                         Firewall Builder Release Notes

Version 2.1.16

   Released 12/20/2007
   GUI and compilers v2.1.16 require API library libfwbuilder version 2.1.16

Summary

   An unfortunate bug introduced in 2.1.15, which broke the generated firewall
   script for iptables when the option "use iptables-restore" was on, is fixed
   in this release. Additional checks were added to the generated script for
   iptables to improve error detection and make sure the GUI properly detects
   when the script terminates with an error. Support for load balancing with
   PF was also added.

   For those who wish to build from source, instructions are outlined in the
   document "Install and Build instructions" on our web site.

   The GUI code is frozen for the QT4 conversion. I will fix bugs in the
   policy compilers but will try to avoid changes in the GUI. The new GUI
   based on QT4 will be released next spring, when KDE4 is included in all
   major Linux distributions and FreeBSD. There will be bugfix releases for
   v2.1 if necessary.

Improvements and bug fixes in the GUI

     * patch #1849500: "tooltip patch for tcpservicedialog_q.ui". Additional
       tooltips in the TCP Service dialog explain the function of the TCP
       flag masks and settings.
     * fixed bug #1850346: "GUI has 2 views on which actions should be
       stateless". Even though the GUI made rules with action Route stateful
       by default, the code that determined whether the combination of
       options of a given policy rule was the default assumed these rules
       should be stateless.
     * applied patch #1850368: 'PF 3.7 has support for "set skip on"'. Patch
       by tomjudge@users.sourceforge.net extends support for the "set skip
       on" option to pf 3.7.
     * fixed bug #1850352: "Install script wrongly completes successful".
       Added more checks to the installer scriptlet to make it terminate
       with a non-zero exit code if iptables-restore returned an error.
       Previously an "echo" at the end of the generated script masked the
       error code returned by iptables-restore and made the GUI report a
       successful install even when the script had terminated with an error.
       Also added a test for the presence of pkill on the system so that the
       script does not try to run it if it is not available.

Improvements and bug fixes in the policy importer for iptables

     * fixed bug #1849328: "iptables restore unusable in 2.1.15". This bug
       was introduced by the change for bug #1812295. If the option "use
       iptables-restore to activate policy" is on, we always generate a
       script that prints the iptables commands using echo and sends them to
       the input of iptables-restore via a pipe.
     * fixed bug 1848204: "ULOG-Setting ignored for invalid packets", applied
       patch #1848609 provided by the reporter. The code that matched and
       logged packets in state INVALID always used target LOG, which was a
       problem for iptables installations that only come with target ULOG.
     * applied patch 1835308: 'Patch for adding "-q" option to fwb_ipt'.
       Option "-q" suppresses the timestamp that is normally included in the
       generated script. This way, if no objects or rules changed in
       Firewall Builder, the generated script will be exactly the same.
       Timestamps made the generated script differ even if nothing really
       changed in the objects, which made external version control systems
       detect changes when there were none.
     * bug #1850352: "Install script wrongly completes successful". The exit
       status of iptables-restore is now stored so that the generated
       firewall script can return the same status after it executes the
       commands that set kernel parameters and runs the user-defined epilog
       code.
     * fixed bug #1851166: "Installscript does not test for destination ip
       address". The problem affected the specific case of a firewall with
       two (or more) interfaces that get their addresses dynamically and a
       policy rule that has one such interface in the source and another in
       the destination. The generated iptables script retrieves the actual
       addresses of both interfaces and assigns them to variables, then uses
       these variables in the actual iptables rules. A special check is
       provided in case some interface did not obtain any IP address at the
       time the script runs. Previously this test was only done for one
       dynamic interface per rule. This change makes the script check both.
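   The following POSIX shell script is an added example and not Firewall
   Builder's own generated script (whose exact text these notes do not
   reproduce). It models the three behaviours of the iptables activation
   script discussed in this section and in the GUI section above: resolving
   the addresses of two dynamic interfaces and skipping the rule when either
   one has no address, piping the rules into iptables-restore, and returning
   the exit status of iptables-restore after the kernel-parameter and epilog
   steps instead of letting a trailing "echo" mask it. The functions getaddr
   and fake_iptables_restore are constructed stand-ins for the real address
   lookup and the real iptables-restore binary, so the script runs without
   root; the interface names, addresses and rule text are constructed too.

```shell
#!/bin/sh
# Added example, not Firewall Builder's generated code. Stand-ins replace the
# address lookup and iptables-restore so that this runs on any machine.

# Constructed stand-in for the interface address lookup. eth1 deliberately
# has no address, modelling a DHCP interface that has not obtained a lease.
getaddr() {
    case "$1" in
        eth0)  echo "192.0.2.10" ;;
        wlan0) echo "198.51.100.7" ;;
        *)     echo "" ;;
    esac
}

# Emit one FORWARD rule between two dynamic interfaces. Both addresses are
# checked (not only the source); an empty one skips the rule with status 1.
build_rule() {
    i_src=$(getaddr "$1")
    i_dst=$(getaddr "$2")
    for pair in "$1:$i_src" "$2:$i_dst"; do
        if [ -z "${pair#*:}" ]; then
            echo "Interface ${pair%%:*} has no IP address, rule skipped" >&2
            return 1
        fi
    done
    echo "-A FORWARD -s $i_src -d $i_dst -j ACCEPT"
}

# Constructed stand-in for iptables-restore: fails if the input contains the
# marker BAD_RULE, succeeds otherwise. Reads the rule set from stdin.
fake_iptables_restore() {
    if grep -q 'BAD_RULE'; then
        echo "iptables-restore: line 3 failed" >&2
        return 1
    fi
}

set_kernel_params() { :; }   # real script: echo 1 > /proc/sys/net/ipv4/ip_forward
run_epilog()        { :; }   # user-defined epilog code, empty here

# Pre-2.1.16 shape: the trailing echo is the last command, so the function
# returns 0 even when iptables-restore failed.
activate_buggy() {
    printf '%s\n' "$1" | fake_iptables_restore
    echo "Activating firewall: done"
}

# 2.1.16 shape: store the status of iptables-restore, run the remaining
# steps, then return the stored status so the GUI sees the failure.
activate_fixed() {
    if printf '%s\n' "$1" | fake_iptables_restore; then
        RESTORE_STATUS=0
    else
        RESTORE_STATUS=$?
    fi
    set_kernel_params
    run_epilog
    echo "Activating firewall: done"
    return "$RESTORE_STATUS"
}

# Only call pkill when it exists; otherwise skip instead of failing.
kill_if_available() {
    if command -v pkill >/dev/null 2>&1; then
        pkill -f "$1" 2>/dev/null || true
    else
        echo "pkill not found, skipping cleanup of $1" >&2
    fi
}

# Constructed rule sets in iptables-restore format.
GOOD_RULES="*filter
:FORWARD DROP [0:0]
$(build_rule eth0 wlan0)
COMMIT"
BAD_RULES='*filter
:FORWARD DROP [0:0]
BAD_RULE
COMMIT'

# Run a function and print its exit status without aborting under set -e.
report() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then echo "$label -> status 0"; else echo "$label -> status $?"; fi
}

build_rule eth0 eth1 || echo "rule between eth0 and eth1 skipped, status $?"
report "buggy script, bad rules" activate_buggy "$BAD_RULES"
report "fixed script, bad rules" activate_fixed "$BAD_RULES"
report "fixed script, good rules" activate_fixed "$GOOD_RULES"
```

   Run it with sh; the buggy variant reports status 0 for a rule set that
   iptables-restore rejected, the fixed variant reports status 1, and the
   rule between eth0 and eth1 is skipped because eth1 has no address.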

Improvements and bug fixes in the policy importer for PF

     * applied patch #1850368: 'PF 3.7 has support for "set skip on"'. Patch
       by tomjudge@users.sourceforge.net extends support for the "set skip
       on" option to pf 3.7.
     * applied patch #1850357: "Add support for load balancing with pf to
       PolicyRule::Route" by Tom Judge (tomjudge@users.sourceforge.net) that
       adds support for load balancing rules in PF. Extended the patch by
       adding support for the address/netmask format of the next hop. Added
       checks for illegal IP addresses and netmasks in the next hop.
