2015-03-10 Sirius Bakke <>
* Version 5.3.6
* Several bugfixes for Junos, including rollback on syntax error,
correct netmask for host objects and ssh password prompt lock-up
2014-09-24 Sirius Bakke <>
* Version 5.3.0
* Support for Junos Access lists
* Show release notes for previous releases
2013-08-10 Sirius Bakke <>
* Version 5.2.0
* Search for objects by port number or ip address
* View graphical diff and autocompile firewall when loading file
* Support for Cisco NXOS Access lists
* Added support for dummy objects in rules
* Port to Qt5
* New build script for OSX
* Added build instructions for Windows
2012-03-21 Vadim Kurland <>
* running autoconf, configure as part of windows build. Merged
qmake .pro and .inc files for Windows, Mac and Linux builds. Moved
files needed for Windows and Mac packaging to the "packaging"
2012-03-19 Vadim Kurland <>
* version 5.1.0
* switching to GPL for Mac OS X and Windows.
2012-03-18 Vadim Kurland <>
* CompilerDriver.cpp (CompilerDriver::populateClusterElements):
fixes #2686 "automatic rules for heartbeat are not generated for
vlan subinterfaces"
* clusterMembersDialog.cpp (clusterMembersDialog::clusterMembersDialog):
fixes #2685 "Clicking "Manage Members" in a vlan subinterface of a
cluster causes crash".
2012-02-20 Vadim Kurland <>
* configlets/linux24/routing_functions (OLD_ROUTES): fixes SF bug
3489096 "dd-wrt-jffs: all routes are deleted if there is an
error". The problem affects all supported Linux-like
systems. Shell code that restores old static routing table entries
in case of an error with commands adding new routing entries was
broken and left the machine with no routes at all.
* configlets/linux24/routing_functions: using mktemp to create
temporary directory. If mktemp is not available, fall back onto a
less secure but guaranteed-to-work method where I generate a
randomized name for the temporary directory using the process ID.
* OSConfigurator_linux24_interfaces.cpp (printInterfaceConfigurationCommands):
fixes #2684 "fix address deletion in configlet update_addresses".
This only applies to Linux firewalls and configurations where an
interface has two or more ip addresses. If user deleted one of the
addresses that happens to be the "primary" address of the
interface in the GUI, generated script deleted both addresses on
the firewall machine instead of just one and left interface with
no addresses at all. The fix is to use /proc variable
/proc/sys/net/ipv4/conf/all/promote_secondaries that makes the
kernel "promote" secondary address to a "primary" status when
primary address is deleted. Default behavior in Linux kernel is to
delete all addresses when primary address is deleted.
2012-02-13 Vadim Kurland <>
* (QMAKE_CXXFLAGS_DEBUG): fix for SF bug #3468802.
Need to define macro __STDC_FORMAT_MACROS. This still needs to be
tested on all build machines.
build 3594
2012-01-02 Vadim Kurland <>
* PolicyCompiler_ipt.cpp (specialCaseAddressRangeInRE::processNext):
fixed SF bug #3468358 "change in rule-compilation between 5.0.0
and 5.0.1". Rule with cluster interface in "Destination"
should compile into matching ip addresses assigned to the cluster
interface object and corresponding member firewall's interface
object, but in v5.0.1 it only matched member interface
address. This bug triggered when iptables version was set to
1.2.11 or greater. This was a regression from v5.0.0
2011-12-23 Vadim Kurland <>
* v5.0.1 released
2011-12-07 Vadim Kurland <>
* pix.g (nat_command_last_parameters): fixes #2678 Policy importer
for PIX/ASA could not parse nat command with parameter "outside"
* PIXImporterNat.cpp (PIXImporter::buildNoNATRule): fixes #2679
Policy importer for PIX/ASA could not import "nat exemption" rule
(for example: "nat (inside) 0 access-list EXEMPT")
* pix.g (nat_addr_match): fixes #2677 Policy importer for PIX/ASA
could not parse command "nat (inside) 1 0 0"
* iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog):
fixed strings that should be translated; these strings
caused problems when translation was loaded at the run time.
2011-11-30 Vadim Kurland <>
* NATCompiler_pf.cpp (NATCompiler_pf::compile): fixes #2674
NAT compiler for PF crashed when AttachedNetworks object
was used in Translated Source of a NAT rule.
2011-11-28 Vadim Kurland <>
* NATCompiler_PrintRule.cpp (_printIpSetMatch): fixed SF bug
#3443609 Return of ID: 3059893": iptables "--set" option
deprecated". Need to use --match-set instead of --set if iptables
version is >= 1.4.4. The fix done for #3059893 was only in the
policy compiler but needs to be done in both policy and nat
* PolicyCompiler_PrintRule.cpp (_printDirectionAndInterface): more
fixes for SF bug #3439613. Adding "-i" / "-o" clause to match
parent bridge interface. This allows us to correctly match which
bridge the packet comes through in configurations using wildcard
bridge port interfaces. For example, when br0 and br1 have "vnet+"
bridge port interface, iptables can still correctly match which
bridge the packet went through using "-o br0" or "-o br1"
clause. This can be useful in installations with many bridged
interfaces that get created and destroyed dynamically, e.g. with
virtual machines. Note that the "-i br0" / "-o br0" clause is only
added when there is more than one bridge interface and bridge
port name ends with a wild card symbol "+"
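The choice between "--match-set" and "--set" above depends on comparing iptables versions numerically, not as strings. The following C++ is an added example, not fwbuilder's own code: parseVersion, versionAtLeast, ipsetMatchOption and ipsetMatchClause are hypothetical helper names, and the set name "blocked_hosts" in main is a constructed sample value. It shows the component-wise comparison and the clause it selects, including the 1.4.10-versus-1.4.4 case where a plain string comparison would pick the deprecated option.

```cpp
#include <algorithm>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical helpers (added example, not fwbuilder's own code).
// Split a version string such as "1.4.10" into numeric components.
// Only the leading digits of each component count, so "1.4.4-rc1"
// parses as {1, 4, 4}; a non-numeric component counts as 0.
std::vector<int> parseVersion(const std::string &version)
{
    std::vector<int> parts;
    std::stringstream in(version);
    std::string token;
    while (std::getline(in, token, '.')) {
        int n = 0;
        for (char c : token) {
            if (c < '0' || c > '9') break;
            n = n * 10 + (c - '0');
        }
        parts.push_back(n);
    }
    return parts;
}

// Component-wise numeric comparison. A plain string comparison would
// rank "1.4.10" below "1.4.4" because '1' < '4'; this does not.
// Missing trailing components are treated as 0, so "1.4" equals "1.4.0".
bool versionAtLeast(const std::string &have, const std::string &want)
{
    std::vector<int> a = parseVersion(have);
    std::vector<int> b = parseVersion(want);
    size_t n = std::max(a.size(), b.size());
    a.resize(n, 0);
    b.resize(n, 0);
    for (size_t i = 0; i < n; ++i) {
        if (a[i] != b[i]) return a[i] > b[i];
    }
    return true;
}

// Pick the ipset match option the way the entry above describes:
// "--set" is replaced by "--match-set" from iptables 1.4.4 on.
std::string ipsetMatchOption(const std::string &iptablesVersion)
{
    return versionAtLeast(iptablesVersion, "1.4.4") ? "--match-set" : "--set";
}

// Build the "-m set" clause for a rule; setName and flags ("src", "dst",
// "src,dst") are the caller's choice.
std::string ipsetMatchClause(const std::string &iptablesVersion,
                             const std::string &setName,
                             const std::string &flags)
{
    return "-m set " + ipsetMatchOption(iptablesVersion) + " " + setName + " " + flags;
}

int main()
{
    // Constructed sample versions; "blocked_hosts" is a made-up set name.
    for (const char *v : {"1.3.8", "1.4.3", "1.4.4", "1.4.10"})
        std::cout << v << ": " << ipsetMatchClause(v, "blocked_hosts", "src") << '\n';
    return 0;
}
```

Running it prints one clause per version; the two entries below 1.4.4 get "--set" and the rest "--match-set".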
2011-11-21 Vadim Kurland <>
* TableFactory.cpp (TableFactory::createTablesForRE): see #2671
Duplicate objects appear in PF table when option "preserve group
and addresses table object names" is in effect. This happened if
the same user-defined group was used in multiple rules or
different rule element of the same rule. In this case generated PF
table would have several copies of the same addresses.
* TableFactory.cpp (TableFactory::createTablesForRE): see #2672 PF
option "preserve group and addresses table object names" does not
work right when the same object is used in several different
groups. If the same object was a member of multiple groups and
these groups were used in the same or different rules of the same
PF firewall, compiler used all groups in all rules. This could
create match for objects that were not intended to be part of some
rules. This problem has been fixed. Note that configuration with
a combination of ipv4 and ipv6 objects as members of the same
user-defined group when group is used in mixed ipv4+ipv6 rule
set still does not work right. In this case compiler generates
table that exactly reflects configuration user created in the
GUI (i.e. includes both ipv4 and ipv6 addresses) and then uses
this table in both "inet" and "inet6" rules.
* PolicyCompiler_pf.cpp (createTables): With this fix, when option
"preserve group and addresses table object names" is in effect,
compiler for PF will create named tables for the user-defined
object group even if it contains just one object.
* PolicyCompiler_PrintRule.cpp (_printDirectionAndInterface): SF
bug #3439613. physdev module does not allow --physdev-out for
non-bridged traffic anymore. We should add --physdev-is-bridged to
make sure this matches only bridged packets.
2011-11-16 Vadim Kurland <>
* InetAddrMask.cpp (InetAddrMask::setNetworkAndBroadcastAddress):
fixed bug (no number) introduced when I was working on #2670.
Setting broadcast address in the network object with netmask /31
to broke rule shadowing algorithm.
2011-11-15 Vadim Kurland <>
* CustomServiceDialog.cpp (loadFWObject): fixes #2669 "Can't
inspect custom Service object in Standard objects library".
2011-11-10 Vadim Kurland <>
* configlets/linux24/check_utilities: fixes #2664 Update error
message when "which" command fails. Generated iptables script uses
"which" to check if all utilities it uses exist on the machine.
We should also check if "which" itself exists and issue meaningful
error message if not.
* IC_PlatformWarningPage.cpp (initializePage): fixes #2668 Remove
"static routes" from the explanation text in ASA/PIX import
dialog. We can not import PIX/ASA routing configuration at this
2011-11-08 Vadim Kurland <>
* InetAddrMask.cpp (setNetworkAndBroadcastAddress): see #2670. Per
RFC3021 network with netmask /31 has no network and direct
broadcast addresses.
* PolicyCompiler_ipt.cpp (specialCaseAddressRangeInRE): fixed bug
in the rule processor that replaces AddressRange object that
represents single address with an IPv4 object. Also eliminated
code redundancy.
* PolicyCompiler_ipt.cpp (splitIfDstMatchingAddressRange): fixes
#2663 "Rule with "old-broadcast" object results in invalid
iptables INPUT chain". Compiler was choosing chain INPUT with
direction "outbound" for rules that had old broadcast address in
"Source", this led to invalid iptables configuration with chain
INPUT and "-o eth0" interface match clause.
* ObjectMatcher.cpp (checkComplexMatchForSingleAddress): see #2663
Special handling of the "old broadcast" address. This
address ( should be treated just like when
we check if an address "matches" the firewall.
* RuleSetViewDelegate.cpp (sizeHint): fixes #2665 "Adding text to
comment causes rule to go from 2 rows to 1 row"
* ACL.cpp (ciscoACL::trimLine): fixed SF bug 3435004: "Empty lines
in comment result in "Incomplete Command" in IOS".
* CompilerDriver_pf_run.cpp (CompilerDriver_pf::run): fixed SF bug
#3429377 "PF: IPv6 rules are not added in IPv4/IPv6
ruleset (anchor)". Compiler for PF did not include rules generated
for IPv6 in generated PF anchor configuration files.
* CompilerDriver_pf_run.cpp (CompilerDriver_pf::run): fixed SF bug
3428992: "PF: rules order problem with IPv4 and IPv6". Compiler
for PF should group ipv4 and ipv6 NAT rules together, before it
generates ipv4 and ipv6 policy rules.
* BaseObjectDialog.cpp (connectSignalsOfAllWidgetsToSlotChange):
fixed SF bug #3433587 "Manual edit of new service Destination Port
END value fails". This bug made it impossible to edit the value of
the end of the port range because as soon as the value became less
than the value of the beginning the range, the GUI would reset it
to be equal to the value of the beginning of the range. This
affected both TCP and UDP service object dialogs.
* PolicyCompiler_ipfw_writers.cpp (PrintRule::_printAddr): fixed
SF bug #3426843 "ipfw doesn't work for self-reference, in version".
2011-10-19 Vadim Kurland <>
* PolicyCompiler_pix.cpp (AddressRangesIfTcpServiceToFW::processNext):
see #2662 "Crash when compiling ASA rule with IP range". Need to
split address range if it is used in "source" of a rule that
controls telnet, ssh or http to the firewall itself and firewall's
version is >= 8.3. Commands "ssh", "telnet" and "http" (those that
control access on the corresponding protocols to the firewall
itself) accept only ip address of a host or a network as their
argument. They do not accept address range, named object or object
group. This is so at least as of ASA 8.3. Since we expand address
ranges only for versions < 8.3 and use named object for 8.3 and
later, we need to make this additional check and still expand
address ranges in rules that will later convert to "ssh", "telnet"
or "http" command. Compiler also generates redundant object-group
statement with CIDR blocks generated from the address range but
does not use this group in the rule. This does not break generated
configuration but the object-group is redundant since it is never
used. This will be rectified in future versions.
* CompilerDriver_files.cpp (CompilerDriver::getOutputFileNameInternal):
fixed a bug (no number): if the file name user entered in "Output
file name" field in the "advanced settings" dialog of a firewall
object ended with a white space, policy installer failed with an error
"No such file or directory"
* build
2011-10-02 Vadim Kurland <>
* shell_functions: see SF bug #3416900 "Replace `command` with
`which`". Generated script (Linux/iptables) used to use "command
-v" to check if command line tools it needs are present on the
system. This was used to find iptables, lsmod, modprobe, ifconfig,
vconfig, logger and others. Some embedded Linux distributions,
notably TomatoUSB, come without support for "command". Switching to
"which" that is more ubiquitous and should be available pretty
much everywhere.
2011-09-29 Vadim Kurland <>
* SSHSession.cpp (startSession): enable fwbuilder to take
advantage of GSSAPIAuthentication with openssh using suggestion by
Matthias Witte
* PolicyCompiler_ipt.cpp (compile): fixes SF bug #3414382
"Segfault in fwb_ipt dealing with empty groups". Compiler for
iptables used to crash when an empty group was used in the
"Interface" column of a policy rule.
2011-09-24 Vadim Kurland <>
* NamedObjectsAndGroupsSupport.cpp (CreateObjectGroups::processNext):
fixes #2660 "compiler for IOSACL crashed when address range appears
in a rule AND object-group option is turned ON"
2011-09-19 Vadim Kurland <>
* PolicyCompiler_cisco_acls.cpp (setInterfaceAndDirectionBySrc):
see #2656 "Generated Cisco ASA access-list has duplicate entry".
* snmp.cpp (SNMPCrawler::run_impl): fixes #2658 "snmp network
discovery creates duplicate address and network objects"
* ND_ProgressPage.h (class ND_ProgressPage): see #2657 snmp
network discovery crashed if option "Confine scan to network" was
* iosInterfaces.cpp (iosInterfaces::basicValidateInterfaceName):
see #2655 Interface names are not allowed to have dash "-" even
with interface verification off. We should allow "-" in the
interface name for Cisco IOS
2011-09-04 Vadim Kurland <>
* IPTImporter.cpp (IPTImporter::isSupportedTable): see #2653
Importer for iptables checks that netfilter table used in
the original iptables config is one of the tables we support.
Currently only "filter", "mangle" and "nat" are supported. Also
see #2651, #2652
* FWObjectDatabase_tree_ops.cpp (_recursively_copy_subtree): see
#2654 fixes GUI crash that occurred if user copied a rule from file
A to file B, then closed file B, opened file C and tried to copy
the same rule from A to C
2011-08-30 Vadim Kurland <>
* fixes SF bug 3247094 "Nomenclature of IP address edit dialog".
Network ipv6 dialog says "Prefix length".
* linux24advanceddialog_q.ui: fixes SF bug 3302121 "cosmetic
mis-format in fwb Linux paths dialog"
* DNSNameDialog.cpp (applyChanges): fixes SF bug 3388055 Adding a
"DNS Name" with a trailing space causes failure.
2011-08-25 Vadim Kurland <>
* see #2646 and SF bug 3395658: Added a few ipv4 and ipv6 network
objects to the Standard objects library: TEST-NET-2,
TEST-NET-3 (RFC 5735, RFC 5737), translated-ipv4, mapped-ipv4,
Teredo, unique-local and a few others.
* ObjectManipulator.cpp (openLibForObject): fixes #2648 "right
mouse click on firewall object in "Deleted objects" library causes
GUI crash"
* PolicyCompiler_ipt.cpp (processNext): fixes #2650 "rules with
address range that includes firewall address in Src are placed in
OUTPUT chain even though addresses that do not match the firewall
should go in FORWARD"
2011-08-14 Vadim Kurland <>
* InetAddr.cpp (InetAddr::isValidV4Netmask): function
InetAddr::isValidV4Netmask() checks that netmask represented by
the object consists of a sequence of "1" bits, followed by the
sequence of "0" bits and therefore does not have zeroes in the
* NetworkDialog.cpp (NetworkDialog::validate): added check to make
sure user does not enter netmask with zeroes in the middle for the
IPv4 network object. Netmasks like that are not supported by
* RuleSetView.cpp (RuleSetView::addColumnRelatedMenu): fixes #2643
"GUI crashes when user cuts a rule, then right-mouse click in any
rule element of another"
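Two entries on this page describe address arithmetic that is easy to get subtly wrong: the 2011-11-08 InetAddrMask change (per RFC 3021 a /31 has no network or directed-broadcast address) and the InetAddr::isValidV4Netmask check above (a netmask must be a run of 1 bits followed by a run of 0 bits). The following C++ is an added example, not fwbuilder's InetAddr or InetAddrMask code: parseDottedQuad, toDottedQuad, isValidV4Netmask, prefixLength, validateNetmaskText, NetworkRange and describeNetwork are hypothetical helper names, and the 192.0.2.0/24 addresses in main are constructed sample input from the RFC 5737 documentation range. It rejects masks with zeroes in the middle and treats /31 and /32 as all-host blocks.

```cpp
#include <cstdint>
#include <iostream>
#include <optional>
#include <sstream>
#include <string>

// Hypothetical helpers (added example, not fwbuilder's InetAddr/InetAddrMask).
// Parse dotted-quad text into a host-order 32-bit value; nullopt if malformed.
std::optional<uint32_t> parseDottedQuad(const std::string &text)
{
    uint32_t value = 0;
    int octets = 0;
    std::istringstream in(text);
    std::string part;
    while (std::getline(in, part, '.')) {
        if (part.empty() || part.size() > 3 || ++octets > 4) return std::nullopt;
        for (char c : part) {
            if (c < '0' || c > '9') return std::nullopt;
        }
        int n = std::stoi(part);
        if (n > 255) return std::nullopt;
        value = (value << 8) | static_cast<uint32_t>(n);
    }
    if (octets != 4) return std::nullopt;
    return value;
}

std::string toDottedQuad(uint32_t v)
{
    return std::to_string(v >> 24) + "." + std::to_string((v >> 16) & 255) + "." +
           std::to_string((v >> 8) & 255) + "." + std::to_string(v & 255);
}

// A netmask is valid only if it is a run of 1 bits followed by a run of
// 0 bits. Complementing it gives 2^k - 1, and x & (x + 1) == 0 holds
// exactly for numbers of that form (the + 1 wraps to 0 for a /0 mask).
bool isValidV4Netmask(uint32_t mask)
{
    uint32_t inverted = ~mask;
    return (inverted & (inverted + 1u)) == 0;
}

// Count leading 1 bits; only meaningful when isValidV4Netmask(mask) holds.
int prefixLength(uint32_t mask)
{
    int n = 0;
    while (mask & 0x80000000u) {
        ++n;
        mask <<= 1;
    }
    return n;
}

// What a dialog-level validator does with user text: reject malformed
// quads and non-contiguous masks such as 255.255.0.255.
bool validateNetmaskText(const std::string &text)
{
    std::optional<uint32_t> mask = parseDottedQuad(text);
    return mask.has_value() && isValidV4Netmask(*mask);
}

struct NetworkRange {
    std::optional<uint32_t> network;   // absent for /31 and /32 (RFC 3021)
    std::optional<uint32_t> broadcast; // absent for /31 and /32
    uint32_t firstHost;
    uint32_t lastHost;
};

// Per RFC 3021 a /31 has no network or directed-broadcast address: both
// addresses are usable hosts. A /32 is a single host. For /30 and shorter
// the lowest address is the network and the highest is the broadcast.
NetworkRange describeNetwork(uint32_t addr, uint32_t mask)
{
    NetworkRange r{};
    uint32_t lowest = addr & mask;
    uint32_t highest = lowest | ~mask;
    if (prefixLength(mask) <= 30) {
        r.network = lowest;
        r.broadcast = highest;
        r.firstHost = lowest + 1;
        r.lastHost = highest - 1;
    } else {
        r.firstHost = lowest;
        r.lastHost = highest;
    }
    return r;
}

int main()
{
    // Constructed sample input: documentation range 192.0.2.0/24 (RFC 5737).
    for (const char *m : {"255.255.255.0", "255.255.255.254", "255.255.0.255"}) {
        std::cout << m << ": " << (validateNetmaskText(m) ? "valid" : "INVALID") << '\n';
        if (!validateNetmaskText(m)) continue;
        NetworkRange r = describeNetwork(*parseDottedQuad("192.0.2.0"), *parseDottedQuad(m));
        std::cout << "  network=" << (r.network ? toDottedQuad(*r.network) : "none")
                  << " broadcast=" << (r.broadcast ? toDottedQuad(*r.broadcast) : "none")
                  << " hosts=" << toDottedQuad(r.firstHost) << ".." << toDottedQuad(r.lastHost) << '\n';
    }
    return 0;
}
```

The /31 case is the one the rule shadowing entry above tripped over: if describeNetwork reported a broadcast address for it, the "broadcast" would be one of the two hosts, and a rule matching the network object would be treated as covering a different address set than it actually does.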
2011-08-11 Vadim Kurland <>
* freebsd/carp_interface: see #2638 "When CARP password is empty
the advskew value is not read". Should skip "pass <word>"
parameter of the ifconfig command that creates carp interface
if user did not set up any password.
* OSConfigurator_linux24_interfaces.cpp (validateInterfaces):
see #2639 "support for vlan subinterfaces of bridge interfaces
(e.g. br0.5)". Currently fwbuilder can not generate script to
configure vlan subinterfaces of bridge interfaces, however if user
did not request this configuration script to be generated,
compiler should not abort when it encounters this combination.
* InterfaceEditorWidget.cpp (validateAddress): fixes #2641
"newFirewall dialog does not accept ipv6 addresses with long
prefixes". The dialog did not allow ipv6 addresses of interfaces
with netmask > 64 bit.
* newFirewallDialog.cpp (cleanup): fixes #2642 "GUI crashes if
user cancels newFirewall dialog".
* RuleOptionsDialog.cpp (fillInterfaces): the drop-down list of
interfaces for the "route-through" rule option for PF and iptables
should include not only cluster interfaces, but also interfaces of
all members. This way, we can make compiler generate configuration
"pass in quick on em0 route-to { ( em0 ) } ... " for a
rule of a PF cluster. Here "em0" is an interface of a member, not
the cluster.
2011-08-08 Vadim Kurland <>
* configlets/freebsd/rc_conf_carp_interface: see #2636 "carp :
Incorrect output in rc.conf.local format". Should use
create_args_carp0 instead of ifconfig_carp0 to set up CARP
interface vhid, pass and advskew parameters.
2011-08-05 Vadim Kurland <>
* RuleElement.cpp (RuleElementItf::validateChild): see #2635
Object type AttachedNetworks is not allowed in the "interface"
rule element.
2011-08-03 Vadim Kurland <>
* newFirewallDialog_from_template.cpp (replaceReferencesToObject):
see #2628 fixed crash that happened if user created new firewall
object from a template and changed one of the ip addresses, while
another firewall object created from the same template already
existed in the tree.
2011-08-02 Vadim Kurland <>
* instDialog_ui_ops.cpp (instDialog::getInstOptions): moved "batch
install" button from the main installer wizard to the dialog where
user enters their password. Now user can start in a non-batch
install mode but continue in batch install mode at any time if all
their firewalls authenticate with the same user name and password.
2011-08-01 Vadim Kurland <>
* pix.g (static_command_common_last_parameters): changed token
name from "ESP" to "ESP_WORD" to avoid conflict with macro "ESP"
that happened during build on OpenSolaris
* unit_tests/ObjectMatcherTest/ObjectMatcherTest.cpp (matchTest):
fixed unit test (ObjectMatcher matches ipv6 only when internal
flag is set accordingly)
* VERSION: set version to 5.0.1
2011-07-28 vadim <>
* version 5.0.0. release
2011-07-22 vadim <>
* ObjectManipulator.h (QWidget): see #2622 "Remove Back and
Forward buttons". We have decided behavior of the GUI was too
complicated since user can both act on objects directly and
navigate backwards and forwards to the objects found in their
browsing history. Navigation using browsing history was broken
when quick filter was in use, too. All in all, it feels the value
of "back" and "forward" buttons was relatively low.
2011-07-21 vadim <>
* XMLTools.cpp (convert): see #2577 Updated error message that
appears when user tries to open .fwb file created by the future
version of fwbuilder.
* TextFileEditor.cpp (save): fixes #2567 "If file doesn't exist
when clicking 'edit file', then you have to hit save button twice".
The bug affected "edit file" function in the Address Table object
* NATCompiler_pf_writers.cpp (_printAddr): fixes #2590 "PF: NAT
compiler fails when run-time address table object is used in a
* RoutingCompiler.cpp (processNext): fixes #2565 "Run-time dns
name or address table in routing policy -> crash". Compiler for PF
crashed if user placed run-time DNSName object in "destination"
of a routing rule.
* RuleSetModel.cpp (initRule): see #2515 Expanded set of options
the user can change to pre-set parameters in the new policy rules
they create. Now user can set default values for action ("Deny" or
"Accept"), direction, the "stateless" flag and logging.
* FindObjectWidget.cpp (matchAttr): see #2516 "Enhance Find to
include searching for IP addresses in ranges". Function "find"
now finds ip addresses inside address ranges.
2011-07-20 vadim <>
* FWBTree.cpp (init_statics): see #2619 "Attempting to
copy-and-paste a tag service results in an error". Pasting of a
TagService object to the "Tag Services" group did not work.
* RuleSetView.cpp (itemDoubleClicked): fixes #2566, #2618 Fix for
the regression introduced when I worked on #2566 "Double-clicking
on rule when program first starts results in empty editor pane".
Double click on the rule number should not do anything, but double
click on rule options, comment and other fields should open the
editor. Change done for #2566 broke this.
2011-07-20 Vadim Kurland <>
* ObjectMatcher.cpp (dispatch): removed optimization in
dispatch(IPv4*,void*) and dispatch(IPv6*, void*) that assumed
address matches a host or a firewall if it is located somewhere in
the subtree rooted at the firewall object. This assumption fails
if the address is a child of a Variable that belongs to the
Variables folder of this firewall. Instead, always calling
checkComplexMatchForSingleAddress() which uses
Interface::findAllInterfaces() and therefore only matches against
addresses that belong to the interfaces. See #2598
* PolicyCompiler_ipt.cpp (processSingleObjectNegationInRE):
consolidated rule processors that deal with single object negation
into one class. Also, taking into account Variables.
* Interface.cpp (findAllInterfaces): added more efficient way to
get a list of all interfaces of a firewall. This function assumes
interfaces are direct children of the firewall and each interface
may have a subinterface (one level deep). This function is faster
because it does not scan whole tree rooted at the firewall object
which might be large if firewall has lots of rules.
2011-07-19 vadim <>
* NATCompiler_ipt.cpp (processNext): fixed SF bug 3371301 "Error
compiling with VLAN and masquerade". Iptables NAT rules with vlan
interface configured as "dynamic" and no ip address in Translated
Source caused compiler crash.
2011-07-18 theron <>
* Fixed #2511: make sure auto-scroll of items in ObjectTreeView
works, otherwise it's impossible to move an item into a
user-defined folder if there are lots of intervening items.
2011-07-13 theron <>
* Fixed #2505: make sure that objects that we show are members of
a dynamic group are actually objects. Previously we were showing
stuff like FirewallOptions objects. To make sure that dynamic
group expansion is done the same way in the UI and for the
compiler, also fixed #2502 (consolidate logic for DynamicGroup).
* Modified checks (added for #2514) for empty path in an Address
Table object. It's valid to have an empty path for the situation
where a user wants to use an ipset in place of the table.
However, if there is a path and it comes out blank in
getSourceNameAsPath() then that means %DATADIR% expansion failed.
* Fixed #2440. Now when a firewall is matched in the quick
filter, all child elements (e.g. policies, interfaces) will be
displayed as well.
* Fixed #2523: save the expanded/collapsed state of the tree when
the user starts typing something into the quick filter. When the
quick filter is cleared, re-expand any items that started off
expanded (so we get the union of expanded items displayed by quick
filter plus what the user started with expanded).
* Tried to fix #2507: set a size for the "type" column in the
dynamic group dialog (on some platforms it comes out so narrow you
can't see it, despite it having ResizeToContents).
2011-07-11 theron <>
* Implemented #2514, support for address table alternate paths.
There's a "data directory" setting under user preferences. If the
user selects an address table file using "choose file" and that
file is "inside" the data directory, then the appropriate part of
the path is replaced with %DATADIR% as a variable. If the address
table is marked "run-time" then the path is taken from the
firewall data directory option.
2011-07-11 Vadim Kurland <>
* TableFactory.cpp (createTablesForRE): see #2513 "Group and
Address Table name persistence in generated config". Compiler for
PF can now preserve names of object groups, dynamic groups,
compile-time AddressTable and compile-time DNSName objects in
the generated pf.conf file. This is optional and is controlled
by a checkbox in the firewall settings dialog.
2011-07-09 vadim <>
* pf.g (rule_extended): see #2551 Importer should parse PF rules
that use "route-to", "reply-to" and "dup-to" options in both
pre-4.7 and 4.7 formats. In PF 4.7 these parameters moved to the
end of the rule and are now part of the "filteropts" block of
* PFImporter.cpp (pushPolicyRule): see #2551 Importer should
correctly import "pool type" parameter that follows source routing
rule options "route-to", "reply-to" and "dup-to". Also, since
currently fwbuilder does not support source routing rules with
multiple different interface-gateway pairs (only one interface in
combination with one or multiple gateway addresses are supported),
importer displays warning and marks rules as "broken" when it
encounters this configuration.
* ObjectManipulator_slots.cpp (makeSubinterface): see #2561
operation of making an interface a subinterface should be
performed using undo/redo command. Also, this should take care of
inconvenient scrolling of the object tree after this operation.
* ObjectManipulator.cpp (addSubinterfaceSubmenu): see #2562 "Crash
when making an interface that has subinterfaces a subinterface of
another interface". If an interface has subinterfaces, it should
not be allowed to become subinterface of another interface.
2011-07-08 vadim <>
* ObjectManipulator_slots.cpp (makeSubinterface): see #2561 "Add
context menu to move an interface to be a child of another
interface". New context menu (submenu) allows user to move an
interface in the tree to make it a subinterface of another
* parsers/pf.g: see #2556 "PF import: import of rules referring to
undefined macros". Importer now records all parser errors in the
comments of rules where they occurred and marks these rules
"broken" by coloring them red. Behavior on import of pf.conf file
with undefined macros is inconsistent at this time: undefined
macro that appears in a rule where parser expects ip addresses is
converted to a run-time DNSName object with name "$macro", a
warning is displayed and rule is marked as "broken". Undefined
macro in the position of interface name, port name or other
parameters triggers generic parser error that looks like "Parser
error: line 26:19: unexpected token: $ext". The rule is marked as
"broken" and the error is recorded in the comment.
* PFImporterRun.cpp (substituteMacros): see #2556 "PF import:
import of rules referring to undefined macros". Importer displays
warnings for all undefined macros found in the file, even if there
are several.
* objectSignature.cpp: fixes #2559 "Crash on import when at least
one DynamicGroup object already exists in the object tree."
2011-07-07 Vadim Kurland <>
* RoutingCompiler.cpp (processNext): see #2191 "Crash when
compiling a route with table object". Compiler for PF crashed
when run-time AddressTable object was used in RDst of a routing
* PFImporter.cpp (makeAddressObj): see #2546 "PF import - negation
inside of inline tables is ignored". Since we can not import
address lists or tables that contain a mix of negated and
non-negated items, importer should display an error when it
encounters one of these and mark all rules that use it as "broken"
(rule is colored red and error message is added to the comment).
* PFImporter.cpp (makeAddressObj): see #2556 "PF import: import of
rules referring to undefined macros". If pf.conf file uses an
undefined macro (there is $macro somewhere but the macro has never
been defined), importer issues a warning, creates run-time DNSName
object with the name "$macro" and marks all rules where it is used
as broken, that is, rules are colored red and the error message is
added to the comment field. Using run-time DNSName object makes
compiler use "$macro" in the generated pf rule which means
fwbuilder generates exactly the same pf rule as the one it tried
to import.
* PFImporterRun.cpp (run): see #2554 "PF import: create groups of
address objects for macros where possible". Importer for PF
recognizes macros that define lists of ip addresses, interfaces or
host names and creates object groups with the same name from them.
Only macros that contain at least one ip address in the list are
* PF import: check if a macro used somewhere in the file to be
imported is actually defined and abort if not
* PF import: see #2551 making sure rules that have route-to option
get the call to setRoute() in the importer
2011-07-06 Vadim Kurland <>
* applied two patches by Vadim Zhukov to
replace calls to sprintf with safer calls to snprintf and fix some
compiler warnings.
* Importer.cpp (addStandardImportComment): see #2552 "PF import:
add ability to suppress comments referring to line numbers in the
original file".
* PFImporter.cpp (pushPolicyRule): see #2551 "PF Import - source
routing rules are not imported with rule options set". Importer
should import "route-to" rule parameters.
* PFImporter.cpp (newAddressTableObject): see #2546 "PF import -
negation inside of inline tables is ignored". We can not import
PF table definition that has some addresses negated.
* PFImporterRun.cpp (run): see #2550 "PF import - recursive macros
are not supported". Importer for PF should interpret macro
definitions that use other macros. See #2545 "PF import error when
using macro names with same base name and incrementing digit
suffix". Importer should correctly interpret a macro that has name
of another macro as a substring of its own name.
2011-07-05 vadim <>
* PolicyCompiler_pf_writers.cpp (processNext): see #2549 "Update
generated route-to configuration for PF versions 4.7 and later",
SF bug 3348931. The "route-to" parameter moved to the end of
pass rules in PF 4.7
* pf.g: fixed bug in PF import: address lists such as "{ addr1,
addr2, ... }" defined as macros or inside the rule could not be
imported correctly.
* pf.g: we should be able to import both "block quick log" and
"block log quick".
2011-06-29 theron <>
* Fixed #2547, made keyword add/remove buttons same size.
2011-06-29 theron <>
* Fixed #2540. On mac we can get a drop event even if
dragMoveEvent() says the drop is invalid. So in ObjectTreeView we
validate the drop the same way we validate in dragMove to make sure
the drop is valid.
* Fixed #2542. Catch exception inside preprocessor loop so that
loop continues after error (for unit tests). Also make sure to
set ".loaded" variable before calling loadFromSource so that if an
exception happens we won't try to load it again later.
* Fixed #2539. Make sure user folders are added properly. Also
deal with case of an object that has a folder attribute that
doesn't exist in the parent's subfolders list (shouldn't ever
happen, but in case it does it no longer crashes). Also make sure
that subfolders don't have commas in them.
* Partially fixed #2544. Adding new icons for dynamic group.
2011-06-27 theron <>
* Fixed #2530, where adding a subfolder opens the parent folder in
the object editor.
* Fixed #2529, where dragging and dropping items between
subfolders could cause a crash.
* Fixed #2528, display icon next to "new subfolder" menu item.
* Added feature #2517: directory location caching. Use
FWBSettings::{get|set}OpenFileDir() any time we use QFileDialog so
that the directory you navigated to last time shows up in the next
file dialog. This behavior is overridden by setting a working
directory. If the directory no longer exists, gracefully fall
back to something sensible.
2011-06-23 theron <>
* Added support for creating user-defined subfolders. The
subfolders exist purely in the display and are not reflected in
the FWObject tree, in order to keep changes in the back-end to a
minimum. New attribute "subfolders" on a system folder tells the
gui what additional child elements to display in the tree, and
attribute "folder" on any FWObject tells gui which child tree
element to put it in.
2011-06-22 Vadim Kurland <>
* ObjectManipulator_ops.cpp (autorename): fixed #2520 "Attached
Network objects are not renamed if a firewall is renamed"
* AttachedNetworksDialog.cpp (addAddressToList): see #2519 Avoid
creating duplicate network objects for the AttachedNetwork object
if the parent interface has multiple ip addresses that belong to
the same subnet.
* CompilerDriver.cpp (CompilerDriver): fixed #2521 "Compile fails
if firewall has locked interface that is set to dynamic".
* NATCompiler_pf_writers.cpp (_printProtocol): see #2524 'avoid
" {tcp udp icmp} " in place of protocol'. NAT compiler for PF does
not need to generate protocol match "proto {tcp udp icmp}" when
service object used in the NAT rule is "any". The reason this was
done this way is lost in the mist of time; it's been like this
since very early versions of fwbuilder.
2011-06-21 vadim <>
* NATCompiler_pf.cpp (compile): fixed #2428 "PF compiler crashes
when ipv4+ipv6 NAT rule uses only ipv4 address". This has been
reported as SF bug 3305234.
2011-06-20 Vadim Kurland <>
* ObjectManipulator_slots.cpp (forward): see #2493 implemented
"forward" function in addition to the "back" function, added
a button to the toolbar, using new icons for Back and Forward
* (SUBDIRS): see #2477 removed transfer agent
* see #2506 Removed obsolete localization files (Russian
and Japanese). These were incomplete and have never been updated for
2011-06-10 Theron Tock <>
* implementation of keywords associated with objects in the GUI;
ability to filter by keywords, dialog layout changes to add GUI
controls for keywords.
* implementation of the DynamicGroup object type. Dynamic group
automatically expands to a set of objects using matching rules
that at this time can match object types and keywords.
2011-06-09 Vadim Kurland <>
* fixed several GUI crashes that happened when user performed
various operations on the object tree that contained locked
objects. see #2487
2011-06-04 vadim <>
* FWWindow_editor.cpp (openEditor): this change is a part of the
GUI usability improvements: when user double clicks on a firewall
object to open it in the editor, rule set view panel switches to
the rule set of that firewall. To decide which rule set to show,
the program scans history of the objects the user opened before in
the same GUI session and shows that firewall's rule set they
opened last. If user never opened any rule sets of this firewall,
then the first Policy object is shown. See #2465.
* RuleSetView.cpp (itemDoubleClicked): as part of the GUI
usability improvements, its behavior when user double clicks on
"any" in a rule has changed. Now the program opens object "any" in
the editor and shows prompt text that explains its behavior. The
editor stays read-only and should appear grayed-out if palette
is set up for that. This reverses the change made for #1731. See #2454.
2011-06-03 vadim <>
* applied patch to provide configure command line option to specify
path to ccache. Thanks to user "a. k. huettel" on SourceForge.
* NATCompiler_pf.cpp (_expand_addr): see #2455 NAT Compiler for PF
should use "(interface)" syntax to the right of "->" in NAT rules.
This now works for all interfaces, including those that have ip
addresses in fwbuilder configuration, when interface object
appears in "Translated Source" in a nat rule. When firewall object
appears in "Translated Source", it gets replaced with a set of its
interfaces which also get translated into "-> (interface)".
* NATCompiler_ipt.cpp (compile): see #2456 Added support for
single object negation in "Inbound Interface" and "Outbound
Interface" columns in compiler for iptables.
* NATCompiler_pf.cpp (compile): see #2456 Added support for single
object negation in "Interface" rule element of PF NAT rules. Now
compiler can produce PF commands such as "nat on ! em0 ... " (for
PF <4.7) or "match on ! em0 ..." (for PF >= 4.7)
* Compiler.cpp (singleObjectNegation::processNext): moved rule
processor that processes single object negation in any rule
element to the base class Compiler.
2011-06-02 Vadim Kurland <>
* pf.g (set_rule): see #2464 implemented import of PF "set timeout",
"set limit" and other "set" commands. Known limitations:
- commands "set ruleset-optimization", "set loginterface",
"set block-policy", "set state-defaults", "set require-order",
"set fingerprints", "set reassemble", "set hostid" are not supported.
2011-05-30 vadim <>
* pf.g (nat_rule): see #2449 Implemented import of PF "nat"
rules. Known limitations:
- as of v4.2 we can not generate optional parameters for the
"source-hash" pooltype. "sticky-address" is not supported either.
- Interface group names are not recognized
2011-05-27 vadim <>
* PFImporter.cpp: see #2394 pf.conf import. This version implements
import of pf.conf configuration with the following limitations:
- anchors are not imported. Anchor rules are imported but rules
inside anchors are not.
- only pf.conf configurations designed with the use of keyword
"quick" can be imported.
- Macros are expanded during import and are not recreated as
objects. Tables are imported as run-time AddressTable objects
configured with the file name, or object groups.
- User has to specify host OS and PF version number during import
process because interpretation of rules with default settings
of some parameters is version-dependent.
- Import of IPv6 addresses and ICMPv6 matches in pf.conf is not
supported at this time.
- Import of TCP flag matches for flags 'E' and 'W' is not supported.
- Import of "include" clause is not supported
- Import of "user" and "group" matches is not supported
2011-05-26 Vadim Kurland <>
* PolicyCompiler_pf.cpp (compile): see #2434 "PF compiler should
use 'self' keyword where appropriate". Compiler for PF now uses
keyword 'self' in rules where firewall object is used in Source
or Destination.
* fwcompiler/Compiler.cpp (processNext): added rule processor to
replace firewall object with special run-time object "self" in
Source and Destination rule elements. This rule processor can
be used in policy compilers for any platform.
2011-05-17 vadim <>
* FWObjectDatabase_tree_ops.cpp (merge): see #2420 "Crash when
selecting New Firewall and existing firewall has interface that is
locked". Fixed GUI crash that happened on some operations if an
object in the tree was locked. For example, if the user locked an
interface of one of the firewall objects that then proceeded to
create new firewall object, the GUI would crash. The problem was
not limited to locking specifically interface objects.
2011-05-15 vadim <>
* IPTImporter.cpp (pushPolicyRule): see #2411 Implemented import
of iptables rules with target CLASSIFY.
2011-05-14 vadim <>
* CompilerDriver_ipt.cpp (findBranchesInMangleTable): see #2405
"Tag and classify actions dont work properly with branches".
When branching rule points to a rule set that has rules with Tag
and Classify options, branching should occur in mangle table even
when checkbox "create branch in mangle table" is not checked. The
fix in this change is tentative as it creates branch in chains
allowed in POSTROUTING, this may create conflict. Need to test
* AttachedNetworks.cpp (AttachedNetworks): see #1580 New object
type: network object that automatically matches subnets an
interface is attached to. The object can be a child of an
interface. The object is optional and is not created automatically
for all interfaces; user can add it using context menu associated
with an interface. Dialog for this object allows editing of the
name and comment. List of network addresses represented by this
object is always generated automatically. Compiler for PF
translates this object to "en0:network" construct that is
supported by PF. Compiler for iptables expands it to the list of
ipv4 and ipv6 networks defined by the addresses of the parent
interface if interface has static addresses. If interface is
configured as "dynamic" and has no address in fwbuilder, then
compiler treats AttachedNetworks object as run-time and uses shell
function to determine network addresses during activation of the
firewall script. Compilers for other firewall platforms always
treat this object as compile-time and abort if it is used with
dynamic interface.
2011-05-13 vadim <>
* PolicyCompiler_ipt.cpp (processNext): see #2402 "Tag action
should be done in PREROUTING so it can be acted on later". If a
rule has both tagging and classification options, the rule should
be split so that iptables command doing tagging goes in PREROUTING
and rule doing classification goes into POSTROUTING chain.
* PolicyCompiler_ipt.cpp (processNext): see #2401 "Deprecating
Route option for iptables". This target is not included in any of
the popular Linux distributions (checked in Ubuntu, Fedora and
CentOS). The GUI dialog and all support in the compiler will be
removed in future version of fwbuilder. Beginning with 4.3.0,
compiler aborts with an error when it encounters a rule using this
option. In older versions of fwbuilder (4.2.x and before) this
option was presented as an action "Route".
* CompilerDriver_ipt_run.cpp (run): see #2400 'Mixing Actions
"Accept" and "Classify" results in incorrect rules', see #2399
'Mixing Actions "Accept" and "Tag" results in incorrect ruleset'.
After we made Tag, Classify and Route rule options instead of
actions, rules that mix these options with actions "Accept" and
others, except for "Continue", should be treated differently. The
actions are now implemented using iptables rules in the table
"filter", and additional rules in table "mangle" are used to
implement only tagging, classification or routing. Generated
script does not change default action in table "mangle" and
assumes it is "ACCEPT" so adding rules with target ACCEPT in
mangle table should not be necessary. Another change because of
this affects branching rules that use option "create branch in
mangle table in addition to the filter table". These rules used to
duplicate the same action and logging rules in mangle. Now they
don't do this and only create rules in mangle if branch rule set
performs tagging, classification or routing.
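The split described in this entry (Tag in mangle/PREROUTING, Classify in mangle/POSTROUTING, the action only in the filter table, and "Continue" rules carrying no "-j TARGET" unless logging turns it into "-j LOG") as an added Python illustration. This is not fwbuilder code; the chain choice (FORWARD), the MARK/CLASSIFY target syntax and the rule dictionary shape are assumptions made for the example, and the Route option is not modelled.

```python
# Added example, not fwbuilder's generator: spreads one policy rule whose
# Tag/Classify options are combined with an action over the "mangle" and
# "filter" tables. Chain names and rule fields are assumptions.

ACTION_TARGETS = {"Accept": "ACCEPT", "Deny": "DROP", "Reject": "REJECT"}


def rule_match(rule):
    """Packet-match part shared by every command generated for this rule."""
    parts = [f"-s {rule['src']}", f"-d {rule['dst']}"]
    if "dport" in rule:
        parts.append(f"-p tcp --dport {rule['dport']}")
    return " ".join(parts)


def iptables_commands(rule):
    """Return the iptables commands for one policy rule.

    - option Tag      -> mangle/PREROUTING with MARK, so later rules can act on it
    - option Classify -> mangle/POSTROUTING with CLASSIFY
    - the action lives only in the filter table; mangle rules never carry
      ACCEPT because the mangle default policy is assumed to be ACCEPT
    - action "Continue" yields a filter rule with no -j target, or "-j LOG"
      when logging is enabled on the rule
    """
    match = rule_match(rule)
    cmds = []
    if rule.get("tag") is not None:
        cmds.append(f"iptables -t mangle -A PREROUTING {match} -j MARK --set-mark {rule['tag']}")
    if rule.get("classify"):
        cmds.append(f"iptables -t mangle -A POSTROUTING {match} -j CLASSIFY --set-class {rule['classify']}")
    action = rule["action"]
    if action == "Continue":
        target = " -j LOG" if rule.get("log") else ""
        cmds.append(f"iptables -t filter -A FORWARD {match}{target}")
    else:
        if rule.get("log"):
            cmds.append(f"iptables -t filter -A FORWARD {match} -j LOG")
        cmds.append(f"iptables -t filter -A FORWARD {match} -j {ACTION_TARGETS[action]}")
    return cmds


def mangle_has_action_targets(cmds):
    """Check for the mistake the entry describes: a mangle rule ending in a
    terminating action target such as ACCEPT or DROP."""
    return any("-t mangle" in c and c.split(" -j ")[-1] in ACTION_TARGETS.values()
               for c in cmds)


if __name__ == "__main__":
    # Constructed sample rule: Accept + Tag + Classify in one policy rule.
    sample = {"src": "10.0.0.0/24", "dst": "192.0.2.10", "dport": 80,
              "action": "Accept", "tag": 7, "classify": "1:10"}
    for cmd in iptables_commands(sample):
        print(cmd)
```

Running the block prints three commands for the sample rule: the MARK rule in PREROUTING, the CLASSIFY rule in POSTROUTING and a single ACCEPT in the filter table; `mangle_has_action_targets` is the check a reviewer would run over generated output to confirm no action leaked into mangle.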
2011-05-11 vadim <>
* v4.2.2 released
* newFirewallDialog.cpp (finishClicked): fixes #2395 "Crash when
setting installer directory location" and fixes #2396 "Crash when
changing firewall name". These two bug reports were the
manifestation of the same problem that was introduced by the fix
for #2380. When user hits OK in the newFirewallDialog and it
merges temporary object tree into the main object tree, it should
call fixTree() to fix all pointers to the root of the tree.
2011-05-10 vadim <>
* v4.2.1 released
2011-05-10 Vadim Kurland <>
* fwbuilder released; started v4.3.0
* merged from branch multiple_actions to add changes that
implement conversion of actions Tag, Classify and Route to
options. Now one policy rule can have any combination of these
options. See #2367.
2011-05-09 Vadim Kurland <>
* FWCmdAddObject.cpp (redo): fixes #2391 "selecting 'new library'
when editor panel not on 'editor' tab causes crash"
2011-05-06 vadim <>
* PolicyCompiler_pf_writers.cpp (_printQueue): see #2390 Classify
does not generate "queue" string for rules created in V4.2.1.3538
This completes the fix for the bug #2385.
2011-05-05 Vadim Kurland <>
* FWObjectDatabase_19.xslt: see #2385 "PF action Classify uses
wrong parameter". This change fixes a bug introduced in 4.2.0
that affects rules with action Classify in PF firewalls.
The bug causes the following problems:
For users who built their rules before v4.2.0:
- rules compile normally, both in the single rule compile and
when the whole firewall is compiled
- if they opened the action of one of such rules in the action
editor, the classification string would look empty
- if they entered new classification string in the editor,
compiler kept using the old one (which they can not see or
change in the editor)
For users who tried to build rules with action Classify with v4.2.0:
- no matter what classification string they enter in the action
dialog, generated code does not use it
2011-05-04 Vadim Kurland <>
* FWObjectDatabase_18.xslt: XSLT transformation to upgrade data
files from DTD v18 to DTD v19. This transformation finds
"PolicyRule" elements with missing "Itf" child elements and fixes
them by adding such element with a reference pointing to "any".
Fixes #2383
* Element "Itf" (an interface) of "PolicyRule"
should be required. DTD version increment.
2011-05-03 vadim <>
* PolicyCompiler_ipt.cpp (processNext): see #2367 "Multiple
actions per policy rule". Options "Tag", "Classify" and "Route"
work with iptables in a combination with any action. This
implementation has one restriction: option Route can not be used
in combination with options Tag or Classify and any action that is
not Continue. This is because option Route can yield rules in
PREROUTING or POSTROUTING chains that are also used by options Tag
and Classify. For this combination we create two user-defined
chains that perform routing and tagging (or classification). In
case of a terminating action both chains end with it. This means
if one matches the packet, the other is never going to see it.
Non-terminating action "Continue" does not create this problem.
This limitation may be removed in future versions of fwbuilder.
2011-05-03 vadim <>
* newFirewallDialog.cpp (finishClicked): see #2380 "Firewall
object is created in the middle of the "new firewall" wizard and
clicking Back creates two firewall objects". If user chose to
create new firewall object from a template and clicked Back after
choosing the template, the program actually created two firewall
objects but only one was visible in the tree.
2011-04-30 vadim <>
* RuleSetModel.cpp (objectChanged): see #2373 "GUI becomes
unresponsive for a long time when an object that is used in a
large number of rules is modified". The program spent too much
time resizing rule set view columns.
2011-04-29 vadim <>
* UsageResolver.cpp (findFirewallsForObject): see #2373 "GUI
becomes unresponsive for a long time when an object that is used
in a large number of rules is modified". This bug only affected
configurations with very large rule sets (1500 rules) where lots
of rules used the same object. The change in UsageResolver
eliminates unnecessary scanning of all rule sets to check if the
affected rule set might be used as a branch. The program used to
scan the same objects many times.
* iosaclAdvancedDialog.cpp (accept): fixes #2368 and SF bug
3294457 "External install script". External install script name
and arguments weren't saved for IOS firewall objects.
* snmpNetworkDiscoveryWizard/ND_ProgressPage.h: fixes #2370, #2371
"broken signals in network discovery wizard". Network discovery
wizard was not correctly initialized and did not work.
2011-04-25 Vadim Kurland <>
* instDialog_ui_ops.cpp (readInstallerOptionsFromDialog):
tentative fix for SF bug 3169045 "Batch installer lists IPv4
address as management address". Built-in installer wanted to use
management interface address in batch mode even when alternative
address or putty session name was provided. This happens only in
batch mode install.
* VERSION (GENERATION): version 4.2.0 released; started 4.2.1
2011-04-20 vadim <>
* configlets/pix_os/script_skeleton: fixed bug (no #): "clear"
commands were not added when option "generate only access-list,
access-group, nat, static..." was in effect; also making sure
"clear" commands for object-groups and ssh are not added when
option "do not add clear commands" is on. This affects PIX/ASA/FWSM.
2011-04-19 Vadim Kurland <>
* RoutingCompiler_ipt.cpp (compile): see #2359 "Crash when
compiling single rule with IPv6 destination and IPv4 gateway or
interface". Routing compiler for iptables does not support ipv6 at
this time and will issue a warning when user tries to place ipv6
address or network in a routing rule. The warning does not appear
when ipv6 address is a member of a group used in the rule. Also
see #1575.
2011-04-17 vadim <>
* fwbedit.cpp (main): added command line switch "-d" to function
"import" in fwbedit. This switch activates object deduplication
on import.
2011-04-15 vadim <>
* fwbedit.cpp (main): see #2328 "Add ability to run firewall import
from the command line". This has been implemented as a new function
"import" in fwbedit. See man page fwbedit(1) and "fwbedit -h" for
more details.
* iptables.g (multiport_tcp_udp_port_spec): see #2245 fixed bug in
parser for iptables that prevented correct import of iptables rules
using module "multiport" with port range matches.
2011-04-14 vadim <>
* CompilerDriver_pix_run.cpp (pixSecurityLevelChecks): see #2351
Security levels of ASA and FWSM interfaces do not have to be
unique. Removed check that enforced this.
* IPTImporterRun.cpp (run): see #2275 Importer for iptables now
correctly handles both "intrapositioned" ("-s ! address") and
"extrapositioned" ("! -s address") negation.
* platform/fwsm.xml: see #2295 Added FWSM version "3.2". According to
Cisco documentation, FWSM version 3.2 matches PIX 7.
* platform/pix.xml: see #2348: "Accounting action is not valid for
FWSM platform". Actions "Accounting" and "Reject" should not
appear in the drop-down list of actions in the GUI if platform is
pix or fwsm.
* PolicyCompiler_pix.cpp (printPreambleCommands): see #2347 "FWSM
move up the "access-list mode auto-commit" command". Command that
configures access list commit mode should be issued before any
commands that clear and configure access lists. Also in this
change moving commands that set up temporary access list to the
top of the script.
* PolicyCompiler_pix.cpp (printClearCommands): see #2322 If this
is FWSM and if manual commit mode is used, need to commit after
clearing ACLs before we clear object groups.
2011-04-13 Vadim Kurland <>
* IPTImporter.cpp (pushPolicyRule): see #2338 "Empty Mangle Policy
object created on import". Iptables rules in the table 'mangle'
will be imported in the dedicated Policy rule set with name
"Mangle". Rules that use chains FORWARD and POSTROUTING in table
'mangle' can not be reproduced and will be marked as "bad" (color
red and corresponding comment).
* configlets/fwsm_os/ntp: see #2344 fwbuilder should not generate
any "ntp" commands for FWSM because NTP can not be configured on FWSM.
* OSConfigurator_pix_os.cpp (_printSysopt): see #2345 More fixes for
FWSM 4.x: "service resetoutbound", "timeout xlate", "timeout sunrpc"
* OSConfigurator_pix_os.cpp (_printInterfaceConfiguration): see #2343
"Interface nameif error when installing generated config for FWSM".
Use correct "nameif" command syntax in FWSM 2.x and 4.x.
* OSConfigurator_pix_os.cpp (_printSSHConfiguration): see #2344
"FWSM install errors for clear commands". Using correct syntax for
"clear" commands for FWSM v4.x
2011-04-11 vadim <>
* PolicyCompiler_PrintRule.cpp (_printTarget): see #2235 "Modified
rule action for Continue". Rules with action "Continue" should
translate into iptables commands without "-j TARGET" parameter. If
such rule also has logging enabled, it should use target "-j LOG"
instead of generating additional chain.
* IPTImporter.cpp (pushPolicyRule): see #2206 Iptables commands with
no "-j TARGET" parameter should be imported using action "Continue".
* iptables.g (comment): see #2336 Importer for iptables recognizes
version stored in the top comment by iptables-save and sets
version in the firewall object it creates.
2011-04-10 vadim <>
* utils.cpp (expand_interface_with_phys_address): see #2324 "NAT +
MAC-matching rules not generated properly". Iptables NAT rules
matching a group of host objects with both IP and MAC addresses each
in "Original Source" were not generated properly.
* PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): SF bug
3178186 "Add ND/NS allow rules for the FORWARD chain". Rules that are
added automatically to ipv6 Linux firewall to permit neighbor discovery
packets should be also added to the FORWARD chain if the firewall is
a bridge.
* ObjectManipulator_create_new.cpp (actuallyCreateObject): see #2229
"Multiple new objects with the same name". The GUI should automatically
choose unique object names for new objects.
* platforms.cpp (setInterfaceTypes): see #2224 "FreeBSD - Bridge
interfaces with the name vlan<xx> don't show as Bridge Port
Interfaces". This actually applies to all OS where we support vlan
and bridge interfaces. Fwbuilder GUI should allow the user to set
subinterface type to both "ethernet" and "vlan" when its parent
interface has type "bridge". Setting subinterface type to
"ethernet" makes it bridge port, while setting the type to "vlan"
signals policy compiler that it should generate code to configure
real vlan interface. If the name of the subinterface does not
include the name of the parent, such as "vlan101", or when the
name does not match vlan ID, such as "vlan8101", global
preferences option "Verify interface names and autoconfigure their
parameters..." should be turned off. The option is located in the
Preferences dialog, tab "Objects".
2011-04-08 vadim <>
* FWBSettings.cpp (init): fixed bug (no #): "Show text
description in rule columns" does not persist across sessions
* clusterMembersDialog.cpp (createMember): see SF bug 3211769
"Member interfaces not sorted". Sorting interfaces by name in the
dialog where user adds them to the cluster member group.
* os/ios.xml: see #2330 "Crash when creating a cluster of IOS
router firewalls". Added support for basic IOS router clusters.
No failover protocol support at this time, but the cluster can be
configured with protocol "None" and fwbuilder will do address
substitutions at compile time.
* PolicyCompiler_cisco.cpp (processNext): see #2308 "ASA rules
with service set to "http" and destination set to asa firewall
object should generate different command syntax". Policy rules
that have firewall object in Destination and http object in
Service now generate "http" commands. This is similar to how
fwbuilder generates "ssh", "telnet" and "icmp" commands to permit
corresponding services to the firewall itself.
* pix.g (static_starts_with_tcp_udp): more fixes for import of
PIX/ASA "static" command in different variations. See #2334
* ObjectEditor.cpp (changed): see #2335 "GUI switches between data
files upon closing editor panel". If user opened two data files in
the GUI and was in the process of editing objects in one of them,
the GUI would flip to the other file under certain circumstances.
2011-04-07 vadim <>
* PIXImporterNat.cpp (buildDNATRule): resolved several problems
with import of "static" commands that use access list that matches
source or destination tcp/udp ports. See #2326, #2327
* pix.g (network_top_level_command): see #2295 fixes in the grammar
to support import of FWSM configs
* PIXImporter.cpp (fixServiceObjectUsedForBothSrcAndDstPorts):
see #2265 "ASA 8.3 acl import: access-list commands using two
named objects or object-groups", see #2290 "Access lists that
include mix of service objects and inline service definitions are
not properly imported". To import access-list command that matches
both source and destination tcp/udp ports and uses object-group in
either match I should create a new service group with a collection
of TCP or UDP service objects matching all combinations of source
and destination port ranges defined by the rule. This should work
when one or both matches use object-group in combination with
inline port match.
* PIXImporter.cpp (pushPolicyRule): see #2297 Added warning when
importer encounters access-list command that matches tcp or udp
ports with "neq" port operators in both source and
destination. This configuration is not supported by import at this
* PIXImporterNat.cpp (buildSNATRule): see #2319 "Imported nat
rules with multi-line access-lists have only the first entry"
* PIXImporterRun.cpp (run): see #2167 Implemented import of
"names" and "name" commands in PIX/ASA configs.
* CompilerDriver_pix_run.cpp (pixNetworkZoneChecks): see SF bug
3213019 "FWSM Network zone and IPv6". Currently we do not support
ipv6 with PIX/ASA and FWSM. If user creates a group to be used as
network zone object and places ipv6 address in it, this address
should be ignored while compiling the policy but this should not
be an error.
* FirewallInstaller.cpp (executeExternalInstallScript): see SF bug
3212988 "external script makes getopt difficult". User-defined
parameters for the external script moved to the end of the command
* res/os/fwsm_os.xml: updated filesystem path on FWSM where
fwbuilder built-in installer should place generated configuration
when it is installed using scp. Currently using path "disk:".
2011-04-05 vadim <>
* pix.g (static_command_common_last_parameters): see #2314 "Import
of static NAT statements drops netmask value and uses host
instead". "Netmask" parameter of a "static" command applies to
the real address.
* PIXImporterNat.cpp (buildDNATRule): see #2313 "NAT with
access-list destination address and original service not set".
"Nat" and "static" commands that use access-list should import all
components of the access-list command (source, destination and
* PIXImporterNat.cpp (buildSNATRule): see #2310 "Imported global /
nat rule has wrong interface defined". Importer mixed up inbound
and outbound interfaces in NAT commands created from combination
of "global" and "nat" PIX/ASA commands.
* pix.g (nat_new_top_level_command): since import of ASA8.3
"new" nat commands is not implemented yet, importer should issue
a warning when such command is encountered. See #2315
2011-04-01 vadim <>
* FWObject.cpp (insert_before): see #2171 "Undoing delete of rule
ends up with rules being created with duplicate rule
numbers". Also see #2172 "Crash when deleting rule - related to
#2171". When user deleted the last rule in a rule set, then used
Undo to restore it, the program lost track of rules in the rule
set and became unstable.
* FWObject.cpp (shallowDuplicate): see #2286 "Crash when closing
file". The GUI crashed if user imported iptables or pix
configuration, then deleted a rule and tried to close project
* PIXImporter.cpp (mirrorServiceObjectRecursively): see #2291 The
same service object-group that matches some tcp or udp ports can
be used to match both source and destination ports in an
access-list command. Importer should recognize when such group
is used to match source ports and create mirrored group with
potentially mirrored service objects. This should work when group
includes other groups.
* FWWindow_editor.cpp (openOptEditor): fixes #2307 "GUI switches
to another file after editor panel is closed"
2011-03-31 vadim <>
* parsers/pix.g (http_command): see #2164 fixed import of "ssh"
commands and added import of "http" commands
* objectMaker.h (ObjectMakerErrorTracker): see #2302 Importer
should log and continue when it encounters an error. This matches
its behavior in older versions and makes it more resilient to
changes in target platform firewall languages. Rule that had an
error or unrecognized syntax in it should be marked by changing
its color to red and an explanation should be added to its
* PIXImporterNat.cpp (buildSNATRule): import of PIX/ASA "global"
and "nat" commands works.
2011-03-30 vadim <>
* PIXImporterNat.cpp (buildDNATRule): import of PIX/ASA "static"
commands works for the most part. Needs more testing.
2011-03-28 vadim <>
* ObjectManipulator.cpp (getDeleteMenuState): see #2226 fixed GUI
crash that happened when user tried to delete or cut an object
from locked library.
* RuleOptionsDialog.cpp (loadFWObject): see #2230 the GUI should
allow limit-burst values of up to 10000
2011-03-27 vadim <>
* import/PIXImporter.cpp (addLogging): see #2279 Support for import
of ASA access-list lines with log levels and intervals
* parsers/pix.g (tcp_udp_port_spec): see #2284 fixed import of
tcp/udp port ranges using mix of port numbers and port names
* getServByName.cpp (getPortByName): see #2268 Making sure all tcp
and udp port names are recognized on import; also since PIX/ASA
converts udp port numbers in "show run" output to the same names
as if they were tcp, using the same name mapping table.
2011-03-25 vadim <>
* Importer.cpp (pushRule): fixes #2280 Rules created from PIX
config import showed an icon that indicated non-default
combination of rule options, yet all rule options looked normal
when opened in the editor.
* parsers/pix.g (icmp_top_level_command): see #2164 Implemented
import of "ssh", "telnet" and "icmp" PIX/ASA commands. These
commands are imported as regular rules in the main Policy ruleset.
* PIXImporter.cpp (finalize): see #2277 "Create policy objects for
ASA access-lists that are not applied in an access-group". Policy
rule set will be created and populated with rules found in the
corresponding access-list even if this access-list is not applied
to an interface with access-group command.
* parsers/pix.g (tcp_udp_rule_extended): see #2273 Improvements in
the parser for PIX/ASA configs to make it recognize object-group
and named object names used to define source port, destination
address or destination port in "access-list ... tcp|udp" rules,
including ambiguous situation when an object-group appears after
source address specification because this group can define either
source port or destination address.
2011-03-24 vadim <>
* ASA8ObjectGroup.cpp: see #2263 looks like "object-group service"
that includes named objects defined as "service-object" can not be
used in access-list commands and therefore is useless. Unless I
misunderstood and there is a way to use it, I should not generate
ASA configuration like this:
object-group service id5102X14531.srv.tcp.0 tcp
service-object object http.0
service-object object https.0
Object-group with "tcp" or "udp" type-suffix in the end does not
allow "service-object" statements at all, so this configuration
is incorrect anyway. However even without "tcp" in the end to
make "service-object" references acceptable, the group can be built
but can not be used in access-list statements.
Instead, the group should use port-object statements:
object-group service id5102X14531.srv.tcp.0 tcp
port-object eq 80
port-object eq 443
* IOSImporter.cpp (createTCPUDPServicePair): see #2267 added
support for import of object-group and service-object statements
of type "tcp-udp" (these get imported as service group object with
two tcp and udp service objects).
* getServByName.cpp (getPortByName): see #2268 updated list of
named tcp and udp ports recognized by the importer for Cisco ASA.
It is still unclear which port the name "cifs" corresponds to.
2011-03-23 vadim <>
* addressObjectMaker.cpp (createObject): see #1548 Improved
algorithm used to deduplicate Network objects on import.
* FWWindow.cpp (prepareToolsMenu): fixed SF bug 3238026: build
failure on systems without net-snmp development libraries.
2011-03-22 vadim <>
* parsers/pix.g (acl_xoperator_src): first attempt at PIX/ASA
access-list import. Not done yet.
* parsers/pix.g (port_object): see #2234 added support for import
of "object-group service name tcp|udp" constructs in ASA 8.3 with
subsequent "port-object" statements.
2011-03-21 vadim <>
* PortRangeConverter.h (PortRangeConverter): see #2252 TCP and UDP
service objects that define port ranges assume port ranges are
inclusive, that is, range boundaries are included in the
match. This is the behavior of port range matches in iptables and
PF, however policy compilers for Cisco IOS ACL and PIX used to
convert these objects into ios and pix access list configurations
that excluded port range boundaries from the match. This behavior
made TCP and UDP service objects with port ranges incompatible
between firewall platforms, that is, the same object could not be
used in rules of firewall objects of different platforms because
generated configurations would behave differently. This change
makes port ranges inclusive in generated IOS and PIX
configurations. Users should verify their configurations and
adjust port range boundaries in TCP and UDP service objects if
2011-03-20 vadim <>
* ImportFirewallConfigurationWizard.cpp (accept): see #2253
"importer should not creates objects while still in the middle of
the wizard". Importer wizard creates new objects in the object
tree only when user clicks Finish and abandons results if they
click Cancel.
2011-03-19 vadim <>
* IOSImporter.cpp (createTCPUDPNeqObject): see #2248 implemented
import of Cisco IOS and PIX/ASA service configurations using port
operation "neq". Since object model in fwbuilder does not provide
direct support for "port not equal to" expression, this
configuration is converted into two tcp or udp service objects with
port range extending below and above specified port and these two
service objects are then placed in a group.
* objectMaker.cpp (findMatchingObject): see #2240 better
deduplication algorithm on import: we consider objects created
from in-line address/netmask and port specifications found inside
object-group, access-list, filter or nat commands "anonymous"
objects. These objects get automatically generated names and are
deduplicated using only their relevant attributes but not names.
Objects created from pix named object ("object network foo",
"object service bar") statements are considered "named"
objects. They get the name matching the name in corresponding pix
config line and are deduplicated using both relevant attributes
and the name.
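Added example (not fwbuilder code) illustrating the two service-object points above: port ranges whose boundaries are included in the match on iptables, PF and Cisco IOS alike, and the expansion of a Cisco "neq" port operator into two ranges that are then matched as a group. The names PortRange, render, expand_neq and group_matches are assumptions made for this example; the platform syntax (iptables --dport a:b, PF port a:b, IOS range a b, all inclusive) is standard.

```python
# Added example, not fwbuilder code. Models TCP/UDP service objects with
# inclusive port ranges, renders them for three platforms, and expands a
# "port not equal to" match into two ranges placed in a group.
from dataclasses import dataclass
from typing import List

MAX_PORT = 65535


@dataclass(frozen=True)
class PortRange:
    """Port range with both boundaries included in the match."""
    start: int
    end: int

    def __post_init__(self) -> None:
        if not 0 <= self.start <= self.end <= MAX_PORT:
            raise ValueError(f"invalid port range {self.start}-{self.end}")

    def matches(self, port: int) -> bool:
        return self.start <= port <= self.end


def render(rng: PortRange, platform: str) -> str:
    """Destination-port match for one range. All three platforms use an
    inclusive range syntax, so one object matches the same ports everywhere."""
    if rng.start == rng.end:
        return {
            "iptables": f"--dport {rng.start}",
            "pf": f"port {rng.start}",
            "ios": f"eq {rng.start}",
        }[platform]
    return {
        "iptables": f"--dport {rng.start}:{rng.end}",  # a:b includes a and b
        "pf": f"port {rng.start}:{rng.end}",            # a:b inclusive (a >< b is not)
        "ios": f"range {rng.start} {rng.end}",          # range a b inclusive
    }[platform]


def expand_neq(port: int) -> List[PortRange]:
    """Model "neq <port>" as the ranges below and above the port. The object
    model has no "not equal" expression, so both ranges go into one group.
    Ports 0 and 65535 produce a single range instead of two."""
    ranges: List[PortRange] = []
    if port > 0:
        ranges.append(PortRange(0, port - 1))
    if port < MAX_PORT:
        ranges.append(PortRange(port + 1, MAX_PORT))
    return ranges


def group_matches(group: List[PortRange], port: int) -> bool:
    """A service group matches when any member matches (OR semantics)."""
    return any(r.matches(port) for r in group)


if __name__ == "__main__":
    ephemeral = PortRange(1024, 65535)
    for platform in ("iptables", "pf", "ios"):
        print(platform, render(ephemeral, platform))
    not_http = expand_neq(80)
    print([render(r, "ios") for r in not_http])
    print(group_matches(not_http, 80), group_matches(not_http, 81))
```

The matches() check is the useful part for migrating rules between platforms: if a generated configuration excluded the boundaries, ports 1024 and 65535 would silently fall through to the next rule on one platform but not on another.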
2011-03-17 vadim <>
* PIXImporter.cpp (newObjectGroupNetwork): see #2234 Added support
for import of PIX/ASA "object-group" statements.
* FirewallInstaller.cpp (getActivationCmd): see #2239 Added
variable "firewall_name" to configlets that define commands
installer runs on the firewall to activate new policy (all
2011-03-16 vadim <>
* Importer.cpp (prepareForDeduplication): fixed #1548 "Object
de-duplication during import process". Also SourceForge 3030072
"remove duplicates during any import". Now the program can
optionally re-use existing objects from both Standard Objects and
user-defined libraries when it imports existing firewall
configuration. This works for any firewall platform for which we
support policy import. Objects are matched by attributes such as
address, netmask, port etc. Object name and comment are not taken
into account. Importing the same configuration file twice creates
two firewall objects with the same interfaces and rules but
re-uses address and service objects created on the first import.
2011-03-14 vadim <>
* pix.g (named_object_network): see #2223 Implemented import of
named objects for Cisco PIX and ASA ("object network name" and
"object service name")
2011-03-12 vadim <>
* Compiler.cpp (expandGroupsInRuleElement): sorting objects in the
rule element by name after group is expanded, this helps ensure
stable ordering of objects in generated configuration.
* Compiler.cpp (replaceClusterInterfaceInItfRE::processNext):
sorting objects in rule element after cluster interfaces have been
replaced, this helps ensure stable ordering of objects in generated
* FWObject.h (FWObjectNameCmpPredicate): moved this class from
gui-specific module to libfwbuilder as it is universally useful.
It can compare FWObject objects by name and can optionally
follow references; it can be used with std::sort() to sort lists
of FWObject pointers or directly sort rule elements.
* Compiler.cpp (_init): see #2212 "Performance improvement in
compilers". This change brings significant improvement in compile
time on large object trees. The speed-up is especially noticeable
in single rule compile where the time before generated firewall
configuration appears in the GUI shrank by up to a factor of 10.
2011-03-11 vadim <>
* FWObject.cpp (add): fixes #2209 "do not allow the same object to
be child of different objects in the tree". Method FWObject::add()
enforces this. Subsequent clean-up and fixes in many places to
follow this logic. This makes code much cleaner, better organized
and more reliable.
2011-03-10 vadim <>
* libfwbuilder/src/fwcompiler/Compiler.cpp (Compiler): see #2207
fixed memory leak in policy compilers. The impact of this leak was
especially severe on Windows with very large object databases.
2011-03-08 vadim <>
* CustomServiceDialog.cpp (loadFWObject): fixes #2201 "Some fields
of locked object are editable". Some input fields of the Custom
Service object dialog were editable even when object was locked
* GroupObjectDialog.cpp (loadFWObject): fixes #2203 "Crash when
attempting to add an object to a locked group".
* PolicyCompiler.cpp (checkForShadowing): see #2204 "Shadowing
detected for rule with action Continue". Policy rules with action
"Continue" should not shadow other rules and can not be shadowed.
* Importer.cpp (addStandardRuleComment): see #2189 Program adds
the file name and the line number to comments of policy and nat
rules it creates during import.
* IPTImporter.cpp (pushPolicyRule): see #2202 importer for
iptables creates Custom Service object to match combination of
states it does not recognize. This includes "NEW,ESTABLISHED".
2011-03-07 vadim <>
* IPTImporter.cpp (pushNATRule): see #2197 "iptables nat rules in
chain OUTPUT not imported correctly"
* iptables.g (nat_addr_range): see #2194 "iptables import problem
with SNAT rule translating to an address range". NAT rules
translating into address range with "-j SNAT --to-source" did not
import correctly
* IPTImporter.cpp (pushNATRule): fixes #2195 "incorrect iptables
import of nat rule with NETMAP target"
* IPTImporter.cpp (pushNATRule): see #2196 "iptables nat rules
with target REDIRECT not imported". Iptables NAT rules with target
REDIRECT were not imported correctly.
* IPTImporter.cpp (pushNATRule): see #2190 "support for import of
branches in NAT rules for iptables". Implemented import of NAT
rules in user-defined chains for iptables, these translate into
branching NAT rules in fwbuilder.
2011-03-06 vadim <>
* Importer.cpp (ignoreCurrentInterface): see #2152 "ASA Import -
shutdown interfaces". Importer recognizes and skips ASA interfaces
in "shutdown" mode.
* IPTImporter.cpp (pushNATRule): see #2181 "Update iptables
importer to detect inbound & outbound interfaces in NAT rules".
Importer can now import nat rules with "-i" or "-o" interface spec.
* NATCompiler_ipt.cpp (processNext): see #2170 "Compiler should
generate error for invalid iptables NAT configs". Now that we
allow the user to specify inbound and outbound interfaces in
iptables NAT rules, compiler should verify that combination of
requested "-i" and "-o" interfaces is in fact valid. For example
iptables does not allow "-o" interface spec with rules that go
into PREROUTING chain (DNAT rules) or "-i" interface spec with
rules in POSTROUTING chain (SNAT rules).
* IPTImporter.cpp (pushPolicyRule): see #2189 Policy importer
warnings and errors now include line numbers to help find relevant
lines in the original configuration file.
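Added example (not fwbuilder code) for the NAT interface check described above and for the OUTPUT-chain import entry of 2011-03-07: the nat-table chain a rule lands in is derived from its target, and iptables rejects "-o" in PREROUTING and "-i" in POSTROUTING and OUTPUT. NatRule, nat_chain, validate and render are names invented for this example; the chain and option restrictions are iptables behaviour, and the error strings mirror the ones iptables itself prints.

```python
# Added example, not fwbuilder code. Derives the nat chain from the target
# and rejects interface options that chain cannot match on.
from dataclasses import dataclass
from typing import List, Optional

# Chains each target may be used in. OUTPUT handles locally generated
# traffic. SNAT and MASQUERADE are kept to POSTROUTING here.
TARGET_CHAINS = {
    "DNAT": ("PREROUTING", "OUTPUT"),
    "REDIRECT": ("PREROUTING", "OUTPUT"),
    "NETMAP": ("PREROUTING", "OUTPUT", "POSTROUTING"),
    "SNAT": ("POSTROUTING",),
    "MASQUERADE": ("POSTROUTING",),
}

# PREROUTING has no output interface yet; OUTPUT and POSTROUTING have no
# input interface. iptables refuses the other option in each chain.
CHAIN_IFACE_OPTS = {
    "PREROUTING": {"-i"},
    "OUTPUT": {"-o"},
    "POSTROUTING": {"-o"},
}

TO_OPTION = {
    "DNAT": "--to-destination",
    "SNAT": "--to-source",
    "REDIRECT": "--to-ports",
    "NETMAP": "--to",
}


@dataclass
class NatRule:
    target: str
    to: Optional[str] = None         # argument of the target's --to option
    in_iface: Optional[str] = None   # "-i"
    out_iface: Optional[str] = None  # "-o"
    proto: Optional[str] = None
    dport: Optional[str] = None
    local: bool = False              # translate locally generated traffic


def nat_chain(rule: NatRule) -> str:
    """PREROUTING for destination translation, POSTROUTING for source
    translation, OUTPUT when the rule is for locally generated packets."""
    chains = TARGET_CHAINS[rule.target]
    if rule.local:
        if "OUTPUT" not in chains:
            raise ValueError(f"{rule.target} cannot be used in OUTPUT")
        return "OUTPUT"
    return chains[0]


def validate(rule: NatRule) -> List[str]:
    """Return the errors iptables would raise for the interface options."""
    chain = nat_chain(rule)
    allowed = CHAIN_IFACE_OPTS[chain]
    errors = []
    if rule.in_iface and "-i" not in allowed:
        errors.append(f"Can't use -i with {chain}")
    if rule.out_iface and "-o" not in allowed:
        errors.append(f"Can't use -o with {chain}")
    return errors


def render(rule: NatRule) -> str:
    """Render the iptables command, refusing combinations iptables rejects."""
    errors = validate(rule)
    if errors:
        raise ValueError("; ".join(errors))
    parts = ["iptables", "-t", "nat", "-A", nat_chain(rule)]
    if rule.in_iface:
        parts += ["-i", rule.in_iface]
    if rule.out_iface:
        parts += ["-o", rule.out_iface]
    if rule.proto:
        parts += ["-p", rule.proto]
    if rule.dport:
        parts += ["--dport", rule.dport]
    parts += ["-j", rule.target]
    if rule.to:
        parts += [TO_OPTION[rule.target], rule.to]
    return " ".join(parts)


if __name__ == "__main__":
    print(render(NatRule("DNAT", to="10.0.0.5:80", in_iface="eth0",
                         proto="tcp", dport="80")))
    print(validate(NatRule("DNAT", to="10.0.0.5", out_iface="eth1")))
    print(validate(NatRule("SNAT", to="198.51.100.1", in_iface="eth0")))
```

Running the check at compile time, as the entry describes, turns a runtime "Can't use -o with PREROUTING" from iptables (which would leave the firewall half-loaded) into a compiler error the user sees before installing.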
2011-03-05 vadim <>
* importFirewallConfigurationWizard/IC_ProgressPage.cpp (logLine):
see #2183 "count errors and warnings generated by the importer and
show the numbers in the progress page of the wizard". Configuration
import wizard now shows counters of warnings and errors generated
by the importer.
* FWBMainWindow_q.ui: see #2162 menu item "File / Import Policy"
renamed to "File / Import Firewall". This menu item launches
wizard that imports existing iptables, Cisco router IOS or
Cisco PIX/ASA config.
2011-03-04 vadim <>
* IC_NetworkZonesPage.cpp (setNetworkZones): see #2161 policy
import wizard shows the page where user can set up network zones
of interfaces if firewall platform was determined to be PIX.
* IC_PlatformWarningPage.cpp (initializePage): see #2161 "import
workflow and automatic detection of firewall platform from the
config file". When user imports existing firewall configuration,
the GUI automatically detects firewall platform from the format
of the config file and shows platform-specific warning to explain
what parts of the config can and can not be imported. It also
detects firewall host name where possible (currently Cisco IOS
and ASA/PIX). Importer wizard has been reimplemented using
QWizard and QWizardPage classes and its workflow significantly
2011-03-01 vadim <>
* importAddressListWizard/ImportAddressListWizard.cpp
(ImportAddressListWizard): see #2163 code that imports addresses
from a file in /etc/hosts format moved to its own wizard; using
QWizard and QWizardPage classes with correct implementation of
page sequencing and validation; old discovery druid has been
disabled. SNMP discovery and ios/pix/iptables configuration import
will move to their own wizards later.
2011-02-27 vadim <>
* DiscoveryDruid.cpp (finishClicked): fixes #2156 "After import
the firewall should be opened in object tree".
* instDialog_ui_ops.cpp (readInstallerOptionsFromFirewallObject):
fixes #2160 "Installer reports error "Generated script file
<firewall>.fw not found."". The problem was introduced earlier
while fixing #2047
2011-02-26 vadim <>
* DiscoveryDruid.cpp (finishClicked): see #2153 "Add Network Zone
explanation and selection dialog to ASA/PIX import". Wizard shows
additional page when user imports PIX/ASA config. This page
explains concept of network zones and offers UI to let them choose
network objects or groups as a network zone of each interface.
* PIXImporter.cpp (rearrangeVlanInterfaces): see #2145 "ASA Import
of VLAN interfaces - Advanced Interface Settings not available".
Vlan interfaces discovered in the process of PIX configuration
import should be created as subinterfaces of the corresponding
parent with correct interface type and vlan id.
* parsers/pix.g (intf_address): fixes #2146 Issue a warning when
parser encounters "standby" parameter in an interface
configuration. We do not support import of PIX failover
configuration at this time.
* platforms.cpp (findBestVersionMatch): fixes #2147 "ASA Import -
some versions are not detected correctly". when user imports
PIX/ASA configuration, firewall object will automatically be
configured with the version setting that best fits version
indicated in the imported configuration. Note that fwbuilder does
not provide the list of version numbers that match PIX/ASA
versions exactly, for example we do not have settings "7.1" and
"7.2". Devices running these versions of PIX/ASA software should
be configured with version "7.0" in fwbuilder.
2011-02-25 vadim <>
* parsers/pix.g (intf_address): see #87 "Import of PIX
configuration". Basic grammar that can parse host name, version,
interfaces, their names, labels, addresses, security levels and
few other things for PIX 6, 7 and ASA 8. PIX standby configuration
is not parsed (so we can't import cluster configuration at this
time). More work needs to be done to import named objects, object
groups, as well as policy and nat rules.
2011-02-24 Vadim Kurland <>
* FirewallInstaller.cpp (getGeneratedFileName): see #2047 "Inspect
generated files button shows different path information". Do not
pass full path to the output file as an argument of the "-o"
option when the GUI launches policy compiler. Since the "-d"
option passes directory path where files should be saved, actual
file names do not need to be absolute path, except if the user
entered absolute path for the output file name in the firewall
settings dialog.
* configlets/freebsd/installer_commands_root: see #2143 "installer
should run /etc/rc.d/pf script to reload PF rules on FreeBSD when
generated script is in rc.conf format"
* AddressTableDialog.cpp (browse): see #2140 "Attempting to create
new Address Table file results in read-only error". Implemented
support for the workflow when user wants to create the file used
to feed addresses to the AddressTable object.
* AddressTableEditor.cpp (load): fixes #2139 "Provide "Cancel"
button if Address Table file is read-only". If the file configured
with Address Table object is read-only, the GUI shows warning when
user clicks "Edit" button and offers a choice: open it for viewing
read-only or cancel.
2011-02-23 vadim <>
* AddressTableEditor.cpp (save): fixes #2135 "Editing table
objects". Dialog of the AddressTable object now offers button
"Edit" that lets the user edit address table file. This only
works if the file is located on the same machine where the GUI
is running, so it is probably most useful for compile time
2011-02-22 Vadim Kurland <>
* configlets/linux24/shell_functions: see #2130 "unnecessary
output when iptables script runs on the firewall". Ever since I
switched to using "command" to verify that various system
utilities generated script needs are present and can be used, the
script produced extra lines in the log printing full path and
names to /usr/bin/logger, /sbin/ip etc. These lines are
unnecessary and should not be there. This problem was introduced
some time during the work on 4.2.0
* instOptionsDialog.cpp (instOptionsDialog): fixes #2129
'deprecate "test install" function'. We have decided to deprecate
test install because it is rather heavy-handed on Linux and PIX
where it reboots the firewall and plain does not work on *BSD.
2011-02-21 vadim <>
* PolicyCompiler_ipt.cpp (processNext): fixes #2008 "option
"--physdev-out" is not allowed in OUTPUT chain". After this
change, compiler avoids INPUT/OUTPUT chain if interface in the
rule column "Interface" is a bridge port and firewall is bridging
firewall (which means we are going to use --physdev-in or
--physdev-out option for this rule).
* newFirewallDialog.cpp (monitor): see #2126 Using snmp sysDescr
OID to guess version of the new firewall when it is created using
snmp polling.
* platform/pix.xml: see #1990 "Change default value for Cisco
ASA/PIX 7+ to generate outbound ACLs". Newly created PIX/ASA
firewall objects will now have "generate outbound acl" option
turned on by default.
* newFirewallDialog.cpp (showPage): fixes #1678 "When creating a
firewall from template it appears that a default template is
selected". When user arrives at the page where they choose
template to create new firewall object from, the first template
should be automatically selected.
* AddressRangeDialog.cpp (applyChanges): fixes #1971 "Address
range can be created with end address lower than start address".
Address Range object dialog should not let the user enter range
end address which is lower than range start address. Dialog
behavior is now similar to the behavior of the tcp and udp service
dialog where user can not enter port range end number lower than
port range start number.
* InterfaceData.cpp (guessLabel): fixes #2113 "ASA/PIX SNMP
discovery - assign default labels based on interface description".
Added pattern to match Cisco ASA interface description which is
different from Cisco PIX interface descriptions as returned via
2011-02-20 vadim <>
* BaseCompiler.cpp (getErrorsForRule): fixes #2124 "some error
messages get multiplied when compiler splits rules". Under certain
circumstances error messages could appear multiple times in the
generated script.
* Compiler.cpp (_expand_interface): fixes #1920 "Setting host
interface to unnumbered after it has been assigned IP address
doesn't have desired effect". Compiler still used ip addresses
that belonged to the interface even if it switched to "unnumbered".
These children address objects should be ignored.
2011-02-19 vadim <>
* NATCompiler_pix.cpp (processNext): see #2098 Added support for
user-configurable inbound and outbound interfaces in Cisco PIX/ASA
NAT rules. Two new columns appear in the rule set view: "Inbound
Interface" and "Outbound Interface". If user leaves one or both
columns blank, the GUI shows "Auto" in there and policy compiler
picks corresponding interface automatically. Leaving both columns
blank ("Auto") triggers backwards-compatible automatic behavior
where both interfaces are picked automatically. Multiple interface
objects and groups of interfaces are allowed in these columns.
* ClusterInterfaceWidget.cpp (getInterfaceData): fixes #2117 "CARP
interfaces in cluster that use VLAN interfaces have no interface
set to MASTER". When PF cluster configuration was built using vlan
interfaces of member firewalls, CARP interfaces were not properly
configured with master/slave choice user makes on the first page
of the new cluster wizard.
* configlets/bsd/update_addresses: fixes #2116 "When CARP
interface IP address can't be assigned error or warning should
appear". The problem actually affects any type of interface.
Generated script should abort with an error termination code
when ifconfig fails to assign ip address to an interface.
2011-02-17 vadim <>
* NATCompiler_ipt.cpp (processNext): see #2097 #133 "support for
inbound and outbound interface columns in iptables NAT
rules". This also addresses SF feature requests 1954286 "DNAT with
interface as condition not possible" and 621023 "manipulating
interface in NAT rule".
* platforms.cpp (setDefaultFailoverGroupAttributes): fixes #2101
"CARP interfaces are set with same advskew". When new PF cluster
is created, master advskew parameter will be set to 10 and backup
to 20 to make it deterministic.
* NATCompiler_ipf.cpp (processNext): see #133, fixes #2108 making
nat compiler for ipfilter work with interface column, however the
column is not exposed to the user. Compiler behavior should be
backwards compatible with older versions of fwbuilder.
* NATCompiler_pf.cpp (processNext): see #133. Merged code from the
branch, running tests. Making sure rules that have firewall
object in ODst and interface column blank end up with rdr command
without "on interface" clause as before.
* stopped making builds on Ubuntu Hardy. Old Qt (4.4.1) means more
and more parts of the code do not compile and require workarounds,
sometimes with loss of functionality in the GUI. v4.1.3 will be
the last officially released version of fwbuilder to work on
2011-02-16 vadim <>
* NATCompiler_pf.cpp (compile): fixes #2095 added support for
groups and multiple objects in column "Interface" for PF NAT
rules. These translate into { em0 em1 em2 } groups in generated
pf.conf lines.
* NATCompiler_pf.cpp (compile): fixes #2096 added support for
negation in Interface column for PF NAT rules. Sets of interfaces
are converted to complementary sets using complete list of
interfaces of the firewall.
* carpOptionsDialog.cpp (validate): fixes #2100 carp password
should be optional parameter
* OSConfigurator_bsd_interfaces.cpp (configureInterfaces): make
sure we print "ifconfig" commands for mtu and other parameters for
all interfaces, including those with no ip addresses and bridge
ports (unnumbered interfaces used to be skipped before)
* ObjectTreeView.cpp (startDrag): fixes #2099 "Object list scrolls
up to the last edited object". Object tree used to scroll
spontaneously when user started dragging an object from it to a
* configlets/bsd/update_vlans: see #2105: generated script now
supports vlan interfaces with names that do not match vlan IDs
(OpenBSD, FreeBSD, shell script format).
* OSConfigurator_bsd_interfaces.cpp (sort_interface_names): see
#1807, #2104: arrange interface configuration commands in the
generated script in such order that bridge and carp interfaces
are configured after all other interfaces are done.
* compiler_lib/CompilerDriver.cpp (commonChecks2): see #2103
removed interface name validation check in compilers, this
check will only be done in the GUI. Compiler still verifies
bridge interface configuration and makes sure vlan interfaces
that should also be bridge ports are created as copies.
* InterfaceDialog.cpp (applyChanges): see #2103 "complex
vlan/bridge configurations are not supported by the interface
validation code". Added checkbox to let the user turn off
interface name validation functions in the GUI. Checkbox is
located in the global Preferences dialog, tab Objects, subtab
Interface. For backwards compatibility, the checkbox is turned on
by default. When it is off, the GUI does not validate the name of
interfaces and subinterfaces and turns off checks that enforced
interface name patterns for VLAN, bridge and bonding interfaces.
It also turns off check for the validity of vlan ID derived from
vlan interface name and turns off automatic configuration of
interface type and vlan ID. These checks sometimes were in the way
of building complex configurations that involved multiple vlan
interfaces with names not matching their IDs. This also fixes SF
bug #3066714 "please dont stop me from creating a new interface"
where user wanted to create interface "veth201.0" on Linux but the
GUI blocked this operation because the name seemed to match vlan
interface pattern.
2011-02-15 vadim <>
* ActionsDialog.cpp (setRule): see #1871 "PF Actions Tag and
Classify can be terminating or non-terminating". Added checkbox to
the action properties dialog for actions Tag and Classify for PF
that lets the user choose if these actions should be terminating
or not. Old behavior (Tag was non-terminating and Classify was
terminating) is reflected in default settings of the checkboxes.
Terminating rules generate "pass quick" commands, while
non-terminating rules generate "pass" commands (no "quick" option).
* libfwbuilder/migration/FWObjectDatabase_17.xslt: see #133
Working on adding interfaces to the NAT rule model. There will be
two interfaces per NAT rule: "inbound interface" and "outbound
interface". DTD version changes to "18", old data files need to
be upgraded.
2011-02-14 vadim <>
* OSConfigurator_bsd_interfaces.cpp (configureInterfaces): fixes
#2091 "ethernet interface options are used twice if the interface is
a bridge port". When an interface appeared twice in the firewall
configuration, such as when it is used as a bridge port and
vlan parent interface, options configured for it in its settings
dialog were added twice to the generated configuration.
* OSConfigurator_freebsd.cpp (interfaceConfigLineBridge): fixes
#2092 "option "stp" should be optional in the ifconfig command
that builds bridge interface for FreeBSD". The dialog provides
checkbox "Enable STP", parameter "stp" will be added to the
ifconfig command only when the checkbox is turned on.
* pfAdvancedDialog.cpp (pfAdvancedDialog): fixes #1866 "support
for pf option set state-policy", #1868 "support for pf
option set block-policy", #1869 "support for pf option set debug".
2011-02-13 vadim <>
* configlets/freebsd/carp_interface: see #2074 On FreeBSD ifconfig
does not understand parameter carpdev
* PolicyCompiler_pf.cpp (checkForShadowingPlatformSpecific): see
#1867 "PF: rule with non-terminating action Tag shadows other
rules below it". Since action Tag is non-terminating, rules with
this action should not shadow other rules.
* instConf.cpp (clear): see #2088 "Installer caches putty session".
Need to initialize putty_session properly and clear it in clear().
* snmp.cpp (run_impl): See #2084 "snmp discovery takes forever on
devices with large routing tables". This takes very long time on
devices with large routing tables. This code was implemented long
time ago and apparently routing data was intended to be used to
discover "external" interfaces, but it is unclear if this is still
done. The concept of external/internal currently exists only for
platforms that support security levels (PIX) and there we guess
levels by matching addresses against RFC1918 and let the user
adjust levels manually anyway.
2011-02-12 vadim <>
* ObjectManipulator_tree_ops.cpp (expandOrCollapseCurrentTreeNode):
fixes #1895 "Add context menu option to expand all child nodes in
object tree". Added menu item "Expand" to the context menu
associated with all objects in the object tree. This item recursively
expands all tree nodes under the given object and automatically
changes to "Collapse" if the item is expanded. Also changed behavior
of the double click on the object in tree: before, double click
opened object in the editor and expanded or collapsed subtree. Now
it only opens object in the editor but does not expand/collapse
* fixes #2083 Added new services to the Standard Objects Library:
rtmp, xmpp-client, xmpp-server, nrpe
2011-02-11 vadim <>
* instDialog_ui_ops.cpp (verifyManagementAddress): see #2073 "Add
additional information or workflow when no management interface
configured". The error message shown to the user when no
interface has been marked as "management" is now more verbose and
provides instructions how to do this. Also, if user provided
alternative address to be used to communicate with the firewall,
the check for the management interface is not performed since it
is not needed.
* configlets/bsd/update_carp: see #2078 added verbose error
message in a situation when "ifconfig carp0 create" command fails
to create CARP interface.
* OSConfigurator_bsd_interfaces.cpp (interfaceIfconfigLine): fixes
#2058 "Ability to configure mtu and metric of regular interfaces".
"Advanced settings" dialog of the interface object provides
controls to configure MTU and possibly add any additional ifconfig
parameters. This is available for OpenBSD and FreeBSD.
2011-02-10 vadim <>
* NamedObjectsManagerPIX.cpp (getClearCommands): fixes #2060
"Existing configuration objects are not cleared in PIX 6.3".
Commands used to clear object groups and objects have different
syntax in PIX 6.3 and PIX 7 and later.
* linux24/check_utilities: fixes #1999 "log() does not work" Using
built-in utility "command" to verify that all the tools generated
script needs to function properly are available and can be
accessed either via direct full path or are in the PATH
variable. This includes the check for the logger tool that is used
to make log record when firewall is activated.
* OSConfigurator_freebsd.cpp (interfaceConfigLineVlan): fixes #2071
"vlandev missing in the vlan definition (when using rc.conf.local )"
* NATCompiler_ipt.cpp (getAddressTableVarName): fixed SF bug
#3102044 "Colon in (runtime) Address Table name". Variable used to
process addresses in the run-time address table should not use
character ":" even if it appears in the Address Table object name.
* instDialog_ui_ops.cpp (summary): fixed SF bug 3169045: "Batch
installer lists IPv4 address as management address". The "summary"
display in the installer progress log output will now show putty
session name if it is used instead of the management address.
* NATCompiler_pf.cpp (processNext): fixes #2069 "PF: allow
multiple objects in ODst of redirecting nat rule". This fixes SF
bug 3162862 "NAT - more than one object in original destination"
* newFirewallDialog_from_template.cpp (replaceReferencesToNetworks):
fixes #1979 "New firewall created with Cisco c36xx template
results in network object in interface column in Policy"
* ObjectManipulator_tree_ops.cpp (getTreeLabel): fixes #2067 "Add
way to show interface label in object tree". The tree now shows
interface name and label if the label is not empty.
* configlets/bsd/update_vlans: fixes #2066 "Existing VLAN
interfaces are not properly removed from FreeBSD and install
script fails"
2011-02-09 Vadim Kurland <>
* RuleSetView.cpp (showToolTip): fixes #1915 "tooltip shown when
mouse is over rule number should be added to the list of
suppressed tooltips when 'Advanced user mode' is in effect"
* platforms.cpp (setDefaultFailoverGroupAttributes): fixes #2064
"CARP interfaces are not properly installed on FreeBSD cluster".
I need to populate failover group objects with some reasonable
defaults when they are created.
* configlets/freebsd/installer_commands_root: fixes #2065
"activation commands on FreeBSD and OpenBSD lose script exit
status". Sequence of commands ran by the built-in installer on
*BSD firewalls were losing exit status of the script which meant
installer always declared installation a "success" even when
there were errors.
2011-02-08 vadim <>
* SSHUnx.cpp (SSHUnx): fixes #2061 "Installer shows success for
failed install on FreeBSD due to corrupt script file". Added
bunch of common shell error messages to make sure installer
recognizes them and marks install as a failure even if ssh fails
to pass termination code.
* instDialog.cpp (showPage): fixes #2037 "If there is an error
when compiling firewall then installer should be
aborted". Compile/install wizard should disable "Next" button
after compile phase is done if all firewalls failed to compile
with no errors.
* configlets/bsd/update_bridge: fixes #2042 "add configlet and
shell functions to manage bridge interfaces via shell script on
OpenBSD and FreeBSD". Bridge interfaces are managed incrementally,
that is, the script creates and destroys them as needed, then adds
or removes bridge ports, to bring bridge configuration in sync
with what is defined in fwbuilder GUI.
* CompilerDriver_pf_run.cpp (run): fixes #2054 "Add support for
load anchor PF command". Instead of loading anchors using "pfctl
-a anchor -f file" command in the .fw initialization script, now
generated PF configuration uses "load anchor" commands in the
pf.conf file. This way, we can load anchors correctly when PF
configuration is activated from the generated rc.conf.local file
where only one pf.conf file can be referenced.
2011-02-07 Vadim Kurland <>
* CompilerDriver_pix_run.cpp (run): fixes #2055 "Compiler shows
success, but there was a fatal error in the config". The bug has
been introduced recently (in 4.2.0) and really affected all
* AddressTableDialog.cpp (browse): fixes #1914 "Address table
object file name is not created properly if user clicks outside
Editor panel"
2011-02-06 vadim <>
* SSHUnx.cpp (SSHUnx): fixes #2049 "Installer reports success even
if there was an error while creating static routes". Added our own
error message generated when command used to add static route
fails to the list of error messages recognized by the installer.
* OSConfigurator_freebsd.cpp (updateBridgeOfInterface): see #1889, #2043
Added support for bridge interface configuration in BSD.
2011-02-05 vadim <>
* SSHUnx.cpp (SSHUnx): see #2039 "Installer reports success even
if pfctl can't load config file". Added more pfctl error messages
to the list to make code more robust.
* CompilerDriver_pf.cpp (printStaticOptions): fixes #2038 "pfctl
error when firewall settings include scrub option for reassembly".
Command "scrub all reassemble tcp" does not allow direction.
Tested and verified on OpenBSD 4.2 and FreeBSD 8.1
2011-02-04 vadim <>
* freebsdInterfaces.cpp (manageIpAddresses): fixes #2032 "support
for DHCP interfaces in rc.conf mode". Include dynamic interfaces
in the list of interfaces generated script manages when the
script is in rc.conf format. This adds lines similar to
2011-02-03 vadim <>
* RoutingCompiler_freebsd_writers.cpp (RoutingRuleToString): fixes
#2026 Compiler can now generate static routing configuration
in rc.conf format for FreeBSD.
* pfAdvancedDialog.cpp (pfAdvancedDialog): fixes #2021 "since
rc.conf format is only supported for FreeBSD, the option in the
dialog should not be available for other OS"
2011-02-02 vadim <>
* OSConfigurator_freebsd.cpp: see #1888 "Add option to generate
rc.conf.local file for BSD systems". Added ability to generate
initialization script in rc.conf format for FreeBSD. Only FreeBSD
is currently supported (not OpenBSD). Generated script includes
variables to configure interfaces and their ipv4 and ipv6
addresses, vlans, CARP and pfsync interfaces, as well as variables
that initialize PF.
2011-02-01 vadim <>
* CompilerDriver_files.cpp (determineOutputFileNames): See #2015
"Add support for setting names of generated .fw and .conf files
separately for PF". Added second input field in the "advanced
settings" dialog, tab "Compiler" for the firewall platform "PF".
Now user can set the name for both the generated .fw
initialization script and .conf PF configuration file, as well as
names for both files on the firewall. Support for this is generic
and the same functions work for other platforms if corresponding
input field in the dialog exists. The name of the initialization
script is set as follows: 1) if user provided -o command line
switch to the compiler, its argument is used. 2) if -o switch was
not present but the name was configured in the firewall settings
dialog, it is used. 3) if none of them were present, the name is
constructed from the name of the firewall object with suffix .fw.
The name of the .conf PF configuration file is taken from the
settings dialog, but if it is blank, then it is constructed from
the name of the initialization script but with suffix .conf.
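The name-resolution order described for #2015 above, as an added example (not fwbuilder's own code): the parameters stand in for the -o switch, the two "advanced settings" input fields and the firewall object name, and the way a suffix other than .fw is replaced is an assumption of this example.

```python
import os.path


def script_name(fw_name, settings_name=None, cmdline_output=None):
    """Name of the generated initialization script (.fw).
    1. the argument of the compiler's -o switch, if one was given;
    2. else the name configured in the firewall settings dialog;
    3. else the firewall object name with suffix .fw appended."""
    if cmdline_output:
        return cmdline_output
    if settings_name:
        return settings_name
    return fw_name + ".fw"


def conf_name(script, settings_conf=None):
    """Name of the PF configuration file (.conf): the settings-dialog value
    if it is not blank, otherwise the script name with its suffix replaced
    by .conf (replacing any suffix, not only .fw, is assumed here)."""
    if settings_conf:
        return settings_conf
    base, _ = os.path.splitext(script)
    return base + ".conf"


def output_names(fw_name, settings_fw=None, settings_conf=None,
                 cmdline_output=None):
    """Resolve both file names for one compiler run."""
    script = script_name(fw_name, settings_fw, cmdline_output)
    return script, conf_name(script, settings_conf)
```

Note that the -o argument wins even when a name is configured in the dialog, and that a configured .conf name is used as-is regardless of how the script name was chosen.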
2011-01-31 Vadim Kurland <>
* RoutingCompiler_bsd_writers.cpp (_printAddr): see #1890 "Add
support for configuring static routes on BSD". Implemented support
for simple static routing rules. ECMP and routing via interface
(routing to directly reachable subnets) are not
supported. Generated script preserves static routing entries that
existed before and attempts to recover in case of error. Needs
2011-01-30 vadim <>
* FWWindow_editor.cpp (clearEditorAndSearchPanels): see #2006
"Crash when closing editor panel with find-and-replace". The GUI
crashed if user tried to close editor panel at the bottom after
closing objects+rules panel and while some object was still
displayed in the editor.
2011-01-28 vadim <>
* newFirewallDialog.cpp (fillInterfaceNZList): fixes #2000 "New
dialog window in New Firewall wizard for ASA / PIX - Network Zone
explanation". Added page to the new firewall wizard to let the
user configure network zones of interfaces when chosen firewall
platform supports network zones (only PIX/ASA right now).
* newFirewallDialog.cpp (fillInterfaceSLList): fixes #1983 "ASA
multiple interfaces have the same security level". Using table
widget with spin-boxes to let the user edit security levels of
interfaces conveniently.
2011-01-27 vadim <>
* ProjectPanel.cpp (closeEvent): fixes #1998 "Crash after running
find-and-replace then closing file". Specific sequence of actions
and only on Mac OSX caused GUI to crash. To fix, I clear editor
panel when user closes project window using MDI window title menu
item "Close" or "Close" button.
* ProjectPanel.cpp (registerModifiedObject): see #1996 "Crash when
finding and replacing a large number of objects". When "find and
replace" function was used to replace large number of objects in a
rule set, it generated stream of calls to
updateLastModifiedTimestampForAllFirewalls() which caused
corresponding stream of events to update various parts of the GUI,
both in the tree and rule set views. This caused weird corruption
and crash on Windows. Trying to resolve the issue by optimizing
the part that updated "last modified" timestamp on the firewall
since all parts of the rule set updated in one call to "find and
replace" function belong to the same firewall.
* IOSImporterRun.cpp (run): see #1931 "Update failed import
behavior". Added meaningful error messages for when policy
importer fails to create firewall object or does not create
interface objects or any rules.
* Rule.cpp (removeRef): fixes #1997 "add removeRef and addRef
methods to class NATRule". Now undo and redo correctly remove and
restore references to NAT rule sets in NAT rules with action
* Rule.cpp (addRef): fixes #1991 "Undo does not restore object as
a parameter of policy rule action Branch or Tag after it was
deleted". Now Undo restores references to rule sets and tag
services as arguments of corresponding policy rules, as well as
references to objects configured as interface network zones.
* Interface.cpp (removeRef): fixes #1987 "Deleting object that is
used as Network Zone for ASA/PIX interface results in inconsistent
behavior". When an object that is used as a network zone of an
interface is deleted, it should be removed from the interface
configuration as well.
* Cluster.cpp (init): fixes #1995 "Crash when compiling a cluster
with identical firewalls". Method Cluster::init() must call base
class method Firewall::init() to get child Policy, NAT and Routing
objects created.
* CompilerDriver_pix_run.cpp (run): fixes #1994 "Crash when
compiling a firewall in an imported Library". Compilers should
reset any read-only flags in the copy of object tree they work
with before they make any modifications.
2011-01-26 vadim <>
* ProjectPanel_events.cpp (event): see #1994 "Crash when compiling
a firewall in an imported Library". To prevent crash, added check
to make sure firewall object is not read-only before an attempt to
update its "last compiled" or "last installed" timestamp.
* ProjectPanel_file_ops.cpp (fileExport): fixes #1993 "V4.2 on
Windows - export Library shows the file type as Firewall Builder
* FWBSettings.h (SETTINGS_PATH_PREFIX): fixes #1992 " V4.2 on
Windows - installer error can't find Secure Shell utility"
* init.cpp (init): fixed #1989 "variables respath and librespath
are redundant and copy Constants::getTemplateDirectory()". Got rid
of global variables sysfname, tempfname, librespath, respath and
localepath; will now use class Constants to keep this information.
2011-01-25 vadim <>
* src/fwbuilder/ fixes #1937 "RES_DIR
macro is defined twice". Got rid of duplicate definition of this
* FWObject.cpp (updateNonStandardObjectReferences): see #1985
added virtual function updateNonStandardObjectReferences() that is
supposed to update any references to objects stored as attributes.
* ACL.cpp (trimLine): fixes #1986 "Cisco ASA remarks should be
truncated to 100 characters or less". Trimming all lines used for
access list remarks to <100 characters. Remarks can only be less
than 101 characters on PIX/ASA and less than 100 characters on
2011-01-24 Vadim Kurland <>
* PolicyCompiler.cpp (addMgmtRule): fixes #1966 "IOSACL:
object-group can get name that consists of only suffix". Compiler
generated object-group statements with names such as ""
in some cases.
* ObjectIconView.cpp (dragEnterEvent): see #1980 "Objects from
Deleted Objects should not be allowed to be used in rules". Added
checks to not allow drag&drop of an object from Deleted Objects
library into rules and groups.
* NamedObject.cpp (createServiceObjectCommand): See #1958
"consistently use "exit" to get out of nested context in pix
config". Using "exit" to exit from nested context while adding
network or service object in generated PIX/ASA configuration.
* PolicyCompiler_pix.cpp (compile): see #1970 "ASA Policy - single
IPv6 icmp object allowed in rules". Since we do not support ipv6
for PIX/ASA at this time, policy compiler should drop the rule
if ipv6 address or icmpv6 service is used and issue a warning.
* PolicyCompiler_pix_v6_acls.cpp (processNext): see #1981 "ASA /
FWSM Policy - Generate warning message if rule will not generate
config data"
2011-01-22 vadim <>
* ObjectManipulator.cpp (contextMenuRequested): context menu item
that opens object in the editor should be named "Inspect" when the
object is read-only because the editor would not allow the user to
change it.
* ObjectManipulator.cpp (contextMenuRequested): fixed #1926
"Crash when moving object in Standard library". Context menu
item "Move" should be disabled when the object is located in
the read-only library.
* GroupObjectDialog.cpp (setupPopupMenu): see #1976 "Crash when
deleting firewall object from rule after export / import library"
Crash occurred as the result of the following sequence of actions
in the GUI: 1) use context menu item "Cut" to delete an object in
the tree, 2) open object group or rule and use context menu item
"Paste" to add it, 3) export library to an external file, 4)
import this library into different data file, 5) save the data
file. Saved data file is invalid XML since it has unsatisfied
reference and some operations on it cause crash. The problem is
that since it is a reference to the object that is being added in
case of both groups and rules, we end up with a group or rule with
a reference to an object that is located in Deleted Objects
library. Deleted Objects library is not included when a library
file is merged into data file and this leads to a dangling
reference. The fix is to not allow Paste if object in the
clipboard has been deleted.
* NamedObjectsAndGroupsSupport.cpp (saveObjectGroups): see #1968,
#1972 Class NamedObjectsManager maintains its own copy of object
tree that holds object group objects it creates during compiler
passes. This allows me to maintain one common set of object groups
for both policy and nat compilers and avoid creating duplicate and
redundant object-group statements.
* NamedObjectsManagerPIX.cpp (getClearCommands): see #1968, #1972
class NamedObjectsManager (and derived classes for IOS and PIX)
generate "clear" commands. This way, I can generate correct set
of "clear" commands that take into account any named objects and
object-groups that could be created during both policy and nat
compiler passes.
2011-01-21 vadim <>
* FWObject.cpp (init): see #1972 Separated object creation and
initialization. Some complex objects need to create a set of
standard child objects. Previously this was done in a special type
of constructor which required pointer to the object tree root
(FWObjectDatabase*). This created problems with implementation
of the method to register functions that create objects of new
types outside of the API. Now all objects have just a basic set
of constructors, plus method init() that can initialize them.
* FWObjectDatabase_create_object.cpp (registerObjectType): see
#1972 implemented mechanism that allows me to register new object
types created and used outside of libfwbuilder API. This means
FWObjectDatabase can then copy and manipulate object trees that
use these new object types.
2011-01-20 vadim <>
* NamedObjectsAndGroupsSupport.cpp (getNamedObjectsDefinitions):
see #1963 "move printing of object-group definitions to
NamedObjectManager::getNamedObjectsDefinitions()". Consolidated
code that works with named objects and object groups in the class
NamedObjectManager. This class manages all the objects and in the
end generates commands.
* PolicyCompiler_cisco (printClearCommands): Refactored parts that
generate "clear" commands to make sure they are printed in the
right order at the top of the generated configuration. Previously
compiler placed "clear global", "clear static" and "clear nat"
commands above the NAT section but below policy section. Since
ASA8.3 nat commands can use named objects and object groups, and
since I have added support for object groups in ASA 8.3 policy
rules, I now need to clear objects and object groups at the very
beginning of the generated config. However in order to be able to
clear objects and object-groups, I need to clear access-lists and
nat commands that might be using them first. So, all clear
commands are now grouped at the beginning of the generated
configuration. This affects pix/asa, iosacl and procurve_acl
* NamedObjectsAndGroupsSupport.cpp (printObjectsForRE): See #1959
"ASA Policy - ranges are broken into composite network instead of
using range command". I have to create named objects for address
ranges and put them into an object-group, which I can then use in
access-list commands.
* PolicyCompiler_pix.cpp (compile): See #1965 "ASA Policy - PIX
6.1 configurations use object groups". Policy compiler for PIX is
now aware that object-group statement was introduced in PIX v6.2
and avoids using object-groups when firewall object version is set
to 6.1
* NamedObjectsAndGroupsSupport.cpp (processNext): made names
automatically assigned to object-groups in generated PIX
configuration shorter by removing interface label prefix.
2011-01-19 vadim <>
* PolicyCompiler_pix.cpp (compile): See #1959 "ASA Policy - ranges
are broken into composite network instead of using range command."
Added support for address ranges using named network object with
parameter "range" for ASA 8.3 and later. NOTE: if a network or ip
address object is used in a nat rule for ASA 8.3, a named object
has to be created for it since ASA 8.3 does not accept ip
addresses or subnets in "nat" commands. In the situation like
this, if the same address or network object is used in any Policy
rule, the same named object will be used in the generated
access-lists command.
* NamedObjectsAndGroupsSupport.cpp (getNamedObjectsDefinitions):
see #1959 Moved generation of the code that defines named objects
to class NamedObjectManager. This allows me to put all named
object commands on top of the generated policy, nat and routing
configurations and make sure each object is defined only once.
Still need to do #1963 - move code that generates commands to
define object-groups to class NamedObjectManager.
* NATCompiler_asa8.cpp (processNext): see #1954 "ASA NAT -
generate warning if nat rule is split and one of the resulting nat
rules have the same real interface and mapped interface". Compiler
issues warning when objects used in OSrc and TSrc of a NAT rule
make it use the same interface as both real and mapped interface
in the generated nat command. This check is only done for ASA 8.3
NAT rules.
2011-01-19 Vadim Kurland <>
* NamedObject.cpp (sanitizeObjectName): see #1953 "ASA NAT - two
host objects in the same rule result in incorrect config". We now
register and keep track of all named objects to make sure their
names are unique.
* newHostDialog.cpp (finishClicked): see #1953 "ASA NAT - two host
objects in the same rule result in incorrect config". Objects that
represent addresses of interfaces of a host object created using
template will be automatically renamed to follow standard naming
convention "host_name:interface_name:ip" to avoid creating
duplicate names.
* PolicyCompiler_pix_writers.cpp: see #1960 add support for
CustomService for PIX policy rules. Note that CustomService
objects are only supported in Policy rules since nat commands in
ASA 8.3 require use of named objects and it is difficult to
implement correct named objects and object-groups with protocol
parameter and custom services.
2011-01-18 Vadim Kurland <>
* PIXObjectGroup.cpp: ASA 8.3 see #1942, #1943 fixed generation of
the "object-group" statements by adding protocol keyword at the
end so that the group can be used in access-list commands. It
looks like mixed service groups that have no protocol keyword at
the end of the line that defines them cause error "specified
object group <foo> has wrong type; expecting service type". I am
going to avoid using mixed service groups because of this.
2011-01-17 vadim <>
* ASA8TwiceNatLogic.cpp (getAutomaticType): fixes #1916 "nat rule
must be "static" when subnet is present in TSrc"
* ServiceRuleProcessors.cpp (condition): see #1942 improved
support for CustomService objects for ASA 8.3. Generate separate
named object and object-group for these objects, then split policy
and nat rules so that only one custom service object is left in
each rule and then use object-group to match it. Note: this has
been rolled back. There is no support for CustomService objects in
NAT rules.
* PolicyCompiler_pix.cpp (processNext): fixes #1948 "incorrect
configuration created when a CustomService object is used in a
policy rule for PIX/ASA v<8.3". Since we do not support custom
service objects in policy and nat rules for versions older than
8.3, added check to generate fatal error when such object is used.
* NamedObjectsAndGroupsSupport.cpp (init): fixes #1945
"object-group names include ever-growing suffix". Object-groups
created by the compiler for PIX/ASA had numerical suffix that was
constantly increasing when user used single-rule compile function
in the GUI.
* PolicyCompiler_pix.cpp (compile): fixed #1944 "ASA Policy -
duplicate network object groups created for mixed service group
with TCP dst and TCP src port range objects". Need to convert
address range objects to subnets early, before the rule is split
for any reason, to make sure object groups created later match
and are reused.
* NamedObjectsAndGroupsSupport.cpp (processNext): See #1943 "ASA
Policy - mixed service group with TCP destination port range and
standard TCP object generates invalid config". Protocol word "tcp"
was missing after "deny" in the generated rule.
* NATCompiler_asa8.h (fwcompiler): see #1949 "ASA NAT - split
objects if OSrc contains objects that are in more than one network
2011-01-16 vadim <>
* NamedObjectsAndGroupsSupport.cpp (processNext): Added support for
CustomService objects in policy and nat rules for asa 8.3 using
named objects and object-groups.
-- see #1942 "ASA NAT - if custom service is included in service
group incorrect config generated"
-- see #1929 "move map named_objects inside class NamedObjectManager"
-- see #1946 "restrict generation of the named objects by
PolicyCompiler_pix to ASA 8"
-- see #1885 "named network and service objects in pix8"
Note: this has been rolled back. There is no support for
CustomService objects in NAT rules.
* NATCompiler_pix.cpp (processNext): see #1941 "ASA NAT - compiler
complains about range in original destination". NAT rules
translating destination allow Address Range objects in ODst or TDst
for ASA 8.3
* NamedObject.cpp (NamedObject): see #1940 "ASA NAT - fwbuilder
host objects interface ip is reserved keyword". Added list of
reserved words used in IOS and ASA software to make sure generated
named objects do not conflict. Will maintain single super-set
of reserved words instead of separate set for each version of IOS
and ASA.
* PolicyCompiler_pix.cpp (compile): fixed #1938 "icmp" commands
were not generated for ASA 8.x policy rules.
* NATCompiler_asa8.cpp (processNext): See #1927. Added check for
NAT rules that request translation of destination address but have
ODst "any". This only applies to ASA 8.3; these rules are
2011-01-14 vadim <>
* NATCompiler_asa8_writers.cpp (printSDNAT): fixes #1932 "Add
description field to generated NAT rules for ASA". NAT rules
generated for ASA 8.3 and later will have "description" keyword
added, with rule label as an argument. Rule label includes
word "NAT" and rule number.
* libfwbuilder/src/fwbuilder/InetAddrMask.cpp (getOverlap): fixes
#1934 "libfwbuilder::getOverlap() incorrectly calculates overlap
between ipv4 networks". This should also fix SF bug 3156376 "Can
not find interface with network zone that includes address range".
2011-01-13 vadim <>
* NATCompiler_asa8.cpp (compile): refs #1928 "Support for
object-group in OSrc". Implemented support for object-group
and named objects for Osrc and ODst in ASA 8.3 NAT rules.
* PolicyCompiler_cisco.cpp (removeRedundantAddresses): fixed #1917
"Duplicate objects are not detected". Compiler should detect
duplicate objects that may be created in a rule element when user
combines Address Table object with other address or network
objects there.
* ASA8ObjectGroup.cpp (toString): refs #1885 Compiler uses named
objects and objects groups to build configurations that use
address ranges in TSrc in NAT rules. (only ASA 8.3 and later)
2011-01-12 Vadim Kurland <>
* NATCompiler_asa8_writers.cpp (printSDNAT): refs #1907 "ASA NAT -
fwbuilder doesn't support multiple translated sources in a single
NAT rule". Compiler uses object-group to translate NAT rules that
have multiple objects in Translated Source.
* PolicyCompiler_pix_writers.cpp (_printLog): fixed #1913 "ASA/PIX
rules with logging enabled don't have log set unless user modifies
Firewall Settings". Added default log level setting to the
resource xml file for platform "pix", set to "informational". ACL
lines now get "log " keyword followed by the log level taken from
the rule options, or if that was not configured, from the
firewall object settings, or if that is not configured, the
2011-01-11 vadim <>
* NATCompiler_asa8_writers.cpp (printSDNAT): refs #1908 "ASA NAT -
cannot configure static NAT translations with (inside,outside)".
Added NAT rule option to make source nat rules "static". The
option is presented to the user as three radio buttons in the NAT
rule options dialog which is only enabled when platform is "pix"
and version >= 8.3. Policy compiler generates "twice nat" rules
with keyword "static" in the following cases: when TSrc is
"original", so the rule translates destination and not source or
when numbers of ip addresses represented by OSrc and TSrc are
equal. If TSrc is not "original" and represents different number
of ip addresses than OSrc, compiler looks at the new rule
option. User can use or override automatic algorithm using radio
buttons in the NAT rule options dialog.
* NATCompiler_asa8_writers.cpp (printSDNAT): refs #1902 "Add NAT
rule option "translate dns" for PIX". The option is only available
for ASA 8.3 or later.
* NATCompiler_asa8_writers.cpp (printSDNAT): fixed #1909 "ASA NAT
- static nat port translation where service is the same for
original service and translated service not generated correctly"
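The static/dynamic decision described for #1908 above, as an added example (not fwbuilder's own code). Address counts are computed with the standard ipaddress module; the option names "auto", "static" and "dynamic" for the three radio buttons, the use of the string "original" for an untranslated source, and the rendered nat line (source-translation form only, with the "description" keyword) are assumptions of this example. The same-interface warning corresponds to #1954.

```python
import ipaddress

ORIGINAL = "original"                    # TSrc "original": source not translated
OPTIONS = ("auto", "static", "dynamic")  # assumed names for the three radio buttons


def address_count(elements):
    """Number of IP addresses represented by a list of host or CIDR strings."""
    return sum(ipaddress.ip_network(e, strict=False).num_addresses
               for e in elements)


def nat_mode(osrc, tsrc, user_option="auto"):
    """Return "static" or "dynamic" for an ASA 8.3 twice-nat rule.

    1. TSrc is "original": the rule translates destination only -> static.
    2. OSrc and TSrc cover the same number of addresses -> static (1:1 map).
    3. Counts differ (many-to-few): defer to the rule option; "auto" means
       dynamic, while "static" or "dynamic" override the automatic choice.
    """
    if user_option not in OPTIONS:
        raise ValueError("unknown NAT option: %r" % (user_option,))
    if tsrc == ORIGINAL:
        return "static"
    if address_count(osrc) == address_count(tsrc):
        return "static"
    return "dynamic" if user_option == "auto" else user_option


def nat_command(real_if, mapped_if, real_obj, osrc, mapped_obj, tsrc,
                user_option="auto", rule_no=1):
    """Render a source-translation nat line and collect warnings.

    real_obj/mapped_obj are the ASA named objects (or object-groups) that
    stand for osrc/tsrc, since ASA 8.3 rejects bare addresses in "nat".
    Only the source-translation form is rendered by this example."""
    if tsrc == ORIGINAL:
        raise ValueError("destination-only rules are not rendered here")
    warnings = []
    if real_if == mapped_if:  # the situation #1954 warns about
        warnings.append("NAT %d: real and mapped interface are both %s"
                        % (rule_no, real_if))
    cmd = "nat (%s,%s) source %s %s %s description NAT %d" % (
        real_if, mapped_if, nat_mode(osrc, tsrc, user_option),
        real_obj, mapped_obj, rule_no)
    return cmd, warnings
```

A /24 mapped to a /24 comes out static without consulting the option; a /24 mapped to a single address is dynamic unless the user forced "static".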
2011-01-10 vadim <>
* PolicyCompiler_pix.cpp (compile): fixed #1862 "fwb_pix crash".
Compiler fwb_pix crashed when DNSName run-time object was used in
a rule, but worked fine and issued an error when used in
single-rule compile mode.
* Helper.cpp (findInterfaceByNetzone): fixed #1906 "ASA NAT -
Address objects are not properly identified by network zone and
have the wrong real interface". The problem should have affected
both "old" (PIX 6 and 7) and "new" (ASA 8.3) configuration. When
an Address object was used in Original Source of a NAT rule,
compiler used wrong interface in the (interface1,interface2) pair
in "nat" command.
* CompilerDriver_pix_run.cpp (run): fixed #1905 "fwbuilder crash
when compiling a rule with hosts folder as destination". Compiler
issues a warning when an empty group object is used in a rule, but
GUI crashed when user tried to compile this rule using single-rule
compile function. The change actually affects all policy compilers
and makes sure the GUI catches exception and does not crash, and
prints any errors generated by the compiler in the compiler output
panel when single-rule compile function is used.
* CompilerDriver_ipt.cpp (findBranchesInMangleTable): fixed #1879
"gui crash". Both GUI and fwb_ipt crashed trying to compile a rule
with action Branch that was not configured to point to any rule
2011-01-07 vadim <>
* NATCompiler_pix.cpp (NATCompiler_pix): fixes #1901 "add
destructor to NATCompiler_pix and NATCompiler_asa8". This
eliminates memory leak.
* ASA8Object.cpp (ASA8Object): refs #1885 "named network and
service objects in pix8". So far, these objects are only used
for nat configuration.
* NATCompiler_asa8_writers.cpp (processNext): fixes #1903 "correct
order of clear commands for ASA 8.3"
* NATCompiler_asa8_writers.cpp (printSDNAT): refs #1886 "new nat
configuration in pix 8.3". Initial support for new style nat
2011-01-04 vadim <>
* platform/fwsm.xml: FWSM v4.x does not have "fixup" command, instead,
we should use policy-map and class commands.
* OSConfigurator_pix_os_inspectors_pix8.cpp (_printPolicyMapTypeInspect):
refs #1893 fixes #1883 "inspect ip options in pix8". Added support for
"policy-map type inspect ip-options" command in PIX v8.2 and later.
At this time, of all possible types of "policy-map type inspect"
command only "ip-options" is implemented.
* PIX8ObjectGroup.cpp (toString): refs #1882 "Mixed service groups
in PIX8". Added pix versions 8.0 and 8.3; added support for mixed
service groups in pix 8.0 and later.
* PolicyCompiler_srvre_functions.cpp (processNext): fixed #1892
"move rule processor class separateServiceObject to
PolicyCompiler". This rule processor used to be implemented only
in the compiler for PF, but since it has very general meaning, the
same function was duplicated in other compilers as well. Moved the
class to libfwbuilder and reimplemented several other rule
processors to inherit from this class to avoid further duplication
of code.
* PolicyCompiler_pix.cpp (compile): fixed #1891 "problems with TCP
and UDP services with source ports". Policy compiler for PIX did not
generate correct PIX ACL lines when one Policy rule tried to match
several TCP and/or UDP objects matching source ports.
2010-12-29 vadim <>
* VERSION (VERSION): started 4.2.0
This version is the first one to merge libfwbuilder and fwbuilder
packages. Libfwbuilder is now in the src/libfwbuilder subtree inside
fwbuilder code tree.
RPM .spec files and DEB .control files are now located in the packaging
directory inside fwbuilder code tree.
Changes in the versioning format: I am going to use build number
as a "nano" version number, composing complete version as
"". The "-N" suffix in rpm and deb package names will
be used for package release number and most of the time will be
"-1". This suffix should reflect minor differences in the package
that do not affect code at all.
2010-12-16 Vadim Kurland <>
* ActionsDialog.cpp (fillInterfaces): fixed #1872: "vlan interface
does not appear in the list of interfaces for route-to action for
2010-12-12 Vadim Kurland <>
* VERSION (FWB_MICRO_VERSION): started 4.1.4
2010-12-05 Mike Horn <>
* minor updates to main help dialog text to fix broken/outdated
2010-12-02 Vadim Kurland <>
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::getInterfaceVarName):
fixed #1856 "Pemit '-' in Linux interface names". OpenWRT uses
name "ppp-dsl" for PPPoE interfaces. In addition to that, Linux
bridge interfaces may have names with a "-" such as
"br-lan". We will now permit a "-" in Linux interface names.
* FWWIndow.cpp: Fixes #1858 'Remove "Summary of features" page
from the package' and #1857 'Remove "Getting Started" guide from
the package'. We have decided to keep documentation and other
content like this on the web site. Button "Watch Getting Started
Tutorial" in the Tip of the Day dialog opens tutorial hosted on
the web site in a web browser.
2010-11-16 Vadim Kurland <>
* check_utilities: fixed #1851 "no need to check for modprobe when
host OS is "dd-wrt" and possibly other embedded Linux
systems". Generated script does not use modprobe utility when host
OS is set to "DD-WRT" or "OpenWRT" and should not try to find this
utility on the system. This is also related to the SourceForge bug
2010-11-16 Vadim Kurland <>
* newclusterdialog_q.ui: fixed #1848 Text formatting clean up -
New cluster wizard dialog
2010-11-15 Vadim Kurland <>
* InetAddr.cpp (InetAddr::opGT): (change in libfwbuilder) added
module uint128 (128-bit arithmetics by Evan Teran). Implemented
basic operations with ipv6 addresses using this module. See #1834.
Now all policy compilers can correctly compare ipv6 addresses used
in rules with ipv6 addresses of interfaces. This helps perform
various optimizations and fixes issues with the algorithm used to
pick the right interface for the Cisco IOS ACL compiled from a
policy rule with an empty "interface" rule element and direction
2010-11-11 Vadim Kurland <>
* newClusterDialog_create.cpp (copyRuleSets): Fixed SF bug
#3106168 "Branch destinations lost when adding to cluster". Since
the order in which I copy rule sets is undefined and because they
may have references to each other via branching rules, I need to
fix references after I create all of them.
* configlets/linux24/load_modules: fixed #1844 "generated script
fails if module nf_conntrack_ipv6 does not exist". Generated
script tries to load module nf_conntrack_ipv6 if user defined
any ipv6 rules, however the script should not fail if the module
is not installed.
* src/gui/ (LIBS): fixed #1840: fixed build on Mandriva
2010, all static libraries should go first on the linker command
2010-11-10 Vadim Kurland <>
* NATCompiler_ipt.cpp (processNext): fixed SF bug 3103582 "Cant
create redirect rule in cluster firewall object". Iptables nat
rule with target REDIRECT could not be built in a cluster
configuration. It should be possible to do this by putting cluster
object in Translated Destination.
* OSConfigurator_linux24_interfaces.cpp (printDynamicAddressesConfigurationCommands):
fixed #1838 "function configure_interfaces() does not manage ip
addresses of vlan interfaces". This function used to take into
account only interfaces that were direct children objects of the
firewall. Since vlan interfaces are children of the corresponding
physical interface, they were not included.
* FirewallInstaller.cpp (getGeneratedFileFullPath): fixed #1837
"generated script gets .fw suffix even when user set output file
name". Suffix .fw should not be appended to the name entered by
the user in the "output file name" input field in the firewall
settings dialog.
* PolicyCompiler_ipfw_writers.cpp (processNext): fixed #1836
"installer hangs and fails after activation of ipfw policy". As
soon as .fw script swapped ipfw sets using command "ipfw swap" and
deleted temporary set 1, ssh session would hang and eventually
break. We optionally add ipfw rules to permit ssh session used to
manage the firewall, as well as a rule to permit reply packets but
the latter rule was not built correctly. It should match source
and destination reversed, as well as match keyword "established"
and recreate state with "keep-state". This rule automatically
recreates state for the established ssh session over which
firewall policy is being managed. Also added a comment to the
firewall settings dialog for ipfw to remind the user that address
or subnet they use with this automatic rule should be as narrow as
* instOptionsDialog.cpp (instOptionsDialog): see #1832 if user
wants to use putty session, show session name instead of the ip
address in the "Address that will be used to communicate with the
firewall" input field in the installer options dialog.
2010-11-09 Vadim Kurland <>
* Helper.cpp (Helper::findInterfaceByAddress): see #1834 Fixed
matching algorithm that determines which interface a rule should be
associated with for Cisco IOS ACLs. Previously compiler did not
compare subnets properly and because of that it interpreted some
configurations incorrectly. For example in the case with a network
object in "source" and an interface with address (network should not be considered matching) compiler
considered this interface matching and assigned the rule to the
interface only with direction "inbound".
* FirewallInstaller.cpp (FirewallInstaller::packSCPArgs): see #1832
pscp.exe supports putty session in place of the target name but
not if argument "-load session_name" is also present. Plink.exe
does the same. We can not use fwb_session_with_keepalive if user
wants to use putty session.
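The subnet comparison behind #1834 above and the overlap calculation behind #1934 (libfwbuilder::getOverlap), as one added example (not libfwbuilder's own code). The interface-selection policy it implements is an assumption: a rule address matches an interface only when the host, network or range lies entirely inside that interface's subnet, while a network that contains the interface subnet or only partly overlaps it is not a match. naive_overlap is included only to show the one-directional comparison that misses the "larger network" case.

```python
import ipaddress


def naive_overlap(a, b):
    """One-directional test that looks right but is not: it only asks whether
    b's first address lies inside a, so it misses the case of b containing a."""
    na = ipaddress.ip_network(a, strict=False)
    nb = ipaddress.ip_network(b, strict=False)
    return nb.network_address in na


def overlap(a, b):
    """True when networks a and b share at least one address.  For CIDR
    blocks that is exactly "one is a subnet of the other", in either order."""
    na = ipaddress.ip_network(a, strict=False)
    nb = ipaddress.ip_network(b, strict=False)
    if na.version != nb.version:
        return False
    return na.subnet_of(nb) or nb.subnet_of(na)


def _as_networks(addr):
    """Normalise a host, a CIDR string or a (first, last) address-range tuple
    to a list of ip_network objects."""
    if isinstance(addr, tuple):
        first, last = (ipaddress.ip_address(x) for x in addr)
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(addr, strict=False)]


def find_interface_by_address(addr, interfaces):
    """interfaces: {name: "ip/prefix"}.  Return the interface whose subnet
    fully contains addr (host, network or range), or None if no interface
    does.  A rule network larger than, or only partly overlapping, the
    interface subnet is deliberately not a match (assumed policy)."""
    pieces = _as_networks(addr)
    for name, cidr in interfaces.items():
        ifnet = ipaddress.ip_interface(cidr).network
        if all(p.version == ifnet.version and p.subnet_of(ifnet)
               for p in pieces):
            return name
    return None
```

Ranges are first split into CIDR blocks with summarize_address_range and every block must fall inside the interface subnet; that is what makes a network zone containing an address range resolvable to an interface.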
2010-11-08 Vadim Kurland <>
* FirewallInstaller.cpp (FirewallInstaller::packSCPArgs): See
#1832, SF bug 3097419 "installer uses bare IP address instead of
putty session name". It appears pscp.exe on Windows can use putty
session name in place of the host name. This change restores old
behavior where session name was used like that but does it for
both plink.exe and pscp.exe. This only affects users who run
fwbuilder GUI on Windows
2010-11-05 Roman Bovsunivskiy <>
* see #1809 "Add Firewall Setting in Logging settings for default
log setting on new rules". Added a tab "Policy Rule" to the
"Objects" page of the global preferences dialog; checkbox in this
tab allows the user to choose whether new policy rules should be
created with logging turned on or off.
2010-11-04 Roman Bovsunivskiy <>
* see #1826 "Please place all unit tests in one directory". All GUI
and other unit tests moved to the directory src/unit_tests
2010-11-03 Roman Bovsunivskiy <>
* code refactoring: see #1822 "refactor all GUI classes into
libgui library and link executable with it"
* see #1787 "new fw name input field should have focus when new
firewall wizard opens"
* see #1823 "Add Preference option for Advanced / Power users".
Added checkbox to the Preferences dialog, this checkbox turns off
some tooltips that can be annoying for users who are sufficiently
familiar with the GUI
2010-11-02 Vadim Kurland <>
* OSConfigurator_linux24_interfaces.cpp (printVerifyInterfacesCommands):
fixed #1824 "should not try to verify wildcard interfaces".
2010-11-01 Vadim Kurland <>
* CompilerDriver.cpp (CompilerDriver::getAbsOutputFileName): fixed
SF bug 3090249 "fwb_ipt ignores -d option ". Documented behavior
is for the compiler to create files in the directory specified by
the argument of the "-d" command line flag. If flag "-d" is not
provided, files should be created in the current directory.
2010-10-29 Vadim Kurland <>
* PolicyCompiler_ipt.cpp (checkForStatefulICMP6Rules::processNext):
fixed SF bug 3094273 "no state needed for ipv6-icmp in
ip6tables". Rules that match ICMPv6 objects should be
stateless. Compiler will check for this and reset "stateful" flag
of a rule and issue warning if the rule was built stateful in the
GUI. This could be version-dependent, we may need to revisit this
in the future when netfilter fixes the underlying issue. Some
* src/res/ added ICMPv6 object "parameter
problem" (type 4, any code) per SF feature request 3094743. Also
added service group object "ipv6 unreachable messages" that
includes ICMPv6 messages "destination unreachable", "packet too
big", "parameter problem" and "time exceeded" per SF feature
request 3094758
* configlets/linux24/automatic_rules: implemented SF feature
request 3094738 "Set the HL to 255 for IPv6 Neighbor
Discovery". Neighbor discovery packets must have hop limit of 255
per RFC 2461. Automatically generated rules that match neighbor
discovery packets will match hop limit 255.
* configlets/linux24/update_addresses: fixed SF bug 3091069:
"Routing configuration failed". Iptables script generated by
fwbuilder did not configure broadcast when it added ip addresses
to interfaces. Using "ip addr add ADDR/NM broadcast + dev INTF"
syntax to do this.
* OSConfigurator_bsd.cpp (compare_names): fixed #1807 "wrong order
of address assignment in the generated OpenBSD/PF/CARP cluster
configuration". Need to assign ip addresses to regular interfaces
before trying to assign them to carp interfaces.
* configlets/linux24/load_modules: fixed #1820 "skip module
"nf_conntrack_ipv6" if generated script has no ipv6 rules"
Shell function load_modules should not try to load module
nf_conntrack_ipv6 if generated script does not load any ipv6
rules. Loading this module fails if ipv6 has been disabled in
the kernel.
2010-10-29 Vadim Kurland <>
* run_time_wrappers: fix for the SF bug #3095615 "reopen no
PREROUTING rule with *-Interface - ID: 3077132". Configlet used wrong
shell variable to access ip address of a wildcard interface.
* VERSION (FWB_MICRO_VERSION): started 4.1.3
2010-10-07 Vadim Kurland <>
* configlets/pix_os/installer_commands_reg_user: using command
"terminal width 256" to turn off ANSI commands in the PIX command
* FindObjectWidget.cpp (showObject): rolled back change done in
r3320 (refs #1790) "When an object is found using Find and the
object is in the object tree, the keyboard focus shifts to the
Object Panel". That change broke highlighting of the found object
in rules.
* refs #336 "Need template for PIX firewall"; added template for
PIX 50X (501 and 506)
2010-10-06 Vadim Kurland <>
* FWWindow.cpp (FWWindow::showIntroDialog): fixed compile problem
with old Qt (v < 4.5.0).
* FWWindow.cpp (FWWindow::showIntroDialog): See #1765, #1779 Will
show a dialog inviting the user to watch Quick Start Guide on the
web site when they run the GUI for the first few times. The dialog
is shown instead of the Tip of the day dialog. Switching to the
tip of the day after 5 starts.
* RoutingCompiler_pix.cpp (emptyRDstOrRItf::processNext): fixed
#1783 "PIX routing entries require interface, but PIX config will
compile without interface in Routing rule". Policy compiler for PIX
now checks that both "interface" and "gateway" rule elements are
not empty.
2010-10-05 Vadim Kurland <>
* OSConfigurator_linux24.cpp (printRunTimeWrappers): fixed SF bug
3077132 "no PREROUTING rule with *-Interface". Rules matching
addresses of a wildcard interface (e.g. "ppp*") were not properly
* RuleSetView.cpp (updateSelectionSensitiveActions): fixed SF bug
3039681 "context-menu items inconsistent for Single/Multiple
rules". When several rules are selected in rule set, some context
menu items should turn to plural.
* FWWindow.cpp (prepareRulesMenu): fixed #1778 "main menu Rules
should have the same items that context RuleSetView menu when no
rules are selected"
2010-10-04 Vadim Kurland <>
* ObjectManipulator.cpp (showObjectInTree): fixed #1777 "scroll
new fw object to the top of the tree view panel once its created"
This has side effect in that some other operations that open an
object in the tree will also scroll the tree to position this
object at the top.
* FWBSettings.cpp (setCustomTemplatesEnabled): fixed #1791 "Add
preference flag to enable / disable the Custom templates button on
the New Firewall Wizard". Use of the custom template library
to create new firewall object is now optional, controlled by
a checkbox in the "Object" tab of the global preferences dialog.
New users will have this option turned off by default, however
existing users will see it enabled for backwards compatibility.
* FindObjectWidget.cpp (showObject): fixed #1790 "When an object
is found using Find and the object is in the object tree, the
keyboard focus shifts to the Object Panel". The "find" panel now
retains keyboard focus after it shows found object in the tree,
this allows the user to just hit Enter on the keyboard to find
the next object.
* FindObjectWidget.cpp (objectDeleted): fixed #1785 "Deleting
graphic icon of object from Find tab should also remove the text
name or label"
* newFirewallDialog.cpp (changed): fixed #1770 Eliminated pause
that happened when user switched from page 0 to page 1 of the new
firewall wizard. Pause was caused by the DNS queries the program
ran trying to determine ip address of the firewall using the name
provided on the first page of the wizard. Now DNS query is
launched only if user wants to create interfaces using snmp scan.
* InterfaceEditorWidget.cpp (InterfaceEditorWidget): fixed #1772
improved design of the widget used to edit ip addresses and other
attributes of an interface in the new firewall, new host and new
cluster wizards. Removed "MAC Address" input field and rearranged
other input fields according to the result of usability tests.
* SSHCisco.cpp (SSHCisco): fixed #1784 added Cisco ASA (PIX) error
message "cannot add route entry" to the list of errors that
built-in installer recognizes and marks install process as
* newFirewallDialog.cpp (showPage): fixed #1767 improved UI in the
new firewall and new host dialogs where user chooses file for the
custom template library or uses standard template library.
2010-10-03 Vadim Kurland <>
* ObjectManipulator_create_new.cpp (ObjectManipulator::createNewObject):
fixed #1776 once new firewall is created, automatically open its Policy
* FWWindow.cpp (FWWindow::showIntroDialog): fixed #1765, #1779
Move quick start guide to the web site. The "Quick Start Guide" is
now part of the web site and the GUI only shows a
dialog-invitation to watch it.
2010-10-01 Vadim Kurland <>
* FWBSettings.cpp (getABTestingGroup): fixed #1763 Implemented
basic facility for A/B testing within the GUI
2010-09-30 Vadim Kurland <>
* FindObjectWidget.cpp (keyPressEvent): fixed #1755 "hitting enter
after editing search attribute in the Find panel should trigger
* FindObjectWidget.cpp (matchAttr): fixed #1760 'Search by
attribute "name" should search by name or label'.
* FindObjectWidget.cpp (objectInserted): fixed #1757 Allow
searching by attributes even after an object is dropped into the
drop area in search panel.
* newFirewallDialog.cpp (browseTemplate): fixed #1759 "Use default
template library" button seems to do nothing. This button should
only be enabled if user switched to their own library of template
objects. The button should be disabled if they switched back to
the standard template library or never switched to their own one.
* newHostDialog.cpp (finishClicked): fixed #1761 "blank interface
name is possible in new host wizard"
* FWObjectPropertiesFactory.cpp (getInterfaceNameExamplesForHostOS):
fixed #1753 "Set interface name hint based on firewall platform
and host OS". The placeholder text in the interface name and label
input fields in the new firewall wizard will depend on the host OS
chosen in the first page of the wizard.
* utils.cpp (validateName): fixed #1751 "Don't allow interface
names to be blank". The GUI should not allow the name of any
object to be blank.
2010-09-29 Vadim Kurland <>
* ProjectPanel.cpp (ProjectPanel::inspect): fixed #1718 "Inspect
generated files" dialog says "Multiple firewalls" even when there
is only one
* InterfaceEditorWidget.cpp (InterfaceEditorWidget::InterfaceEditorWidget):
added "placeholder" text to the interface name and label input
fields. This text is displayed in greyed-out small font inside
the input field but is cleared as soon as user starts their input.
The text gives user a prompt as to what is expected in each input
field. The "placeholder" text support is available only in Qt 4.7
and later so the code is conditional on the version of Qt.
* WorkflowIcons.cpp (WorkflowIcons::openTutorial): fixed #1733
"Add button for video tutorial link". Shortcut button "Watch
Getting Started Tutorial" opens page with video tutorials in
the standard browser.
* InterfaceEditorWidget.cpp (InterfaceEditorWidget::isValid):
fixed #1746 "Force user to change interface name in New Firewall
wizard". When user creates interfaces for the new firewall or host
using manual method and clicks on the "+" button to add a tab for
the new interface in the wizard page, the interface tab is created
with blank name. Wizard later checks the name when user clicks
Finish to create new firewall or host object and does not let them
do this while interface name is still blank. Error dialog reminds
that the name of the interface must match the name of the
interface on the machine.
* ProjectPanel.cpp (ProjectPanel::updateFirewallName): fixed #1745
"Remove path data from text above rules window that shows firewall
2010-09-28 Vadim Kurland <>
* ObjectManipulator_create_new.cpp (reminderAboutStandardLib):
refs #1748 "Add dialog about Standard Library when user creates
first Service object". First time users will see an informational
dialog reminding them about the Standard objects library when
they create their first service object.
2010-09-27 Vadim Kurland <>
* src/gui/Tutorial/introduction/html/page0.html: refs #1737 Added
"Quick Start Guide" tutorial that demonstrates basic features and
key concepts of Firewall Builder. The tutorial is accessible
via Help / Tutorials menu and is shown to the first-time user
on the GUI startup instead of the "tip of the day" dialog.
* FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed):
system folders in the tree now have tooltips that explain what
kind of objects belong there.
* RuleSetView.cpp (showToolTip): Added text to the tooltips shown
for the "Direction" and "Action" rule elements to remind user that
to change these rule parameters they need to click right mouse
button to open list of possible settings
* RuleSetView.cpp (showToolTip): fixed #1744 "Add tooltip to the
rule number". The column in the RuleSetView? where rule number is
shown now has a tooltip to remind the user that they can click
right mouse button to open the context menu and use keyboard
shortcut "x" to compile the rule
* FWBSettings.cpp (init): fixed #1743 "change default for the
option 'Show text descriptions for direction and action'". The
option should be on by default.
* RuleSetView.cpp (showToolTip): fixed #1730 "Add background help
text and images to empty policy window". Showing tooltip in the
empty space in the rule set view, this tooltip provides hints on
how to edit rules which should be useful for the beginners.
2010-09-26 Vadim Kurland <>
* ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested):
fixed #1741 "there is no way to undelete a library object".
* FWCmdMoveObject.cpp (FWCmdMoveObject::notify): fixed #1740
"Deleted library remains in the drop-down list". If option "Show
deleted objects" was turned off in the Preferences dialog and user
deleted a library, it remained in the drop-down list of libraries
and its object tree was still displayed in the object tree panel.
* listOfLibrariesModel.cpp (ListOfLibrariesModel::addStaticItems):
fixed #1728 "Update Library drop down menu". Library drop down
list shows an item "Object libraries:" at the top that can not be
selected and that always stays on top as libraries are added,
removed and renamed. The list always stays sorted in ascending
order. Library names are indented by 2 spaces to make them
visually distinguishable from the prompt item at the
top. Implementation uses class ListOfLibrariesModel that inherits
* PrefsDialog.cpp (PrefsDialog::PrefsDialog): fixed #1739 "remove
"tooltip delay" input form preferences dialog". Qt4 does not allow
for changing tooltip delay.
2010-09-24 Vadim Kurland <>
* RuleSetView.cpp (itemDoubleClicked): refs #1731 Change
double-clicking on "Any" object behavior. Double click on "any" in
a rule does not try to open object "any" in the tree and editor
* FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed):
refs #1731 Change double-clicking on "Any" object
behavior. Tooltip shown for the object "any" in rules says
"to modify the rule drag and drop an object from the tree here"
instead of attributes of the object "any".
* FWBSettings.cpp (init): fixed #1738 "Enable tooltips by default"
* ObjectManipulator.cpp (editSelectedObject): fixed #1729 "double
clicking a folder in the tree should expand it rather than open it
in the editor".
* ObjectTreeView.cpp (edit): fixed #1732 "Double clicking on
object with child objects should auto expand them". Double
clicking on objects and folders in the tree expands and collapses
them, as well as opens object in the editor.
* ObjectManipulator.cpp (expandObjectInTree): fixed #1715
"automatically expand new firewall and new host objects in the
tree once they are created"
* configlets/linux24/check_utilities: fixed #1714 "make checking
for MODPROBE conditional". There is no need to check if modprobe
utility exists on the firewall machine if it is not used by the
2010-09-22 Vadim Kurland <>
* instDialog_ui_ops.cpp (instDialog::readInstallerOptionsFromFirewallObject):
fixed #1724. There was a problem with pscp.exe and putty
sessions. Plink.exe accepts session name in place of the host name
on the command line, but pscp.exe does not. We ask user to enter
session name in the "alternative name or address to use to
communicate with the firewall" input field in the "Installer" tab
of the firewall settings dialog and then use it in place of the
host name in the command line for pscp.exe and plink.exe. This
works with plink.exe but breaks pscp.exe which interprets it as a
host name and fails with an error "ssh_init: Host does not
exist". The fix checks if what user entered in the "alternative
host or address field" is a session name and uses different
command line with pscp.exe
2010-09-20 Vadim Kurland <>
* NATCompiler_ipt.cpp (compile): fixed SF bug #3071667
"Compilation segfault with DNS address in NAT rule". Added rule
processors to replace Run-time DNSName and Address Table objects
in TSrc and TDst.
2010-09-16 Vadim Kurland <>
* SSHSession.cpp: Refs #1699 installation session status was reset
from "failure" to "success" in a configuration where fwbuilder gui
was running on Windows and talked to Cisco router using pscp.exe
and plink.exe and ssh session failed because of authentication
failure. This happened because plink.exe terminated with return
status "success" even in case of authentication failure.
* generatedScriptTestsIpfilter.cpp (GeneratedScriptTest::runCompiler):
unit tests to test manifest and activation commands in the generated
.fw script for ipfilter. Refs #1702
* FirewallInstaller.cpp (FirewallInstaller::getGeneratedFileFullPath):
fixed how we append suffix ".fw" to the name of generated script
when it is preconfigured in the firewall settings dialog and already
includes ".fw" suffix (it was added twice).
* CompilerDriver_ipf_run.cpp (CompilerDriver_ipf::run): fixed #1702
"Wrong path in the activation script for ipfilter". Activation command
embedded in the generated .fw script used local path to the generated
.conf file on the machine where fwbuilder compiler was running.
2010-09-14 Vadim Kurland <>
* FirewallInstaller.cpp (getGeneratedFileFullPath): fixed SF bug
3049665 "Firewall Settings -> Output file name misses .fw
* CompilerDriver_ipt_policy.cpp (processPolicyRuleSet): fixed
#1707 "call function "prolog_commands" from the main iptables
script part instead of function "script_body" when prolog should
be executed after iptables reset"
* configlets/linux24/script_skeleton (cmd): fixed SF bug 3060325
"Address table object and prolog script conflict". Generated
script should run prolog before checking and loading run-time
address tables.
* NATCompiler_PrintRule.cpp (processNext): fixed SF bug 3057503
"DNAT rule with dynamic IP has a white space, causing error".
* PolicyCompiler_PrintRule.cpp (_printIpSetMatch): fixed #1705
"iptables (v>=1.4.4) "--set option deprecated ..." (SF bug 3059893)
Option "--set" has been deprecated and renamed "--match-set" in
iptables 1.4.4
* CompilerDriver_pf.cpp (printPathForAllTools): fixed SF bug
3061034 "ifconfig definition missing". Script generated for the
ipfw firewall on Mac OS X missed definition of variable IFCONFIG.
2010-09-13 Vadim Kurland <>
* IPTImporter.cpp (addPktTypeMatch), iptables.g: fixed #1703
"importing iptables line with module pkttype causes parser
error". We do not have any object with the behavior closely
resembling that of iptables module "pkttype" so the importer
creates CustomService object with the code taken from the original
iptables rule. SF bug 3065435
* VERSION (FWB_MICRO_VERSION): started 4.1.2
2010-08-20 Vadim Kurland <>
* v4.1.1 released
2010-08-19 Vadim Kurland <>
* NATCompiler_ipt.cpp (splitNATBranchRule::processNext): fixed #1686
"can not generate basic NAT branching rule". NAT branching rules
were not generated in single rule compile mode because compiler
needs information about targets used in the branch rule set rules
to decide which chain the branching rule should be placed in. Now it
will use PREROUTING and POSTROUTING in single compile mode but issue
a warning.
* NATCompiler_ipt.cpp (VerifyRules2::processNext): fixed #1685
"iptables redirecting NAT rules in the OUTPUT chain". NAT rules
should be allowed to translate from CustomService to TCP or UDP
service, provided CustomService object is configured with matching
protocol. See also change in libfwbuilder NATCompiler::classifyNATRule::processNext.
* NATCompiler_ipt.cpp (localNATRule::processNext): see #1685
"iptables redirecting NAT rules in the OUTPUT chain". This fix
makes it possible to create iptables NAT rule with target REDIRECT
in the OUTPUT chain. The rule should have firewall object in OSrc
and TDst rule elements.
* NATCompiler_PrintRule.cpp (PrintRule::processNext): fixed #1693
SF bug 3048516 "NAT rule with 'Use SNAT instead MASQ' doesn't
work". NAT rule using combination of the option "Use SNAT instead
of MASQ", dynamic address of an interface and source port
translation produced iptables command with incorrect syntax.
2010-08-18 Vadim Kurland <>
* Helper.cpp (list): fixed #1691, this is a better fix for the
problem reported in the earlier bug (see #1690).
Function Helper::findInterfaceByNetzone() throws FWException, this
changed in v4.1.0 with a fix for #1653.
2010-08-17 Vadim Kurland <>
* procurveInterfaces.cpp (procurveInterfaces::parseVlan): fixed #1683
class procurveInterfaces interprets interface "DEFAULT_VLAN" as
vlan interface with vlan id 1.
* newFirewallDialog.cpp (newFirewallDialog::finishClicked):
fixed #1683 When user creates new firewall using snmp scan,
fwbuilder will now guess and assign the type to interfaces that
look like vlans for the given platform and host OS.
* safety_net_acl: fixed #1687 "temporary access list commands
syntax is incorrect". Temporary ACL generated for the Procurve
platform was incorrect.
* PolicyCompiler_cisco.cpp (PolicyCompiler_cisco::setAllNetworkZonesToAny):
fixed #1690 "IOS ACL and Procurve ACL compilers fail because
interfaces are not assumed to have network zone "any" anymore".
Compilers for Cisco IOS ACL and Procurve ACL always assumed all
interfaces have network zone "any". Recent changes made in 4.1.0
changed that and compilers stopped working for some rule configurations.
* (PolicyCompiler_cisco::createACLObject): fixed #1688 "Procurve
ACL remarks should be in quotes if they include space"
2010-08-14 Vadim Kurland <>
* FirewallInstallerProcurve.cpp (FirewallInstallerProcurve::packInstallJobsList):
Policy installer for HP Procurve. Currently only works in line-by-line
mode (no support for scp). Tested with Procurve firmware K14.31 on
ProCurve J9470A Switch 3500-24. Caveat: manager access should not be
configured with user name (that is, no "password manager user-name foo")
* set version to 4.1.1
2010-08-10 Vadim Kurland <>
* v4.1.0 released
2010-08-08 Vadim Kurland <>
* ObjectManipulator_ops.cpp (ObjectManipulator::actuallyDeleteObject):
fixed #1674 "Crash while using Undo Stack". Operation "Cut" should be
represented by an undo macro object and should appear as one operation
on the undo stack.
* ObjectManipulator.cpp (ObjectManipulator::getMenuState): fixed #1676
"Crash when deleting an interface that has multiple IP addresses
and not all addresses are selected for deletion"
2010-08-06 vadim <>
* ObjectManipulator_tree_ops.cpp (ObjectManipulator::clearObjects):
fixed crash that happened on Mac if the GUI was started with a
file name as command line argument. The issue was introduced recently
when GUI state update was reimplemented as an event.
2010-08-05 Vadim Kurland <>
* ProjectPanel_events.cpp (event): fixed #1660 "Crash when
cut-and-pasting firewall between libraries". GUI crashed if user
performed the following sequence: cut an object, switch to a
different object library, try to paste using keyboard shortcut
Ctrl-V while library object was selected in the tree.
2010-08-04 Vadim Kurland <>
* IPTImporter.cpp (IPTImporter::finalize): fixed #1664 "Policy
import creates firewall object w/o version". This also fixes
crash reported in SF bug #3036934
* pixAdvancedDialog.cpp (pixAdvancedDialog::displayCommands):
fixed SF bug #3038945 "ASA inspect configurations not saved".
Under some circumstances the GUI did not save changes made in the
"Inspectors" tab of the PIX advanced settings dialog into the
* ObjectManipulator_tree_ops.cpp (ObjectManipulator::removeObjectFromHistory):
fixed #1661 "Crash after deleting firewall" a sequence where user deleted
an object and then hit "Back" button caused crash.
2010-08-03 Vadim Kurland <>
* pixAdvancedDialog.cpp (pixAdvancedDialog): fixed SF bug #3038948
"ASA logging severity levels are incremented". Log levels in the
"Logging" tab of the PIX firewall advanced settings were
incremented every time user opened the dialog and then clicked OK.
* PolicyCompiler_PrintRule.cpp (_printIP): fixed SF bug #3038636
@v4.1b, "iptables v1.4.8: unknown option `--ra'". Ipv4options
module has changed in iptables 1.4.3 and now accepts different set
of parameters. Policy compiler generates new parameters if user
set version in the firewall object dialog to "1.4.3 or later".
2010-08-02 Vadim Kurland <>
* InterfaceDialog.cpp (loadFWObject): fixed #1657 "When no network
zone is defined on the interface, the Interface object editor says
it is "Any" which is a lie"
* configlets/linux24/run_time_address_tables: fixed #1652 "support
for adding single address to address table in the generated
script". Generated iptables script now provides functions
"add_to_address_table", "remove_from_address_table" and
"test_address_table" that let administrator add or remove single
ip address to a given address_table.
* OSConfigurator_linux24.cpp (printRunTimeAddressTablesCode):
fixed #1654 "Support for run-time Address Tables with empty file
in iptables". This is an implementation of the same feature we
already have for PF. If the file name in the configuration of the
run-time Address Table object is blank, policy compiler generates
firewall configuration that uses ipset with the name the same as
the name of the object but does not generate code to load
addresses from a file into it. All control of the ipset is left
for the user.
* Helper.cpp (findInterfaceByNetzone): fixed #1653 "Crash when
compiling a rule for Cisco PIX with incorrect network zone".
2010-07-29 Vadim Kurland <>
* instDialog_installer.cpp (instDialog::installerSuccess):
fixed #1639 "Add success message to the bottom of the process log
for the installer". Added a message to the installer log to
display installation status.
* stop_action: "stop" action should reset ipv4 iptables
configuration only if firewall object configuration defines any
ipv4 rules. This is how generated script works for ipv6; behavior
for ipv4 and ipv6 should be similar. Fixes SF bug #3036541 "IPV6
only firewall resets ipv4 stack"
* script_skeleton (cmd): added action "block" to the "usage" string
of the generated iptables script
2010-07-28 Vadim Kurland <>
* PolicyCompiler_ipt.cpp (checkActionInMangleTable::processNext):
fixed SF bug 3034628 "iptables does not allow target REJECT in
mangle table". Iptables does not support target REJECT in mangle
table. Added check to the policy compiler to make it detect this
situation and issue an error.
* FWWindow.cpp (FWWindow::compile): fixed SF bug 3035426 "canceled
save writes .fwb ". The program created file with name ".fwb" if
user started with an empty project page, created some objects, then
hit "Compile" but then clicked "Cancel" when offered a chance to
save objects into a new data file.
* CompilerDriver.cpp (CompilerDriver::_findImportedRuleSetsRecursively):
fixed #1631 "Process branch rule sets recursively". Policy
compilers used to look only one level deep while processing
branching rules. They should allow for arbitrary nesting and
correctly avoid infinite loops if user creates looped branches.
Compiler issues a warning when it detects looped branching.
This fixes SF bug 3033462 "nested shared branch rules between
servers not working".
* UsageResolver.cpp (UsageResolver::findWhereUsedRecursively):
fixed #1632 "dependencies created by branching rule sets should be
processed recursively". In the case of multi-level branches
the GUI should trace all references to find all firewalls affected
by a change of an object used in the rule.
2010-07-27 Vadim Kurland <>
* configlets/linux24/block_action: fixed #1640 "default policy
when the script is stopped should be optional". The "stop" command
used to be interpreted by the iptables script generated by
fwbuilder in a way that it blocked all connections going to, from
and through the firewall. Luc Paulin <>
pointed out that this behavior is incompatible with other firewall
management scripts, such as /etc/rc.d/init.d/iptables on Fedora
Linux or ufw on Ubuntu, where "stop" means disabling the firewall.
In v4.1 the "stop" command flushed all chains in all tables and
sets default policy to ACCEPT. New command "block" does what
"stop" used to do before, that is, flushes all chains in all
tables and sets default policy to "DROP". The option to add
a rule to permit ssh access from the management workstation when
firewall is stopped now adds this rule when firewall script is
run with "block" command instead.
2010-07-26 Vadim Kurland <>
* configlets/linux24/run_time_address_tables: implemented support
for mixed address lists for run-time address table objects using
ipset module. Normally, one ipset set can either contain
individual ip addresses or subnets. We create a "setlist" type set
that includes two sub-sets, one for ip addresses and the other for
subnets. Function reload_address_table in the configlet
run_time_address_tables takes care of managing these three sets
automatically. Address list file has the same format as for all
other supported types of Address Table object: one address per
line, subnets are defined using '/bitlength' or '/netmask' syntax,
comments start with '#' or ';' character.
2010-07-24 Vadim Kurland <>
* code cleanup. Removed bunch of warnings and cleaned up some test
cases using small patches from Mike Slifcak
2010-07-23 Vadim Kurland <>
* Fixes #1635: included code generated by the configlet
run_time_address_tables into script for all linux-based host
OS (dd-wrt, openwrt, ipcop) even though most of them do not
support ipset at this time. If ipset is not supported because
iptables version is too old or the module is simply not available
for the platform, user can just uncheck the checkbox in the
firewall settings dialog and code generated by the configlet will
support method of loading addresses from the file at run time
based on script variables and a "while" loop.
* script_skeleton: added command line argument "reload_address_table"
that calls function reload_address_table and takes two additional
arguments: set name and file name.
* script_skeleton (cmd): calling functions to check if data files
used by run time address table objects are available before making
any changes to iptables policy. If files are not available, the
script aborts and leaves iptables in the original state. This
fixes #1628 "generated script checks presence of the address table
files after it sets default iptables policy to DROP". fixes #1628
* run_time_address_tables: new configlet that adds shell code to
check if all run time address table data files are present on the
firewall machine and that ipset utility works and can communicate
with the kernel driver. This configlet also defines a function to
reload one ipset with given name and data file name and function
to reload all ipsets used in the generated script. Fixes #1625, #1627
* PolicyCompiler_PrintRule.cpp (PrintRule::normalizeSetName):
fixed #1626 "convert space and other special characters found in
the run time address table object into underscores". The name of
the run-time Address Table object is used for the name of the
ipset module set. Making sure the name is sanitized of the
characters considered "special" by shell before it is used.
* check_utilities: fixed #1625, see #137: added ipset to the list
of command line utilities generated iptables script can
use. Script will check if the utility is present on the firewall
if user requested use of iptables module "set" for run-time
Address Table objects. Also added an input field for ipset in the
advanced settings host OS dialog for Linux to let the user specify
path to ipset if it is not standard.
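The run-time address table handling in the 2010-07-23 entry above (checking the data files before any change is made, sanitising the set name), together with the mixed address/subnet set list from the 2010-07-26 entry and the add_to_address_table / remove_from_address_table functions named in the 2010-08-02 entry, as an added illustration. This is not fwbuilder's configlet code: it uses the ipset 6 command syntax (list:set, hash:ip, hash:net) rather than the 4.x syntax of 2010 (setlist, iphash, nethash), the _ip/_net subset suffixes, the DRY_RUN wrapper and the IPv4-only scope are choices of this example, and the address list format (one entry per line, '/bits' or '/netmask' subnets, '#' or ';' comments) is the one the 2010-07-26 entry describes.

```shell
#!/bin/sh
# Added example (not fwbuilder's run_time_address_tables configlet): the
# run-time address table handling described in the ChangeLog, written
# against the ipset 6.x command syntax. IPv4 only. With DRY_RUN=1 set, the
# ipset commands are printed instead of executed.

IPSET="${IPSET:-/usr/sbin/ipset}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Object names may contain spaces and shell metacharacters; ipset set names
# must not. Everything outside [A-Za-z0-9_] becomes '_'.
normalize_set_name() {
    printf '%s\n' "$1" | sed 's/[^A-Za-z0-9_]/_/g'
}

# Dotted netmask to prefix length (255.255.254.0 -> 23). Prints nothing and
# returns 1 for a mask that is not four octets or not contiguous.
mask_to_prefix() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    bits=0; partial=0
    for octet in "$@"; do
        if [ "$partial" -eq 1 ] && [ "$octet" != 0 ]; then return 1; fi
        case $octet in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); partial=1 ;;
            252) bits=$((bits + 6)); partial=1 ;;
            248) bits=$((bits + 5)); partial=1 ;;
            240) bits=$((bits + 4)); partial=1 ;;
            224) bits=$((bits + 3)); partial=1 ;;
            192) bits=$((bits + 2)); partial=1 ;;
            128) bits=$((bits + 1)); partial=1 ;;
            0)   partial=1 ;;
            *)   return 1 ;;
        esac
    done
    echo "$bits"
}

# Address list format: one entry per line, subnets as '/bits' or '/netmask',
# comments from '#' or ';' to end of line. Prints "ip ADDR" for single hosts
# and "net ADDR/BITS" for subnets; a malformed subnet aborts with status 1.
parse_address_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%[#;]*}
        entry=$(printf '%s' "$entry" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        case $entry in
            */*)
                addr=${entry%%/*}; mask=${entry#*/}
                case $mask in
                    *.*) prefix=$(mask_to_prefix "$mask") || prefix='' ;;
                    *)   prefix=$mask ;;
                esac
                case $prefix in ''|*[!0-9]*) prefix=99 ;; esac  # non-numeric: fail below
                if [ "$prefix" -gt 32 ]; then
                    echo "bad subnet '$line' in $1" >&2; return 1
                fi
                if [ "$prefix" -eq 32 ]; then echo "ip $addr"; else echo "net $addr/$prefix"; fi ;;
            *)  echo "ip $entry" ;;
        esac
    done < "$1"
}

# Rebuild list:set NAME from FILE. The file is checked and parsed before the
# first ipset call, so a missing or malformed file leaves the kernel sets as
# they were; the generated script runs this before it touches iptables.
reload_address_table() {
    set_name=$(normalize_set_name "$1"); file=$2
    if [ ! -r "$file" ]; then
        echo "address table file '$file' for set $set_name is missing" >&2
        return 1
    fi
    entries=$(parse_address_list "$file") || return 1
    run "$IPSET" -exist create "${set_name}_ip" hash:ip
    run "$IPSET" -exist create "${set_name}_net" hash:net
    run "$IPSET" -exist create "$set_name" list:set
    run "$IPSET" -exist add "$set_name" "${set_name}_ip"
    run "$IPSET" -exist add "$set_name" "${set_name}_net"
    run "$IPSET" flush "${set_name}_ip"
    run "$IPSET" flush "${set_name}_net"
    printf '%s\n' "$entries" | while read -r kind value; do
        case $kind in
            ip)  run "$IPSET" -exist add "${set_name}_ip" "$value" ;;
            net) run "$IPSET" -exist add "${set_name}_net" "$value" ;;
        esac
    done
}

# Single-address maintenance without reloading the whole file.
add_to_address_table()      { run "$IPSET" -exist add "$(normalize_set_name "$1")_ip" "$2"; }
remove_from_address_table() { run "$IPSET" -exist del "$(normalize_set_name "$1")_ip" "$2"; }
```

Call `reload_address_table "bad hosts" /etc/fw/bad_hosts.txt` for every address table object before the first iptables command and abort the script if it fails; the rule that references the object then matches with `-m set --match-set bad_hosts src`. Because the file is both checked and fully parsed before the first ipset call, a missing file or a bad line cannot leave a half-loaded set behind.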
2010-07-22 Vadim Kurland <>
* PolicyCompiler_PrintRule.cpp: added support for iptables module
"set" used to generate iptables command for rules with run-time
AddressTable objects. This module is only available in iptables and later, however some embedded platforms do not have it
even though they ship later versions of iptables (e.g. OpenWRT).
Use of this module is controlled by a checkbox in the iptables
"advanced" settings dialog which is off by default. This checkbox
becomes disabled when iptables version is set to <
* newClusterDialog_create.cpp (newClusterDialog::createNewCluster):
fixed #1622 "Crash when configuring cluster". The GUI used to crash
if user created a cluster copying rules of one of the cluster members
while that rule set was opened in the rule set view.
2010-07-21 Vadim Kurland <>
* iptadvanceddialog_q.ui: rearranged elements in the tab
"Compiler" of the dialog to make it shorter and wider. Still
needs some work to make it render better.
* InterfaceEditorWidget.ui: set minimum height for the name, label
and few other input fields because they came out squished on Mac.
Fixes #1613.
* FWWindow.cpp (fileNew): fixed #1611 "File/New should create new
project panel". Like #1612, open new data file in a new project
panel if current project panel has no data file associated with it
but has unsaved changes.
* FWWindow.cpp (loadFile): fixed #1612 "File/Open should create
new project panel". If user has some unsaved changes in the
default project panel (the one with no associated file) and then
uses File/Open menu to open another data file, the file should
open in a new project panel.
2010-07-20 Vadim Kurland <>
* FWWindow.cpp (FWWindow::showEvent): default main window geometry
should be 1000x600, wider than it used to be before. This is to
make object dialogs fit in the main window without squishing.
* routing_functions: added a copy of the routing_functions
configlet to the dd-wrt-nvram and dd-wrt-jffs because newest
versions of DD-WRT lack mktemp. The original routing_functions
configlet does not use mktemp either, but Gentoo (and possibly
other distros) ship patched version that needs mktemp which breaks
fwbuilder generated script on these versions of DD-WRT. Hopefully
they won't patch the copy of routing_functions configlet.
* StartTipDialog.cpp (StartTipDialog::StartTipDialog): fixed #1603
"Welcome dialog should show full version of the program".
* set version to 4.1.0 and version of the data file format to
"17". Data files need to be upgraded. Upgrade script changes the
version and makes sure Standard objects library is read-only. Some
users may have this library configured read-write in their data
files because of a bug in the early versions of fwbuilder 4.
* We have decided to release this version as 4.1.0 rather than
4.0.2. "4.0.2" will remain our internal testing version
2010-07-19 Roman Bovsunivskiy <>
* DiscoveryDruid_q.ui, newclusterdialog_q.ui, newfirewalldialog_q.ui:
Set up default buttons in dialogs
* DiscoveryDruid_q.ui, DiscoveryDruid.cpp, Importer.cpp: Added firewall
name input field.
* InterfaceEditorWidget.cpp: Button "Add address" now changes text
to "Add another address" when there is at least one address in current
2010-07-19 Vadim Kurland <>
* fixed bug #3031721 "Qt has caught an
exception thrown from an event handler." The "Standard" objects
library was made read-write in one of the earlier builds
2010-07-17 Vadim Kurland <>
* DiscoveryDruid.cpp (DiscoveryDruid::DiscoveryDruid): fixed #1597
import method "import configuration of a firewall" is disabled on
the first page of the discovery druid
2010-07-15 Vadim Kurland <>
* newFirewallDialog_from_template.cpp (newFirewallDialog::replaceReferencesToNetworks):
fixed #1582 'tree is not refreshed after address substitutions in
"new firewall" wizard'
2010-07-14 Vadim Kurland <>
* FirewallInstaller.cpp (FirewallInstaller::packSCPArgs):
fixed #1571 "Installer does not work if firewall object name
contains spaces". Installer should use escaping to make sure
file name with a space is correctly interpreted by the script
it runs on the firewall.
* DiscoveryDruid.cpp (DiscoveryDruid::loadDataFromImporter):
fixed #1544 "fwbuilder crashes during import of file with rtf
formatting data". The fix should prevent crashes in other cases
when import was unsuccessful.
2010-07-13 Roman Bovsunivskiy <>
* instdialogoptions_q.ui: Added "Cancel All" button to stop all
firewalls installations, renamed OK button to "Install"
* instDialog_ui_opts.cpp (instDialog::getInstOptions): added support
for "Cancel All" dialog result code.
2010-07-12 Roman Bovsunivskiy <>
* instDialog_ui_opts.cpp (instDialog::fillCompileSelectList): fixed
wrong display of non-ascii symbols in cluster member compilation
* newFirewallDialog.cpp (newFirewallDialog::showPage): firewall names
are now resolved to IP address. Added new input element for firewall
IP address to use for SNMP interface discovery.
2010-07-11 Vadim Kurland <>
* FirewallInstaller.cpp (FirewallInstaller::packSSHArgs): fixed
bug 3027284: "redux settings for scp/ssh to respond to line
failure". The solution for bug 3020381 used to force ssh and scp
commands to use the parameters ServerAliveInterval and
ConnectTimeout to activate and configure ssh keepalive protocol.
These command line parameters were enforced and added to the input
fields where user enters the path to ssh and scp utilities on the
machine where fwbuilder GUI is running. This was confusing and
poor GUI design as the program was changing fields that were
supposed to be user-editable. This fix adds an input field for the
timeout value in seconds to the "Installer" tab of the global
preferences dialog. The program does not change strings entered by
the user for ssh and scp path anymore. The same timeout value is
used to set up ServerAliveInterval parameter for ssh,
ConnectTimeout parameter for scp and registry entries required by
plink and pscp on Windows.
2010-07-10 Vadim Kurland <>
* Importer.cpp (Importer::getFirewallObject): fixed bug #3027272:
"default values taken from unexpected sources". When new firewall
object was created using "Import Policy" function, parts of its
configuration were taken from default settings of an unexpected
host OS.
2010-07-09 Roman Bovsunivskiy <>
* newFirewallDialog.cpp (newFirewallDialog::finishClicked): fixed
crash when clicking finish after getting error about wrong IP
address or netmask
* FirewallCodeViewer.cpp (FirewallCodeViewer::fileSelected): now
when viewing again file that was viewed before scroll position is
same as user left it.
* instDialog_q.ui: renames "All" button to "Select all" and "None"
to "Select none"
* instDialog.cpp (instDialog::show): hide "Select all" and "Select none"
buttons when there is only one firewall in list
* instDialog.cpp (instDialog::showPage): next button on inspect page
is now not enabled if dialog called for compile only
2010-07-05 Roman Bovsunivskiy <>
* instDialog.cpp (instDialog::findFirewalls): sorting of firewall
and cluster items in compile/install dialog is now case insensitive.
* ProjectPanel.cpp (ProjectPanel::inspectAll)
* ObjectManipulator.cpp (ObjectManipulator::inspect): inspect is now
working with cluster objects.
2010-07-03 Vadim Kurland <>
* RuleSetView.cpp (RuleSetView::restoreCollapsedGroups): fixed
SourceForge bug 3020761 "printing from command line causes
Segmentation fault". Fixes #1533
2010-06-28 Vadim Kurland <>
* utils.cpp (parseCommandLine): See #1542 since now user can enter
different command line parameters together with the path to ssh and
scp clients in the global Preferences dialog, we need to parse
these properly. This is especially important if file paths or
arguments contain white space characters. Unit tests are in
2010-06-26 Vadim Kurland <>
* installer_commands_reg_user: all installation commands should be
on the single line in the configlet so they are sent to the
firewall as one line. When these commands were on separate lines,
linefeed characters between them appeared on the standard input of
command "sudo -S" and broke installation process. This only
happened in my tests when I ran GUI installer on windows and
looked like some sort of a race. When all commands are on the one
line the problem disappeared. Changed only configlets that used
sudo as part of installation script.
* CompilerDriver_pix_run.cpp (CompilerDriver_pix::pixNetworkZoneChecks):
do not verify network zones of unprotected interfaces. Compiler
does not allow the same object to be used as network zone of two
different interfaces, which caused problems when a vlan parent
interface has zone "Any". Vlan parent interface can not have ACLs
attached to it and does not need any meaningful network zone, so
"Any" is reasonable fill-in choice. However it coincides with network
zone of the "outside" interface which triggered this check.
* SSHUnx.cpp (SSHUnx::stateMachine): SF bug 3020381: "Line failure
should abort remote firewall install". If network connection is
lost during firewall policy activation, policy installer should
detect this, disconnect and declare installation session a
failure. Prior to v4.0.2, installer detected network failures
during policy copy (done with scp) or when it could not connect to
the firewall at all, but hung if connection was lost in the middle
of ssh session used to activate firewall policy. Now using ssh
parameter "ServerAliveInterval" to make it detect connection
failure. This does not work with plink.exe on Windows which does
not support these command line options. Still looking for a
* FWBSettings.cpp (FWBSettings::init): automatically adding ssh
parameters "-o ServerAliveInterval=2 -o ServerAliveCountMax=15" and
scp parameter "-o ConnectTimeout=30" to the path to ssh and scp in
the global preferences dialog, tab "Installer" to activate ssh
keepalive. This way, user can change values if they need
to. Default values define 30 sec timeout which should be rather
conservative. On windows automatically configuring plink.exe and
pscp.exe to load parameters of putty session "fwb_session_with_keepalive"
that turns keepalives on.
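Added example, not fwbuilder's own code: how a policy installer can put together the ssh and scp argument vectors described in the entries for #1571 (escaping a file name with a space), SF bug 3027284 and #1542 (the ssh/scp field may carry its own arguments and white space, and must not be rewritten by the program) and the FWBSettings entry above (keepalive and connect timeout derived from one timeout value). ServerAliveInterval, ServerAliveCountMax and ConnectTimeout are real OpenSSH options; the function names, the 2 second probe interval and the 30 second default are assumptions.

```python
# Added example (not fwbuilder's code): build the ssh/scp argument vectors a
# policy installer runs. Function and parameter names, the 2-second probe
# interval and the 30-second default are assumptions; ServerAliveInterval,
# ServerAliveCountMax and ConnectTimeout are real OpenSSH options.
import shlex
from typing import List

DEFAULT_TIMEOUT = 30      # seconds; assumed default for the "Installer" tab field
KEEPALIVE_INTERVAL = 2    # seconds between ssh keepalive probes (assumed)


def parse_tool_field(field: str) -> List[str]:
    """Tokenise the user's ssh or scp field, e.g. '"/opt/my tools/ssh" -p 2222'.

    shlex honours quotes, so a quoted path containing spaces stays a single
    argv element where a naive split on whitespace would break it. The user's
    text is never rewritten: extra options are appended to the returned list.
    """
    argv = shlex.split(field, posix=True)
    if not argv:
        raise ValueError("ssh/scp path is empty")
    return argv


def keepalive_options(timeout: int, interval: int = KEEPALIVE_INTERVAL) -> List[str]:
    """ssh options that make a session whose peer stopped answering fail after
    roughly `timeout` seconds (interval * count, e.g. 2 * 15 = 30)."""
    if timeout <= 0 or interval <= 0:
        raise ValueError("timeout and interval must be positive")
    count_max = max(1, timeout // interval)
    return ["-o", f"ServerAliveInterval={interval}",
            "-o", f"ServerAliveCountMax={count_max}"]


def remote_path_arg(path: str) -> str:
    """Quote a path the remote shell will interpret (the legacy scp protocol
    and the ssh command string both pass through it), so a firewall object
    name with a space, such as 'my firewall.fw', arrives intact."""
    return shlex.quote(path)


def build_scp_command(scp_field: str, local_file: str, user: str, host: str,
                      remote_path: str, timeout: int = DEFAULT_TIMEOUT) -> List[str]:
    """argv for copying the generated script to the firewall."""
    argv = parse_tool_field(scp_field)
    argv += ["-o", f"ConnectTimeout={timeout}", local_file,
             f"{user}@{host}:{remote_path_arg(remote_path)}"]
    return argv


def build_ssh_command(ssh_field: str, user: str, host: str, remote_path: str,
                      timeout: int = DEFAULT_TIMEOUT) -> List[str]:
    """argv for activating the copied script over ssh; the remote command is
    one argv element that the remote shell splits again, hence the quoting."""
    argv = parse_tool_field(ssh_field)
    argv += keepalive_options(timeout)
    argv += [f"{user}@{host}", f"sh {remote_path_arg(remote_path)}"]
    return argv


if __name__ == "__main__":
    print(shlex.join(build_scp_command("/usr/bin/scp", "/tmp/fw.fw", "root",
                                       "192.0.2.1", "/etc/fw/my firewall.fw")))
    print(shlex.join(build_ssh_command('"/opt/my tools/ssh" -p 2222', "root",
                                       "192.0.2.1", "/etc/fw/my firewall.fw")))
```

Passing the result to subprocess as a list (never as one joined string through a shell) keeps the local side free of quoting problems; the only quoting that remains necessary is for the remote shell, and it is done in one place.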
2010-06-25 Roman Bovsunivskiy <>
* FirewallCodeViewer.cpp (FirewallCodeViewer::FirewallCodeViewer):
See #1346. Mostly completed implementation of the viewer panel
that can be used to inspect generated firewall configuration files
from within the GUI. The panel can be opened using a button in the
mini-toolbar above firewall rules or as a page in the compile and
install wizard.
2010-06-24 Vadim Kurland <>
* OSConfigurator_linux24::printVirtualAddressesForNatCommands:
fixed bug 3001228 "v4.0.0 iptables: NAT not creating interface
addresses". Iptables script generated by fwbuilder used to include
commands to configure virtual ip addresses for NAT only if option
"configure interfaces" was turned on. Expected behavior is to
generate these commands when option "Add virtual addresses for
NAT" is turned on regardless of the setting of the option
"configure interfaces".
2010-06-22 Roman Bovsunivskiy <>
* fixed #1526 "Make sure GUI unit tests work in the environment
where user turned off tip of the day dialog". Unit tests now use
alternative settings file with all default values and do not
depend on user's preferences.
2010-06-18 Roman Bovsunivskiy <>
* fixed #1520 ("Comment field display clips comment text")
2010-06-17 Vadim Kurland <>
* PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext):
fixed #1523 "outbound ipv6 rule matching multicast ipv6 destination
is not generated". The rule with network object fe80::/10 in source
and ipv6 multicast ff00::/8 in destination did not produce corresponding
ip6tables command. The change affects other cases with rules using
broadcast or multicast objects that should be considered matching
the firewall object.
2010-06-17 Roman Bovsunivskiy <>
* RuleSetView.cpp: fixed SF bug 3016680 "Vertical scrollbar issue"
rules with a lot of objects did not scroll properly vertically.
* fixed #1493 "workflow icons in the big empty space". The GUI
shows big buttons in the empty space in the right hand side of the
main window when no firewall policy is opened yet. These buttons
provide simple shortcuts to the workflow functions useful for the
novice users. Currently this includes "Create new firewall",
"Import configuration of existing firewall" and "Watch Getting
Started Tutorial".
* fixed #1521 "GUI crashes upon exit on CentOS 5". This fixes
SourceForge bug reports 3016482 "segfault with RHEL5 pre-built
packages on CentOS 5.5" and 3015979 "fwbuilder not exiting in
centos 5.5"
2010-06-16 Vadim Kurland <>
* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed SF bug 3017084
"compiler adds extra quote characters to log-prefix string".
2010-06-15 Vadim Kurland <>
* IPTImporterRun.cpp (IPTImporter::run): policy importer for
iptables replaces --sport and --dport parameters of module
multiport with --source-ports and --destination-ports to remove
grammar ambiguity that arises from the use of the same parameters
--sport and --dport by different iptables modules with different
argument syntax.
* iptables.g (match_iprange_src): Fixed SF bug 3016779: Policy
importer for iptables should understand module iprange
* FWWindow.cpp (FWWindow::prepareFileMenu): fixed bug 3016720
"import policy disabled after file close". Menu items "File/Import
Library" and "File/Import policy" became disabled after user
closed data file using "File/Close" and never became enabled
2010-06-14 Roman Bovsunivskiy <>
* FWBSettings.cpp (FWBSettings::init): fixed #1504 Added (optional)
text to the toolbar buttons. Text is turned on by default but
can be turned off in the global Preferences dialog.
* Preferences.cpp: fixed #1505 move "Clip comments in rules"
checkbox to "Appearance" tab.
2010-06-14 Vadim Kurland <>
* release_notes_4.0.2.html: Added release notes for v4.0.2 to
the package. fixes #1515
* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed SF bug
3015641 "imported REJECT rule changed during compile". Importer of
iptables rules did not handle properly parameters of the REJECT
2010-06-12 Vadim Kurland <>
* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed #1516
policy importer for iptables should not use automatic ESTABLISHED
rule. (See also SF bug 3012953). Policy importer for iptables
always creates explicit rule to match ESTABLISHED,RELATED to make
sure it goes into the same chain as the original rule. Also in the
same fix, importer creates branch for iptables rules that match
both regular service and state ESTABLISHED,RELATED. The service is
matched in the main policy rule set, while ESTABLISHED,RELATED
state is matched in the branch.
* GroupObjectDialog.h (class GroupObjectDialog): fixed #1499
"GroupObjectDialogTest.cpp does not compile with gcc 3.4.6" and SF
bug 3015307. There is no reason to make method insertObject()
protected which caused problems (and hacky workaround) in the unit
* IPTImporter.cpp (IPTImporter::finalize): fixed SF bug #3015305
"compile error XML validity ". The problem was introduced with a
change that made policy importer capable of reproducing default
policies of main chains.
2010-06-11 Vadim Kurland <>
* fixed SF bug #3013743 "UI build warnings"
* longtextdialog_q.ui, objconflictresolutiondialog_q.ui: fixed
SF bug #3013735 "invalid pixmap properties during make". Fixed
uic warnings.
* IPServiceDialogTest.cpp (IPServiceDialogTest::testIpOptions):
fixed SF bug #3013855 "various fixes for run_tests". Applied
patch suggested by Michael J. Slifcak (with changes).
* DiscoveryDruid.cpp (DiscoveryDruid::browseForImport): fixed SF
bug #3013532 "file chooser dialog for import policy does not show
all files".
* IPTImporter.cpp (IPTImporter::finalize): fixed #1513 iptables
importer should check default policy in standard chains. Importer
creates rules at the bottom of the policy rule set to reproduce
default policies in the built-in chains INPUT,OUTPUT,FORWARD.
These rules are added only when default policy in these chains is
set to ACCEPT because generated iptables script always sets
default policies to DROP. Support for this in the mangle table is
limited so far, only default policies in PREROUTING, OUTPUT and
POSTROUTING can be implemented. Rules created for the commands
that set default policy in chains FORWARD and INPUT will generate
commands in PREROUTING chain instead. We will try to address this
in the future if there is sufficient demand.
2010-06-08 Vadim Kurland <>
* applied patch from to fix compiler
warnings. Patch applied partially since not all fixes were
appropriate. fixes #1510
* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed #1512 SF
bug 3012953: iptables importer sometimes does not recognize rule
with " ESTABLISHED,RELATED ". Parser properly processed iptables
rules with state "RELATED,ESTABLISHED" but not when states were
in the opposite order.
* IPTImporter.cpp (IPTImporter::pushPolicyRule): policy importer
for iptables can now parse numerical log levels.
* Importer.cpp (Importer::getUDPService): fixed sourceforge bug
3012953 name of UDP and TCP objects created during import should
follow the same pattern and not include "0-0" for the source ports
if they are equal to zero.
* IPTImporter.cpp (IPTImporter::IPTImporter): fixed #1511, SF bug 3012953:
iptables import parse error icmp_type any
2010-06-07 Vadim Kurland <>
* CompilerDriver_pix_run.cpp (CompilerDriver_pix::pixNetworkZoneChecks):
fixed #1491 fwb_pix crashes trying to compile simple rule. Compiler
should check validity of the object used as network zone of an interface.
* FWBSettings.cpp (FWBSettings::init): fixed #1501 call qsrand(seed)
to seed random generator before generating new UUID
* TransferDevice.h (fwtransfer): fixed #1490 compile problem with
Qt 4.7
* FWWindow.cpp (FWWindow::prepareRulesMenu): fixed #1489 removed
unnecessary debugging messages.
* interfaceProperties.cpp (interfaceProperties::manageIpAddresses):
fixed #1506 SF bug #3011516: generated iptables script tries to
update ip addresses of unnumbered interface.
* v4.0.2 started
2010-06-06 vadim <>
* FWBSettings.cpp (FWBSettings::FWBSettings): using separate
settings object and file in the .ini format to store instance uuid
to ensure uuid persistence on windows across upgrades done with
complete deinstall. Fixes #1497
* UserWorkflow.cpp (UserWorkflow::flagsToQueryString): added user
workflow progress flags for an attempted install and first
successful install. Both flags are boolean true/false indicating
that the event occurred. We do not track and do not report any
information about the firewall, platform, rules etc. These flags
will be used to determine how many users abandon the program
before even trying to run install for real because it is too
complicated or the UI is not good enough. Fixes #1495
* UserWorkflow.cpp (UserWorkflow::flagsToQueryString): added user
workflow flag indicating that ssh/scp have been configured in the
Preferences dialog. The flag is boolean and registers only the fact
that something was entered in ssh and scp fields. Actual path and
programs used are not registered and reported. Fixes #1496
2010-06-03 vadim <>
* v4.0.1 released
2010-06-02 vadim <>
* Preprocessor.cpp (Preprocessor::findMultiAddressObjectsUsedInRules):
change in libfwbuilder: fixed #1485 "dns name object is recognized
as an empty group when it appears in shared rule set"
2010-06-02 yalovoy <>
* fixes #1484 "paste below" function pastes rules out of order
1) copy 2 complete rules
2) go to a(nother) policy
3) right click on rule 0, say "paste rules below"
=> BUG: the two rules from the buffer become rules 0+2, the original
rule 0 becomes rule 1
The original should stay rule 0, the two from buffer become 1+2
Affected files: FWCmdRule.cpp, FWCmdRule.h, RuleSetView.cpp
2010-06-01 vadim <>
* Help.cpp (Help::downloadComplete): fixed #1482 Class Help should
open window only after successful download
* ObjConflictResolutionDialog.cpp (ObjConflictResolutionDialog::run):
refs #1483 If program detects change in CustomService object and
the change just adds code string for a platform that was not
in the object in the user's data file, the change is accepted without
showing the dialog.
* ../src/res/ fixed #1483 "missing code in the
custom service object ESTABLISHED for ProCurve"
2010-05-31 vadim <>
* FWWindow.cpp (FWWindow::checkForUpgrade): added mechanism for
one-time announcements that can be pulled from the web site
when version check server says there is one. Announcement is
shown only once. To do this, I store time stamp when it was shown
in settings using hash of the announcement url.
* Help.cpp (Help::setSource): made class Help capable of
downloading contents via HTTP.
* FirewallDialog.cpp (FirewallDialog::fillVersion): fixed #1481
when user changes platform in the firewall object, its version
should change too.
2010-05-28 vadim <>
* ObjectManipulator.cpp (ObjectManipulator::editSelectedObject):
see #1447 Reverting change done for ticket #1447 in r2892 and
r2896 because of the user complaints. It appears to be more
convenient if Policy, NAT and Routing objects open in the rule set
view on double click but not in the editor. Second double click
opens these objects in the editor.
2010-05-25 vadim <>
* (CPPUNIT_LIBS): fixed #1478 always use included
antlr run-time library. Because of the fixes I've made in
CircularQueue.hpp in 2008 for 64 bit systems, we should always
link with antlr run-time that is included with fwbuilder code tree
rather than attempt to use the one that might be installed with
the OS.
2010-05-24 vadim <>
* UserWorkflow.cpp (UserWorkflow::report): see #1466 Implemented
instrumentation that should help us improve user experience. Will
track few things that new users do (or don't do) and report as a
combination of boolean flags at the end of the GUI
session. Reporting things such as if user ever looked at the
"Getting Started" tutorial, if they created their first firewall
object, modified any rules, tried to compile, install or import
existing rule set. Information passed in the report is strictly a
set of boolean flags, it is not identifiable and does not reveal
what firewall platform they are using or anything about their
objects and rules. List of flags is listed in the module UserWorkflow.h
2010-05-23 vadim <>
* FWCmdAddObject.cpp (FWCmdAddObject::redo): fixed #1468 Open new
object in the editor after it has been created.
* applied patch by Vadim Jukov <>, maintainer of
OpenBSD port. Patch fixes compile issues on OpenBSD
2010-05-22 yalovoy <>
* fixes #1463 Always show branch rule set name with action "Branch"
affected files: RuleSetView.cpp, RuleSetViewDelegate.cpp, RuleSetViewDelegate.h
* fixes #1469 some actions should always display argument, even when text labels for actions and directions is off
affected files: RuleSetViewDelegate.cpp
2010-05-21 vadim <>
* RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject):
fixes #1467: "rule options dialog shows iptables parameters for
* FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getPolicyRuleOptions):
fixes #1457 "tooltips for rule options seem to be broken". Tooltip
always includes the line telling of the rule is "stateful" or
"stateless", the function almost never returns empty string now.
Added missing hashlimit parameters to the rule options
tooltip. Some of the more rarely used hashlimit parameters are
still not included in the tooltip. Improved tooltip formatting
using html table.
2010-05-20 vadim <>
* ProjectPanel.cpp (ProjectPanel::addRule): fixed #1461 Need
obvious button to add new rule to the empty rule set
* instDialog.cpp (instDialog::show): fixed #1462 "if you do a bulk
install, and then want to do a single install, bulk mode is
* ActionsDialog.cpp (ActionsDialog::setRule): fixed #1464
SourceForge bug 3004274: "Branch rule set object displays
improperly". Branch rule set attribute was not loaded properly
into Branch action dialog for rules of PF firewalls.
2010-05-17 vadim <>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printRule):
restored function of the "comment the code" in the "Script
options" of the firewall settings dialog for Cisco IOS ACL and
ProCurve ACL. When this checkbox is off, comments are not
added to generated script.
* RuleSetViewDelegate.cpp (RuleSetViewDelegate::paintOptions):
fixed #1460 "when "show icons in rules" is turned off, there is no
way to tell when logging is turned on and non-default options are
present in a rule".
* fixed #1339 "Logging" icon appears looking the same as "Rule
options" icon on Mac
2010-05-15 Vadim Kurland <>
* linux24Interfaces.cpp (linux24Interfaces::basicValidateInterfaceName):
fixed #1458 Should permit interface name "br-lan" for bridge interface
on Linux. Bridge interfaces on Linux can have any name, including those
with "-". OpenWRT creates bridge interface with the name "br-lan" by
2010-05-14 Vadim Kurland <>
* update_addresses: fixed #1455 Function update_addresses() (host
OS linux24 and derivatives) uses both ip and ifconfig. Should stick
with /sbin/ip so the script works on systems where ifconfig is
not installed.
2010-05-13 Vadim Kurland <>
* FWObjectDropArea.cpp (FWObjectDropArea::editObject): fixed #1452
double click on a rule set in the branch action dialog should open
it in rule set view
* iptables.g (MATCH_RECENT_SET): see #1451 "policy importer should
support some popular iptables modules". Added support for module
"recent" and rules that match standard ip/icmp/udp/tcp protocols
and at the same time module "mark", "length", "limit" or "recent".
Rules like these are translated into a combination of a branching
rule and additional rule in a branch rule set that implements
module match.
* iptables.g (multiport_tcp_udp_port_spec): fixes #1453 "iptables
importer should parse multiport module parameter --ports". Module
multiport with parameter "--ports" matches either source or
destination port numbers. Importer creates two tcp (or udp)
service objects to implement this match.
* IPTImporter.cpp (IPTImporter::addSrv): See #1450, SourceForge
ticket 3000809: iptables parser can now import "mark" module
matches with hexadecimal parameters and "length" module
matches. Also added check in the importer for broken iptables-save
files where rules for any table are not terminated with "COMMIT".
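Added example, not fwbuilder's importer: the sanity checks an iptables-save importer needs, taken from three entries on this page. The SourceForge 3000809 entry above adds a check for dumps in which a table is not terminated with "COMMIT"; the #1513 entry (2010-06-11) has the importer read the default policy of each built-in chain and append an explicit ACCEPT rule where the policy was ACCEPT, since the generated script always sets DROP and the import would otherwise silently tighten the policy; the #1512 entry (2010-06-08) concerns "--state" lists that were only recognised in one order. The dump below is constructed, the mangle chain mapping follows the #1513 entry, and the function names are assumptions.

```python
# Added example (not fwbuilder's importer): sanity checks for an iptables-save
# dump, following the entries for #1513, #1512 and SourceForge 3000809.
# The dump below is constructed; function names are assumptions.
import re
from typing import Dict, List

BUILTIN_FILTER_CHAINS = ("INPUT", "OUTPUT", "FORWARD")
# mangle: only PREROUTING/OUTPUT/POSTROUTING policies can be reproduced; per
# the #1513 entry, INPUT and FORWARD policies are emitted in PREROUTING instead.
MANGLE_CHAIN_MAP = {"PREROUTING": "PREROUTING", "OUTPUT": "OUTPUT",
                    "POSTROUTING": "POSTROUTING", "INPUT": "PREROUTING",
                    "FORWARD": "PREROUTING"}
HEADER_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)\s+\[\d+:\d+\]$")
STATE_RE = re.compile(r"--state\s+(\S+)")


def parse_iptables_save(text: str) -> Dict[str, Dict[str, str]]:
    """Return {table: {chain: policy}} for chains that carry a policy
    (user chains show '-' and are skipped).

    A table that is not terminated with COMMIT, or a line outside any table,
    raises ValueError: a truncated dump must not be imported as if complete.
    """
    tables: Dict[str, Dict[str, str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if current is not None:
                raise ValueError(f"line {lineno}: table {current} not terminated with COMMIT")
            current = line[1:]
            tables[current] = {}
        elif current is None:
            raise ValueError(f"line {lineno}: {line!r} appears outside any table")
        elif line == "COMMIT":
            current = None
        else:
            m = HEADER_RE.match(line)
            if m and m.group(2) != "-":
                tables[current][m.group(1)] = m.group(2)
    if current is not None:
        raise ValueError(f"table {current} not terminated with COMMIT")
    return tables


def default_policy_rules(tables: Dict[str, Dict[str, str]]) -> List[str]:
    """Trailing rules that reproduce ACCEPT default policies.

    The generated script sets every built-in chain to DROP, so an imported
    chain whose policy was ACCEPT needs an explicit catch-all ACCEPT rule.
    """
    rules: List[str] = []
    for chain, policy in tables.get("filter", {}).items():
        if chain in BUILTIN_FILTER_CHAINS and policy == "ACCEPT":
            rules.append(f"-t filter -A {chain} -j ACCEPT")
    for chain, policy in tables.get("mangle", {}).items():
        target_chain = MANGLE_CHAIN_MAP.get(chain)
        if policy == "ACCEPT" and target_chain:
            rule = f"-t mangle -A {target_chain} -j ACCEPT"
            if rule not in rules:      # INPUT/FORWARD both land in PREROUTING
                rules.append(rule)
    return rules


def state_set(rule: str) -> frozenset:
    """States matched by a rule's --state argument, independent of order."""
    m = STATE_RE.search(rule)
    return frozenset(m.group(1).split(",")) if m else frozenset()


def matches_established(rule: str) -> bool:
    """True for the rule the importer maps onto its ESTABLISHED,RELATED rule,
    whichever order the two states were written in (#1512)."""
    return state_set(rule) == {"ESTABLISHED", "RELATED"}


SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:my_chain - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j my_chain
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
COMMIT
"""

if __name__ == "__main__":
    for rule in default_policy_rules(parse_iptables_save(SAMPLE_DUMP)):
        print(rule)
```

Refusing a dump with a missing COMMIT is the conservative choice: the rules after the break may belong to a different table than they appear to, and importing them into the wrong table changes what the firewall enforces.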
2010-05-12 vadim <>
* configlets/procurve/installer_commands_pre_config: commands
for the installer for ProCurve
* instDialog.cpp (instDialog::isCiscoFamily): Using the same
built-in installer for Cisco and for ProCurve.
* procurveaclAdvancedDialog.cpp (procurveaclAdvancedDialog::procurveaclAdvancedDialog):
fixed #1449 options for ACL remarks and comments for ProCurve
* PolicyCompiler_procurve_acl_writers.cpp (PolicyCompiler_procurve_acl::printAccessGroupCmd):
generated commands that attach acl to a regular interface needed
newline after "exit".
* configlets/procurve/safety_net_acl: generating different
commands in "Safety net" install mode depending on whether
management interface is vlan or not.
2010-05-11 Vadim Kurland <>
* ObjectManipulatorTest.cpp (ObjectManipulatorTest::editSelectedObject):
see #1447 fixed unit test for this change
* ../src/res/configlets/dd-wrt-jffs/installer_commands_root:
fixes #1448 "need to commit nvram changes on DD-WRT".
* ObjectManipulator.cpp (ObjectManipulator::editSelectedObject):
fixes #1447: context menu item "Edit" associated with rule set
object in the tree opens it in the rule set view and the editor
panel. Menu item "Open" only opens it in the rule set view. This
eliminates strange behavior where it would open in the rule set
view on first click on "Edit" and then in the editor in the second
click on "Edit". Double click used to work the same, the first
double click opened in rule set view, the second in the
editor. Now double click always opens in rule set view and the
editor which is more consistent with the behavior for other object
* PolicyCompiler_procurve_acl_writers.cpp (PolicyCompiler_procurve_acl::printAccessGroupCmd):
ProCurve uses different syntax for vlan ACLs and ACLs bound to
switch ports. Enabled "advanced interface settings" dialog for
ProCurve interfaces.
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): button
"Advanced interface settings" is controlled by element
<supports_advanced_interface_options> in the host OS xml resource
file. Before, it was controlled by the element
<supports_subinterfaces>. I need this button and associated dialog
for vlan interfaces on ProCurves, where vlan interfaces are not
2010-05-10 vadim <>
* CompilerDriver_procurve_acl_run.cpp (CompilerDriver_procurve_acl::run):
See #1442 Support for HP ProCurve. Added experimental support for
HP ProCurve "intelligent" switches (L3). Code is based on the policy
compiler for Cisco IOS extended access lists. Differences include
';' character for comments, different naming convention for Vlan
interfaces ("VLAN 2", with a space), requirement to unbind an ACL
from interface before it can be cleared.
* CompilerDriver_iosacl.cpp (CompilerDriver_iosacl::safetyNetInstall):
using configlet "safety_net" to add temporary ACL for the "safety
net" install method.
2010-05-05 Vadim Kurland <>
* ProjectPanel_events.cpp (ProjectPanel::event): fixed #1443
GUI crashes compiling file opened read-only. If a file that was
added to RCS was opened read-only and then any firewall object
in it compiled, the GUI crashed trying to update "last_compiled"
* ssh_wrappers.cpp: fixed #1444 compile error on FreeBSD-Current
Compiler issues error "/usr/include/utmp.h:2:2: error: #error
<utmp.h> has been replaced by <utmpx.h>"
* started work on v4.0.1. VERSION set to 4.0.1 in libfwbuilder and
2010-05-04 Vadim Kurland <>
* v 4.0.0 released
2010-05-02 Vadim Kurland <>
* Helper.cpp (Helper::findInterfaceByNetzone): fixed #1439 "ssh
access rule uses wrong interface in the generated PIX config"
* instDialog_ui_ops.cpp (instDialog::opError): fixed #1438
"installer crashes when user interrupts install to PIX". This only
affected installs to PIX cluster and only if user decided to
interrupt the process.
2010-05-01 vadim <>
* new_object.cpp (_modObject): fixed #1437: fwbedit should support
object type Cluster.