                         Firewall Builder Release Notes

Version 2.0.3

   Released 09/30/04
   GUI and compilers v2.0.3 require API library libfwbuilder version 2.0.3

Summary

   Firewall Builder GUI v2.0.3 is a maintenance release that includes fixes
   for bugs discovered since 2.0.2 was released.

   For those who wish to build from source, instructions are outlined in
   "Install and Build instructions".

     * This release improves support for the PF firewall by always using
       tables in policy rules; it also uses the syntax " ! <tbl>" for
       negation, assigns "rdr" rules to interfaces and adds "flags S/SA" to
       policy rules that keep state.
     * This release significantly improves the optimizer for iptables and adds
       an automatically generated rule to block packets that correspond to the
       INVALID state.
     * The built-in policy installer can compress the firewall policy script
       before it is installed in flash memory on a Linksys/Sveasoft firewall;
       this allows a much larger policy to be used on Linksys. Script
       compression is optional.
     * The built-in policy installer can be used to test new policy rules with
       automatic roll-back to the previous version of the policy after a
       specified interval of time. This feature helps to work around errors
       in the policy that block access to the firewall from the management
       workstation.

Caveats

   The new version (as of build 421) completely changes the way it loads and
   activates the firewall script on Linksys. The old version put the whole
   script in the variable rc_firewall. The new one puts the script in the
   variable fwb and puts a one-line command in rc_firewall that reads the
   script from fwb and executes it. This was done because the script needs to
   be uncompressed when Linksys executes the command stored in rc_firewall;
   in other words, rc_firewall needs to be a little script that uncompresses
   and runs the main firewall script. This is why the scripts were separated
   and rc_firewall has changed compared to previous versions of fwbuilder.

   Reverting from v2.0.3 (build 421 and later) to v2.0.2 requires you to
   erase the nvram variable "fwb", which holds the whole script in the new
   builds.

New features in the built-in policy installer

     * added an option for a test run. When this option is activated, the
       policy script is pushed to the firewall and executed but is not stored
       there permanently. The firewall reverts to the last working
       configuration after reboot.
     * implemented compression of the firewall script for the Linksys/Sveasoft
       combo, using gzip and uuencode/uudecode to compress the script and
       store it in the flash variable 'fwb'. The installer prints flash memory
       stats after committing changes. The installer uses scp to copy the
       firewall script to the firewall and an autogenerated prompt to detect
       when it has logged in; it does not depend on the Linksys shell prompt
       anymore.
     * added an option to schedule an automatic firewall reboot a specified
       time (in minutes) after policy activation. This option is available
       for all firewall platforms but PIX. It only works if the user
       requested policy activation in test mode, in which case the policy is
       copied and activated on the firewall but not stored in the permanent
       location. After reboot the firewall reverts to the previous version of
       the policy. To cancel the scheduled reboot, run the installer again
       with the "test run" option turned off: the installer then stores the
       policy in the permanent location, activates it and cancels the
       scheduled reboot. The commands used to schedule the reboot and cancel
       it depend on the host OS of the firewall. On Linux it uses
       "shutdown -r +NN" and "shutdown -c". On *BSD systems it uses
       "shutdown -r +NN" and a combination of ps and awk to find and kill
       shutdown when the reboot is canceled. On Linksys the installer uses
       "reboot" and kills it with "killall".
     * All manipulations that the installer does on the firewall are
       programmed as little one-line scripts stored in a resource file for
       each supported OS the firewall may run. These are in
       /usr/share/fwbuilder/os on Linux/*BSD or in C:\FWBuilder\resources\os
       on Windows. Users can hack the commands in these files to make the
       installer work with a host OS that is not supported by default.
       Currently the GUI only looks for the OS-specific resource files in the
       system-wide directory. Future versions will also look in a predefined
       directory in the user's home; the directory path is to be defined
       later.
     * Added an option "output file name" to the firewall settings dialogs for
       all platforms. The user can specify the name for the output file; this
       name is then used by the built-in installer in place of the macro
       %FWSCRIPT%.
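The Linksys/Sveasoft packing scheme described in the caveats and in the installer notes above (compressed script stored in the nvram variable fwb, one-line rc_firewall that unpacks and runs it), as an added example that is not fwbuilder's own installer code. It assumes base64 in place of the uuencode/uudecode the installer uses, and since the page does not show the exact one-liner fwbuilder writes to rc_firewall, the form shown here is a guess.

```shell
#!/bin/sh
# Added example, not fwbuilder's installer code: pack a policy script for the
# Linksys/Sveasoft nvram variable "fwb" as the release notes describe, and
# build the one-line rc_firewall that unpacks and runs it. Assumed: base64
# replaces uuencode/uudecode, and the rc_firewall one-liner's form is a guess.

# Compress and encode a script into one long line suitable for an nvram value.
pack_policy() {
    gzip -9 -c "$1" | base64 | tr -d '\n'
}

# Inverse of pack_policy: encoded text on stdin, original script on stdout.
unpack_policy() {
    base64 -d | gzip -dc
}

# The small command stored in rc_firewall (hypothetical form).
rc_firewall_cmd() {
    printf '%s\n' 'nvram get fwb | base64 -d | gunzip | sh'
}

# Return 0 when the encoded value ($1) fits the nvram budget in bytes ($2).
fits_nvram() {
    [ "$(printf '%s' "$1" | wc -c | tr -d ' ')" -le "$2" ]
}

# Return 0 when unpacking $2 reproduces the file $1 byte for byte.
roundtrip_ok() {
    [ "$(printf '%s' "$2" | unpack_policy | cksum)" = "$(cksum < "$1")" ]
}

# Demo on a constructed policy script of 60 similar rules (the repetition a
# generated script has, which gzip compresses well). Prints both sizes and
# returns 0 only if the round trip is exact and the result fits 4096 bytes.
demo_linksys_pack() {
    script=$(mktemp) || return 1
    i=1
    while [ "$i" -le 60 ]; do
        echo "iptables -A INPUT -s 10.0.$i.0/24 -p tcp --dport 22 -j DROP"
        i=$((i + 1))
    done > "$script"
    packed=$(pack_policy "$script")
    printf 'script %s bytes, packed %s bytes\n' "$(wc -c < "$script" | tr -d ' ')" \
        "$(printf '%s' "$packed" | wc -c | tr -d ' ')"
    rc=1
    roundtrip_ok "$script" "$packed" && fits_nvram "$packed" 4096 && rc=0
    rm -f "$script"
    return "$rc"
}
```

Run `demo_linksys_pack` after sourcing the file to see the size reduction on the constructed script; on a real unit the packed value would be written with nvram set and committed as the installer does.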

New features in policy compiler for iptables

     * implemented feature request #1023430: "add checkbox for INVALID
       support in fw settings". Added two checkboxes to the firewall settings
       dialog: one adds a rule to drop INVALID packets and another adds
       logging to the rule.
     * Rules that permit packets associated with the ESTABLISHED,RELATED
       states have been moved to the beginning of the script, before the NAT
       rules.
     * bug #1022216: "negated time produces incorrect iptables rule".
       Implemented negation for the "Time" rule element for iptables.
     * Using abbreviated versions of the "--dport", "--sport", "--dports" and
       "--sports" options to make the generated iptables script smaller. Also
       changed the name of the variables used to hold the IP address of a
       dynamic interface from "interface_<ifname>" to "i_<ifname>". All this
       should help to fit larger policies into the small flash on Linksys.
       These changes shrunk my test script from 7964 bytes to 7430 bytes.
     * Generated iptables script flushes only secondary ip addresses on
       interfaces during initialization phase if option "configure
       interfaces" is on. This should fix a bug that caused linksys/sveasoft
       unit to lose default route upon reboot if external interface has
       static IP address.
     * Generated script checks if /usr/sbin/ip exists on the firewall before
       it tries to use it to verify interfaces and configure IP addresses.
       This check is only performed if user activated options that use this
       tool. An error message "Interface eth0 does not exist" was generated
       if package iproute2 was not installed on the firewall, which was
       confusing.
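The iptables behaviours listed above, as an added example written in the shape of a generated script (it is not code fwbuilder emits): the ESTABLISHED,RELATED rule ahead of everything else, the INVALID rule with its logging checkbox, the flush of secondary addresses only, and the check for /usr/sbin/ip that runs only when an option needing it is on. The option variable names and the dry-run convention are assumptions of this example.

```shell
#!/bin/sh
# Added example in the shape of a generated iptables script; it is not code
# fwbuilder emits. It shows the behaviours listed above: the ESTABLISHED,RELATED
# rule first, the optional INVALID drop rule with optional logging, and a test
# for /usr/sbin/ip that runs only when "configure interfaces" is on. Assumed:
# the option variable names are ours, and IPTABLES/IP may be set to "echo ..."
# for a dry run that prints the commands instead of executing them.

IPTABLES="${IPTABLES:-iptables}"
IP="${IP:-/usr/sbin/ip}"
DROP_INVALID="${DROP_INVALID:-1}"        # checkbox: drop INVALID packets
LOG_INVALID="${LOG_INVALID:-0}"          # checkbox: log them before dropping
CONFIGURE_INTERFACES="${CONFIGURE_INTERFACES:-0}"

# Complain about a missing ip(8) only when an option that needs it is on,
# so hosts without iproute2 do not get a confusing "interface does not exist".
check_ip_tool() {
    [ "$CONFIGURE_INTERFACES" = "1" ] || return 0
    if [ ! -x "$IP" ]; then
        echo "$IP not found: install iproute2 or turn off 'configure interfaces'" >&2
        return 1
    fi
}

# Flush only secondary addresses, so a static primary address (and the
# default route that depends on it) survives the initialization phase.
flush_secondary_addresses() {
    [ "$CONFIGURE_INTERFACES" = "1" ] || return 0
    for ifc in "$@"; do
        $IP addr flush dev "$ifc" secondary
    done
}

# State rules: permit ESTABLISHED,RELATED before anything else, then
# handle INVALID according to the two checkboxes.
state_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    [ "$DROP_INVALID" = "1" ] || return 0
    for chain in INPUT OUTPUT FORWARD; do
        if [ "$LOG_INVALID" = "1" ]; then
            $IPTABLES -A "$chain" -m state --state INVALID -j LOG \
                --log-prefix "INVALID state: "
        fi
        $IPTABLES -A "$chain" -m state --state INVALID -j DROP
    done
}
```

A dry run such as `IPTABLES="echo iptables" LOG_INVALID=1 sh -c '. ./fw.sh; state_rules'` prints the rules in the order they would be appended, which is the quickest way to confirm the ESTABLISHED,RELATED rule lands first.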

New features in policy compiler for PF

     * A NAT rule of type DNAT (rdr rule) is assigned to an interface of the
       firewall if interface object or its address object is used in ODst. To
       get rdr rule without interface assignment, use an Address or a Host
       object that has the same IP address as that of firewall's interface
       but that is not a child of an interface. This is the same approach
       that is used in iptables.
     * The compiler for pf always uses tables; this breaks compatibility with
       older OpenBSD systems (3.2 and 3.3).
     * The compiler for pf puts the interface name in a table for rules that
       use multiple objects in src or dst when one of these objects is a
       dynamic interface of the firewall being processed. Using a dynamic
       interface of another object in a rule is still considered an error.
       The compiler puts the name of the dynamic interface in the table
       verbatim, without brackets '(' ')', since pf does not replace a dynamic
       interface with its address dynamically if it is used in a table (pfctl
       issues an error if the interface is put in brackets).
     * added an option to permit tcp sessions opened prior to firewall
       restart. This is needed now since compiler generates "flags S/SA" for
       the "keep state" and "modulate state" rules which means firewall won't
       permit TCP sessions unless it saw opening SYN packet.
     * bug #1028973: fwb_pf: missing "flags S/SA" in front of "modulate
       state". Compiler adds "flags S/SA" to policy rules that use either
       "keep state" or "modulate state" options.
     * bug #1028980: "need an option to turn logging on on fallback rule".
       Option has been added.

Bugs fixed in libfwbuilder API:

     * bug #1022788: "GUI corrupts XML file after creating a second
       firewall". The global object ID counter was getting reset every time a
       new FWObjectDatabase object was created. This led to ID collisions if
       the user quickly created and deleted complex objects (such as a
       Firewall) and used database merge. This should also fix bug #1022785:
       "GUI corrupts XML file after creating a host entry".
     * fixed bug (no number): all references to the interfaces, as well as
       their IP and MAC addresses, in policy and NAT rules should be replaced
       when Firewall object is duplicated. Until now only references to the
       firewall object itself and to its interfaces were replaced with
       references to the newly created copies of object. References to IP and
       MAC addresses still pointed at the old objects.

Bugs fixed in GUI:

     * bug (no number): after deleting a library, firewall objects that belong
       to it were not removed from the pull-down list.
     * bug #1026945: '"Save As" does not work if current file is in RCS'
     * bug #1028078: "options.png is not displayed for "Assume firewall is
       part..."
     * bug #1035132: "compile errors with default Linksys firewall object".
       This bug was introduced in build 435. When the user created a new
       firewall object using one of the template objects, the GUI would add a
       bunch of garbage to the firewall options. This garbage violated the XML
       DTD, so the compilers and the GUI would not accept the data file
       anymore.
     * bug #1035130: 'Persistent "Save" dialog box'. Certain combination of
       actions on user's part used to lead to an indefinite loop of "do you
       want to save the data" dialogs. The problem was triggered if user
       skipped choosing a name for the new file in startup dialog.

Bugs fixed in iptables policy compiler fwb_ipt:

     * bug #1024861: "optimizer is broken in fwb_ipt". Used an idea and a
       patch by Mark Vevers <mark@vevers.net>. The fixed compiler fwb_ipt
       generates a more efficient iptables script for rules with multiple
       objects in all rule elements. The script is smaller and eliminates
       unnecessary comparisons of packet attributes. Every attribute (i.e.
       source address, destination address, protocol and port numbers) is
       checked by the script only once. This should help reduce the load on
       firewalls with lots of complex rules.
     * bug #1026509: "incorrect rules generated for dual negation with time".
       Compiler generated incorrect iptables commands for rules that had
       negation in two or more rule elements, one of which was Time.
     * bug #1026794: multiple SRC ntwks --> "iptables: invalid argument".
       Recent changes in optimizer introduced this bug. Rules with multiple
       objects in src or dst, TCP service, action Reject and option "reject
       with TCP RST" would generate iptables command that used option
       "--reject-with tcp-reset" without "-p tcp".

Bugs fixed in PF policy compiler fwb_pf:

     * bug #1006906: "Negated network causes pass on network". The compiler
       for pf uses the native negation syntax that is now available in pf.
     * bug (no num): "firewall settings" dialog for OpenBSD pf did not save
       option "Use tables". Since compiler is always using tables, this
       option was removed from the dialog.

     ----------------------------------------------------------------------

   Last modified: Thu Sep 30 20:16:23 PDT 2004 
