                        Firewall Builder Release Notes

Version 2.0

   Released 07/28/04
   GUI and compilers v2.0 require API library libfwbuilder version 2.0

Summary

   Firewall Builder GUI v2.0 has been completely rewritten using QT

   For those who wish to build from source, instructions are outlined in
   "Install and Build instructions"

What's new

   The GUI has been rewritten from scratch. The new GUI is based on QT 3.x.
   It has been tested with Qt v3.1.1, 3.2.3 and 3.3.1. We build on RedHat
   9.0, Mandrake 10, SuSE 9.1, FreeBSD 5.2 using QT packages that come with
   these systems.

   The GUI has been redesigned to address problems known to exist in the
   fwbuilder 1.1.x user interface:

     * Speed improvements in the GUI. A firewall policy that consists of
       1000 rules renders just as fast as a policy that has only 10 rules.
       The GUI has actually been tested with 1000-rule policies.
     * The object tree is not synchronized with the firewall policy view.
       Selecting an object in the tree does not immediately open it in the
       right-hand panel of the main window. The right-hand panel is
       dedicated to the policy view and always shows the policy or NAT rules
       of the firewall selected in the pull-down menu above it. Editing of
       all objects is done in a separate floating editor window that can be
       kept open at all times.
     * Properties of an object selected in the tree or in any rule are
       shown in the information panel under the tree. The size of the panel
       can be changed; the panel has three modes of operation: a) hidden,
       b) showing only the comment associated with the selected object,
       c) showing its parameters and comment. The user can choose the mode
       by clicking on the toolbar button under the information panel.
     * "Find object" function finds objects by their name in the tree, in
       groups and in rules. Regular expressions are recognized.
     * Built-in version control based on RCS provides for a simple way to
       track changes.
     * Data file can be opened read-only for inspection. If the file is
       checked out and locked by a different user, it can only be opened
       read-only.
     * Data file can be given on the command line without "-f" switch. The
       "-f" is also supported for backwards compatibility.
     * The program does not make copies of standard objects in user data
       file anymore (per Feature Request #810504 "'Standard' definitions
       should not be saved" )
     * Users can create and distribute their own libraries of objects. The
       GUI allows for objects to be exported to external library file with
       extension .fwl and imported from such file.
     * Objects in the 'Standard' objects library, as well as objects in
       libraries imported from external files, are read-only
     * Added an option for autosave - if this option is turned on, the GUI
       periodically saves data to the file. The autosave interval can be
       set between 1 minute and 2 hours.
     * The GUI detects collisions between objects when an external library
       is imported. A collision is detected when any attribute of an object
       in the tree differs from that attribute in the object with the same
       unique ID in the file being imported. Some old data files may
       trigger collisions because of subtle differences in comments.
     * Whenever user changes the name of a firewall, host or an interface
       object, the GUI asks whether they want to also rename all IP and MAC
       addresses that belong to that firewall or host. If user agrees to
       rename them, the program generates names automatically using scheme
       'host_name:interface_name:ip' and 'host_name:interface_name:mac'
     * Deleted objects are moved to a special library and can be recovered
       with "Undelete" operation
     * Rules can be color-labeled in all policies.
     * Window size and position is remembered across multiple sessions for
       all dialogs.
     * Two modes of drag-and-drop of objects in policy and NAT rules:
       dragging of an object moves it; dragging of an object with Ctrl key
       pressed copies it
     * Multiple objects can be selected in the tree. Operations such as
       duplication, moving between libraries, copy/paste can be performed
       on multiple selected objects
     * Multiple rules can also be selected for operations such as moving,
       deleting, copy/paste, setting colors
     * A collection of firewall template objects comes in a separate XML
       file with the package. You can create a new firewall object using
       one of these templates. This replaces the "help me build firewall"
       wizard.
     * The "Help me build firewall policy" wizard was phased out and
       replaced with firewall templates. The template library will be
       extended in the future releases.
     * The GUI has a built-in installer that uses an external ssh client to
       communicate with the firewall. The installer has a simple GUI
       interface and works on both Linux and Windows (it uses putty or
       SecureCRT on Windows). The external install script fwb_install is no
       longer needed.
     * An option has been added to firewall platforms iptables, ipfilter,
       pf and ipfw that sets up a policy rule to permit ssh access from one
       specified IP address to the firewall regardless of other rules. This
       is for backup ssh access from the management workstation in case of
       an error in the policy that locks the user out of the firewall. The
       option (a checkbox and entry field for the management station
       address) is located in the "Compiler" tab of the firewall settings
       dialog. A command that permits ssh to the firewall from the given
       address is added on top of all other rules.
     * Packages for Windows 2000, Windows XP and Mac OS X will be
       distributed under a different license.
     * The build process is based on qmake and uses autoconf sparingly.
       Libtool is not used at all.
     * Internationalization is done using gettext 0.14.1 which supports QT
       .qm files
     * Reasonably complete French translation is provided.
     * Object names and comments are stored in the object file in UTF-8
       format. This allows for names and comments to be entered and
       displayed in local languages. Although object names can be
       localized, it is recommended to keep firewall names in plain ASCII
       because compilers do not support UTF-8 yet. This fixes very old bug
       #657156: "Special characters problem".
     * Code compiles with gcc 3.4

New firewall platforms and new features that apply to all platforms:

     * Added support for Linksys devices running Sveasoft firmware.
       Firewall object should be configured as platform "iptables", host OS
       "linksys". Policy installer works both using password and public key
       authentication.
     * Added an option to firewall platforms iptables, ipfilter, pf and
       ipfw that sets up a policy rule to permit ssh access from one
       specified IP address to the firewall regardless of other rules. This
       is for backup ssh access from the management workstation in case of
       an error in the policy that locks the user out of the firewall. The
       option (a checkbox and entry field for the management station
       address) is located in the "Compiler" tab of the firewall settings
       dialog. A command that permits ssh to the firewall from the given
       address is added on top of all other rules.
     * Added attribute 'lastModified' to element FWBObjectDatabase in the
       DTD. This attribute holds the time of the last modification done to
       any object in the database (GMT). Added support for this attribute in
       class FWObjectDatabase. This attribute is implied (optional).

     --------------------------------------------------------------------

Bugs fixed in libfwbuilder API:

     * Fixed a bug that appeared only when used with libxml2 2.6.6 and
       libxslt 1.0.33 - '*Group' elements were not converted properly
       (losing all child elements). It worked on RH 9 with libxml2 2.5.4
       and libxslt 1.0.27. The fix was tested with libxml2 2.6.6 and libxslt
       1.0.33 on Fedora C1.
     * Method Firewall::duplicate replaces references to the firewall, its
       interfaces as well as IPv4 and physical addresses of the interfaces
       in all rule sets with references to the copies of corresponding
       objects. Now firewall created from another one using 'duplicate'
       does not reference interfaces or addresses that belong to the
       original firewall object.
     * bug #950857: "Incorrect conversion of address range" - address range
       that consisted of two IP addresses was converted to a set of
       networks incorrectly.
     * bug that occurred on big endian architectures (e.g. Macintosh)
       because of incorrect usage of preprocessor directives to check
       BYTE_ORDER. This bug caused incorrect address arithmetic.
     * bug #906709: "A dynamic interface". Dynamic interface used to
       "shadow" old broadcast object (0.0.0.0)

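   Bug #950857 above concerns the conversion of an address range into the
   set of CIDR networks that covers exactly the same addresses. The
   following Python block is an added illustration of that conversion, not
   libfwbuilder code: it greedily takes, at the current start address, the
   largest block that is both aligned on its own size and still inside the
   range, and cross-checks the result against the standard library. The
   function names and sample ranges are constructed for this example.

```python
import ipaddress


def range_to_networks(first, last):
    """Convert the inclusive IPv4 range first..last into the minimal list of
    CIDR networks (as strings) covering exactly those addresses."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is after range end")
    networks = []
    while start <= end:
        # Grow the block as long as the start stays aligned on the block
        # size and the block's last address does not leave the range.
        host_bits = 0
        while host_bits < 32:
            size = 1 << (host_bits + 1)
            if start % size != 0 or start + size - 1 > end:
                break
            host_bits += 1
        networks.append(f"{ipaddress.IPv4Address(start)}/{32 - host_bits}")
        start += 1 << host_bits
    return networks


def matches_stdlib(first, last):
    """True when the hand-written conversion agrees with the standard library's
    ipaddress.summarize_address_range for the same range."""
    expected = [
        str(net)
        for net in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        )
    ]
    return range_to_networks(first, last) == expected


if __name__ == "__main__":
    # Constructed sample ranges: two addresses that form one /31, two that
    # cannot be merged, and an arbitrary range that needs several blocks.
    for first, last in [("10.0.0.0", "10.0.0.1"),
                        ("192.168.1.1", "192.168.1.2"),
                        ("172.16.5.3", "172.16.9.200")]:
        print(first, "-", last, "->", range_to_networks(first, last),
              "stdlib agrees:", matches_stdlib(first, last))
```

   The two-address cases show the distinction the bug was about: 10.0.0.0
   through 10.0.0.1 is a single aligned /31, while 192.168.1.1 through
   192.168.1.2 straddles a /31 boundary and has to stay two /32 networks.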
New features in iptables policy compiler fwb_ipt:

     * Feature Request #913273: make "assume fw is part of any" a per-rule
       option
     * Processing of policy rules where firewall object is used in src or
       dst with negation (possibly in combination with other objects) has
       been optimized. Before, generated script would match firewall's
       addresses in INPUT/OUTPUT and FORWARD chains which added redundant
       checks in the FORWARD chain.

Bugs fixed in iptables policy compiler fwb_ipt:

     * bug #956544: "Error into load modules script generation", where
       generated script would not load kernel modules with names
       "module.ko.gz". Regular expression should match on ".ko.*$" to find
       these modules properly. Thanks to Andrey Kaminsky <and@fao.lv> who
       pointed this out.
     * bug #934949: "duplicate rules". fwb_ipt created duplicate rules for
       a bridging firewall if fw object or its interfaces or their
       addresses were not in the source or destination
     * bug #912849: "Reorder activation of network interfaces in IPT" -
       script generated by the compiler for iptables sets default policy to
       DROP, flushes all rules and then reconfigures interfaces of the
       firewall (it used to reconfigure interfaces and then flush the
       rules).
     * bug #906709: "A dynamic interface". Dynamic interface used to
       "shadow" old broadcast object (0.0.0.0)
     * bug #979484: "improper command for rule with service any and action
       reject." For rules like that, and if rule options dialog does not
       specify particular way to handle this combination, the compiler
       splits the rule; the first iptables command rejects any tcp packet
       with TCP RST, while the second rejects everything else with ICMP
       message.
     * bug #917422: "compiler misinterprets interface with addr 0.0.0.0".
       If an interface has IP address "0.0.0.0", it is considered an error.
     * bug #978854: "false rule generated for fw object in interface rule".
       Policy compiler for iptables generated incorrect code for rules
       using negated firewall object in source or destination when global
       option "assume firewall is part of any" was turned off.
     * bug #925199: "compiles wrongly a double negation". Policy compiler
       for iptables generated incorrect code for rules where two rule
       elements used negation (i.e. both src and dst, or dst and srv, etc.)
     * bug #988860: "Logging missing when firewall start is aborted". When
       iptables script generated by fwb_ipt finds missing interfaces, it
       prints error message both on stdout and sends it to the log.
     * bug #965558: "False ruleset generated for iptables (negate w/ nat)".
       There were problems with double negations in NAT rules (OSrc and
       ODst, or ODst and OSrv, etc).
     * bugs #935794: "dual translation and negation in fwb_ipt" and
       #986376: "Wrong result for negated source in NAT rules". Dual
       translation rule with negation in OSrc did not process negation in
       the second half (POSTROUTING rule, the one that translates the
       source).
     * bug #990037: "Wrong rule generated: fw interface included in negated
       group". Rules with negation should not generate code in INPUT/OUTPUT
       chains if option "assume firewall is part of any" is off.
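   Two of the items above describe concrete shapes of the generated iptables
   script: the backup ssh rule that is emitted on top of all other rules
   (the "Compiler" tab option), and bug #979484, where a rule with service
   "any" and action "reject" has to be split in two because the TCP RST
   reject type is only valid for TCP. The following Python block is an added
   toy rule emitter written for this page, not fwb_ipt; the policy
   representation (dicts with chain/src/dst/service/action), the sample
   policy and the management address are constructed assumptions, and the
   ICMP reject type icmp-port-unreachable is iptables' default, which the
   release notes do not name explicitly.

```python
def backup_ssh_rule(mgmt_addr):
    """Rule permitting ssh to the firewall itself from the management station.
    The generated script flushes the chains first, so emitting this rule
    with -A before any policy rule places it on top of everything else and a
    later policy mistake cannot lock the administrator out."""
    return f"iptables -A INPUT -p tcp -s {mgmt_addr} --dport 22 -j ACCEPT"


def match_clause(rule):
    """Address part of a rule; '0.0.0.0/0' stands for 'any' and is omitted."""
    parts = []
    if rule["src"] != "0.0.0.0/0":
        parts.append(f"-s {rule['src']}")
    if rule["dst"] != "0.0.0.0/0":
        parts.append(f"-d {rule['dst']}")
    return " ".join(parts)


def service_clause(service):
    """'any' adds nothing; 'tcp/22' or 'udp/53' becomes -p/--dport options."""
    if service == "any":
        return ""
    proto, port = service.split("/")
    return f"-p {proto} --dport {port}"


def compile_rule(rule):
    """Return the list of iptables commands produced for one policy rule."""
    head = " ".join(part for part in (f"iptables -A {rule['chain']}",
                                      match_clause(rule),
                                      service_clause(rule["service"])) if part)
    action = rule["action"]
    if action == "accept":
        return [f"{head} -j ACCEPT"]
    if action == "deny":
        return [f"{head} -j DROP"]
    if action == "reject":
        service = rule["service"]
        if service == "any":
            # --reject-with tcp-reset is only accepted together with -p tcp,
            # so one rule that rejects *any* service becomes two commands:
            # TCP is answered with RST, everything else with an ICMP error.
            return [f"{head} -p tcp -j REJECT --reject-with tcp-reset",
                    f"{head} -j REJECT --reject-with icmp-port-unreachable"]
        if service.startswith("tcp/"):
            return [f"{head} -j REJECT --reject-with tcp-reset"]
        return [f"{head} -j REJECT --reject-with icmp-port-unreachable"]
    raise ValueError(f"unknown action {action!r}")


def compile_policy(rules, backup_ssh_from=None):
    """Emit the script body; the backup ssh rule, when enabled, goes first."""
    commands = []
    if backup_ssh_from is not None:
        commands.append(backup_ssh_rule(backup_ssh_from))
    for rule in rules:
        commands.extend(compile_rule(rule))
    return commands


# Constructed sample policy: reject everything sent to the firewall's own
# address, then permit web traffic from an internal network to anywhere.
SAMPLE_POLICY = [
    {"chain": "INPUT", "src": "0.0.0.0/0", "dst": "10.0.0.1",
     "service": "any", "action": "reject"},
    {"chain": "FORWARD", "src": "192.168.1.0/24", "dst": "0.0.0.0/0",
     "service": "tcp/80", "action": "accept"},
]

if __name__ == "__main__":
    for line in compile_policy(SAMPLE_POLICY, backup_ssh_from="192.168.1.10"):
        print(line)
```

   With the backup option enabled, the first command of the output is the
   ssh ACCEPT for 192.168.1.10, ahead of the reject rule that would
   otherwise cut off management access; the "any/reject" rule expands into
   the tcp-reset command followed by the catch-all ICMP reject.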

Bugs fixed in pf policy compiler fwb_pf:

     * bug (no number) where fwb_pf would not include code defined by
       custom service object in the .conf file
     * bug #985527: pf NAT rules miss destination port specification. NAT
       rules that translate to "map" missed destination port specification.
     * bug #986518: "PF redirection always point to loopback address"
