V4.2 Phase 2 Beta

In addition to bug fixes and minor enhancements, Firewall Builder V4.2 adds the following new features:

The following provides a brief overview of these new features to help users with beta testing them. Please report any bugs on SourceForge Tickets

---

Interfaces in NAT rules

This feature gives users more flexibility to craft narrow NAT rules that should match specific traffic and interface combinations.

• iptables
  • You can optionally specify "In Interface", "Out Interface", or both for each NAT rule which will correspond to -i and -o flags in iptables rules.
  • The default value is "Auto" which is the same as pre-V4.2 behavior where Firewall Builder attempts to select interfaces based on sources, destinations, NAT type, etc.
• Cisco ASA and Cisco PIX
  • You can optionally specify "In Interface" and "Out Interface" for each NAT rule.
    • For ASA and PIX versions prior to 8.3, the "In Interface" is the inbound interface associated with the static(), nat() and global() commands and the "Out Interface" is the outbound interface for these same commands.
    • For ASA and PIX version 8.3, the "In Interface" is the interface associated with the "inside" interface in the nat(<inside>,<outside>) command and the "Out Interface" is the interface associated with the "outside" interface in the nat(<inside>,<outside>) command.
  • The default value is "Auto" which is the same as pre-V4.2 behavior. When the Interface values are set to "Auto" Firewall Builder will use the configured Network Zone of the firewall interfaces to determine the appropriate interface names for the nat commands.
• pf
  • For pf NAT rules theres is only one "Interface" column. The value in this field corresponds to the value used in the "nat on " and "rdr on " rules.
  • The default value is "Auto" which is the same as pre-V4.2 behavior where Firewall Builder will attempt to determine the interface based on sources, destinations, NAT type, etc.
• Interfaces in NAT rules are not supported on ipfilter platforms.

---

Bridge Interface and Static Routing for BSD Platforms

Firewall Builder V4.2 adds the ability to configure and manage bridge interfaces and static routes for BSD platforms.

Bridge Interfaces

Bridge interfaces are configured in the same general way as documented in the Users Guide for creating bridge interfaces on Linux systems:

Users Guide - Bridge Interfaces

NOTE: be sure to update the Firewall Settings -> Script -> "Configure bridge interfaces" checkbox if you would like the Firewall Builder generated script to create the bridge interfaces for you.

Static Routing

Configure static routing as defined in the Users Guide:

Routing Policy

Note: you cannot define "Interface" for BSD static routes so that column is not displayed in the Routing policy.

---

Ability to generate FreeBSD system configurations in rc.conf format

Firewall Builder V4.2 adds the ability to choose to generate system configuration for interfaces, routes, etc. in rc.conf format instead of as a shell script. To enable this, go to the Firewall Settings -> Script menu and select the "file in rc.conf format" radial button.

You can control the name of the generated rc.conf format file in the Firewall Settings -> Compiler menu. Here you can set both the name of the generated files on the local system as well as the names of the files that will be used on the firewall. For example, you could set the name of the generated file to be /etc/rc.conf.local which is the recommended usage.

The location of the files is defined in the Firewall Settings -> Installer menu.

Note: unlike firewall configurations that use the firewall script, if you choose the rc.conf format changes like updating the IP address of an interface are not done automatically.

---

Support for Cisco ASA & PIX devices running versions v8.0 - v8.3

Firewall Builder V4.2 will now properly generate configuration files for Cisco ASA and PIX devices running v8.0 - v8.3. This includes correctly generating NAT configurations in v8.3 with the new nat() command syntax.

---

Use of named objects in Cisco ASA & PIX rules

When configurations are generated for Cisco ASA and PIX devices, Firewall Builder will automatically create named objects such as network-objects, service-objects and group-objects that will be used in the generated access list rules. This helps make the rules more readable and reduces the number of rules that are created by Firewall Builder.

---

Import of Cisco ASA and PIX Configurations

Cisco ASA and PIX configurations in "show run" format can now be imported into Firewall Builder. The import process includes:

• Firewall object with interfaces, IP addresses, nameif and security levels.
• Objects for Networks, IP addresses, IP ranges and any services used in rules will be created in the object database. Firewall Builder will automatically de-duplicate any objects that are already in the object database.
• Access-lists will be imported into the main Policy object with the direction and interface based on the interface the access-list was applied to. If an access-list is not applied to an interface it will be created as a new policy object with the same name as the access-list.
• NAT rules, both global and static, will be imported into the NAT policy object.
• Static routes are not imported at this time.
• Any applicable warnings or errors will be displayed in a progress window during the import.

---

Object de-duplication during import process

Object de-duplication has been added to the import process for all supported platforms. If an object in the configuration being imported matches exactly to an object that already exists in the Firewall Builder data file the existing object will be used where possible.

Currently object groups used in Cisco ASA and PIX configurations are not de-duplicated.

---

Automatic platform and version detection during import

The new Import Firewall wizard automatically detects the platform type based on the contents of the configuration file being imported. Where possible Firewall Builder also detects the software version and sets the created firewall object to use the detected platform and version.

---

Standardize double-click behavior to only open objects for editing

Double-clicking an object in the object tree will now only open the object for editing in the Editor Panel. Previously this action would also expand the object if it had child objects which could lead to undesirable behavior for certain types of objects like firewalls.