[Bug 931152] New: During Default Installation Suse Firewall does NOT Assign any ZONE to the Network Interface Card
http://bugzilla.opensuse.org/show_bug.cgi?id=931152

Bug ID: 931152
Summary: During Default Installation Suse Firewall does NOT Assign any ZONE to the Network Interface Card
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Hardware: x86-64
OS: openSUSE 12.3
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: secure@aphofis.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

I have 4 x 12.3 Default Installations: 3 KDE, 1 Gnome. On inspection each and every PC showed the NIC as not being assigned to be in ANY Zone of the SuSEfirewall2. You can easily identify this by watching the boot log from ESC during Start-up and you find that SuSEfirewall2 doesn’t even start as such.

In the unlikely event you can't validate this I'll do a fresh install for you and send you logs, but sending you Yast Logs for any installation that is months old may yield little practical help due to size and other extraneous issues.

O.T. Thanks for bashing out the Bug fixes and wow thanks for putting the graphical Bug numbers back on screen. A development project without public access to numbers as it has been for a few years when it disappeared off our screens....well I won't say the obvious but Hey, unreal work being done to fix bugs if the daily updates are any example

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=931152

Andreas Stieger <astieger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |astieger@suse.com
         Resolution|---                         |WONTFIX

--- Comment #1 from Andreas Stieger <astieger@suse.com> ---
(In reply to Scott Couston from comment #0)
> I have 4 x 12.3 Default Installations: 3 KDE, 1 Gnome. On inspection each and every PC showed the NIC as not being assigned to be in ANY Zone of the SuSEfirewall2. You can easily identify this by watching the boot log from ESC during Start-up and you find that SuSEfirewall2 doesn’t even start as such.
>
> In the unlikely event you can't validate this I'll do a fresh install for you and send you logs, but sending you Yast Logs for any installation that is months old may yield little practical help due to size and other extraneous issues.

Hello Scott, thanks for reporting. However we are not accepting security issue reports against 12.3 anymore as it has reached its end of life:
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00003.html

Please check if the problem still persists on 13.1, 13.2 or Tumbleweed. If so, please re-open this issue, updating the relevant product/version fields and adding any updated information.

Thanks!
http://bugzilla.opensuse.org/show_bug.cgi?id=931152

Scott Couston <secure@aphofis.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |secure@aphofis.com
          Component|Security                    |Security
            Product|openSUSE 12.3               |openSUSE 13.1
   Target Milestone|---                         |Final
                 OS|openSUSE 12.3               |openSUSE 13.2

--- Comment #2 from Scott Couston <secure@aphofis.com> ---
Apologies for version error. My earlier statement that susefirewall not being present as started and running in start-up log is incorrect but definitely a default install assigns NO zone to the NIC
http://bugzilla.opensuse.org/show_bug.cgi?id=931152

Scott Couston <secure@aphofis.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |---

--- Comment #3 from Scott Couston <secure@aphofis.com> ---
Version number in text should read 13.2 not 12.3...apologies
http://bugzilla.opensuse.org/show_bug.cgi?id=931152

Andreas Stieger <astieger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |NEW
              Flags|                            |needinfo?(secure@aphofis.com)

--- Comment #4 from Andreas Stieger <astieger@suse.com> ---
Please outline what you think is the security impact of not having a zone assigned?

"Interfaces not explicitly configured as int, ext or dmz will be considered external."

The secure default behaves as if the ext zone was assigned, applying all default rules. You can verify this by looking at the configured iptables rules in such a system.
http://bugzilla.opensuse.org/show_bug.cgi?id=931152

Andreas Stieger <astieger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Security                    |Security
            Version|Final                       |13.2
            Product|openSUSE 13.1               |openSUSE Distribution
   Target Milestone|Final                       |13.2
http://bugzilla.opensuse.org/show_bug.cgi?id=931152
http://bugzilla.opensuse.org/show_bug.cgi?id=931152#c5

Scott Couston <secure@aphofis.com> changed:

           What    |Removed                       |Added
----------------------------------------------------------------------------
              Flags|needinfo?(secure@aphofis.com) |

--- Comment #5 from Scott Couston <secure@aphofis.com> ---
Sure, I can see now that the absence of a zone has no impact on the previous default since 9.0 of assigning the default interface to the external zone. It is difficult sometimes to test the efficacy of the firewall; for example, an NFS client can be configured via the interface whether or not the 'open firewall' is ticked.

Thanks
http://bugzilla.opensuse.org/show_bug.cgi?id=931152
http://bugzilla.opensuse.org/show_bug.cgi?id=931152#c6

Andreas Stieger <astieger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #6 from Andreas Stieger <astieger@suse.com> ---
Closing.. no zone implies external interface. Thanks for your concern.
http://bugzilla.opensuse.org/show_bug.cgi?id=931152
http://bugzilla.opensuse.org/show_bug.cgi?id=931152#c7

Joachim Wagner <jwagner@computing.dcu.ie> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jwagner@computing.dcu.ie

--- Comment #7 from Joachim Wagner <jwagner@computing.dcu.ie> ---
Posts 2 and 9 of https://forums.opensuse.org/showthread.php/518486-In-Yast-no-zone-assigned-t... show that some users wrongly assume that the "No zone" is always closed, allowing only outgoing connections. If this zone is then used for the public network and the external zone for a more secure but still not fully trusted network, this opens up security issues.

However, I don't think this is a big enough issue to change the software. Therefore, I submitted a documentation request as bug #989145.
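
An added example, not part of the bug thread and not SuSEfirewall2's own code: a shell check that reports which zone each interface effectively lands in, applying the rule quoted in comment #4 (an interface not listed as int, ext or dmz is treated as external) and flagging the implicit case that comment #7 says users misread as "closed". It assumes the zone lists are the FW_DEV_EXT, FW_DEV_INT and FW_DEV_DMZ variables of /etc/sysconfig/SuSEfirewall2; the sample file and interface names are constructed.

```shell
#!/bin/sh
# Read KEY="value" from a sysconfig-style file without sourcing it
# (sourcing would execute whatever the file contains). Last assignment wins.
get_var() {  # $1 = file, $2 = variable name
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#]*\)[\"']\{0,1\}.*\$/\1/p" "$1" | tail -n 1
}

# Return 0 if $1 appears among the remaining arguments.
in_list() {
    needle=$1; shift
    for item in "$@"; do [ "$item" = "$needle" ] && return 0; done
    return 1
}

# Print "<iface> <zone> <explicit|implicit>" for each interface given.
# "implicit" means the interface is in no zone list and therefore falls
# back to ext, per the documentation sentence quoted in comment #4.
effective_zones() {  # $1 = config file, rest = interface names
    conf=$1; shift
    ext=$(get_var "$conf" FW_DEV_EXT)
    int=$(get_var "$conf" FW_DEV_INT)
    dmz=$(get_var "$conf" FW_DEV_DMZ)
    for ifc in "$@"; do
        # Zone lists are space separated, so they are left unquoted to split.
        if   in_list "$ifc" $int; then echo "$ifc int explicit"
        elif in_list "$ifc" $dmz; then echo "$ifc dmz explicit"
        elif in_list "$ifc" $ext; then echo "$ifc ext explicit"
        else                           echo "$ifc ext implicit"
        fi
    done
}

# Constructed sample: eth0 has no zone assigned, as in the reported default install.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample, not taken from a real system
FW_DEV_EXT=""
FW_DEV_INT="br0"
FW_DEV_DMZ=""
EOF
effective_zones "$SAMPLE" eth0 br0
rm -f "$SAMPLE"
```

On a real host, pass the actual configuration file and the interface names present on the machine; any line ending in "implicit" is an interface that gets the external zone's rules without being listed in any zone.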
http://bugzilla.opensuse.org/show_bug.cgi?id=931152

Aaron Burgemeister <aburgemeister@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ab@suse.com,
                   |                            |aburgemeister@gmail.com