Hello community, here is the log from the commit of package SuSEfirewall2 checked in at Wed Sep 20 16:23:09 CEST 2006.
--------
--- SuSEfirewall2/SuSEfirewall2.changes 2006-08-13 16:27:56.000000000 +0200
+++ SuSEfirewall2/SuSEfirewall2.changes 2006-09-20 14:51:21.000000000 +0200
@@ -1,0 +2,8 @@
+Wed Sep 20 14:50:34 CEST 2006 - lnussel@suse.de
+
+- honor zone specific FW_REJECT_* variables and reject instead of
+ dropping packets from the internal zone by default (#147263)
+- fix wrong default value in sysconfig metadata for
+ FW_SERVICES_ACCEPT_EXT
+
+-------------------------------------------------------------------
Old:
----
SuSEfirewall2-3.5_SVNr154.tar.bz2
New:
----
SuSEfirewall2-3.5_SVNr158.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ SuSEfirewall2.spec ++++++
--- /var/tmp/diff_new_pack.lQwuG5/_old 2006-09-20 16:19:17.000000000 +0200
+++ /var/tmp/diff_new_pack.lQwuG5/_new 2006-09-20 16:19:17.000000000 +0200
@@ -1,5 +1,5 @@
 #
-# spec file for package SuSEfirewall2 (Version 3.5_SVNr154)
+# spec file for package SuSEfirewall2 (Version 3.5_SVNr158)
 #
 # Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
@@ -12,8 +12,8 @@
 # icecream 0
 Name: SuSEfirewall2
-Version: 3.5_SVNr154
-Release: 2
+Version: 3.5_SVNr158
+Release: 1
 License: GPL
 Group: Productivity/Networking/Security
 Requires: lsof iptables 
@@ -187,6 +187,11 @@
 rm -rf %{buildroot}
 %changelog -n SuSEfirewall2
+* Wed Sep 20 2006 - lnussel@suse.de
+- honor zone specific FW_REJECT_* variables and reject instead of
+ dropping packets from the internal zone by default (#147263)
+- fix wrong default value in sysconfig metadata for
+ FW_SERVICES_ACCEPT_EXT
 * Sun Aug 13 2006 - ro@suse.de
 - remove update-messages
 * Wed Jul 19 2006 - lnussel@suse.de
++++++ SuSEfirewall2-3.5_SVNr154.tar.bz2 -> SuSEfirewall2-3.5_SVNr158.tar.bz2 ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.5_SVNr154/Makefile new/SuSEfirewall2-3.5_SVNr158/Makefile
--- old/SuSEfirewall2-3.5_SVNr154/Makefile 2006-07-17 11:09:36.000000000 +0200
+++ new/SuSEfirewall2-3.5_SVNr158/Makefile 2006-08-10 16:00:31.000000000 +0200
@@ -47,7 +47,7 @@
 ln $$i $(NVER)/$$dest; \
 done
 ln doc/susebooks.css $(NVER)/
- tar --owner=root --group=root -cjf $(ARCHIVE) $(NVER)
+ tar --owner=root --group=root --force-local -cjf $(ARCHIVE) $(NVER)
 rm -rf $(NVER)
 install:
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.5_SVNr154/SuSEfirewall2 new/SuSEfirewall2-3.5_SVNr158/SuSEfirewall2
--- old/SuSEfirewall2-3.5_SVNr154/SuSEfirewall2 2006-07-19 16:44:19.000000000 +0200
+++ new/SuSEfirewall2-3.5_SVNr158/SuSEfirewall2 2006-09-20 13:49:41.000000000 +0200
@@ -587,6 +587,8 @@
 function set_basic_rules()
 {
+ local itype
+
 load_modules ip_tables ip_conntrack $FW_LOAD_MODULES
 if [ "$FW_IPv6" != no ]; then 
@@ -1845,20 +1847,27 @@
 drop_all()
 {
 local chain
- local itype
- local chains
+ local zone
+ local drop
+ local chainprefix='input_'
- for chain in $input_zones; do
- chains="$chains input_$chain"
- done
+ for zone in $input_zones '--' $forward_zones; do
+
+ if [ "$zone" = '--' ]; then
+ [ "$FW_ROUTE" != 'yes' ] && break
+ chainprefix='forward_'
+ continue
+ fi
+
+ chain="$chainprefix$zone"
+
+ eval drop="\$FW_REJECT_`cibiz $zone`"
+ if [ "$drop" = "yes" ]; then
+ drop="$REJECT"
+ else
+ drop="$DROP"
+ fi
- if [ "$FW_ROUTE" = yes ]; then
- for chain in $forward_zones; do
- chains="$chains forward_$chain"
- done
- fi
-
- for chain in $chains; do
 # log and drop multicast packets separately to not flood
 # other log targets (#155326)
 $LDC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-DROP-DEFLT " -m pkttype --pkt-type multicast
@@ -1877,9 +1886,9 @@
 fi
 # log anything else
 $LDA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-DROP-DEFLT "
- $IPTABLES -A $chain -j "$DROP"
+ $IPTABLES -A $chain -j "$drop"
 $LDA $IP6TABLES -A $chain ${LOG}"-`rulelog $chain`-DROP-DEFLT "
- $IP6TABLES -A $chain -j "$DROP"
+ $IP6TABLES -A $chain -j "$drop"
 done
 }
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.5_SVNr154/SuSEfirewall2.sysconfig new/SuSEfirewall2-3.5_SVNr158/SuSEfirewall2.sysconfig
--- old/SuSEfirewall2-3.5_SVNr154/SuSEfirewall2.sysconfig 2006-07-19 16:36:16.000000000 +0200
+++ new/SuSEfirewall2-3.5_SVNr158/SuSEfirewall2.sysconfig 2006-09-20 14:46:59.000000000 +0200
@@ -225,6 +225,8 @@
 # the firewall.
 #
 # defaults to "yes" if not set
+#
+# see also FW_REJECT_INT
 #
 FW_PROTECT_FROM_INT="no"
@@ -383,7 +385,7 @@
 FW_SERVICES_REJECT_EXT="0/0,tcp,113"
 ## Type: string
-## Default: 0/0,tcp,113
+## Default:
 #
 # Services to allow. This is a more generic form of FW_SERVICES_{IP,UDP,TCP}
 # and more specific than FW_TRUSTED_NETS 
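Review bot: The per-zone override in drop_all is one-directional: after `eval drop="\$FW_REJECT_`cibiz $zone`"` only the value "yes" is tested and every other value (including an explicit "no") falls back to `$DROP`, so if `$DROP` is itself derived from the global FW_REJECT (initialised outside this hunk, not visible here) a zone set to "no" cannot override a global "yes", which is weaker than what the new sysconfig text promises. An explicit `elif [ "$drop" = "no" ]; then drop=DROP` branch would make the override symmetric; confirm against the code that initialises `$DROP` before adding it. The `eval` is also avoidable in bash with indirect expansion, `var="FW_REJECT_$(cibiz "$zone")"; drop=${!var}`, which keeps the zone name out of an evaluated string and quotes it. The function has no header comment; I would add `# Append the default log + drop/reject rules to every input_ zone chain and, when FW_ROUTE=yes, every forward_ zone chain; the target is $REJECT when FW_REJECT_<ZONE>=yes, else $DROP.` The second hunk at line 1886 only consumes `$drop` and needs no separate change.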
@@ -836,8 +838,22 @@
 #
 # Defaults to "no" if not set
 #
+# You may override this value on a per zone basis by using a zone
+# specific variable, e.g. FW_REJECT_DMZ="yes"
+#
 FW_REJECT=""
+## Type: yesno
+## Default: no
+#
+# see FW_REJECT for description
+#
+# default config file setting is "yes" assuming that slowing down
+# portscans is not strictly required in the internal zone even if
+# you protect yourself from the internal zone
+#
+FW_REJECT_INT="yes"
+
 ## Type: string
 #
 # 27.)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
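Review bot: The new FW_REJECT paragraph says the value may be overridden per zone but does not say what an unset or empty zone variable does, which is the state the shipped file leaves the other zones in; the text should state the fallback explicitly, e.g. after the example line add `# A zone variable that is unset or empty falls back to the global behaviour.` Whether a zone value of "no" overrides a global "yes" is not evident from the script hunk, so the paragraph should promise only what the code does; an administrator reading this comment will otherwise assume a symmetric override. The FW_REJECT_INT block states `## Default: no` while the shipped value is "yes"; the following comment explains why, but one sentence noting that the metadata default describes the unset case would remove the apparent contradiction.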