
SOK Cmd Tool 8.3 (batch) Serial Key: Best Practices and Common Errors



fixes #1999 "log() does not work". Uses the shell built-in utility "command" to verify that all the tools the generated script needs in order to function properly are available, either via a direct full path or through the PATH variable. This includes a check for the logger tool, which is used to write a log record when the firewall is activated.
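The kind of pre-flight check the fix describes, as an added example rather than the script fwbuilder itself generates; the tool list is an assumption, and "logger" is included because the generated script uses it to record the activation message:

```shell
#!/bin/sh
# Added example, not the fwbuilder-generated script: confirm that every tool
# the script will call is reachable, either as an absolute path or through
# PATH, using the shell built-in "command". The tool list below is assumed.

# Return 0 if the tool is usable, 1 otherwise. Absolute paths are checked
# directly; bare names are resolved through PATH with "command -v".
tool_available() {
    case "$1" in
        /*) [ -x "$1" ] ;;
        *)  command -v "$1" >/dev/null 2>&1 ;;
    esac
}

# Check a whitespace-separated list; report every missing tool on stderr
# and return 1 if any is missing, so the caller can abort before it starts
# changing the firewall.
check_tools() {
    missing=""
    for t in $1; do
        tool_available "$t" || missing="$missing $t"
    done
    if [ -n "$missing" ]; then
        echo "Missing tools:$missing" >&2
        return 1
    fi
    return 0
}

# Tools a generated iptables script typically needs (assumed list), including
# "logger" for the "firewall activated" syslog record.
REQUIRED_TOOLS="/sbin/iptables /sbin/ip logger sed grep"

if check_tools "$REQUIRED_TOOLS"; then
    echo "all required tools are available"
else
    echo "aborting before the firewall is activated" >&2
fi
```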


see #1823 "Add Preference option for Advanced / Power users". Added a checkbox to the Preferences dialog; this checkbox turns off some tooltips that can be annoying for users who are already sufficiently familiar with the GUI.








fixed #1730 "Add background help text and images to empty policy window". Shows a tooltip in the empty space of the rule set view; this tooltip provides hints on how to edit rules, which should be useful for beginners.


fixed #1744 "Add tooltip to the rule number". The column in the RuleSetView where the rule number is shown now has a tooltip to remind the user that they can click the right mouse button to open the context menu and use the keyboard shortcut "x" to compile the rule.


Added text to the tooltips shown for the "Direction" and "Action" rule elements to remind the user that to change these rule parameters they need to click the right mouse button to open the list of possible settings.


There are several new features in this version, including:

  • Support for Address Table objects that use the iptables ipset module

  • Integrated SSH tools (plink.exe and pscp.exe) in Windows installer package

  • New toolbar shortcut to view complete generated firewall configuration files in the GUI

  • Shortcut buttons in the main window to help new users get started more easily

  • Updated many dialog window sizes to work better for users with smaller displays (1024x768)

  • Added a new mode for stopping the firewall script called 'block'


See #1346. Added a viewer panel that can be used to inspect generated firewall configuration files from within the GUI. The panel can be opened using a button in the mini-toolbar above the firewall rules or as a page in the compile and install wizard.


fixes #1457 "tooltips for rule options seem to be broken". The tooltip always includes the line telling whether the rule is "stateful" or "stateless", so the function almost never returns an empty string now. Added missing hashlimit parameters to the rule options tooltip. Some of the more rarely used hashlimit parameters are still not included in the tooltip. Improved tooltip formatting using an HTML table.


  • Changes in the GUI

  • Changes in the Standard Objects library

  • Common changes in all policy compilers

  • Support for High Availability configurations

  • Cluster configuration for PIX

  • Changes in the support for bridging firewalls

  • Changes in support for iptables

  • Support for IPCOP

  • Support for OpenWRT

  • Support for DD-WRT

  • Changes in support for PF

  • Changes in support for Cisco IOS ACL

  • Changes in support for Cisco ASA (PIX)

  • Changes in the command line tool fwbedit


Error and warning messages generated by the policy compilers are highlighted in red and blue in the compiler output panel when you compile a single rule. When you compile all rules of the firewall using the toolbar buttons or the main menu items "Compile" or "Install", errors and warnings are also highlighted in the dialog. Clicking on an error or warning message opens the corresponding firewall and selects the rule that caused it.


  • Create your firewall objects. Assign platform and host OS and name interfaces as usual. Do not add any policy or NAT rules. These are your real (member) firewalls. Interfaces should have their real IP addresses (not CARP or VRRP addresses).

  • Create a Cluster object and configure it with the proper platform and host OS. Use the usual "New Object" menu or toolbar button to create this object. Note that in order for a firewall object to become a member of a cluster, its platform and host OS settings must match those of the cluster.

  • The program guides you through the process of creating the new Cluster object using a wizard-like dialog. You start with the list of firewall objects, where you choose which firewalls should become members of the cluster. Next, the program finds interfaces of the member firewalls that have the same name and can be part of the cluster, and creates cluster interfaces with the same name. Not all interfaces are eligible; for example, bridge ports, bonding interface slaves or parents of VLAN interfaces cannot be used for the cluster. Cluster interfaces define failover groups. You can add, remove or rename cluster interfaces, as well as change which interfaces of the member firewalls are used with each one. On the next page of the wizard you can change failover protocols and add, remove or change IP addresses of cluster interfaces. Not all failover protocols require IP addresses: VRRP or CARP do, but heartbeat or OpenAIS don't. Finally, you can choose to use the policy and NAT rules of one of the member firewalls to populate the Policy and NAT rule sets of the new cluster. If this is done, all references to the original member firewall and its interfaces in rules are replaced with references to the cluster and its interfaces. The program also creates backup copies of the member firewall objects, named with the suffix "-bak", and clears the Policy and NAT rule sets of the member firewall objects used with the cluster before the new cluster is created.

  • An OpenBSD or FreeBSD cluster gets carp interfaces. Name them "carp0", "carp1" or whatever indexes they have on your machines. You can add the CARP password and ID at the same time, but if you don't, you can add them later.

  • If you use heartbeat or OpenAIS (on Linux) for failover, cluster interfaces should have the same names as the corresponding member firewall interfaces. In this case, cluster interfaces are virtual entities that represent interfaces of the corresponding member firewalls. The program makes the substitution when it compiles rules. This is also how it works for the PIX failover configuration.

  • Each cluster interface has child "Failover group" object with the name "firewall:carp0:members" or similar. This is where you configure associated member firewall interfaces. Double click this object in the tree and then click "Manage Members" button in the dialog. Select interfaces of the member firewalls in the panel on the left hand side and click arrow button to add them to the list on the right. Use checkbox to select master. Click OK when done. The platform and host OS of the cluster object and members must match, otherwise firewall objects do not appear in the "members" dialog panel.

  • Besides interfaces, the Cluster object has a new child object "State Sync Group". This group represents the state synchronization protocol. Currently pfsync is supported for OpenBSD and conntrackd for Linux. To configure it, double click it in the tree to open it in the dialog and click "Manage Members". Select interfaces of the member firewalls in the panel on the left hand side and click the arrow button to add them to the list on the right. Use the checkbox to select the master. Click OK when done. They should appear in the "members" table in the State Sync Group dialog. The platform and host OS of the cluster object and members must match, otherwise firewall objects do not appear in the "members" dialog panel.

  • Button "Edit protocol parameters" allows you to edit some parameters for chosen failover protocol. This is where you can configure an address and port for heartbeat and OpenAIS.

  • There are a few new checkboxes in the "Script" tab of the firewall object dialog. These allow you to control whether the program will add shell commands to create and configure bonding, bridge and VLAN interfaces.

  • Compile by clicking the right mouse button on the cluster object and using the menu item "Compile". This in fact compiles each member firewall separately, so you get .fw and .conf files for both of them.

  • Again, you configure all the rules in the policy and NAT rule sets that belong to the cluster object. If you put the cluster's interfaces in rules, the program replaces them with the interfaces of the member firewall when it compiles rules. If you put the cluster object in a rule, it is as if you had put the member firewall object there instead, except that the program automatically picks the member firewall it is compiling the policy for.

  • First, the program looks at the Policy and NAT rule set objects of the cluster and member firewalls and compares their names. If there is a rule set object with the same name in both the cluster and the member firewall and both have a non-zero number of rules, the rule set object from the member is used and the one from the cluster is ignored. The program prints a warning message when this is done. If rule set objects with the same name exist but the one in the member firewall has zero rules, it is ignored and the one from the cluster is used (no warning is issued). Likewise, if there are rule sets with the same name but the one in the cluster has zero rules, it is ignored.

  • Here is what you need to do if you want to have most rules defined in the cluster, so they translate into rules for all member firewalls, but have some rules defined in the members so you can make the configurations of the members slightly different: create a separate rule set object in the cluster and in each member. Use a name different from "Policy" or "NAT"; let's use the name "member_override".

  • Create a rule with action "Branch" in the main Policy or NAT rule set of the cluster, and drag the rule set object "member_override" that belongs to the cluster to the well in the Branch action parameters dialog.

  • Leave the "member_override" rule set that is a child of the cluster object empty (no rules).

  • Add rules to the rule set "member_override" in each member firewall.

  • Make sure the rule set "member_override" is not marked as "Top ruleset" in the cluster or in any member. This rule set translates into a user-defined chain (iptables) or anchor (PF) and should not be the "top ruleset".

This method works for both policy and NAT rules on all platforms.
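A model of what the procedure above produces per member on iptables, as an added illustration rather than fwbuilder's own compiler output; the cluster interface name "outside", the member names fw1/fw2, their interface mapping and the sample rules are all constructed:

```shell
#!/bin/sh
# Added illustration, not output of fwbuilder's own compiler: how a cluster
# Policy holding a Branch to "member_override" is compiled for one member.
# Constructed setup: cluster interface "outside" is eth0 on fw1 and eth1 on
# fw2; "member_override" is empty in the cluster and populated in fw1 only.

# Cluster-level Policy, written against the cluster interface name.
cluster_policy() {
    printf '%s\n' \
        '-A INPUT -i outside -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT' \
        '-A INPUT -j member_override' \
        '-A INPUT -i outside -j DROP'
}

# Real interface that stands in for cluster interface "outside" on a member.
member_iface() {
    case "$1" in
        fw1) echo eth0 ;;
        fw2) echo eth1 ;;
        *)   return 1 ;;   # not a member of this cluster
    esac
}

# Rules of the "member_override" rule set defined inside each member
# firewall. fw2 has none, so its override chain stays empty.
member_override_rules() {
    case "$1" in
        fw1) printf '%s\n' '-A member_override -s 192.0.2.10 -j ACCEPT' ;;
        *)   : ;;
    esac
}

# Emit an iptables-restore fragment for one member: the cluster interface is
# replaced by the member's own interface, and member_override becomes a
# user-defined chain that the top ruleset (INPUT) branches into.
compile_member() {
    member=$1
    iface=$(member_iface "$member") || return 1
    printf '# compiled for member %s\n' "$member"
    printf '*filter\n:member_override - [0:0]\n'
    cluster_policy | sed "s/-i outside/-i $iface/g"
    member_override_rules "$member"
    printf 'COMMIT\n'
}

compile_member fw1
```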

