Hello community, here is the log from the commit of package SuSEfirewall2 checked in at Fri Apr 4 10:33:52 CEST 2008. -------- --- SuSEfirewall2/SuSEfirewall2.changes 2008-03-28 14:42:32.000000000 +0100 +++ /mounts/work_src_done/NOARCH/SuSEfirewall2/SuSEfirewall2.changes 2008-04-04 10:06:49.000000000 +0200 @@ -1,0 +2,7 @@ +Fri Apr 4 10:06:20 CEST 2008 - lnussel@suse.de + +- remove X-UnitedLinux tags from init scripts +- update links in docu +- auto detect bridge interfaces and permit traffic + +------------------------------------------------------------------- Old: ---- SuSEfirewall2-3.6_SVNr189.tar.bz2 New: ---- SuSEfirewall2-3.6_SVNr193.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SuSEfirewall2.spec ++++++ --- /var/tmp/diff_new_pack.s25353/_old 2008-04-04 10:33:18.000000000 +0200 +++ /var/tmp/diff_new_pack.s25353/_new 2008-04-04 10:33:18.000000000 +0200 @@ -1,5 +1,5 @@ # -# spec file for package SuSEfirewall2 (Version 3.6_SVNr189) +# spec file for package SuSEfirewall2 (Version 3.6_SVNr193) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -13,7 +13,7 @@ Name: SuSEfirewall2 -Version: 3.6_SVNr189 +Version: 3.6_SVNr193 Release: 1 License: GPL v2 or later Group: Productivity/Networking/Security 
@@ -27,21 +27,12 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build %description -SuSEfirewall2 implements a packet filter to allow system administrators -to protect their computer and network by restricting the possibility of -other hosts connecting to them. This potentially saves you from -suffering under the design flaws and vulnerabilities that are found in -various daemons. - -SuSEfirewall2 uses the iptables and netfilter packet filtering -infrastructure, which allows a flexible rule setup and the creation of -a stateful firewall, because it keeps track of connections and has the -notion of related connections. - -For simply protecting a single host from attacks, you can set -SuSEfirewall2 in QUICK mode or use the personal-firewall configuration -file. Note that SuSEfirewall2 now includes the personal-firewall -functionality. +SuSEfirewall2 implements a packet filter that protects hosts and +routers by limiting which services or networks are accessible on the +host or via the router. + +SuSEfirewall2 uses the iptables/netfilter packet filtering +infrastructure to create a flexible rule set for a stateful firewall. @@ -197,6 +188,10 @@ rm -rf %{buildroot} %changelog +* Fri Apr 04 2008 lnussel@suse.de +- remove X-UnitedLinux tags from init scripts +- update links in docu +- auto detect bridge interfaces and permit traffic * Fri Mar 28 2008 lnussel@suse.de - fix typo in comment (bnc#350651) - don't check for /proc/net/stat/nf_conntrack when checking for ipv6 support 
@@ -508,13 +503,13 @@ mozilla. - #30789: Disable warning about not running named. named does only need port 53 in many configs and then the warning is bogus. -* Sat Sep 20 2003 garloff@suse.de +* Sun Sep 21 2003 garloff@suse.de - #27661: Close down IPv6 traffic as we can not yet filter it. - Patch to detect conflicts in antispoofing rules between ipsec interfaces in internal networks and external interfaces. - Fix one bug with logging logic. - Start SuSEfirewall2_setup after named. (#30789) -* Sat Sep 20 2003 garloff@suse.de +* Sun Sep 21 2003 garloff@suse.de - #27316: Fix determination of external interface in Personal- Firewall Mode. * Tue Sep 02 2003 mmj@suse.de ++++++ SuSEfirewall2-3.6_SVNr189.tar.bz2 -> SuSEfirewall2-3.6_SVNr193.tar.bz2 ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr189/README new/SuSEfirewall2-3.6_SVNr193/README --- old/SuSEfirewall2-3.6_SVNr189/README 2007-03-21 16:18:15.000000000 +0100 +++ new/SuSEfirewall2-3.6_SVNr193/README 2008-04-04 10:05:42.000000000 +0200 @@ -78,7 +78,7 @@ postfix, vsftpd, OpenSSH). ● Do not expose services that are designed for use in a LAN to the internet - (like e.g. samba or NFS). + (like e.g. samba, NFS, cups). ● Do not run untrusted software. (philosophical question, can you trust SUSE or any other software distributor?) @@ -86,7 +86,7 @@ ● Run YaST Online Update on a regular basis or enable it's automatic mode to get the latest security fixes. - ● Subscribe to the suse-security-announce mailinglist to keep yourself + ● Subscribe to the opensuse-security-announce mailinglist to keep yourself informed about new and upcoming security issues. ● If you are using a server as a firewall/bastion host to the internet for an 
@@ -100,8 +100,8 @@ 4. Reporting bugs -Report any problems via http://www.suse.de/feedback. For discussion about -SuSEfirewall2 join the suse-security mailinglist. +Report any problems via Bugzilla. For discussion about SuSEfirewall2 join the +opensuse-security mailinglist. 5. Links diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr189/README.html new/SuSEfirewall2-3.6_SVNr193/README.html --- old/SuSEfirewall2-3.6_SVNr189/README.html 2007-03-21 16:18:14.000000000 +0100 +++ new/SuSEfirewall2-3.6_SVNr193/README.html 2008-04-04 10:05:41.000000000 +0200 
@@ -1,6 +1,5 @@ -<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.71.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2245331"></a>SuSEfirewall2</h1></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2502966">1. Introduction</a></span></dt><dt><span class="section"><a href="#id2503072">2. Quickstart</a></span></dt><dd><dl><dt><span class="section"><a href="#id2503077">2.1. YaST2 firewall module</a></span></dt><dt><span class="section"><a href="#id2480530">2.2. Manual configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#id2480588">3. Some words about security</a></span></dt><dt><span class="section"><a href="#id2479998">4. Reporting bugs</a></span></dt><dt><span class="section"><a href="#id2480023">5. Links</a></span></dt><dt><span class="section"><a href="#id2480048">6. Author</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2502966"></a>1. 
Introduction</h2></div></div></div><p> +<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id2446949"></a>SuSEfirewall2</h2></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2528553">1. Introduction</a></span></dt><dt><span class="section"><a href="#id2528661">2. Quickstart</a></span></dt><dd><dl><dt><span class="section"><a href="#id2528667">2.1. YaST2 firewall module</a></span></dt><dt><span class="section"><a href="#id2506190">2.2. Manual configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#id2506249">3. Some words about security</a></span></dt><dt><span class="section"><a href="#id2505674">4. Reporting bugs</a></span></dt><dt><span class="section"><a href="#id2505697">5. Links</a></span></dt><dt><span class="section"><a href="#id2505722">6. Author</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2528553"></a>1. Introduction</h2></div></div></div><p> <code class="literal">SuSEfirewall2</code> is a shell script wrapper for the Linux firewall setup tool (<code class="literal">iptables</code>). It's controlled by a 
@@ -12,21 +11,21 @@ </p><div class="itemizedlist"><ul type="disc"><li><p>sets up secure filter rules by default</p></li><li><p>easy to configure</p></li><li><p>requires only a small configuration effort</p></li><li><p>zone based setup. Interfaces are grouped into zones</p></li><li><p>supports an arbitrary number of zones</p></li><li><p>supports forwarding, masquerading, port redirection</p></li><li><p>supports RPC services with dynamically assigned ports</p></li><li><p>allows special treatment of IPsec packets</p></li><li><p>IPv6 support</p></li><li><p>allows insertion of custom rules through hooks</p></li></ul></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2503072"></a>2. Quickstart</h2></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2503077"></a>2.1. YaST2 firewall module</h3></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2528661"></a>2. Quickstart</h2></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2528667"></a>2.1. YaST2 firewall module</h3></div></div></div><p> The YaST2 firewall module is the recommended tool for configuring SuSEfirewall2. It offers the most common features with a nice user interface and help texts. It also takes care of proper activation of the init scripts. - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2480530"></a>2.2. Manual configuration</h3></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2506190"></a>2.2. 
Manual configuration</h3></div></div></div><p> Enable the SuSEfirewall2 boot scripts: </p><div class="informalexample"><p> - <span><strong class="command">chkconfig SuSEfirewall2_init on</strong></span> + <span class="command"><strong>chkconfig SuSEfirewall2_init on</strong></span> </p><p> - <span><strong class="command">chkconfig SuSEfirewall2_setup on</strong></span> + <span class="command"><strong>chkconfig SuSEfirewall2_setup on</strong></span> </p></div><p> Edit <code class="filename">/etc/sysconfig/SuSEfirewall2</code> with your @@ -37,7 +36,7 @@ <code class="filename">EXAMPLES</code> file in <code class="filename">/usr/share/doc/packages/SuSEfirewall2</code> - </p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2480588"></a>3. Some words about security</h2></div></div></div><p> + </p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2506249"></a>3. Some words about security</h2></div></div></div><p> SuSEfirewall2 is a frontend for iptables which sets up kernel packet filters, nothing more and nothing less. This means that you are not @@ -53,7 +52,7 @@ (like postfix, vsftpd, OpenSSH). </p></li><li><p> Do not expose services that are designed for use in a LAN to the - internet (like e.g. samba or NFS). + internet (like e.g. samba, NFS, cups). </p></li><li><p> Do not run untrusted software. (philosophical question, can you trust SUSE or any other software distributor?) 
@@ -61,7 +60,7 @@ Run YaST Online Update on a regular basis or enable it's automatic mode to get the latest security fixes. </p></li><li><p> - Subscribe to the <a href="http://www.suse.com/us/private/support/online_help/mailinglists/index.html" target="_top">suse-security-announce</a> + Subscribe to the <a class="ulink" href="http://en.opensuse.org/Communicate/Mailinglists" target="_top">opensuse-security-announce</a> mailinglist to keep yourself informed about new and upcoming security issues. </p></li><li><p> 
@@ -76,22 +75,22 @@ Check your log files regularly for unusual entries. </p></li></ul></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2479998"></a>4. Reporting bugs</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2505674"></a>4. Reporting bugs</h2></div></div></div><p> - Report any problems via <a href="http://www.suse.de/feedback" target="_top">http://www.suse.de/feedback</a>. - For discussion about SuSEfirewall2 join the <a href="http://www.suse.com/us/private/support/online_help/mailinglists/index.html" target="_top">suse-security</a> + Report any problems via <a class="ulink" href="https://bugzilla.novell.com/" target="_top">Bugzilla</a>. + For discussion about SuSEfirewall2 join the <a class="ulink" href="http://en.opensuse.org/Communicate/Mailinglists" target="_top">opensuse-security</a> mailinglist. - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2480023"></a>5. Links</h2></div></div></div><p> - <a href="EXAMPLES.html" target="_top">Examples</a> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2505697"></a>5. Links</h2></div></div></div><p> + <a class="ulink" href="EXAMPLES.html" target="_top">Examples</a> </p><p> - <a href="FAQ.html" target="_top">Frequently Asked Questions</a> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2480048"></a>6. 
Author</h2></div></div></div><p> + <a class="ulink" href="FAQ.html" target="_top">Frequently Asked Questions</a> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2505722"></a>6. Author</h2></div></div></div><p> SuSEfirewall2 was originally created by <span class="author"><span class="firstname">Marc</span> <span class="surname">Heuse</span></span>. Most of it got rewritten and enhanced by it's current maintainer - <a href="mailto:ludwig.nussel@suse.de" target="_top"> + <a class="ulink" href="mailto:ludwig.nussel@suse.de" target="_top"> <span class="author"><span class="firstname">Ludwig</span> <span class="surname">Nussel</span></span> </a> diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr189/SuSEfirewall2 new/SuSEfirewall2-3.6_SVNr193/SuSEfirewall2 --- old/SuSEfirewall2-3.6_SVNr189/SuSEfirewall2 2008-03-28 14:39:20.000000000 +0100 +++ new/SuSEfirewall2-3.6_SVNr193/SuSEfirewall2 2008-04-04 10:05:24.000000000 +0200 @@ -569,9 +569,39 @@ done } +have_bridgeinterfaces() +{ + local i + for i in /sys/class/net/*/bridge; do + [ -e "$i" ] && return 0 + done + return 1 +} + +allow_bridgetraffic() +{ + local iptables + case "$FW_FORWARD_ALLOW_BRIDGING" in + yes) ;; + no) + return + ;; + auto|'') + have_bridgeinterfaces || return + ;; + esac + for iptables in "$IPTABLES" "$IP6TABLES"; do + $iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT + done +} + xen_forward_hack() { local dev iptables + + if [ -n "$FW_FORWARD_ALWAYS_INOUT_DEV" ]; then + warning "FW_FORWARD_ALWAYS_INOUT_DEV is deprecated and most likely not needed at all anymore" + fi for iptables in "$IPTABLES" "$IP6TABLES"; do for dev in $FW_FORWARD_ALWAYS_INOUT_DEV; do $iptables -A FORWARD -i $dev -o $dev -j ACCEPT 
@@ -643,6 +673,7 @@ $IP6TABLES -A INPUT -j "$ACCEPT" -i lo $IP6TABLES -A OUTPUT -j "$ACCEPT" -o lo + allow_bridgetraffic xen_forward_hack # workaround for ip6tables without state matching diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr189/SuSEfirewall2_setup new/SuSEfirewall2-3.6_SVNr193/SuSEfirewall2_setup --- old/SuSEfirewall2-3.6_SVNr189/SuSEfirewall2_setup 2007-06-13 09:37:50.000000000 +0200 +++ new/SuSEfirewall2-3.6_SVNr193/SuSEfirewall2_setup 2008-04-04 10:05:24.000000000 +0200 @@ -10,7 +10,6 @@ # Required-Start: SuSEfirewall2_init $network $local_fs # Should-Start: $ALL # Required-Stop: $local_fs -# X-UnitedLinux-Should-Stop: # Default-Start: 3 4 5 # Default-Stop: 0 1 2 6 # Short-Description: SuSEfirewall2 phase 2 diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr189/SuSEfirewall2.sysconfig new/SuSEfirewall2-3.6_SVNr193/SuSEfirewall2.sysconfig --- old/SuSEfirewall2-3.6_SVNr189/SuSEfirewall2.sysconfig 2008-03-28 14:39:20.000000000 +0100 +++ new/SuSEfirewall2-3.6_SVNr193/SuSEfirewall2.sysconfig 2008-04-04 10:05:24.000000000 +0200 
@@ -1095,7 +1095,25 @@ # # Format: list of interface names separated by space # +# Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING instead +# # Example: # FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0" # FW_FORWARD_ALWAYS_INOUT_DEV= + +## Type: string +## Default: +# +# Whether traffic that is only bridged but not routed should be +# allowed. Such packets appear to pass though the forward chain so +# normally they would be dropped. +# +# Choice: +# - yes: always install a rule to allow bridge traffic +# - no: don't install a rule to allow bridge traffic +# - auto: install rule only if there are bridge interfaces +# +# Defaults to "auto" if not set +# +FW_FORWARD_ALLOW_BRIDGING= ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
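Review bot: the `case "$FW_FORWARD_ALLOW_BRIDGING"` in allow_bridgetraffic() has no `*)` branch, so a value other than yes/no/auto/empty (a stray "Yes", "true" or "1") matches nothing and falls straight through to the `for iptables in "$IPTABLES" "$IP6TABLES"` loop, i.e. an invalid setting silently behaves like "yes" and installs the unconditional ACCEPT. Add a catch-all that warns and falls back to the documented default, e.g. `*) warning "invalid value for FW_FORWARD_ALLOW_BRIDGING"; have_bridgeinterfaces || return ;;`. Since the rule is `-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT` in both address families, nothing bridged through this host is subject to zone filtering once it is in place; that may well be the intent, but a one-line comment above the function should say so.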
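Review bot: at the @@ -643 call site allow_bridgetraffic runs right after the lo rules and before xen_forward_hack, so its ACCEPT becomes the first FORWARD rule and precedes every zone rule; fine if intended, but note it in the changelog since it changes what "auto" means for hosts that happen to have a bridge. The same loop also executes `$IP6TABLES -A FORWARD -m physdev ...`; the comment a few lines below ("workaround for ip6tables without state matching") shows this script still caters for ip6tables builds that lack match modules, and physdev is another such module. Either probe for it the way the state match is handled, or make sure a failing ip6tables invocation does not abort the rest of setup.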
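Review bot: the new deprecation warning in xen_forward_hack() tells the admin that FW_FORWARD_ALWAYS_INOUT_DEV is "most likely not needed" but not what replaces it; the sysconfig comment added in the same commit does ("use FW_FORWARD_ALLOW_BRIDGING instead"), so the warning text should name that option too. The old `-i $dev -o $dev -j ACCEPT` rules are still installed after the warning, so both mechanisms coexist for now; that is reasonable for a transition, but say so in the changelog entry.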
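Review bot: in the SuSEfirewall2.sysconfig hunk the `## Default:` line for FW_FORWARD_ALLOW_BRIDGING is empty while the prose says 'Defaults to "auto" if not set'; fill in the Default line so the metadata and the text agree, and restrict `## Type:` to the three allowed values instead of plain `string`. Typo: "pass though" should be "pass through". The security consequence should be stated bluntly: with "auto" (the default) any host that has a bridge device gets an unconditional ACCEPT for every frame matching --physdev-is-bridged, ahead of the zone rules, so bridged traffic is not filtered at all. One more caveat worth a sentence: bridged frames only traverse the FORWARD chain when the kernel's bridge-netfilter hook (net.bridge.bridge-nf-call-iptables / -ip6tables) is enabled; where it is off the rule matches nothing, which is harmless but will puzzle anyone counting on it.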
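Review bot: wording in the README hunks: "like e.g. samba, NFS, cups" doubles "like" and "e.g." (keep one), "it's automatic mode" should be "its", and "mailinglist" is two words. The same sentences appear in README.html, so the fixes belong in the DocBook source that generates both, otherwise the two copies drift apart.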
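Review bot: the README.html hunks are almost entirely anchor churn from the DocBook XSL upgrade (1.71.1 to 1.73.1: id2502966 becomes id2528553, and so on) plus the dropped `<?xml ...?>` prolog and the title tag changing from h1 to h2. Giving the sections explicit xml:id attributes in the DocBook source would keep these diffs reviewable and stop deep links such as "#id2503072" from silently breaking on every regeneration.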
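Review bot: the spec changelog hunk moves two 2003 entries from "Sat Sep 20 2003" to "Sun Sep 21 2003" without any mention in the new changelog entry. Both weekday/date pairs are internally consistent (Tue Sep 02 2003 in the same list confirms the calendar), so this is not a weekday correction; state the actual reason in the changelog so the next reader does not have to guess.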