Firewall Builder Release Notes

 

Firewall Builder 4.1.1 Release Notes

SourceForge: Tickets for V4

What's new in V4.1.1 ?

This release includes fixes for a number of minor bugs, and it is the first release to officially support HP ProCurve ACL configuration. Thanks to a generous donation of several switches from Hewlett Packard we were able to test and finalize the ProCurve support. This release also fixes a critical bug in V4.1 related to Cisco IOS ACL configurations: some configurations caused Firewall Builder to incorrectly generate an error with the message "Can not find interface with network zone that includes address A.B.C.D".

v4.1.1 has been tested, and we believe it to be ready for production use, but if you do find a bug or issue please let us know.

GUI Updates

  • Built-in policy installer now works with HP ProCurve switches. Currently the installer can only execute the generated configuration lines one by one on the switch; the scp-based installation method that is available for Cisco routers is not supported yet. This has been tested with ProCurve firmware K14.31 on a ProCurve J9470A Switch 3500-24. Caveat: manager access should not be configured with a user name (that is, no "password manager user-name foo").

  • fixed #1683 When a user creates a new firewall using SNMP scan, fwbuilder now guesses and assigns a type to interfaces that look like VLANs for the given platform and host OS.

  • fixed #1683 class procurveInterfaces interprets interface "DEFAULT_VLAN" as a vlan interface with vlan id 1.

Changes in support for iptables

  • fixed #1693 SF bug 3048516 "NAT rule with 'Use SNAT instead MASQ' doesn't work". A NAT rule using the combination of the option "Use SNAT instead of MASQ", a dynamic address of an interface and source port translation produced an iptables command with incorrect syntax.

  • see #1685 "iptables redirecting NAT rules in the OUTPUT chain". This fix makes it possible to create an iptables NAT rule with target REDIRECT in the OUTPUT chain. The rule should have the firewall object in the OSrc and TDst rule elements.

  • fixed #1685 "iptables redirecting NAT rules in the OUTPUT chain". NAT rules should be allowed to translate from a CustomService to a TCP or UDP service, provided the CustomService object is configured with a matching protocol.

  • fixed #1686 "can not generate basic NAT branching rule". NAT branching rules were not generated in single rule compile mode because the compiler needs information about the targets used in the rules of the branch rule set to decide which chain the branching rule should be placed in. In single rule compile mode it now uses PREROUTING and POSTROUTING but issues a warning.
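The SNAT item above involves two things the generated script has to get right: the address of a dynamic interface is not known at compile time and has to be read from the system when the script runs, and the SNAT target takes address and port range as one "--to-source ADDR:LOW-HIGH" argument (valid only with -p tcp or -p udp). The following is an added illustration of both, not code from Firewall Builder's generated scripts; it assumes a Linux host with iproute2, and the function names and the sample "ip addr" output are this example's own.

```shell
#!/bin/sh
# Added example, not code generated by Firewall Builder: resolve the address
# of a dynamically configured interface at run time and build the SNAT rule
# for the case described above (SNAT instead of MASQUERADE plus source port
# translation). Function names and the sample "ip addr" output are this
# example's own; the iptables syntax is standard.

# Print the first IPv4 address found in "ip -4 addr show dev IFACE" output
# read from stdin. Fails (exit 1) when the interface has no address yet,
# e.g. before the DHCP lease arrives, so the caller never emits a rule with
# an empty --to-source.
first_ipv4_addr() {
    addr=$(sed -n 's/^[[:space:]]*inet \([0-9.]*\)\/.*/\1/p' | head -n 1)
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Build the SNAT command. Address and port range form a single
# "--to-source ADDR:LOW-HIGH" argument; port translation is only accepted
# together with -p tcp or -p udp.
snat_rule() {   # IFACE SRC_NET ADDR PORTS PROTO
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -p %s -j SNAT --to-source %s:%s\n' \
        "$1" "$2" "$5" "$3" "$4"
}

# Resolve the address from stdin and emit the rule: IFACE SRC_NET PORTS [PROTO]
build_dynamic_snat() {
    addr=$(first_ipv4_addr) || { echo "no IPv4 address on $1" >&2; return 1; }
    snat_rule "$1" "$2" "$addr" "$3" "${4:-tcp}"
}

# Constructed sample of "ip -4 addr show dev eth0" output (not real data).
SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 203.0.113.7/24 brd 203.0.113.255 scope global dynamic eth0
       valid_lft 86034sec preferred_lft 86034sec'

# On a live system use instead:
#   ip -4 addr show dev eth0 | build_dynamic_snat eth0 10.0.0.0/8 1024-65535
demo() {
    printf '%s\n' "$SAMPLE_IP_OUTPUT" | build_dynamic_snat eth0 10.0.0.0/8 1024-65535
}
```

Because the address is resolved when the script runs, the rule goes stale when the DHCP lease changes; the script has to be re-run (or hooked into the DHCP client) for the new address to take effect.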

Support for PF

  • No changes in support for PF in this release

Changes in support for Cisco IOS ACL

  • fixed #1690 "IOS ACL and Procurve ACL compilers fail because interfaces are not assumed to have network zone any anymore". Compilers for Cisco IOS ACL and ProCurve ACL always assumed all interfaces have network zone "any". Changes made in 4.1.0 removed that assumption and the compilers stopped working for some rule configurations. This bug caused the compiler to fail with the error message "Can not find interface with network zone that includes address A.B.C.D".

Changes in support for Cisco ASA (PIX)

  • No changes in support for PIX in this release

Support for HP ProCurve

  • fixed #1688 "Procurve ACL remarks should be in quotes if they include space"

  • fixed #1687 "temporary access list commands syntax is incorrect". Temporary ACL generated for the Procurve platform was incorrect.

  • Built-in installer has been tested and now works with ProCurve switches.

Firewall Builder 4.1.0 Release Notes

SourceForge: Tickets for V4

What's new in V4.1.0 ?

There are several new features in this version including:

  • Support for Address Table objects that use the iptables ipset module
  • Integrated SSH tools (plink.exe and pscp.exe) in Windows installer package
  • New toolbar shortcut to view complete generated firewall configuration files in the GUI
  • Shortcut buttons in the main window to help new users get started more easily
  • Updated many dialog window sizes to work better for users with smaller displays (1024x768)
  • Added a new mode for stopping the firewall script called 'block'

In addition to providing new functionality one of the goals of this release is to make Firewall Builder easier for new users to learn. There are new buttons in the main window that are shortcuts to common functions that new users need to get started like adding a new firewall and importing policies from existing devices.

The iptables ipset module support provides an efficient way to build iptables rules that match large sets of IP addresses and to update these addresses without reloading iptables rules. Please note that this function requires that the ipset module is loaded on your firewall. You can find more information about how to set up and use Firewall Builder to manage iptables IP sets in the Users Guide section for Address Table objects.

UsersGuide: Address Table Objects

GUI Updates

  • fixed #1505 move "Clip comments in rules" checkbox to "Appearance" tab.

  • fixed #1504 Added (optional) text to the toolbar buttons. Text is turned on by default but can be turned off in the global Preferences dialog.

  • Using a separate settings object and file in the .ini format to store the instance uuid ensures uuid persistence on Windows across upgrades done with a complete deinstall. Fixes #1497

  • fixed #1489 removed unnecessary debugging messages.

  • fixed #1490 compile problem with Qt 4.7

  • fixed #1501 call qsrand(seed) to seed random generator before generating new UUID

  • applied patch from slif@bellsouth.net to fix compiler warnings. Patch applied partially since not all fixes were appropriate. fixes #1510

  • fixed SF bug #3013532 "file chooser dialog for import policy does not show all files".

  • fixed SF bug #3013855 "various fixes for run_tests". Applied patch suggested by Michael J. Slifcak (with changes).

  • fixed SF bug #3013735 "invalid pixmap properties during make". Fixed uic warnings.

  • fixed #1499 "GroupObjectDialogTest.cpp does not compile with gcc 3.4.6" and SF bug 3015307. There is no reason to make method insertObject() protected which caused problems (and hacky workaround) in the unit test.

  • added user work flow progress flags for an attempted install and first successful install. Both flags are Boolean true/false values indicating that the event occurred. We do not track and do not report any information about the firewall, platform, rules etc. These flags will be used to determine how many users abandon the program before even trying to run install for real because it is too complicated or the UI is not good enough. Fixes #1495

  • added user work flow flag indicating that ssh/scp have been configured in the Preferences dialog. The flag is Boolean and registers only the fact that something was entered in ssh and scp fields. Actual path and programs used are not registered and reported. Fixes #1496

  • fixed bug 3016720 "import policy disabled after file close". Menu items "File/Import Library" and "File/Import policy" became disabled after user closed data file using "File/Close" and never became enabled again.

  • fixed #1521 "GUI crashes upon exit on CentOS 5". This fixes SourceForge bug reports 3016482 "segfault with RHEL5 pre-built packages on CentOS 5.5" and 3015979 "fwbuilder not exiting in centos 5.5"

  • fixed #1493 "workflow icons in the big empty space". The GUI shows big buttons in the empty space on the right hand side of the main window when no firewall policy is opened yet. These buttons provide simple shortcuts to the workflow functions useful for novice users. Currently this includes "Create new firewall", "Import configuration of existing firewall" and "Watch Getting Started Tutorial".

  • fixed SF bug 3016680 "Vertical scrollbar issue" rules with a lot of objects did not scroll properly vertically.

  • fixed #1520 "Comment field display clips comment text"

  • fixed #1526 "Make sure GUI unit tests work in the environment where user turned off tip of the day dialog". Unit tests now use alternative settings file with all default values and do not depend on user's preferences.

  • See #1346. Viewer panel that can be used to inspect generated firewall configuration files from within the GUI. The panel can be opened using a button in the mini-toolbar above firewall rules or as a page in the compile and install wizard.

  • SF bugs 3020381 and 3027284: "Line failure should abort remote firewall install". If the network connection is lost during firewall policy activation, the policy installer should detect this, disconnect and declare the installation session a failure. Prior to this version, the installer detected network failures during policy copy (done with scp) or when it could not connect to the firewall at all, but hung if the connection was lost in the middle of the ssh session used to activate the firewall policy. The installer now uses the ssh parameter "ServerAliveInterval" to make ssh detect connection failure. Added an input field that defines the inactivity timeout value in seconds to the "Installer" tab of the global preferences dialog. The same timeout value is used to set the ServerAliveInterval parameter for ssh, the ConnectTimeout parameter for scp and the registry entries required by plink and pscp on Windows using putty session "fwb_session_with_keepalive". The default value is 30 sec.

  • All installation commands should be on a single line in the configlet so they are sent to the firewall as one line. When these commands were on separate lines, linefeed characters between them appeared on the standard input of the command "sudo -S" and broke the installation process. This only happened in my tests when I ran the GUI installer on Windows and looked like some sort of a race. When all commands are on one line the problem disappeared. Changed only configlets that used sudo as part of the installation script.

  • fixed SourceForge bug 3020761 "printing from command line causes Segmentation fault". Fixes #1533

  • fixed SourceForge bug #3028740 "inspect/install does not like spaces in Firewall object name". Compiling firewall objects with names that contain white space produced files with spaces in the name, which confused the "inspect generated files" function and the built-in policy installer. Names with spaces are now supported.

  • sorting of firewall and cluster items in the compile/install dialog is now case insensitive.

  • hiding "Select all" and "Select none" buttons in the first page of the compile/install wizard when there is only one firewall in list.

  • renamed buttons "All" to "Select all" and "None" to "Select none" in the first page of the compile/install wizard.

  • fixed SourceForge bug #3027272: "default values taken from unexpected sources". When new firewall object was created using "Import Policy" function, parts of its configuration were taken from default settings of an unexpected host OS.

  • fixed wrong display of non-ascii symbols in cluster member compilation warning.

  • Firewall names are now resolved to IP addresses in the SNMP discovery. Added a new input element for the firewall IP address to use for SNMP interface discovery when the firewall object name does not match a DNS record.

  • Added "Cancel All" button to the installer options dialog to stop all firewall installations and renamed the OK button to "Install". The new "Cancel All" button lets the user interrupt the installation process when they are in the middle of pushing configuration to many firewalls.

  • fixed #1582 'tree is not refreshed after address substitutions in "new firewall" wizard'

  • Most dialogs were adjusted to make sure they fit on the screen 1024x768

  • fixed #1612 "File/Open should create new project panel". If user has some unsaved changes in the default project panel (the one with no associated file) and then uses File/Open menu to open another data file, the file should open in a new project panel.

  • fixed #1611 "File/New should create new project panel". Like #1612, open new data file in a new project panel if current project panel has no data file associated with it but has unsaved changes.

  • fixed #1622 "Crash when configuring cluster". The GUI used to crash if user created a cluster copying rules of one of the cluster members while that rule set was opened in the rule set view.

  • fixed #1632 "dependencies created by branching rule sets should be processed recursively". In the case of multi-level branches the GUI should trace all references to find all firewalls affected by a change of an object used in the rule. This fixes SourceForge bug 3033462 "nested shared branch rules between servers not working".

  • fixed SF bug 3035426 "canceled save writes .fwb". The program created a file with the name ".fwb" if the user started with an empty project page, created some objects, then hit "Compile" but then clicked "Cancel" when offered a chance to save objects into a new data file.

Changes in the policy importer

  • fixed #1511, SF bug 3012953: iptables import parse error icmp_type any

  • fixed sourceforge bug 3012953: names of UDP and TCP objects created during import should follow the same pattern and not include "0-0" for the source ports if they are equal to zero.

  • policy importer for iptables can now parse numerical log levels.

  • bug 3012953: iptables importer sometimes does not recognize rule with " ESTABLISHED,RELATED ". Parser properly processed iptables rules with state "RELATED,ESTABLISHED" but not when states were in the opposite order.

  • fixed #1513 iptables importer should check default policy in standard chains. The importer creates rules at the bottom of the policy rule set to reproduce the default policies of the built-in chains INPUT, OUTPUT and FORWARD. These rules are added only when the default policy in these chains is set to ACCEPT, because the generated iptables script always sets default policies to DROP. Support for this in the mangle table is limited so far: only default policies in PREROUTING, OUTPUT and POSTROUTING can be implemented. Rules created for the commands that set the default policy in the mangle chains FORWARD and INPUT will generate commands in the PREROUTING chain instead. We will try to address this in the future if there is sufficient demand.

  • fixed #1516 policy importer for iptables should not use automatic ESTABLISHED rule. (See also SF bug 3012953). Policy importer for iptables always creates explicit rule to match ESTABLISHED,RELATED to make sure it goes into the same chain as the original rule. Also in the same fix, importer creates branch for iptables rules that match both regular service and state ESTABLISHED,RELATED. The service is matched in the main policy rule set, while ESTABLISHED,RELATED state is matched in the branch.

  • fixed SF bug 3015641 "imported REJECT rule changed during compile". Importer of iptables rules did not handle properly parameters of the REJECT target.

  • Fixed SF bug 3016779: Policy importer for iptables should understand module iprange

  • policy importer for iptables replaces --sport and --dport parameters of module multiport with --source-ports and --destination-ports to remove grammar ambiguity that arises from the use of the same parameters --sport and --dport by different iptables modules with different argument syntax.

  • fixed SF bug 3017084 "compiler adds extra quote characters to log-prefix string".

  • fixed #1544 "fwbuilder crashes during import of file with rtf formatting data". The fix should prevent crashes in other cases when import was unsuccessful.

Changes in libfwbuilder library

  • Added framework for creating data files with predictable and repeatable object IDs and references. This is used in unit tests so we can create data files that can be compared.

  • fixed missing class variable initialization in class CustomService

Changes common for all policy compilers

  • fixed #1631 "Process branch rule sets recursively". Policy compilers used to look only one level deep while processing branching rules. They should allow for arbitrary nesting and correctly avoid infinite loops if the user creates looped branches. The compiler issues a warning when it detects looped branching. This fixes SF bug 3033462 "nested shared branch rules between servers not working".

Changes in support for iptables

  • fixed #1506 SF bug #3011516: generated iptables script tries to update ip addresses of unnumbered interface.

  • fixed #1523 "outbound ipv6 rule matching multicast ipv6 destination is not generated". A rule with network object fe80::/10 in source and ipv6 multicast ff00::/8 in destination did not produce the corresponding ip6tables command. The change affects other cases with rules using broadcast or multicast objects that should be considered matching the firewall object.

  • fixed bug 3001228 "v4.0.0 iptables: NAT not creating interface addresses". Iptables script generated by fwbuilder used to include commands to configure virtual ip addresses for NAT only if option "configure interfaces" was turned on. Expected behavior is to generate these commands when option "Add virtual addresses for NAT" is turned on regardless of the setting of the option "configure interfaces".

  • Added support for iptables module "set" used to generate iptables command for rules with run-time AddressTable objects. This module is only available in iptables 1.4.1.1 and later, however some embedded platforms do not have it even though they ship later versions of iptables (e.g. OpenWRT). Use of this module is controlled by a checkbox in the iptables "advanced" settings dialog which is off by default. This checkbox becomes disabled when iptables version is set to < 1.4.1.1. Supporting shell functions are generated by the configlet run_time_address_tables. This includes shell function that checks if data files used by run time address tables objects are available, a function that loads these files if user activated use of the ipset module using checkbox, a function that checks if command line utility ipset is present and can communicate with the kernel module. This configlet is included in the script generated for all linux-based host os, even though most of them do not support module ipset. If ipset is not supported because iptables version is too old or the module is simply not available for the platform, user can just uncheck the checkbox in the firewall settings dialog and code generated by the configlet will support method of loading addresses from the file at run time based on script variables and a "while" loop.

  • Implemented support for mixed address lists for run-time address table objects using the ipset module. Normally, one ipset set can contain either individual ip addresses or subnets. We create a "setlist" type set that includes two sub-sets, one for ip addresses and the other for subnets. The function reload_address_table in the configlet run_time_address_tables manages these three sets automatically. The address list file has the same format as for all other supported types of Address Table object: one address per line, subnets are defined using '/bitlength' or '/netmask' syntax, comments start with the '#' or ';' character.

  • fixed #1640 "default policy when the script is stopped should be optional". The "stop" command used to be interpreted by the iptables script generated by fwbuilder in a way that blocked all connections going to, from and through the firewall. Luc Paulin pointed out that this behavior is incompatible with other firewall management scripts, such as /etc/rc.d/init.d/iptables on Fedora Linux or ufw on Ubuntu, where "stop" means disabling the firewall. In v4.1 the "stop" command flushes all chains in all tables and sets the default policy to ACCEPT. The new command "block" does what "stop" used to do, that is, flushes all chains in all tables and sets the default policy to DROP. The option to add a rule to permit ssh access from the management workstation when the firewall is stopped now adds this rule when the firewall script is run with the "block" command instead.

  • fixed SF bug 3034628 "iptables does not allow target REJECT in mangle table". Iptables does not support target REJECT in mangle table. Added check to the policy compiler to make it detect this situation and issue an error.

  • fixed #1654 "Support for run-time Address Tables with empty file in iptables". This is an implementation of the same feature we already have for PF. If the file name in the configuration of the run-time Address Table object is blank, policy compiler generates firewall configuration that uses ipset with the name the same as the name of the object but does not generate code to load addresses from a file into it. All control of the ipset is left for the user.

  • fixed #1652 "support for adding single address to address table in the generated script". The generated iptables script now provides functions "add_to_address_table", "remove_from_address_table" and "test_address_table" that let the administrator add or remove a single ip address to or from a given address table. The add and remove functions take three arguments: set name, file name and address. They add and remove the address both from the set in memory and from the given file, so that when the firewall reboots and the script reloads the set, it is restored to the desired state. The function "test_address_table" is a wrapper around the "ipset -T" command and tests if the given address belongs to the set. All these functions take the name of the run-time Address Table object used to create the sets as an argument and perform the actual add, remove and test operations on the subsets created for ip addresses and subnets.
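The run-time Address Table items above (the "set" module support, the mixed address list built from two subsets and a list set, and the add/remove/test helpers) describe one mechanism. The following is an added illustration of that mechanism, not fwbuilder's generated script or its run_time_address_tables configlet. It uses the ipset 6 type names hash:ip, hash:net and list:set in place of the older "setlist" naming, and the subset names NAME_ip / NAME_net, the IPSET_CMD variable and the sample table file are this example's own assumptions. It parses the documented file format, including the '/netmask' form, which it converts to a prefix length because hash:net only takes CIDR notation.

```shell
#!/bin/sh
# Added example, not fwbuilder's generated script or its run_time_address_tables
# configlet. A run-time Address Table with ipset: a set of single addresses, a
# set of subnets, and a list set that rules reference, plus reload/add/remove/
# test helpers. This example's own assumptions: ipset 6 type names (hash:ip,
# hash:net, list:set), subset names NAME_ip and NAME_net, and the IPSET_CMD
# variable (set it to "echo" for a dry run that only prints the commands).

IPSET_CMD=${IPSET_CMD:-ipset}
ipset_run() { "$IPSET_CMD" "$@"; }

# 255.255.255.0 -> 24. Rejects anything that is not four octets of 0..255 or
# not a contiguous mask (255.0.255.0) instead of silently producing a prefix.
mask_to_prefix() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o; do case $o in *[!0-9]*|'') return 1 ;; esac; [ "$o" -le 255 ] || return 1; done
    m=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    inv=$(( ~m & 0xFFFFFFFF ))
    [ $(( inv & (inv + 1) )) -eq 0 ] || return 1   # inverted mask must be 2^k-1
    bits=0; while [ "$m" -ne 0 ]; do bits=$((bits + 1)); m=$(( (m << 1) & 0xFFFFFFFF )); done
    echo "$bits"
}

normalize_entry() {   # "a.b.c.d", "a.b.c.d/len" or "a.b.c.d/m.m.m.m" -> ipset form
    case $1 in
        */*) addr=${1%%/*}; mask=${1#*/}
             case $mask in *.*) mask=$(mask_to_prefix "$mask") || return 1 ;; esac
             printf '%s/%s\n' "$addr" "$mask" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# File format: one entry per line; '#' or ';' starts a comment.
read_address_file() {
    sed -e 's/[#;].*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Add one entry to the subset matching its form (single address or subnet).
add_entry() {   # NAME ENTRY
    e=$(normalize_entry "$2") || return 1
    case $e in
        */*) ipset_run add "${1}_net" "$e" -exist ;;
        *)   ipset_run add "${1}_ip" "$e" -exist ;;
    esac
}

# Create the sets if needed, then rebuild both subsets from FILE. The list
# set NAME is what iptables rules match: -m set --match-set NAME src
reload_address_table() {   # NAME FILE
    ipset_run create "${1}_ip" hash:ip -exist
    ipset_run create "${1}_net" hash:net -exist
    ipset_run create "$1" list:set -exist
    ipset_run add "$1" "${1}_ip" -exist
    ipset_run add "$1" "${1}_net" -exist
    ipset_run flush "${1}_ip"
    ipset_run flush "${1}_net"
    read_address_file "$2" | while read -r entry; do
        add_entry "$1" "$entry" || echo "skipping malformed entry: $entry" >&2
    done
}

# Change a single address both in memory and in FILE, so that a reload after
# reboot restores the same state.
add_to_address_table() {   # NAME FILE ADDRESS
    add_entry "$1" "$3" || return 1
    grep -qxF -- "$3" "$2" 2>/dev/null || printf '%s\n' "$3" >> "$2"
}

remove_from_address_table() {   # NAME FILE ADDRESS
    e=$(normalize_entry "$3") || return 1
    case $e in
        */*) ipset_run del "${1}_net" "$e" -exist ;;
        *)   ipset_run del "${1}_ip" "$e" -exist ;;
    esac
    tmp=$(mktemp) || return 1
    grep -vxF -- "$3" "$2" > "$tmp" || :   # grep exits 1 when nothing is left
    mv "$tmp" "$2"
}

# Test against the list set, so an address inside a listed subnet matches too.
test_address_table() {   # NAME ADDRESS
    ipset_run test "$1" "$2"
}

# Constructed sample table (not real data) in the format described above.
SAMPLE_TABLE='# blocked sources
192.0.2.1
198.51.100.0/24      ; CIDR form
10.0.0.0/255.0.0.0   ; dotted-mask form
'

demo() {   # dry run of a reload against the sample table
    f=$(mktemp) || return 1
    printf '%s' "$SAMPLE_TABLE" > "$f"
    (IPSET_CMD=echo; reload_address_table blocklist "$f")
    rm -f "$f"
}
```

Two details matter in practice: the flush-and-reload leaves a short window in which the subsets are empty, so a rule that drops matches from the set fails open during that window (swap in freshly built sets with "ipset swap" if that is unacceptable), and the file is the durable copy, so edits made only with "ipset add" are lost at the next reload.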
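The "stop" versus "block" distinction above is easy to get wrong by hand, and the difference is exactly the default policy that remains after the flush. The following is an added illustration of the two modes on a Linux/iptables host, not the firewall script Firewall Builder generates; the IPTABLES, MGMT_ADDR and SSH_PORT variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the firewall script Firewall Builder generates. It shows
# the two modes described above: "stop" flushes all tables and sets the
# default policy to ACCEPT (firewall off, everything passes); "block" sets
# DROP and flushes (nothing passes), optionally keeping ssh from the
# management workstation. IPTABLES, MGMT_ADDR and SSH_PORT are this example's
# own variables; IPTABLES=echo gives a dry run that only prints the commands.

IPTABLES=${IPTABLES:-iptables}
MGMT_ADDR=${MGMT_ADDR:-}   # management workstation kept reachable in "block"
SSH_PORT=${SSH_PORT:-22}

# Flush every chain in every table, then delete the (now empty) user chains.
reset_all_tables() {
    for table in filter nat mangle raw; do
        "$IPTABLES" -t "$table" -F
        "$IPTABLES" -t "$table" -X
    done
}

set_default_policy() {   # ACCEPT or DROP, applied to all built-in filter chains
    for chain in INPUT OUTPUT FORWARD; do
        "$IPTABLES" -P "$chain" "$1"
    done
}

fw_stop() {
    reset_all_tables
    set_default_policy ACCEPT
}

fw_block() {
    # Policy first, then flush: there is no moment with empty chains and an
    # ACCEPT policy left over from a previous "stop".
    set_default_policy DROP
    reset_all_tables
    # With OUTPUT also at DROP, the replies need their own rule or the
    # management session dies right after the policy change.
    if [ -n "$MGMT_ADDR" ]; then
        "$IPTABLES" -A INPUT -s "$MGMT_ADDR" -p tcp --dport "$SSH_PORT" -j ACCEPT
        "$IPTABLES" -A OUTPUT -d "$MGMT_ADDR" -p tcp --sport "$SSH_PORT" -j ACCEPT
    fi
}

fw_main() {   # usage: fw_main stop|block
    case $1 in
        stop)  fw_stop ;;
        block) fw_block ;;
        *)     echo "usage: $0 {stop|block}" >&2; return 2 ;;
    esac
}
```

Run it with IPTABLES=echo first to review the command sequence; on a live host, "stop" is the one that exposes every service on the box, so it should be used only where "disable the firewall" is really the intent.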

Support for PF

  • No changes for PF.

Changes in support for Cisco IOS ACL

  • No changes for Cisco IOS ACL.

Changes in support for Cisco ASA (PIX)

  • fixed #1491 fwb_pix crashes trying to compile simple rule. Compiler should check validity of the object used as network zone of an interface.

  • do not verify network zones of unprotected interfaces. The compiler does not allow the same object to be used as the network zone of two different interfaces, which caused problems when a vlan parent interface has zone "Any". A vlan parent interface can not have ACLs attached to it and does not need any meaningful network zone, so "Any" is a reasonable fill-in choice. However it coincides with the network zone of the "outside" interface, which triggered this check.

Support for HP ProCurve

  • No changes for HP ProCurve.

Firewall Builder 4.0.1 Release Notes

This release comes with fixes for several minor bugs in the GUI and other components, improves the policy importer for iptables and introduces support for HP ProCurve ACLs.

Changes in the GUI

  • fixed #1443 GUI crashes compiling file opened read-only. If a file that was added to RCS was opened read-only and then any firewall object in it compiled, the GUI crashed trying to update "last_compiled" timestamp.

  • fixed #1444 compile error on FreeBSD-Current. The compiler issued the error "/usr/include/utmp.h:2:2: error: #error <utmp.h> has been replaced by <utmpx.h>"

  • fixes #1447: context menu item "Edit" associated with rule set object in the tree opens it in the rule set view and the editor panel. Menu item "Open" only opens it in the rule set view. This eliminates strange behavior where it would open in the rule set view on first click on "Edit" and then in the editor in the second click on "Edit". Double click used to work the same, the first double click opened in rule set view, the second in the editor. Now double click always opens in rule set view and the editor which is more consistent with the behavior for other object types.

  • fixed #1339 "Logging" icon appears looking the same as "Rule options" icon on Mac

  • fixed #1460 "when "show icons in rules" is turned off, there is no way to tell when logging is turned on and non-default options are present in a rule".

  • fixed #1464, SourceForge bug 3004274: "Branch rule set object displays improperly". Branch rule set attribute was not loaded properly into Branch action dialog for rules of PF firewalls.

  • fixed #1462 "if you do a bulk install, and then want to do a single install, bulk mode is selected"

  • fixed #1461 Need obvious button to add new rule to the empty rule set. Added button with a "+" icon right above the rule set view, this button adds new rule to the set.

  • fixes #1457 "tooltips for rule options seem to be broken". The tooltip always includes a line telling if the rule is "stateful" or "stateless", so the function almost never returns an empty string now. Added missing hashlimit parameters to the rule options tooltip. Some of the more rarely used hashlimit parameters are still not included in the tooltip. Improved tooltip formatting using an html table.

  • fixed #1463 Always show branch rule set name with action "Branch"

  • fixed #1469 some actions should always display argument, even when text labels for actions and directions is off

  • applied patch by Vadim Jukov <persgray@gmail.com>, maintainer of OpenBSD port. Patch fixes compile issues on OpenBSD

  • fixed #1468 Open new object in the editor after it has been created.

  • see #1466 Implemented instrumentation that should help us improve user experience. It will track a few things that new users do (or don't do) and report them as a combination of boolean flags at the end of the GUI session, such as whether the user ever looked at the "Getting Started" tutorial, created their first firewall object, modified any rules, or tried to compile, install or import an existing rule set. Information passed in the report is strictly a set of boolean flags; it is not identifiable and does not reveal what firewall platform they are using or anything about their objects and rules. The list of flags is in the module UserWorkflow.h

  • fixed #1478 always use included antlr run-time library. Because of the fixes I've made in CircularQueue.hpp in 2008 for 64 bit systems, we should always link with the antlr run-time that is included with the fwbuilder code tree rather than attempt to use the one that might be installed with the OS.

  • fixed #1481 when user changes platform in the firewall object, its version should change too.

  • added mechanism for one-time announcements that can be pulled from the web site when version check server says there is one. Announcement is shown only once. To do this, I store time stamp when it was shown in settings using hash of the announcement url.

  • refs #1483 If program detects change in CustomService object and the change just adds code string for a platform that was not in the object in the user's data file, the change is accepted without showing the dialog.

  • fixes #1484 "paste below" function pastes rules out of order

Changes in the policy importer

  • See #1450 and SourceForge ticket 3000809: iptables parser can now import "mark" module matches with hexadecimal parameters and "length" module matches. Also added check in the importer for broken iptables-save files where rules for any table are not terminated with "COMMIT".

  • fixes #1453 "iptables importer should parse multiport module parameter --ports". Module multiport with parameter "--ports" matches either source or destination port numbers. The importer creates two tcp (or udp) service objects to implement this match.

  • see #1451 "policy importer should support some popular iptables modules". Added support for module "recent" and rules that match standard ip/icmp/udp/tcp protocols and at the same time module "mark", "length", "limit" or "recent". Rules like these are translated into a combination of a branching rule and additional rule in a branch rule set that implements module match.

Changes in the Standard Objects library

  • fixed #1483 "missing code in the custom service object ESTABLISHED for ProCurve"

Changes in libfwbuilder library

  • fixed #1485 "dns name object is recognized as an empty group when it appears in shared rule set"

Support for HP ProCurve

  • Added experimental support for HP ProCurve "intelligent" switches (L3). Code is based on the policy compiler for Cisco IOS extended access lists. Differences include ';' character for comments, different naming convention for Vlan interfaces ("VLAN 2", with a space), requirement to unbind an ACL from interface before it can be cleared, different syntax for vlan ACLs and ACLs bound to switch ports.

  • At the time of the release of v4.0.1, we were able to test code generation for ProCurve ACL but policy installer remains untested for the lack of hardware. We are going to work on the installer over the next few months to make sure it works in the next point version release of fwbuilder.

Changes in support for iptables

  • fixed #1455 Function update_addresses() (host OS linux24 and derivatives) uses both ip and ifconfig. Should stick with /sbin/ip so the script works on systems where ifconfig is not installed.

  • fixed #1458 Should permit interface name "br-lan" for bridge interface on Linux. Bridge interfaces on Linux can have any name, including those with "-". OpenWRT creates bridge interface with the name "br-lan" by default.

Changes in support for DD-WRT

  • fixes #1448 "need to commit nvram changes on DD-WRT".

Changes in support for Cisco IOS ACL

  • Compiler uses new configlet "safety_net" to add temporary ACL for the "safety net" install method.

  • restored function of the "comment the code" in the "Script options" of the firewall settings dialog for Cisco IOS ACL and ProCurve ACL. When this checkbox is off, comments are not added to generated script.

Firewall Builder 4.0.0 Release Notes

Changes in the GUI

  • The editor panel and object tree are now detachable. You can "float" these windows and rearrange them on the screen any way you want. There is only one editor panel even when you open several data files at the same time. Each data file is opened in its own project window with object tree and rules.

  • Selection of the object in the tree or rules does not automatically open it in the editor anymore. Use double click or context menu item "Edit" to open object in the editor. This helps, for example, when you need to populate large object group and need to switch between libraries to find objects. Switching to another library or accidentally clicking on a wrong object in the tree does not cause editor to switch.

  • Full implementation of the "undo" facility for all operations in the GUI. You can also monitor undo stack in the "Undo stack window" that you can open using main menu item "View/Undo Stack".

  • Behavior of all object dialogs has changed. According to the results of the user community opinion poll and discussion, object dialogs are losing button "Apply". All changes made in dialog entry fields are saved into the object immediately. This does not change the data in the .fwb file, only objects in memory. Combined with Undo, this allows for faster object editing and roll back of changes.

  • "Single rule compile": After you select a rule in policy or NAT rule set, you can compile it and see the result in the editor panel immediately if you hit "X" on the keyboard or use context menu that appears if you click right mouse button. The result is shown in the editor panel immediately. To select a rule click anywhere in it (any rule element, not just rule number).

  • Error and warning messages generated by the policy compilers are highlighted using red and blue colors in the compiler output panel when you compile single rule. When you compile all rules of the firewall using toolbar buttons or main menu items "Compile" or "Install", errors and warnings are also highlighted in the dialog. Clicking on the error or warning message opens corresponding firewall and selects the rule that caused it.

  • A new "Filter" input field is located above the object tree. Typing a fragment of a name in this field automatically limits the set of objects shown in the tree to those that match what was typed. The filter maintains a history of strings entered in it for the duration of the session.

  • Right above the panel showing rules there are now two new buttons. These allow you to compile and install policy for the firewall object shown in the rules panel at the moment. The same functions are available via context menu associated with the firewall or cluster object in the object tree, but these buttons are easier to use.

  • The GUI can show a brief summary of object attributes in the second column of the object tree. This is controlled by a checkbox in the global preferences dialog, tab "Objects", and is off by default. The first column always shows the object icon and its name; the second (optional) column shows its attributes. The interface label is shown in the second column. The width of both columns in the tree is set automatically to accommodate all the text and can then be adjusted by the user with the mouse. Column width is saved in settings per file and per library and is restored upon program restart.

  • Now you can change ip addresses of interfaces of the new firewall created from a template. Templates come preconfigured with some IP addresses which probably do not match addresses used on your networks. When you create new firewall object from a template, the "new firewall" wizard includes interface editor page where you can change addresses and interface types (static or dynamic). The program not only changes addresses of interfaces, it also scans policy and NAT rules of the template looking for network objects that match original template addresses and replaces them with network objects that match new ones.

  • "Add object to a group directly from the group dialog": the group object dialog now has a button that shows a menu when clicked; this menu allows you to create a new object and add it to the group in one operation.

  • Password caching: Built-in installer can remember firewall password (and enable password for Cisco) for the duration of the session. Passwords are never stored permanently in any form, encrypted or plain text, they are only kept in memory of working Firewall Builder GUI instance. You need to enter password once when you activate generated policy. If you keep the program open and need to modify and activate policy again, the password fields in the installer dialog can be filled automatically. The feature is optional and is off by default. Cached passwords are associated with the firewall object and account name used to activate policy. To use this feature, turn it on in Preferences and configure user name used to authenticate to the firewall in the "advanced" settings dialog of the firewall object. Warning: using this feature creates certain risk if working Firewall Builder GUI is left unattended on the unlocked workstation. Someone may walk up to the machine and make changes to the firewall using cached password of the administrator who used the same GUI session before. Always lock the screen or exit Firewall Builder GUI when leaving computer.

  • The program supports new types of interfaces: VLAN, bridge, bonding. This is fully implemented for Linux and partially for other platforms. VLANs are added as child objects of an interface, like so:

    The GUI checks the name of the vlan subinterface against the naming convention for vlan interfaces on the chosen OS. For example, both "eth0.100" and "vlan100" are supported on Linux, while on Cisco IOS or PIX it should be "FastEthernet0/1.101".

    See below for more details on the bridge interfaces implementation.


  • The program can generate commands to configure vlans, bridges and bonding interfaces on Linux. This is off by default and controlled by checkboxes in the "script" tab of the firewall object dialog. Generated script adds and removes vlans, bridges, bridge ports, bond and bond slaves incrementally. That is, the script analyzes existing vlan interfaces and compares them with vlan interfaces defined in the Firewall Builder GUI and then adds new ones and removes those that do not exist in fwbuilder. The same algorithm is used to create bridges, add or remove bridge ports and create bonds and then add or remove slave interfaces.
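    The reconciliation step described in this item, as an added example written for these notes rather than taken from fwbuilder's generated script: it reads the VLAN subinterfaces the kernel currently has, compares them with the set defined in the GUI, and only adds or deletes the difference. The `ip -o link show` output is a constructed sample, the function names and the DRY_RUN switch are this example's own, and it assumes the "eth0.100" naming form (the "vlan100" form the GUI also accepts on Linux would need a different way to recover the parent and id).

```shell
#!/bin/sh
# Added example of the incremental VLAN management described in the notes;
# not the script Firewall Builder generates. DRY_RUN=1 prints the ip commands
# instead of executing them (the default here, so the script is safe to run).

DRY_RUN=${DRY_RUN:-1}

# run CMD...: execute CMD, or print it when DRY_RUN is set.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# set_diff "A" "B": print the words of A that do not occur in B, one per line.
set_diff() {
    for a in $1; do
        found=0
        for b in $2; do
            [ "$a" = "$b" ] && found=1 && break
        done
        [ "$found" -eq 0 ] && echo "$a"
    done
    return 0
}

# vlans_from_ip_link TEXT: extract VLAN subinterface names from `ip -o link show`
# output. A VLAN shows up as "3: eth0.100@eth0: <...>"; we keep "eth0.100".
# Assumes the parent.vid naming form (e.g. eth0.100), not vlan100.
vlans_from_ip_link() {
    printf '%s\n' "$1" | awk -F'[: @]+' '$2 ~ /^[a-z0-9]+\.[0-9]+$/ { print $2 }'
}

# reconcile_vlans WANTED EXISTING: create the VLANs in WANTED that are missing,
# delete the ones in EXISTING that the GUI no longer defines, leave the rest alone.
reconcile_vlans() {
    wanted=$1
    existing=$2
    for v in $(set_diff "$wanted" "$existing"); do
        parent=${v%.*}      # "eth0" from "eth0.200"
        vid=${v##*.}        # "200" from "eth0.200"
        run ip link add link "$parent" name "$v" type vlan id "$vid"
        run ip link set "$v" up
    done
    for v in $(set_diff "$existing" "$wanted"); do
        run ip link del "$v"
    done
}

# Constructed sample of `ip -o link show` output (made up for this example):
# the host currently has eth0.100 and eth0.300.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth0.100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
4: eth0.300@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP'

# The VLANs defined in the GUI (assumed for the example): .100 stays, .200 is
# new, and .300 is no longer defined, so it gets removed.
WANTED_VLANS="eth0.100 eth0.200"

EXISTING_VLANS=$(vlans_from_ip_link "$SAMPLE_IP_LINK")
reconcile_vlans "$WANTED_VLANS" "$EXISTING_VLANS"
```

    Run as-is it only prints the three `ip link` commands the difference calls for; the same two-way set difference is what makes the script safe to re-run, since an unchanged configuration produces no commands at all.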

  • Configlets: generated firewall script (for all platforms) is assembled from small fragments we call "configlets". These fragments are located in the "/usr/share/fwbuilder/configlets" (on Linux). Each configlet is a template that uses specially defined macros which the program replaces with actual strings and values when it generates firewall configuration. There are separate templates for different firewall platforms and for different parts of the configuration file to be created. Supported macros include simple variable expansion and conditional "If - then" construct. You can override configlets we provide with your own if you create directory "fwbuilder/configlets" in your home directory and place files with the same name there. You need to retain the structure of subdirectories inside this directory, that is, the directory should be "$HOME/fwbuilder/configlets/linux24" for the configlets installed in "linux24" subdirectory under "/usr/share/fwbuilder/configlets". This way, you can change virtually all aspects of generated configuration file.

  • Built-in policy installer gets commands that it needs to execute on the firewall from configlets. Two configlets are used for Unix-based firewalls (Linux, OpenWRT, DD-WRT Sveasoft, IPCOP and its variants, OpenBSD, FreeBSD, MacOSX, Solaris): "installer_commands_reg_user" and "installer_commands_root". You can change the behavior of the installer without having to touch C++ code, just create a copy of the configlet file in $HOME/fwbuilder/configlets and modify it.

  • Terminology for policy rule actions that create branching in the rule set or tag packets has been unified. Now we call these actions "Branch" and "Tag" for all platforms. Before, the name was different and matched original action on each platform, that is for PF it was "Anchor" and "Tag" and for iptables "Chain" and "Mark" respectively.

  • "Find where used" function can now find all uses of the given object, as well as all uses of its children. For example, if the object is firewall, then this function can find all groups and rules that refer to it directly, or to it and all its interfaces and their addresses. This extension is optional, it is controlled by a checkbox in the "Find" dialog.

  • Added a place in the global Preferences dialog for options specific for different object types. First parameters include options for DNSName and AddressTable to let the user decide if the newly created objects of these types should be automatically configured with "Compile Time" or "Run Time" mode. Also, added an option that makes DNSName object editor copy the name of the object into the DNS record input field when new object is created or whenever the name changes. This is useful when the user does not want to keep object name and dns record different because they need to enter the name only once.

  • "Batch install" checkbox moved to the page that shows compiler progress, so the user can decide to do a batch install right before performing the installation instead of before starting the compile.

  • Standard objects library now comes with new IPv6 Network objects. These objects represent IPv6 networks that should not be routed on the Internet. Included: RFC3849 "Documentation Network" 2001:db8::; RFC4291 "Link local" fe80::/10; RFC4773 "Experimental Network" 2001:0000::/29 to 2001:01F8::/29. Also added a group "ipv6 private" that includes all these networks.

  • Added GUI elements to support IP option "router-alert" which is now available as an attribute of IPService object.

Changes in the Standard Objects library

  • Added address objects for standard multicast groups: all-hosts, all-routers, all DVMRP, OSPF, RIP, EIGRP, DHCP server / relay agent, PIM, RSVP-ENCAPSULATION, VRRP, IGMP, OSPFIGP-TE, HSRP, mDNS, Link-local Multicast Name Resolution, Teredo.

Common changes in all policy compilers

  • All compilers issue a warning when the firewall has no top level NAT or Policy rule set. The top rule set is used to generate iptables rules in the built-in chains INPUT/OUTPUT/FORWARD or the rules in the main PF configuration file (not anchors). If the firewall object has other, non-top Policy and NAT rule sets but no top rule set, packets will never reach any rules. However, there are legitimate cases when an administrator may want to use fwbuilder only to generate iptables commands for a custom chain or configuration for a custom PF anchor, in which case this is not an error. Compilers generate a warning for this condition to bring it to the attention of the administrator but continue processing the rules.

Support for High Availability configurations

Test data file cluster.fwb with examples of different cluster configurations is available for download here.

Firewall Builder Users Guide 4.0 has several chapters that offer explanation of the cluster support and provide detailed step by step tutorials that demonstrate how to create cluster configuration in Firewall Builder GUI and show generated firewall configuration.

Chapter that describes firewall cluster configurations: http://www.fwbuilder.org/4.0/docs/users_guide/clusters.html

Examples of cluster configurations on Linux with vrrpd and heartbeat: http://www.fwbuilder.org/4.0/docs/users_guide/cluster-cookbook.html

New object type "Cluster" (located under Clusters in the tree) represents the HA pair. You configure policy and NAT rules in the rule sets of this object rather than in the actual firewalls.

Here is what you need to do to set up HA configuration:

  • Create your firewall objects. Assign platform and host OS and name interfaces as usual. Do not add any policy or NAT rules. These are your real (member) firewalls. Interfaces should have their real IP addresses (not CARP or VRRP addresses).
  • Create a Cluster object which you configure with proper platform and host OS. Use the usual "New Object" menu or toolbar button to create this object. Note that in order for the firewall object to become a member of a cluster, their platform and host OS settings must match.
  • The program guides you through the process of creation of the new Cluster object using wizard-like dialog. You start with the list of firewall objects where you choose which firewalls should become members of the cluster. Next, the program finds interfaces of the member firewalls that have the same name and can be part of the cluster and creates cluster interfaces with the same name. Not all interfaces are eligible, for example bridge ports, bonding interface slaves or parents of vlan interfaces can not be used for the cluster. Cluster interfaces define failover groups. You can add, remove or rename cluster interfaces, as well as change which interfaces of the member firewalls are used with each one. On the next page of the wizard you can change failover protocols and add, remove or change IP addresses of cluster interfaces. Not all failover protocols require IP addresses, for example VRRP or CARP do but heartbeat or OpenAIS don't. Finally, you can choose to use policy and NAT rules of one of the member firewalls to populate Policy and NAT rule sets of the new cluster. If this is done, all references to the original member firewall and its interfaces in rules are replaced with references to the cluster and its interfaces. The program also creates backup copies of the member firewall objects with the name with suffix "-bak" and clears Policy and NAT rule sets of the member firewall objects used with the cluster before new cluster is created.
  • OpenBSD or FreeBSD cluster gets carp interfaces. Name them "carp0", "carp1" or whatever indexes they have on your machines. You can add CARP password and ID at the same time, but if you don't, you can add them later.
  • If you use heartbeat or OpenAIS (on Linux) for failover, cluster interfaces should have the same names as corresponding member firewall interfaces. In this case, cluster interfaces are virtual entities that represent interfaces of the corresponding member firewalls. The program will make substitution when it compiles rules. This is also how it works for PIX failover configuration.
  • Each cluster interface has child "Failover group" object with the name "firewall:carp0:members" or similar. This is where you configure associated member firewall interfaces. Double click this object in the tree and then click "Manage Members" button in the dialog. Select interfaces of the member firewalls in the panel on the left hand side and click arrow button to add them to the list on the right. Use checkbox to select master. Click OK when done. The platform and host OS of the cluster object and members must match, otherwise firewall objects do not appear in the "members" dialog panel.
  • Besides interfaces, the Cluster object has a new child object "State Sync Group". This group represents state synchronization protocol. Currently pfsync is supported for OpenBSD and conntrackd for Linux. To configure, double click it in the tree to open it in the dialog and click "Manage Members". Select interfaces of the member firewalls in the panel on the left hand side and click arrow button to add them to the list on the right. Use checkbox to select master. Click OK when done. They should appear in the "members" table in the State Sync Group dialog. The platform and host OS of the cluster object and members must match, otherwise firewall objects do not appear in the "members" dialog panel.
  • Button "Edit protocol parameters" allows you to edit some parameters for chosen failover protocol. This is where you can configure an address and port for heartbeat and OpenAIS.
  • There are few new checkboxes in the "Script" tab of the firewall object dialog. These allow you to control whether the program will add shell commands to create and configure bonding, bridge and VLAN interfaces.
  • Compile by clicking right mouse button on the cluster object and using menu item "Compile". This will in fact compile each member firewall separately so you'll get .fw and .conf files for both of them.
  • Again, you configure all the rules in the policy and NAT rule sets that belong to the cluster object. If you put cluster's interfaces in rules, the program replaces them with interfaces of the member firewall when it compiles rules. If you put cluster object in a rule, it is like if you put member firewall object there instead, except the program automatically picks the member firewall it compiles the policy for.
  • First, the program looks at Policy and NAT rule set objects of the cluster and member firewalls and compares their names. If there is rule set object with the same name in both the cluster and member firewall and both have non-zero number of rules, the rule set object from the member is used and the one from the cluster is ignored. The program prints a warning message when this is done. If rule set objects with the same name exist but the one in the member firewall has zero rules, it is ignored and the one from the cluster is used (no warning is issued). Likewise, if there are rule sets with the same name but the one in the cluster has zero rules, it is ignored.
  • Here is what you need to do if you want to have most rules defined in the cluster so they will translate into rules for all member firewalls, but have some rules defined in the members so you can make configurations of the members slightly different:
    • Create a separate rule set object in the cluster and in each member. Use a name different from "Policy" or "NAT". Let's use the name "member_override".
    • Create a rule with action "Branch" in the main Policy or NAT rule set of the cluster, drag rule set object "member_override" that belongs to the cluster to the well in the Branch action parameters dialog.
    • Leave "member_override" rule set that is a child of the cluster object empty (no rules)
    • Add rules to the rule set "member_override" in each member firewall
    • Make sure rule set "member_override" is not marked as "Top ruleset" in the cluster and each member. This rule set translates into user-defined chain (iptables) or anchor (PF) and should not be the "top ruleset".
    This method works for both policy and NAT rules for all platforms.

Cluster configuration for PIX

Firewall Builder supports PIX "lan based" failover configuration. Unlike in Linux or BSD, where each interface of the firewall runs its own instance of failover protocol, PIX runs one instance of failover protocol over dedicated interface. PIX can also run state synchronization protocol over the same or another dedicated interface. These dedicated interfaces should be connected via separate switch and do not see regular traffic. Here is how this is implemented in Firewall Builder:

  • Like with all other supported firewall platforms, interface objects that belong to a cluster object serve to establish association between actual interfaces of the member firewalls. Cluster interface object should have the same name as corresponding member firewall interfaces. It should have Failover Group child object which should be configured with interfaces of the member firewalls. You can create Failover Group object using context menu item "Add Failover Group", the menu appears when you right mouse click on the cluster interface object. Here is an example of correct interface mapping between cluster and member firewalls:
  • The Failover Group object "cluster1:e0.101:members" is configured with interfaces "Ethernet0.101" of both members:

  • Interface that is configured for the failover on the member firewall should be marked as "Dedicated Failover". Use checkbox with this name in the interface object dialog to do this.
  • Cluster interface that corresponds to the failover interface of the members should be configured with protocol "PIX failover protocol". Click on the "Edit protocol parameters" button to edit timeout, poll time and the key.
  • Cluster interfaces that represent regular interfaces of the members also must have failover group objects; that is where you add interfaces of the member firewalls. There is no need to configure protocol in these failover groups because PIX does not run it over these interfaces. Regular interfaces should not be marked as "Dedicated Failover".
  • Cluster object should have State Synchronization group child object. Create it using context menu "Add State Synchronization Group" item if this object does not exist. In this object you need to configure member interfaces that should be used for state synchronization. You can use separate dedicated interfaces or the same interfaces used for failover. If these are separate, corresponding interface objects of the member firewalls must be marked as "Dedicated Failover".
  • One of the member firewall interfaces used in the State Synchronization group must be marked as "master". This is where you define which PIX unit is going to be the primary and which is going to be the secondary in the HA pair.
  • Here is an example of the state synchronization and failover using the same interface Ethernet2:

    The State Synchronization Group object "State Sync Group" is configured with interfaces "Ethernet2" of both members:

  • Dedicated failover interfaces of the member firewalls must have IP addresses and these addresses must be different but belong to the same subnet.

Built-in policy installer treats PIX clusters in a special way:

  • For the PIX cluster, built-in installer installs generated configuration only on the master PIX unit. It determines which one is the master by looking in the StateSyncGroup object (state synchronization cluster group).
  • Dialog where user enters authentication credentials and other parameters for the installer has a checkbox that makes installer initiate copy of the configuration to the standby PIX if installation was successful.

Changes in the support for bridging firewalls

Skip this if you do not use Firewall Builder to configure iptables firewalls in bridging configuration. Otherwise, please read on.

Previous versions of Firewall Builder provided an attribute "bridge port" in the dialog of the Interface object. If an interface marked as "bridge port" was used in the "Interface" column of a policy rule, fwbuilder policy compiler used "--physdev-in" or "--physdev-out" option instead of conventional "-i" or "-o" option. The attribute "bridge port" has been deprecated in the new version. You need to make changes to your firewall and interface objects manually in order to make your old configurations compile properly with new version of Firewall Builder.

First, check if you have an interface object to represent the bridge. Usually it will have a name br0 or similar. If you do not have this interface object in the firewall in Firewall Builder, please create it. Regardless whether this object existed before or you just created it, open it in the editor and click "Advanced Interface Settings" button in the dialog. This button and the dialog it opens are new in this version of the program. In the dialog that appears use drop-down menu "Device Type" to set its type to "Bridge". Then click "OK" to close the dialog and save configuration.

Next, find the interface objects that should represent bridge ports and simply drag them and drop them under the interface br0 (copy/paste works too). In the end, these interfaces become "children" of br0 and are located in the branch of the tree rooted at br0. The program displays the comment "bridge port" next to the name of such an interface in the tree. Here is how it looks:

In this configuration we have bridge interface br0 and two bridge ports eth0 and eth1. Note how eth0 and eth1 are located in the tree under br0, on the same level as its IP address object.

This is it, bridge port interfaces will be recognized by the program again and it will generate proper iptables configuration.

Changes in support for iptables

  • When an interface with a dynamic address is used in a policy or NAT rule, the compiler generates shell script code that reads its ip addresses at the time of execution, assigns them to temporary shell variables and uses them in rules. In previous versions (fwbuilder v2 and v3) only the first IPv4 address of an interface was used. V4 uses all IPv4 and IPv6 addresses of the interface by creating a shell "for" loop in the script. Note that support for dynamic IPv6 addresses was completely broken in v3; it is fixed in v4.

  • Policy compiler for iptables can generate shell commands to configure bridge, bonding and vlan interfaces (see above).

  • Added support for branching rules in NAT.

  • Added support for option "--random" in SNAT rules

  • "SNAT instead of MASQUERADE on dynamic interfaces". The NAT rule options dialog now has a checkbox that makes the compiler use the SNAT target instead of MASQUERADE when TSrc has a dynamic interface. Apparently the MASQUERADE target has problems when iptables NAT is used in combination with policy routing. Using SNAT with a variable that holds the interface address solves the problem. By default this option is off, that is, the compiler uses the MASQUERADE target when TSrc has a dynamic interface.
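    How the run-time address variable from the first item in this section and the SNAT option above fit together, as an added example written for these notes (not the script fwbuilder generates): the interface addresses are read when the script runs, held in a variable, every address is used through a "for" loop, and the SNAT form of the rule names one of those addresses where MASQUERADE names none. The `ip -o -4 addr` output is a constructed sample, the function names and the DRY_RUN switch are this example's own, and taking the first address for --to-source is this example's choice, since the notes do not say which address the generated script picks.

```shell
#!/bin/sh
# Added example, not fwbuilder's generated script: rules that refer to an
# interface with a dynamic address, with the addresses resolved at run time.
# DRY_RUN=1 (the default here) prints the iptables commands instead of running them.

IPTABLES=iptables
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# iface_v4_addrs TEXT: bare IPv4 addresses (prefix length stripped) from the
# output of `ip -o -4 addr show dev IFACE`, one per line. On a real firewall
# TEXT would come from running that command when the script starts.
iface_v4_addrs() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }'
}

# accept_ssh_to_iface IFACE ADDRS: one INPUT rule per address, so a rule that
# says "ssh to the firewall on eth0" covers every address the interface holds
# (earlier versions used only the first one).
accept_ssh_to_iface() {
    iface=$1
    addrs=$2
    for a in $addrs; do
        run $IPTABLES -A INPUT -i "$iface" -d "$a" -p tcp --dport 22 -j ACCEPT
    done
}

# masq_rule IFACE NET: the default form; no address is needed because the
# kernel picks the outgoing interface's address for every packet.
masq_rule() {
    run $IPTABLES -t nat -A POSTROUTING -o "$1" -s "$2" -j MASQUERADE
}

# snat_rule IFACE NET ADDRS: the "SNAT instead of MASQUERADE" form. SNAT needs
# an explicit address, so it is taken from the run-time variable. This example
# uses the first address (an assumption; the notes do not say which one the
# generated script picks). If the dynamic interface has no address yet, no
# rule is emitted rather than an invalid one with an empty --to-source.
snat_rule() {
    iface=$1
    net=$2
    set -- $3
    first=${1:-}
    if [ -z "$first" ]; then
        echo "# $iface has no address, SNAT rule skipped" >&2
        return 0
    fi
    run $IPTABLES -t nat -A POSTROUTING -o "$iface" -s "$net" -j SNAT --to-source "$first"
}

# Constructed sample of `ip -o -4 addr show dev eth0` (made up for this example):
# eth0 currently holds two addresses.
SAMPLE_V4='2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.11/24 brd 203.0.113.255 scope global secondary eth0\       valid_lft forever preferred_lft forever'

ETH0_ADDRS=$(iface_v4_addrs "$SAMPLE_V4")   # the temporary shell variable the notes describe
accept_ssh_to_iface eth0 "$ETH0_ADDRS"
masq_rule eth0 192.0.2.0/24
snat_rule eth0 192.0.2.0/24 "$ETH0_ADDRS"
```

    The point of the empty-address check is the failure mode a dynamic interface has at boot: if the address has not been assigned yet, an SNAT rule with an empty --to-source would make iptables reject the whole command, whereas MASQUERADE needs no address at all.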

  • Generated script can adjust conntrack kernel module parameters to tune its performance for firewalls that handle heavy traffic.

  • Generated iptables script now has the standard structure per LSB ("Linux Standard Base Core Specification 3.1"). The script has the following actions controlled by command line arguments: "start", "stop", "reload", "status". Action "start" reconfigures interfaces, then flushes current iptables tables and chains and loads the new iptables configuration. Action "stop" flushes all tables and chains and sets the default policy in all chains to "DROP" to shut down the firewall to all kinds of traffic; it can also optionally install iptables rules to permit ssh access to the firewall from the management workstation. Action "status" returns a return code per the LSB specification: code 0 means the firewall is loaded and running (but it does not check that the rules it is running with are those defined in fwbuilder); return code 3 means iptables modules are not loaded or there are no tables, that is, the firewall is not running or not configured. The script also supports additional actions "interfaces" and "test_interfaces". Action "interfaces" only runs the commands that manage ip addresses of interfaces and configure vlan, bridge and bonding interfaces. Action "test_interfaces" runs the same commands in test mode, printing the commands that would be executed without actually executing them.
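    The action structure described in this item, as an added example written for these notes and not the script fwbuilder generates: start, stop and status actions, with "stop" closing the firewall to everything except ssh from the management workstation and "status" returning 0 or 3 as the LSB specifies. The management address, the function names and the DRY_RUN switch are this example's own, and reading the loaded table names from /proc/net/ip_tables_names is this example's way of detecting loaded tables; interface management is left out.

```shell
#!/bin/sh
# Added example, not fwbuilder's generated script: the LSB-style action layout
# of an iptables script. DRY_RUN=1 (the default here) prints the iptables
# commands instead of executing them.

IPTABLES=iptables
DRY_RUN=${DRY_RUN:-1}
MGMT_ADDR=192.0.2.50   # management workstation address (constructed value)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# flush_all: empty and delete chains in every table, as both start and stop do.
flush_all() {
    for t in filter nat mangle; do
        run $IPTABLES -t $t -F
        run $IPTABLES -t $t -X
    done
}

# set_policy TARGET: default policy for the three built-in filter chains.
set_policy() {
    for c in INPUT OUTPUT FORWARD; do
        run $IPTABLES -P "$c" "$1"
    done
}

# fw_start: flush, drop by default, then load the policy (two placeholder
# rules stand in for the generated rule set).
fw_start() {
    flush_all
    set_policy DROP
    run $IPTABLES -A INPUT -i lo -j ACCEPT
    run $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# fw_stop [KEEP_SSH]: shut the firewall to all traffic; with KEEP_SSH=1 also
# permit ssh from the management workstation so the box stays reachable.
fw_stop() {
    keep_ssh=${1:-1}
    flush_all
    set_policy DROP
    if [ "$keep_ssh" = 1 ]; then
        run $IPTABLES -A INPUT -s "$MGMT_ADDR" -p tcp --dport 22 -j ACCEPT
        run $IPTABLES -A OUTPUT -d "$MGMT_ADDR" -p tcp --sport 22 -j ACCEPT
    fi
}

# status_code TABLES: LSB exit code from the list of loaded ip_tables tables.
# 0 = a firewall is loaded, 3 = modules not loaded or no tables. As in the
# generated script, this does not verify that the loaded rules are the ones
# defined in fwbuilder.
status_code() {
    if [ -n "$1" ]; then
        return 0
    fi
    return 3
}

# fw_status: read the loaded table names from the kernel and map them to the
# LSB code (this example's way of detecting loaded tables; empty on non-Linux).
fw_status() {
    status_code "$(cat /proc/net/ip_tables_names 2>/dev/null)"
}

main() {
    case "$1" in
        start)  fw_start ;;
        stop)   fw_stop 1 ;;
        status) fw_status ;;
        *)      echo "Usage: $0 {start|stop|status}" >&2; return 2 ;;
    esac
}

# Only dispatch when invoked with an action, so the functions can also be
# sourced and called individually.
if [ $# -gt 0 ]; then
    main "$@"
    exit $?
fi
```

    The "stop" action is the part worth reading closely: the default policy goes to DROP before any ACCEPT rule is appended, so there is no window in which the firewall is open, and the two ssh rules are the only thing distinguishing a stopped firewall that is still manageable from one that has locked its administrator out.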

  • Added support for negation in "-m limit --limit rate" and "-m connlimit --connlimit-above" clauses for iptables.

  • Option "--random" is now supported in all NAT rules (targets SNAT, DNAT, MASQUERADE)

  • Option "--persistent" is now supported in all NAT rules (targets SNAT, DNAT) if version is set to 1.4.3 or later in the firewall object.

  • Algorithm that finds policy rules that shadow each other can now recognize rules configured to use iptables modules "limit", "connlimit" and "hashlimit" and detects shadowing taking into account rate, burst and other parameters for these modules.

Support for IPCOP

Firewall Builder v4.0 comes with experimental integration with IPCOP firewalls. To turn it on, choose platform "iptables" and host OS "IPCOP firewall appliance". Generated script is supposed to be installed on the firewall as /etc/rc.d/rc.firewall.local and restarted by the command "/etc/rc.d/rc.firewall restart". Built-in policy installer in Firewall Builder GUI installs it using this name and runs restart command to activate it. Firewall Builder does not manage interfaces of IPCOP firewall to avoid conflicts with IPCOP itself, use fwbuilder only to generate iptables rules. The program comes with some template objects for IPCOP firewalls, you can use them when you create new Firewall object if you choose to create it from a template.

Support for OpenWRT

Another new host OS supported in Firewall Builder v4.0 is OpenWRT. To use fwbuilder with OpenWRT you need to install the following packages on the firewall using command "ipkg install package.ipk":

  • ip
  • ip6tables (if you need IPv6)
  • iptables-mod-extra
  • iptables-utils
  • kmod-ipt-extra
Firewall Builder uses the name "fwbuilder.fw" for the generated script for OpenWRT and places it in the directory "/etc/init.d/" on the firewall. To make the firewall run it during the boot sequence, install the script using the built-in policy installer or copy it to this directory manually, then run the command

    /etc/init.d/fwbuilder.fw enable

and disable the standard firewall script:

    /etc/init.d/firewall disable

To activate the firewall and load the policy generated by fwbuilder, use the command

    /etc/init.d/fwbuilder.fw start

To stop the firewall and block all traffic, use the command

    /etc/init.d/fwbuilder.fw stop

An option in the "Compiler" tab of the firewall object in the fwbuilder GUI allows you to make the firewall block all traffic when stopped but still permit ssh connections from the preconfigured address of the management machine.

This method works both on stable Kamikaze (v7.06) and the latest OpenWRT (v8.09 at the time of Firewall Builder v4.0 release).

In test mode fwbuilder copies generated firewall script to directory /tmp on the firewall.

Support for DD-WRT

This version of Firewall Builder introduces direct support for DD-WRT. There are two options: you can use nvram to install generated firewall policy or you can use jffs (journaling flash file system) on the device and store generated script there. Two host OS settings are provided: "DD-WRT (nvram)" and "DD-WRT (jffs)".

DD-WRT (nvram)

In this mode the generated script is somewhat shorter and does not support the command line arguments "start", "stop", "status". The script does not try to load iptables modules on the firewall but configures interface addresses, vlans, bridge ports and bonding interfaces. Built-in policy installer saves the script in nvram variable "fwb" and configures nvram variable "rc_firewall" to run this script.

DD-WRT (jffs)

First of all, you need to activate JFFS/JFFS2 (Journaling Flash File System) on the firewall. Instructions are provided in the DD-WRT wiki. Once jffs is mounted read-write, you also need to create directory "/jffs/firewall" where fwbuilder will store generated script. This is explained in this article in DD-WRT wiki.

When firewall is configured with host OS "dd-wrt (jffs)", built-in policy installer copies generated script to the file "/jffs/firewall/firewall.fs" on the firewall and configures nvram variable "rc_firewall" to call this script.

Note: recent builds of DD-WRT (tested with v24 and v24SP1) seem to disable JFFS for some reason. If you plan to use jffs method of installing firewall script, check if the version you run supports it.

Changes in support for PF

  • Added support for branching rules in NAT. Compiler generates keyword "anchor" if PF version is 4.3 or later and "nat-anchor" and "rdr-anchor" for earlier versions.

  • Optimization: rules that have several interface objects (or a group) in the "Interface" column are compiled using "{ }" grouping to produce only one configuration line instead of several for such rule.

  • Compiler for PF generates "allow-opts" keyword when IPService object used in the rule has IP options. This includes new option "router-alert".

  • Added support for pf state tracking options "no-sync" and "pflow". Set version to "4.5" or "4.6" in the firewall object to be able to use these new options.

  • Implemented support for incremental management of IP addresses of interfaces and VLAN pseudo-interfaces for OpenBSD and FreeBSD. The script analyzes existing vlan interfaces and compares them with vlan interfaces defined in the Firewall Builder GUI and then adds new ones and removes those that do not exist in fwbuilder.

  • OpenBSD 4.7 has changed the syntax of "nat" and "rdr" PF rules. These keywords are gone, corresponding translations are done using "nat-to" and "rdr-to" options in "pass" or "match" rules. Fwbuilder 4.0 adds support for this. The list of recognized versions for PF has been extended with "4.7", choosing this version number makes policy compiler generate nat and rdr rules using new syntax. Since the "no" keyword has been removed as well, fwbuilder can no longer generate "no nat" rules for 4.7. Policy compiler recognizes this as a fatal error, administrator should use negation to implement exceptions in NAT rule sets.

Changes in support for Cisco IOS ACL

  • Built-in installer can use the command scp to copy the IOS configuration to the router over ssh and then the command "copy file running-config" to activate it. This method is much faster than entering the configuration line by line. The router should be configured with ssh v2 and an scp server. This method can be combined with rollback (by reload or EEM). To use this method, turn on the checkbox in the tab "Installer" of the "advanced settings" dialog of the router object. Since this option is configured separately for each firewall object, you can have a mix of installation methods if some routers do not support scp.

  • For instructions on how to configure scp see Secure Copy. You need to do the following:

    • Create RSA keys
    • enable ssh v2 using command "ip ssh version 2"
    • enable scp server using command "ip scp server enable".
    • User account used to copy the policy should have privilege 15: "username vadim privilege 15 password 7 XXXXXXXXXXX".

  • To troubleshoot when scp is not working:

    • Test using command line scp tool rather than fwbuilder installer. Use "scp" on Linux and Mac OS X and "pscp.exe" on Windows like this: "scp file.fw router:nvram:file.fw"
    • check that ssh and scp are enabled on the router (see commands above)
    • check that user account has privilege 15
    • Use command "debug ip ssh" on the router to turn debugging on. Diagnostic messages that it prints to the console and to log may help you identify the problem

  • Note that installer does not use command "config replace" because configuration created by fwbuilder is incomplete and should be merged with running config rather than replace it.

  • Built-in policy installer uses EEM (Embedded Event Manager) on IOS 12.4 or later to schedule automatic configuration rollback instead of reloading the router. EEM appears in IOS 12.4 and supports background operations that can be triggered by some events on the router or by timers. In this new feature, fwbuilder creates EEM applet with a countdown timer that executes command "config replace nvram:startup-config force" when timer expires. User has the following options:

    • Schedule automatic rollback in a few minutes and install updated ACL configuration. This can be used to test new policy and revert to the original one after some short period of time. This also helps to avoid a situation when updated policy blocks access to the router because of an error; rolling back to the ACL configuration that was running before the update will restore access automatically.
    • Schedule rollback in a few minutes, install updated ACL but cancel rollback if installation of the new configuration was successful. This is mostly intended to prevent blocking access to the router in case of an error in the new ACL configuration. If fwbuilder was able to enter all lines of the new configuration all the way to the end, this means new configuration does not block access and installer executes command "no event manager applet fwbuilder-rollback" to cancel scheduled rollback.

    Since IOS versions before 12.4 do not have EEM, automatic rollback on these older versions is implemented by scheduling a router reload with command "reload in ". This hasn't changed since Firewall Builder v3.0.

  • Added support for the "dry run" installer option for Cisco routers. When this option is on, installer logs into the router and switches to the enable mode, but does not execute any actual commands. If scp is used to copy configuration to the router, installer will copy the file but will not activate it. This tests ssh session in general, login password, enable password and scp but does not make any changes to the router configuration.

  • Added support for the object-group statement in generated IOS configuration. This helps reduce the size of the generated access lists when the router should match long lists of IP addresses or ports. Both "network" and "service" object-groups are supported. This feature is controlled by a checkbox in the "Advanced" settings dialog of the firewall object; it requires IOS v12.4(20)T or later and is off by default. Check if your version of IOS supports the "object-group" command before using!

  • Policy rule option "Add mirrored rule" (controlled by a checkbox in the rule options dialog) makes policy compiler for IOS ACL automatically create a rule with mirrored source and destination addresses and service fields. This can be used to match "reply" packets using address and service parameters matched by this rule. The action of the mirrored rule is the same as that of this one. Firewall Builder recognizes the following services and creates "mirrored" versions as follows:

    • UDP service: mirrored service has source and destination port ranges reversed
    • TCP service: mirrored service has source and destination port ranges reversed and "established" flag inverted. If TCP service used in this rule does not have "established" flag, the mirrored service gets it, and the other way around. This is designed to simplify creating ACL rules to permit "reply" TCP packets
    • ICMP service: ICMP echo request is recognized, mirrored service becomes ICMP echo reply. Other ICMP types are simply copied to the mirrored service
    • ICMPv6 service: like with ICMP, ICMP echo request is recognized and other ICMPv6 types are just copied
    • IP service: mirrored service is a copy
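The mirroring behaviour listed above, written out as a small Python model (an added example, not fwbuilder's own code). The Service and Rule classes, the IOS-style ACL rendering and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

PortRange = Tuple[int, int]          # inclusive (low, high); (0, 65535) means "any"
ANY_PORT: PortRange = (0, 65535)

@dataclass(frozen=True)
class Service:                       # hypothetical model of a fwbuilder service object
    proto: str                       # "udp", "tcp", "icmp", "icmpv6" or "ip"
    src_ports: PortRange = ANY_PORT
    dst_ports: PortRange = ANY_PORT
    established: bool = False        # TCP only
    icmp_type: Optional[int] = None  # ICMP / ICMPv6 type, None = any

ECHO_REQUEST = {"icmp": 8, "icmpv6": 128}
ECHO_REPLY = {"icmp": 0, "icmpv6": 129}

def mirror_service(svc: Service) -> Service:
    """Build the 'reply' service exactly as the release notes describe."""
    if svc.proto == "udp":           # swap port ranges
        return replace(svc, src_ports=svc.dst_ports, dst_ports=svc.src_ports)
    if svc.proto == "tcp":           # swap port ranges and invert 'established'
        return replace(svc, src_ports=svc.dst_ports, dst_ports=svc.src_ports,
                       established=not svc.established)
    if svc.proto in ECHO_REQUEST:    # echo request -> echo reply, other types copied
        if svc.icmp_type == ECHO_REQUEST[svc.proto]:
            return replace(svc, icmp_type=ECHO_REPLY[svc.proto])
        return svc
    return svc                       # plain IP service: a copy

@dataclass(frozen=True)
class Rule:                          # hypothetical policy rule: addresses are IOS ACL tokens
    src: str
    dst: str
    service: Service
    action: str = "permit"

def mirror_rule(rule: Rule) -> Rule:
    """Swap source and destination, mirror the service, keep the action."""
    return Rule(rule.dst, rule.src, mirror_service(rule.service), rule.action)

def _ports(r: PortRange) -> str:
    if r == ANY_PORT:
        return ""
    return f" eq {r[0]}" if r[0] == r[1] else f" range {r[0]} {r[1]}"

def to_acl_line(rule: Rule) -> str:
    """Render one IOS-style ACL entry (simplified; assumed format)."""
    s = rule.service
    line = f"{rule.action} {s.proto} {rule.src}{_ports(s.src_ports)} {rule.dst}{_ports(s.dst_ports)}"
    if s.proto == "tcp" and s.established:
        line += " established"
    if s.proto in ECHO_REQUEST and s.icmp_type is not None:
        line += f" {s.icmp_type}"
    return line
```

Mirroring a "permit tcp host 10.0.0.5 range 1024 65535 any eq 22" rule yields "permit tcp any eq 22 host 10.0.0.5 range 1024 65535 established", which is the reply-matching entry the option is meant to produce.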

Changes in support for Cisco ASA (PIX)

  • Built-in installer can use command scp to copy generated configuration to the firewall and then command "copy file running-config" to activate it. This method is much faster than running configuration line by line. The firewall should be configured with ssh v2 and scp server. This method can be combined with rollback. To use this method, turn on the checkbox in the tab "Installer" of the "advanced settings" dialog of the PIX firewall. Since this option is configured separately for each firewall object, you can have a mix of installation methods if some firewalls do not support scp.

    To configure scp on the PIX firewall you need to do the following:

    • Create RSA keys
    • enable ssh v2 using command "ssh version 2" in configuration mode
    • enable scp using command "ssh scopy enable" in configuration mode
    • make sure user account used to copy configuration has "privilege 15": "username fwbadmin password XXXXXXX privilege 15"

    To troubleshoot when scp is not working:

    • Test using command line scp tool rather than fwbuilder installer. Use "scp" on Linux and Mac OS X and "pscp.exe" on Windows like this: "scp file.fw firewall:flash:file.fw"
    • check that ssh and scopy are enabled on the firewall
    • check that user account has privilege 15
    • Use command "debug ssh 10" on PIX to turn debugging on. Diagnostic messages that it prints to the console and to log may help you identify the problem

    Note that when fwbuilder uses command "copy file.fw running-config" to activate the uploaded policy, the firewall does not echo the configuration lines as they are applied. If there are errors, they are printed, but the lines they refer to are not. Some configuration lines trigger errors because they try to configure things that are already configured, such as some parameters of interfaces, global pools, etc.

    Generated PIX configuration will include commands that enable ssh v2 and enable scopy if this option is turned on to make sure they stay enabled after configuration is reloaded from the file.

  • When certain PIX configuration commands are executed again during a configuration update, PIX reports this as an error. Commands that fall into this category are "inspect", "service-policy" and some "failover" commands, to name a few. To avoid this kind of error while updating PIX using the built-in installer, and to avoid entering commands for parts of the configuration that do not change often, you can use the checkbox "Generate only access-list, access-group... commands" in the "Script" tab of the PIX firewall "advanced" options dialog. If this checkbox is on, the generated configuration file will only include "access-list", "access-group", "telnet", "ssh", "nat", "global" and "static" commands.

Changes in the command line tool fwbedit

User can now merge objects from two data files together using command line tool fwbedit just like the "Import library" function in the GUI.


Copyright © 2000-2008 NetCitadel, LLC. All rights reserved.