Firewall Builder Release Notes 
 Version  2.1.7   
Released 10/31/2006
GUI and compilers v2.1.7 require API library libfwbuilder version 2.1.7
Summary 
For those who wish to build from source, instructions are outlined
in the document "Install and Build instructions" on our web site here
Installation
  Packages of Firewall Builder 2.1 are built in a such way that you
  should be able to install them on the same machine with Firewall
  Builder 2.0.X. All binaries have names that end with "21",
  e.g. "fwbuilder21" or "fwb_ipt21". On Windows the
  binary name is the same but the package installs in
  directory c:\FWBuilder21 which is different from the default
  directory for Firewall Builder 2.0; all registry entries are also
  located in different subtrees. All this is done to ensure the user
  can run Firewall Builder 2.1 while still using stable version 2.0.12
  on the same machine.
Improvements and changes in the GUI
  - The GUI works much faster with very large object trees. Tested
    using a data file with over 3000 objects)
    
     
- "Where used" menu item has been added to quickly find and show
    all groups and firewall rules that reference given
    object. Confirmation dialog that is shown when user tries to
    delete an object also shows all groups and rules that use it.
    
     
- By popular request, built-in installer can now save a copy of
    .fwb file to the firewall.
    
     
- Compile/install dialog is now an independent window instead of a
    modal dialog, this means the user can look at the policy and
    objects while compilation and/or installation is going on. This is
    especially convenient as it allows one to inspect the rules after
    failed compilation while still having compiler error on screen.
    
     
- Network discovery driud is back, ported from fwbuilder
    1.0. As before, it supports reading object definitions from a
    file in /etc/hosts format, can read DNS zone and also can
    crawl the network using SNMP queries.
    
     
- Startup wizard ("Welcome to Firewall Builder") has been
    removed. The GUI now starts either into an empty database or
    opens data file specified on the command line.
    
   
- Keeping track of dependencies between objects. This is
    useful when many firewalls in the tree use the same set of
    objects. Each firewall object keeps track of objects it
    depends on, so if any object is modified, all firewalls that
    use it in their rules are marked with bold font to indicate
    that they need to be recompiled. Object dependencies are
    tracked not only when objects are directly used in rules,
    but also when they apepar there indirectly, as members of
    groups
    
   
- Added bulk compile and install operations. This is useful
    when there are many firewalls in the tree that need to be
    compiled and installed in one go. Bulk install operation is
    only possible if all firewalls use the same user name and
    password for authentication. If this is not the case,
    built-in installer can be instructed to ask for the
    authentication information before it touches each firewall.
    
   
- All object dialogs have been converted into built-in
    panels that appear in the right hand part of the main
    window. This simplifies navigation ( pop-up dialogs used to
    obscure parts of the main window). Objects open in the
    editor on a single mouse click in the tree and rules.
    
   
- Improvements in "Find" function: administrator can now
    drag an object into a well in the find dialog panel to make
    it search for this particular object. This is useful if the
    name of the obejct is not unique. Search by object's name or
    a value of its attribute is also possible.
    
        
 
   
- In addition to the "Find" function, the "Find and replace"
    operation has been implemented. Objects can be found and
    replaced in groups and firewall rules
    
        
 
   
New object types, new rule types and rule elements, new
  actions and other new features
  - AddressTable  This object resolves to a set of
    IP addresses defined in an external file. The object can be
    configured to read the file at compile time or at run time.  For
    each compile-time AddressTable object defined in the object tree
    compiler tries to find and read the file specified in the object
    configuration. Compiler aborts processing if the file can not be
    found or can not be read. If the file is in place and can be
    read, such AddressTable object behaves as if it was a group of
    IP address objects, that is, all addresses are explicitly copied
    into generated configuration, although compiler may use target
    firewall syntax that helps to group such sets of addresses into
    tables. Compilers for iptables, ipfw, ipf and PIX generate bunch
    of rules matching each address read from the file. Compiler for
    PF creates a table and also lists all IP addresses it reads from
    the file; it uses the name of the AddressTable object for the
    name of the table it creates.
      
    Run-time AddressTable objects are only supported by
      compilers for iptables and PF.  Compiler for iptables
      generates shell code to read the contents of the file when
      firewall configuration is activated. Compiler for PF uses
      native "table <name> persist file <file_name>"
      syntax. Here also the name of the table is the same as the
      name of the AddressTable object it was created for.
     
   
- DNSName:  This object resolves a host name to
    the IP address using DNS. Object can be confgiured to do so at
    compile time or run time. Resolution is done using system call
    gethostbyaddr() to read DNS A records for the name. System
    resolver should take care of recursion and CNAME records, if
    any. If the name resolves to several IP addresses, all addresses
    are used in the generated firewall configuration. Run-time
    DNSName objects rely on the target firewall software to be able
    to convert symbolic names used in rules into actual IP addresses
    at a time when policy is activated. Not all platforms provide
    means to support run-time DNSName objects.
    
   
- TagService:  This object matches tags set by
    action Tag. It is translated into --mark
      <mark_code> for iptables and tag option for
    PF. This service object is only supported by compilers for
    iptables and PF.
    
   
- Interface objects can now have an attribute to mark
    them as bridge ports, used for bridging firewalls.
    
   
- Support for routing rules has been implemented using patch
    provided by Tidei Maurizio <fwbuilder-routing at
    compal.de> Support for routing rules is only implemented in
    compiler for iptables. See file README.routing included in
    fwbuilder2 package.
    
       
        NOTE: I can only provide very limited support for this feature, please direct your questions and bugreports to the author
       
   
- Global policy and interface policies have been merged. Each
    policy rule now has rule element "Interface". Administrator
    can drag and drop interface object of the firewall into this
    rule element field. Policy compilers support multiple
    interfaces and negation in "Interface" rule element. Rule
    element "direction" that previously was only part of the
    interface policy rules is now part of all policy rules.
    
   
- Policy rules can have the following new actions:
       
        - Queue:  This action passes the packet to
          user space process for inspection, it is translated
          into QUEUE for iptables and divert for
          ipfw. This action is only supported by compilers for
          iptables and ipfw..
          
         
- Custom:  This action allows administrator
          to define arbitrary piece of code to be used in place of
          an action. Supported by compilers for iptables, ipf and
          ipfw
          
         
- Branch:  This action is used to create a
          branch in the rule set. It works on target platforms that
          provide suitable syntax and allow control to return to the
          higher level rule set if the branch can not make final
          decision about the packet. For iptables this action is
          translated into user-defined chain. The name of the chain
          is the name of the branch choosen by administrator. For PF
          this action is translated into an anchor with the name the
          same as the name of the branch defined by the
          administrator. This action is only supported by compilers
          for iptables and PF.
          
             
 Fig.1 Rule #0 of the global policy creates a branch with the name rule0_branch
 
           
         
- Tag:  This action associates internal tag
          with the packet. Tag can later be inspected using
          service object TagService. This action is
          translated into MARK target with
          corresponding --set-mark parameter and optionally
          additional rule with CONNMARK --save-mark target
          for iptables. If option that activates CONNMARK
          target is used, compiler also adds a rule at the very
          top of the policy to restore the mark.  Rules are placed
          in INPUT,OUTPUT and FORWARD chain
          of the "mangle" table, this ensures
          that DNAT happens before rules placed in the
          mangle table see the packet. PREROUTING chain in
          mangle table is executed before PREROUTING chain
          in the nat table, so placing tagging rules in the
          PREROUTING chain would make them fire before
          DNAT. POSTROUTING chain of the mangle
          table, as well as its FORWARD and OUTPUT
          chains, work before corresponding chains of the nat
          table. In all cases the goal is to make sure DNAT
          rules process the packet before, and SNAT rules process
          it after filtering and tagging rules.
            
            For PF this action is translated into tag.
            Supported only by compilers for iptables and PF.
           
             
 Fig.2 Example of a rule utilizing action Tag. To illustrate policy branches, this rule belongs to the branch with the name rule0_branch
 
           
         
- Classify:  This action allows the firewall
          to define QoS class for the packet that matches the
          rule. It is translated into CLASSIFY for
          iptables, with parameter --set-class. For PF it
          is translated into queue; compiler for ipfw can
          use pipe, queue or divert depending
          on how the action is configured by the administrator in
          the GUI. This action is only supported by compilers for
          iptables, PF and ipfw.
          
         
- Route:  This action makes the firewall to
          route the packet that matches the rule through an
          interface or a gateway specified in the parameters of the
          action. This action is translated into ROUTE target
          for iptables and route option for PF and
          ipfilter. Compilers for PF and ipfilter
          support fastroute, route-to,
          reply-to and dup-to options.
          
             
 Fig.3 Rules #0 and #1 tag packets entering the firewall through interfaces eth0 and eth2; rules #3 and #4 help route reply packets back through the same interfaces
 
           
         
 
      The GUI uses different names for the new actions depending
      on the target firewall platform to simplify adoption. For
      example, new action that created branch in rule set is
      called Chain for iptables firewalls and Anchor
      for PF fierwalls. 
     
- Firewall object now has an attribute "inactive". Firewall
    marked as inactive will not be picked by the GUI for the bulk
    compile and install operations even if the timestamps indicate
    that this firewall object needs to be recompiled
    
   
Compiler for iptables
  - Support for address tables loaded from external files at
    compile or run time
    
   
- Support user defined chains with predefined names (using
    special action )
    
   
- Support
    for CLASSIFY, MARK, CONNMARK, QUEUE, ROUTE
    targets
    
   
- Support for physdev module for bridging firewalls
    
   
- additional optimization of rules i INPUT and OUTPUT chain:
    now removing firewall object from src or dst to simplify rule
    if it uses OUTPUT or INPUT chain. Doing this only if original
    rule did not have negation and we do not add any virtual
    addresses for NAT.  After removal the rule collapses to a
    simple command like this:
    
       
	iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
      
      this works fine except if we have added virtual addresses for
      NAT. It is assumed that firewall object in rules represents
      combination of addresses configured in its interfaces in the
      GUI. Virtual addresses added for NAT are considered to be a
      side effect and connections should not be implicitly permitted
      to them by a rule with fw object in destination. The same
      applies to fw object in source. See bug #685947 for
      discussion. To avoid inadvertently opening holes in the
      firewall by a rule like that, we remove fw object only when it
      is safe to do so.
     
   
-  support for modules connlimit
    and hashlimit. There is an option to generate commands
    for the latter module using name dstlimit because older
    versions of iptables included this module under this (now
    obsolete) name.
    
   
Compiler for PF
  - Support for load balancing rules
- Support for tag and route options
- Support for address ranges and networ objects in TSrc in NAT
    rules
- Support for pool types in NAT rules ('bitmask', 'random',
    'source-hash', 'round-robin'), as well as 'static-port'
    option.
- Supprot for anchors (by way of a special action)
- Support for tables with predefined names (using AddressTable object)
- Support for packet 'tagging' (by way of a special action and service object TagService)
Compiler for ipfilter
  - Support for PPTP and IRC proxies
- Support for route option
API
  - internal object ID is augumented with process ID of the
    program that creates an object. This allows fwbedit to quickly
    create objects and still ensure their IDs are unique
  
- 
fwbedit
  Fwbedit can now create objects and repair broken object
  database. This tool can now be used to populate object database
  using shell scripts or other automation. For example, to create an
  address object in object library 'Test' one could run it like
  this:
    
  
    fwbedit -f filename.fwb -t IPv4 -n newAddress -L Test -o 192.0.2.1
  
  
       Firewall Builder:  general purpose object tree editing tool
       Version 2.1.5-b
       Usage: fwbedit21 -f filename.fwb -u [-a obj,grp] [-r obj,grp] [-d obj] [-s] [-l path] [(-p parent|-L library) -t objtype -n objname [-o object attributes]] 
       -t objtype : create an object of this type
       -L library : specify library when creating a new object
       -p obj     : specify parent object when creating a new object
       -n name    : specify a name of the new object
       -o attribute1[,attribute2...]  :  specify attributes when creating a new object
       -a obj,grp :  create reference to object 'obj' in the group 'grp'
       -r obj,grp :  remove reference to object 'obj' from the group 'grp'
       -d obj     :  delete object 'obj' and remove references to it from
       all rules and groups
       -l path    :  print list of objects for 'path'
       -s         :  test and repair object tree structure
       -u         : autoupgrade of file
       An object and a group can be defined by their ID or 
       by the full path and name in the XML tree
       Object creation syntax:
       -t Firewall -n obj_name -L User -o platform, host OS
       -t IPv4 -n obj_name -L User -o IP address
       -t DNSName -n obj_name -L User -o DNS record,run time
       -t AddressRange -n obj_name -L User -o start address, end address
       -t ObjectGroup
       -t Network -n obj_name -L User -o address,netmask
       -t Interval -n obj_name -L User -o start time,start date,start day,end time, end date, end day
       -t Interface -n obj_name -L User -o security level,address type (dynamic or unnumbered),management
       -t Host
       -t TCPService -n obj_name -L User -o source port range start,end,Destination port range start,end,UAPRSF,UAPRSF
       -t UDPService -n obj_name -L User -o source port range start,end,Destination port range start,end
       -t ICMPService -n obj_name -L User -o ICMP type,ICMP code
       -t IPService -n obj_name -L User -o protocol number,lsrr/ssrr/rr/ts/fragm/short_fragm