Firewall Builder for PIX Release Notes

Version 1.1.2
Released 01/18/04

This policy compiler requires API library libfwbuilder version 1.0.2
and GUI v1.1.0 or later.

Bugs fixed in the policy compiler fwb_pix v1.1.2:
- fixed bug where fwb_pix would not allow multiple objects to be
used in "Translated Source" in NAT rules. Such a rule is
translated into a combination of one 'nat' command and
multiple 'global' commands that share its nat_id.
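The translation just described, as an added Python illustration that is not fwb_pix code: a constructed NAT rule whose Translated Source holds several address objects is compiled into a single 'nat' command and one 'global' command per object, all carrying the same nat_id. The NatRule class, the compile_nat_rule function and the sample addresses are assumptions made for this example.

```python
"""Added example, not fwb_pix code: compile one NAT rule whose Translated
Source holds several objects into one 'nat' plus several 'global' commands."""
import ipaddress


class NatRule:
    """Constructed model of a NAT rule (hypothetical class, not fwbuilder's)."""

    def __init__(self, original_source, inside_iface, outside_iface, translated_sources):
        self.original_source = ipaddress.ip_network(original_source, strict=False)
        self.inside_iface = inside_iface
        self.outside_iface = outside_iface
        # Translated Source objects: host or network strings, or (first, last) ranges.
        self.translated_sources = translated_sources


def compile_nat_rule(rule, nat_id):
    """Return the PIX commands for one rule: exactly one 'nat' command carrying
    nat_id, and one 'global' command per Translated Source object with that
    same nat_id, which is how PIX links a global pool to its nat statement."""
    if not rule.translated_sources:
        raise ValueError("NAT rule needs at least one Translated Source object")
    src = rule.original_source
    cmds = [f"nat ({rule.inside_iface}) {nat_id} {src.network_address} {src.netmask}"]
    for obj in rule.translated_sources:
        if isinstance(obj, tuple):  # explicit address range (first, last)
            first, last = obj
            cmds.append(f"global ({rule.outside_iface}) {nat_id} {first}-{last}")
            continue
        net = ipaddress.ip_network(obj, strict=False)
        if net.num_addresses == 1:  # a single address, which PIX uses for PAT
            cmds.append(f"global ({rule.outside_iface}) {nat_id} {net.network_address}")
        else:  # a whole network becomes a pool of its usable addresses
            hosts = list(net.hosts())
            cmds.append(f"global ({rule.outside_iface}) {nat_id} "
                        f"{hosts[0]}-{hosts[-1]} netmask {net.netmask}")
    return cmds


if __name__ == "__main__":
    rule = NatRule("10.0.0.0/24", "inside", "outside",
                   ["192.0.2.10", "192.0.2.32/30", ("192.0.2.40", "192.0.2.47")])
    print("\n".join(compile_nat_rule(rule, 1)))
```

The check that the rule has at least one translated object is the condition the fixed bug used to reject; the nat_id shared by every emitted line is what ties the globals back to the single nat command.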

Version 1.1.1

Bugs fixed in the policy compiler fwb_pix v1.1.1:
- fixed bug where fwb_inst_pix would get stuck waiting for
stdin if it was launched from the GUI running in the
background. stdin needs to be closed once it is no longer needed,
so that waitpid does not wait for something on stdin.
- fixed bug where fwb_inst_pix would use the "object-group
service" command during incremental install even for
icmp-type object groups.
- properly convert port names to numbers in the
configuration diff generated for incremental install. This
is necessary because PIX converts port numbers to names in the
output of "show object-groups" and "show run", while fwb_pix uses
numbers.
- object-group names now include the group type as well; this
makes the name truly unique and helps avoid conflicts in incremental
installs if a change in the policy causes the compiler to generate a
service group of a different type for the same rule ('icmp-type'
vs 'service').

Version 1.1.0

What's new

For the improvements and bug fixes in the Firewall Builder GUI v1.0.12
see the corresponding Release Notes document shipped with the source or
binary package, or on the web site at http://www.fwbuilder.org/archives/cat_release_notes.html

Improvements in the policy compiler for Cisco PIX:

Features that appeared in PIX v6.3:
- New fixup commands: 'ctiqbe', 'dns', 'icmp error',
'mgcp', 'pptp', 'sip udp', 'tftp'
- New logging features: syslog level and logging interval
can be set for an individual ACL rule. Corresponding GUI
controls have been added in fwbuilder, and changes have been
made to the options column and pop-up dialog of permit rules, as
well as to the logging icon.
- added support for "logging device-id" command
- added support for logging in EMBLEM format
- added support for marking ACL commands with original
rule numbers using ACL remarks.
- Commands "sysopt route dnat" and "sysopt security
fragguard" are deprecated in v6.3. The compiler is now aware of
this.
- v6.3 permits using an interface name in an ACL. The compiler
generates the appropriate ACL using the "interface nnnn" option if
the PIX OS version is 6.3 or later; compilation is aborted with
an error if the version is lower than 6.3.
- added support for policy NAT in both "nat" and "static"
commands
- Added support for "max_conns" and "emb_limit" options in
"nat" and "static" commands
- This version comes with an installer program,
fwb_inst_pix. The installer uses the standard command line SSH
client program to communicate with the firewall and can perform
incremental policy install on PIX v6.3. Incremental install
avoids resetting the PIX configuration in order to install
the new one; as a result the firewall does not break sessions
opened through it. The program comes with a manual page,
fwb_inst_pix(1); it has been tested on Linux, FreeBSD 4.8, 4.9,
5.1 and OpenBSD 3.3-current and 3.4-prerelease.
- This version comes with a program fwb_pix_diff which takes
two versions of the PIX config and produces a set of commands
that should bring the state of the firewall from config1 to
config2. This program is a command-line interface to the module
used in fwb_inst_pix for incremental installs and can be used
for testing and analysis.
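As an added example of what such a config diff involves (this is not fwb_pix_diff's code, whose internals are not described here), the Python below first normalises the port names PIX prints back into numbers, as the v1.1.1 notes above describe, and then computes the commands that take a constructed "current" configuration to a constructed "desired" one. The two configs, the PORT_NAMES subset and the function names normalize, parse and diff are all constructed for this illustration.

```python
"""Added example, not fwb_pix_diff itself: derive the commands that move a PIX
configuration from 'current' to 'desired', normalising port names first so that
the names PIX prints in 'show run' do not show up as spurious differences."""

# Constructed subset of the service names PIX substitutes for port numbers.
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "smtp": "25",
              "domain": "53", "ftp": "21", "ssh": "22", "telnet": "23"}


def normalize(line):
    """Rewrite port names that follow eq/gt/lt/range as numbers, leaving other
    tokens (such as the 'ssh' command keyword itself) untouched."""
    tokens = line.split()
    out = []
    for i, tok in enumerate(tokens):
        prev = tokens[i - 1] if i >= 1 else ""
        prev2 = tokens[i - 2] if i >= 2 else ""
        if tok in PORT_NAMES and (prev in ("eq", "gt", "lt", "range") or prev2 == "range"):
            tok = PORT_NAMES[tok]
        out.append(tok)
    return " ".join(out)


def parse(text):
    """Split a config into standalone commands and object-group blocks.
    Returns (set of commands, {group header: set of member lines})."""
    commands, groups, current = set(), {}, None
    for raw in text.splitlines():
        line = normalize(raw)
        if not line or line.startswith("!"):
            continue
        if line.startswith("object-group "):
            current = line
            groups.setdefault(current, set())
        elif raw[:1].isspace() and current is not None:  # indented member line
            groups[current].add(line)
        else:
            current = None
            commands.add(line)
    return commands, groups


def diff(current_text, desired_text):
    """Commands that turn current_text into desired_text, ordered so that a
    group exists before anything references it and is deleted only after."""
    cur_cmds, cur_groups = parse(current_text)
    new_cmds, new_groups = parse(desired_text)
    out = []
    # 1. new groups and new members first
    for header in sorted(new_groups):
        added = new_groups[header] - cur_groups.get(header, set())
        if added:
            out.append(header)
            out.extend(" " + m for m in sorted(added))
    # 2. drop commands that are no longer wanted, then add the new ones
    out.extend("no " + c for c in sorted(cur_cmds - new_cmds))
    out.extend(sorted(new_cmds - cur_cmds))
    # 3. prune members and whole groups last: a group that an access-list
    #    still references cannot be deleted
    for header in sorted(cur_groups):
        if header not in new_groups:
            out.append("no " + header)
            continue
        removed = cur_groups[header] - new_groups[header]
        if removed:
            out.append(header)
            out.extend(" no " + m for m in sorted(removed))
    return out


# Constructed sample: what 'show run' prints (names) versus what the compiler
# generates (numbers); only the 10.0.0.6 -> 10.0.0.7 change and the new icmp
# line are real differences.
CURRENT_CONFIG = """\
object-group network rule_1_net
 network-object host 10.0.0.5
 network-object host 10.0.0.6
object-group service rule_1_svc tcp
 port-object eq www
 port-object eq https
access-list inside_in permit tcp object-group rule_1_net any object-group rule_1_svc
access-list inside_in permit tcp any host 192.0.2.1 eq ssh
access-group inside_in in interface inside
"""

DESIRED_CONFIG = """\
object-group network rule_1_net
 network-object host 10.0.0.5
 network-object host 10.0.0.7
object-group service rule_1_svc tcp
 port-object eq 80
 port-object eq 443
access-list inside_in permit tcp object-group rule_1_net any object-group rule_1_svc
access-list inside_in permit tcp any host 192.0.2.1 eq 22
access-list inside_in permit icmp any any echo-reply
access-group inside_in in interface inside
"""

if __name__ == "__main__":
    print("\n".join(diff(CURRENT_CONFIG, DESIRED_CONFIG)))
```

Without the normalisation step the two service groups and the "eq ssh" line would all be reported as changed, which is exactly the spurious churn the v1.1.1 fix removes. One caveat: this set-based diff ignores the order of access-list lines, which determines evaluation order on the firewall; a real incremental installer has to preserve it.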

Bugs fixed in the policy compiler fwb_pix:
- added check for recursive groups (fwbuilder bug #774834:
compiler hangs on a group referencing itself)
- fixed bug (no #) where the compiler declared DNAT and SNAT
rules overlapping if both used the same interface of the
firewall, regardless of whether it had a static or dynamic
address. Such rules were considered to create overlapping
'global pool' and 'static' commands.
- fixed bug (no #) where the compiler declared two DNAT rules
redundant or overlapping even if the service objects used in OSrv
were different.
- fixed bug (no #) where the compiler tried to use an object-group
with the "icmp", "telnet" and "ssh" commands (PIX does not support
that).
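Two of the fixes in this list, the recursive-group check (#774834) and the expansion of groups for the "icmp", "telnet" and "ssh" commands, are illustrated together by the added Python below, which is not fwb_pix code: flatten_group follows nested groups and refuses a cycle instead of looping, and compile_access emits one line per member where PIX does not accept an object-group and a single group reference where access-list does. The GROUPS table and all function names are constructed for this example.

```python
"""Added example, not fwb_pix code: flatten nested address groups with a
recursion check, then emit PIX commands, expanding the group for commands that
do not accept 'object-group' (ssh, telnet, icmp) and referencing it where
access-list does."""
import ipaddress

# Constructed group table: name -> members (host/network strings or group names).
GROUPS = {
    "admins": ["10.0.0.5", "10.0.0.6/32", "ops"],
    "ops": ["10.0.1.0/24"],
    "loop_a": ["loop_b"],
    "loop_b": ["loop_a"],
}

# PIX commands that take an address and mask only, never an object-group.
NO_OBJECT_GROUP = ("ssh", "telnet", "icmp")


def flatten_group(name, groups, _path=()):
    """Return the member networks of a group, following nested groups.
    Raises ValueError when a group references itself directly or indirectly,
    the case that made the compiler hang (bug #774834)."""
    if name in _path:
        raise ValueError("recursive group: " + " -> ".join(_path + (name,)))
    nets = []
    for member in groups[name]:
        if member in groups:
            nets.extend(flatten_group(member, groups, _path + (name,)))
        else:
            nets.append(ipaddress.ip_network(member, strict=False))
    return nets


def is_recursive(name, groups=GROUPS):
    """True if the group cannot be flattened because it references itself."""
    try:
        flatten_group(name, groups)
        return False
    except ValueError:
        return True


def compile_access(command, group, iface, groups=GROUPS):
    """PIX commands giving every member of 'group' on 'iface' the named access.
    'command' is one of ssh, telnet, icmp or access-list."""
    nets = flatten_group(group, groups)
    if command in NO_OBJECT_GROUP:
        # These commands cannot reference a group: one line per member.
        verb = "icmp permit" if command == "icmp" else command
        return [f"{verb} {n.network_address} {n.netmask} {iface}" for n in nets]
    # access-list can reference the group, so define it once and refer to it.
    lines = [f"object-group network {group}"]
    for n in nets:
        if n.num_addresses == 1:
            lines.append(f" network-object host {n.network_address}")
        else:
            lines.append(f" network-object {n.network_address} {n.netmask}")
    lines.append(f"access-list {iface}_in permit ip object-group {group} any")
    return lines


if __name__ == "__main__":
    print("\n".join(compile_access("ssh", "admins", "inside")))
    print("\n".join(compile_access("access-list", "admins", "inside")))
    print("loop_a recursive:", is_recursive("loop_a"))
```

The path carried through the recursion is what turns an infinite loop into an error with the offending chain in its message; the same flattened member list then feeds either the expanded per-host form or the object-group form, so the two command styles cannot drift apart.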