0 and 5.0.1". A rule with a cluster interface in "Destination" should compile into matching the ip addresses assigned to the cluster interface object and to the corresponding member firewall's interface object, but in v5.0.1 it only matched the member interface address. This bug was triggered when the iptables version was set to 1.2.11 or greater. This was a regression from v5.0.0.
  • fixes #2686 "automatic rules for heartbeat are not generated for vlan subinterfaces"
  • fixes #2684 "fix address deletion in configlet update_addresses". This only applies to Linux firewalls and configurations where an interface has two or more ip addresses. If the user deleted, in the GUI, the address that happened to be the "primary" address of the interface, the generated script deleted both addresses on the firewall machine instead of just one and left the interface with no addresses at all. The fix is to use the /proc variable /proc/sys/net/ipv4/conf/all/promote_secondaries, which makes the kernel "promote" a secondary address to "primary" status when the primary address is deleted. The default behavior of the Linux kernel is to delete all addresses when the primary address is deleted.
  • using mktemp to create the temporary directory in the generated script. If mktemp is not available, fall back onto a less secure but guaranteed-to-work method where the name of the temporary directory is randomized using the process ID.
  • fixes SF bug 3489096 "dd-wrt-jffs: all routes are deleted if there is an error". The problem affects all supported Linux-like systems. Shell code that restores old static routing table entries in case of an error with commands adding new routing entries was broken and left the machine with no routes at all.
  • Other changes:
  • fix for SF bug #3468802. Need to define macro __STDC_FORMAT_MACROS. This still needs to be tested on all build machines.
  • running autoconf, configure as part of windows build. Merged qmake .pro and .inc files for Windows, Mac and Linux builds. Moved files needed for Windows and Mac packaging to the "packaging" directory.
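The temporary directory creation described in the 5.1.0 notes above, as an added example in POSIX shell that is not Firewall Builder's own generated script: it prefers mktemp and otherwise falls back to a PID-based name, relying on an atomic mkdir so that a pre-existing file or symlink at the predictable fallback name makes the call fail instead of being reused. The function names (make_tmpdir, fallback_tmpdir, tmpdir_is_private) are assumptions, and the check for mktemp uses "which" as the generated script does.

```shell
#!/bin/sh
# Added example (not the Firewall Builder generated script): create a private
# temporary directory, preferring mktemp and falling back to a PID-based name.
# Assumptions: TMPDIR may be unset; "which" is available; 64-bit or 32-bit sh.

tmp_base() {
    # Use $TMPDIR when set, otherwise /tmp
    echo "${TMPDIR:-/tmp}"
}

fallback_tmpdir() {
    # Less secure fallback: the name is predictable (shell PID plus a counter),
    # so rely on mkdir being atomic: it fails if the name already exists, which
    # means a pre-created file or symlink at that path is rejected rather than
    # followed. Mode 700 keeps other users out of the directory.
    base=$(tmp_base)
    n=0
    while [ "$n" -lt 100 ]; do
        d="$base/fwb.$$.$n"
        if mkdir -m 700 "$d" 2>/dev/null; then
            echo "$d"
            return 0
        fi
        n=$((n + 1))
    done
    echo "fallback_tmpdir: could not create a directory under $base" >&2
    return 1
}

make_tmpdir() {
    # Preferred path: mktemp picks an unpredictable name and creates it atomically
    if which mktemp >/dev/null 2>&1; then
        d=$(mktemp -d "$(tmp_base)/fwb.XXXXXX") && { echo "$d"; return 0; }
    fi
    fallback_tmpdir
}

# Return 0 only when the directory exists and group/others have no access bits
tmpdir_is_private() {
    [ -d "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}
```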

New in Firewall Builder 5.0.1 Build 3592 (Dec 27, 2011)

  • GUI Updates:
  • moved "batch install" button from the main installer wizard to the dialog where user enters their password. Now user can start in a non-batch install mode but continue in batch install mode at any time if all their firewalls authenticate with the same user name and password.
  • see #2628 fixed crash that happened if the user created a new firewall object from a template and changed one of the ip addresses, while another firewall object created from the same template already existed in the tree.
  • see #2635 Object type AttachedNetworks is not allowed in the "interface" rule element.
  • The drop-down list of interfaces for the "route-through" rule option for PF and iptables should include not only cluster interfaces, but also interfaces of all members. This way, we can make compiler generate configuration "pass in quick on em0 route-to { ( em0 10.1.1.2 ) } ... " for a rule of a PF cluster. Here "em0" is an interface of a member, not the cluster.
  • fixes #2642 "GUI crashes if user cancels newFirewall dialog".
  • fixes #2641 "newFirewall dialog does not accept ipv6 addresses with long prefixes". The dialog did not allow ipv6 addresses of interfaces with netmask > 64 bit.
  • fixes #2643 "GUI crashes when user cuts a rule, then right-mouse click in any rule element of another"
  • added check to make sure user does not enter netmask with zeroes in the middle for the IPv4 network object. Netmasks like that are not supported by fwbuilder.
  • fixes #2648 "right mouse click on firewall object in "Deleted objects" library causes GUI crash"
  • fixes SF bug 3388055 Adding a "DNS Name" with a trailing space causes failure.
  • fixes SF bug 3302121 "cosmetic mis-format in fwb Linux paths dialog"
  • fixes SF bug 3247094 "Nomenclature of IP address edit dialog". Network ipv6 dialog says "Prefix length".
  • see #2654 fixes GUI crash that occurred if the user copied a rule from file A to file B, then closed file B, opened file C and tried to copy the same rule from A to C.
  • see #2655 Interface names are not allowed to have dash "-" even with interface verification off. We should allow "-" in the interface name for Cisco IOS
  • see #2657 snmp network discovery crashed if option "Confine scan to network" was used.
  • fixes #2658 "snmp network discovery creates duplicate address and network objects"
  • enable fwbuilder to take advantage of GSSAPIAuthentication with openssh using a suggestion by Matthias Witte.
  • fixed a bug (no number): if the file name user entered in "Output file name" field in the "advanced settings" dialog of a firewall object ended with a white space, policy installer failed with an error "No such file or directory"
  • fixed SF bug #3433587 "Manual edit of new service Destination Port END value fails". This bug made it impossible to edit the value of the end of the port range because as soon as the value became less than the value of the beginning the range, the GUI would reset it to be equal to the value of the beginning of the range. This affected both TCP and UDP service object dialogs.
  • fixes #2665 "Adding text to comment causes rule to go from 2 rows to 1 row". Under certain circumstances, editing rule comment caused the GUI to collapse corresponding row in the rule set view so that only the first object of each rule element that contained several objects was visible.
  • fixes #2669 "Cant inspect custom Service object in Standard objects library".
  • Changes in policy importer for all supported platforms:
  • Changes that affect import of PIX configurations
  • changed token name from "ESP" to "ESP_WORD" to avoid conflict with macro "ESP" that happened during build on OpenSolaris
  • see #2662 "Crash when compiling ASA rule with IP range". Need to split address range if it is used in "source" of a rule that controls telnet, ssh or http to the firewall itself and firewall's version is >= 8.3. Commands "ssh", "telnet" and "http" (those that control access on the corresponding protocols to the firewall itself) accept only ip address of a host or a network as their argument. They do not accept address range, named object or object group. This is so at least as of ASA 8.3. Since we expand address ranges only for versions < 8.3 and use named object for 8.3 and later, we need to make this additional check and still expand address ranges in rules that will later convert to "ssh", "telnet" or "http" command. Compiler still generates redundant object-group statement with CIDR blocks generated from the address range but does not use this group in the rule. This does not break generated configuration but the object-group is redundant since it is never used. This will be rectified in future versions.
  • fixes #2668 Remove "static routes" from the explanation text in ASA/PIX import dialog. We can not import PIX/ASA routing configuration at this time.
  • fixes #2677 Policy importer for PIX/ASA could not parse command "nat (inside) 1 0 0"
  • fixes #2679 Policy importer for PIX/ASA could not import "nat exemption" rule (for example: "nat (inside) 0 access-list EXEMPT")
  • fixes #2678 Policy importer for PIX/ASA could not parse nat command with parameter "outside"
  • Changes and improvements in the API library libfwbuilder:
  • function InetAddr::isValidV4Netmask() checks that netmask represented by the object consists of a sequence of "1" bits, followed by the sequence of "0" bits and therefore does not have zeroes in the middle.
  • fixed bug #2670. Per RFC3021 network with netmask /31 has no network and direct broadcast addresses. When interface of the firewall is configured with netmask /31, policy compilers should not treat the second address of this "subnet" as a broadcast.
  • Changes in support for iptables:
  • see #2639 "support for vlan subinterfaces of bridge interfaces (e.g. br0.5)". Currently fwbuilder can not generate script to configure vlan subinterfaces of bridge interfaces, however if user did not request this configuration script to be generated, compiler should not abort when it encounters this combination.
  • fixes #2650 "rules with address range that includes firewall address in Src are placed in OUTPUT chain even though addresses that do not match the firewall should go in FORWARD"
  • fixes SF bug #3414382 "Segfault in fwb_ipt dealing with empty groups". Compiler for iptables used to crash when an empty group was used in the "Interface" column of a policy rule.
  • see SF bug #3416900 "Replace `command` with `which`". Generated script (Linux/iptables) used to use "command -v" to check if the command line tools it needs are present on the system. This was used to find iptables, lsmod, modprobe, ifconfig, vconfig, logger and others. Some embedded Linux distributions, notably TomatoUSB, come without support for "command". Switching to "which", which is more ubiquitous and should be available pretty much everywhere.
  • fixed #2663 "Rule with "old-broadcast" object results in invalid iptables INPUT chain". Compiler was choosing chain INPUT with direction "outbound" for rules that had the old broadcast address in "Source"; this led to invalid iptables configuration with chain INPUT and an "-o eth0" interface match clause.
  • fixed bug in the rule processor that replaces AddressRange object that represents single address with an IPv4 object. Also eliminated code redundancy.
  • fixes #2664 Update error message when "which" command fails. Generated iptables script uses "which" to check if all utilities it uses exist on the machine. We should also check if "which" itself exists and issue meaningful error message if not.
  • SF bug #3439613. physdev module does not allow --physdev-out for non-bridged traffic anymore. We should add --physdev-is-bridged to make sure this matches only bridged packets. Also adding "-i" / "-o" clause to match parent bridge interface. This allows us to correctly match which bridge the packet comes through in configurations using wildcard bridge port interfaces. For example, when br0 and br1 have "vnet+" bridge port interface, iptables can still correctly match which bridge the packet went through using "-o br0" or "-o br1" clause. This can be useful in installations with many bridged interfaces that get created and destroyed dynamically, e.g. with virtual machines. Note that the "-i br0" / "-o br0" clause is only added when there is more than one bridge interface and bridge port name ends with a wild card symbol "+"
  • fixed SF bug #3443609 "Return of ID 3059893: iptables "--set" option deprecated". Need to use --match-set instead of --set if iptables version is >= 1.4.4. The fix done for #3059893 was only in the policy compiler but needs to be done in both policy and NAT compilers.
  • Changes in support for PF (FreeBSD, OpenBSD):
  • see #2636 "carp : Incorrect output in rc.conf.local format". Should use create_args_carp0 instead of ifconfig_carp0 to set up CARP interface vhid, pass and advskew parameters.
  • see #2638 "When CARP password is empty the advskew value is not read". Should skip "pass " parameter of the ifconfig command that creates carp interface if user did not set up any password.
  • fixed SF bug #3429377 "PF: IPv6 rules are not added in IPv4/IPv6 ruleset (anchor)". Compiler for PF did not include rules generated for IPv6 in generated PF anchor configuration files.
  • fixed SF bug 3428992: "PF: rules order problem with IPv4 and IPv6". Compiler for PF should group ipv4 and ipv6 NAT rules together, before it generates ipv4 and ipv6 policy rules.
  • Several fixes in the algorithms used to process rules when option "preserve group and addresses table object names" is in effect
  • fixes #2674 NAT compiler for PF crashed when AttachedNetworks object was used in Translated Source of a NAT rule.
  • Changes in support for Cisco IOS ACL:
  • fixes #2660 "compiler for IOSACL crashed when address range appears in a rule AND object-group option is turned ON"
  • fixed SF bug 3435004: "Empty lines in comment result in "Incomplete Command" in IOS".
  • Changes in support for ipfw:
  • fixed SF bug #3426843 "ipfw doesn't work for self-reference, in 5.0.0.3568 version".
  • Changes in support for Cisco ASA (PIX, FWSM):
  • see #2656 "Generated Cisco ASA access-list has duplicate entry". Under certain circumstances policy compiler fwb_pix generated duplicate access-list lines.
  • Other changes:
  • see #2646 and SF bug 3395658: Added a few ipv4 and ipv6 network objects to the Standard objects library: TEST-NET-2, TEST-NET-3 (RFC 5735, RFC 5737), translated-ipv4, mapped-ipv4, Teredo, unique-local and a few others.
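The two IPv4 checks described in the 5.0.1 libfwbuilder notes (the contiguous-bits netmask test behind InetAddr::isValidV4Netmask(), also used by the GUI network dialog, and the RFC 3021 rule from #2670 that a /31 has no broadcast address), as an added example in POSIX shell that is not libfwbuilder code. Function names are assumptions; it generalizes slightly by also treating /32 as having no broadcast.

```shell
#!/bin/sh
# Added example (not libfwbuilder code): validate an IPv4 netmask and decide
# whether an address/mask pair has a directed broadcast address at all.
# Assumptions: dotted-quad input; shell arithmetic is at least 32 bits wide.

# Convert a dotted quad to an unsigned 32-bit integer; fail on malformed input
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        # reject empty, non-numeric and leading-zero octets (octal ambiguity)
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to a dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# A valid netmask is a run of 1 bits followed by a run of 0 bits, i.e. no zeroes
# in the middle. With inv = ~mask (low 32 bits), that holds exactly when inv is
# of the form 0...01...1, which is the case iff inv & (inv + 1) == 0.
is_valid_v4_netmask() {
    m=$(ip2int "$1") || return 1
    inv=$(( ~m & 0xFFFFFFFF ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# Prefix length of a valid mask (number of leading 1 bits)
mask_prefix_len() {
    m=$(ip2int "$1") || return 1
    len=0
    while [ "$len" -lt 32 ] && [ $(( (m >> (31 - len)) & 1 )) -eq 1 ]; do
        len=$((len + 1))
    done
    echo "$len"
}

# Print the directed broadcast address for addr/mask, or "none" for /31
# (RFC 3021: no network or broadcast address) and /32, so a compiler must not
# treat the second address of a /31 as a broadcast. Fails on an invalid mask.
broadcast_for() {
    a=$(ip2int "$1") || return 1
    m=$(ip2int "$2") || return 1
    is_valid_v4_netmask "$2" || return 1
    len=$(mask_prefix_len "$2")
    if [ "$len" -ge 31 ]; then
        echo none
    else
        int2ip $(( a | (~m & 0xFFFFFFFF) ))
    fi
}
```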

New in Firewall Builder 5.0.0 Build 3568 (Jul 28, 2011)

  • User Defined System Folders - Users can now create their own subfolders in the object tree. To add a subfolder right-click on a system folder, for example Firewalls, and select "New Subfolder". You can move objects into the subfolder by dragging-and-dropping them from the parent folder in the object tree to the subfolder. You can only delete empty subfolders, so if you want to delete a subfolder first move all the objects in that subfolder to the parent folder and then you can delete the subfolder.
  • Keywords for Tagging Objects - This feature gives users the ability to apply keywords to objects and then use the filter box to search for objects that match a keyword.
  • Dynamic Groups with Smart Filters - A new type of group, called a Dynamic Group, has been added to the Group object in the object tree. Right-click the Group object and select "New Dynamic Group" to create a new group. You can use both Keywords and Object Type to create filters of objects that should be included in the Dynamic Group. There is a preview window that displays all the objects that match the filter. You can use Dynamic groups in rules just like you would use a regular Group object. When Firewall Builder compiles a rule that includes a Dynamic Group it will expand the group into all its member objects.
  • Multiple Operations per Filter Rule - The actions for Tag, Classify and Route have been moved to the rule Options. This allows a user to define a primary action, like Accept, and then define additional actions that should be taken on traffic that matches the rule. This is only supported for iptables and PF platforms. For PF setting multiple actions will result in a single rule with multiple actions defined. For iptables this will result in multiple rules ordered so that all actions are performed correctly.
  • New Attached Networks Object - There is a new child object for interfaces that represents all the networks that are "attached" to the interface. This means that for each IP address that is configured on an interface the associated network for that IP address will be included in the Attached Networks object.
  • Improved GUI layout and behavior - There are a number of changes that have been made to make the mouse click behavior more consistent, and the layout of the GUI has been updated to make things simpler.
  • Import of PF configurations - Firewall Builder can now import PF configurations in pf.conf format. To import a pf.conf configuration go to File -> Import Firewall and follow the prompts.
  • GUI Updates:
  • "Crash when selecting New Firewall and existing firewall has interface that is locked". Fixed GUI crash that happened on some operations if an object in the tree was locked. For example, if the user locked an interface of one of the firewall objects that then proceeded to create new firewall object, the GUI would crash. The problem was not limited to locking specifically interface objects.
  • As part of the GUI usability improvements, the behavior when the user double clicks on "any" in a rule has changed. Now the program opens object "any" in the editor and shows prompt text that explains its behavior. The editor stays read-only and should appear grayed-out if the palette is set up for that.
  • when user double clicks on a firewall object to open it in the editor, rule set view panel switches to the rule set of that firewall. To decide which rule set to show, the program scans history of the objects the user opened before in the same GUI session and shows that firewall's rule set they opened last. If user never opened any rule sets of this firewall, then the first Policy object is shown.
  • fixed several GUI crashes that happened when user performed various operations on the object tree that contained locked objects.
  • implementation of keywords associated with objects in the GUI; ability to filter by keywords, dialog layout changes to add GUI controls for keywords.
  • Removed obsolete localization files (Russian and Japanese). These were incomplete and have never been updated for v4.
  • Removed transfer agent code. This eliminates dependency on DBus framework.
  • Added support for creating user-defined subfolders. The subfolders exist purely in the display and are not reflected in the FWObject tree, in order to keep changes in the back-end to a minimum. New attribute "subfolders" on a system folder tells the gui what additional child elements to display in the tree, and attribute "folder" on any FWObject tells gui which child tree element to put it in.
  • Added feature : directory location caching. Use FWBSettings::{get|set}OpenFileDir() any time we use QFileDialog so that the directory you navigated to last time shows up in the next file dialog. This behavior is overridden by setting a working directory. If the directory no longer exists, gracefully fall back to something sensible.
  • "Add context menu to move an interface to be a child of another interface". New context menu (submenu) allows user to move an interface in the tree to make it a subinterface of another interface.
  • Implemented support for address table alternate paths. There's a "data directory" setting under user preferences. If the user selects an address table file using "choose file" and that file is "inside" the data directory, then the appropriate part of the path is replaced with %DATADIR% as a variable. If the address table is marked "run-time" then the path is taken from the firewall data directory option.
  • Fixed bug: save the expanded/collapsed state of the tree when the user starts typing something into the quick filter. When the quick filter is cleared, re-expand any items that started off expanded (so we get the union of expanded items displayed by quick filter plus what the user started with expanded).
  • "Attempting to copy-and-paste a tag service results in an error". Pasting of a TagService object to the "Tag Services" group did not work.
  • "Enhance Find to include searching for IP addresses in ranges". Function "find" now finds ip addresses inside address ranges.
  • "Expanded set of options the user can change to pre-set parameters in the new policy rules they create". Now user can set default values for action ("Deny" or "Accept"), direction, the "stateless" flag and logging.
  • fixes bug "If file doesn't exist when clicking 'edit file', then you have to hit save button twice". The bug affected "edit file" function in the Address Table object dialog.
  • "Remove Back and Forward buttons". We have decided the behavior of the GUI was too complicated, since the user can both act on objects directly and navigate backwards and forwards to the objects found in their browsing history. Navigation using browsing history was broken when the quick filter was in use, too. All in all, it felt that the value of the "back" and "forward" buttons was relatively low.
  • Changes that affect import of PF configurations:
  • This version implements import of pf.conf configuration with the following limitations:
  • anchors are not imported. Anchor rules are imported but rules inside anchors are not.
  • only pf.conf configurations designed with the use of keyword "quick" can be imported.
  • Macros are expanded during import and are not recreated as objects. Tables are imported as run-time AddressTable objects configured with the file name, or as object groups.
  • User has to specify host OS and PF version number during import process because interpretation of rules with default settings of some parameters is version-dependent.
  • Import of IPv6 addresses and ICMPv6 matches in pf.conf is not supported at this time.
  • Import of TCP flag matches for flags 'E' and 'W' is not supported.
  • Import of "include" clause is not supported
  • Import of "user" and "group" matches is not supported
  • as of v4.2 we can not generate optional parameters for the "source-hash" pooltype. "sticky-address" is not supported either. These options are not imported.
  • Interface group names are not recognized
  • commands "set ruleset-optimization", "set loginterface", "set block-policy", "set state-defaults", "set require-order", "set fingerprints", "set reassemble", "set hostid" are not supported.
  • Fixes and improvements in import of iptables configurations:
  • Implemented import of iptables rules with target CLASSIFY.
  • Changes and improvements in the API library libfwbuilder:
  • New object type "Attached Networks": network object that automatically matches subnets an interface is attached to. The object can be a child of an interface. The object is optional and is not created automatically for all interfaces; the user can add it using the context menu associated with an interface. The dialog for this object allows editing of the name and comment. The list of network addresses represented by this object is always generated automatically. Compiler for PF translates this object to the "en0:network" construct that is supported by PF. Compiler for iptables expands it to the list of ipv4 and ipv6 networks defined by the addresses of the parent interface if the interface has static addresses. If the interface is configured as "dynamic" and has no address in fwbuilder, then the compiler treats the AttachedNetworks object as run-time and uses a shell function to determine network addresses during activation of the firewall script. Compilers for other firewall platforms always treat this object as compile-time and abort if it is used with a dynamic interface.
  • New object type "Dynamic Group". Dynamic group automatically expands to a set of objects using matching rules that at this time can match object types and keywords.
  • Updated error message that appears when user tries to open .fwb file created by the future version of fwbuilder.
  • Common changes that affect policy compilers for all platforms:
  • fixed bug "Compile fails if firewall has locked interface that is set to dynamic".
  • Changes in support for iptables:
  • 'Mixing Actions "Accept" and "Classify" results in incorrect rules', and 'Mixing Actions "Accept" and "Tag" results in incorrect ruleset'. After we made Tag, Classify and Route rule options instead of actions, rules that mix these options with actions "Accept" and others, except for "Continue", should be treated differently. The actions are now implemented using iptables rules in the table "filter", and additional rules in table "mangle" are used to implement only tagging, classification or routing. Generated script does not change the default action in table "mangle" and assumes it is "ACCEPT", so adding rules with target ACCEPT in the mangle table should not be necessary. Another change because of this affects branching rules that use option "create branch in mangle table in addition to the filter table". These rules used to duplicate the same action and logging rules in mangle. Now they don't do this and only create rules in mangle if the branch rule set performs tagging, classification or routing.
  • "Deprecating Route option for iptables". This target is not included in any of the popular Linux distributions (checked in Ubuntu, Fedora and CentOS). The GUI dialog and all support in the compiler will be removed in future version of fwbuilder. Beginning with 4.3.0, compiler aborts with an error when it encounters a rule using this option. In older versions of fwbuilder (4.2.x and before) this option was presented as an action "Route".
  • "Tag action should be done in PREROUTING so it can be acted on later". If a rule has both tagging and classification options, the rule should be split so that iptables command doing tagging goes in PREROUTING and rule doing classification goes into POSTROUTING chain.
  • "Tag and classify actions don't work properly with branches". When a branching rule points to a rule set that has rules with Tag and Classify options, branching should occur in the mangle table even when checkbox "create branch in mangle table" is not checked. The fix in this change is tentative as it creates branches in chains PREROUTING, POSTROUTING and OUTPUT. Since target CLASSIFY is only allowed in POSTROUTING, this may create a conflict. Need to test more.
  • Added support for single object negation in "Inbound Interface" and "Outbound Interface" columns in compiler for iptables.
  • fixed SF bug 3371301 "Error compiling with VLAN and masquerade". Iptables NAT rules with vlan interface configured as "dynamic" and no ip address in Translated Source caused compiler crash.
  • Changes in support for PF (FreeBSD, OpenBSD):
  • "PF compiler should use 'self' keyword where appropriate". Compiler for PF now uses keyword 'self' in rules where firewall object is used in Source or Destination.
  • Added support for single object negation in "Interface" rule element of PF NAT rules. Now compiler can produce PF commands such as "nat on ! em0 ... " (for PF = 4.7)
  • NAT Compiler for PF should use "(interface)" syntax to the right of "->" in NAT rules. This now works for all interfaces, including those that have ip addresses in fwbuilder configuration, when interface object appears in "Translated Source" in a nat rule. When firewall object appears in "Translated Source", it gets replaced with a set of its interfaces which also get translated into "-> (interface)".
  • fixed bug "PF compiler crashes when ipv4+ipv6 NAT rule uses only ipv4 address". This has been reported as SF bug 3305234.
  • 'avoid " {tcp udp icmp} " in place of protocol'. NAT compiler for PF does not need to generate protocol match "proto {tcp udp icmp}" when service object used in the NAT rule is "any". The reason this was done this way is lost in the mist of time; it's been like this since very early versions of fwbuilder.
  • "Update generated route-to configuration for PF versions 4.7 and later", SF bug 3348931. The "route-to" parameter moved to the end of pass rules in PF 4.7
  • "Crash when compiling a route with table object". Compiler for PF crashed when run-time AddressTable object was used in RDst of a routing rule.
  • "Group and Address Table name persistence in generated config". Compiler for PF can now preserve names of object groups, dynamic groups, compile-time AddressTable and compile-time DNSName objects in the generated pf.conf file. This is optional and is controlled by a checkbox in the firewall settings dialog.
  • fixes bug "Run-time dns name or address table in routing policy -> crash". Compiler for PF crashed if user placed run-time DNSName object in "destination" of a routing rule.
  • fixes bug "PF: NAT compiler fails when run-time address table object is used in a rule"
  • Other changes:
  • applied patch to provide configure command line option to specify path to ccache.
  • applied two patches to replace calls to sprintf with safer calls to snprintf and fix some compiler warnings.

New in Firewall Builder 4.2.2 Build 3541 (May 12, 2011)

  • fixes #2395 "Crash when setting installer directory location" and fixes #2396 "Crash when changing firewall name". These two bug reports were manifestations of the same problem that was introduced by the fix for #2380. When the user hit OK in the newFirewallDialog and the new firewall object was added to the object tree, any editing of the parameters of this new object would cause the GUI to crash.

New in Firewall Builder 4.2.1 Build 3540 (May 11, 2011)

  • GUI Updates:
  • Fix for SF bug 3169045 "Batch installer lists IPv4 address as management address". Built-in installer wanted to use management interface address in batch mode even when alternative address or putty session name was provided. This happens only in batch mode install.
  • fixes #2370, #2371 "broken signals in network discovery wizard". Network discovery wizard was not correctly initialized and did not work.
  • fixes #2368 and SF bug 3294457 "External install script". External install script name and arguments weren't saved for IOS firewall objects.
  • fixes #2360 "Sometimes fwbuilder opens with object tree scroll bar centered so folders are not visible"
  • fixes #2385 "PF action Classify uses wrong parameter". This change fixes a bug introduced in 4.2.0 that affects rules with action Classify in PF firewalls. The bug causes the following problems:
  • For users who built their rules before v4.2.0:
  • rules compile normally, both in the single rule compile and when the whole firewall is compiled
  • if they opened the action of one of such rules in the action editor, the classification string would look empty
  • if they entered new classification string in the editor, compiler kept using the old one (which they can not see or change in the editor)
  • For users who tried to build rules with action Classify with v4.2.0:
  • no matter what classification string they enter in the action dialog, generated code does not use it

New in Firewall Builder 4.2.0 Build 3530 (Apr 21, 2011)

  • Import:
  • Import of Cisco ASA and PIX configurations
  • Object de-duplication during the import process
  • Automatic platform and version detection during import process
  • Ability to use fwbedit command line utility to import configurations
  • BSD Updates:
  • Support for configuring bridge interfaces and static routes on BSD systems
  • Ability to generate FreeBSD platform configurations in rc.conf style format
  • Cisco ASA/PIX/FWSM Updates:
  • Configuration generation for Cisco ASA and PIX devices running versions v8.0 - v8.4 including support for new NAT syntax in v8.4
  • Cisco ASA/PIX/FWSM rules use named objects where possible
  • Ability to define Inbound and Outbound Interfaces in NAT rules
  • iptables Updates:
  • Ability to define Inbound and Outbound Interfaces in NAT rules
  • All Platforms:
  • Address Table objects can now be edited in a text window directly in Firewall Builder

New in Firewall Builder 4.2.0 Beta Build 3524 (Apr 13, 2011)

  • Import of Cisco ASA and PIX configurations. Now you can quickly and easily add existing Cisco firewalls to your Firewall Builder data file.
  • Support for Cisco ASA v8.3 configuration generation including support for the new nat() command syntax.
  • Bridge interfaces, static routes and rc.conf style configurations for BSD PF firewalls.
  • Enhanced import wizard for all platforms including object de-duplication and automatic platform and version detection.

New in Firewall Builder 4.1.3 Build 3421 (Dec 8, 2010)

  • Usability enhancements:
  • Added checkbox to the Preferences dialog, this checkbox turns off some tooltips that can be annoying for users who are sufficiently familiar with the GUI
  • Added a tab "Policy Rule" to the "Objects" page of the global preferences dialog; checkbox in this tab allows the user to choose whether new policy rules should be created with logging turned on or off.
  • Major bug fixes:
  • Fixed installer issue for Windows users that use Putty sessions. Built-in policy installer can use putty session on Windows when it runs pscp.exe utility to copy generated script to the firewall
  • Fixed bug in the generated iptables script that caused it not to configure the broadcast address when it added ip addresses to interfaces.
  • Several bugs that affected cluster configurations were fixed, see details below.
  • GUI Updates:
  • see #1823 "Add Preference option for Advanced / Power users". Added checkbox to the Preferences dialog, this checkbox turns off some tooltips that can be annoying for users who are sufficiently familiar with the GUI
  • see #1787 "new fw name input field should have focus when new firewall wizard opens"
  • code refactoring: see #1822 "refactor all GUI classes into libgui library and link executable with it"
  • code refactoring: see #1826 "Place all unit tests in one directory". All GUI and other unit tests moved to the directory src/unit_tests
  • see #1809 "Add Firewall Setting in Logging settings for default log setting on new rules". Added a tab "Policy Rule" to the "Objects" page of the global preferences dialog; checkbox in this tab allows the user to choose whether new policy rules should be created with logging turned on or off.
  • See #1832, SF bug 3097419 "installer uses bare IP address instead of putty session name". It appears pscp.exe on Windows can use putty session name in place of the host name. This change restores old behavior where session name was used like that but does it for both plink.exe and pscp.exe. This only affects users who run fwbuilder GUI on Windows
  • fixed #1837 "generated script gets .fw suffix even when user set output file name". Suffix .fw should not be appended to the name entered by the user in the "output file name" input field in the firewall settings dialog.
  • Fixed SF bug #3106168 "Branch destinations lost when adding to cluster". Since the order in which I copy rule sets is undefined and because they may have references to each other via branching rules, I need to fix references after I create all of them.
  • Fixes #1858 'Remove "Summary of features" page from the package' and #1857 'Remove "Getting Started" guide from the package'. We have decided to keep documentation and other content like this on the web site. Button "Watch Getting Started Tutorial" in the Tip of the Day dialog opens the tutorial hosted on the web site in a web browser.
  • API library libfwbuilder:
  • added module uint128 (128-bit arithmetic by Evan Teran). Implemented basic operations with IPv6 addresses using this module. See #1834. Now all policy compilers can correctly compare IPv6 addresses used in rules with IPv6 addresses of interfaces. This helps perform various optimizations and fixes issues with the algorithm used to pick the right interface for the Cisco IOS ACL compiled from a policy rule with an empty "interface" rule element and direction "both".
  • Library of standard objects:
  • added ICMPv6 object "parameter problem" (type 4, any code) per SF feature request 3094743. Also added service group object "ipv6 unreachable messages" that includes ICMPv6 messages "destination unreachable", "packet too big", "parameter problem" and "time exceeded" per SF feature request 3094758
  • Support for iptables:
  • fix for the SF bug #3095615 "reopen no PREROUTING rule with *-Interface - ID: 3077132". Configlet used wrong shell variable to access ip address of a wildcard interface.
  • fixed #1820 "skip module "nf_conntrack_ipv6" if generated script has no ipv6 rules" Shell function load_modules should not try to load module nf_conntrack_ipv6 if generated script does not load any ipv6 rules. Loading this module fails if ipv6 has been disabled in the kernel.
  • fixed SF bug 3091069: "Routing configuration failed". Iptables script generated by fwbuilder did not configure the broadcast address when it added ip addresses to interfaces. Using "ip addr add ADDR/NM broadcast + dev INTF" syntax to do this.
  • implemented SF feature request 3094738 "Set the HL to 255 for IPv6 Neighbor Discovery". Neighbor discovery packets must have a hop limit of 255 per RFC 2461. Automatically generated rules that match neighbor discovery packets will match hop limit 255.
  • fixed SF bug 3094273 "no state needed for ipv6-icmp in ip6tables". Rules that match ICMPv6 objects should be stateless. Compiler will check for this and reset "stateful" flag of a rule and issue warning if the rule was built stateful in the GUI. This could be version-dependent, we may need to revisit this in the future when netfilter fixes the underlying issue. Some resources: https://bugzilla.redhat.com/show_bug.cgi?id=243739 https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/479105
  • fixed SF bug 3090249 "fwb_ipt ignores -d option ". Documented behavior is for the compiler to create files in the directory specified by the argument of the "-d" command line flag. If flag "-d" is not provided, files should be created in the current directory.
  • fixed #1824 "should not try to verify wildcard interfaces".
  • fixed #1838 "function configure_interfaces() does not manage ip addresses of vlan interfaces". This function used to take into account only interfaces that were direct children objects of the firewall. Since vlan interfaces are children of the corresponding physical interface, they were not included.
  • fixed SF bug 3103582 "Cant create redirect rule in cluster firewall object". Iptables nat rule with target REDIRECT could not be built in a cluster configuration. It should be possible to do this by putting cluster object in Translated Destination.
  • fixed #1856 "Permit '-' in Linux interface names". OpenWRT uses name "ppp-dsl" for PPPoE interfaces. In addition to that, Linux bridge interfaces may have names with a "-" such as "br-lan". We will now permit a "-" in Linux interface names.
  • Support for PF:
  • fixed #1807 "wrong order of address assignment in the generated OpenBSD/PF/CARP cluster configuration". Need to assign ip addresses to regular interfaces before trying to assign them to carp interfaces.
  • Support for ipfw:
  • fixed #1836 "installer hangs and fails after activation of ipfw policy". As soon as the .fw script swapped ipfw sets using command "ipfw set swap" and deleted temporary set 1, the ssh session would hang and eventually break. We optionally add ipfw rules to permit the ssh session used to manage the firewall, as well as a rule to permit reply packets, but the latter rule was not built correctly. It should match source and destination reversed, as well as match keyword "established" and recreate state with "keep-state". This rule automatically recreates state for the established ssh session over which the firewall policy is being managed. Also added a comment to the firewall settings dialog for ipfw to remind the user that the address or subnet they use with this automatic rule should be as narrow as possible.
  • Support for Cisco IOS ACL:
  • see #1834 Fixed matching algorithm that determines which interface a rule should be associated with for Cisco IOS ACLs. Previously the compiler did not compare subnets properly and because of that it interpreted some configurations incorrectly. For example, with a network object 10.0.0.0/8 in "source" and an interface with address 10.0.0.1/24 (the network should not be considered matching, since it is not contained in the interface subnet) the compiler considered this interface matching and assigned the rule to the interface only with direction "inbound".
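The two #1834 items above (the uint128 module and the Cisco IOS ACL interface matching fix) come down to one check: a rule network only matches an interface when it is contained in the interface subnet, not when it merely overlaps it, and that comparison has to work for 128-bit IPv6 addresses as well as IPv4. The following is an added example written for this changelog, not fwbuilder's own code; it uses Python's ipaddress module (which does the 128-bit arithmetic natively) in place of uint128, and the "no match means leave the rule on every interface" fallback in bind_rule is a simplifying assumption, not the compiler's exact behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    address: str  # address with prefix length, e.g. "10.0.0.1/24" or "2001:db8::1/64"

    @property
    def subnet(self):
        # ip_interface keeps the host part; .network is the subnet the interface sits on
        return ipaddress.ip_interface(self.address).network


def rule_network_matches_interface(rule_net: str, iface: Interface) -> bool:
    """True only if every address of rule_net lies inside the interface subnet.

    Overlap is not enough: 10.0.0.0/8 overlaps 10.0.0.0/24 but is not contained in it,
    so a rule for 10.0.0.0/8 must not be pinned to an interface with 10.0.0.1/24.
    """
    net = ipaddress.ip_network(rule_net, strict=False)
    subnet = iface.subnet
    if net.version != subnet.version:
        return False  # an IPv4 rule never matches an IPv6 interface and vice versa
    return net.subnet_of(subnet)


def bind_rule(src: str, dst: str, direction: str,
              interfaces: List[Interface]) -> List[Tuple[str, str]]:
    """Decide which (interface, direction) pairs a rule with an empty "interface" element goes to.

    A source inside an interface subnet binds the rule inbound on that interface; a
    destination inside an interface subnet binds it outbound. If nothing matches, the
    rule is left on every interface with the requested direction (assumed fallback).
    """
    bindings = []
    for iface in interfaces:
        if direction in ("both", "inbound") and rule_network_matches_interface(src, iface):
            bindings.append((iface.name, "inbound"))
        if direction in ("both", "outbound") and rule_network_matches_interface(dst, iface):
            bindings.append((iface.name, "outbound"))
    if not bindings:
        bindings = [(iface.name, direction) for iface in interfaces]
    return bindings


if __name__ == "__main__":
    ifaces = [Interface("eth0", "10.0.0.1/24"), Interface("eth1", "2001:db8:1::1/64")]
    print(rule_network_matches_interface("10.0.0.0/8", ifaces[0]))      # the #1834 case
    print(bind_rule("10.0.0.0/24", "2001:db8:1::/64", "both", ifaces))
```

Note that subnet_of raises TypeError on mixed address families, which is why the version check comes first; a compiler that skips it crashes on any data file mixing IPv4 and IPv6 objects in one rule.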

New in Firewall Builder 4.1.2 Build 3346 (Oct 9, 2010)

  • The usability enhancements are designed to make it easier for new users to learn how to use Firewall Builder:
  • Enable tool tips by default and add additional tool tips
  • Simplify interface configuration in new object wizards for New Firewall and New Host
  • Automatically open firewall Policy object when new firewall objects are created
  • Additional navigational aids and help strings
  • The major bug fixes in this release include:
  • Fixed installer issue for Windows users that use Putty sessions
  • Fix issue (SF bug 3077132) where wildcard interfaces were not matched in PREROUTING rule
  • Fixed issue (SF 3049665) where Firewall Builder did not generate proper data file name extensions
  • GUI Updates:
  • fixed #1703 "importing iptables line with module pkttype causes parser error". We do not have any object with the behavior closely resembling that of iptables module "pkttype" so the importer creates CustomService object with the code taken from the original iptables rule. SF bug 3065435
  • fixed SF bug 3049665 "Firewall Settings -> Output file name misses .fw extension"
  • fixed how we append suffix ".fw" to the name of generated script when it is preconfigured in the firewall settings dialog and already includes ".fw" suffix (it was added twice).
  • Fixed #1699 installation session status was reset from "failure" to "success" in a configuration where fwbuilder gui was running on Windows and talked to Cisco router using pscp.exe and plink.exe and ssh session failed because of authentication failure. This happened because plink.exe terminated with return status "success" even in case of authentication failure.
  • fixed #1724. There was a problem with pscp.exe and putty sessions. Plink.exe accepts a session name in place of the host name on the command line, but pscp.exe does not. We ask the user to enter the session name in the "alternative name or address to use to communicate with the firewall" input field in the "Installer" tab of the firewall settings dialog and then use it in place of the host name in the command line for pscp.exe and plink.exe. This works with plink.exe but breaks pscp.exe, which interprets it as a host name and fails with an error 'ssh_init: Host does not exist'. The fix checks if what the user entered in the "alternative host or address" field is a session name and uses a different command line with pscp.exe
  • fixed #1715 "automatically expand new firewall and new host objects in the tree once they are created"
  • fixed #1732 "Double clicking on object with child objects should auto expand them". Double clicking on objects and folders in the tree expands and collapses them, as well as opens object in the editor.
  • fixed #1729 "double clicking a folder in the tree should expand it rather than open it in the editor".
  • fixed #1738 "Enable tooltips by default"
  • refs #1731 Change double-clicking on "Any" object behavior. Tooltip shown for the object "any" in rules says "to modify the rule drag and drop an object from the tree here" instead of attributes of the object "any". Double click on "any" in a rule does not try to open object "any" in the tree and editor panel.
  • fixed #1739 "remove 'tooltip delay' input from preferences dialog". Qt4 does not allow for changing tooltip delay.
  • fixed #1728 "Update Library drop down menu". Library drop down list shows an item "Object libraries:" at the top that can not be selected and that always stays on top as libraries are added, removed and renamed. The list always stays sorted in ascending order. Library names are indented by 2 spaces to make them visually distinguishable from the prompt item at the top. Implementation uses class ListOfLibrariesModel that inherits QStringListModel.
  • fixed #1740 "Deleted library remains in the drop-down list". If option "Show deleted objects" was turned off in the Preferences dialog and user deleted a library, it remained in the drop-down list of libraries and its object tree was still displayed in the object tree panel.
  • fixed #1741 "there is no way to undelete a library object".
  • fixed #1730 "Add background help text and images to empty policy window". Showing tooltip in the empty space in the rule set view, this tooltip provides hints on how to edit rules which should be useful for the beginners.
  • fixed #1743 "change default for the option 'Show text descriptions for direction and action'". The option should be on by default.
  • fixed #1744 "Add tooltip to the rule number". The column in the RuleSetView where the rule number is shown now has a tooltip to remind the user that they can click the right mouse button to open the context menu and use keyboard shortcut "x" to compile the rule
  • Added text to the tooltips shown for the "Direction" and "Action" rule elements to remind user that to change these rule parameters they need to click right mouse button to open list of possible settings
  • system folders in the tree now have tooltips that explain what kind of objects belong there.
  • refs #1737 Added "Quick Start Guide" tutorial that demonstrates basic features and key concepts of Firewall Builder. The tutorial is accessible via Help / Tutorials menu and is shown to the first-time user on the GUI startup instead of the "tip of the day" dialog.
  • refs #1748 "Add dialog about Standard Library when user creates first Service object". First time users will see an informational dialog reminding them about the Standard objects library when they create their first service object.
  • fixed #1745 "Remove path data from text above rules window that shows firewall name".
  • fixed #1746 "Force user to change interface name in New Firewall wizard". When user creates interfaces for the new firewall or host using manual method and clicks on the "+" button to add a tab for the new interface in the wizard page, the interface tab is created with blank name. Wizard later checks the name when user clicks Finish to create new firewall or host object and does not let them do this while interface name is still blank. Error dialog reminds that the name of the interface must match the name of the interface on the machine.
  • fixed #1733 "Add button for video tutorial link". Shortcut button "Watch Getting Started Tutorial" opens page with video tutorials in the standard browser.
  • added "placeholder" text to the interface name and label input fields. This text is displayed in greyed-out small font inside the input field but is cleared as soon as the user starts their input. The text gives the user a prompt as to what is expected in each input field, and the actual list of example interface names depends on the host OS chosen in the first page of the wizard. The "placeholder" text support is available only in Qt 4.7 and later, so the code is conditional on the version of Qt.
  • fixed #1718 "Inspect generated files" dialog says "Multiple firewalls" even when there is only one
  • fixed #1751 "Don't allow interface names to be blank". The GUI should not allow the name of any object to be blank.
  • fixed #1759 "Use default template library" button seems to do nothing. This button should only be enabled if user switched to their own library of template objects. The button should be disabled if they switched back to the standard template library or never switched to their own one.
  • fixed #1757 Allow searching by attributes even after an object is dropped into the drop area in search panel.
  • fixed #1760 'Search by attribute "name" should search by name or label'. The first item in the list of attribute types available for search now reads "Name or label". Searching using this option matches the name or the label of object instead of just the name. Label is only defined for Interface objects.
  • fixed #1755 "hitting enter after editing search attribute in the Find panel should trigger search"
  • fixed #1753 "Set interface name hint based on firewall platform and host OS". The placeholder text in the interface name and label input fields in the new firewall wizard will depend on the host OS chosen in the first page of the wizard.
  • fixed #1761 "blank interface name is possible in new host wizard"
  • fixed #1763 Implemented basic facility for A/B testing within the GUI
  • fixed #1765, #1779 Move quick start guide to the web site. The "Quick Start Guide" is now part of the web site and the GUI only shows a dialog-invitation to watch it.
  • fixed #1776 once new firewall is created, automatically open its Policy
  • fixed #1767 improved UI in the new firewall and new host dialogs where user chooses file for the custom template library or uses standard template library.
  • fixed #1791 "Add preference flag to enable / disable the Custom templates button on the New Firewall Wizard". Use of the custom template library to create new firewall object is now optional, controlled by a checkbox in the "Object" tab of the global preferences dialog. New users will have this option turned off by default, however existing users will see it enabled for backwards compatibility.
  • fixed #1777 "scroll new fw object to the top of the tree view panel once its created". This has side effect in that some other operations that open an object in the tree will also scroll the tree to position this object at the top.
  • fixed #1778 "main menu Rules should have the same items that context RuleSetView menu when no rules are selected"
  • fixed SF bug 3039681 "context-menu items inconsistent for Single/Multiple rules". When several rules are selected in rule set, some context menu items should turn to plural.
  • Changes in support for iptables:
  • fixed SF bug #3071667 "Compilation segfault with DNS address in NAT rule". Added rule processors to replace Run-time DNSName and Address Table objects in TSrc and TDst.
  • fixed #1705 "iptables (v >= 1.4.4) --set option deprecated ..." (SF bug 3059893) Option '--set' has been deprecated and renamed '--match-set' in iptables 1.4.4
  • fixed SF bug 3057503 "DNAT rule with dynamic IP has a white space, causing error".
  • fixed SF bug 3060325 "Address table object and prolog script conflict". Generated script should run prolog before checking and loading run-time address tables.
  • fixed #1707 "call function "prolog_commands" from the main iptables script part instead of function "script_body" when prolog should be executed after iptables reset"
  • fixed #1714 "make checking for MODPROBE conditional". There is no need to check if modprobe utility exists on the firewall machine if it is not used by the script.
  • fixed SF bug 3077132 "no PREROUTING rule with *-Interface". Rules matching addresses of a wildcard interface (e.g. "ppp*") were not properly generated.
  • Support for PF:
  • fixed SF bug 3061034 "ifconfig definition missing". Script generated for the ipfw firewall on Mac OS X missed definition of variable IFCONFIG.
  • Support for ipfilter:
  • fixed #1702 "Wrong path in the activation script for ipfilter". Activation command embedded in the generated .fw script used local path to the generated .conf file on the machine where fwbuilder compiler was running.
  • Changes in support for Cisco ASA (PIX):
  • fixed #1783 "PIX routing entries require interface, but PIX config will compile without interface in Routing rule". Policy compiler for PIX now checks that both "interface" and "gateway" rule elements are not empty.
  • Collection of template firewall objects now includes an object for PIX 50X (501 and 506)
  • using command "terminal width 256" to turn off ANSI commands in the PIX command echo.

New in Firewall Builder 4.1.1 Build 3243 (Aug 21, 2010)

  • GUI Updates:
  • Built-in policy installer now works with HP Procurve switches. Currently the installer can only execute generated configuration lines one-by-one on the switch; the installation method using scp that is available for Cisco routers is not supported yet. This has been tested with Procurve firmware K14.31 on ProCurve J9470A Switch 3500-24. Caveat: manager access should not be configured with a user name (that is, no "password manager user-name foo")
  • fixed #1683 When user creates new firewall using snmp scan, fwbuilder will now guess and assign the type to interfaces that look like vlans for the given platform and host OS.
  • fixed #1683 class procurveInterfaces interprets interface "DEFAULT_VLAN" as vlan interface with vlan id 1.
  • Changes in support for iptables:
  • fixed #1693 SF bug 3048516 "NAT rule with 'Use SNAT instead MASQ' doesn't work". NAT rule using combination of the option "Use SNAT instead of MASQ", dynamic address of an interface and source port translation produced iptables command with incorrect syntax.
  • see #1685 "iptables redirecting NAT rules in the OUTPUT chain". This fix makes it possible to create iptables NAT rule with target REDIRECT in the OUTPUT chain. The rule should have firewall object in OSrc and TDst rule elements.
  • fixed #1685 "iptables redirecting NAT rules in the OUTPUT chain". NAT rules should be allowed to translate from CustomService to TCP or UDP service, provided CustomService object is configured with matching protocol.
  • fixed #1686 "can not generate basic NAT branching rule". NAT branching rules were not generated in single rule compile mode because compiler needs information about targets used in the branch rule set rules to decide which chain the branching rule should be placed in. Now it will use PREROUTING and POSTROUTING in single compile mode but issue a warning.
  • Changes in support for Cisco IOS ACL:
  • fixed #1690 "IOS ACL and Procurve ACL compilers fail because interfaces are not assumed to have network zone any anymore". Compilers for Cisco IOS ACL and Procurve ACL always assumed all interfaces have network zone "any". Recent changes made in 4.1.0 changed that and compilers stopped working for some rule configurations. This bug caused compiler to fail with error message "Can not find interface with network zone that includes address A.B.C.D"
  • Support for HP ProCurve:
  • fixed #1688 "Procurve ACL remarks should be in quotes if they include space"
  • fixed #1687 "temporary access list commands syntax is incorrect". Temporary ACL generated for the Procurve platform was incorrect.
  • Built-in installer has been tested and now works with ProCurve switches.

New in Firewall Builder 4.1.0 Build 3226 (Aug 18, 2010)

  • Support for Address Table objects that use the iptables ipset module
  • Integrated SSH tools (plink.exe and pscp.exe) in Windows installer package
  • New toolbar shortcut to view complete generated firewall configuration files in the GUI
  • Shortcut buttons in the main window to help new users get started more easily
  • Updated many dialog window sizes to work better for users with smaller displays (1024x768)
  • Added a new mode for stopping the firewall script called 'block'

New in Firewall Builder 4.0.1 Build 2950 (Jun 3, 2010)

  • Changes in the GUI:
  • fixed #1443 GUI crashes compiling file opened read-only. If a file that was added to RCS was opened read-only and then any firewall object in it compiled, the GUI crashed trying to update "last_compiled" timestamp.
  • fixed #1444 compile error on FreeBSD-Current Compiler issues error "/usr/include/utmp.h:2:2: error: #error has been replaced by "
  • fixes #1447: context menu item "Edit" associated with rule set object in the tree opens it in the rule set view and the editor panel. Menu item "Open" only opens it in the rule set view. This eliminates strange behavior where it would open in the rule set view on first click on "Edit" and then in the editor in the second click on "Edit". Double click used to work the same, the first double click opened in rule set view, the second in the editor. Now double click always opens in rule set view and the editor which is more consistent with the behavior for other object types.
  • fixed #1339 "Logging" icon appears looking the same as "Rule options" icon on Mac
  • fixed #1460 "when "show icons in rules" is turned off, there is no way to tell when logging is turned on and non-default options are present in a rule".
  • fixed #1464, SourceForge bug 3004274: "Branch rule set object displays improperly". Branch rule set attribute was not loaded properly into Branch action dialog for rules of PF firewalls.
  • fixed #1462 "if you do a bulk install, and then want to do a single install, bulk mode is selected"
  • fixed #1461 Need obvious button to add new rule to the empty rule set. Added button with a "+" icon right above the rule set view, this button adds new rule to the set.
  • fixes #1457 "tooltips for rule options seem to be broken". Tooltip always includes the line telling whether the rule is "stateful" or "stateless", so the function almost never returns an empty string now. Added missing hashlimit parameters to the rule options tooltip. Some of the more rarely used hashlimit parameters are still not included in the tooltip. Improved tooltip formatting using an html table.
  • fixed #1463 Always show branch rule set name with action "Branch"
  • fixed #1469 some actions should always display argument, even when text labels for actions and directions is off
  • applied patch by Vadim Jukov, maintainer of the OpenBSD port. Patch fixes compile issues on OpenBSD
  • fixed #1468 Open new object in the editor after it has been created.
  • see #1466 Implemented instrumentation that should help us improve user experience. It tracks a few things that new users do (or don't do) and reports them as a combination of boolean flags at the end of the GUI session: whether the user ever looked at the "Getting Started" tutorial, created their first firewall object, modified any rules, or tried to compile, install or import an existing rule set. Information passed in the report is strictly a set of boolean flags; it is not identifiable and does not reveal what firewall platform they are using or anything about their objects and rules. The list of flags is in the module UserWorkflow.h
  • fixed #1478 always use included antlr run-time library. Because of the fixes I've made in CircularQueue.hpp in 2008 for 64 bit systems, we should always link with the antlr run-time that is included with the fwbuilder code tree rather than attempt to use the one that might be installed with the OS.
  • fixed #1481 when user changes platform in the firewall object, its version should change too.
  • added mechanism for one-time announcements that can be pulled from the web site when version check server says there is one. Announcement is shown only once. To do this, I store time stamp when it was shown in settings using hash of the announcement url.
  • refs #1483 If program detects change in CustomService object and the change just adds code string for a platform that was not in the object in the user's data file, the change is accepted without showing the dialog.
  • fixes #1484 "paste below" function pastes rules out of order
  • Changes in the policy importer:
  • See #1450 and SourceForge ticket 3000809: iptables parser can now import "mark" module matches with hexadecimal parameters and "length" module matches. Also added check in the importer for broken iptables-save files where rules for any table are not terminated with "COMMIT".
  • fixes #1453 "iptables importer should parse multiport module parameter --ports". Module multiport with parameter "--ports" matches either source or destination port numbers. Importer creates two tcp (or udp) service objects to implement this match.
  • see #1451 "policy importer should support some popular iptables modules". Added support for module "recent" and rules that match standard ip/icmp/udp/tcp protocols and at the same time module "mark", "length", "limit" or "recent". Rules like these are translated into a combination of a branching rule and additional rule in a branch rule set that implements module match.
  • Changes in the Standard Objects library:
  • fixed #1483 "missing code in the custom service object ESTABLISHED for ProCurve"
  • Changes in libfwbuilder library:
  • fixed #1485 "dns name object is recognized as an empty group when it appears in shared rule set"
  • Support for HP ProCurve:
  • Added experimental support for HP ProCurve "intelligent" switches (L3). Code is based on the policy compiler for Cisco IOS extended access lists. Differences include ';' character for comments, different naming convention for Vlan interfaces ("VLAN 2", with a space), requirement to unbind an ACL from interface before it can be cleared, different syntax for vlan ACLs and ACLs bound to switch ports.
  • At the time of the release of v4.0.1, we were able to test code generation for ProCurve ACL but policy installer remains untested for the lack of hardware. We are going to work on the installer over the next few months to make sure it works in the next point version release of fwbuilder.
  • Changes in support for iptables:
  • fixed #1455 Function update_addresses() (host OS linux24 and derivatives) uses both ip and ifconfig. Should stick with /sbin/ip so the script works on systems where ifconfig is not installed.
  • fixed #1458 Should permit interface name "br-lan" for bridge interface on Linux. Bridge interfaces on Linux can have any name, including those with "-". OpenWRT creates bridge interface with the name "br-lan" by default.
  • Changes in support for DD-WRT:
  • fixes #1448 "need to commit nvram changes on DD-WRT".
  • Changes in support for Cisco IOS ACL:
  • Compiler uses new configlet "safety_net" to add temporary ACL for the "safety net" install method.
  • restored function of the "comment the code" in the "Script options" of the firewall settings dialog for Cisco IOS ACL and ProCurve ACL. When this checkbox is off, comments are not added to generated script.
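The importer items in this release (#1450, #1453, #1451 and the COMMIT check) describe a parser for iptables-save output. The block below is an added example, not fwbuilder's importer: it rejects a table block that is not terminated with COMMIT, turns "multiport --ports" into a source and a destination service entry, reads "mark" values in hexadecimal, reads "length" ranges, and keeps any other module match as raw custom-service text. It assumes every "-m MODULE" carries exactly one option with one argument (so multi-option modules such as "recent" are out of scope), it does not build the branching rule sets the changelog mentions, and the sample dump is constructed for the example.

```python
import shlex
from typing import Dict, List


class ImportFormatError(Exception):
    """Raised for iptables-save input the importer cannot trust, e.g. a table without COMMIT."""


def parse_rule(tokens: List[str]) -> dict:
    """Turn one '-A CHAIN ...' line into a rule record (simplified model, see lead-in)."""
    rule = {"chain": None, "src": None, "dst": None, "services": [],
            "modules": {}, "custom": None, "target": None}
    proto = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-A", "-p", "-j", "-s", "-d", "--sport", "--dport"):
            arg = tokens[i + 1]
            i += 2
            if tok == "-A":
                rule["chain"] = arg
            elif tok == "-p":
                proto = arg
            elif tok == "-j":
                rule["target"] = arg
            elif tok in ("-s", "-d"):
                rule["src" if tok == "-s" else "dst"] = arg
            else:  # plain --sport / --dport after -p tcp|udp
                rule["services"].append((proto, "src" if tok == "--sport" else "dst", arg))
        elif tok == "-m":
            module, opt, arg = tokens[i + 1], tokens[i + 2], tokens[i + 3]
            i += 4
            if module == "multiport":
                if opt == "--ports":
                    # --ports matches source OR destination: two service objects, not one
                    rule["services"] += [(proto, "src", arg), (proto, "dst", arg)]
                else:  # --sports / --dports
                    rule["services"].append((proto, "src" if opt == "--sports" else "dst", arg))
            elif module == "mark":
                value, _, mask = arg.partition("/")
                rule["modules"]["mark"] = (int(value, 0), int(mask, 0) if mask else 0xFFFFFFFF)
            elif module == "length":
                lo, sep, hi = arg.partition(":")
                low = int(lo) if lo else 0
                rule["modules"]["length"] = (low, int(hi) if hi else (65535 if sep else low))
            else:
                # no native object models this match (the pkttype case): keep it as custom code
                rule["custom"] = f"-m {module} {opt} {arg}"
        else:
            raise ImportFormatError(f"unsupported token {tok!r}")
    return rule


def parse_iptables_save(text: str) -> Dict[str, List[dict]]:
    """Parse iptables-save output; every '*table' block must be terminated with COMMIT."""
    tables: Dict[str, List[dict]] = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(":"):
            continue  # comments and ':CHAIN POLICY [pkts:bytes]' lines
        if line.startswith("*"):
            if table is not None:
                raise ImportFormatError(f"table {table!r} not terminated with COMMIT")
            table = line[1:]
            tables[table] = []
        elif line == "COMMIT":
            if table is None:
                raise ImportFormatError("COMMIT outside a table block")
            table = None
        elif line.startswith("-A"):
            if table is None:
                raise ImportFormatError("rule outside a table block")
            tables[table].append(parse_rule(shlex.split(line)))
        else:
            raise ImportFormatError(f"unrecognised line {line!r}")
    if table is not None:
        raise ImportFormatError(f"table {table!r} not terminated with COMMIT")
    return tables


# Constructed sample dump for the example; not taken from a real firewall.
SAMPLE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --ports 80,443 -j ACCEPT
-A INPUT -m mark --mark 0x1 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -p udp -m length --length 0:100 -j DROP
-A INPUT -m pkttype --pkt-type broadcast -j DROP
COMMIT
"""

if __name__ == "__main__":
    for table, rules in parse_iptables_save(SAMPLE).items():
        for rule in rules:
            print(table, rule)
```

The COMMIT check matters for more than tidiness: a dump cut off mid-table is exactly what a half-written or tampered iptables-save file looks like, and importing it silently would produce an incomplete policy that still compiles.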

New in Firewall Builder 4.0.0 Build 2877 (May 5, 2010)

  • Changes in the GUI
  • Changes in the Standard Objects library
  • Common changes in all policy compilers
  • Support for High Availability configurations
  • Cluster configuration for PIX
  • Changes in the support for bridging firewalls
  • Changes in support for iptables
  • Support for IPCOP
  • Support for OpenWRT
  • Support for DD-WRT
  • Changes in support for PF
  • Changes in support for Cisco IOS ACL
  • Changes in support for Cisco ASA (PIX)
  • Changes in the command line tool fwbedit

New in Firewall Builder 3.0.7 Build 1477 (Sep 19, 2009)

  • Fixed security issue with temporary file handling in the generated iptables script. The problem only affects Linux systems where Firewall Builder is used to generate static routing configuration. The problem exists in Firewall Builder versions 3.0.4, 3.0.5, 3.0.6
  • Improved performance of the batch compile operation.

New in Firewall Builder 3.0.6 Build 1309 (Aug 18, 2009)

  • Most notable new features in this release:
  • Bug fixes in the GUI to improve stability and fix problems with policy printing
  • Additional optimizations in generated iptables script
  • Improvements in the policy compiler for PF to streamline generated configuration
  • Improvements and bug fixes in the GUI:
  • bug #2807724: "Print out FWB still not ok". Rule groups were always printed expanded, even if they were collapsed by the user in the GUI.
  • bug #2823668: "MDI window glitch". If the GUI had two or more MDI windows and user moved rules in one of them, the GUI switched to another after the operation was complete.
  • bug #2835193: "Modulate state doesnt work for PF". The name of the XML attribute used to hold the value of the "modulate state" option was entered incorrectly in the dialog.
  • Improvements and bug fixes in the policy compiler for iptables:
  • bug #2820840: "IPT: prolog script+iptables-restore silent incompatibility". With this fix the GUI does not allow for the prolog script to be placed after policy reset if iptables-restore is used to activate iptables rules. Also policy compiler for iptables checks for this condition and aborts with an error message if prolog place is set to "after reset" but iptables-restore is used to activate policy. Configuration may end up with this combination of options if user set prolog place to "after reset" first and switched activation method to iptables-restore later.
  • bug #2821050: "loading new fw rules on iptables 1.4.3.2+ gives warnings". Starting with v1.4.3.1 iptables gives warnings when negation ("!") is used after --option. This fix adds version "1.4.3" to the list of recognized iptables versions in fwbuilder and makes the compiler generate the extrapositioned version of the option, such as "! --option arg".
  • bug #2819901: "sub-optimal expansion of negated interface". Policy rules with single interface object in "interface" rule element with negation should generate iptables commands using "-i ! itf" or "-o ! itf" rather than multiply the rule using all other interfaces of the firewall. Note that for iptables v1.4.3 and later, extrapositioned syntax is used, such as "! -i itf".
  • bug #2822098: "IPT: adds useless "-i +" iin some cases". Added optimization to remove redundant "-i +" and "-o +" if chain is INPUT or OUTPUT.
  • bug #2823951: "unnecessary rules in FORWARD chain". Policy rules that have interface object in "Interface" column and direction "Both" generate unnecessary iptables commands in the FORWARD chain when destination matches one of the addresses that belong to the firewall.
  • Implemented a better way to do optimization for "-i +", "-o +" for bug #2822098: check for interfaceStr equal to "*" instead of re->isAny()
  • bug #2836321: "SNAT rule that changes Trans Src and Trans Port does not work". Dual translation rules that change source address and destination port are now supported.
  • Improvements and bug fixes in the policy compiler for PF:
  • bug #2820162 "Bad sysctl name for OpenBSD pf" - the sysctl argument for IPv6 forwarding was incorrect.
  • Implemented change per bug #2828602: "PF Compiler Direction Both no Duplication Patch". PF rules with direction "both" used to be split into two rules, one with direction "inbound" and another with direction "outbound". This was an artefact of the old rule generation model where the user could choose to permit everything outbound and only generate inbound rules, or generate both inbound and outbound rules. Since we now always generate both in and out rules and PF matches both directions when neither "in" nor "out" is specified, this splitting has become redundant.
  • Applied patch per bug report #2828633: "Patch: Warning when changing rule direction in compiler". This adds warning when rule direction is changed by the compiler because object in source or destination was firewall itself.
  • remove extra white space after tcp port spec if source port match was not used in the rule.
  • bug #2835193: "Modulate state doesnt work for PF". Check variable "modulate state" in rule options and global firewall options. If the checkbox is turned on in the firewall options, then we always use "modulate state". This option can also be turned on for an individual rule using the rule options dialog.
  • Improvements and bug fixes in the policy compiler for Cisco IOS ACL:
  • bug #1778536 "IOSACL - remark command". Remarks now include rule comments; if comment consists of several lines, each line is added using separate remark statement. This works for both IOS ACL and PIX platforms.
  • Improvements and bug fixes in libfwbuilder:
  • fixed bug #2820152: "Address ranges and other such need IPv4/v6 typing". AddressRange object should be recognized and removed from the rule if it is used in ipv6 rule set. To do this, add virtual method hasInetAddress() (should return true) to indicate that this object has an address. This works since virtual method getAddressPtr() has been implemented anyway.
  • bug #2823424: "Deleting UserService object breaks data file format". When the user deleted a UserService object, it was moved to the "Deleted Objects" library, which broke the XML file because the DTD did not allow a UserService element as a child of Library.
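
The negation and wildcard handling described in the iptables entries above (bugs #2821050, #2819901 and #2822098), shown as an added Python example; this is not code from Firewall Builder, and the interface names, chain names and version strings in it are constructed samples. It picks the negation form by iptables version, drops the redundant "-i +" / "-o +" in INPUT and OUTPUT, and contrasts the single negated match with the older behaviour of multiplying the rule over every other interface.

```python
"""Added example (not Firewall Builder code): build the interface part of an
iptables command the way the changelog entries for bugs #2821050, #2819901
and #2822098 describe it.  Interface names, chains and version numbers are
constructed sample values."""

from typing import List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "1.4.3.2" into (1, 4, 3, 2) so versions compare numerically,
    not lexically ("1.4.10" must sort after "1.4.3")."""
    return tuple(int(part) for part in version.split("."))


def uses_extrapositioned_negation(iptables_version: str) -> bool:
    """iptables 1.4.3 and later warn about "-i ! eth0" and expect "! -i eth0"."""
    return parse_version(iptables_version) >= (1, 4, 3)


def interface_match(chain: str, direction: str, interface: Optional[str],
                    negated: bool, iptables_version: str) -> str:
    """Return the "-i"/"-o" fragment for one rule, or "" when it is redundant.

    direction is "in" (-i) or "out" (-o).  An interface of None, "*" or "+"
    means "any interface".
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    flag = "-i" if direction == "in" else "-o"
    if interface in (None, "*", "+"):
        if negated:
            raise ValueError("negating 'any interface' would match nothing")
        # "-i +" / "-o +" match every interface; in INPUT and OUTPUT they
        # are dropped as redundant (the bug #2822098 optimization).
        if chain in ("INPUT", "OUTPUT"):
            return ""
        return f"{flag} +"
    if not negated:
        return f"{flag} {interface}"
    if uses_extrapositioned_negation(iptables_version):
        return f"! {flag} {interface}"      # 1.4.3 and later: "! -i eth0"
    return f"{flag} ! {interface}"          # older releases: "-i ! eth0"


def build_rule(chain: str, direction: str, interface: Optional[str],
               negated: bool, iptables_version: str, target: str,
               extra: str = "") -> str:
    """Assemble a complete "iptables -A ..." line with normalised spacing."""
    parts = ["iptables", "-A", chain,
             interface_match(chain, direction, interface, negated,
                             iptables_version),
             extra, "-j", target]
    return " ".join(p for p in parts if p)


def expand_negated_interface_legacy(chain: str, direction: str,
                                    negated_interface: str,
                                    all_interfaces: List[str],
                                    target: str) -> List[str]:
    """The pre-fix behaviour from bug #2819901: instead of one negated match,
    the rule was multiplied over every other interface of the firewall."""
    return [build_rule(chain, direction, itf, False, "1.4.3", target)
            for itf in all_interfaces if itf != negated_interface]


if __name__ == "__main__":
    # Constructed sample firewall with three interfaces.
    ifaces = ["eth0", "eth1", "eth2"]
    print(build_rule("FORWARD", "in", "eth0", True, "1.4.3.2", "ACCEPT"))
    print(build_rule("FORWARD", "in", "eth0", True, "1.4.2", "ACCEPT"))
    for line in expand_negated_interface_legacy("FORWARD", "in", "eth0",
                                                ifaces, "ACCEPT"):
        print(line)
```

The version comparison is done on integer tuples on purpose: comparing "1.4.10" and "1.4.3" as strings would put the newer release first and select the wrong syntax.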

New in Firewall Builder 3.0.5 Build 1076 (Jun 17, 2009)

  • Bug fixes in the GUI improve stability.
  • Added built-in help pages for all rule actions and options.
  • When opening a file that is tracked by RCS, the dialog that shows revisions allows sorting by revision number or date and can display revisions either in the tree form or in a list form.
  • Improvements in the parser of iptables policies, it can now handle rules that match protocol and state ESTABLISHED.
  • Improvements in the support for iptables: SNAT rules that translate only ports can be generated, fixes in ipv6 support.
  • Added support for "sloppy" state tracking for PF.
  • Support for NAT rules that translate only ports for PF and other fixes.
  • Generated IOS ACL can be commented using "remark".

New in Firewall Builder 3.0.4 Build 794 (Mar 30, 2009)

  • Main menu item "File/Open recent" has been added.
  • Rule action icons have been changed to make them recognizable for red-green color blind users.
  • IPv6 addresses of firewall interfaces can now be discovered via SNMP. SNMP discovery also works on Windows.
  • Generation of static routing commands is now supported for Cisco IOS and PIX platforms.
  • CustomService object can now specify protocol and address family.
  • Rule sets can be only ipv4, only ipv6 or combined. In the latter case the program intelligently chooses which objects used in rules it should use to generate firewall configuration and produces configs for both address families from the same rule set.
  • Built-in policy installer can work over IPv6.
  • Built-in policy installer recognizes sudo password prompt. There is no need to configure password-less sudo rights for the firewall management account anymore.
  • We now generate universal Mac OS X packages.

New in Firewall Builder 3.0.3 Build 688 (Dec 9, 2008)

  • Improvements and bug fixes in the GUI in the built-in policy importer:
  • fixed bug #2334007: "Problem parsing Cisco config". Parser now recognizes IOS configuration lines "certificate", "ip community-list", "controller ... description". These lines are recognized and ignored, they should not stop parser from processing the rest of the configuration.
  • Changes in grammar for iptables: removed ambiguities in the parser; added lexer rules for elements of an ipv6 address. Rules for IPv6 address parsing do not work yet and are commented out as work in progress. No new functionality in the parser for iptables, only clean-up and preparations for ipv6.
  • Improvements and bug fixes in the GUI:
  • fixed bug (no #): GUI crashed if user closed internal window so no object files were left open, then closed application using "close" button in the main window title bar.
  • fixed bug (no #): need to check if object in the object editor panel has been modified and needs to be saved when user closes internal window using "close" button in its title bar.
  • changes to speed up GUI when user copies many objects between different data files (do not reload and redraw object tree widget until last object is copied). Refactoring of the pasteObj to keep the same object ID mapping table for the duration of the bulk paste operation, this helps deduplicate objects. Also using the same ".copy_of_NNNN" object attribute to deduplicate objects.
  • fixed bug #2405909: "Umlauts in RCS log". RCS log is stored in RCS file in Utf8, need to convert it back from Utf8 on read. Technical note: rcs tools on windows do not seem to process properly rcs comments converted with toLocal8Bit, comment text comes out as '????' when inspected with rlog.exe from the command line. Comment text stored in Utf8, on the other hand, appears intact even though it can not be read in the output of rlog.exe.
  • fixed bug #2407141 "label markers". Color label text set in Preferences was not used in the context menus where the user can actually apply those colors to rules.
  • Improvements and bug fixes in the policy compiler for iptables:
  • fixed bug #2378672: "fwb 3.0.2 build 676 iptables script is not executable". Generated .fw file should have executable permissions.
  • Improvements and bug fixes in libfwbuilder:
  • Implemented additional check for object duplicates while copying objects. The problem happened when several objects were copied in a batch operation (e.g. when the user selected several objects in the GUI and then used copy/paste to copy them all). If some of these objects were groups that referred to other objects from the same batch, the program would copy the object and then create another copy of it when it copied the group using it. To avoid such multiplication it now creates a special hidden attribute in the object when it makes a copy to keep track of the original object. When the same original object needs to be copied again, the program can find its copy in the target data tree using this attribute. This creates another problem because the attribute used to track the original object is persistent for the duration of the program run. The scenario that leads to this is as follows: the user copies object A, modifies it and then copies group B using the original of A. The end result is that the program does not recognize that the copy of A has changed and makes the copy of group B use it anyway. This means the new group points at the modified object A. This can not be easily fixed because we do not have a "last_modified" attribute in each object.
  • fixed bug #2375327: "Crash copying multiple groups between different data files". Using better algorithm to copy objects between different data files.
  • Should use bits==128 because inet_net_ntop_ipv6 on FreeBSD applies mask constructed from the bits argument to the result, so with bits==0 it always returned "::/0"

New in Firewall Builder 3.0.2 Build 671 (Nov 25, 2008)

  • Internationalization:
  • Added Japanese translation by Tadashi Jokagi ( elf2000 )
  • Added Russian translation. Not 100% but usable.
  • Improvements and bug fixes in the GUI in the built-in policy installer:
  • Redesign of the built-in installer. Code refactoring to make it more manageable.
  • Built-in installer now uses scp (pscp.exe on Windows) to copy files to the firewall. This helps improve performance of the installer. This fixes bug #2135827: "Store a copy of fwb file..." very slow
  • fixed crash in built-in installer that happened when existing PIX configuration was saved before loading new one.
  • A fix in the built-in installer to make sure it finds all generated files when user specifies alternative name (possibly full path) for the generated script.
  • fixed bug #2194829: "the gui can not locate data file in non-ascii directory". This seems to have happened only on Windows and Mac; if data file was located in the directory with the name with non-ascii characters, the gui generated incorrect command line for the compiler when user tried to compile the data file more than once.
  • fixed a bug introduced some time earlier and reported in the bug report #2135827: policy installer would only copy .fwb file to the firewall when "Store data file on the firewall" was activated and skipped actual generated policy file(s) (.fw). This only happened on Windows.
  • Check to make sure paths to the ssh and scp utilities are properly configured in Preferences before running install. Show an appropriate error dialog to the user if the path to ssh or scp is not configured.
  • installer for Cisco routers and PIX could not find the generated file because variable conffile is now always a full absolute path. This bug was introduced earlier during the installer rewrite for v3.0.2. Tested installer for router and PIX using the default generated file name, as well as a custom generated file name, defined both as an absolute and as a relative path. Tested batch install of a combination of a router and a PIX in one batch (the same user account, the same enable password on both).
  • Improvements and bug fixes in the GUI in the built-in policy importer:
  • fixed bug (no #): policy importer for iptables used to create separate Policy objects for chains INPUT, FORWARD, OUTPUT.
  • policy importer for iptables correctly imports user-defined chain, configures rule with action "Chain" and establishes association between it and ruleset created for the user-defined chain. Multiple rules with this action can point at the same ruleset.
  • policy importer for iptables properly creates TagService objects and places them into the action of the rule when it finds an iptables rule with target "-j MARK"
  • a temporary fix for the problem in ANTLR that causes crash on import of very large config files. This affected import of both iptables and Cisco IOS configurations and depended just on the file size.
  • applied patch for gcc 4.4 from bug# 2282828 "patch for gcc-4.4"
  • Improvements and bug fixes in the GUI:
  • fixed crash that happened when user opened PIX firewall "advanced" settings dialog and then tried to save changes by clicking OK.
  • Several build problems fixed for FreeBSD.
  • fixed bug #2158561: "Solaris fwb 3.0.2-b599 build prob" Fixed build problems on FreeBSD and Solaris
  • Added GUI control in the Preferences dialog for the path to scp utility used by built-in policy installer
  • added support for data file compression. This fixes bug# 2130128: "Option to compress the FWB file".
  • Added tab "Data File" to the Preferences dialog; added checkbox "Enable data file compression" to this tab. If this checkbox is turned on, the GUI will compress data file when it is saved to disk.
  • fixed bug #2149585 "Deleting Routing object breaks file". The GUI should not allow the user to delete "Routing" ruleset object, as well as any other top-level ruleset object. This applies to both deleting them via context menu item or Delete key stroke.
  • fixed bug #2149503: ever since attribute "read-only" of FWObject has been converted from a dictionary entry to a member variable, the GUI could not properly check if an object is read-only and could not update context menu and icon in the object tree. This lead to unstable behavior when an object was set read-only because the GUI could not show corresponding icon to indicate its status change, did not switch context menu items and permitted operations that should not have been permitted.
  • Added attribute to the Policy object for iptables to indicate that this policy ruleset should be compiled into filter and mangle tables or only for the mangle table. This makes sense (and is only shown) for iptables firewalls. By default the attribute is set to "filter+mangle" which means compiler will try to figure out which table each rule should go to. However some combinations of service objects and actions are ambiguous and can be used in both filter and mangle tables. In cases like these, user can help by creating separate Policy ruleset that will be translated only into iptables rules in the mangle table.
  • fixed bug: object editor panel resized itself erratically when user switched between objects while editor was open. This happened on Windows and Mac OS X.
  • fixed object type icon in the RuleSet and Interface object dialogs.
  • fixed bug #2187094: "fwbuilder does not use system colors for text boxes". Some dialogs would not properly pick up KDE theme. This was especially visible if theme used dark background colors and white font, in which case many input fields in dialogs would use white text on white background.
  • more fixes for bug #2194829: use toLocal8Bit() instead of toLatin1() in all calls to libfwbuilder functions that deal with files (FWObjectDatabase::load() etc.), as well as system functions such as unlink(), rename(), access(). Now I can open, save, check out and check in file if it is in directory with non-ascii name and also can use non-ascii characters in RCS checkin log records.
  • making sure no rule operations are allowed when rule set or parent firewall object are read-only. This fixes GUI crash that happened when user tried to remove rule from a group in the read-only firewall.
  • fixed bug #2209210 "crash in fwbuilder: ObjectIconView.cpp:90:". The GUI crashed if user moved mouse cursor over object icons in a group object editor when tooltips were activated.
  • fixed bug #2255591 Adding new ipv6 policy is always type "mangle". When user added new Policy object to the iptables firewall and made and saved any changes in the object editor (switched to "top rule set" or toggled setting "filter+mangle"="mangle only"), the setting of the ruleset would switch to "mangle only" and stick there. There was no way to switch it back to "filter+mangle". This is fixed in build 641.
  • fix bug #2303486: "Operation of duplicating firewall should switch policy". When firewall object is duplicated, the GUI should automatically open policy of the new object rather than keep policy of the original open. At the same time, reset lastModified, lastCompiled, lastInstalled of the new firewall instead of keeping copies from the original.
  • better layout of the first page of Preferences dialog to make sure long path to the working directory fits in the input widget.
  • fixed printing from command line which was broken some time ago (perhaps in 3.0.1). When user prints firewall policy from command line using "fwbuilder -f file -P fw_object" all rule groups are always printed expanded.
  • fixed printing with QT 4.4. QT 4.4 correctly sets physical resolution of the printer and sets its logical resolution to 1200dpi. This caused rulesets to be printed incorrectly on Windows and Mac where we use QT 4.4.1. This fix restores printing on these platforms.
  • Improved Mac OS X bundle: included qt.conf file to make it look only inside the bundle for QT libraries and plugins; this eliminated warnings about QT libraries being loaded from two places if the system where the fwbuilder GUI was running had QT installed on it. Now packaging the QT accessibility plugin library; this should make the GUI run with accessibility features if accessibility aids are turned on system-wide.
  • Improvements and bug fixes in components common for all policy compilers:
  • All compilers: firewall object can be specified by its ID in addition to by name. Command line option "-i" tells compiler that the last parameter of the command line is object ID. This works reliably when firewall object name contains non-ascii characters and the program runs under locale using 8 bit characters. Built-in installer now uses this method while calling all policy compilers.
  • change in the algorithm used to decide which interfaces of the host or firewall object to use in a rule when this host or firewall object is found in source or destination. Previously, compiler would skip loopback interface unless user associated the rule with loopback by putting it in the "Interface" rule element. This made it impossible to create rules with address 127.0.0.1 in destination but attached to interface other than loopback (such rule is used for transparent proxy configuration). Now if user explicitly put loopback interface object into rule element, we always keep it. However when compiler expands interfaces from a host or firewall object, it will skip loopback as before, unless the rule is attached to loopback interface.
  • getHostByName() used to insert duplicate IP addresses into the list of the results. Now making sure ip addresses in the result are unique.
  • Using internal caching to speed-up shadowing detection. This cuts time of shadowing detection almost in half for large policies with many rules.
  • Optimisations in the code that detects rule shadowing. Combined with improvements in classes Rule and RuleElement, this yields speed-up in shadowing detection by a factor of about 5.
  • Improvements and bug fixes in the policy compiler for iptables:
  • Compiler for iptables uses QT functions to properly process non-ascii file names and firewall object names. Compiler correctly creates generated script when its file name contains non-ascii characters on all supported OS. The GUI can find the file and built-in installer can copy it to the firewall and activate it there. QT helps manage encodings and locales in OS-independent manner. Caveats: Dependency on QT libraries means compilers can not be deployed on the firewall separately from the GUI. pscp.exe on Windows does not seem to be able to pick up file with non-ascii characters in name when program runs on Windows with standard English locale. Could not test on Windows running with national locale. As a workaround, user can specify alternative name for the generated script in the firewall settings dialog (tab "Compiler"). Support for non-ascii firewall object and generated script names is currently only available in compiler for iptables
  • fixed bug #2151898: "use of "--icmp-type any" iptables 1.2.6a". Iptables v1.2.6a and older do not have option "-m icmp --icmp-type any".
  • fixed bug #2148378: "Negation does not work on Tag Service". Policy compiler for iptables should be able to use "!" single-object negation for TagService objects.
  • Always placing rules with action "Accept" in table mangle in chain PREROUTING
  • fixed bug (no #): policy compiler for iptables would crash with assertion when AddressTable or DNSName object was used in a rule in pure mangle table ruleset. This could be related to crash reported in bug #2157121.
  • Explicitly use "\n" instead of endl to avoid implicit conversion to "\r\n" on Windows (generated script is for iptables which can only run on Linux, so it is safe to use "\n" instead of endl).
  • added support for single object negation in OSrc and ODst in NAT rules. This provides for more compact iptables script in the often used case where single object is used with negation in these elements of a NAT rule. Other improvements in handling NAT rules with negation.
  • fixed bug (no #): policy compiler for iptables did not handle correctly rules where a host that has multiple addresses was a single object in a rule element and had negation.
  • while processing single object negation, consider hosts and firewalls with one normal interface and loopback interface eligible (i.e. ignore loopback address even though formally such object has at least two ip addresses).
  • fixed bug #2180556: "broken support for the "old" time module for iptables". Compiler generated incorrect parameters for the "time" module for versions
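
The loopback handling described in the v3.0.2 compiler entries above (expansion of host and firewall objects found in Source or Destination, and the single-object negation eligibility rule), as an added Python example; this is not Firewall Builder code, and the Host, Interface and address values are constructed samples that stand in for the real object model.

```python
"""Added example (not Firewall Builder code): expanding a host or firewall
object found in Source/Destination into addresses while treating the
loopback interface the way the v3.0.2 entries describe.  Object names and
addresses are constructed sample data."""

from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass
class Interface:
    name: str
    addresses: List[str]
    loopback: bool = False


@dataclass
class Host:               # stands in for both Host and Firewall objects
    name: str
    interfaces: List[Interface]


RuleElement = Union[Host, Interface, str]


def expand_host(host: Host, rule_interface: Optional[Interface]) -> List[str]:
    """Addresses of all interfaces of the host.  Loopback is skipped unless
    the rule itself is attached to a loopback interface."""
    attached_to_loopback = rule_interface is not None and rule_interface.loopback
    addresses: List[str] = []
    for itf in host.interfaces:
        if itf.loopback and not attached_to_loopback:
            continue
        addresses.extend(itf.addresses)
    return addresses


def expand_element(element: RuleElement,
                   rule_interface: Optional[Interface]) -> List[str]:
    """Expand one Source/Destination object.  An interface object that the
    user put into the rule explicitly is always kept, loopback included: this
    is what allows a transparent-proxy rule with destination 127.0.0.1 that
    is attached to eth0 rather than to lo."""
    if isinstance(element, Interface):
        return list(element.addresses)
    if isinstance(element, Host):
        return expand_host(element, rule_interface)
    return [element]          # plain address string, used as is


def eligible_for_single_object_negation(element: RuleElement) -> bool:
    """Single-object negation ("! -s addr") needs exactly one address.  A host
    with one normal interface plus loopback still qualifies, because the
    loopback address is ignored for this purpose."""
    if isinstance(element, Host):
        normal = [a for itf in element.interfaces if not itf.loopback
                  for a in itf.addresses]
        return len(normal) == 1
    return len(expand_element(element, None)) == 1


if __name__ == "__main__":
    lo = Interface("lo", ["127.0.0.1"], loopback=True)
    eth0 = Interface("eth0", ["192.0.2.1"])
    eth1 = Interface("eth1", ["198.51.100.1"])
    fw = Host("fw", [lo, eth0, eth1])
    print(expand_element(fw, None))        # loopback skipped
    print(expand_element(fw, lo))          # rule attached to lo: kept
    print(expand_element(lo, eth0))        # explicit lo object: kept
    print(eligible_for_single_object_negation(Host("h", [lo, eth0])))
```

A host with two normal interfaces is reported as not eligible; a compiler would then fall back to whatever multi-address negation strategy it implements (a user-defined chain, in the iptables case), which this example does not cover.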

New in Firewall Builder 3.0.1 Build 565 (Oct 6, 2008)

  • Filter addresses of IPv4 objects and strip leading and trailing whitespaces and other non-digit characters before converting to InetAddr. This will help with annoying problem where v2.1 allowed such characters in address attributes of Address objects but v3.0 applies strict checks during file load and rejects such data files.
  • generate unique string object id on demand instead of in the call to generateUniqeueId. This helps speed up compiler operations by a factor of about 3 because we generate unique int ID every time object is created or copied, yet string ID is only needed when object is stored in external XML file. Also using sprintf to assemble string ID, it works faster than ostringstream.
  • converted attribute "ro" (read-only) from a dictionary variable to the member variable of class FWObject. We check read-only status of objects very often and dictionary lookups were slowing compiler down considerably.
  • set netmask to /32 when new Network object is created. This used to be the default in fwbuilder v2.1. New default of 0.0.0.0 appears to be confusing and error-prone, by user's requests changing default back to /32. This fixes bug #2125542: New Address objects added with netmask of "0.0.0.0"
  • bugfix: if user called "Save As" and then hit Cancel in the dialog where they choose file name, internal RCS object used to be deleted anyway.
  • bug #2091507: "Create New Firewall problem.". If user created new data file using File/New main menu item, items in the main menu File used to stay disabled and file could only be saved using "File/Save As" (which did not make sense because the name has already been assigned to the file during File/New operation).
  • bug #2091520: "Crash FWB". The GUI crashed if user closed mdi window showing just standard objects and then tried to close the main window.
  • bug #2099700 "Association of the .fwb and .fwl file types with app on Mac". Implemented support for the association of the application and data file type on Mac OS X. Double-clicking on .fwb and .fwl files in Finder will now open application and load files automatically. User can open several files by selecting them in Finder and double-clicking.
  • fixed "usage" in fwbedit, command line option that specifies object attributes for the command "new" is "-a", not "-o". Also fixed this in the man page.
  • bug #2099631 "GUI should rememver firewall object that was opened last". The program remembers opened ruleset between sessions.
  • bug #2091225: "Can objects in the left pane remember last state.". The program saves state of the object tree branches (expanded or collapsed) between sessions.
  • bug (no #): added ability to copy/paste rule set objects.
  • bug #2100415: "cannot re-create or clone Routing object". The GUI does not let the user delete the Routing object. Policy and NAT objects can be deleted as long as there is at least one more left. Also "top" rule set objects can not be deleted at all.
  • bug (no #): if the name of the plink.exe program was specified in upper case in Preferences dialog, built-in installer failed to provide correct command line options to it.
  • Additional checks for operations with rules and ruleset on the deleted Policy or NAT object. User should not be able to change anything in rule set object that has been deleted because it does not have parent firewall object.
  • bug #2106229 "Disable-Icon bad position in rule group". Icon that indicates that a rule is disabled used to be drawn in the wrong row of the ruleset table.
  • bug #2106280: "option to change color of rule group head". Made rule group head colored in "medium dark", actual color depends on chosen QT theme.
  • bug #2106124: "Crash after deletion of (last rule in + whole) rule group".
  • bug #2105111: "use color for compiler status and errors". Compilation and installation status is color coded in the left panel of compile/install dialog (Error is red, Success is green). Also coloring compiler error messages red in the compiler progress panel. Note that this feature is subject to QT bug #212207. This QT bug was introduced in QT 4.4.1. Because of this bug, text labels using non-default color or font disappear unless they are selected. This does not happen with QT 4.3.x or 4.4.1 and later.
  • bug #2107004: "Fwbuilder crashes while deleting objects in groups". I could only reproduce the crash when there were two identical objects in the group and I was trying to delete both. v3.0 does not allow the user to add the same object twice to the group so this condition should not be possible.
  • bug #2090332: "Where used search function does not always work.". WhereUsed function could not find firewall if it was used in its own rules.
  • bug #2099631: there used to be object "icmpv6 unreachables" in the Deleted Objects library in the file of standard objects that comes with the package.
  • bug # 2109432: "double click on results in "Where used" list opens wrong rule."
  • bug #2109431: "context menu item "Where used" is missing for rulesets".
  • bug #2109660: "Compiler Progress: bar is incomplete". Compiler progress bar failed to show full length bar when operation was complete for some firewall platforms.
  • bug #2109675: "file Title bar contains redundant info". Internal page title should be coordinated with items in the Windows main menu. There is also no need to add "Firewall Builder" to the title of internal windows.
  • bug #2109833: "Crash on right mouse click in the object group".
  • bug #2099700 "Association of the .fwb and .fwl file types with app". Implemented support for the association of the application and data file type on Windows and Mac OS X. Double-clicking on .fwb and .fwl files in Explorer or Finder will now open application and load files automatically.
  • Changed format of the start and stop date fields in the Time Interval object to show year as four digits. Also enabled calendar in these widgets.
  • change in the logic applied when the program decides which library to open at start time. If a file is opened and there is a settings record pointing to the library that was opened in this file the last time the program was used, this library is opened. If there is no such settings record, the program tries to find the first non-system library in the file but prefers the one named "User". If the program starts without a data file, it shows library "User" from the standard objects file.
  • enable "close" button in the title of several dialog windows (it was not shown on Mac).
  • Using tabbed presentation of internal subwindows on Mac OS X. This looks much better than standard MDI presentation where internal windows have their own title bar.
  • workaround for a problem that only appears on Mac: if user uses File/Open but cancels operation, the main window used to switch from the subwindow that was active to another one (usually the empty default window with only standard objects tree).
  • when the program is started without data file, it shows panel with just default objects, with a title "Untitled". If user opens data file, it is loaded into the same panel and its title changes accordingly. If user makes changes and then saves using "Save As", its title also changes accordingly (and there is still one panel). If user uses "File/New data file" and enters the name of the new data file, it is loaded into the same panel and its title changes accordingly. Still, after this there is only one panel. However if the panel shows contents of some data file, operations "File/Open" and "File/New" load second data file into a new panel.
  • bug # 2106266: "Save collapse/expand state of groups in policy". The GUI will remember state of the rule groups (expanded/collapsed) between sessions. The state is saved in preferences. Groups are referenced by combination of file name (full path), firewall object name, ruleset name, group name. Since state is saved in preferences rather than in the data file, state of the rule groups is separate for each user.
  • bug #2123150: "add new rule below inserts at end of rulebase". The program used to append the rule at the bottom of the policy when the user tried to insert it in the middle when there were rule groups.
  • bug #2124804: "Policy list "jump" when using groups". Combination of rule groups and very tall rows in the rule set view caused problems with vertical scrolling.
  • do not print netmask of the IPv4 and IPv6 objects in tooltips and "info" panel unless such object is child of an Interface. This fixes bug #2125542: New Address objects added with netmask of "0.0.0.0"
  • bug #2126524: "User Service created in the Service Group section" - added missing group UserServices to the standard objects file.
  • fixed GUI crash that happened when user made modifications in the default object tree but did not save the changes and then tried to exit the program.
  • Network and NetworkIPv6 object dialogs accept CIDR notation in the "address" input field. Netmask input field is filled automatically using "/NN" entered as part of the address when user hits Return or Tab or switches to another input element using mouse click.
  • fixed bug #2128261: "fwbuilder thinks the file has changed when opened read-only". Operation "find where used" triggered "dirty" flag on the object tree even though it does not change anything.
  • bug #2105977: "Viewing firewall settings change state to edited". Opening firewall "advanced" settings dialog triggered internal flag that signalled that something in the object tree has changed.
  • Added tooltip in the rule set view for the column showing rule group handle, the tooltip shows group name and number of rules.
  • bug related to #2123152 "Fwbuilder 3.0.0 Gui very slow and doesn't refresh properly". There seems to be a bug in QT 4.4.1 (not sure of 4.4.0, definitely not in 4.3.x) which causes the last row of the rule set view table to come out blank when the table is redrawn. This happens when rows have very different height and looks like the last row comes out blank when user scrolls the table up. The last row is finally redrawn when most of it is already visible.
  • bug #2129726: "Where Used" not working on collapsed groups.
  • constructors of rule set view classes (PolicyView, NATView, RoutingView) used to set the "dirty" flag in the object database, which caused the GUI to ask the user if they wanted to save modifications before exiting the program even when no modifications had been made. This change fixes this annoying problem.
  • fixed icon for rule action "Mark"
  • fixed crash that happened on Ubuntu with QT 4.3.x because of recursive call to updateGeometries()
  • bug #2125604: "Cancel button does not kill the installer". The Cancel button of the installer wizard now kills the background process. The second issue raised in this bug report, that the "Finish" button was always enabled, is also fixed.
  • bug #2144114 "fwbuilder * exits if the last object file is closed". The GUI will not terminate after the last window is closed but instead will just show empty main window.
  • bug #2144358 "Double check with 'save as'". The GUI used to ask twice if user wants to overwrite the file in Save As operation if file with given name already existed.
  • bug #2144122 "Segfault when trying to add an address to a group"
  • making sure all modules store settings under the same path prefix "3.0/" (applies to all OS).
  • bug #2143961: a typo in the man page fwbedit.1
  • bug #2143894: "fwbedit list does not show objects". Command "fwbedit list -f file" did not print anything unless option "-F" was supplied. This change adds default value for this option so that when it is missing, the command prints object path.
  • bug (no #): compiler for iptables used date entered for the beginning of the interval in "Time" object both for the beginning and for the end.
  • fixed compiler error "Error (iptables): The object "eth0" used as interface in the routing rule 0 (main) is not a child of the firewall the rule belongs to!" that also happened because Routing ruleset object being processed is disconnected from the firewall parent at the time compiler works with it.
  • fixed crashes in RoutingCompiler that happened because Routing ruleset object being processed is disconnected from the firewall parent at the time compiler works with it.
  • bug #2141911: "no ULOG for ip6tables". ULOG target has not been implemented for ip6tables yet, so the compiler should fall back to LOG target while compiling ipv6 policy.
  • fixed bug (no #): policy compiler for PF used to insert both "inet" and "inet6" into generated pf.conf lines for the IPv6 policy.
  • Basic support for IPv6 for ipfw. IPv6 rules should be kept in a separate policy, just like for all other platforms. Branching rules are not supported, so there is no support for multiple policies (although there is no check for that at this time either). Both ipv4 and ipv6 rules are loaded into the same ipfw set "1" with globally unique increasing rule numbers. The order in which ipv4 and ipv6 policies are processed is controlled by an option in the firewall settings dialog. Note that this is not complete yet; for example, ICMPv6 is not supported. A more complete implementation should be done as part of ipfw2 support.
  • fixed crash in compiler for PIX that happened when compiler tried to merge "global" commands and some of the interfaces of the firewall had dynamic address.

New in Firewall Builder 3.0.0 Beta (Jul 17, 2008)

  • UI is built with QT4. Built and tested with 4.3 and 4.4
  • UI is now an MDI, you can open several data files in the GUI and copy/paste or drag and drop objects from one data file to another. Complex objects with dependencies, such as entire firewall with all its policies and rules, copy all dependencies automatically. You can open the same file multiple times and copy objects between libraries as well.
  • UI lets you choose the font and font size for the object tree and for the rules.
  • UI lets you switch between 25x25 and 16x16 icons for the rules. This, combined with ability to choose font size, makes it much more friendly for laptops and small screens.
  • Rule grouping: you can combine rules into any number of groups, group can have a title and color. You can collapse groups in the policy so that only group title is visible.
  • Action parameters for rules with action "Chain" or "Anchor" (this is the same action, just different names for iptables and pf) can be opened in the object editor. To associate such rule with a branch rule set just drag rule set object into the drop area in the editor.
  • The same rule set can be used in multiple rules with action "Chain" or "Anchor". This even works if the rule set belongs to a different firewall object. You can create firewall object with a "base" set of rules and then refer to it from policies of many other firewall objects, which "inherit" its policy this way.
  • Action parameters of the rule with action "Mark" or "Tag" can be opened in the editor panel. Instead of typing mark/tag code manually, drag and drop TagService object into the drop area in the dialog.
  • Netmasks can be entered as bit length everywhere, that is, instead of 255.255.240.0 you can type "20". Bit length is the only supported method of entering ipv6 netmasks.
  • Support for add-on libraries in the GUI has been deprecated. User can now open their working file and external library file simultaneously and copy objects from one to another. This removes the need for the cumbersome add-on libraries feature.
  • Implemented printing of the firewall object contents from CLI per bug #1996739: "Feature: CLI printing or policy export"
  • Implemented sorting by name and parameter in group dialogs per bug #646804: "No sort in Group".
  • A firewall can have any number of policy and nat rule sets. These rule sets are shown as objects in the tree rather than using tabs (this is how fwbuilder v1.0 worked, if anyone remembers). Rule sets can be copied and pasted and can be dragged into branched rules.
  • Each policy and nat rule set object can have unique name. These names are used by the compilers for the names of user-defined chains, anchors or access lists (depending on the platform).
  • One policy and nat rule set should be marked as "top" rule set using checkbox in the rule set object editor. Compilers treat "top" rule set differently, depending on the firewall platform:
  • iptables: rules defined in such rule set will go into built-in chains INPUT,OUTPUT,FORWARD etc. Rules defined in rule sets where this checkbox is not checked go into user-defined chain with the name the same as the name of the rule set.
  • PF: rules defined in the rule set with "top rule set" checkbox turned off go into an anchor with the name of the rule set.
  • Cisco IOS access lists: if "top rule set" checkbox is turned off, the rules go into access list with the name prefixed with the name of the rule set; this access list will not be assigned to interfaces via "ip access-group" command. Rulesets with checkbox "top rule set" checked generate acls with names consisting of the shortened name of interface and direction abbreviation ("in" or "out"). Only these lists are assigned to interfaces.
  • object types AddressIPv6, NetworkIPv6, ICMP6Service have been added.
  • Compilers for iptables and pf can generate ipv6 output.
  • Each policy and nat rule set must have its address family declared as an attribute of the corresponding rule set object. User can do this by double clicking on the Policy or NAT object, which opens it in the object editor panel (like any other object). There are two radio buttons in the editor that let the user choose between ipv4 and ipv6 for the given rule set.
  • Compilers allow for mixing ipv4 and ipv6 objects in the same rule set. When objects representing both address families are used in the rule, compiler picks ones that match address family declared for the rule set.
  • A new object type User Service has been added
  • Compilers for iptables and pf can generate rules that match on user id. Note that semantics is slightly different on iptables and pf, for example iptables can only match user id for outbound packets created by the firewall itself, while pf can do it for inbound packets as well and the operation is also defined for the forwarded packets. Compilers are aware of these differences.
  • Firewall Builder 3.0 API library libfwbuilder tracks version of the data file format separately from package version. This means most of the time there will be no need to upgrade data file when package is upgraded from one minor version to another, such as from 3.0.0 to 3.0.1. This also means we will maintain backwards compatibility by the data format between minor program versions, so the user can roll back to the previous version if needed. This was not possible with v2.1 where each package upgrade required upgrade of the data file as well, making it incompatible with older version.
  • However, sometimes we need to make changes in the XML DTD which requires upgrade of the data file. We do not expect this to happen often and every such occasion will be documented in the Release Notes. If data file upgrade is necessary, the program will do it automatically just like it did it in v2.1. The difference is that this should be required rarely.
  • Approximately 2x speed up in shadowing detection and compile. In fact, I do not have a machine with both old and new fwbuilder to run the test and compare this accurately. I would appreciate a feedback from users as to how much faster they see the new compiler process their long rule sets.
  • Compilers include warning and error messages that were generated during rule processing in the generated script in addition to printing on standard error.
  • Changes in support for iptables:
  • Support for ipv6 (using ip6tables)
  • Support for user matching by module "owner"
  • Support for new format in module "time" in iptables 1.3.8 and later
  • Support for multiple rule sets. Rule sets with names other than "Policy" will be compiled as user-defined chains. If there is a rule in any rule set that passes control to such chain, it will be compiled too. Otherwise the chain will be left "orphaned" which can still be useful if a rule that jumps to it is added manually to epilog section of the script.
  • Added support for TOS and DSCP matching
  • Support for combinations of srcip, dstip, srcport, dstport options of the hashlimit module has been implemented in the compiler for iptables per bug #1812388: "add srcip,dstip to choices for hashlimit mode"
  • iptables rule with target TCPMSS generated for option "Clamp MSS to MTU" is valid only in mangle table in iptables 1.3.x and later. Still generate this command in the filter table for earlier versions of iptables
  • Changes in support for PF:
  • Support for ipv6
  • Support for user matching
  • Support for multiple rule sets. Rule sets with names other than "Policy" will be compiled as named anchors. Just like with iptables, if there is a rule in any rule set that passes control to this anchor, it will be compiled too. Otherwise user can add such rule manually to prolog or epilog section of the script.
  • Added support for TOS and DSCP matching
  • Support for ipv6
  • Added support for TOS and DSCP matching
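The chain layout the "top rule set" and multiple rule set entries above describe can be checked mechanically once the script is generated. The following is an added example, not fwbuilder's own output or code: the iptables-restore text is constructed here to show a top rule set landing in the built-in chains, a rule set named "web_servers" becoming a user-defined chain of the same name with a jump from the top set, and a rule set "unused" that nothing jumps to (an "orphaned" chain). The two functions report orphaned chains (harmless, but they may indicate a forgotten branch rule) and jump targets that are not defined anywhere, which iptables-restore would reject at load time. The list of known terminal targets is an assumption and can be extended.

```shell
#!/bin/sh
# Added example; not fwbuilder's generated script. SAMPLE is constructed input.
SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:web_servers - [0:0]
:unused - [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -d 192.0.2.0/24 -p tcp -j web_servers
-A FORWARD -j DROP
-A web_servers -p tcp --dport 80 -j ACCEPT
-A web_servers -p tcp --dport 443 -j ACCEPT
-A web_servers -j LOG
-A web_servers -j DROP
-A OUTPUT -j missing_chain
COMMIT
'

# Print user-defined chains (":name -" lines) that no rule jumps to.
orphan_chains() {
    printf '%s' "$1" | awk '
        /^:/ && $2 == "-" { sub(/^:/, "", $1); declared[$1] = 1 }
        /^-A/ { for (i = 1; i <= NF; i++)
                    if ($i == "-j" || $i == "-g") used[$(i+1)] = 1 }
        END { for (c in declared) if (!(c in used)) print c }' | sort
}

# Print jump targets that are neither declared chains nor known terminal
# targets (assumed list below); iptables-restore refuses such a file.
undefined_targets() {
    printf '%s' "$1" | awk '
        BEGIN { n = split("ACCEPT DROP REJECT RETURN LOG ULOG MARK SNAT DNAT MASQUERADE REDIRECT TCPMSS", t, " ")
                for (i = 1; i <= n; i++) known[t[i]] = 1 }
        /^:/ { sub(/^:/, "", $1); known[$1] = 1 }
        /^-A/ { for (i = 1; i <= NF; i++)
                    if (($i == "-j" || $i == "-g") && !($(i+1) in known)) print $(i+1) }' | sort -u
}
```

Run both functions on the text that will be fed to iptables-restore (for example the output of `iptables-save` after a test install): "unused" shows up as an orphan, and "missing_chain" as an undefined target that would make the load fail.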

New in Firewall Builder 2.1.19 (May 20, 2008)

  • Starting with v2.1.18, all policy compilers come as part of the "fwbuilder" RPM. This includes compilers fwb_ipt, fwb_ipf, fwb_ipfw, fwb_pf, fwb_iosacl and fwb_pix. Instead of 6 RPMs (libfwbuilder, fwbuilder and 4 RPMs for individual compilers) I now build only two: libfwbuilder and fwbuilder. For example, for Fedora C8 only these two RPMs will be built from now on: libfwbuilder-2.1.18.fc8.i386.rpm and fwbuilder-2.1.18.fc8.i386.rpm
  • GUI: fixed bug #1949103: "manpage slightly broken". Minor fixes in fwbedit.1 man page.
  • GUI: fixed bug #1949438: "parser expects decimal - hex is not accepted". Importer for iptables should be able to process "--set-mark" with hex argument.
  • GUI: fixed bug #1562726: "policy print rule cut-off". Long rulesets would not print correctly on Windows, the bottom of the ruleset table was just printed solid grey with no rules visible.
  • Policy compiler for iptables: bug #1938985: Rate in hashlimit in local language
  • Policy compiler for iptables: fixed bug #1940504: "Clamp MSS to MTU". The iptables command that invokes "-j TCPMSS --clamp-mss-to-pmtu" in the FORWARD chain should go before the one that matches "--state ESTABLISHED,RELATED" in order to work for packets in these states.
  • Policy compiler for iptables: partial fix for bugs #1789059 "shadow issue when using action chain" and #1945149: "Shadowing test for rules with action chain". The mechanism for rule shadowing detection we have at this time can only detect shadowing of one rule by another. In case of branching it is a combination of the branching rule and rules inside the branch that may shadow other rules. I plan to redesign this part of the code in the future, but it won't happen in upcoming v3. Meanwhile, I am fixing it in 2.1 by making compiler ignore rules with action Branch.
  • Policy compiler for PF: fixed bug #1821573: "Rule options limits allow for multiple overload tables". PF allows only for one "overload" option per rule.
  • Policy compiler for PF: fixed bug #1961202: "Pf Timeouts overriden by Optimization". Compiler should generate "set optimization" command before "set timeout" commands.

New in Firewall Builder 2.1.18 (Apr 7, 2008)

  • Now all policy compilers come as part of the "fwbuilder" RPM. This includes compilers fwb_ipt, fwb_ipf, fwb_ipfw, fwb_pf, fwb_iosacl and fwb_pix. Instead of 6 RPMs (libfwbuilder, fwbuilder and 4 RPMs for individual compilers) I now build only two: libfwbuilder and fwbuilder. For example, for Fedora C8 only these two RPMs will be built from now on: libfwbuilder-2.1.18.fc8.i386.rpm and fwbuilder-2.1.18.fc8.i386.rpm
  • Improvements and bug fixes in the GUI: fixed bug #1908351: "rcs does not save log message and file remains locked"
  • Improvements and bug fixes in the policy compiler for PF: fixed bug #1899914: "Script to apply the new rules." It is enough to execute "pfctl -f file.conf" to load PF policy. There is no need to purge filter and nat rules first, then reload it.
  • Improvements and bug fixes in the libfwbuilder API library and all policy compilers: fixed bug #1905718: "Group of DNS Name objects considered empty"

New in Firewall Builder 2.1.17 (Feb 21, 2008)

  • Updated Brazilian Portuguese translation
  • More for the bug #1816798: "Installing policy on PIX 501 fails". The fix that was made for v2.1.16 did not cover test-mode install, which is now fixed too. Command "terminal pager " is valid only for PIX 7.x and caused error while installing policy on PIX 6.3. Removed this command from the install sequence, it was not essential.
  • fixed bug #1849392: "RCS using windows 2003 without administrator rights". Pass TMP and TEMP environment variables to RCS tools
  • Fixed bug #1883536: "fwbuilder segfaults when importing iptables conf". Added support for the TCPMSS target with option --clamp-mss-to-pmtu in the iptables importer; also made the importer understand option --tcp-option but skip it, since it is not supported in fwbuilder.
  • fixed bug #1886570: Diagnostic related to Edit->Preferences. Removed harmless but annoying error message that appeared on stderr when user opened Preferences dialog.
  • fixed crash of the policy importer on 64-bit systems. This fixes bug #1886575: "Seg Fault on reading vanilla Fedora iptables file". See comment in module CircularQueue.hpp for details.

New in Firewall Builder 2.1.16 (Dec 21, 2007)

  • Improvements and bug fixes in the GUI
  • patch #1849500: "tooltip patch for tcpservicedialog_q.ui". Additional tooltips in the TCP Service dialog to explain function of tcp flags masks and settings.
  • fixed bug #1850346: "GUI has 2 views on which actions should be stateless". Even though the GUI made rules with action Route stateful by default, the code that determined whether a given policy rule's combination of options was the default assumed these rules should be stateless.
  • fixed bug #1850352: "Install script wrongly completes successful". Added more checks to the installer scriptlet so that it terminates with a non-zero exit code if iptables-restore returned an error. Previously an "echo" at the end of the generated script masked the error code returned by iptables-restore, so the GUI reported a successful install even when it had failed. Also added a test for the presence of pkill on the system so that the script does not try to run it if it is not available.
  • Improvements and bug fixes in the policy importer for iptables
  • fixed bug #1849328: "iptables restore unusable in 2.1.15". This bug was introduced by the change for the bug #1812295. If option "use iptables-restore to activate policy" is on, we always generate script that prints iptables commands using echo and sends them to the input of iptables-restore via pipe.
  • fixed bug 1848204: "ULOG-Setting ignored for invalid packets", applied patch #1848609 provided by reporter. Code that matched and logged packets in state INVALID always used target LOG, which was a problem for iptables installations that only come with target ULOG.
  • Applied patch 1835308: "Patch for adding "-q" option to fwb_ipt". Option "-q" suppresses timestamp that is normally included in the generated script. This way, if no objects or rules changed in the firewall builder, generated script will be exactly the same. Timestamps made generated script different even if nothing really changed in the objects, which made external version control systems detect changes when there were none.
  • bug #1850352: "Install script wrongly completes successful". Storing exit status of iptables-restore so that generated firewall script can return the same status after it executes commands that set kernel parameters and runs user-defined epilog code.
  • fixed bug #1851166: "Installscript does not test for destination ip address". The problem affected the specific case of a firewall with two (or more) interfaces that get their addresses dynamically and a policy rule that has one such interface in Source and another in Destination. The generated iptables script retrieves the actual addresses of both interfaces, assigns them to variables and uses these variables in the iptables rules. A special check handles the case where an interface has not obtained an IP address at the time the script runs. Previously this test was done for only one dynamic interface per rule; now the script checks both.
  • Improvements and bug fixes in the policy importer for PF
  • applied patch #1850368: 'PF 3.7 has support for "set skip on"'. Patch by [email protected] extends support for "set skip on" option to pf 3.7.
  • applied patch #1850357: "Add support fo load balancing with pf to PolicyRule::Route" by Tom Judge ([email protected]) that adds support for load balancing rules in PF. Extended the patch adding support for address/netmask format of the next hop. Added checks for illegal IP addresses and netmasks in the next hop.
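The two installer fixes above (#1850352, storing the exit status of iptables-restore so that a trailing echo or the epilog cannot mask it, and #1851166, checking the address of every dynamic interface a rule uses) come down to a small activation pattern. The following sketch is an added example, not the script fwbuilder generates. IPTABLES_RESTORE is overridable so the functions can be exercised without root or iptables (assumption: a stand-in command or shell function that reads rules from stdin and returns a status); getaddr assumes Linux iproute2 output and the rule text is a constructed sample.

```shell
#!/bin/sh
# Added illustration of the activation sequence; not fwbuilder's generated script.
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# Current IPv4 address of a dynamic interface (Linux iproute2 output, first
# address only). Prints nothing if the interface has no address yet.
getaddr() {
    ip -4 -o addr show dev "$1" 2>/dev/null |
        awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# Build iptables-restore input for a rule between two dynamic interfaces.
# Both addresses are checked, not just the first: an interface without an
# address would otherwise leave an empty -s or -d argument in the rule.
build_rules() {
    iface_in=$1; addr_in=$2; iface_out=$3; addr_out=$4
    for pair in "$iface_in=$addr_in" "$iface_out=$addr_out"; do
        case $pair in
            *=) echo "interface ${pair%=} has no address, rule skipped" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '*filter' \
        "-A FORWARD -i $iface_in -s $addr_in -o $iface_out -d $addr_out -j ACCEPT" \
        'COMMIT'
}

# Feed rules to iptables-restore on a pipe and read its status immediately.
# It is the last command of the pipeline, so $? is its status; reading $?
# after a trailing echo would give echo's 0 instead.
load_rules() {
    printf '%s\n' "$1" | "$IPTABLES_RESTORE"
    status=$?
    echo "iptables-restore exit status: $status"
    return "$status"
}

# Full activation: load rules, run the epilog (kernel parameters, user code,
# passed as a function name; default is a no-op), then return the stored
# status of iptables-restore so the installer sees a failed load.
activate() {
    rules=$1; epilog=${2:-:}
    load_rules "$rules"
    rc=$?
    "$epilog"
    return "$rc"
}
```

In a real script the call would be `activate "$(build_rules eth0 "$(getaddr eth0)" eth1 "$(getaddr eth1)")" epilog` run as root, with the script's own exit status set from the return value of activate; the essential point is that `rc` is captured on the line right after the pipeline and nothing that runs afterwards is allowed to replace it.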