                         Firewall Builder Release Notes

Version 2.1.12

   Released 06/24/2007
   GUI and compilers v2.1.12 require API library libfwbuilder version 2.1.12

Summary

   This release comes with support for Cisco IOS access lists and the ability
   to import existing iptables and IOS access list configurations. Multiple
   bug fixes are included as well.

   For those who wish to build from source, instructions are outlined in the
   document "Install and Build instructions" on our web site.

Support for Cisco IOS access lists

   The policy compiler for Cisco IOS access lists has been implemented as part
   of the Firewall Builder GUI as of version 2.1.12. The first functional build
   where the importer worked on all supported OSes was build 270 (May 22, 2007).

   Features implemented in this version:

     * The compiler generates extended ACLs using the "ip access-list extended"
       command. ACL names are automatically generated from abbreviated
       interface names and direction symbols, to make it easy to figure out
       which ACL is which. The compiler uses a rather minimal set of options of
       the "ip access-list" command and should generate code that will work for
       IOS 12.x. I did not test with 11.x, but I am pretty sure it will work,
       at least with the latest versions of 11.x.
     * The compiler can also add commands to configure logging.
     * The GUI includes a built-in installer for routers which works just like
       the installer for PIX. Both installers were updated to improve support
       for the automatic roll-back feature in case you lose the connection
       with the firewall or the router because of an error in the policy. Now
       you can make the installer schedule a reboot in a few minutes, then
       upload the new policy or ACLs and then cancel the reboot if the upload
       was successful. Before, the auto-rollback option was only available if
       you installed in test mode; now you can always use it. Test mode means,
       as before, that the installer does not save the configuration in
       permanent memory.
     * All three installation methods that were available for PIX are now
       available for routers: you can make it clear all access lists and then
       load new ones, or just update access lists without clearing. The last
       method (the "safety net" method) creates a temporary ACL that permits
       communication with the management station, assigns it to the interface
       marked as the management interface, then clears all access lists, loads
       the new ones and in the end swaps in the proper list on the management
       interface. This helps prevent locking yourself out of the router in the
       middle of the installation process in case of an error in the ACL, and
       at the same time does not leave the router with no ACLs for the time it
       takes to install the new policy. In combination with automatic
       roll-back, the installation process is pretty reliable.
     * A new option has been added to the interface object, called
       "unprotected". This allows you to mark some interfaces to be skipped
       by the compiler when it picks interfaces for ACL rules. This should be
       useful when you have routers with many interfaces and only want to add
       ACLs to some of them. Also, you can explicitly put interface objects
       into policy rules and specify the direction if you want to do this
       manually.
     * Since router ACLs have no state, all rules should be created in the
       policy pretty much like you do it on the router, including rules that
       permit reply packets. A new option has been added to the TCP Service
       object, called "established". This makes the compiler use the
       "established" option in the rules it generates if it is supported by
       the firewall platform. Compilers for iptables, ipfilter, pf and PIX can
       not use objects with this option and treat it as an error because the
       corresponding platforms do not support it. IPFW, on the other hand,
       supports it, so the compiler fwb_ipfw can use it.
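   The "safety net" install sequence with the reboot-based roll-back, as an
   added example that is not part of Firewall Builder's installer code: a
   small Python generator that emits the IOS commands in the order described
   above. Interface names, ACL names, the management station address and the
   temporary ACL name fwb_tmp_mgmt are constructed for the example.

```python
def safety_net_install(mgmt_iface, mgmt_station, new_acls, bindings,
                       reboot_minutes=5, test_mode=False):
    # new_acls: ACL name -> list of access-list entries; bindings: list of
    # (interface, ACL name, "in"/"out"). Returns the IOS commands in order.
    # "reload in" asks for confirmation on the router; the caller must answer it.
    tmp = "fwb_tmp_mgmt"  # constructed name for the temporary management ACL
    # 1. Roll-back timer: a policy that locks us out is undone by the reload.
    cmds = [f"reload in {reboot_minutes}", "configure terminal"]
    # 2. Temporary ACL keeps the management station reachable while lists change.
    cmds += [f"ip access-list extended {tmp}",
             f" permit ip host {mgmt_station} any", "exit",
             f"interface {mgmt_iface}", f" ip access-group {tmp} in", "exit"]
    # 3. Clear the old lists, then load the new ones.
    cmds += [f"no ip access-list extended {name}" for name in new_acls]
    for name, entries in new_acls.items():
        cmds += [f"ip access-list extended {name}"] + [" " + e for e in entries]
        cmds.append("exit")
    # 4. Bind the new lists; the management interface comes last so its proper
    #    ACL replaces the temporary one only after everything else is in place.
    for iface, acl, direction in sorted(bindings, key=lambda b: b[0] == mgmt_iface):
        cmds += [f"interface {iface}", f" ip access-group {acl} {direction}", "exit"]
    cmds += [f"no ip access-list extended {tmp}", "end"]
    # 5. Upload succeeded: cancel the pending reload. In test mode the running
    #    config is not saved, so a later reboot returns to the old policy.
    cmds.append("reload cancel")
    if not test_mode:
        cmds.append("write memory")
    return cmds
```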

   Shortcomings of this version:

     * "tos", "precedence" and "time-range" options are not supported
     * "igmp" access lists can not be generated

Policy import of iptables configurations (v2.1.12, build 281 and later)

   The policy importer has been implemented as part of the Firewall Builder
   GUI as of version 2.1.12. The first functional build where the importer
   worked on all supported OSes was build 270 (May 22, 2007).

   The policy importer uses an ANTLR lexer and parser (http://www.antlr.org/).
   ANTLR version 2.7.7 is used in Firewall Builder v2.1.12
   (http://www.antlr2.org/).

   Firewall Builder needs the ANTLR C++ runtime header files and library and
   includes these in the source tree under src/antlr. Unless you want to
   change the grammar (*.g files) you don't need to install ANTLR separately.
   All relevant ANTLR files are included in the package. For more information
   on ANTLR see: http://www.antlr2.org

   Features implemented in this version:

     * The importer can parse an iptables configuration saved using the
       iptables-save utility. Because of the huge variety of iptables modules,
       the importer can only interpret basic iptables configuration and a
       subset of modules. Currently the following modules are supported:

          * state
          * multiport
          * limit
          * mark

     * The importer creates a firewall object with all interfaces. It can not
       assign a name to the firewall object nor add IP and MAC addresses to
       interfaces because this information is not present in the
       iptables-save file.
     * The option "Assume firewall is part of 'any'" is off in the created
       firewall object. Import is done this way in order to preserve the logic
       of chains INPUT, OUTPUT and FORWARD in the recreated fwbuilder rules.
       Rules that had chain INPUT in the imported script will have the firewall
       object in "Destination" in the corresponding fwbuilder rules. The
       firewall object is placed in "Source" for rules with chain OUTPUT. For
       rules with chain FORWARD the rule elements "Source" and "Destination"
       are populated with objects created from options "-s" and "-d" of the
       original rules, or left empty ("any").
     * All recognized iptables rules are imported, and interface and direction
       are set in all rules appropriately. Interface objects are created as the
       parser finds them in the script.
     * Targets ACCEPT, DROP, REJECT, MARK and others are converted to the
       corresponding fwbuilder policy rule actions. Unrecognized targets are
       converted to branching rules, where the name of the target becomes the
       name of the branch.
     * SNAT, DNAT, MASQUERADING, REDIRECT and NETMAP targets and their
       parameters are recognized in the NAT rules.
     * Address and service objects are created in the process for all
       addresses and ports used in all rules.
     * iptables rules can refer to tcp/udp ports both by name and by number.
       The importer can properly interpret both formats, using the system
       function getservbyname() to convert a service name to the port number.
       Since the result of this function depends on the OS, some port names may
       not convert on some systems. For example, Windows can convert a more
       limited set of service names than Linux or BSD.
     * Targets LOG and ULOG are converted to the "logging" option in
       fwbuilder rules with action "Continue". This is an empty action that
       does not affect packet flow through the firewall but can be used in
       combination with the "logging" option to log the packet. If such an
       empty (logging-only) rule is undesired, it must be manually merged with
       some other rule in the policy.
     * "--log-prefix" and "--log-level" options of the LOG target are
       recognized.
     * The "--ulog-prefix" option of the ULOG target is recognized. Other
       options of the ULOG target are not.
     * Address and service objects are reused in the process of import.
     * In case the importer fails to parse some part of the iptables-save
       file, the corresponding policy rule is colored red and an appropriate
       diagnostic message is added to its comment. The problem must be
       corrected manually.
     * comments ("#") found inside access lists are ignored.
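   The mapping rules listed above, as an added example that is not the
   Firewall Builder importer: a small Python reader for the iptables-save
   subset described here (chain to firewall-object placement, supported
   modules, LOG/ULOG to "Continue" with logging, unknown targets to branches,
   named ports via getservbyname). SAMPLE is a constructed iptables-save
   fragment; the rule dictionaries and their keys are this example's own.

```python
import shlex
import socket
ACTIONS = {"ACCEPT": "Accept", "DROP": "Deny", "REJECT": "Reject", "MARK": "Tag"}
SUPPORTED_MODULES = {"state", "multiport", "limit", "mark"}

def port_number(spec):
    # Names resolve through the OS services database, so a name known on Linux
    # may be unknown elsewhere; None marks a name this system cannot convert.
    if spec.isdigit():
        return int(spec)
    try:
        return socket.getservbyname(spec)
    except OSError:
        return None

def import_rule(tokens):
    rule = {"chain": None, "src": "any", "dst": "any", "iface": None,
            "direction": None, "action": None, "logging": False, "ok": True}
    it = iter(tokens)
    for tok in it:
        if tok == "-A": rule["chain"] = next(it)
        elif tok == "-s": rule["src"] = next(it)
        elif tok == "-d": rule["dst"] = next(it)
        elif tok == "-i": rule["iface"], rule["direction"] = next(it), "Inbound"
        elif tok == "-o": rule["iface"], rule["direction"] = next(it), "Outbound"
        elif tok in ("--dport", "--dports"):
            rule["dports"] = [port_number(p) for p in next(it).split(",")]
        elif tok == "-m":
            mod = next(it)
            if mod not in SUPPORTED_MODULES:  # rule would be shown red in the GUI
                rule["ok"], rule["comment"] = False, "unsupported module: " + mod
        elif tok == "--log-prefix": rule["log_prefix"] = next(it)
        elif tok == "-j":
            target = next(it)
            if target in ("LOG", "ULOG"):  # empty "Continue" action with logging
                rule["action"], rule["logging"] = "Continue", True
            elif target in ACTIONS:
                rule["action"] = ACTIONS[target]
            else:  # unknown target becomes a branch named after it
                rule["action"], rule["branch"] = "Branch", target
    # Keep INPUT/OUTPUT semantics with "firewall is part of any" switched off.
    if rule["chain"] == "INPUT": rule["dst"] = "firewall"
    elif rule["chain"] == "OUTPUT": rule["src"] = "firewall"
    return rule

def import_iptables_save(text):  # non-rule lines (headers, COMMIT) are skipped
    return [import_rule(shlex.split(l)) for l in text.splitlines() if l.startswith("-A")]

SAMPLE = """# Generated by iptables-save (constructed sample)
-A INPUT -i eth0 -p tcp -m multiport --dports 22,http -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 192.0.2.5 -j LOG --log-prefix "fwd: "
-A FORWARD -i eth1 -j dmz_chain
-A OUTPUT -m owner --uid-owner 0 -j ACCEPT
COMMIT"""
```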

   Shortcomings of this version:

     * user-defined chains in table "nat" are not supported
     * no import of time intervals
     * no MAC address matching import

Policy import of Cisco IOS access lists (v2.1.12, build 270)

   Features implemented in this version:

     * The importer can parse a router config saved using the "show run"
       command. Although the importer can only interpret a subset of IOS
       configuration commands, other commands that it does not understand are
       ignored and should not affect operation. No manual editing of the config
       is required prior to import.
     * The importer creates a firewall object with all interfaces.
     * The firewall object name is assigned if the "hostname" command is found
       in the configuration. If this command is not present, the name remains
       the generic "New Firewall".
     * Interface addresses are assigned if the command "ip address" is found
       (multiple addresses per interface are supported). Interfaces without
       "ip address" in the configuration are marked as "unnumbered" in the
       Firewall Builder object tree.
     * All access lists are imported, and interface and direction are set in
       all rules appropriately.
     * Address and service objects are created in the process for all
       addresses and ports used in access lists.
     * IOS access lists can define the ip protocol, icmp code and type, and
       tcp/udp ports both by name and by number. The importer can properly
       interpret both formats.
     * "log", "log-input", "fragments" and "established" keywords are
       supported and translated into rule or object options as appropriate.
     * Address and service objects are reused in the process of import.
     * In case the importer fails to parse some part of an access-list
       command, the corresponding policy rule is colored red and an appropriate
       diagnostic message is added to its comment. The problem must be
       corrected manually.
     * "remark" commands found inside access lists are translated into rule
       comments.
     * Comments ("!") found inside access lists are ignored.
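   The "show run" subset described above, as an added example that is not the
   Firewall Builder importer: a small Python reader that picks up hostname,
   interface addresses (marking interfaces without one as unnumbered), ACL
   bindings, remarks, and the "established", "log"/"log-input" and "fragments"
   keywords on access-list entries. SAMPLE is a constructed router config; the
   dictionary layout is this example's own.

```python
def parse_ace(line):
    # One access-list entry. "established" maps to the TCPService flag and
    # "log"/"log-input" to the rule's logging option, as listed above.
    words = line.split()
    flags = ("established", "log", "log-input", "fragments")
    return {"action": words[0], "proto": words[1],
            "established": "established" in words,
            "log": "log" in words or "log-input" in words,
            "fragments": "fragments" in words,
            "text": " ".join(w for w in words[2:] if w not in flags)}

def import_ios_config(text):
    fw = {"name": "New Firewall", "interfaces": {}, "acls": {}, "bindings": []}
    iface = acl = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # "!" comment lines are ignored
            continue
        words = line.split()
        if words[0] == "hostname":
            fw["name"] = words[1]
        elif words[0] == "interface":
            iface, acl = words[1], None
            fw["interfaces"][iface] = {"addresses": [], "unnumbered": True}
        elif words[:2] == ["ip", "address"] and iface:  # primary or secondary
            fw["interfaces"][iface]["addresses"].append((words[2], words[3]))
            fw["interfaces"][iface]["unnumbered"] = False
        elif words[:2] == ["ip", "access-group"] and iface:
            fw["bindings"].append((iface, words[2], words[3]))  # name, in/out
        elif words[:3] == ["ip", "access-list", "extended"]:
            acl, iface = words[3], None
            fw["acls"][acl] = []
        elif acl and words[0] == "remark":  # becomes the rule comment
            fw["acls"][acl].append({"comment": line[len("remark "):]})
        elif acl and words[0] in ("permit", "deny"):
            fw["acls"][acl].append(parse_ace(line))
    return fw

SAMPLE = """hostname edge-rtr
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group fe0_0_in in
!
interface Serial0/0
 no ip address
!
ip access-list extended fe0_0_in
 remark management access
 permit tcp host 192.0.2.10 any eq 22
 permit tcp any any established
 deny ip any any log"""
```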

   Shortcomings of this version:

     * The importer does not use address and service objects that existed in
       the tree before the operation started; it creates new ones.
       Deduplication only works for objects created in the process of import.
     * The following keywords available in extended access lists are not
       supported at this time: tos, precedence, time-range.
     * igmp access lists are not parsed.

     ----------------------------------------------------------------------

New object types and improvements in the base API

     * TCPService object now has the flag "established". Policy compilers for
       platforms that have a special keyword for this flag can recognize this
       flag in the TCPService object.
     * TCPService object "All TCP established" has been added to the Standard
       objects library.
     * Interface of the firewall has new flag "unprotected", currently only
       used in compiler for Cisco IOS access lists. Compiler skips interfaces
       marked as "unprotected" when it decides which interface a policy rule
       should be assigned to.

Improvements and bug fixes in the GUI

     * dialogs and resource files for Cisco IOS access lists.
     * Policy installer for Cisco routers
     * fixed a long-standing problem with the size of the built-in installer
       options dialog. The dialog was too big and did not properly resize
       itself when some options were hidden.
     * PIX and Cisco routers (IOS) : built-in installer can schedule reboot
       of the firewall before activating new policy, then cancel it if the
       policy has been activated successfully.
     * Note about the built-in installer on Windows: the installer seems to
       have broken with the upgrade of QT to 3.3.8. Specifically, in
       SSHSession::readFromStdout(), proc->readStdout() returns a byte array
       that contains the actual output from the device, with some garbage
       appended to it. The garbage is included in the size() count of the
       QByteArray returned by readStdout, so it gets included in the QString
       which we append to stdoutBuffer. This happens only on win32; reverting
       to QT 3.3.7 fixes the problem.
     * the GUI is compiled with ANTLR C++ run-time, used for policy importer
     * Policy importer: can read and import iptables rules from the
       iptables-save file and Cisco IOS access lists from the router
       configuration saved using "show run" command. See README.policy_import
       file for more details.
     * allow for object group in "Interface" rule element
     * Added support for action "Continue" (an empty action) in the GUI and
       compiler for iptables. This action creates a rule that does nothing,
       however it generates iptables command with target "-j LOG" if logging
       is turned on. This can be useful if one wants only to log packets that
       match certain pattern but not make any policy decision in the same
       rule.
     * After changes made in the compiler to simplify the algorithm used to
       decide which chain a rule with action Tag should go to, the rule action
       option "Mark connections in PREROUTING chain" ("ipt_mark_prerouting")
       has been deprecated.
     * fixed a bug (no number) where the installer failed to properly copy the
       .fwb file over to the firewall if the file name contained whitespace
     * fixed bug #1739373: "FWB2111, register Routing not printed". Tab
       "Routing" was not included in the printed copy of firewall policies

Improvements and bug fixes in policy compiler for iptables

     * fixed bug #1737733: "install script doesn't detect BROADCAST if eth is
       NO-CARRIER". If the firewall script ran before the network interface
       came up (i.e. it was still in the NO-CARRIER state), the script failed
       to add virtual addresses for NAT.
     * fixed bug #1711595: "ip6tables DROPs". The compiler adds rules to permit
       any-to-any on the loopback interface for IPv6 in addition to the rules
       that set the default policy to DROP for all chains in IPv6.
     * streamlined the algorithm that assigns a chain to a rule with action
       Tag. The goal is to always use chain PREROUTING for rules with direction
       Inbound or Both, and a combination of OUTPUT and POSTROUTING for rules
       with direction Outbound or Both.
     * Added support for action "Continue" (an empty action) in the GUI and
       compiler for iptables. This action creates a rule that does nothing,
       however it generates iptables command with target "-j LOG" if logging
       is turned on. This can be useful if one wants only to log packets that
       match certain pattern but not make any policy decision in the same
       rule.
     * fixed bug #1718791: "Bug with more than one router". This bug affected
       routing rules.
     * fixed bug #1720022: "Fail to load modules .ko.gz".
     * fixed bug #1720480: '"-A POSTROUTING -i interface" in branching
       rules'. Compiler should not generate iptables commands in POSTROUTING
       chain with "-i interface" clause.
     * bug (no number): the compiler did not set a unique internal id for
       rules in branches, which led to chain names like 'C.0' in the generated
       script.
     * bug (no number): when a rule number is inserted into a log record in
       place of the macro %N, it should be formatted as "N/M" for rules in a
       branch.
     * bug (no number): the chain for the Classify action is now set only if
       it has not been set before. Always setting the chain to POSTROUTING
       broke things if a rule with action 'Classify' was used in a branch
       (where the chain has already been set to that of the branch).
     * bugs #1676635: "no way to match on state if the action is drop" and
       #1671910: "2.1.8 In 'Branch' acton compiler doesn't insert NEW
       stanza". Rely only on the rule option 'stateless' to decide whether the
       rule should have "-m state --state NEW". The rule option 'stateless' is
       automatically set when the user changes the rule action to anything
       except 'Accept', 'Tag' or 'Route'. This option is also automatically
       cleared when the action is switched to any of these three actions. The
       user can override these default settings by checking or unchecking the
       option in the rule options dialog.

Improvements and bug fixes in policy compiler for PF

     * fixed bug #1727715: "Policy Installer failed but indicates success".
       The activation script for PF now exits with a non-zero return code if
       script activation fails.
     * fixed bug #1740545: "AddressTable in NAT section". The policy compiler
       for PF crashed if an AddressTable object was used in the TDst element
       of a NAT rule.

Improvements and bug fixes in policy compiler for ipfw

     * the new TCPService object flag "established" is supported in the
       compiler for ipfw.
