Thursday, December 10, 2009

Test builds of upcoming Firewall Builder v4.0 available

A lot of new features and improvements in the GUI and compilers. The most important ones are support for high availability configurations (clusters), a redesign of the GUI, implementation of the "undo" function in the GUI and the "immediate compile" feature.

Discussion is ongoing on the fwbuilder-discussion mailing list (subscribe to the list here)

New packages are available as Firewall Builder v3.1. This version number is temporary and the code will be released as Firewall Builder v4.0 when it is ready. I do not want to imply that this is a public beta of v4.0 just yet, although it is very close.

I would like to know your opinion on the new GUI before I go to a full public beta.

Please take a look at the new version. It has many new features and overall I feel it has matured a lot. Come on, we now have undo :-)

Packages are available in the usual place:

As always, grab the latest build for testing.

Quick summary of new features in v3.1 (to be released as v4.0):

- undo for all operations with objects and rules

- use the main menu item View/Undo stack to open a window that shows the undo stack. Clicking a row in this window executes all commands up to that row, including the command shown in it. The highlighted row corresponds to the last command that has been executed.

- The object editor picks up and saves changes into the object when you hit Return in any text input field or move keyboard focus away from the entry field (i.e. click on another one). This works almost identically to the "automatic save changes" mode of v3.0.x, except that in v3.0 the change was saved into the object when you opened a different object in the editor.

- "Immediate compile". Just highlight a rule in a policy or NAT rule set and hit the 'x' key (or use the context menu item). This compiles that one rule and shows the generated script or configuration lines in the bottom panel of the GUI. This is great to quickly check what is being generated for some rule you are trying

- The editor panel, object tree and undo stack are now dockable windows. You can insert them into the main window (this is the default) or detach them and move them around on the screen. In the detached state they can overlap the main window, which should help when you use the application on a small screen (laptop).

- The tree, rules and editor are no longer tightly synchronized. Before, a single click in the tree would open the object in the editor. This caused problems if you wanted to populate a group of objects and needed to switch between object libraries or open many tree branches: this tended to switch the object shown in the editor even if you did not want or need it to. In the new version this does not happen. The group opened in the editor stays there, and you can navigate the tree and click in it freely until you find the object you want, then just drag it into the group.

- support for HA configurations. This includes a new object type "Cluster" that encapsulates the abstraction of the cluster, its interfaces and rules. The following failover protocols are supported: on Linux, heartbeat, OpenAIS and VRRP; on BSD, CARP; on PIX, its own protocol (I guess it does not have a special name). State synchronization protocols are supported as well.

- support for these HA protocols means the program can automatically add rules to permit packets that carry these protocols between the firewalls, and can configure VRRP interfaces with their own addresses and so on. I tried to explain this in more detail in the Release Notes, which are shown when you start the program.

- on Linux we can now generate a script to configure VLANs, bonding interfaces and bridges, dynamically update all of these, and also dynamically update the IP addresses of interfaces. In the older versions, including v3.0, the generated script removed all secondary addresses from interfaces and then added them back. The new version only removes addresses that have been removed in the GUI and adds the new ones.

- the generated Linux/iptables script has a standard structure with command line options "start", "stop" and a few others

- generated scripts are assembled from fragments that we call "configlets". You can override the configlets that come with the package and use your own to modify the generated script. This means you can make changes to the generated script without having to modify C++ code and rebuild the application

- configlets use a very simple macro language that supports variable expansion and an "if" construct for conditionals

- there has been a change in the generated script for rules that use dynamic interfaces. I implemented a change suggested by one of the users, who noticed that dynamic IPv6 addresses were not handled properly in v3.0.x and suggested a fix. The behaviour has changed as follows: 1) if you use a dynamic interface in a rule, the program generates a shell function that reads all IP addresses of this interface and uses them in the rule (before, it would only read and use the first address); 2) it does the same for IPv6 addresses if the rule belongs to an IPv6 rule set
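To illustrate the dynamic-interface change above, here is an added example (not code from Firewall Builder or its generated script) of the shape such a shell helper takes: it collects every address of an interface from `ip addr show` output, for both IPv4 and IPv6, and emits one rule per address instead of only the first. The interface name eth0, the sample `ip addr` output, the INPUT chain and port 22 are constructed assumptions; the real generated function and its parsing are fwbuilder's own.

```shell
# Constructed sample of `ip addr show dev eth0` output; not captured from a real host.
SAMPLE_IP_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth0
    inet6 2001:db8::10/64 scope global
    inet6 fe80::211:22ff:fe33:4455/64 scope link'

# addrs_of FAMILY TEXT
# Print every address of FAMILY ("inet" or "inet6") found in TEXT, one per line,
# with the prefix length stripped. On a live host TEXT would be
# "$(ip addr show dev "$iface")"; it is passed in here so the function runs offline.
addrs_of() {
    printf '%s\n' "$2" | awk -v fam="$1" '$1 == fam { sub(/\/.*/, "", $2); print $2 }'
}

# rules_for FAMILY CHAIN TEXT
# Emit one ACCEPT rule (SSH to the firewall itself) per address of FAMILY, i.e.
# the v4 behaviour (all addresses) rather than v3 (first address only).
# The iptables/ip6tables choice follows the address family of the rule set.
rules_for() {
    case "$1" in
        inet)  cmd=iptables ;;
        inet6) cmd=ip6tables ;;
        *)     echo "unknown address family: $1" >&2; return 1 ;;
    esac
    addrs_of "$1" "$3" | while read -r addr; do
        printf '%s -A %s -d %s -p tcp --dport 22 -j ACCEPT\n' "$cmd" "$2" "$addr"
    done
}

# Stand-alone usage: print the IPv4 and IPv6 rules for the sample interface.
rules_for inet INPUT "$SAMPLE_IP_ADDR"
rules_for inet6 INPUT "$SAMPLE_IP_ADDR"
```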

Thank you