[fwbuilder-commits] [SCM] Firewall Builder GUI and Policy Compilers Open Source Code branch, v4_1,
From: <gi...@ir...> - 2010-11-12 01:25:11
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "Firewall Builder GUI and Policy Compilers Open Source Code". The branch, v4_1 has been updated via d782d648ec8dc048e773aee20f76519318cb5ac9 (commit) from 82ae242fae717c145ea79870f17eac3d4a6ce79e (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit d782d648ec8dc048e773aee20f76519318cb5ac9 Author: Vadim Kurland <va...@ne...> Date: Thu Nov 11 17:17:20 2010 -0800 release notes 4.1.3 fixed #1839 diff --git a/src/res/help/en_US/release_notes_4.1.3.html b/src/res/help/en_US/release_notes_4.1.3.html new file mode 100644 index 0000000..8502cc2 --- /dev/null +++ b/src/res/help/en_US/release_notes_4.1.3.html 
@@ -0,0 +1,346 @@ + +<h1>Firewall Builder 4.1.3 Release Notes</h1> + +<p> +</p> + +<p> + <a href="https://sourceforge.net/tracker/?atid=1129518&group_id=5314">SourceForge: Tickets for V4</a> +</p> + +<p> +</p> + +<p> + v4.1.3 has been tested, and we believe it to be ready for production + use, but if you do find a bug or issue please let us know. +</p> + +<a name="gui"></a> +<h2>GUI Updates</h2> + +<ul> + + <li> + <p> + see #1823 "Add Preference option for Advanced / Power users". + Added checkbox to the Preferences dialog, this checkbox turns + off some tooltips that can be annoying for users who are + sufficiently familiar with the GUI + </p> + </li> + + <li> + <p> + see #1787 "new fw name input field should have focus when new + firewall wizard opens" + </p> + </li> + + <li> + <p> + code refactoring: see #1822 "refactor all GUI classes into + libgui library and link executable with it" + </p> + </li> + + <li> + <p> + code refactoring: see #1826 "Please place all unit tests in one + directory". All GUI and other unit tests moved to the + directory src/unit_tests + </p> + </li> + + + <li> + <p> + see #1809 "Add Firewall Setting in Logging settings for default + log setting on new rules". Added a tab "Policy Rule" to the + "Objects" page of the global preferences dialog; checkbox in + this tab allows the user to choose whether new policy rules + should be created with logging turned on or off. + </p> + </li> + + <li> + <p> + See #1832, SF bug 3097419 "installer uses bare IP address + instead of putty session name". It appears pscp.exe on Windows + can use putty session name in place of the host name. This + change restores old behavior where session name was used like + that but does it for both plink.exe and pscp.exe. This only + affects users who run fwbuilder GUI on Windows + </p> + </li> + + <li> + <p> + fixed #1837 "generated script gets .fw suffix even when user set + output file name". 
Suffix .fw should not be appended to the name + entered by the user in the "output file name" input field in the + firewall settings dialog. + </p> + </li> + + <li> + <p> + </p> + </li> + + <li> + <p> + </p> + </li> + + <li> + <p> + </p> + </li> + + <li> + <p> + </p> + </li> + + <li> + <p> + </p> + </li> + + <li> + <p> + </p> + </li> + + +</ul> + + +<a name="std_lib"></a> +<h2>Changes and improvements in the library of standard objects</h2> + +<ul> + <li> + <p> + added ICMPv6 object "parameter problem" (type 4, any code) per + SF feature request 3094743. Also added service group object + "ipv6 unreachable messages" that includes ICMPv6 messages + "destination unreachable", "packet too big", "parameter problem" + and "time exceeded" per SF feature request 3094758 + </p> + </li> +</ul> + + +<a name="iptables"></a> +<h2>Changes in support for iptables</h2> + +<ul> + <li> + <p> + fix for the SF bug #3095615 "reopen no PREROUTING rule with + *-Interface - ID: 3077132". Configlet used wrong shell variable + to access ip address of a wildcard interface. + </p> + </li> + + <li> + <p> + fixed #1820 "skip module "nf_conntrack_ipv6" if generated script + has no ipv6 rules" Shell function load_modules should not try to + load module nf_conntrack_ipv6 if generated script does not load + any ipv6 rules. Loading this module fails if ipv6 has been + disabled in the kernel. + </p> + </li> + + <li> + <p> + fixed SF bug 3091069: "Routing configuration failed". Iptables + script generated by fwbuilder did not configure broadcast when + it added ip addresses to interfaces. Using "ip addr add ADDR/NM + boradcast + dev INTF" syntax to do this. + </p> + </li> + + <li> + <p> + implemented SF feature request 3094738 "Set the HL to 255 for + IPv6 Neighbor Discovery". Neighbor discovery packets must have + hop limit of 255 per RFC 2461. Automatically generated rules + that match neighbor discovery packets will math hooplimit 255. 
+ </p> + </li> + + <li> + <p> + fixed SF bug 3094273 "no state needed for ipv6-icmp in + ip6tables". Rules that match ICMPv6 objects should be + stateless. Compiler will check for this and reset "stateful" + flag of a rule and issue warning if the rule was built stateful + in the GUI. This could be version-dependent, we may need to + revisit this in the future when netfilter fixes the underlying + issue. Some resources: + https://bugzilla.redhat.com/show_bug.cgi?id=243739 + https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/479105 + </p> + </li> + + <li> + <p> + fixed SF bug 3090249 "fwb_ipt ignores -d option ". Documented + behavior is for the compiler to create files in the directory + specified by the argument of the "-d" command line flag. If flag + "-d" is not provided, files should be created in the current + directory. + </p> + </li> + + <li> + <p> + fixed #1824 "should not try to verify wildcard interfaces". + </p> + </li> + + <li> + <p> + fixed #1838 "function configure_interfaces() does not manage ip + addresses of vlan interfaces". This function used to take into + account only interfaces that were direct children objects of the + firewall. Since vlan interfaces are children of the + corresponding physical interface, they were not included. + </p> + </li> + + <li> + <p> + fixed SF bug 3103582 "Cant create redirect rule in cluster + firewall object". Iptables nat rule with target REDIRECT could + not be built in a cluster configuration. It should be possible + to do this by putting cluster object in Translated Destination. + </p> + </li> + + <li> + <p> + </p> + </li> + + <li> + <p> + </p> + </li> + + <li> + <p> + </p> + </li> + +</ul> + + + +<a name="pf"></a> +<h2>Support for PF</h2> + +<ul> + <li> + <p> + fixed #1807 "wrong order of address assignment in the generated + OpenBSD/PF/CARP cluster configuration". Need to assign ip + addresses to regular interfaces before trying to assign them to + carp interfaces. 
+ </p> + </li> +</ul> + + + +<a name="ipf"></a> +<h2>Support for ipfw</h2> + +<ul> + <li> + <p> + fixed #1836 "installer hangs and fails after activation of ipfw + policy". As soon as .fw script swapped ipfw sets usig command + "ipfw sawp" and deleted temporary set 1, ssh session would hang + and eventually break. We optionally add ipfw rules to permit ssh + session used to manage the firewall, as well as a rule to permit + reply packets but the latter rule was not built correctly. It + should match source and destination reversed, as well as match + keyword "established" and recreate state with "keep-state". This + rule automatically recreates state for the established ssh + session over which firewall policy is being managed. Also added + a comment to the firewall settings dialog for ipfw to remind the + user that address or subnet they use with this automatic rule + should be as narrow as possible. + </p> + </li> +</ul> + + + +<a name="ios"></a> +<h2>Changes in support for for Cisco IOS ACL</h2> + +<ul> + <li> + <p> + see #1834 Fixed matching algorithm that determins which + interface a rule should be associated with for Cisco IOS + ACLs. Previously compiler did not compare subnets properly and + because of that it interpreted some configurations + incorrectly. For example in the case with a network object + 10.0.0.0/8 in "source" and an interface with address 10.0.0.1/24 + (network should not be considered matching) compiler considered + this interface matching and assigned the rule to the interface + only with direction "inbound". 
+ </p> + </li> +</ul> + + + + +<a name="pix"></a> +<h2>Changes in support for for Cisco ASA (PIX)</h2> + +<ul> + <li> + <p>There are no changes in the support for ASA in this release + </p> + </li> + + <li> + <p> + </p> + </li> + + <li> + <p> + </p> + </li> + +</ul> + + + + +<a name="procurve"></a> +<h2>Support for HP ProCurve</h2> + +<ul> + <li> + <p>There are no changes in the support for HP ProCurve in this release + </p> + </li> + + +</ul> + + + + + ----------------------------------------------------------------------- Summary of changes: src/res/help/en_US/release_notes_4.1.3.html | 346 +++++++++++++++++++++++++++ 1 files changed, 346 insertions(+), 0 deletions(-) create mode 100644 src/res/help/en_US/release_notes_4.1.3.html hooks/post-receive -- Firewall Builder GUI and Policy Compilers Open Source Code |
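Review bot: The command keywords quoted in the iptables and ipfw entries are misspelled, and readers may copy them from the release notes. The SF bug 3091069 item gives the syntax as "ip addr add ADDR/NM boradcast dev INTF": "boradcast" should be "broadcast", and no broadcast address argument is shown between the keyword and "dev". The #1836 item says "ipfw sawp" where "swap" is meant. In the same hunk, "will math hooplimit 255" should read "will match hop limit 255", "usig" and "determins" are typos, and both Cisco headings say "support for for". The empty <li><p></p></li> placeholders left in the GUI Updates, iptables and Cisco ASA (PIX) lists will render as blank bullets and should be dropped. The ipfw section is anchored as <a name="ipf"> under the heading "Support for ipfw"; naming the anchor "ipfw" would match the heading. The "&" in the SourceForge tracker href should be written as "&amp;".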