                         Firewall Builder Release Notes

Version 2.1.8

   Released 12/02/2006
   GUI and compilers v2.1.8 require API library libfwbuilder version 2.1.8

Summary

   For those who wish to build from source, instructions are outlined in the
   document "Install and Build instructions" on our web site.

Installation

   An opinion poll run on the fwbuilder-discussion mailing list showed that
   the majority of users are not interested in the ability to install and run
   both fwbuilder 2.0 and 2.1 on the same machine at the same time. Hence we
   are reverting to the old naming scheme, without the suffix '21', for the
   binaries and man pages in this release.

Improvements and bug fixes in the GUI

     * The user can search for objects using regular expressions matching
       their names or attributes.

     * Fixed bug #1592130: "Policy Chaining Issues". The GUI should properly
       display nested branch rulesets. The user can create policy branches
       within other branches.

All compilers

     * Fixed bug #1590746: "problem with using "DNS Names" objects on MS
       Windows". The compiler failed to convert DNSName objects set to
       resolve at compile time into IP addresses.

Compiler for iptables

     * Fixed bug #1593221: "iptables filtering bridge problem - PHYSDEV: no
       physdev opti..." Sometimes rules were generated with "-m physdev" but
       without "--physdev-in" or "--physdev-out" options.
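
       A check for the symptom of bug #1593221 in a generated script, as an
       added example (not part of Firewall Builder): it flags rules that load
       "-m physdev" with no physdev option after it. The sample rules are
       constructed; the option set also includes the other --physdev-is-*
       options that iptables accepts.

```python
import shlex

# Options accepted by the iptables physdev match. The release note names
# only --physdev-in and --physdev-out; the --physdev-is-* forms also satisfy it.
PHYSDEV_OPTS = {
    "--physdev-in", "--physdev-out",
    "--physdev-is-in", "--physdev-is-out", "--physdev-is-bridged",
}

def physdev_start(tokens):
    """Return the index just past '-m physdev', or -1 if the match is not loaded."""
    for i in range(len(tokens) - 1):
        if tokens[i] in ("-m", "--match") and tokens[i + 1] == "physdev":
            return i + 2
    return -1

def find_bare_physdev(script_text):
    """Return (line number, rule) for rules using physdev with no physdev option."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        try:
            # shlex keeps quoted arguments (e.g. --log-prefix text) as one token
            # and drops shell comments.
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes: not a complete rule on this line
        start = physdev_start(tokens)
        if start >= 0 and not any(t in PHYSDEV_OPTS for t in tokens[start:]):
            findings.append((lineno, line.strip()))
    return findings

# Constructed sample rules, not real compiler output.
SAMPLE = '''\
# sample generated rules
$IPTABLES -A FORWARD -m physdev --physdev-in eth0 -s 10.0.0.0/24 -j ACCEPT
$IPTABLES -A FORWARD -m physdev -p tcp --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -m physdev ! --physdev-out eth1 -j DROP
$IPTABLES -A FORWARD -m state --state NEW -m physdev -j LOG --log-prefix "RULE 4 -- physdev "
$IPTABLES -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
'''

if __name__ == "__main__":
    for lineno, rule in find_bare_physdev(SAMPLE):
        print(f"line {lineno}: physdev match without options: {rule}")
```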

Compiler for Cisco PIX

     * Fixed a bug (no number, support request #1604103): "fwb_pix policy
       compiler dies when SNMP or NTP hosts defined". The compiler did not
       print an error message when it could not find an interface with a
       network zone matching the IP address of the NTP or SNMP server (it
       just printed the address without an explanation of what went wrong).
     * Experimental utility fwb_pix_diff has been added to the package. This
       utility takes two PIX configurations on the command line and produces
       the 'diff' that consists of a set of commands that should bring the
       firewall from the state defined by the first config to the state
       defined by the second. Only PIX 7.0 is supported. This utility will be
       incorporated into the policy installer in the future to make policy
       updates simpler and faster, especially when small changes are made to
       a large set of access lists and NAT rules.
