[Bug 309092] New: SuSE yast2 firewall configuration lacks some features thus requiring the user to use custom rules.
https://bugzilla.novell.com/show_bug.cgi?id=309092

Summary: SuSE yast2 firewall configuration lacks some features thus requiring the user to use custom rules.
Product: openSUSE 10.2
Version: Final
Platform: Other
OS/Version: openSUSE 10.2
Status: NEW
Keywords: accessibility, Bad_Design, UI
Severity: Major
Priority: P5 - None
Component: YaST2
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: olli@digger.org.ru
QAContact: jsrain@novell.com
CC: olli@digger.org.ru
Found By: ---

If I disallow connections to higher ports (that is OK in many cases) via the FW_ALLOW_INCOMING_HIGHPORTS_*="" setting (just leaving it default as recommended), I have no choice in the configuration interface to make incoming exceptions for replies to DNS queries. Well, generally that is usually not needed, but after installing the cisco vpn client I've noticed drops (default policy) of DNS replies injected by the vpn client (the cisco vpn client, if I understood right, somehow modifies the kernel with its own module, which creates an interface & injects packets in some place inside the kernel's packet routing. That may make connection tracking misunderstand the flow.).

Well, the bugs are:

1. There's no DNS client in the interface configuration (though there's DHCP & some other clients).

2. There's no direction (in/out) specification method in advanced settings (so I guess allowing a port allows it on INPUT, but not on OUTPUT) & thus I can't specify that replies to port 53 should be accepted - the port 53 is meant to be on my side & there's no way to specify that it's on the remote side via the GUI. And in general hiding the direction of the flow from _advanced_ settings is a bad idea.

PS: Yes, all of these can be solved via customising extra rules that are not visible via the yast2 firewall configuration interface.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
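The report above hinges on two things: a stateful firewall accepts a DNS reply only if connection tracking saw the query leave, and an explicit "accept UDP source port 53 to high ports" exception is the stateless workaround when that tracking is bypassed. The following toy model, added here as an illustration and not code from the bug report, YaST or SuSEfirewall2, runs three constructed inbound packets (a tracked reply, a reply whose query bypassed conntrack, and an unsolicited packet that merely uses source port 53) through the default policy, the exception the reporter asks for, and a narrower variant limited to the configured resolvers. All addresses, ports and the conntrack model are constructed for the example.

```python
# Toy model of how a stateful firewall handles UDP/53 replies to a client's
# high ports. Added illustration for the bug report above; it is not code
# from YaST or SuSEfirewall2. Addresses and ports are constructed examples.
from dataclasses import dataclass

HIGHPORT_MIN = 1024          # "higher ports" in the report's sense

# Constructed sample addresses (RFC 5737 documentation ranges, not real hosts).
CLIENT = "10.0.0.5"
VPN_DNS = "192.0.2.53"       # resolver pushed by the VPN
OTHER_HOST = "198.51.100.7"  # unrelated host that happens to send from port 53


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class Conntrack:
    """Minimal connection tracker: remembers outbound flows it has seen."""

    def __init__(self):
        self._flows = set()

    def note_outbound(self, pkt):
        # Store the flow keyed as the matching reply will look when it arrives.
        self._flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def is_reply(self, pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self._flows


def stateful_only(pkt, ct, dns_servers):
    """Default policy: accept only replies to flows conntrack saw leaving."""
    return ct.is_reply(pkt)


def sport53_any(pkt, ct, dns_servers):
    """Exception asked for in the report: any UDP sport 53 to a high port."""
    if ct.is_reply(pkt):
        return True
    return pkt.proto == "udp" and pkt.sport == 53 and pkt.dport >= HIGHPORT_MIN


def sport53_from_resolvers(pkt, ct, dns_servers):
    """Narrower exception: sport 53 to a high port, but only from known resolvers."""
    if ct.is_reply(pkt):
        return True
    return (pkt.proto == "udp" and pkt.sport == 53
            and pkt.dport >= HIGHPORT_MIN and pkt.src in dns_servers)


def evaluate():
    """Run three constructed inbound packets through each policy.

    Returns {policy_name: (tracked_reply, injected_reply, unsolicited)}
    with True meaning the packet is accepted.
    """
    ct = Conntrack()
    # A normal query the firewall saw leave, so conntrack knows about it.
    ct.note_outbound(Packet(CLIENT, 40000, VPN_DNS, 53))

    tracked_reply = Packet(VPN_DNS, 53, CLIENT, 40000)   # reply to the tracked query
    injected_reply = Packet(VPN_DNS, 53, CLIENT, 40001)  # query bypassed conntrack
    unsolicited = Packet(OTHER_HOST, 53, CLIENT, 40002)  # nobody asked this host anything

    policies = {
        "stateful_only": stateful_only,
        "sport53_any": sport53_any,
        "sport53_from_resolvers": sport53_from_resolvers,
    }
    resolvers = {VPN_DNS}
    return {
        name: tuple(policy(p, ct, resolvers)
                    for p in (tracked_reply, injected_reply, unsolicited))
        for name, policy in policies.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:24s} tracked={verdicts[0]} injected={verdicts[1]} "
              f"unsolicited={verdicts[2]}")
```

The output makes the trade-off concrete: the default policy drops the injected reply (the reporter's symptom), the blanket source-port-53 exception fixes it but also admits any unsolicited packet whose sender chose source port 53, and restricting the exception to the resolvers the VPN actually uses keeps the fix while narrowing the exposure. Whichever variant a GUI offers, it is a source-port match on inbound traffic, which is exactly the in/out distinction the report says the advanced settings hide.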
--- Comment #4 from Olli Artemjev
> is nothing we can do about it

Wrong, you may allow the user to implicitly allow replies from UDP 53. That will solve the problem with "some proprietary vpn solution" without requiring them to open configs with a text editor.

> is normally no need to open them explicitly

Well.. "normally" is the key. Are you developing a _useful_ interface or just a stub for kitchen dummies? If the second - just ignore my request. :/