                         Firewall Builder Release Notes

Version 2.0.8

   Released 07/08/2005
   GUI and compilers v2.0.8 require API library libfwbuilder version 2.0.8

Summary

   This is a bug fix release.

   For those who wish to build from source, instructions are outlined in the
   document "Install and Build instructions" on our web site.

What's new

     * Improvements in the GUI

          * Included updated German translation by Hans Peter Dittler
            <hpdittler at braintec-consult.de>
          * Implemented Feature Request #1145666: "Print RCS Log". The
            File/Properties dialog can now print the RCS log. Thanks to
            "Ilya V. Yalovoy" <yalovoy@pilot.aip.mk.ua> for the patch.
          * Some code changes were made to make the code compile and work on
            Solaris. In particular, tests and emulation for the forkpty and
            cfmakeraw functions were added. Currently this still remains
            largely untested.

     * Improvements in policy compilers for pf, ipf, ipfw

          * Implemented support for subnets for backup ssh access for
            pf, ipf and ipfw. A subnet can be defined using either a full
            netmask or a bit length: both "192.168.1.0/255.255.255.0" and
            "192.168.1.0/24" are acceptable. A single host address works
            too, both as "192.168.1.10" and as
            "192.168.1.10/255.255.255.255" or "192.168.1.10/32". An
            incorrect address or netmask causes the compiler to abort
            processing.

     * Improvements in compiler for ipfw

          * Using rule sets to atomically swap old and new rules. New rules
            are loaded into set 1 and then swapped into set 0. If there is
            an error in a new rule set, it is caught while loading rules into
            inactive set 1, at which point the script stops without changing
            the old firewall rules.
          * Added an "established" rule on top of the regular backup ssh
            access rule; this keeps the management ssh session alive after
            the policy is reloaded. Both "ipfw -f" and swapping sets flush
            all states, so the ssh session used to upload and activate the
            new policy breaks. A rule with the "established" keyword
            maintains this session.

     ----------------------------------------------------------------------

Bugs fixed in the Standard Objects library:

     * bug #210518: 'Incorrect ending day in the standard object "weekends"'.
       This object defined a time interval ending at 23:59 on Monday instead
       of Sunday.

Bugs fixed in scripts and tools:

     * bug #1200902: "fwb_compile_all does not work in 2.0". The script
       fwb_compile_all broke because of changes in the data file format.
Bugs fixed in GUI:

     * bug #1072842: "fwbuilder: Solaris and forkpty". We need forkpty for
       the built-in installer but this function is not available on Solaris.
       I am adding a re-implementation, but it hasn't been tested since I do
       not have a Solaris machine.
     * bug #1201406: "shutdown messages should be suppressed". The
       installation scriptlet tries to kill the shutdown process, if there is
       one, to cancel a pending shutdown that might have been left over from
       a test install. If there is none, the script prints an error message
       "shutdown process not found" or similar, which confuses the user.
       These error messages needed to be suppressed.
     * bug #1204067: "incorrect timezone handling in RCS". The Windows
       version of RCS incorrectly converts the check-in time when the time
       zone is east of GMT. This caused the GUI to show an incorrect check-in
       time for files in the "Open File" dialog if the program was running in
       a locale east of GMT, for instance in Japan.
     * bug #1207983: "incorrect size of "I" and "L" buttons in the group view
       dialog". Tested with large font and cleaned up layout in many dialogs.
     * bug #1212121: "sudo shutdown doesn't work".
     * bug #1212123: "executing file below /tmp as root". The installer now
       avoids the world-writable directory /tmp/ while activating a policy in
       test mode. This change makes the installer use the subdirectory "tmp"
       under the directory specified in the "installer" tab of the firewall
       settings dialog. That directory is expected to have proper
       permissions; the subdirectory "tmp" can be created manually, otherwise
       the installer creates it. Either way, it is not world-writable,
       therefore unauthorized users cannot create scripts in it.
     * bug #1212179: "tool tips for TCP services cuts off some services". The
       GUI would show a very long tooltip for large groups; if the group was
       too large, the tooltip did not fit on the screen.
     * bug #1213361: "PF on FreeBSD-5.4R". The bug description is misleading;
       the problem was caused by the built-in installer rather than by the
       compiler for PF. The installer would not copy the generated script
       over ssh if the script was longer than some threshold and the GUI was
       running on FreeBSD.
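
The staging-directory change described for bug #1212123, as an added example that is not the Firewall Builder installer's own code. The function names are hypothetical, and the symlink, ownership and group-writable checks are assumptions that go beyond the "not world-writable" property stated above.

```shell
#!/bin/sh
# Added example, not the Firewall Builder installer: stage a policy script
# in a private "tmp" subdirectory instead of world-writable /tmp.

# Print the staging directory under installer directory $1, creating it with
# mode 0700 if it is missing. Fails if an existing one could be tampered with.
staging_dir() {
    base=$1
    dir=$base/tmp
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        mkdir -m 700 "$dir" || return 1
    fi
    # Refuse symlinks: the link target may be under someone else's control.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "$dir: not a real directory" >&2; return 1
    fi
    # The directory must belong to the invoking user ...
    if [ -z "$(find "$dir" -prune -user "$(id -u)")" ]; then
        echo "$dir: wrong owner" >&2; return 1
    fi
    # ... and must not be writable by group or others.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "$dir: group- or world-writable" >&2; return 1
    fi
    printf '%s\n' "$dir"
}

# Copy script $2 into the staging directory under $1 with mode 0700 and
# print the path of the staged copy, which is the file to execute.
stage_script() {
    dir=$(staging_dir "$1") || return 1
    dest=$dir/$(basename "$2")
    ( umask 077 && cp "$2" "$dest" ) || return 1
    chmod 700 "$dest" || return 1
    printf '%s\n' "$dest"
}
```
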

Bugs fixed in policy compiler for iptables:

     * bug #191423: "Weekend Time restriction not created correctly". Rules
       with a time restriction spanning from Saturday to Sunday were
       generated with an incorrect "--day" option.
     * bug #1205665: "Error with summer time when compiling script".
       Sometimes the timezone name has "'" in it, which confuses the shell
       and causes an error when the generated script prints the "Activating
       firewall policy..." log message.
     * bug #1215279: "rate limiting rule logs everything". A rule utilizing
       the "limit" module to rate limit packets with logging logged every
       packet and dropped those that exceeded the limit. The fix makes it
       apply the limit first and then log only packets that were dropped.

Bugs fixed in policy compiler for ipfw:

     * bug #1155351: "Remote install of FW rulset fails due to race
       condition". The generated ipfw firewall script could not be run
       reliably over an ssh session because "ipfw -f" flushes all rules and
       all state, which breaks the ssh session. As soon as the script needed
       to print anything, it got an I/O error from the system because the TCP
       session for ssh was blocked; this stopped the script and did not let
       it activate the new firewall policy. Using rule sets and an
       "established" rule for the backup ssh access solved the problem.
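
The rule-set swap and the "established" backup ssh rule described under "Improvements in compiler for ipfw" and in bug #1155351, as an added example that is not script text generated by Firewall Builder. The IPFW and MGMT_NET variables, the function names, the rule numbering and the rules-file format (one rule body per line) are assumptions.

```shell
#!/bin/sh
# Added example, not Firewall Builder output: staged ipfw reload via rule sets.
# IPFW can point at a stub for dry runs; MGMT_NET is a constructed subnet.
IPFW=${IPFW:-ipfw}
MGMT_NET=${MGMT_NET:-192.168.1.0/24}

# Load candidate rules into inactive set 1. Each line of file $1 is a rule
# body without the "add N set 1" prefix. Stops at the first rejected rule.
stage_rules() {
    $IPFW -q delete set 1 2>/dev/null || true   # leftovers of a failed run
    $IPFW -q set disable 1 || return 1
    n=10
    # Backup ssh access: keep the session that is uploading this policy ...
    $IPFW -q add $n set 1 allow tcp from "$MGMT_NET" to me 22 established || return 1
    n=$((n + 10))
    $IPFW -q add $n set 1 allow tcp from me 22 to "$MGMT_NET" established || return 1
    n=$((n + 10))
    # ... and admit new ssh connections from the management subnet.
    $IPFW -q add $n set 1 allow tcp from "$MGMT_NET" to me 22 setup || return 1
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        n=$((n + 10))
        # Unquoted on purpose: the rule body must split into ipfw words.
        $IPFW -q add $n set 1 $rule || return 1
    done < "$1"
}

# Swap the staged set into place only if every rule loaded; on failure the
# running rules in set 0 are left exactly as they were.
reload_policy() {
    if ! stage_rules "$1"; then
        $IPFW -q delete set 1 2>/dev/null || true
        echo "staging failed, active policy unchanged" >&2
        return 1
    fi
    $IPFW -q set swap 0 1 || return 1   # new rules become the active set 0
    $IPFW -q delete set 1               # old rules now sit in disabled set 1
}
```

Calling `reload_policy` with IPFW set to a stub that only records its arguments shows the command sequence without touching a running firewall.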
