Firewall Builder v2.1.x Release Notes

Firewall Builder Release Notes


Version 2.1.19


Released 05/17/2008
GUI and compilers v2.1.19 require API library libfwbuilder version 2.1.19

Summary

This version includes compilers for Cisco PIX and IOS access lists which were released under GPL.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

The GUI code is in the freeze for QT4 conversion. I will fix bugs in policy compilers but will try to avoid changes in the GUI. New GUI based on QT4 will be released next spring when KDE4 is included in all major Linux distributions and FreeBSD. There will be bugfix releases for v2.1 if necessary.

Reminder: Improvements and changes in the packaging

  • Starting with v2.1.18, all policy compilers come as part of the "fwbuilder" RPM. This includes the compilers fwb_ipt, fwb_ipf, fwb_ipfw, fwb_pf, fwb_iosacl and fwb_pix. Instead of 6 RPMs (libfwbuilder, fwbuilder and 4 RPMs for individual compilers) I now build only two: libfwbuilder and fwbuilder. For example, for Fedora C8 only these two RPMs will be built from now on: libfwbuilder-2.1.18.fc8.i386.rpm and fwbuilder-2.1.18.fc8.i386.rpm

Improvements and bug fixes in the GUI

  • fixed bug #1949103: "manpage slightly broken". Minor fixes in fwbedit.1 man page.
  • fixed bug #1949438: "parser expects decimal - hex is not accepted". Importer for iptables should be able to process "--set-mark" with hex argument.
  • fixed bug #1562726: "policy print rule cut-off". Long rulesets would not print correctly on Windows, the bottom of the ruleset table was just printed solid grey with no rules visible.

Improvements and bug fixes in the policy compiler for iptables

  • bug #1938985: Rate in hashlimit in local language
  • fixed bug #1940504: "Clamp MSS to MTU". The iptables command that invokes "-j TCPMSS --clamp-mss-to-pmtu" in the FORWARD chain should go before the one that matches "--state ESTABLISHED,RELATED" in order to work for packets in these states.
  • partial fix for bugs #1789059 "shadow issue when using action chain" and #1945149: "Shadowing test for rules with action chain". The rule shadowing detection mechanism we have at this time can only detect shadowing of one rule by another. In the case of branching it is a combination of the branching rule and the rules inside the branch that may shadow other rules. I plan to redesign this part of the code in the future, but it won't happen in the upcoming v3. Meanwhile, I am fixing it in 2.1 by making the compiler ignore rules with action Branch.
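
The ordering requirement from bug #1940504 above can be checked against an iptables-save dump before a script is loaded. The following is an added example written for these notes, not Firewall Builder code: it scans the FORWARD chain of two constructed dumps and reports whether the TCPMSS clamp rule comes before the ESTABLISHED,RELATED rule. The function names and the sample dumps are this example's own.

```shell
#!/bin/sh
# Added example, not part of Firewall Builder or its generated scripts.
# Checks an iptables-save dump: in the FORWARD chain the TCPMSS clamp rule must
# appear before the rule accepting ESTABLISHED,RELATED, otherwise packets in
# those states are accepted before the clamp rule can see them.

# Constructed sample dumps: the correct ordering and the pre-2.1.19 ordering.
GOOD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

BAD_DUMP='*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT'

# Print the 1-based position within the FORWARD chain of the first rule whose
# text contains $2 (literal substring) in dump $1; prints 0 if there is none.
forward_rule_pos() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        /^-A FORWARD / { n++; if (index($0, pat) && !found) { found = n } }
        END { print found + 0 }'
}

# Succeed (status 0) only if both rules exist and the clamp rule comes first.
clamp_before_state() {
    clamp=$(forward_rule_pos "$1" "-j TCPMSS --clamp-mss-to-pmtu")
    state=$(forward_rule_pos "$1" "--state ESTABLISHED,RELATED")
    [ "$clamp" -gt 0 ] && [ "$state" -gt 0 ] && [ "$clamp" -lt "$state" ]
}

if clamp_before_state "$GOOD_DUMP"; then
    echo "good dump: clamp rule precedes the state rule"
fi
if ! clamp_before_state "$BAD_DUMP"; then
    echo "bad dump: clamp rule is shadowed by the ESTABLISHED,RELATED rule"
fi
```

The check is purely textual (a substring match on rule lines), so it tells you about ordering only; it does not evaluate other matches that might keep a packet from reaching the clamp rule.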

Improvements and bug fixes in the policy compiler for PF

  • fixed bug #1821573: "Rule options limits allow for multiple overload tables". PF allows only for one "overload" option per rule.
  • fixed bug #1961202: "Pf Timeouts overriden by Optimization". Compiler should generate "set optimization" command before "set timeout" commands.


Version 2.1.18


Released 04/06/2008
GUI and compilers v2.1.18 require API library libfwbuilder version 2.1.18

Summary

This version includes compilers for Cisco PIX and IOS access lists which were released under GPL.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

The GUI code is in the freeze for QT4 conversion. I will fix bugs in policy compilers but will try to avoid changes in the GUI. New GUI based on QT4 will be released next spring when KDE4 is included in all major Linux distributions and FreeBSD. There will be bugfix releases for v2.1 if necessary.

Improvements and changes in the packaging

  • Now all policy compilers come as part of the "fwbuilder" RPM. This includes the compilers fwb_ipt, fwb_ipf, fwb_ipfw, fwb_pf, fwb_iosacl and fwb_pix. Instead of 6 RPMs (libfwbuilder, fwbuilder and 4 RPMs for individual compilers) I now build only two: libfwbuilder and fwbuilder. For example, for Fedora C8 only these two RPMs will be built from now on: libfwbuilder-2.1.18.fc8.i386.rpm and fwbuilder-2.1.18.fc8.i386.rpm

Improvements and bug fixes in the GUI

  • fixed bug #1908351: "rcs does not save log message and file remains locked"

Improvements and bug fixes in the policy compiler for PF

  • fixed bug #1899914: "Script to apply the new rules." It is enough to execute "pfctl -f file.conf" to load PF policy. There is no need to purge filter and nat rules first, then reload it.

Improvements and bug fixes in the libfwbuilder API library and all policy compilers

  • fixed bug #1905718: "Group of DNS Name objects considered empty"


Version 2.1.17


Released 02/20/2008
GUI and compilers v2.1.17 require API library libfwbuilder version 2.1.17

Summary

This is a bug-fix release. It improves stability of the policy importer on 64-bit platforms, supports import of iptables policies that use the TCPMSS target, fixes problems with the built-in RCS on Windows when the user does not have administrator rights, and comes with a nearly 100% complete Brazilian Portuguese translation.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

The GUI code is in the freeze for QT4 conversion. I will fix bugs in policy compilers but will try to avoid changes in the GUI. New GUI based on QT4 will be released next spring when KDE4 is included in all major Linux distributions and FreeBSD. There will be bugfix releases for v2.1 if necessary.

Improvements and bug fixes in the GUI

  • Updated Brazilian Portuguese translation by Jose Carlos Medeiros <jose@psabs.com.br>
  • more for the bug #1816798: "Installing policy on PIX 501 fails". The fix that was made for v2.1.16 did not cover test-mode install, which is now fixed too. The command "terminal pager" is valid only for PIX 7.x and caused an error while installing policy on PIX 6.3. Removed this command from the install sequence; it was not essential.
  • fixed bug #1849392: "RCS using windows 2003 without administrator rights". Pass TMP and TEMP environment variables to RCS tools
  • Fixed bug 1883536: "fwbuilder segfaults when importing iptables conf". Added support for the TCPMSS target with option --clamp-mss-to-pmtu in the iptables importer; also made the importer understand option --tcp-option but skip it since it is not supported in fwbuilder.
  • fixed bug #1886570: Diagnostic related to Edit->Preferences. Removed harmless but annoying error message that appeared on stderr when user opened Preferences dialog.
  • fixed crash of the policy importer on 64-bit systems. This fixes bug #1886575: "Seg Fault on reading vanilla Fedora iptables file". See comment in module CircularQueue.hpp for details.


Version 2.1.16


Released 12/20/2007
GUI and compilers v2.1.16 require API library libfwbuilder version 2.1.16

Summary

An unfortunate bug introduced in 2.1.15 that broke the generated firewall script for iptables when the option "use iptables-restore" was on is fixed in this release. Additional checks were added to the generated script for iptables to improve error detection and make sure the GUI properly detects when the script terminates with an error. Support for load balancing with PF was also added.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

The GUI code is in the freeze for QT4 conversion. I will fix bugs in policy compilers but will try to avoid changes in the GUI. New GUI based on QT4 will be released next spring when KDE4 is included in all major Linux distributions and FreeBSD. There will be bugfix releases for v2.1 if necessary.

Improvements and bug fixes in the GUI

  • patch #1849500: "tooltip patch for tcpservicedialog_q.ui". Additional tooltips in the TCP Service dialog to explain function of tcp flags masks and settings.
  • fixed bug #1850346: "GUI has 2 views on which actions should be stateless". Even though the GUI made rules with action Route stateful by default, the code that determined whether the combination of options of a given policy rule was the default assumed these rules should be stateless.
  • applied patch #1850368: 'PF 3.7 has support for "set skip on"'. Patch by tomjudge@users.sourceforge.net extends support for "set skip on" option to pf 3.7.
  • fixed bug #1850352: "Install script wrongly completes successful". Added more checks to the installer scriptlet to make it properly terminate with a non-zero exit code if iptables-restore returned an error. Previously the "echo" at the end of the generated script masked the error code returned by iptables-restore and made the GUI report a successful install even when it terminated with an error. Also added a test for the presence of pkill on the system so that the script does not try to run it if it is not available.

Improvements and bug fixes in the policy importer for iptables

  • fixed bug #1849328: "iptables restore unusable in 2.1.15". This bug was introduced by the change for bug #1812295. If the option "use iptables-restore to activate policy" is on, the compiler always generates a script that prints iptables commands using echo and sends them to the input of iptables-restore via a pipe.
  • fixed bug 1848204: "ULOG-Setting ignored for invalid packets", applied patch #1848609 provided by reporter. Code that matched and logged packets in state INVALID always used target LOG, which was a problem for iptables installations that only come with target ULOG.
  • Applied patch 1835308: "Patch for adding "-q" option to fwb_ipt". Option "-q" suppresses timestamp that is normally included in the generated script. This way, if no objects or rules changed in the firewall builder, generated script will be exactly the same. Timestamps made generated script different even if nothing really changed in the objects, which made external version control systems detect changes when there were none.
  • bug #1850352: "Install script wrongly completes successful". Storing exit status of iptables-restore so that generated firewall script can return the same status after it executes commands that set kernel parameters and runs user-defined epilog code.
  • fixed bug #1851166: "Installscript does not test for destination ip address". The problem affected specific case of a firewall with two (or more) interfaces that get their address dynamically and a policy rule that has one such interface in source and another in destination. Generated iptables script retrieves actual addresses of both interfaces and assigns them to variables, then uses these variables in actual iptables rules. Special check is provided in case some interface did not obtain any ip address at a time of execution of the script. Previously such test was only done for one dynamic interface per rule. This change makes the script check for both.
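
Bugs #1850352 and #1849328 above come down to one shell pattern: rules echoed into iptables-restore through a pipe, followed by further commands that decide the script's final exit status. The following is an added example written for these notes, not the script fwb_ipt generates; it uses a constructed stand-in for iptables-restore so it runs offline, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example; not taken from Firewall Builder's generated scripts.
# Demonstrates the exit-status problem behind bug #1850352: when rules are
# echoed into iptables-restore through a pipe and the script goes on to run
# more commands (kernel parameters, epilog), the loader's exit status is lost
# unless it is stored immediately after the pipeline.

# Constructed stand-in for iptables-restore so the example runs offline:
# reads rules from stdin and fails with status 2 if any line contains BOGUS.
fake_restore() {
    load_rc=0
    while IFS= read -r line; do
        case "$line" in
            *BOGUS*) echo "fake_restore: bad rule: $line" >&2; load_rc=2 ;;
        esac
    done
    return $load_rc
}

# Rules are emitted with echo rather than a here-document so that shell
# variables (for example run-time address tables) expand when the script runs.
emit_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state $1 -j ACCEPT"
    echo "COMMIT"
}

# Buggy pattern: the trailing echo is the last command, so the caller always
# sees status 0 even when the loader rejected the rules.
activate_masked() {
    emit_rules "$1" | fake_restore
    echo "Policy activated"
}

# Fixed pattern: store $? right after the pipeline, run the epilog, and return
# the stored status so the calling GUI/installer sees the real result.
activate_checked() {
    emit_rules "$1" | fake_restore
    IPTABLES_RESTORE_RES=$?
    echo "Policy activation finished (iptables-restore status $IPTABLES_RESTORE_RES)"
    # epilog commands and kernel parameter settings would run here
    return $IPTABLES_RESTORE_RES
}

# Run a command silently and print its exit status (safe under set -e).
status_of() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

echo "masked,  bad rule set:  status $(status_of activate_masked BOGUS)"                # 0 (the bug)
echo "checked, bad rule set:  status $(status_of activate_checked BOGUS)"               # 2
echo "checked, good rule set: status $(status_of activate_checked ESTABLISHED,RELATED)" # 0
```

Under a POSIX shell, $? after a pipeline is the status of its last command, so saving it on the very next line and returning it at the end is what lets the GUI distinguish a rejected ruleset from a successful load; an epilog that ends with echo, or a pkill call that happens to fail, would otherwise overwrite it.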

Improvements and bug fixes in the policy importer for PF

  • applied patch #1850368: 'PF 3.7 has support for "set skip on"'. Patch by tomjudge@users.sourceforge.net extends support for "set skip on" option to pf 3.7.
  • applied patch #1850357: "Add support fo load balancing with pf to PolicyRule::Route" by Tom Judge (tomjudge@users.sourceforge.net) that adds support for load balancing rules in PF. Extended the patch adding support for address/netmask format of the next hop. Added checks for illegal IP addresses and netmasks in the next hop.


Version 2.1.15


Released 12/10/2007
GUI and compilers v2.1.15 require API library libfwbuilder version 2.1.15

Summary

This is another bugfix release. Several problems with policy installer running in batch mode have been fixed, also this release resolves compatibility issues with Windows Vista and Mac OS X Leopard.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

The GUI code is in the freeze for QT4 conversion. I will fix bugs in policy compilers but will try to avoid changes in the GUI. New GUI based on QT4 will be released next spring when KDE4 is included in all major Linux distributions and FreeBSD. There will be one more bugfix release for v2.1 if necessary.

Improvements and bug fixes in the GUI

  • fixed bug #1811781: "Batch Install". Built-in installer used address of the first firewall of the batch to communicate with all firewalls in the "batch install" mode.
  • fixed bug #1826558: "OSX 10.5 font problem". This problem appeared only in the Mac OS X Leopard (10.5) build; other platforms were unaffected.
  • Starting with build 320 Windows packages install on Vista
  • Added Brazilian Portuguese translation by Jose Carlos Medeiros <jose@psabs.com.br>
  • fixed bug #1821576: "Rule option tracking gives inavlid config with default value". Compiler should skip max-src-nodes when it is set to default '0' in the GUI.

Improvements and bug fixes in the policy importer for iptables

  • fixed bug #1812295: "Can't use runtime address tables AND iptabels-restore". The script generated by fwb_ipt used a "here document" if the option "use iptables-restore to activate policy" was turned on. This did not work if the policy used any run-time address table objects. Now the generated script always uses "echo" to generate the iptables commands that it sends to the standard input of iptables-restore.

Improvements and bug fixes in the policy importer for ipfilter

  • applied a contributed patch to add support for Kerberos rcmd and Kerberos ekshell proxies in ipfilter NAT rules.

Improvements and bug fixes in the policy importer for pf

  • fixed bug #1800875 "'keep state' missing from pass out going traffic rule". Compilers for pf, ipf and ipfw were affected.


Version 2.1.14


Released 09/10/2007
GUI and compilers v2.1.14 require API library libfwbuilder version 2.1.14

Summary

This is another bugfix release, it comes with numerous improvements in the iptables policy importer and fixes for gcc 4.2 and 4.3

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Improvements and bug fixes in libfwbuilder library

  • fixed bug #1761373: "libfwbuilder doesn't build on Mandriva cooker". Applied fixes to make the code compile with gcc 4.2

Improvements and bug fixes in the policy importer for iptables

  • fixed bug #1764988: "iptables import -> GUI crash":

    • iptables policy importer recognizes and parses target RETURN
    • iptables policy importer recognizes and parses TCP flag parameters ALL and NONE
    • syntax for TCP flag matching in iptables-save should allow for more than 2 flags in 'comp' part

  • fixed bug (no num): iptables policy importer should properly parse numeric protocol specification (e.g. "-p 47").
  • added missing support for the "--log-tcp-sequence", "--log-tcp-options" and "--log-ip-options" options of target LOG to the iptables policy importer
  • added a workaround for the situation when several iptables commands pass control to the same user-defined chain in the iptables-save file. As of fwbuilder v2.1, a branch ruleset is a child object of PolicyRule. This means two different rules cannot point at the same branch ruleset. This is unfortunate, but it is hard to fix in the current version because it requires changes to the XML DTD and API. Will do this in 3.0. Meanwhile, the importer checks whether a branch ruleset with the requested name already exists and changes the name by adding the suffix '1', '2' etc. to make it different. The imported rule is marked as 'bad' (red background) and gets a comment explaining this.
  • fixed bug (no num): importer for iptables should properly assign rule options when it finds "-m limit" and "--limit" options in the input file.

Improvements and bug fixes in the GUI

  • configure.in: another patch by Carlos Silva <r3pek@r3pek.org> to add third parameter to AC_DEFINE_UNQUOTED
  • fixed bug reported in Debian Bug report #417685 - added missing #include to make code compile with gcc 4.3
  • applied patch by Carlos Silva <r3pek@r3pek.org> to make configure.in use ANTLR C++ run-time installed on the system if it can find one; otherwise it uses copy in src/antlr
  • fixed bug #1772722: "installer should recognize when it uses plink 0.60". We detect when installer uses plink on Windows by checking the name of the configured ssh client. The check should be case-insensitive.
  • fixed bug #1764971: "allowed value range for burst limit". Iptables "--limit-burst" option should not be limited in the GUI.


Version 2.1.13


Released 07/22/2007
GUI and compilers v2.1.13 require API library libfwbuilder version 2.1.13

Summary

This is bugfix release; its main focus is better support for new features available in PF in OpenBSD 4.1.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Improvements and bug fixes in the GUI

  • fixed bug #1740766: "lock not saved". Method shallowDuplicate() now copies the value of the "ro" (read-only) attribute; clear it in the caller if necessary. Method duplicate() clears it after calling shallowDuplicate() in order to be able to modify the object, then restores this attribute to its original value.
  • fixed bug #1743117: "crash while editing any". Added a check: the user should not be able to unlock the Standard objects library.
  • fixed bug #1753188: "policy activation fails on PIX and IOS". Installer failed if account used to authenticate to the router or PIX went straight to 'enable' mode after login.
  • added simple template object for Cisco router 36xx

Improvements and bug fixes in policy compiler for iptables

  • fixed bug #1746257: "fwbuilder breaks IPv6". Added an option to the firewall settings dialog for iptables that controls whether compiler should skip generation of the code to set default policy of all ipv6 chains to DROP. This option is off by default, that is compiler puts the code in. This helps maintain backwards compatibility with old data files that do not have this option, which is equivalent to this option being "off".
  • fixed bug #1747332: "missing CONNMARK/ restore mark in Output Chain"
  • compiler permits setting direction in the rule while interface field is "All". This generates iptables command in chain INPUT or OUTPUT with "-i +" or "-o +" interface specification to match all interfaces.

Improvements and bug fixes in policy compiler for PF

  • fixed bug #1747828: "anchors generation - "log" not supported". "Log" keyword is not allowed in "anchor" rules; compiler should not generate it even if user turned logging on in a rule with action 'Branch'
  • implemented support for PF limit options "src-nodes", "tables" and "table-entries". Feature Req. #1674919: "Support "set limit table-entries""
  • better compliance with PF 4.x. Feature Req. #1679793: "add 'no state' and 'flags any'". If the version is set to 4.x, the compiler skips "flags S/SA keep state" for rules matching TCP services. However, according to the section "1.2. Operational changes" in the PF FAQ at http://www.openbsd.org/faq/upgrade41.html, there should be a way to add "keep state" explicitly for rules on interface enc0. Added this option to the rule options dialog.
  • Added support for the "set skip on" command for PF. If an interface is marked as "unprotected" in the GUI, the compiler generates this command for it. This is useful for loopback or other virtual interfaces.

Improvements and bug fixes in policy compilers for Cisco IOS ACL

  • Fixed bug that caused compiler to exit abnormally while compiling a rule with interface field "all". Compiler should generate ACL lines for all interfaces of the router (except those marked "unprotected")


Version 2.1.12


Released 06/24/2007
GUI and compilers v2.1.12 require API library libfwbuilder version 2.1.12

Summary

This release comes with support for Cisco IOS access lists and ability to import existing iptables and IOS access lists configurations. Multiple bug fixes are included as well.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Support for Cisco IOS access lists

The policy compiler for Cisco IOS access lists has been implemented as part of the Firewall Builder GUI as of version 2.1.12. The first functional build where the importer worked on all supported OSes was build 270 (May 22, 2007).

Features implemented in this version:

  • The compiler generates extended ACLs using "ip access-list extended" command. ACL names are automatically generated using abbreviated interface names and direction symbols to make it easy to figure out which ACL is which. Compiler uses rather minimal set of options of the "ip access-list" command and should generate code that will work for IOS 12.x. I did not test with 11.x but I am pretty sure it will work, at least with the latest versions of 11.x.
  • Compiler can also add commands to configure logging.
  • The GUI includes a built-in installer for routers which works just like the installer for PIX. Both installers were updated, however, to improve support for the automatic roll-back feature in case you lose the connection with the firewall or the router because of an error in the policy. Now you can make the installer schedule a reboot in a few minutes, then upload the new policy or ACLs and then cancel the reboot if the upload was successful. While before the auto-rollback option was only available if you installed in the test mode, now you can always use it. Test mode means that the installer does not save the configuration in the permanent memory, as before.
  • All three installation methods that were available for PIX are now available for routers: you can make it clear all access lists and then load new ones or just update access lists without clearing. The last method (the "safety net" method) creates temporary acl to permit communication with the management station, assigns it to the interface marked as management interface, then clears all access lists and loads new ones and in the end swaps proper list on the management interface. This helps prevent locking yourself out of the router in the middle of the installation process in case of an error in the ACL and at the same time does not leave the router with no acls for the time it takes to install new policy. In combination with automatic roll-back, installation process is pretty reliable.
  • New option has been added to the interface object, called "unprotected". This allows you to mark some interfaces to be skipped by the compiler when it picks interfaces for ACL rules. This should be useful when you have routers with many interfaces and only want to add ACLs to some of them. Also, you can explicitly put interface objects into policy rules and specify direction if you want to do this manually.
  • Since router ACLs have no state, all rules should be created in the policy pretty much like you do it on the router, including rules that permit reply packets. A new option has been added to the TCP Service object, called "established". This makes the compiler use the option "established" in the rules it generates if it is supported by the firewall platform. Compilers for iptables, ipfilter, pf and PIX cannot use objects with this option and treat it as an error because the corresponding platforms do not support it. IPFW, on the other hand, supports it, so compiler fwb_ipfw can use it.

Shortcomings of this version:

  • "tos", "precedence" and "time-range" options are not supported
  • "igmp" access lists cannot be generated

Policy import iptables configurations (v2.1.12, build 281 and later)

The policy importer has been implemented as part of the Firewall Builder GUI as of version 2.1.12. The first functional build where the importer worked on all supported OSes was build 270 (May 22, 2007).

The policy importer uses an ANTLR lexer and parser ( http://www.antlr.org/ ). Version 2.7.7 is used in Firewall Builder v2.1.12 ( http://www.antlr2.org/ ).

Firewall Builder needs the ANTLR C++ runtime header files and library and includes these in the source tree under src/antlr. Unless you want to change the grammar (*.g files) you don't need to install ANTLR separately. All relevant ANTLR files are included in the package. For more information on ANTLR see: http://www.antlr2.org

Features implemented in this version :

  • Importer can parse iptables config saved using iptables-save utility. Because of the huge variety of iptables modules, Importer can only interpret basic iptables configuration and a subset of modules. Currently the following modules are supported:

    • state
    • multiport
    • limit
    • mark

  • Importer creates a firewall object with all interfaces. It cannot assign a name to the firewall object nor add IP and MAC addresses to interfaces because this information is not present in the iptables-save file.
  • option "Assume firewall is part of 'any'" is off in the created firewall object. Import is done this way in order to preserve logic of chains INPUT, OUTPUT and FORWARD in the recreated fwbuilder rules. Rules that had chain INPUT in the imported script will have firewall object in "destination" in the corresponding fwbuilder rules. Firewall object is placed in "Source" for rules with chain OUTPUT. For rules with chain FORWARD rule elements "Source" and "Destination" are populated with objects created using options "-s" and "-d" of the original rules or left empty ("any").
  • all recognized iptables rules are imported and interface and direction are set in all rules appropriately. Interface objects are created as parser finds them in the script.
  • targets ACCEPT, DROP, REJECT, MARK and others are converted to the corresponding fwbuilder policy rule actions. Unrecognized targets are converted to branching rules, where the name of the target becomes the name of the branch.
  • SNAT, DNAT, MASQUERADING, REDIRECT and NETMAP targets and their parameters are recognized in the NAT rules.
  • Address and service objects are created in the process for all addresses and ports used in all rules.
  • iptables rules can refer to tcp/udp ports both by name or by number. Importer can properly interpret both formats using system function getservbyname() to convert service name to the port number. Since the result of this function depends on the OS, some port names may not convert on some systems. For example, Windows can convert more limited set of service names compared to Linux or BSD.
  • targets LOG and ULOG are converted to the "logging" option in fwbuilder rules with action "Continue". This is an empty action that does not affect packet flow through the firewall but can be used in combination with "logging" option to log the packet. If such empty (logging-only) rule is undesired, it must be manually merged with some other rule in the policy.
  • "--log-prefix", and "--log-level" options of the LOG target are recognized
  • "--ulog-prefix" option of the ULOG target is recognized. Other options of the ULOG target are not.
  • Address and service objects are reused in the process of import.
  • in case when importer fails to parse some part of the iptables-save file, corresponding policy rule is colored red and appropriate diagnostic message added to its comment. The problem must be corrected manually.
  • comments ("#") found inside access lists are ignored.
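
The chain-to-rule-element mapping and target conversion described in the list above, as an added example written for these notes and not the Firewall Builder importer itself (which is C++ and ANTLR-based): a POSIX shell function takes one "-A ..." line from a constructed iptables-save dump and emits the chain, Source, Destination, protocol, port and action the notes describe. The function names, the sample dump and the action labels are this example's own.

```shell
#!/bin/sh
# Added example (not Firewall Builder's importer). Shows the mapping the
# release notes describe for iptables-save rule lines:
#   INPUT   -> firewall object in Destination
#   OUTPUT  -> firewall object in Source
#   FORWARD -> Source/Destination from -s/-d, or "any" when absent
#   known targets -> rule actions, LOG/ULOG -> action Continue with logging,
#   unrecognized targets -> a branching rule named after the target.

# Constructed sample dump in iptables-save format.
SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 192.0.2.0/24 -d 198.51.100.7/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP "
-A FORWARD -j my_chain
COMMIT'

# Map an iptables target to an fwbuilder-style action label (labels are this
# example's own; anything unrecognized becomes a branch).
target_to_action() {
    case "$1" in
        ACCEPT)   echo "Accept" ;;
        DROP)     echo "Deny" ;;
        REJECT)   echo "Reject" ;;
        MARK)     echo "Tag" ;;
        RETURN)   echo "Return" ;;
        LOG|ULOG) echo "Continue+log" ;;
        *)        echo "Branch:$1" ;;
    esac
}

# Convert one "-A CHAIN ..." line into "chain|src|dst|proto|dport|action".
# The line is split on whitespace; options this example does not model are skipped.
import_rule() {
    set -- $1
    chain= src= dst= proto=any dport=- action=
    while [ $# -gt 0 ]; do
        case "$1" in
            -A)      chain=$2; shift 2 ;;
            -s)      src=$2; shift 2 ;;
            -d)      dst=$2; shift 2 ;;
            -p)      proto=$2; shift 2 ;;
            --dport) dport=$2; shift 2 ;;
            -j)      action=$(target_to_action "$2"); shift 2 ;;
            *)       shift ;;
        esac
    done
    # The chain decides where the firewall object goes, as the notes describe.
    case "$chain" in
        INPUT)  dst=FIREWALL ;;
        OUTPUT) src=FIREWALL ;;
    esac
    printf '%s|%s|%s|%s|%s|%s\n' "$chain" "${src:-any}" "${dst:-any}" "$proto" "$dport" "$action"
}

# Import every "-A" line of a dump; table headers, chain policies and COMMIT are ignored.
import_dump() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "-A "*) import_rule "$line" ;;
        esac
    done
}

import_dump "$SAMPLE"
```

Running the script prints one line per imported rule; the LOG rule shows up as a logging-only "Continue" rule and the jump to my_chain as a branch, exactly the two cases the notes say need manual attention afterwards.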

Shortcomings of this version:

  • user-defined chains in table "nat" are not supported
  • no import of time intervals
  • no MAC address matching import

Policy import of Cisco IOS access lists (v2.1.12, build 270)

Features implemented in this version :

  • Importer can parse router config saved using "show run" command. Although importer can only interpret a subset of IOS configuration commands, other commands that it does not understand will be ignored and should not affect operation. No manual editing of the config is required prior to import.
  • Importer creates firewall object with all interfaces
  • firewall object name is assigned if "hostname" command is found in the configuration. If this command is not present, the name remains generic "New Firewall"
  • interface addresses are assigned if command "ip address" is found (multiple addresses per interface are supported). Interfaces without "ip address" in the configuration are marked as "unnumbered" in the firewall builder object tree.
  • all access lists are imported and interface and direction are set in all rules appropriately
  • Address and service objects are created in the process for all addresses and ports used in access lists
  • IOS access lists can define ip protocol, icmp code and type, and tcp/udp ports both by name or by number. Importer can properly interpret both formats.
  • "log", "log-input", "fragments", "established" keywords are supported and translated into rule or object options as appropriate.
  • Address and service objects are reused in the process of import.
  • in case when importer fails to parse some part of the access-list command, corresponding policy rule is colored in red and appropriate diagnostic message added to its comment. The problem must be corrected manually.
  • "remark" commands found inside access lists are translated into rule comments
  • comments ("!") found inside access lists are ignored.

Shortcomings of this version:

  • importer does not use address and service objects that existed in the tree before the operation has started, it creates new ones. Deduplication only works for objects created in the process of import.
  • the following keywords available in extended access lists are not supported at this time: tos, precedence, time-range.
  • igmp access lists are not parsed.


New object types and improvements in the base API

  • TCPService object now has the flag "established". Policy compilers for platforms that have a special keyword for this flag can recognize it in the TCPService object.
  • TCPService object "All TCP established" has been added to the Standard objects library.
  • Interface of the firewall has new flag "unprotected", currently only used in compiler for Cisco IOS access lists. Compiler skips interfaces marked as "unprotected" when it decides which interface a policy rule should be assigned to.

Improvements and bug fixes in the GUI

  • dialogs and resource files for Cisco IOS access lists.
  • Policy installer for Cisco routers
  • fixed long-standing problem with size of the built-in installer options dialog. The dialog was too big and did not properly resize itself when some options were hidden.
  • PIX and Cisco routers (IOS) : built-in installer can schedule reboot of the firewall before activating new policy, then cancel it if the policy has been activated successfully.
  • note about the built-in installer on Windows. The installer seems to have broken with the upgrade of QT to 3.3.8. Specifically, in SSHSession::readFromStdout(), proc->readStdout() returns a byte array that contains the actual output from the device with some garbage appended to it. The garbage is included in the size() count of the QByteArray returned by readStdout, so it gets included in the QString which we append to stdoutBuffer. This happens only on win32; reverting to QT 3.3.7 fixes the problem.
  • the GUI is compiled with ANTLR C++ run-time, used for policy importer
  • Policy importer: can read and import iptables rules from the iptables-save file and Cisco IOS access lists from the router configuration saved using "show run" command. See README.policy_import file for more details.
  • allow for object group in "Interface" rule element
  • Added support for action "Continue" (an empty action) in the GUI and compiler for iptables. This action creates a rule that does nothing, however it generates iptables command with target "-j LOG" if logging is turned on. This can be useful if one wants only to log packets that match certain pattern but not make any policy decision in the same rule.
  • After changes made in the compiler to simplify algorithm used to decide which chain a rule with action Tag should go to, rule action option "Mark connections in PREROUTING chain" ( "ipt_mark_prerouting" ) has been deprecated.
  • fixed bug (no number) where installer failed to properly copy .fwb file over to the firewall if file name contained whitespace
  • fixed bug #1739373: "FWB2111, register Routing not printed". Tab "Routing" was not included in the printed copy of firewall policies

Improvements and bug fixes in policy compiler for iptables

  • fixed bug 1737733: "install script doesn't detect BROADCAST if eth is NO-CARRIER". If firewall script runs before network interface comes up (i.e. is still in NO-CARRIER state), script failed to add virtual addresses for NAT.
  • fixed bug #1711595: "ip6tables DROPs". Compiler adds rules to permit any-to-any on loopback interface for ipv6 in addition to rules that set default policy to DROP for all chains in ipv6
  • streamlined algorithm that assigns chain to a rule with action Tag. The goal is to always use chain PREROUTING for rules with direction Inbound or Both and a combination of OUTPUT and POSTROUTING for rules with direction Outbound and Both.
  • Added support for action "Continue" (an empty action) in the GUI and compiler for iptables. This action creates a rule that does nothing, however it generates iptables command with target "-j LOG" if logging is turned on. This can be useful if one wants only to log packets that match certain pattern but not make any policy decision in the same rule.
  • fixed bug #1718791: "Bug with more than one router". This bug affected routing rules.
  • fixed bug #1720022: "Fail to load modules .ko.gz".
  • fixed bug #1720480: '"-A POSTROUTING -i interface" in branching rules'. Compiler should not generate iptables commands in POSTROUTING chain with "-i interface" clause.
  • bug (no number): compiler used to not set unique internal id for rules in branches, which led to chain names like 'C.0' in generated script.
  • bug (no number): when a rule number is inserted into a log record in place of macro %N, it should be formatted as "N/M" for rules in a branch.
  • bug (no number): setting chain for Classify action only if it has not been set before. Setting chain to POSTROUTING always broke things if a rule with action 'Classify' was used in a branch (so the chain has been set to that of the branch)
  • bugs #1676635: "no way to match on state if the action is drop" and #1671910: "2.1.8 In 'Branch' acton compiler doesn't insert NEW stanza". Rely only on rule option 'stateless' to decide whether the rule should have "-m state --state NEW". Rule option 'stateless' is automatically set when user changes rule action so it becomes anything except 'Accept', 'Tag' or 'Route'. This option is also automatically cleared when action is switched to any of these three actions. The user can override these default settings by checking or unchecking the option in the rule options dialog.

Improvements and bug fixes in policy compiler for PF

  • fixed bug #1727715: "Policy Installer failed but indicates succes". Activation script for PF exits with non-zero return code if script activation fails.
  • fixed bug #1740545: "AddressTable in NAT section". Policy compiler for PF crashed if AddressTable object was used in TDst element of a NAT rule.

Improvements and bug fixes in policy compiler for ipfw

  • new TCPService object flag "established" in compiler for ipfw.


Version 2.1.11


Released 04/29/2007
GUI and compilers v2.1.11 require API library libfwbuilder version 2.1.11

Summary

This is a bugfix release.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Improvements and bug fixes in the GUI

  • redesigned TimeService object dialog
  • minor redesign of the interface object dialog to make network zone more prominent and easier to set when network and group objects have long names.
  • fixed bug #1685741: "GUI crash: click on an empty part of obj tree, then desktop"
  • fixed bug #1692411: "can't set accouting rule name (fwbuilder 2.1.11)"
  • fixed bug #1684334: "RCS should use $LOGNAME when commit"
  • fixed bug #1701971: "Enabeling test mode doent activate the reboot interval". Checking "Test mode" checkbox in the installer options dialog should enable widgets that configure automatic reboot timeout.
  • fixed bug #1702830: "fwbuilder does not detect errors during policy install". Built-in installer detects error messages printed by iptables and iptables-restore and aborts installation process. Summary page shown in the end reflects this as failed install.

Improvements and bug fixes in policy compiler for iptables

  • Added support for --datestart and --datestop options for module 'time' in compiler for iptables
  • fixed bug #1672191: "Time limit generates unexpected iptables command"
  • fixed bug #1695481: "compliation error with lower end port". Before, the user could enter a port range whose start was greater than its end. Neither the GUI nor the compiler noticed this, which resulted in an incorrect firewall configuration. This fix adds a check in the GUI so the user cannot enter port ranges like that.
  • fixed bug 1699483: "hashlimit-htable-expire not set". Added GUI controls and compiler support for hashlimit module options "--hashlimit-name", "--hashlimit-htable-size", "--hashlimit-htable-max", "--hashlimit-htable-expire" and "--hashlimit-htable-gcinterval"
  • fixed bug #1703954: "Mark target in postrouting chain". Packets that originate on the firewall should be marked in the OUTPUT chain. According to the netfilter packet flow diagram at http://www.shorewall.net/NetfilterOverview.html , rerouting happens after the OUTPUT hook but before the POSTROUTING hook. So in order to be able to reroute packets originating on the firewall, they should be marked in OUTPUT.

Improvements and bug fixes in policy compiler for PF

  • fixed bug #1674940: "if max-src-conn == 0: syntax error". Options max-src-conn and max-src-states can not have value '0'

Improvements and bug fixes in policy compiler for ipfilter

  • fixed bug #1678410: "Ipfilter compiler uses wrong keyword for "fragment""
  • fixed bug #1676845: "lsrr option not compiling"


Version 2.1.10


Released 02/17/2007
GUI and compilers v2.1.10 require API library libfwbuilder version 2.1.10

Summary

This is a bugfix release.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Improvements and bug fixes in the GUI

  • fixed bug #1661140: "built-in installer broken in 2.1.9 for PF". Installer incorrectly set name for files it copied to the firewall if generated configuration consisted of several files. Affected platforms are PF and ipfilter because normally for these platforms compiler generates two files.
  • fixed bug #1659832: "No compile with QT without STL support"
  • a workaround for the bug 1629461: "Policy tabs do not scroll @ window extent on OSX". The tab widget used to show policy, nat, routing and policy branch rulesets does not switch to a "folded" mode on Mac OS X when it needs to show more tabs than fit in the window. Since I can't figure out a way to force it to do that, I am dropping "Policy/" from the tab titles for branches to make them shorter. This will help users with policies with many branches, however it does not solve the problem because as they keep adding branches, at some point they won't fit in the window again.
  • added an item "Where used" to the context menu associated with objects in rules


Version 2.1.9


Released 02/10/2007
GUI and compilers v2.1.9 require API library libfwbuilder version 2.1.9

Summary

This is a bugfix release.

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Improvements and bug fixes in the GUI

  • New feature: new operation "Tools/Find Conflicting Objects in Two Data Files". This operation inspects two data files (either .fwb or .fwl) and finds conflicting objects. Conflicting objects have the same internal ID but different attributes. Two data files can not be merged, or one imported into another, if they contain such objects. This operation also helps identify changes made to objects in two copies of the same data file. This operation does not find objects present in one file but not in the other, such objects present no problem for merge or import operations. This operation works with two external files, neither of which needs to be opened in the program. Currently opened data file is not affected by this operation and objects in the tree do not change. In the process of this operation user is presented with series of dialogs showing conflicting objects side by side. In the end the program can generate report and write it to a text file.
  • installOptionsDialog was too large and did not fit on some laptop screens. Doing tricks to make sure the dialog properly resized after unused GUI elements are hidden.
  • bug #1629521: "can't delete empty chain/policy tab"
  • bug #1619842: "prolog "script editor" opens behind other windows"
  • bug #1620206: "RuleOptions' "Apply" button greyed-out until menu selection"
  • bug 1619930: "Prolog tab's ScriptEditor's import fails to overwrite"
  • bug #1617501:"Install fails after compile". The GUI got confused when the user entered a full path to the policy file in the "Output file name" input field in the "Compiler" tab of the firewall object dialog. Making sure we always strip the directory path from the file name if the user specified a full path for the policy file in that field. The path needs to be stripped when macro "%FWSCRIPT%" is substituted in installation scriptlets and in some other places.
  • "Apply" and "Close" buttons in the object editor panel should be of fixed size horizontally
  • bug #1624577: "group window doesn't stay open on multiple-adds". Using special flag to tell ObjectTreeView that it should ignore MouseReleaseEvent it gets after d&d operation, so it wont switch object in the editor panel. Note the bug triggered only on Mac OS X.
  • bug (no num.): GUI used to show phantom 'Policy', 'NAT' and 'Routing' tabs when the user deleted objects from the Deleted Objects library, provided some of these objects were previously deleted firewalls.
  • bug #1620284: "conflict when adding library to Preferences/Libraries". When the user tried to add a library to the list in Preferences/Libraries while a data file with the same object library was loaded, the GUI detected the conflict and showed an error dialog.
  • bug #1650369: "[patch] please add support for GNU/kFreeBSD". Applied patch to make code compile on kFreeBSD.

Compiler for iptables

  • bug #1623338: "Can not disable rules in a branch". Compiler for iptables ignored flag 'disabled' on rules in a branch.
  • bug #1623113: 'connlimit fails in compiled "address table" rules'. Module connlimit can only be used in iptables rules matching TCP services. Such iptables commands have "-p tcp" and/or "-m tcp" options. If a rule in fwbuilder uses a TCP Service and the connlimit option and has multiple objects in src and dst, the optimizer used to split it to minimize matches. It however preserved the connlimit option in all subrules, even though some of them did not have a TCP service after the split. This led to generation of incorrect iptables commands.
  • bug #1620925: "compile-time AddressTable object with empty file". Compile-time AddressTable object that uses file with no addresses should be treated as an empty group according to the "Ignore empty groups" option.
  • bug #1618381: "CLASSIFY/MARK are non-terminating". This bug report in fact reported several problems.

    • For action Branch with option to add branching rule to the mangle table: we now generate rules in PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD chains. This is because some targets can only work in PREROUTING or POSTROUTING chains but we do not know what rules the user will put in the branch. So we need to branch in all chains
    • For rules in mangle table with direction set to Inbound or Outbound force chain to PREROUTING or POSTROUTING respectively early. This eliminates duplicates such as the same rule in PREROUTING and INPUT chains. Also since most (all?) targets that require mangle table go into either PREROUTING or POSTROUTING chains, it should be enough to use these two chains.
    • Non-terminating rules shadow each other "backwards", that is more general rule shadows other rules _above_ it. Added flag 'reverse' to the method find_more_general_rule and added new rule processor DetectShadowingForNonTerminatingRules that finds such cases of 'reverse' shadowing. Using it for rules in the mangle table for iptables.
    • Adding iptables rule with target ACCEPT to emulate terminating behavior for Tag and Classify actions. Emulation is controlled by a global option in the "Compiler" tab of the firewall properties dialog (default is "off"). This means emulation can be turned on and off for all rules that might require it at once. It is impossible to mix such rules with terminating and non-terminating behavior. The reason for this is that the shadowing detection algorithm can only work with either terminating or non-terminating rules, not with the mix.

  • bug #1628989: "run-time-loaded rules don't accept ";" as line comment"
  • bug #1632054: "Runtime AddressObjects FAIL to load if "Name:" contains "."". Compiler checks if the name of the run-time AddressTable object contains characters that have special meaning in the shell and replaces them with '_' when it generates the name of the temporary shell variable.
  • bug (no num.): data files used for run-time AddressTable objects can have empty lines, the script should skip them.
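The shadowing checks described for bug #1618381 above (a general rule above shadows terminating rules below it; a general non-terminating rule below shadows rules above it, hence the 'reverse' search; mixed rulesets are rejected), as an added Python example. This is not fwbuilder's own C++ code; the rule representation, the object names and the two sample rulesets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# A match field is a set of object names, or None meaning "any".
Field = Optional[FrozenSet[str]]


@dataclass(frozen=True)
class Rule:
    label: str
    src: Field
    dst: Field
    srv: Field
    action: str
    # True for filter-table actions (Accept/Deny); False for mangle-table
    # actions such as Tag/Classify when terminating behaviour is not emulated.
    terminating: bool


def field_covers(general: Field, specific: Field) -> bool:
    """True if every packet matched by 'specific' is also matched by 'general'."""
    if general is None:
        return True          # "any" covers everything, including another "any"
    if specific is None:
        return False         # a concrete set never covers "any"
    return specific <= general


def rule_covers(general: Rule, specific: Rule) -> bool:
    """A rule is at least as general as another if each match field covers the other's."""
    return (field_covers(general.src, specific.src)
            and field_covers(general.dst, specific.dst)
            and field_covers(general.srv, specific.srv))


def find_more_general_rule(rules: List[Rule], idx: int, reverse: bool = False) -> Optional[int]:
    """Index of the first rule at least as general as rules[idx], or None.

    reverse=False searches the rules above idx (terminating rulesets: a general
    rule above consumes the packet first).  reverse=True searches the rules
    below idx (non-terminating rulesets: a general rule below runs later and
    overrides what the more specific rule above did, e.g. a packet mark).
    """
    candidates = range(idx + 1, len(rules)) if reverse else range(idx - 1, -1, -1)
    for j in candidates:
        if rule_covers(rules[j], rules[idx]):
            return j
    return None


def is_mixed(rules: List[Rule]) -> bool:
    """True if the ruleset mixes terminating and non-terminating rules."""
    return len({r.terminating for r in rules}) > 1


def detect_shadowing(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed, shadowing) label pairs for a ruleset of one kind.

    Mirrors the constraint stated in the release notes: the check works for an
    all-terminating or an all-non-terminating ruleset, never for a mix.
    """
    if not rules:
        return []
    if is_mixed(rules):
        raise ValueError("ruleset mixes terminating and non-terminating rules")
    reverse = not rules[0].terminating
    found = []
    for i in range(len(rules)):
        j = find_more_general_rule(rules, i, reverse=reverse)
        if j is not None:
            found.append((rules[i].label, rules[j].label))
    return found


def filter_ruleset() -> List[Rule]:
    """Constructed sample: terminating filter rules.  r1 shadows r2 from above."""
    return [
        Rule("r0", frozenset({"admin_host"}), None, frozenset({"ssh"}), "Accept", True),
        Rule("r1", None, None, frozenset({"ssh"}), "Deny", True),
        Rule("r2", frozenset({"backup_host"}), None, frozenset({"ssh"}), "Accept", True),
    ]


def mangle_ruleset() -> List[Rule]:
    """Constructed sample: non-terminating Tag rules.  m1 shadows m0 from below."""
    return [
        Rule("m0", frozenset({"admin_host"}), None, frozenset({"ssh"}), "Tag 1", False),
        Rule("m1", None, None, frozenset({"ssh"}), "Tag 2", False),
        Rule("m2", frozenset({"web_host"}), None, frozenset({"http"}), "Tag 3", False),
    ]


if __name__ == "__main__":
    print("filter:", detect_shadowing(filter_ruleset()))   # [('r2', 'r1')]
    print("mangle:", detect_shadowing(mangle_ruleset()))   # [('m0', 'm1')]
```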


Version 2.1.8


Released 12/02/2006
GUI and compilers v2.1.8 require API library libfwbuilder version 2.1.8

Summary

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Installation

An opinion poll run on the fwbuilder-discussion mailing list showed that the majority of users are not interested in the ability to install and run both fwbuilder 2.0 and 2.1 on the same machine at the same time. Hence we are reverting to the old naming schema without suffix '21' for the binaries and man pages in this release.

Improvements and bug fixes in the GUI

  • The user can search for objects using regular expressions matching their names or attributes.

  • Fixed bug #1592130: "Policy Chaining Issues". The GUI should properly display nested branch rulesets. The user can create policy branches within other branches.

All compilers

  • Fixed bug #1590746 "problem with using "DNS Names" objects on MS Windows". Compiler failed to convert DNSName objects set to resolve at compile time into IP addresses.

Compiler for iptables

  • fixed bug #1593221: "iptables filtering bridge problem - PHYSDEV: no physdev opti..." Sometimes rules were generated with "-m physdev" but without "--physdev-in" or "--physdev-out" options.

Compiler for Cisco PIX

  • fixed a bug (no num., support req. #1604103: "fwb_pix policy compiler dies when SNMP or NTP hosts defined"). Compiler did not print an error message when it could not find an interface with network zone matching the IP address of the NTP or SNMP server (it just printed the address without explanation of what went wrong)
  • Experimental utility fwb_pix_diff has been added to the package. This utility takes two PIX configurations on the command line and produces the 'diff' that consists of a set of commands that should bring the firewall from the state defined by the first config to the state defined by the second. Only PIX 7.0 is supported. This utility will be incorporated into policy installer in the future to make policy updates simpler and faster, especially when small changes are made to the large set of access lists and nat rules.


Version 2.1.7


Released 10/31/2006
GUI and compilers v2.1.7 require API library libfwbuilder version 2.1.7

Summary

For those who wish to build from source, instructions are outlined in the document "Install and Build instructions" on our web site here

Installation

Packages of Firewall Builder 2.1 are built in a such way that you should be able to install them on the same machine with Firewall Builder 2.0.X. All binaries have names that end with "21", e.g. "fwbuilder21" or "fwb_ipt21". On Windows the binary name is the same but the package installs in directory c:\FWBuilder21 which is different from the default directory for Firewall Builder 2.0; all registry entries are also located in different subtrees. All this is done to ensure the user can run Firewall Builder 2.1 while still using stable version 2.0.12 on the same machine.

Improvements and changes in the GUI

  • The GUI works much faster with very large object trees (tested using a data file with over 3000 objects).

  • "Where used" menu item has been added to quickly find and show all groups and firewall rules that reference given object. Confirmation dialog that is shown when user tries to delete an object also shows all groups and rules that use it.

  • By popular request, built-in installer can now save a copy of .fwb file to the firewall.

  • Compile/install dialog is now an independent window instead of a modal dialog, this means the user can look at the policy and objects while compilation and/or installation is going on. This is especially convenient as it allows one to inspect the rules after failed compilation while still having compiler error on screen.

  • Network discovery druid is back, ported from fwbuilder 1.0. As before, it supports reading object definitions from a file in /etc/hosts format, can read DNS zone and also can crawl the network using SNMP queries.

  • Startup wizard ("Welcome to Firewall Builder") has been removed. The GUI now starts either into an empty database or opens data file specified on the command line.

  • Keeping track of dependencies between objects. This is useful when many firewalls in the tree use the same set of objects. Each firewall object keeps track of objects it depends on, so if any object is modified, all firewalls that use it in their rules are marked with bold font to indicate that they need to be recompiled. Object dependencies are tracked not only when objects are directly used in rules, but also when they appear there indirectly, as members of groups

  • Added bulk compile and install operations. This is useful when there are many firewalls in the tree that need to be compiled and installed in one go. Bulk install operation is only possible if all firewalls use the same user name and password for authentication. If this is not the case, built-in installer can be instructed to ask for the authentication information before it touches each firewall.

  • All object dialogs have been converted into built-in panels that appear in the right hand part of the main window. This simplifies navigation ( pop-up dialogs used to obscure parts of the main window). Objects open in the editor on a single mouse click in the tree and rules.

  • Improvements in "Find" function: administrator can now drag an object into a well in the find dialog panel to make it search for this particular object. This is useful if the name of the object is not unique. Search by object's name or a value of its attribute is also possible.

  • In addition to the "Find" function, the "Find and replace" operation has been implemented. Objects can be found and replaced in groups and firewall rules

New object types, new rule types and rule elements, new actions and other new features

  • AddressTable:  This object resolves to a set of IP addresses defined in an external file. The object can be configured to read the file at compile time or at run time. For each compile-time AddressTable object defined in the object tree compiler tries to find and read the file specified in the object configuration. Compiler aborts processing if the file can not be found or can not be read. If the file is in place and can be read, such AddressTable object behaves as if it was a group of IP address objects, that is, all addresses are explicitly copied into generated configuration, although compiler may use target firewall syntax that helps to group such sets of addresses into tables. Compilers for iptables, ipfw, ipf and PIX generate bunch of rules matching each address read from the file. Compiler for PF creates a table and also lists all IP addresses it reads from the file; it uses the name of the AddressTable object for the name of the table it creates.

    Run-time AddressTable objects are only supported by compilers for iptables and PF. Compiler for iptables generates shell code to read the contents of the file when firewall configuration is activated. Compiler for PF uses native "table <name> persist file <file_name>" syntax. Here also the name of the table is the same as the name of the AddressTable object it was created for.

  • DNSName:  This object resolves a host name to the IP address using DNS. Object can be configured to do so at compile time or run time. Resolution is done using system call gethostbyaddr() to read DNS A records for the name. System resolver should take care of recursion and CNAME records, if any. If the name resolves to several IP addresses, all addresses are used in the generated firewall configuration. Run-time DNSName objects rely on the target firewall software to be able to convert symbolic names used in rules into actual IP addresses at a time when policy is activated. Not all platforms provide means to support run-time DNSName objects.

  • TagService:  This object matches tags set by action Tag. It is translated into --mark <mark_code> for iptables and tag option for PF. This service object is only supported by compilers for iptables and PF.

  • Interface objects can now have an attribute to mark them as bridge ports, used for bridging firewalls.

  • Support for routing rules has been implemented using patch provided by Tidei Maurizio <fwbuilder-routing at compal.de> Support for routing rules is only implemented in compiler for iptables. See file README.routing included in fwbuilder2 package.

    NOTE: I can only provide very limited support for this feature, please direct your questions and bugreports to the author

  • Global policy and interface policies have been merged. Each policy rule now has rule element "Interface". Administrator can drag and drop interface object of the firewall into this rule element field. Policy compilers support multiple interfaces and negation in "Interface" rule element. Rule element "direction" that previously was only part of the interface policy rules is now part of all policy rules.

  • Policy rules can have the following new actions:

    • Queue:  This action passes the packet to a user space process for inspection; it is translated into QUEUE for iptables and divert for ipfw. This action is only supported by compilers for iptables and ipfw.

    • Custom:  This action allows administrator to define arbitrary piece of code to be used in place of an action. Supported by compilers for iptables, ipf and ipfw

    • Branch:  This action is used to create a branch in the rule set. It works on target platforms that provide suitable syntax and allow control to return to the higher level rule set if the branch can not make a final decision about the packet. For iptables this action is translated into a user-defined chain. The name of the chain is the name of the branch chosen by the administrator. For PF this action is translated into an anchor with the same name as the branch defined by the administrator. This action is only supported by compilers for iptables and PF.


      Fig.1 Rule #0 of the global policy creates a branch with the name rule0_branch

    • Tag:  This action associates internal tag with the packet. Tag can later be inspected using service object TagService. This action is translated into MARK target with corresponding --set-mark parameter and optionally additional rule with CONNMARK --save-mark target for iptables. If option that activates CONNMARK target is used, compiler also adds a rule at the very top of the policy to restore the mark. Rules are placed in INPUT,OUTPUT and FORWARD chain of the "mangle" table, this ensures that DNAT happens before rules placed in the mangle table see the packet. PREROUTING chain in mangle table is executed before PREROUTING chain in the nat table, so placing tagging rules in the PREROUTING chain would make them fire before DNAT. POSTROUTING chain of the mangle table, as well as its FORWARD and OUTPUT chains, work before corresponding chains of the nat table. In all cases the goal is to make sure DNAT rules process the packet before, and SNAT rules process it after filtering and tagging rules.

      For PF this action is translated into tag. Supported only by compilers for iptables and PF.


      Fig.2 Example of a rule utilizing action Tag. To illustrate policy branches, this rule belongs to the branch with the name rule0_branch

    • Classify:  This action allows the firewall to define QoS class for the packet that matches the rule. It is translated into CLASSIFY for iptables, with parameter --set-class. For PF it is translated into queue; compiler for ipfw can use pipe, queue or divert depending on how the action is configured by the administrator in the GUI. This action is only supported by compilers for iptables, PF and ipfw.

    • Route:  This action makes the firewall to route the packet that matches the rule through an interface or a gateway specified in the parameters of the action. This action is translated into ROUTE target for iptables and route option for PF and ipfilter. Compilers for PF and ipfilter support fastroute, route-to, reply-to and dup-to options.


      Fig.3 Rules #0 and #1 tag packets entering the firewall through interfaces eth0 and eth2; rules #3 and #4 help route reply packets back through the same interfaces

    The GUI uses different names for the new actions depending on the target firewall platform to simplify adoption. For example, the new action that creates a branch in the rule set is called Chain for iptables firewalls and Anchor for PF firewalls.

  • Firewall object now has an attribute "inactive". Firewall marked as inactive will not be picked by the GUI for the bulk compile and install operations even if the timestamps indicate that this firewall object needs to be recompiled

Compiler for iptables

  • Support for address tables loaded from external files at compile or run time

  • Support for user defined chains with predefined names (using a special action)

  • Support for CLASSIFY, MARK, CONNMARK, QUEUE, ROUTE targets

  • Support for physdev module for bridging firewalls

  • additional optimization of rules in INPUT and OUTPUT chains: now removing the firewall object from src or dst to simplify a rule if it uses the OUTPUT or INPUT chain. Doing this only if the original rule did not have negation and we do not add any virtual addresses for NAT. After removal the rule collapses to a simple command like this:

        iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    this works fine except if we have added virtual addresses for NAT. It is assumed that firewall object in rules represents combination of addresses configured in its interfaces in the GUI. Virtual addresses added for NAT are considered to be a side effect and connections should not be implicitly permitted to them by a rule with fw object in destination. The same applies to fw object in source. See bug #685947 for discussion. To avoid inadvertently opening holes in the firewall by a rule like that, we remove fw object only when it is safe to do so.

  • support for modules connlimit and hashlimit. There is an option to generate commands for the latter module using name dstlimit because older versions of iptables included this module under this (now obsolete) name.
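An added Python example (not fwbuilder's own code) that models the AddressTable handling described in this release and the run-time table fixes listed for 2.1.9 (';' as a line comment, object names containing '.', empty lines in the data file): a compile-time table expands to one iptables command per address, while a run-time table becomes shell code that reads the file when the policy is activated. The sample file contents, the AT_ variable prefix and the exact shape of the generated shell loop are assumptions.

```python
import ipaddress
import re
from typing import List

# Constructed sample contents of an AddressTable file (not from the fwbuilder package).
SAMPLE_TABLE = """\
; blocked hosts and networks, one per line; ';' starts a comment
192.0.2.10
198.51.100.0/24      ; trailing comments are allowed too

203.0.113.7
"""


def parse_address_table(text: str) -> List[str]:
    """Return the address entries of an AddressTable file.

    ';' starts a line comment and empty lines are skipped.  Each entry is
    validated as an IPv4 address or network so that a malformed line is
    reported instead of being copied into iptables commands.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        try:
            ipaddress.IPv4Network(line, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not an address or network") from exc
        entries.append(line)
    return entries


def compile_time_rules(table_text: str, template: str) -> List[str]:
    """Compile-time table: expand to one iptables command per address."""
    return [template.format(addr=addr) for addr in parse_address_table(table_text)]


def shell_variable_name(table_name: str) -> str:
    """Map an AddressTable object name to a safe shell variable name.

    Characters with special meaning in the shell (bug #1632054 reported '.')
    are replaced with '_'.  The AT_ prefix is an assumption; it also keeps a
    name that starts with a digit valid.
    """
    return "AT_" + re.sub(r"[^A-Za-z0-9_]", "_", table_name)


def runtime_script(table_name: str, file_name: str, template: str) -> str:
    """Run-time table: shell code that reads the file when the policy is activated.

    Modelled on, not copied from, the script fwbuilder generates: comments and
    blank lines are stripped with sed and the iptables command is run once per
    remaining entry; word splitting of the unquoted variable yields one
    address per iteration.
    """
    var = shell_variable_name(table_name)
    return "\n".join([
        f"# run-time AddressTable '{table_name}' loaded from {file_name}",
        f"{var}=$(sed -e 's/;.*//' -e '/^[[:space:]]*$/d' '{file_name}')",
        f"for addr in ${var}; do",
        "    " + template.format(addr="$addr"),
        "done",
    ])


if __name__ == "__main__":
    rule = "$IPTABLES -A INPUT -s {addr} -j DROP"
    print("\n".join(compile_time_rules(SAMPLE_TABLE, rule)))
    print(runtime_script("blocked.hosts", "/etc/fw/blocked.txt", rule))
```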

Compiler for PF

  • Support for load balancing rules
  • Support for tag and route options
  • Support for address ranges and network objects in TSrc in NAT rules
  • Support for pool types in NAT rules ('bitmask', 'random', 'source-hash', 'round-robin'), as well as 'static-port' option.
  • Support for anchors (by way of a special action)
  • Support for tables with predefined names (using AddressTable object)
  • Support for packet 'tagging' (by way of a special action and service object TagService)

Compiler for ipfilter

  • Support for PPTP and IRC proxies
  • Support for route option

API

  • internal object ID is augmented with the process ID of the program that creates an object. This allows fwbedit to quickly create objects and still ensure their IDs are unique

fwbedit

Fwbedit can now create objects and repair broken object database. This tool can now be used to populate object database using shell scripts or other automation. For example, to create an address object in object library 'Test' one could run it like this:

fwbedit -f filename.fwb -t IPv4 -n newAddress -L Test -o 192.0.2.1
       Firewall Builder:  general purpose object tree editing tool
       Version 2.1.5-b
       Usage: fwbedit21 -f filename.fwb -u [-a obj,grp] [-r obj,grp] [-d obj] [-s] [-l path] [(-p parent|-L library) -t objtype -n objname [-o object attributes]] 

       -t objtype : create an object of this type
       -L library : specify library when creating a new object
       -p obj     : specify parent object when creating a new object
       -n name    : specify a name of the new object
       -o attribute1[,attribute2...]  :  specify attributes when creating a new object
       -a obj,grp :  create reference to object 'obj' in the group 'grp'
       -r obj,grp :  remove reference to object 'obj' from the group 'grp'
       -d obj     :  delete object 'obj' and remove references to it from
       all rules and groups
       -l path    :  print list of objects for 'path'
       -s         :  test and repair object tree structure
       -u         : autoupgrade of file

       An object and a group can be defined by their ID or 
       by the full path and name in the XML tree

       Object creation syntax:

       -t Firewall -n obj_name -L User -o platform, host OS
       -t IPv4 -n obj_name -L User -o IP address
       -t DNSName -n obj_name -L User -o DNS record,run time
       -t AddressRange -n obj_name -L User -o start address, end address
       -t ObjectGroup
       -t Network -n obj_name -L User -o address,netmask
       -t Interval -n obj_name -L User -o start time,start date,start day,end time, end date, end day
       -t Interface -n obj_name -L User -o security level,address type (dynamic or unnumbered),management
       -t Host
       -t TCPService -n obj_name -L User -o source port range start,end,Destination port range start,end,UAPRSF,UAPRSF
       -t UDPService -n obj_name -L User -o source port range start,end,Destination port range start,end
       -t ICMPService -n obj_name -L User -o ICMP type,ICMP code
       -t IPService -n obj_name -L User -o protocol number,lsrr/ssrr/rr/ts/fragm/short_fragm 

Copyright © 2000-2008 NetCitadel, LLC. All rights reserved.