[Bug 732884] New: firewall activation during install(default) causes firewall deactivation with install finishing - user do not see that!
https://bugzilla.novell.com/show_bug.cgi?id=732884
https://bugzilla.novell.com/show_bug.cgi?id=732884#c0

           Summary: firewall activation during install(default) causes firewall deactivation with install finishing - user do not see that!
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Final
          Platform: x86-64
        OS/Version: SuSE Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: melchiaros@aol.com
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

Created an attachment (id=464186)
 --> (http://bugzilla.novell.com/attachment.cgi?id=464186)
yast2, message, warn, zypper

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

I've tried it with two independent openSUSE12.1 final 64bit installations:

The firewall is set to active during installation by default, but:

In the finished installation the firewall is in fact !deactivated!!!
-> instead of the default firewall activation setting in the install system (which I have not changed).

A user has to manually check that over the yast2 firewall module and has to activate it manually for the session and also has to activate the firewall start by system start.
-> Both have to be done when the firewall activation is set by the installation system!

Reproducible: Always

Steps to Reproduce:
1. Start the openSUSE12.1 final 64bit installation from the full 4.7GB DVD
2. Do the default installation of the system (I have switched off the separate home partition)
3. See in the final summary dialog that firewall is set to active by default and let it be like this.
4. Finish the installation and wait for the first start of the system.
5. After the first start of the system call yast2 -> firewall
6. See in the yast2 firewall module that the firewall is not active and also not starting with system start!
-> that is the opposite of what the user has chosen!!!

Actual Results:
Not working firewall after install by activating firewall during installation.
-> the opposite behavior of what is chosen in the installation system.

Expected Results:
The firewall should behave like it is set in the installation dialog.
-> By default the firewall should start, when it is set to start during installation (and by default).

There are three things to say about that (see it as personal comment):

1. I remember that such a problem was also there in openSUSE11.4 and maybe 11.3 (and maybe before; do not remember for that).
-> When a failure occurs regularly there should be a point in the shipping procedure during development cycle that point on checks for that.

2. I have as standard some server (also apache) installed. Just for figuring around. To have it quick there when I just need it, so that I do not spend extra time in such moments for installing and enabling.
-> I am sure that many others handle it like this.

3. You should think about your packager. A local installation of obs has a working apache server in its dependencies as far as I remember
-> It would be not so great when passwords for the official obs would get lost or spec files would get manipulated that would later find their way unrecognized of the manipulation with upload to the official obs.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=732884#c1

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lnussel@suse.com
         AssignedTo|security-team@suse.de       |yast2-maintainers@suse.de

--- Comment #1 from Ludwig Nussel <lnussel@suse.com> 2011-11-28 10:31:55 CET ---
Looks like you installed a xen host and then changed the network config which involves a Wireless interface. Maybe this confuses YaST. From the logs I can't see the errors. AFAICT SuSEfirewall2 is running.

https://bugzilla.novell.com/show_bug.cgi?id=732884#c

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Security                    |YaST2
         AssignedTo|yast2-maintainers@suse.de   |bnc-team-screening@forge.pr
                   |                            |ovo.novell.com
          QAContact|qa@suse.de                  |jsrain@suse.com

https://bugzilla.novell.com/show_bug.cgi?id=732884#c2

--- Comment #2 from melchiaros melchiaros <melchiaros@aol.com> 2011-11-28 11:19:17 UTC ---
"Looks like you installed a xen host":

-> No, not really, I've installed the xen pattern during installation (and some more patterns -> have not written this), but not set it up explicitly with all what is there for (e.g. ethernet bridge).

-> Also when xen would be set up there, an automatic firewall switch off (completely) should not be.

https://bugzilla.novell.com/show_bug.cgi?id=732884#c3

--- Comment #3 from melchiaros melchiaros <melchiaros@aol.com> 2011-11-28 18:03:37 UTC ---
Yes, an installation with the software without additional packages has a working firewall.

Anyway it does not help, even when the xen packages are installed, the firewall should work.

https://bugzilla.novell.com/show_bug.cgi?id=732884#c

Martin Vidner <mvidner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.pr |locilka@suse.com
                   |ovo.novell.com              |

https://bugzilla.novell.com/show_bug.cgi?id=732884#c4

Lukas Ocilka <locilka@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |locilka@suse.com
         AssignedTo|locilka@suse.com            |jdouglas@suse.com

--- Comment #4 from Lukas Ocilka <locilka@suse.com> 2011-12-01 11:59:22 UTC ---
OK, the problem is actually "enabling the firewall", of course, firewall was set to be started and enabled.

Enabling service SuSEfirewall2_init
insserv: Service syslog is missed in the runlevels 4 to use service xenstored
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.

Enabling service SuSEfirewall2_setup
insserv: Service syslog is missed in the runlevels 4 to use service xenstored
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.

Finally, firewall is started but it's not enabled...

reassigning

https://bugzilla.novell.com/show_bug.cgi?id=732884#c5

Charles Arnold <carnold@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
                 CC|                            |carnold@suse.com,
                   |                            |jfehlig@suse.com,
                   |                            |ohering@suse.com
       InfoProvider|                            |locilka@suse.com

--- Comment #5 from Charles Arnold <carnold@suse.com> 2011-12-05 15:58:21 UTC ---
Lukas,

Could you explain how this is a Xen specific problem? We are not understanding and would like some clarification.

https://bugzilla.novell.com/show_bug.cgi?id=732884#c6

Lukas Ocilka <locilka@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|locilka@suse.com            |

--- Comment #6 from Lukas Ocilka <locilka@suse.com> 2011-12-08 13:55:54 UTC ---
It only happens when Xen is used. It seems that there is an issue with xenstored service which makes insserv unable to enable SuSEfirewall2_init and SuSEfirewall2_setup services.

https://bugzilla.novell.com/show_bug.cgi?id=732884#c7

--- Comment #7 from Olaf Hering <ohering@suse.com> 2011-12-08 15:24:07 CET ---
Does insserv now really misbehave if a runlevel script happens to have number 4 in it?! Or is the output from comment #4 just a debug output?

https://bugzilla.novell.com/show_bug.cgi?id=732884#c

Charles Arnold <carnold@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|jdouglas@suse.com           |ohering@suse.com

https://bugzilla.novell.com/show_bug.cgi?id=732884#c8

Olaf Hering <ohering@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #8 from Olaf Hering <ohering@suse.com> 2012-01-02 11:03:37 CET ---
I have added a patch to trunk which removes 4 from Default-start/stop in the various LSB headers. But I'm not yet convinced this change will fix this bug, and if it does the bug is in the tools, not in the LSB headers.

https://bugzilla.novell.com/show_bug.cgi?id=732884#c9

Olaf Hering <ohering@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
       InfoProvider|                            |locilka@suse.com

--- Comment #9 from Olaf Hering <ohering@suse.com> 2012-01-02 17:17:34 CET ---
I tried to reproduce this, with a vnc install, xen pattern selected and automatic setup. After the initial boot vnc is still not accessible. I assume the firewall became active anyway:

..
Not shown: 998 filtered ports
PORT     STATE  SERVICE
5801/tcp closed vnc-http-1
5901/tcp closed vnc-1
..

Looking at the fresh installation from the rescue system, I see:

ls /mnt/etc/init.d/rc3.d/S
S01SuSEfirewall2_init  S04haveged           S09ntp
S01acpid               S04splash_early      S10cups
S01cpufreq             S07kbd               S10nscd
S01dbus                S08alsasound         S10postfix
S01earlysyslog         S08avahi-daemon      S10xend
S01fbset               S08bluez-coldplug    S11cron
S01microcode.ctl       S08mcelog            S11smartd
S01purge-kernels       S08network-remotefs  S11xendomains
S01random              S08splash            S12xinetd
S02network             S08sshd              S13SuSEfirewall2_setup
S03syslog              S08xencommons

Which means the firewall was enabled during second stage.

Lukas, what makes you think the runlevel 4 is the issue? Was there some hint in the provided yast logs?

https://bugzilla.novell.com/show_bug.cgi?id=732884#c10

--- Comment #10 from Olaf Hering <ohering@suse.com> 2012-01-03 10:24:58 CET ---
I tried a fresh install in a hyperv guest, with xen pattern selected. The firewall is active according to yast2 firewall.

What other extra patterns are required to trigger the bug? xen alone does not seem to be enough.

Lukas, comment #6 sounds to me like you were able to reproduce it yourself?

https://bugzilla.novell.com/show_bug.cgi?id=732884#c11

Lukas Ocilka <locilka@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
       InfoProvider|locilka@suse.com            |

--- Comment #11 from Lukas Ocilka <locilka@suse.com> 2012-01-03 11:45:15 UTC ---
Everything I know comes from the logs provided in the initial comment. Other installation (not using Xen) didn't suffer from this issue.

Why I think it's caused by Xen is this log entry:

--- cut ---
Enabling service SuSEfirewall2_init
insserv: Service syslog is missed in the runlevels 4 to use service xenstored
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.
--- cut ---
summarized in comment #4

If you still have issues with patched system, please provide YaST logs and I can try to find another (?) reason for this issue.

https://bugzilla.novell.com/show_bug.cgi?id=732884#c12

--- Comment #12 from Olaf Hering <ohering@suse.com> 2012-01-03 13:09:53 CET ---
(In reply to comment #11)
> Other installation (not using Xen) didn't suffer from this issue.

Yes, that's what's mentioned in the initial comments.

> Why I think it's caused by Xen is this log entry:
>
> --- cut ---
> Enabling service SuSEfirewall2_init
> insserv: Service syslog is missed in the runlevels 4 to use service xenstored
> Note: This output shows SysV services only and does not include native
> systemd services. SysV configuration data might be overridden by native
> systemd configuration.
> --- cut ---
> summarized in comment #4

This insserv output is just a warning.

> If you still have issues with patched system, please provide YaST logs and

I use the official iso image, so I can eventually reproduce the bug. But so far it does not happen for me. I will try it on bare hardware later this week.

https://bugzilla.novell.com/show_bug.cgi?id=732884#c13

--- Comment #13 from Olaf Hering <ohering@suse.com> 2012-01-03 17:04:22 CET ---
Now I was able to reproduce it. For 12.1 this submit request was ignored, and as a result no networkcard was recognized.
https://build.opensuse.org/request/show/87584 (bnc#716708)

Before I booted into the system, all runlevel 4 entries were removed. But the firewall was disabled anyway once the network card was configured manually.

So it must be something else than runlevel 4.

https://bugzilla.novell.com/show_bug.cgi?id=732884#c14

Lukas Ocilka <locilka@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
       InfoProvider|                            |ohering@suse.com

--- Comment #14 from Lukas Ocilka <locilka@suse.com> 2012-01-03 16:12:48 UTC ---
YaST logs would definitely help with debugging :)))

https://bugzilla.novell.com/show_bug.cgi?id=732884#c15

--- Comment #15 from Olaf Hering <ohering@suse.com> 2012-01-09 17:19:19 CET ---
(In reply to comment #14)
> YaST logs would definitely help with debugging :)))

I was not able to reproduce it with native hardware, but it did happen in a hyper-v guest for some reason. I will reproduce it once more and attach logs from that host.

https://bugzilla.novell.com/show_bug.cgi?id=732884#c16

Olaf Hering <ohering@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
       InfoProvider|ohering@suse.com            |

--- Comment #16 from Olaf Hering <ohering@suse.com> 2012-01-09 18:10:35 CET ---
Created an attachment (id=470300)
 --> (http://bugzilla.novell.com/attachment.cgi?id=470300)
bug732884.tar.xz

this is what I did in a 12.1 hyperv guest:

boot install with 'kexec_boot=0 panic=9'
use new install with automatic setup
use Europe/Germany, UTC
use KDE desktop
use whole disk, no home partition
enable xen pattern in software selection
start installation

after initial bootup and autologin, start a shell, become root.
remove symlinks to xencommons in /etc/init.d/rc4.d
edit xencommons and remove default-start: 4
verify that SuSEfirewall* scripts are enabled in rc5.d
start yast2, create a new network card with hv_netvsc driver and DHCP, leave other settings as they are.

Once yast is done, eth0 got an IP, but the SuSEfirewall* symlinks in rc5.d are gone.

I attached some logs.
The host is hammer175.arch.suse.de, root is the password

https://bugzilla.novell.com/show_bug.cgi?id=732884#c

Olaf Hering <ohering@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|ohering@suse.com            |locilka@suse.com

https://bugzilla.novell.com/show_bug.cgi?id=732884#c17

Lukas Ocilka <locilka@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P2 - High
         AssignedTo|locilka@suse.com            |mvidner@suse.com

--- Comment #17 from Lukas Ocilka <locilka@suse.com> 2012-01-10 15:20:07 UTC ---
For some reason, YaST Network has disabled the Firewall

network/lan/address.ycp:1200 ShowAndRun: `next
SuSEFirewall.ycp:1637 Removing interface 'eth0' from 'INT' zone.
SuSEFirewall.ycp:1637 Removing interface 'eth0' from 'DMZ' zone.
SuSEFirewall.ycp:1637 Removing interface 'eth0' from 'EXT' zone.
SuSEFirewall4Network.ycp:156 Disabling firewall, no interfaces are protected.
SuSEFirewall.ycp:1209 Setting enable-firewall to false
SuSEFirewall.ycp:1173 Setting start-firewall to false

https://bugzilla.novell.com/show_bug.cgi?id=732884#c18

--- Comment #18 from Olaf Hering <ohering@suse.com> 2012-01-10 16:29:11 CET ---
(In reply to comment #17)
> For some reason, YaST Network has disabled the Firewall

Is this also the case in the logs from the initial report?

https://bugzilla.novell.com/show_bug.cgi?id=732884#c19

--- Comment #19 from Lukas Ocilka <locilka@suse.com> 2012-01-13 15:39:46 UTC ---
I personally still believe it has something to do with Xen. But from your comments it seems all Xen "possible" issues were harmless.

https://bugzilla.novell.com/show_bug.cgi?id=732884#c20

Markus Abt <abt@comet.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |abt@comet.de

--- Comment #20 from Markus Abt <abt@comet.de> 2012-01-30 20:44:39 UTC ---
I can confirm this problem.

On three desktop systems, I have discovered that the firewall is not starting when booting. In contrast, on a laptop, the firewall does start when booting.

All four systems were installed similarly, a basic lxde installation with manual hardware configuration. Firewall was activated (with sshd allowed). Xen has not been installed.

In /var/log/Yast2/y2log, I can read:
--------------------
SuSEFirewall.ycp:1637 Removing interface 'eth0' from 'INT' zone.
SuSEFirewall.ycp:1637 Removing interface 'eth0' from 'DMZ' zone.
SuSEFirewall.ycp:1637 Removing interface 'eth0' from 'EXT' zone.
[...]
SuSEFirewall4Network.ycp:156 Disabling firewall, no interfaces are protected.
SuSEFirewall.ycp:1209 Setting enable-firewall to false
SuSEFirewall.ycp:1173 Setting start-firewall to false
--------------------

Only on the laptop, I can see later in the same file:
--------------------
SuSEFirewall4Network.ycp:143 Enabling firewall because of 'wlan0' interface
SuSEFirewall.ycp:1670 Adding interface 'wlan0' into 'EXT' zone.
SuSEFirewall.ycp:1209 Setting enable-firewall to true
SuSEFirewall.ycp:1173 Setting start-firewall to true
--------------------

So on the laptop, the firewall start was re-enabled due to the wlan card.

When starting the firewall manually on the desktops, it blocks incoming traffic, albeit eth0 is not assigned to external zone.

In some earlier versions of openSUSE, IIRC "any" was assigned to external zone. This seems not to be true any longer.

Arguably, I missed to explicitly assign eth0 to the external zone during manual network configuration. But this should not silently disable the firewall in my opinion.

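The log pattern quoted in comments #17 and #20, as an added example that is not part of the original thread and is not YaST code: a shell helper that replays those SuSEFirewall messages from a y2log file and reports the state YaST left the firewall in. The function names and the timestamp/host prefix of the sample lines are assumptions; only the message texts come from the comments.

```sh
#!/bin/sh
# Added example (not YaST code). Matches only the SuSEFirewall message texts
# quoted in this bug; whatever precedes them on a log line is ignored.

# y2log_firewall_state [FILE]   (reads stdin when no file is given)
# prints: enable=<v> start=<v> zones=<iface:zone,...|none> reason=<v>
y2log_firewall_state() {
    awk '
        # \047 is the single quote around interface and zone names.
        /Removing interface .* from .* zone/ {
            sub(/.*Removing interface /, ""); split($0, q, "\047")
            delete zone[q[2] ":" q[4]]
        }
        /Adding interface .* into .* zone/ {
            sub(/.*Adding interface /, ""); split($0, q, "\047")
            zone[q[2] ":" q[4]] = 1
        }
        /Disabling firewall, no interfaces are protected/ { reason = "no-protected-interface" }
        /Enabling firewall because of/ {
            sub(/.*Enabling firewall because of /, ""); split($0, q, "\047")
            reason = "interface-" q[2]
        }
        /Setting enable-firewall to/ { enable = $NF }
        /Setting start-firewall to/  { start = $NF }
        END {
            for (k in zone) list = list (list == "" ? "" : ",") k
            printf "enable=%s start=%s zones=%s reason=%s\n",
                (enable == "" ? "unknown" : enable), (start == "" ? "unknown" : start),
                (list == "" ? "none" : list), (reason == "" ? "unknown" : reason)
        }
    ' "$@"
}

# y2log_firewall_check [FILE]
# returns 0: last logged decision leaves the firewall enabled and started
#         1: YaST switched enable or start off
#         2: the log holds no enable/start decision
y2log_firewall_check() {
    state=$(y2log_firewall_state "$@") || return 2
    case "$state" in
        "enable=true start=true "*)       return 0 ;;
        "enable=unknown start=unknown "*) return 2 ;;
        *) echo "firewall not enabled and started: $state" >&2; return 1 ;;
    esac
}

# Constructed samples: message texts from comment #20, prefix made up.
sample_desktop_log() {
    cat <<'EOF'
2012-01-30 20:01:02 <1> host(1234) [YCP] SuSEFirewall.ycp:1637 Removing interface 'eth0' from 'INT' zone.
2012-01-30 20:01:02 <1> host(1234) [YCP] SuSEFirewall.ycp:1637 Removing interface 'eth0' from 'DMZ' zone.
2012-01-30 20:01:02 <1> host(1234) [YCP] SuSEFirewall.ycp:1637 Removing interface 'eth0' from 'EXT' zone.
2012-01-30 20:01:02 <1> host(1234) [YCP] SuSEFirewall4Network.ycp:156 Disabling firewall, no interfaces are protected.
2012-01-30 20:01:02 <1> host(1234) [YCP] SuSEFirewall.ycp:1209 Setting enable-firewall to false
2012-01-30 20:01:02 <1> host(1234) [YCP] SuSEFirewall.ycp:1173 Setting start-firewall to false
EOF
}
sample_laptop_log() {
    sample_desktop_log
    cat <<'EOF'
2012-01-30 20:01:05 <1> host(1234) [YCP] SuSEFirewall4Network.ycp:143 Enabling firewall because of 'wlan0' interface
2012-01-30 20:01:05 <1> host(1234) [YCP] SuSEFirewall.ycp:1670 Adding interface 'wlan0' into 'EXT' zone.
2012-01-30 20:01:05 <1> host(1234) [YCP] SuSEFirewall.ycp:1209 Setting enable-firewall to true
2012-01-30 20:01:05 <1> host(1234) [YCP] SuSEFirewall.ycp:1173 Setting start-firewall to true
EOF
}

# With a file argument, report on that log; without, run the constructed samples.
if [ "$#" -gt 0 ]; then
    y2log_firewall_state "$@"
else
    sample_desktop_log | y2log_firewall_state
    sample_laptop_log  | y2log_firewall_state
fi
```

Run after any YaST network change, `y2log_firewall_check` exits non-zero when the last logged decision was the "no interfaces are protected" switch-off, which is the silent state change this bug is about.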
https://bugzilla.novell.com/show_bug.cgi?id=732884#c21

Martin Vidner <mvidner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|mvidner@suse.com            |mfilka@suse.com

--- Comment #21 from Martin Vidner <mvidner@suse.com> 2013-09-09 14:47:02 CEST ---
yast2-network bugs -> Michal, the current maintainer

https://bugzilla.novell.com/show_bug.cgi?id=732884#c22

Michal Filka <mfilka@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #22 from Michal Filka <mfilka@suse.com> 2014-01-27 12:12:42 UTC ---
Seems similar to bnc#843646, bnc#803616

The issue should be fixed in:
- yast2-network 3.1.5
- yast2-firewall 3.1.1