Archive News

March 05, 2008 > Firewall Builder policy compilers for Cisco IOS ACL and PIX are now under GPL
Code has been released under the GPL and merged into the main fwbuilder tree. These two compilers will be included in the next release of Firewall Builder (v2.1.18).
Enjoy!

February 20, 2008 > Firewall Builder 2.1.17
This is a bug-fix release. It improves stability of the policy importer on 64-bit platforms, supports import of iptables policies that use the TCPMSS target, fixes problems with the built-in RCS on Windows when the user does not have administrator rights and comes with a nearly 100% Brazilian Portuguese translation.

December 20, 2007 > Firewall Builder 2.1.16
A bug introduced in 2.1.15 that broke the generated firewall script for iptables when the option "use iptables-restore" was on is fixed in this release. Additional checks were added to the generated iptables script to improve error detection and make sure the GUI properly detects when it terminates with an error. Support for load balancing with PF was also added.

December 10, 2007 > Firewall Builder 2.1.15
This is another bugfix release. Several problems with the policy installer running in batch mode have been fixed; this release also resolves compatibility issues with Windows Vista and Mac OS X Leopard.
See full Release Notes and ChangeLog

September 09, 2007 > Firewall Builder 2.1.14
This is another bugfix release; it comes with numerous improvements in the iptables policy importer and fixes for gcc 4.2 and 4.3.
See full Release Notes and ChangeLog

July 22, 2007 > Firewall Builder 2.1.13
This is a bugfix release; its main focus is better support for new features available in PF in OpenBSD 4.1 and improvements in the built-in policy installer.
See full Release Notes and ChangeLog

June 23, 2007 > Firewall Builder 2.1.12
Major new features in this release include support for Cisco router access lists and the ability to import an existing firewall policy. Currently the policy importer can parse an iptables configuration from a file created by the iptables-save utility and a Cisco router configuration saved using "show run" or a similar command. Numerous bug fixes also come with this version. Ubuntu 7.04 .deb packages are included for the first time.

June 05, 2007 > Iptables import in v2.1.12
It is now possible to import an existing iptables script into Firewall Builder. The importer is in Tools -> Discovery Druid; it takes a file created by the iptables-save utility and creates a firewall object with interfaces and policy and NAT rules.

This was one of the most requested features on the list for a very long time. If you have that one last iptables firewall which you never had time to convert to Firewall Builder, please try it and let me know how it went. You'll need v2.1.12 build 282 or newer.

Here are the contents of the README.policy_import file:

Policy import of iptables configurations (v2.1.12, build 281 and later)

Features implemented in this version:

  • Importer can parse iptables config saved using iptables-save utility. Because of the huge variety of iptables modules, Importer can only interpret basic iptables configuration and a subset of modules. Currently the following modules are supported:
    • state
    • multiport
    • limit
    • mark
  • Importer creates a firewall object with all interfaces. It cannot assign a name to the firewall object or add IP and MAC addresses to interfaces, because this information is not present in the iptables-save file.
  • The option "Assume firewall is part of 'any'" is off in the created firewall object. Import is done this way in order to preserve the logic of chains INPUT, OUTPUT and FORWARD in the recreated fwbuilder rules. Rules that had chain INPUT in the imported script will have the firewall object in "Destination" in the corresponding fwbuilder rules. The firewall object is placed in "Source" for rules with chain OUTPUT. For rules with chain FORWARD, the rule elements "Source" and "Destination" are populated with objects created using options "-s" and "-d" of the original rules, or left empty ("any").
  • all recognized iptables rules are imported and interface and direction are set in all rules appropriately. Interface objects are created as parser finds them in the script.
  • targets ACCEPT, DROP, REJECT, MARK and others are converted to the corresponding fwbuilder policy rule actions. Unrecognized targets are converted to branching rules, where the name of the target becomes the name of the branch.
  • SNAT, DNAT, MASQUERADE, REDIRECT and NETMAP targets and their parameters are recognized in the NAT rules.
  • Address and service objects are created in the process for all addresses and ports used in all rules.
  • iptables rules can refer to tcp/udp ports both by name and by number. The importer can properly interpret both formats, using the system function getservbyname() to convert a service name to the port number. Since the result of this function depends on the OS, some port names may not convert on some systems. For example, Windows can convert a more limited set of service names compared to Linux or BSD.
  • targets LOG and ULOG are converted to the "logging" option in fwbuilder rules with action "Continue". This is an empty action that does not affect packet flow through the firewall but can be used in combination with "logging" option to log the packet. If such empty (logging-only) rule is undesired, it must be manually merged with some other rule in the policy.
  • "--log-prefix" and "--log-level" options of the LOG target are recognized.
  • "--ulog-prefix" option of the ULOG target is recognized. Other options of the ULOG target are not.
  • Address and service objects are reused in the process of import.
  • In case the importer fails to parse some part of the iptables-save file, the corresponding policy rule is colored red and an appropriate diagnostic message is added to its comment. The problem must be corrected manually.
  • comments ("#") found inside access lists are ignored.

Shortcomings of this version:

  • user-defined chains in table "nat" are not supported
  • no import of time intervals
  • no MAC address matching import
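As an added illustration of the chain-to-rule mapping and target conversion listed above (example code, not Firewall Builder's own importer; the function names, record layout and the iptables-save excerpt are constructed for it):

```python
# Added example, not fwbuilder's importer: a small model of the iptables-save
# import rules from the README above, run over a constructed excerpt.
import shlex
import socket

SUPPORTED_MODULES = {"state", "multiport", "limit", "mark"}
ACTION_TARGETS = {"ACCEPT": "Accept", "DROP": "Deny", "REJECT": "Reject", "MARK": "Tag"}
SIMPLE = {"-A": "chain", "-s": "source", "-d": "destination", "--log-prefix": "log_prefix"}

# Constructed sample in iptables-save format. The last rule uses the "owner"
# module, which the importer does not support, so it must come out red.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:web_in - [0:0]
-A INPUT -i eth0 -p tcp -m multiport --dports 22,443 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j web_in
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: " --log-level 4
-A FORWARD -s 192.0.2.0/24 -d 198.51.100.7/32 -o eth1 -p udp --dport 53 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A FORWARD -p tcp -m owner --uid-owner 1000 -j DROP
COMMIT
"""

def port_spec(spec, proto):
    """Ports may be given by number or by name; names go through getservbyname(),
    so which names convert depends on the host OS (unknown names are an error)."""
    out = []
    for part in spec.split(","):
        try:
            out.append(part if part.replace(":", "").isdigit()
                       else str(socket.getservbyname(part, proto)))
        except OSError:
            raise ValueError(f"service name '{part}' is unknown on this system")
    return ",".join(out)

def rule_from_tokens(tokens):
    """Map one '-A ...' line onto an fwbuilder-style rule record."""
    rule = {"chain": None, "interface": None, "direction": "Both", "source": "any",
            "destination": "any", "service": "any", "action": None, "branch": None,
            "logging": False, "log_prefix": "", "color": None, "comment": ""}
    proto = ports = target = None
    try:
        for i in range(0, len(tokens), 2):   # every option modelled here takes one argument
            opt, arg = tokens[i], (tokens[i + 1] if i + 1 < len(tokens) else None)
            if opt in SIMPLE:
                rule[SIMPLE[opt]] = arg
            elif opt in ("-i", "-o"):        # interface objects are created as found
                rule["interface"] = arg
                rule["direction"] = "Inbound" if opt == "-i" else "Outbound"
            elif opt == "-p":
                proto = arg
            elif opt in ("--dport", "--dports"):
                ports = arg
            elif opt == "-m" and arg not in SUPPORTED_MODULES:
                raise ValueError(f"unsupported match module '{arg}'")
            elif opt == "-j":
                target = arg
            elif opt not in ("-m", "--state", "--limit", "--log-level"):
                raise ValueError(f"unrecognised option '{opt}'")
        if target is None:
            raise ValueError("rule has no target")
        if ports is not None:
            ports = port_spec(ports, proto)
    except ValueError as exc:
        # anything the importer cannot parse: colour the rule red and say why
        rule["color"], rule["comment"] = "red", f"import error: {exc}"
        return rule
    # the chain decides where the firewall object goes; FORWARD keeps -s/-d or "any"
    if rule["chain"] == "INPUT":
        rule["destination"] = "firewall"
    elif rule["chain"] == "OUTPUT":
        rule["source"] = "firewall"
    if proto:
        rule["service"] = f"{proto}/{ports}" if ports else proto
    if target in ("LOG", "ULOG"):
        rule["action"], rule["logging"] = "Continue", True   # logging-only rule
    elif target in ACTION_TARGETS:
        rule["action"] = ACTION_TARGETS[target]
    else:
        rule["action"], rule["branch"] = "Branch", target     # unknown target -> branch
    return rule

def import_iptables_save(text):
    """Return (rules, interfaces); interfaces are created as the parser meets them."""
    rules, interfaces = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue        # comments, table and chain headers, COMMIT: no rule here
        rule = rule_from_tokens(shlex.split(line))
        if rule["interface"] and rule["interface"] not in interfaces:
            interfaces.append(rule["interface"])
        rules.append(rule)
    return rules, interfaces
```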

May 25, 2007 > What is coming up
Firewall Builder v2.1.12 is not going to be another minor bugfix release. Instead, this release adds two major new features: support for Cisco IOS access lists and a framework to import existing firewall or router configuration. This turns Firewall Builder into a universal access policy management tool for a data center, an office or an ISP. With Firewall Builder you can manage not only policies of firewalls built using any of the supported Open Source firewall platforms, plus Cisco PIX, but now router access lists as well, all from the same familiar GUI using the same common set of objects.

Currently only Cisco IOS access lists can be imported but I plan to add import for other platforms as well. Nightly build packages starting with build #270 include these features, please check them out!

Here is a brief description of the policy compiler and importer for IOS access lists:

The policy compiler for Cisco IOS access lists has been implemented as part of the Firewall Builder GUI as of version 2.1.12. The first functional build in which the importer worked on all supported OSes was build 270 (May 22, 2007).

Support for Cisco IOS access lists in Firewall Builder v2.1.12, build 270:

Features implemented in this version:

  • The compiler generates extended ACLs using the "ip access-list extended" command. ACL names are automatically generated using abbreviated interface names and direction symbols to make it easy to figure out which ACL is which. The compiler uses a rather minimal set of options of the "ip access-list" command and should generate code that will work for IOS 12.x. I did not test with 11.x but I am pretty sure it will work, at least with the latest versions of 11.x.
  • The compiler can also add commands to configure logging.
  • The GUI includes a built-in installer for routers which works just like the installer for PIX. Both installers were also updated to improve support for the automatic roll-back feature, for the case when you lose connection with the firewall or the router because of an error in the policy. Now you can make the installer schedule a reboot in a few minutes, then upload the new policy or ACLs and then cancel the reboot if the upload was successful. While before the auto-rollback option was only available if you installed in test mode, now you can always use it. Test mode means that the installer does not save the configuration in permanent memory, as before.
  • All three installation methods that were available for PIX are now available for routers: you can make it clear all access lists and then load new ones, or just update access lists without clearing. The last method (the "safety net" method) creates a temporary ACL to permit communication with the management station, assigns it to the interface marked as the management interface, then clears all access lists and loads new ones, and in the end swaps in the proper list on the management interface. This helps prevent locking yourself out of the router in the middle of the installation process in case of an error in the ACL, and at the same time does not leave the router with no ACLs for the time it takes to install the new policy. In combination with automatic roll-back, the installation process is pretty reliable.
  • A new option has been added to the interface object, called "unprotected". This allows you to mark some interfaces to be skipped by the compiler when it picks interfaces for ACL rules. This should be useful when you have routers with many interfaces and only want to add ACLs to some of them. Also, you can explicitly put interface objects into policy rules and specify direction if you want to do this manually.
  • Since router ACLs have no state, all rules should be created in the policy pretty much like you do it on the router, including rules that permit reply packets. A new option has been added to the TCP Service object, called "established". This makes the compiler use the option "established" in rules it generates if it is supported by the firewall platform. Compilers for iptables, ipfilter, pf and PIX cannot use objects with this option and treat it as an error because the corresponding platforms do not support it. IPFW, on the other hand, supports it, so the compiler fwb_ipfw can use it.

Shortcomings of this version:

  • "tos", "precedence" and "time-range" options are not supported
  • "igmp" access lists cannot be generated

Policy import of Cisco IOS access lists (v2.1.12, build 270)

Features implemented in this version:

  • Importer can parse a router config saved using the "show run" command. Although the importer can only interpret a subset of IOS configuration commands, other commands that it does not understand are ignored and should not affect operation. No manual editing of the config is required prior to import.
  • Importer creates firewall object with all interfaces
  • firewall object name is assigned if "hostname" command is found in the configuration. If this command is not present, the name remains generic "New Firewall"
  • interface addresses are assigned if command "ip address" is found (multiple addresses per interface are supported). Interfaces without "ip address" in the configuration are marked as "unnumbered" in the firewall builder object tree.
  • all access lists are imported and interface and direction are set in all rules appropriately
  • Address and service objects are created in the process for all addresses and ports used in access lists
  • IOS access lists can define ip protocol, icmp code and type, and tcp/udp ports both by name or by number. Importer can properly interpret both formats.
  • "log", "log-input", "fragments", "established" keywords are supported and translated into rule or object options as appropriate.
  • Address and service objects are reused in the process of import.
  • In case the importer fails to parse some part of the access-list command, the corresponding policy rule is colored red and an appropriate diagnostic message is added to its comment. The problem must be corrected manually.
  • "remark" commands found inside access lists are translated into rule comments
  • comments ("!") found inside access lists are ignored.

Shortcomings of this version:

  • importer does not use address and service objects that existed in the tree before the operation has started, it creates new ones. Deduplication only works for objects created in the process of import.
  • the following keywords available in extended access lists are not supported at this time: tos, precedence, time-range.
  • igmp access lists are not parsed.

The policy importer uses the ANTLR lexer and parser (http://www.antlr.org/). Version 2.7.7 is used in Firewall Builder v2.1.12 (http://www.antlr2.org/).

April 29, 2007 > Firewall Builder 2.1.11
Another bug fix release. Built-in installer now properly detects errors that arise during activation of the iptables script. Support for --datestart and --datestop options of the "time" module, as well as full set of options for the "hashlimit" module were implemented in the policy compiler for iptables. It is now possible to generate rules to mark packets in the OUTPUT chain of the mangle table. Support for options "max-src-conn" and "max-src-states" has been improved in the compiler for PF. Support for IP option "lsrr" has been added in compiler for ipfilter.

March 02, 2007 > Firewall Builder 2.1.10
This is a bugfix release; see the Release Notes.

February 18, 2007 > broken installer in 2.1.9
A bug has been found in v2.1.9 (bug report) that affects the built-in installer for firewalls running PF or ipfilter. For these platforms the policy compiler generates at least two files (.conf and .fw), but the installer incorrectly uses the name with suffix .fw for both when it copies them to the firewall. The bug has been fixed in v2.1.10 build 217. Please use the latest nightly build of 2.1.10, which you can download here: http://www.fwbuilder.org/nightly_builds/

February 10, 2007 > Firewall Builder 2.1.9
Several bugs have been fixed in the GUI and the policy compiler for iptables. The compiler is more tolerant when processing an Address Table object with an empty address file or with a file containing empty lines. The ability to emulate terminating behavior for rules with actions Classify and Tag, and improved shadowing detection for these rules, have been added in the compiler for iptables.

New function to compare two data files and find conflicting objects has been added.

December 03, 2006 > Firewall Builder 2.1.8
This is mostly a bug fix release which is a follow-up to 2.1.7. The ability to search for objects using regular expressions matching their names or attributes has been added. A bug that prevented the user from creating a rule set branch inside another branch has been fixed. See Release Notes for the complete list.

October 31, 2006 > Firewall Builder 2.1
Thanks to all who helped to make this happen. Finally beta testing is over and the release is out. This version comes with many new features in the GUI and policy compilers. The GUI is much faster now; new object types "Address Table", "DNS Name" and "Tag", as well as new rule actions "Tag", "Queue", "Classify" and "Custom", have been added. We still have quite a bit of work to do though, particularly localization has only begun.

See the list of the new features and improvements in the Release Notes

September 17, 2006 > Firewall Builder 2.1.6-beta
Another 2.1 beta. The most notable change since 2.1.5 is in the core API of the package; the GUI now works much faster with large data files (tested using a data file with over 3000 objects). We have added a "Where used" menu item that quickly finds and shows all groups and firewall rules that reference a given object. The confirmation dialog that is shown when the user tries to delete an object also shows all groups and rules that use it. By popular request, the built-in installer can now save a copy of the .fwb file to the firewall. The compile/install dialog is now an independent window instead of a modal dialog, which means the user can look at the policy and objects while compilation and/or installation is going on. This is especially convenient as it allows one to inspect the rules after a failed compilation while still having the compiler error on screen. Packages are available for download on our SourceForge downloads page.

July 24, 2006 > RPMs for RedHat EL3 and EL4
Jeffrey Grace <Jeffrey.Grace at citec.com.au> contributed RPMs of fwbuilder v2.1.5 build 98 for RedHat Enterprise Linux 3 and 4. I've uploaded these packages to our SourceForge download page. My thanks to Jeffrey for the help.

July 23, 2006 > Firewall Builder 2.1.5-beta
This is the first "official" public beta testing release. My post "What is new in Firewall Builder 2.1" lists new features and additions made in this release. Binary packages for Linux are available on SourceForge; packages for Windows and Mac OS X are in the nightly builds area (grab the latest build from there).

July 07, 2006 > What is new in Firewall Builder 2.1
Here is the list of changes and new features available in Firewall Builder 2.1. Beta packages for several OSes (including Windows XP and Mac OS X) can be downloaded from the nightly builds page. We plan to run the public beta for a few months and release the final version in October. As usual, please file bugs using the bug tracking tool on SourceForge, and post comments and suggestions on the public forums and in our mailing list.

What is new in Firewall Builder v2.1


Installation

Packages of Firewall Builder 2.1 are built in such a way that you should be able to install them on the same machine with Firewall Builder 2.0.X. All binaries have names that end with "21", e.g. "fwbuilder21" or "fwb_ipt21". We'll remove this suffix when the final version is released. On Windows the binary name is the same but the package installs in the directory c:\FWBuilder21, which is different from the default directory for Firewall Builder 2.0; all registry entries are also located in different subtrees. All this is done to ensure the user can test Firewall Builder 2.1 while still using stable version 2.0.12 on the same machine.

NOTE: Even though we have tested concurrent installation, please make backup copies of your data files and setting files before you start experimenting with 2.1 beta. This is still an early stage of beta testing and I am pretty sure there are bugs.

Improvements and changes in the GUI

  • Network discovery Druid is back, ported from fwbuilder 1.0. As before, it supports reading object definitions from a file in /etc/hosts format, can read a DNS zone and also can crawl the network using SNMP queries.
  • The startup wizard ("Welcome to Firewall Builder") has been removed. The GUI now starts either into an empty database or opens the data file specified on the command line.
  • Keeping track of dependencies between objects. This is useful when many firewalls in the tree use the same set of objects. Each firewall object keeps track of the objects it depends on, so if any object is modified, all firewalls that use it in their rules are marked with a bold font to indicate that they need to be recompiled. Object dependencies are tracked not only when objects are directly used in rules, but also when they appear there indirectly, as members of groups.
  • Added bulk compile and install operations. This is useful when there are many firewalls in the tree that need to be compiled and installed in one go. The bulk install operation is only possible if all firewalls use the same user name and password for authentication. If this is not the case, the built-in installer can be instructed to ask for the authentication information before it touches each firewall.
  • All object dialogs have been converted into built-in panels that appear in the right-hand part of the main window. This simplifies navigation (pop-up dialogs used to obscure parts of the main window). Objects open in the editor on a single mouse click in the tree and rules.
  • Improvements in the "Find" function: the administrator can now drag an object into a well in the find dialog panel to make it search for this particular object. This is useful if the name of the object is not unique. Search by an object's name or a value of its attribute is also possible.
  • In addition to the "Find" function, a "Find and replace" operation has been implemented. Objects can be found and replaced in groups and firewall rules.

New object types, new rule types and rule elements, new actions and other new features

  • AddressTable:  This object resolves to a set of IP addresses defined in an external file. The object can be configured to read the file at compile time or at run time. For each compile-time AddressTable object defined in the object tree the compiler tries to find and read the file specified in the object configuration. The compiler aborts processing if the file cannot be found or cannot be read. If the file is in place and can be read, such an AddressTable object behaves as if it were a group of IP address objects, that is, all addresses are explicitly copied into the generated configuration, although the compiler may use target firewall syntax that helps to group such sets of addresses into tables. Compilers for iptables, ipfw, ipf and PIX generate a bunch of rules matching each address read from the file. The compiler for PF creates a table and also lists all IP addresses it reads from the file; it uses the name of the AddressTable object for the name of the table it creates.

    Run-time AddressTable objects are only supported by compilers for iptables and PF. Compiler for iptables generates shell code to read the contents of the file when firewall configuration is activated. Compiler for PF uses native "table <name> persist file <file_name>" syntax. Here also the name of the table is the same as the name of the AddressTable object it was created for.

  • DNSName:  This object resolves a host name to the IP address using DNS. The object can be configured to do so at compile time or run time. Resolution is done using the system call gethostbyaddr() to read DNS A records for the name. The system resolver should take care of recursion and CNAME records, if any. If the name resolves to several IP addresses, all addresses are used in the generated firewall configuration. Run-time DNSName objects rely on the target firewall software being able to convert symbolic names used in rules into actual IP addresses at the time when the policy is activated. Not all platforms provide means to support run-time DNSName objects.
  • TagService:  This object matches tags set by action Tag. It is translated into --mark <mark_code> for iptables and tag option for PF. This service object is only supported by compilers for iptables and PF.
  • Interface objects can now have an attribute to mark them as bridge ports, used for bridging firewalls.
  • Support for routing rules has been implemented using a patch provided by Tidei Maurizio <fwbuilder-routing at compal.de>. Support for routing rules is only implemented in the compiler for iptables. See file README.routing included in the fwbuilder2 package.
    NOTE: I can only provide very limited support for this feature, please direct your questions and bug reports to the author
  • Global policy and interface policies have been merged. Each policy rule now has rule element "Interface". Administrator can drag and drop interface object of the firewall into this rule element field. Policy compilers support multiple interfaces and negation in "Interface" rule element. Rule element "direction" that previously was only part of the interface policy rules is now part of all policy rules.
  • Policy rules can have the following new actions:
    • Queue:  This action passes the packet to a user space process for inspection; it is translated into QUEUE for iptables and divert for ipfw. This action is only supported by compilers for iptables and ipfw.
    • Custom:  This action allows the administrator to define an arbitrary piece of code to be used in place of an action. Supported by compilers for iptables, ipf and ipfw.
    • Branch:  This action is used to create a branch in the rule set. It works on target platforms that provide suitable syntax and allow control to return to the higher level rule set if the branch cannot make a final decision about the packet. For iptables this action is translated into a user-defined chain. The name of the chain is the name of the branch chosen by the administrator. For PF this action is translated into an anchor with the same name as the branch defined by the administrator. This action is only supported by compilers for iptables and PF.

      Fig.1 Rule #0 of the global policy creates a branch with the name rule0_branch
    • Tag:  This action associates an internal tag with the packet. The tag can later be inspected using the service object TagService. This action is translated into the MARK target with the corresponding --set-mark parameter and optionally an additional rule with the CONNMARK --save-mark target for iptables. If the option that activates the CONNMARK target is used, the compiler also adds a rule at the very top of the policy to restore the mark. Rules are placed in the INPUT, OUTPUT and FORWARD chains of the "mangle" table; this ensures that DNAT happens before rules placed in the mangle table see the packet. The PREROUTING chain of the mangle table is executed before the PREROUTING chain of the nat table, so placing tagging rules in the PREROUTING chain would make them fire before DNAT. The POSTROUTING chain of the mangle table, as well as its FORWARD and OUTPUT chains, work before the corresponding chains of the nat table. In all cases the goal is to make sure DNAT rules process the packet before, and SNAT rules process it after, the filtering and tagging rules.

      For PF this action is translated into tag. Supported only by compilers for iptables and PF.

      Fig.2 Example of a rule utilizing action Tag. To illustrate policy branches, this rule belongs to the branch with the name rule0_branch

    • Classify:  This action allows the firewall to define QoS class for the packet that matches the rule. It is translated into CLASSIFY for iptables, with parameter --set-class. For PF it is translated into queue; compiler for ipfw can use pipe, queue or divert depending on how the action is configured by the administrator in the GUI. This action is only supported by compilers for iptables, PF and ipfw.
    • Route:  This action makes the firewall route the packet that matches the rule through an interface or a gateway specified in the parameters of the action. This action is translated into the ROUTE target for iptables and the route option for PF and ipfilter. Compilers for PF and ipfilter support the fastroute, route-to, reply-to and dup-to options.

      Fig.3 Rules #0 and #1 tag packets entering the firewall through interfaces eth0 and eth2; rules #3 and #4 help route reply packets back through the same interfaces

    The GUI uses different names for the new actions depending on the target firewall platform to simplify adoption. For example, the new action that creates a branch in the rule set is called Chain for iptables firewalls and Anchor for PF firewalls.

  • The Firewall object now has an attribute "inactive". A firewall marked as inactive will not be picked by the GUI for the bulk compile and install operations even if the timestamps indicate that this firewall object needs to be recompiled.

Compiler for iptables

  • Support for address tables loaded from external files at compile or run time
  • Support user defined chains with predefined names (using special action)
  • Support for CLASSIFY, MARK, CONNMARK, QUEUE, ROUTE targets
  • Support for physdev module for bridging firewalls
  • additional optimization of rules in the INPUT and OUTPUT chains: the firewall object is now removed from src or dst to simplify a rule that uses the OUTPUT or INPUT chain. This is done only if the original rule did not have negation and we do not add any virtual addresses for NAT. After removal the rule collapses to a simple command like this:

        iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    This works fine except if we have added virtual addresses for NAT. It is assumed that the firewall object in rules represents the combination of addresses configured in its interfaces in the GUI. Virtual addresses added for NAT are considered a side effect, and connections should not be implicitly permitted to them by a rule with the fw object in destination. The same applies to the fw object in source. See bug #685947 for discussion. To avoid inadvertently opening holes in the firewall by a rule like that, we remove the fw object only when it is safe to do so.

  • support for modules connlimit and hashlimit. There is an option to generate commands for the latter module using name dstlimit because older versions of iptables included this module under this (now obsolete) name.
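The placement of Tag rules in the mangle table (described under the new actions above) and the removal of the firewall object from INPUT/OUTPUT rules (in this list), as an added example that is not fwbuilder's own compiler code; the Rule and Firewall model, the function names and the sample addresses are assumptions made for it:

```python
# Added example, not fwbuilder's compiler: emit the iptables commands the text
# above describes for a tiny rule model (Rule/Firewall names are this example's).
from dataclasses import dataclass, field
from itertools import product
from typing import List, Optional

FW = "fw"           # the firewall object itself, as placed in a rule in the GUI
TARGETS = {"Accept": "ACCEPT", "Deny": "DROP", "Reject": "REJECT"}


@dataclass
class Firewall:
    interface_addrs: List[str]                  # addresses configured on its interfaces
    nat_virtual_addrs: List[str] = field(default_factory=list)  # side effect of NAT rules


@dataclass
class Rule:
    src: str = "any"            # FW, "any", or an address / network
    dst: str = "any"
    proto: str = "any"
    dport: Optional[str] = None
    action: str = "Accept"      # Accept, Deny, Reject or Tag
    negated: bool = False       # negation on the non-firewall side of the rule
    stateful: bool = True       # Accept rules match --state NEW
    tag: Optional[int] = None   # mark code for action Tag
    save_connmark: bool = False # also CONNMARK --save-mark, with restore at the top


def chain_for(rule: Rule) -> str:
    """Firewall object in destination -> INPUT, in source -> OUTPUT, else FORWARD."""
    if rule.dst == FW:
        return "INPUT"
    return "OUTPUT" if rule.src == FW else "FORWARD"


def fw_object_safe_to_drop(rule: Rule, fw: Firewall) -> bool:
    """The INPUT/OUTPUT chain alone may stand in for the firewall object only when
    the rule has no negation and no NAT virtual addresses exist (bug #685947):
    those addresses must not be implicitly covered by such a rule."""
    return not rule.negated and not fw.nat_virtual_addrs


def address_clauses(rule: Rule, fw: Firewall) -> List[List[str]]:
    """One '-s ... -d ...' option list per iptables command the rule expands to."""
    drop_fw = fw_object_safe_to_drop(rule, fw)

    def side(flag: str, value: str) -> List[List[str]]:
        if value == FW:      # collapse, or match every interface address explicitly
            return [[]] if drop_fw else [[flag, a] for a in fw.interface_addrs]
        if value == "any":
            return [[]]
        return [(["!"] if rule.negated else []) + [flag, value]]

    return [s + d for s, d in product(side("-s", rule.src), side("-d", rule.dst))]


def match_clause(rule: Rule) -> List[str]:
    parts: List[str] = []
    if rule.proto != "any":
        parts += ["-p", rule.proto]
    if rule.dport:
        parts += ["--dport", rule.dport]
    if rule.action == "Accept" and rule.stateful:
        parts += ["-m", "state", "--state", "NEW"]
    return parts


def compile_rule(rule: Rule, fw: Firewall) -> List[str]:
    chain = chain_for(rule)
    if rule.action == "Tag":
        # mangle INPUT/OUTPUT/FORWARD, never PREROUTING: nat PREROUTING has
        # already applied DNAT by the time the mark is set here
        table = ["-t", "mangle"]
        targets = [["-j", "MARK", "--set-mark", str(rule.tag)]]
        if rule.save_connmark:
            targets.append(["-j", "CONNMARK", "--save-mark"])
    else:
        table, targets = [], [["-j", TARGETS[rule.action]]]
    return [" ".join(["iptables"] + table + ["-A", chain] + addrs + match_clause(rule) + tgt)
            for addrs in address_clauses(rule, fw) for tgt in targets]


def compile_policy(rules: List[Rule], fw: Firewall) -> List[str]:
    out: List[str] = []
    if any(r.action == "Tag" and r.save_connmark for r in rules):
        # restore the connection mark at the very top of the policy
        out += [f"iptables -t mangle -A {c} -j CONNMARK --restore-mark"
                for c in ("INPUT", "OUTPUT", "FORWARD")]
    for rule in rules:
        out += compile_rule(rule, fw)
    return out
```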

Compiler for PF

  • Support for load balancing rules
  • Support for tag and route options
  • Support for address ranges and network objects in TSrc in NAT rules
  • Support for pool types in NAT rules ('bitmask', 'random', 'source-hash', 'round-robin'), as well as 'static-port' option.
  • Support for anchors (by way of a special action)
  • Support for tables with predefined names (using AddressTable object)
  • Support for packet 'tagging' (by way of a special action and service object TagService)

Compiler for ipfilter

  • Support for PPTP and IRC proxies
  • Support for route option

API

  • internal object ID is augmented with the process ID of the program that creates an object. This allows fwbedit to quickly create objects and still ensure their IDs are unique

fwbedit

Fwbedit can now create objects and repair broken object database. This tool can now be used to populate object database using shell scripts or other automation. For example, to create an address object in object library 'Test' one could run it like this:

fwbedit -f filename.fwb -t IPv4 -n newAddress -L Test -o 192.0.2.1

The tool prints the following usage summary:

Firewall Builder:  general purpose object tree editing tool
Version 2.1.5-b

Usage:

fwbedit21 -f filename.fwb -u [-a obj,grp] [-r obj,grp] [-d obj] [-s] [-l path] [(-p parent|-L library)
-t objtype -n objname [-o object attributes]]

-t objtype : create an object of this type
-L library : specify library when creating a new object
-p obj     : specify parent object when creating a new object
-n name    : specify a name of the new object
-o attribute1[,attribute2...]  :  specify attributes when creating a new object
-a obj,grp :  create reference to object 'obj' in the group 'grp'
-r obj,grp :  remove reference to object 'obj' from the group 'grp'
-d obj     :  delete object 'obj' and remove references to it from
              all rules and groups
-l path    :  print list of objects for 'path'
-s         :  test and repair object tree structure
-u         : autoupgrade of file

An object and a group can be defined by their ID or
by the full path and name in the XML tree

Object creation syntax:

-t Firewall -n obj_name -L User -o platform, host OS
-t IPv4 -n obj_name -L User -o IP address
-t DNSName -n obj_name -L User -o DNS record,run time
-t AddressRange -n obj_name -L User -o start address, end address
-t ObjectGroup
-t Network -n obj_name -L User -o address,netmask
-t Interval -n obj_name -L User -o start time,start date,start day,end time, end date, end day
-t Interface -n obj_name -L User -o security level,address type (dynamic or unnumbered),management
-t Host
-t TCPService -n obj_name -L User -o source port range start,end,Destination port range start,end,UAPRSF,UAPRSF
-t UDPService -n obj_name -L User -o source port range start,end,Destination port range start,end
-t ICMPService -n obj_name -L User -o ICMP type,ICMP code
-t IPService -n obj_name -L User -o protocol number,lsrr/ssrr/rr/ts/fragm/short_fragm

April 15, 2006 > Firewall Builder 2.0.12
This is a quick bugfix release. The fix implemented in v2.0.11 for the bug that caused firewall script corruption when rule comments were written in UTF-8 broke the built-in installer on Windows and Mac OS X. This release implements a more portable solution that works on all supported platforms. Bug numbers: #1455772 and #1468745

April 08, 2006 > Firewall Builder 2.0.11
This is a bugfix release. A bug that caused the firewall script to break during transfer to the firewall if any rule or object comment used non-English UTF-8 characters has been fixed. The generated firewall script now properly loads iptables modules on 2.6 kernels. The code compiles with g++ 4.1.

November 12, 2005 > Firewall Builder v2.0.10
This is a bugfix release. A GUI crash that occurred when one of the resource files was missing has been fixed, the code now compiles and works on Solaris, and a few minor bugs have been fixed in the compiler for iptables.

September 30, 2005 > Hottest pick award by Linux Format

In issue 70, September 2005, Firewall Builder received the Hottest Pick award by Linux Format magazine.

September 17, 2005 > Firewall Builder v2.0.9
This is mostly a bugfix release, with a handful of new features. It comes with a Spanish translation and support for Cisco FWSM.

July 09, 2005 > Firewall Builder v2.0.8
This release offers bug fixes and a few new features.

Rule sets are now used to swap rules on ipfw firewalls. Backup ssh access can now be configured for subnets. A few bugs were fixed in the built-in installer to make it work more reliably on FreeBSD and with ipfw firewalls.

May 12, 2005 > Firewall Builder v2.0.7
This release includes bug fixes and minor improvements in the GUI and policy compilers.

The GUI can now search by IP address, TCP/UDP port, ICMP type or IP protocol number. The administrator can specify additional command line parameters for the ssh command that the built-in installer runs to access the firewall, so an alternative ssh key or port number can be used. Added support for dynamic interface addresses in ipfilter.

February 20, 2005 > Firewall Builder v2.0.6
This is the first release to include support for printing rule sets. It also comes with bug fixes and updated localization.

January 27, 2005 > Printing
One long-overdue feature request for the v2.0 series was the ability to print firewall rules and object parameters. The next release (2.0.6) will finally support printing; it is already included in the latest nightly builds, starting with build 541. This is not the final implementation yet, but it already does what I intended.

Your bug reports and general feedback are very welcome. Download the nightly build here: http://www.fwbuilder.org/nightly_builds/

Here is a brief summary of what it can do:

  • prints policies and NAT rules for the currently opened firewall object
  • can print a header on each page; the header includes the file name, RCS revision number and page number. The header can be turned off
  • can print a legend at the end of the printout. The legend shows each icon and the object type it corresponds to. Printing of the legend can be turned off
  • can print a list of objects used in all rules of the firewall. Each object is accompanied by a brief summary of its parameters. This can be turned off as well
  • while printing rule sets, the program breaks the table on the boundary of a rule when it reaches the end of the page
  • rule sets are printed as screenshots of the same table widget used in the GUI. The user can change the scaling factor for the tables to make them fit on the page
  • printing has been tested on Linux, Windows and Mac OS X

January 07, 2005 > Firewall Builder v2.0.5 has been released
This is a bug fix release; its main focus is on internationalization and usability. Complete Russian and Japanese translations have been added. Code has been fixed in many places where text strings were not properly marked for localization. See the Release Notes for the complete list of bugs fixed in this release.

December 03, 2004 > Firewall Builder v2.0.4 has been released
This release includes a few significant improvements, as well as the usual bug fixes.

In particular, a new policy activation method using iptables-restore is now available for Linux/iptables firewalls. iptables-restore provides an atomic policy load and allows a large policy to be loaded much faster. Atomic load means the whole filter or nat table is activated at once, and if there is an error, nothing is changed.

A new installation method has also been implemented for PIX firewalls. "Safety Net Install" provides a way to manage access lists on a PIX firewall through an IPSEC tunnel. Previously this was impossible because the "clear access-list" command would switch the firewall into a block-all mode, which breaks the tunnel. Safety Net Install works around this problem and maintains communication through the tunnel at all times.

See Release Notes for the complete list of improvements and bug fixes in Firewall Builder v2.0.4

October 25, 2004 > What is coming: New features in Firewall Builder 2.0.4
I am currently working on several cool features that will be included in the upcoming v2.0.4. I regularly post announcements of new builds on the mailing list; you may want to subscribe to stay up to speed with the latest development.

  • The policy compiler for iptables can now use iptables-restore to activate the firewall policy. iptables-restore provides an atomic policy load and allows a large policy to be loaded much faster. Atomic load means the whole filter or nat table is activated at once, and if there is an error, nothing is changed. The compiler generates the script in one of three formats:
    • the usual shell script that adds rules one at a time by executing the iptables command with the "-A" flag;
    • commands fed to iptables-restore; this format is used when all interfaces of the firewall have static IP addresses and the script does not need to determine addresses at run time;
    • a script that determines the IP addresses of interfaces at run time and discovers dynamic interfaces that were defined as "wildcard" interfaces in fwbuilder (e.g. 'ppp*'); the input sent to iptables-restore is generated dynamically by the script at run time.

    Using iptables-restore is optional and is controlled by a checkbox in the "Script options" tab of the firewall settings dialog. The path to the iptables-restore utility can be set in the "Paths" tab of the host settings dialog.

  • Support for "prolog" and "epilog" scripts, previously available only for PIX, has been added for all platforms. The "Prolog/Epilog" tab of the firewall settings dialog allows editing of two blocks of commands that are added verbatim to the generated firewall script. The prolog block is added at the top, the epilog block at the bottom. Both are expected to be shell script fragments and are inserted into the generated shell script that activates the firewall. For iptables and ipfw the compiler generates only this shell script, so the prolog and epilog commands are inserted into it; they may execute arbitrary actions as well as add policy or NAT commands. For ipf and pf the prolog and epilog commands are added to the activation shell script (the .fw file); the prolog is inserted immediately after the command that flushes all rules. This way the user may either execute shell commands or add policy and/or NAT rules by loading them from an external file.
  • The activation script for PF now flushes only rules, nat, source-tracking entries and tables (it used to flush "all"). This preserves queue entries and states.
  • The compiler produces optimized code for iptables firewalls used on servers: if IP forwarding is turned off, no rules are placed in the FORWARD chain.

As usual, latest builds and source tar archives are available for downloads from the nightly builds site; just click on Downloads and follow the link.

October 01, 2004 > Firewall Builder v2.0.3 has been released
This is a maintenance release. See Release Notes for the list of bug fixes and improvements.

Summary:

  • This release improves support for the PF firewall by always using tables in policy rules; it also uses the syntax "! <tbl>" for negation, assigns "rdr" rules to interfaces and adds "flags S/SA" to policy rules that keep state.
  • This release significantly improves the optimizer for iptables and adds an automatically generated rule to drop packets in the INVALID state
  • The built-in policy installer can compress the firewall policy script before it is installed in flash memory on a Linksys/Sveasoft firewall; this allows a much larger policy to be used on the Linksys. Script compression is optional.
  • The built-in policy installer can be used to test new policy rules with automatic roll-back to the previous version of the policy after a specified interval of time. This feature helps to work around errors in the policy that block access to the firewall from the management workstation.
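The atomic load described in the October 25, 2004 post above and the timed roll-back in this list can be combined into one small install procedure. The script below is an added example for this page, not the script Firewall Builder generates and not part of the project: it emits a filter table in iptables-restore format (with the "backup ssh from the management station" rule on top and the INVALID-state drop), has the parser reject it before anything is touched, snapshots the live policy with iptables-save, commits the new table in one step, and arms a timer that restores the snapshot unless the administrator confirms. The addresses (192.0.2.10, 203.0.113.5) are constructed documentation-range values; the command variables exist so the logic can be exercised without root by pointing them at stub functions.

```shell
#!/bin/sh
# Added example: atomic policy load with iptables-restore plus a timed
# roll-back. Not the script Firewall Builder generates; addresses are
# constructed for illustration (RFC 5737 documentation ranges).
set -u

# Commands are variables so the script can be exercised without root
# (point them at shell functions or stubs).
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}
IPTABLES_VALIDATE=${IPTABLES_VALIDATE:-"iptables-restore --test"}
ROLLBACK_PID_FILE=${ROLLBACK_PID_FILE:-${TMPDIR:-/tmp}/fw-rollback.pid}
ROLLBACK_BACKUP=${ROLLBACK_BACKUP:-${TMPDIR:-/tmp}/fw-rollback.rules}

# Run-time address discovery for a dynamic interface (the third script
# format described above): the rule text is built only once the
# address is known.
discover_addr() {
    ip -4 -o addr show dev "$1" | awk '{ sub("/.*", "", $4); print $4; exit }'
}

# Emit a complete filter table in iptables-restore format. The whole
# table is committed at once, so a syntax error anywhere means no change
# at all, unlike one "iptables -A" per line.
gen_ruleset() {
    mgmt=$1     # management workstation allowed to ssh in regardless
    fw_addr=$2  # address of the firewall's interface
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s $mgmt -d $fw_addr -p tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Validate, snapshot the live policy, load the new one atomically and
# arm a timer that restores the snapshot unless confirm_install runs.
safe_install() {
    rules=$1
    secs=$2
    if ! $IPTABLES_VALIDATE < "$rules"; then
        echo "ruleset rejected by parser; live policy untouched" >&2
        return 1
    fi
    $IPTABLES_SAVE > "$ROLLBACK_BACKUP" || return 1
    $IPTABLES_RESTORE < "$rules" || return 1
    ( sleep "$secs"; $IPTABLES_RESTORE < "$ROLLBACK_BACKUP" ) &
    echo $! > "$ROLLBACK_PID_FILE"
}

# Run from the management station once it has confirmed it can still
# reach the firewall; cancels the pending roll-back.
confirm_install() {
    [ -f "$ROLLBACK_PID_FILE" ] || return 1
    kill "$(cat "$ROLLBACK_PID_FILE")" 2>/dev/null
    rm -f "$ROLLBACK_PID_FILE"
}

case "${1:-}" in
    install)  # usage: ./safe-fw.sh install eth0 192.0.2.10 120
        rules_file=$(mktemp)
        gen_ruleset "$3" "$(discover_addr "$2")" > "$rules_file"
        safe_install "$rules_file" "$4" ;;
    confirm)  confirm_install ;;
esac
```

The management-station rule is placed before everything else for the same reason the GUI option puts it on top: if a later rule is wrong, the timer is only a safety net and the operator can still reach the box to run "confirm" or fix the policy. Note that the roll-back restores the complete table from the snapshot, so it too is atomic.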

September 01, 2004 > Firewall Builder v2.0.2 has been released
This is a maintenance release. See Release Notes for the list of bug fixes and improvements.

This release adds several service objects to the Standard Objects library and a couple of firewall object templates, fixes bugs reported over the last two weeks and adds support for timeout and limit options in pf.

August 12, 2004 > Firewall Builder on Windows and Macintosh
Firewall Builder is now available on Windows 2000/XP and Mac OS X. Native packages are distributed by NetCitadel LLC, you can download them here.

August 11, 2004 > Firewall Builder v2.0.1 has been released
This is a maintenance release that only includes fixes for a few bugs. See the list in the Release Notes.

v2.0.1 should be stable and suitable for production use. I am going to focus on adding new features now, with the goal of making the next release in a couple of months. As usual, the best place to watch the progress is our mailing list; you can subscribe to it here.

July 25, 2004 > What is new in Firewall Builder 2.0
As I mentioned before, the GUI in v2.0 has been rewritten from scratch using Qt 3.x. It has been tested with Qt v3.1.1, 3.2.3 and 3.3.1. We build on RedHat 9.0, Fedora Core 1 and 2, Mandrake 10, SuSE 9.1 and FreeBSD 5.2 using the Qt packages that come with these systems. Here is a list of new features in v2.0:

  • Speed improvements in the GUI. A firewall policy that consists of 1000 rules renders just as fast as a policy that has only 10 rules. The GUI has actually been tested with 1000-rule policies.
  • The object tree is not synchronized with the firewall policy view. Selecting an object in the tree does not immediately open it in the right-hand panel of the main window. The right-hand panel is dedicated to the policy view and always shows the policy or NAT rules of the firewall selected in the pull-down menu above it. Editing of all objects is done in a separate floating editor window that can be kept open at all times.
  • Properties of an object selected in the tree or in any rule are shown in the information panel under the tree. The size of the panel can be changed; the panel has three modes of operation: a) hidden, b) showing only the comment associated with the selected object, c) showing its parameters and comment. The user can choose the mode by clicking on the toolbar button under the information panel.
  • The "Find object" function finds objects by their name in the tree, in groups and in rules. Regular expressions are recognized.
  • Built-in version control based on RCS provides a simple way to track changes.
  • A data file can be opened read-only for inspection. If the file is checked out and locked by a different user, it can only be opened read-only.
  • The data file can be given on the command line without the "-f" switch. The "-f" is still supported for backwards compatibility.
  • The program no longer makes copies of standard objects in the user data file (per Feature Request #810504 "'Standard' definitions should not be saved")
  • Users can create and distribute their own libraries of objects. The GUI allows objects to be exported to an external library file with the extension .fwl and imported from such a file.
  • Objects in the 'Standard' objects library, as well as objects in libraries imported from external files, are read-only
  • Added an option for autosave: if this option is turned on, the GUI periodically saves data to the file. The autosave interval can be set between 1 minute and 2 hours.
  • The GUI detects collisions between objects when an external library is imported. A collision is detected when any attribute of an object in the tree differs from that attribute in the object with the same unique ID in the file being imported. Some old data files may trigger collisions because of subtle differences in comments
  • Whenever the user changes the name of a firewall, host or interface object, the GUI asks whether they also want to rename all IP and MAC addresses that belong to that firewall or host. If the user agrees, the program generates names automatically using the scheme 'host_name:interface_name:ip' and 'host_name:interface_name:mac'
  • Deleted objects are moved to a special library and can be recovered with the "Undelete" operation
  • Rules can be color-labeled in all policies.
  • Window size and position are remembered across sessions for all dialogs.
  • Two modes of drag-and-drop of objects in policy and NAT rules: dragging an object moves it; dragging an object with the Ctrl key pressed copies it
  • Multiple objects can be selected in the tree. Operations such as duplication, moving between libraries and copy/paste can be performed on multiple selected objects
  • Multiple rules can also be selected for operations such as moving, deleting, copy/paste and setting colors
  • A collection of firewall template objects comes in a separate XML file with the package. You can create a new firewall object using one of these templates.
  • The "Help me build firewall policy" wizard was phased out and replaced with these firewall templates. The template library will be extended in future releases.
  • The GUI has a built-in installer that uses an external ssh client to communicate with the firewall. The installer has a simple GUI and works on both Linux and Windows (using putty or SecureCRT on Windows). There is no need for the external install script fwb_install anymore.
  • An option has been added for the iptables, ipfilter, pf and ipfw platforms that sets up a policy rule to permit ssh access to the firewall from one specified IP address regardless of other rules. This provides backup ssh access from the management workstation in case an error in the policy locks the user out of the firewall. The option (a checkbox and an entry field for the management station address) is located in the "Compiler" tab of the firewall settings dialog. A command that permits ssh to the firewall from the given address is added on top of all other rules.
  • Packages for Windows 2000, Windows XP and Mac OS X will be distributed under a different license.
  • The build process is based on qmake and uses autoconf sparingly. Libtool is not used at all.
  • Internationalization is done using gettext 0.14.1, which supports Qt .qm files
  • A reasonably complete French translation is provided.
  • Object names and comments are stored in the object file in UTF-8. This allows names and comments to be entered and displayed in local languages. Although object names can be localized, it is recommended to keep firewall names in plain ASCII because the compilers do not support UTF-8 yet. This fixes the very old bug #657156: "Special characters problem".
  • Code compiles with gcc 3.4
The object discovery druid has not been ported to Firewall Builder 2.0 yet.

July 07, 2004 > Support for Linksys devices running Sveasoft firmware
Firewall Builder 2.0 now supports Linksys WRT54G and WRT54GS routers running Sveasoft firmware. Sveasoft's firmware is amazing: it includes everything that a "big" PC running Linux with iptables can offer, but packs it all into this tiny package. Firewall Builder can generate policy and NAT rules, and the built-in installer pushes them to the Linksys box using ssh (see the screenshot below).

It was tested with Sveasoft's new beta images (pre-5.1) and probably will not work with their stable (4.0) release. To generate an iptables script that can be used on the Linksys, configure your firewall object with platform "iptables" (version 1.2.9 or later) and host OS "linksys".

Currently Firewall Builder can only generate policy and NAT rules for a Linksys box running Sveasoft firmware. It cannot configure QoS and the other features available there, but you can always use the web interface for those. It will not work with the original firmware.

Here is the screenshot of the policy editor and installer:

June 24, 2004 > Help us test Firewall Builder 2.0
Firewall Builder 2.0 is almost ready for release, but I need your help to test it! Please download the latest nightly build from ftp://downloads.fwbuilder.org/pub/fwbuilder/nightly_builds/ and give it a try. I build binary RPMs for Fedora C1, RedHat 9.0, Mandrake 10.0 and SuSE 9.1, as well as FreeBSD 5.2 packages (port files are provided), every night. RPMs built for Fedora C1 work on Fedora C2.

Please post your comments, bug reports and suggestions to the mailing list or open a bug report on the SourceForge project page. You can subscribe to the mailing list here: http://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion

Thank you!

February 08, 2004 > Firewall Builder on Mac OS X
Thanks to Vadim Zaliva, fwbuilder now builds and works on Mac OS X Panther (10.3) as a fink package. I've uploaded the .info files to the download area; build instructions can be found in the usual place and in Vadim's web log.

January 17, 2004 > Firewall Builder v1.1.2 has been released
This is a bug fix release. The most important and visible fix is for a bug that caused the GUI to crash while saving data to the xml file if it was using libxml2 v2.6.4. In particular this bug broke FreeBSD port.

Another improvement in v1.1.2 is an addition of support for tables in OpenBSD pf. Tables have become available in PF in OpenBSD 3.4 and improve performance of the filter, as well as make policy shorter.

Also this version comes with updated French translation.

See ChangeLog and Release Notes for details.

January 16, 2004 > I'll be speaking about Firewall Builder at the DFN-CERT workshop
I am going to speak about Firewall Builder at the DFN-CERT workshop in Hamburg, Germany on February 4, 2004.

The program of the workshop is available here. Use Google to translate these pages.

See you in Hamburg :-)

December 09, 2003 > Firewall Builder for PIX v1.1.1 has been released
This version adds support for PIX v6.3 and an incremental policy installer program, and features a number of other improvements. You can download a free trial version here.

December 02, 2003 > Firewall Builder v1.1.1 has been released
This is a bugfix release. A critical bug in the policy compiler for ipfilter that slipped through testing in v1.1 made it necessary to rush out v1.1.1. The bug has been fixed, along with a couple of others. See the ChangeLog for the list of bugs fixed in this release.

See Release Notes here and download it here

November 23, 2003 > Firewall Builder v1.1 has been released
v1.1 includes recent bugfixes. Compile speed improvements and script optimizations have been made for iptables and ipfilter, iptables script generated by fwbuilder is now compatible with kernel v2.6.

Firewall Builder now supports PIX v6.3.

See Release Notes for v1.1 here, download it here

This version is stable, only bugfixes and translation improvements will be added to v1.1 in the future. All new development will be done in a new code branch.

November 15, 2003 > v1.0.12 is almost there
v1.0.12-RC2 is out. I plan on making the release some time next week.
Here is a brief list of improvements in this version:

  • compile speed improvements and script optimizations for iptables and ipfilter
  • iptables script generated by fwbuilder is now compatible with kernel v2.6
  • support for PIX v6.3
  • incremental policy installer for PIX

Here is the ChangeLog

Nightly builds are done on the following systems:

  • FreeBSD 4.9
  • FreeBSD 5.1-release
  • OpenBSD 3.4
  • Fedora c1
  • Mandrake 9.1
  • RedHat 7
  • RedHat 8.0
  • RedHat 9.0
  • SuSE 8.2
  • SuSE 9.0

October 01, 2003 > New Web Site
As you can see, our project got a completely new web site. Well, the old one was good and lasted long enough, but I felt it had its limitations and had outlived its days. It is time to change it.

The new web site is designed around a Firewall Builder "cookbook", a dynamic collection of tips and tricks, examples of network configurations and the firewall policies that support them. I am going to be adding articles to the "cookbook", so please come back often. You can post comments to each article, and I am hoping to move some of the interesting discussions we've had in the "Open Forum" here.

Besides the "cookbook", I moved all the documents that used to be published on the old site here, and added many new ones. Since the new site is focused on the documentation, there is no "Documents" section anymore; the whole site is that section now.

One of the most important improvements in the web site is that it now has a "Search" function. Just type a few words in the input field and click the button; it will scan all the documents, comments and postings and show everything related to your query.

Please explore new site, post your comments to the articles and let me know what you think about it. Welcome!

Vadim

 

Copyright © 2000-2008 NetCitadel, LLC. All rights reserved.