Firewall Builder News

March 05, 2008 > Firewall Builder policy compilers for Cisco IOS ACL and PIX are now under GPL
The code has been released under the GPL and merged into the main fwbuilder tree. These two compilers will be included in the next release of Firewall Builder (v2.1.18).
Enjoy!

February 20, 2008 > Firewall Builder 2.1.17
This is a bug-fix release. It improves stability of the policy importer on 64-bit platforms, supports import of iptables policies that use the TCPMSS target, fixes problems with the built-in RCS on Windows when the user does not have administrator rights, and comes with a nearly 100% complete Brazilian Portuguese translation.

December 20, 2007 > Firewall Builder 2.1.16
A bug introduced in 2.1.15 that broke the generated iptables firewall script when the option "use iptables-restore" was on is fixed in this release. Additional checks were added to the generated iptables script to improve error detection and make sure the GUI properly detects when the script terminates with an error. Support for load balancing with PF was also added.

December 10, 2007 > Firewall Builder 2.1.15
This is another bugfix release. Several problems with the policy installer running in batch mode have been fixed, and this release also resolves compatibility issues with Windows Vista and Mac OS X Leopard.
See full Release Notes and ChangeLog

September 09, 2007 > Firewall Builder 2.1.14
This is another bugfix release; it comes with numerous improvements in the iptables policy importer and fixes for gcc 4.2 and 4.3.
See full Release Notes and ChangeLog

July 22, 2007 > Firewall Builder 2.1.13
This is a bugfix release; its main focus is better support for the new features available in PF in OpenBSD 4.1 and improvements in the built-in policy installer.
See full Release Notes and ChangeLog

June 23, 2007 > Firewall Builder 2.1.12
Major new features in this release include support for Cisco router access lists and the ability to import an existing firewall policy. Currently the policy importer can parse an iptables configuration from a file created by the iptables-save utility and a Cisco router configuration saved using "show run" or a similar command. Numerous bug fixes also come with this version. Ubuntu 7.04 .deb packages are included for the first time.

June 05, 2007 > Iptables import in v2.1.12
It is now possible to import an existing iptables script into Firewall Builder. The importer is in Tools -> Discovery Druid; it takes a file created by the iptables-save utility and creates a firewall object with interfaces, policy rules and NAT rules.

This was one of the most requested features on the list for a very long time. If you have that one last iptables firewall which you never had time to convert to Firewall Builder, please try it and let me know how it went. You'll need v2.1.12 build 282 or newer.

Here are the contents of the README.policy_import file:

Policy import of iptables configurations (v2.1.12, build 281 and later)

Features implemented in this version:

  • The importer can parse an iptables config saved using the iptables-save utility. Because of the huge variety of iptables modules, the importer can only interpret basic iptables configuration and a subset of modules. Currently the following modules are supported:
    • state
    • multiport
    • limit
    • mark
  • The importer creates a firewall object with all interfaces. It cannot assign a name to the firewall object nor add IP and MAC addresses to interfaces, because this information is not present in the iptables-save file.
  • The option "Assume firewall is part of 'any'" is off in the created firewall object. Import is done this way in order to preserve the logic of the chains INPUT, OUTPUT and FORWARD in the recreated fwbuilder rules. Rules that had chain INPUT in the imported script will have the firewall object in "Destination" in the corresponding fwbuilder rules. The firewall object is placed in "Source" for rules with chain OUTPUT. For rules with chain FORWARD, the rule elements "Source" and "Destination" are populated with objects created from the "-s" and "-d" options of the original rules, or left empty ("any").
  • All recognized iptables rules are imported, and interface and direction are set appropriately in all rules. Interface objects are created as the parser finds them in the script.
  • Targets ACCEPT, DROP, REJECT, MARK and others are converted to the corresponding fwbuilder policy rule actions. Unrecognized targets are converted to branching rules, where the name of the target becomes the name of the branch.
  • SNAT, DNAT, MASQUERADE, REDIRECT and NETMAP targets and their parameters are recognized in the NAT rules.
  • Address and service objects are created in the process for all addresses and ports used in all rules.
  • iptables rules can refer to tcp/udp ports either by name or by number. The importer can interpret both formats, using the system function getservbyname() to convert a service name to a port number. Since the result of this function depends on the OS, some port names may not convert on some systems. For example, Windows can convert a more limited set of service names than Linux or BSD.
  • Targets LOG and ULOG are converted to the "logging" option in fwbuilder rules with action "Continue". This is an empty action that does not affect packet flow through the firewall but can be used in combination with the "logging" option to log the packet. If such an empty (logging-only) rule is undesired, it must be manually merged with some other rule in the policy.
  • The "--log-prefix" and "--log-level" options of the LOG target are recognized.
  • The "--ulog-prefix" option of the ULOG target is recognized. Other options of the ULOG target are not.
  • Address and service objects are reused in the process of import.
  • In case the importer fails to parse some part of the iptables-save file, the corresponding policy rule is colored red and an appropriate diagnostic message is added to its comment. The problem must be corrected manually.
  • Comments ("#") found inside access lists are ignored.

Shortcomings of this version:

  • user-defined chains in table "nat" are not supported
  • no import of time intervals
  • no MAC address matching import
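The chain-to-rule-element mapping, target conversion and port-name lookup described in the README above, as an added illustration that is not fwbuilder's own importer code. It assumes a plain dict per rule, the string "firewall" standing in for the firewall object, a constructed iptables-save excerpt, and the inbound direction on the "-i" interface for FORWARD rules.

```python
import re
import socket
# Constructed iptables-save excerpt (not from the page) exercising the mappings above.
SAMPLE = """\
-A INPUT -i eth0 -p tcp -m tcp --dport ssh -j ACCEPT
-A FORWARD -i eth0 -o eth1 -s 192.0.2.10 -d 198.51.100.5 -p tcp --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -j LOG --log-prefix "dropped: "
-A INPUT -i eth0 -j my_chain
COMMIT
"""
ACTIONS = {"ACCEPT", "DROP", "REJECT", "MARK"}  # map 1:1 to fwbuilder rule actions
OPTS = {"-i": "iface_in", "-o": "iface_out", "-s": "src", "-d": "dst",
        "-p": "proto", "--dport": "dport", "--log-prefix": "log_prefix"}

def port_number(name_or_num, proto):
    try:  # names resolve via getservbyname(), so the result is OS dependent
        return int(name_or_num) if name_or_num.isdigit() else socket.getservbyname(name_or_num, proto)
    except OSError:
        return None  # unknown service name on this OS: the rule would be flagged

def import_rule(line):
    toks = re.findall(r'"[^"]*"|\S+', line)  # keep a quoted --log-prefix whole
    if not toks or toks[0] != "-A":
        return None  # table and chain headers and COMMIT carry no rule
    opts = {}
    for i, key in enumerate(toks):
        if key in OPTS or key == "-j":
            opts[OPTS.get(key, "target")] = toks[i + 1].strip('"')  # "-m tcp" etc. ignored
    chain, rule = toks[1], {"chain": toks[1], "src": "any", "dst": "any", "logging": False, "branch": None}
    if chain == "INPUT":     # "Assume firewall is part of 'any'" is off: firewall goes into Destination
        rule.update(dst="firewall", interface=opts.get("iface_in"), direction="inbound")
    elif chain == "OUTPUT":  # firewall object goes into Source
        rule.update(src="firewall", interface=opts.get("iface_out"), direction="outbound")
    else:                    # FORWARD: -s/-d fill Source/Destination, else they stay "any"
        rule.update(src=opts.get("src", "any"), dst=opts.get("dst", "any"),
                    interface=opts.get("iface_in"), direction="inbound")  # assumption
    target = opts.get("target")
    if target in ("LOG", "ULOG"):  # logging-only rule: action Continue with logging on
        rule.update(action="Continue", logging=True, log_prefix=opts.get("log_prefix"))
    elif target in ACTIONS:
        rule["action"] = target
    else:                          # unrecognized target becomes a branch rule
        rule.update(action="Branch", branch=target)
    if "dport" in opts:
        rule["service"] = (opts.get("proto"), port_number(opts["dport"], opts.get("proto", "tcp")))
    return rule

def import_policy(text):
    return [r for r in map(import_rule, text.splitlines()) if r]
```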

Copyright © 2000-2008 NetCitadel, LLC. All rights reserved.