Sunday, October 12, 2008

What is new in Firewall Builder v3.0.2?

I started working on 3.0.2 even before I released 3.0.1. I had a few bugs and feature requests that were too big to squeeze into 3.0.1, which was almost ready for release, so I put them off for 3.0.2. Now the most important ones are done; here is the list:

  • The most noticeable of all is a major rewrite of the built-in policy installer. It looks the same UI-wise, but internally it is now quite different. Most importantly, it uses scp to copy the generated policy script to the firewall, which makes it work much, much faster. I have no estimates of the speed-up, but we are talking 10x at least on large scripts. This also helps a lot if you store a copy of the .fwb data file on the firewall, because .fwb files tend to be quite big and it took forever to copy them line by line as the old installer did. On Windows the installer uses pscp.exe; you'll need to install it separately and configure the path to it in the SSH tab of the Preferences dialog.
  • An option to compress the .fwb data file on disk. This option is controlled by a checkbox in the "Data file" tab of the Preferences dialog and it is off by default. It looks like compressed .fwb files are at least 10 times smaller. This may not matter as far as disk space on the management workstation is concerned, but if you save a copy of the .fwb file on the firewall, it matters when the firewall is an embedded device with a tiny filesystem.
  • Improvements in the internationalization support. One of the long-standing problems was the program's inability to properly handle a firewall name with non-ASCII characters. The firewall object name is used for the name of the generated configuration file/script, and these non-ASCII characters caused problems when a file with this name was saved on the disk but the installer could not find it. Now this works in all components.

I am still testing the new code; in particular, I need to test it with putty sessions on Windows. However, I wanted to offer this new version for beta testing as soon as possible because of the huge benefits it brings. Please test and let me know what you find.

Support for international characters in the firewall object name comes with some caveats:

  • I had to link the compilers with Qt in order to implement this. Until now, the policy compilers did not use Qt libraries and did not depend on them.
  • The dependency on Qt libraries means the compilers cannot be deployed on the firewall or a machine without X11 and Qt separately from the GUI.
  • pscp.exe on Windows does not seem to be able to pick up a file with non-ASCII characters in its name when the program runs on Windows with the standard English locale. I could not test on Windows running with a national locale. As a workaround, the user can specify an alternative name for the generated script in the firewall settings dialog (tab "Compiler").
  • Support for non-ASCII firewall object and generated script names is currently only available in the compiler for iptables.
  • The installer cannot take advantage of scp to copy the generated configuration to PIX and Cisco routers because of the way these platforms are configured.
As usual, 3.0.2 packages are posted to the nightly builds site at when they become available.


1 comment:

Cretu Ciprian said...

Very useful post. This is my first time here. I found so many interesting things in your blog, especially its discussion. Really a great article. Keep it up!