[fwbuilder-commits] [SCM] Firewall Builder GUI and Policy Compilers Open Source Code branch, v4_1, updated. d782d648ec8dc048e773aee20f76519318cb5ac9

[<gi...@ir...>]

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Firewall Builder GUI and Policy Compilers Open Source Code".

The branch, v4_1 has been updated
       via  d782d648ec8dc048e773aee20f76519318cb5ac9 (commit)
      from  82ae242fae717c145ea79870f17eac3d4a6ce79e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d782d648ec8dc048e773aee20f76519318cb5ac9
Author: Vadim Kurland <va...@ne...>
Date:   Thu Nov 11 17:17:20 2010 -0800

    release notes 4.1.3  fixed #1839

diff --git a/src/res/help/en_US/release_notes_4.1.3.html b/src/res/help/en_US/release_notes_4.1.3.html
new file mode 100644
index 0000000..8502cc2
--- /dev/null
+++ b/src/res/help/en_US/release_notes_4.1.3.html
@@ -0,0 +1,346 @@
+
+<h1>Firewall Builder 4.1.3 Release Notes</h1>
+
+<p>
+</p>
+
+<p>
+  <a href="https://sourceforge.net/tracker/?atid=1129518&group_id=5314">SourceForge: Tickets for V4</a>
+</p>
+
+<p>
+</p>
+
+<p>
+  v4.1.3 has been tested, and we believe it to be ready for production
+  use, but if you do find a bug or issue please let us know.
+</p>
+
+<a name="gui"></a>
+<h2>GUI Updates</h2>
+
+<ul>
+
+  <li>
+    <p>
+      see #1823 "Add Preference option for Advanced / Power users".
+      Added checkbox to the Preferences dialog, this checkbox turns
+      off some tooltips that can be annoying for users who are
+      sufficiently familiar with the GUI
+    </p>
+  </li>
+
+  <li>
+    <p>
+      see #1787 "new fw name input field should have focus when new
+      firewall wizard opens"
+    </p>
+  </li>
+
+  <li>
+    <p>
+      code refactoring: see #1822 "refactor all GUI classes into
+      libgui library and link executable with it"
+    </p>
+  </li>
+
+  <li>
+    <p>
+      code refactoring: see #1826 "Please place all unit tests in one
+      directory". All GUI and other unit tests moved to the
+      directory src/unit_tests
+    </p>
+  </li>
+
+
+  <li>
+    <p>
+      see #1809 "Add Firewall Setting in Logging settings for default
+      log setting on new rules". Added a tab "Policy Rule" to the
+      "Objects" page of the global preferences dialog; checkbox in
+      this tab allows the user to choose whether new policy rules
+      should be created with logging turned on or off.
+    </p>
+  </li>
+
+  <li>
+    <p>
+      See #1832, SF bug 3097419 "installer uses bare IP address
+      instead of putty session name". It appears pscp.exe on Windows
+      can use putty session name in place of the host name. This
+      change restores old behavior where session name was used like
+      that but does it for both plink.exe and pscp.exe. This only
+      affects users who run fwbuilder GUI on Windows
+    </p>
+  </li>
+
+  <li>
+    <p>
+      fixed #1837 "generated script gets .fw suffix even when user set
+      output file name". Suffix .fw should not be appended to the name
+      entered by the user in the "output file name" input field in the
+      firewall settings dialog.
+    </p>
+  </li>
+
+  <li>
+    <p>
+    </p>
+  </li>
+
+  <li>
+    <p>
+    </p>
+  </li>
+
+  <li>
+    <p>
+    </p>
+  </li>
+
+  <li>
+    <p>
+    </p>
+  </li>
+
+  <li>
+    <p>
+    </p>
+  </li>
+
+  <li>
+    <p>
+    </p>
+  </li>
+
+
+</ul>
+
+
+<a name="std_lib"></a>
+<h2>Changes and improvements in the library of standard objects</h2>
+
+<ul>
+  <li>
+    <p>
+      added ICMPv6 object "parameter problem" (type 4, any code) per
+      SF feature request 3094743.  Also added service group object
+      "ipv6 unreachable messages" that includes ICMPv6 messages
+      "destination unreachable", "packet too big", "parameter problem"
+      and "time exceeded" per SF feature request 3094758
+    </p>
+  </li>
+</ul>
+
+
+<a name="iptables"></a>
+<h2>Changes in support for iptables</h2>
+
+<ul>
+  <li>
+    <p>
+      fix for the SF bug #3095615 "reopen no PREROUTING rule with
+      *-Interface - ID: 3077132". Configlet used wrong shell variable
+      to access ip address of a wildcard interface.
+    </p>
+  </li>
+
+  <li>
+    <p>
+      fixed #1820 "skip module "nf_conntrack_ipv6" if generated script
+      has no ipv6 rules" Shell function load_modules should not try to
+      load module nf_conntrack_ipv6 if generated script does not load
+      any ipv6 rules. Loading this module fails if ipv6 has been
+      disabled in the kernel.
+    </p>
+  </li>
+
+  <li>
+    <p>
+      fixed SF bug 3091069: "Routing configuration failed". Iptables
+      script generated by fwbuilder did not configure broadcast when
+      it added ip addresses to interfaces. Using "ip addr add ADDR/NM
+      boradcast + dev INTF" syntax to do this.
+    </p>
+  </li>
+
+  <li>
+    <p>
+      implemented SF feature request 3094738 "Set the HL to 255 for
+      IPv6 Neighbor Discovery". Neighbor discovery packets must have
+      hop limit of 255 per RFC 2461. Automatically generated rules
+      that match neighbor discovery packets will math hooplimit 255.
+    </p>
+  </li>
+
+  <li>
+    <p>
+      fixed SF bug 3094273 "no state needed for ipv6-icmp in
+      ip6tables". Rules that match ICMPv6 objects should be
+      stateless. Compiler will check for this and reset "stateful"
+      flag of a rule and issue warning if the rule was built stateful
+      in the GUI. This could be version-dependent, we may need to
+      revisit this in the future when netfilter fixes the underlying
+      issue. Some resources:
+      https://bugzilla.redhat.com/show_bug.cgi?id=243739
+      https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/479105
+    </p>
+  </li>
+
+  <li>
+    <p>
+      fixed SF bug 3090249 "fwb_ipt ignores -d option ". Documented
+      behavior is for the compiler to create files in the directory
+      specified by the argument of the "-d" command line flag. If flag
+      "-d" is not provided, files should be created in the current
+      directory.
+    </p>
+  </li>
+
+  <li>
+    <p>
+      fixed #1824 "should not try to verify wildcard interfaces".
+    </p>
+  </li>
+
+  <li>
+    <p>
+      fixed #1838 "function configure_interfaces() does not manage ip
+      addresses of vlan interfaces". This function used to take into
+      account only interfaces that were direct children objects of the
+      firewall. Since vlan interfaces are children of the
+      corresponding physical interface, they were not included.
+    </p>
+  </li>
+
+  <li>
+    <p>
+      fixed SF bug 3103582 "Cant create redirect rule in cluster
+      firewall object".  Iptables nat rule with target REDIRECT could
+      not be built in a cluster configuration. It should be possible
+      to do this by putting cluster object in Translated Destination.
+    </p>
+  </li>
+
+  <li>
+    <p>
+    </p>
+  </li>
+
+  <li>
+    <p>
+    </p>
+  </li>
+
+  <li>
+    <p>
+    </p>
+  </li>
+
+</ul>
+
+
+
+<a name="pf"></a>
+<h2>Support for PF</h2>
+
+<ul>
+  <li>
+    <p>
+      fixed #1807 "wrong order of address assignment in the generated
+      OpenBSD/PF/CARP cluster configuration". Need to assign ip
+      addresses to regular interfaces before trying to assign them to
+      carp interfaces.
+    </p>
+  </li>
+</ul>
+
+
+
+<a name="ipf"></a>
+<h2>Support for ipfw</h2>
+
+<ul>
+  <li>
+    <p>
+      fixed #1836 "installer hangs and fails after activation of ipfw
+      policy".  As soon as .fw script swapped ipfw sets usig command
+      "ipfw sawp" and deleted temporary set 1, ssh session would hang
+      and eventually break. We optionally add ipfw rules to permit ssh
+      session used to manage the firewall, as well as a rule to permit
+      reply packets but the latter rule was not built correctly. It
+      should match source and destination reversed, as well as match
+      keyword "established" and recreate state with "keep-state". This
+      rule automatically recreates state for the established ssh
+      session over which firewall policy is being managed. Also added
+      a comment to the firewall settings dialog for ipfw to remind the
+      user that address or subnet they use with this automatic rule
+      should be as narrow as possible.
+    </p>
+  </li>
+</ul>
+
+
+
+<a name="ios"></a>
+<h2>Changes in support for for Cisco IOS ACL</h2>
+
+<ul>
+  <li>
+    <p>
+      see #1834 Fixed matching algorithm that determins which
+      interface a rule should be associated with for Cisco IOS
+      ACLs. Previously compiler did not compare subnets properly and
+      because of that it interpreted some configurations
+      incorrectly. For example in the case with a network object
+      10.0.0.0/8 in "source" and an interface with address 10.0.0.1/24
+      (network should not be considered matching) compiler considered
+      this interface matching and assigned the rule to the interface
+      only with direction "inbound".
+    </p>
+  </li>
+</ul>
+
+
+
+
+<a name="pix"></a>
+<h2>Changes in support for for Cisco ASA (PIX)</h2>
+
+<ul>
+  <li>
+    <p>There are no changes in the support for ASA in this release
+    </p>
+  </li>
+
+  <li>
+    <p>
+    </p>
+  </li>
+
+  <li>
+    <p>
+    </p>
+  </li>
+
+</ul>
+
+
+
+
+<a name="procurve"></a>
+<h2>Support for HP ProCurve</h2>
+
+<ul>
+  <li>
+    <p>There are no changes in the support for HP ProCurve in this release
+    </p>
+  </li>
+
+
+</ul>
+
+
+
+
+

-----------------------------------------------------------------------

Summary of changes:
 src/res/help/en_US/release_notes_4.1.3.html |  346 +++++++++++++++++++++++++++
 1 files changed, 346 insertions(+), 0 deletions(-)
 create mode 100644 src/res/help/en_US/release_notes_4.1.3.html


hooks/post-receive
-- 
Firewall Builder GUI and Policy Compilers Open Source Code