This release includes fixes for a number of minor bugs, and it is the first release to officially support HP ProCurve ACL configuration. Thanks to a generous donation of several switches from Hewlett Packard we were able to test and finalize the ProCurve support. This release also fixes a critical bug in v4.1 related to Cisco IOS ACL configurations. Some configurations caused Firewall Builder to incorrectly generate an error with the message "Can not find interface with network zone that includes address A.B.C.D.".
v4.1.1 has been tested, and we believe it to be ready for production use, but if you do find a bug or issue please let us know.
Built-in policy installer now works with HP ProCurve switches. Currently the installer can only execute generated configuration lines one-by-one on the switch; the installation method using scp that is available for Cisco routers is not supported yet. This has been tested with ProCurve firmware K14.31 on a ProCurve J9470A Switch 3500-24. Caveat: manager access should not be configured with a user name (that is, no "password manager user-name foo").
fixed #1683 When a user creates a new firewall using SNMP scan, fwbuilder now guesses and assigns the type to interfaces that look like VLANs for the given platform and host OS.
fixed #1683 class procurveInterfaces interprets the interface "DEFAULT_VLAN" as a VLAN interface with VLAN id 1.
fixed #1693 SF bug 3048516 "NAT rule with 'Use SNAT instead MASQ' doesn't work". A NAT rule using a combination of the option "Use SNAT instead of MASQ", the dynamic address of an interface and source port translation produced an iptables command with incorrect syntax.
see #1685 "iptables redirecting NAT rules in the OUTPUT chain". This fix makes it possible to create an iptables NAT rule with target REDIRECT in the OUTPUT chain. The rule should have the firewall object in the OSrc and TDst rule elements.
fixed #1685 "iptables redirecting NAT rules in the OUTPUT chain". NAT rules are now allowed to translate from a CustomService to a TCP or UDP service, provided the CustomService object is configured with a matching protocol.
fixed #1686 "can not generate basic NAT branching rule". NAT branching rules were not generated in single rule compile mode because the compiler needs information about the targets used in the rules of the branch rule set to decide which chain the branching rule should be placed in. It now uses PREROUTING and POSTROUTING in single rule compile mode but issues a warning.
No changes in support for PF in this release.
fixed #1690 "IOS ACL and Procurve ACL compilers fail because interfaces are not assumed to have network zone any anymore". Compilers for Cisco IOS ACL and ProCurve ACL always assumed all interfaces have network zone "any". Changes made in 4.1.0 altered that assumption and the compilers stopped working for some rule configurations. This bug caused the compiler to fail with the error message "Can not find interface with network zone that includes address A.B.C.D".
No changes in support for PIX in this release.
fixed #1688 "Procurve ACL remarks should be in quotes if they include space".
fixed #1687 "temporary access list commands syntax is incorrect". The temporary ACL generated for the ProCurve platform had incorrect syntax.
The built-in installer has been tested and now works with ProCurve switches.