Hello community, here is the log from the commit of package SuSEfirewall2 checked in at Fri Mar 23 14:22:13 CET 2007. -------- --- SuSEfirewall2/SuSEfirewall2.changes 2007-03-08 11:45:52.000000000 +0100 +++ /mounts/work_src_done/NOARCH/SuSEfirewall2/SuSEfirewall2.changes 2007-03-23 14:03:07.000000000 +0100 @@ -1,0 +2,11 @@ +Fri Mar 23 14:01:14 CET 2007 - lnussel@suse.de + +- enhance FW_ALLOW_CLASS_ROUTING to allow routing in specific zones only +- prevent unintended inter-class routing when masquerading is enabled on + multiple interfaces in the same zone +- disable extra rules for established/related icmp packets as those + are useless +- accept icmpv6 in the OUTPUT chain to avoid excessive errors in log +- add IPv6 support for FW_ALLOW_CLASS_ROUTING and FW_FORWARD + +------------------------------------------------------------------- Old: ---- SuSEfirewall2-3.6_SVNr167.tar.bz2 New: ---- SuSEfirewall2-3.6_SVNr175.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SuSEfirewall2.spec ++++++ --- /var/tmp/diff_new_pack.z20589/_old 2007-03-23 14:21:46.000000000 +0100 +++ /var/tmp/diff_new_pack.z20589/_new 2007-03-23 14:21:47.000000000 +0100 @@ -1,5 +1,5 @@ # -# spec file for package SuSEfirewall2 (Version 3.6_SVNr167) +# spec file for package SuSEfirewall2 (Version 3.6_SVNr175) # # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -12,7 +12,7 @@ # icecream 0 Name: SuSEfirewall2 -Version: 3.6_SVNr167 +Version: 3.6_SVNr175 Release: 1 License: GNU General Public License (GPL) Group: Productivity/Networking/Security @@ -193,6 +193,14 @@ rm -rf %{buildroot} %changelog +* Fri Mar 23 2007 - lnussel@suse.de +- enhance FW_ALLOW_CLASS_ROUTING to allow routing in specific zones only +- prevent unintended inter-class routing when masquerading is enabled on + multiple interfaces in the same zone +- disable extra rules for established/related icmp packets as those + are useless +- accept icmpv6 in the OUTPUT chain to avoid excessive errors in log +- add IPv6 support for FW_ALLOW_CLASS_ROUTING and FW_FORWARD * Thu Mar 08 2007 - lnussel@suse.de - remove checks for binaries that are not requried anymore anyways - fix package dependencies ++++++ SuSEfirewall2-3.6_SVNr167.tar.bz2 -> SuSEfirewall2-3.6_SVNr175.tar.bz2 ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr167/README new/SuSEfirewall2-3.6_SVNr175/README --- old/SuSEfirewall2-3.6_SVNr167/README 2007-02-12 11:54:28.000000000 +0100 +++ new/SuSEfirewall2-3.6_SVNr175/README 2007-03-21 16:18:15.000000000 +0100 @@ -13,6 +13,7 @@ 3. Some words about security 4. Reporting bugs 5. Links +6. Author 1. Introduction @@ -37,7 +38,7 @@ ● allows special treatment of IPsec packets - ● IPv6 support (no forwarding/masquerading) + ● IPv6 support ● allows insertion of custom rules through hooks @@ -108,3 +109,8 @@ Frequently Asked Questions +6. Author + +SuSEfirewall2 was originally created by Marc Heuse. Most of it got rewritten +and enhanced by it's current maintainer Ludwig Nussel + diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr167/README.html new/SuSEfirewall2-3.6_SVNr175/README.html --- old/SuSEfirewall2-3.6_SVNr167/README.html 2007-02-12 11:54:27.000000000 +0100 +++ new/SuSEfirewall2-3.6_SVNr175/README.html 2007-03-21 16:18:14.000000000 +0100 @@ -1,6 +1,6 @@ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.71.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2245331"></a>SuSEfirewall2</h1></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2502966">1. Introduction</a></span></dt><dt><span class="section"><a href="#id2503072">2. Quickstart</a></span></dt><dd><dl><dt><span class="section"><a href="#id2503078">2.1. YaST2 firewall module</a></span></dt><dt><span class="section"><a href="#id2480530">2.2. Manual configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#id2480589">3. Some words about security</a></span></dt><dt><span class="section"><a href="#id2479999">4. Reporting bugs</a></span></dt><dt><span class="section"><a href="#id2480024">5. Links</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2502966"></a>1. Introduction</h2></div></div></div><p> +<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.71.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2245331"></a>SuSEfirewall2</h1></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2502966">1. Introduction</a></span></dt><dt><span class="section"><a href="#id2503072">2. Quickstart</a></span></dt><dd><dl><dt><span class="section"><a href="#id2503077">2.1. YaST2 firewall module</a></span></dt><dt><span class="section"><a href="#id2480530">2.2. Manual configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#id2480588">3. Some words about security</a></span></dt><dt><span class="section"><a href="#id2479998">4. Reporting bugs</a></span></dt><dt><span class="section"><a href="#id2480023">5. Links</a></span></dt><dt><span class="section"><a href="#id2480048">6. Author</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2502966"></a>1. Introduction</h2></div></div></div><p> <code class="literal">SuSEfirewall2</code> is a shell script wrapper for the Linux firewall setup tool (<code class="literal">iptables</code>). It's controlled by a @@ -10,9 +10,9 @@ Main features of SuSEfirewall2: - </p><div class="itemizedlist"><ul type="disc"><li><p>sets up secure filter rules by default</p></li><li><p>easy to configure</p></li><li><p>requires only a small configuration effort</p></li><li><p>zone based setup. Interfaces are grouped into zones</p></li><li><p>supports an arbitrary number of zones</p></li><li><p>supports forwarding, masquerading, port redirection</p></li><li><p>supports RPC services with dynamically assigned ports</p></li><li><p>allows special treatment of IPsec packets</p></li><li><p>IPv6 support (no forwarding/masquerading)</p></li><li><p>allows insertion of custom rules through hooks</p></li></ul></div><p> + </p><div class="itemizedlist"><ul type="disc"><li><p>sets up secure filter rules by default</p></li><li><p>easy to configure</p></li><li><p>requires only a small configuration effort</p></li><li><p>zone based setup. Interfaces are grouped into zones</p></li><li><p>supports an arbitrary number of zones</p></li><li><p>supports forwarding, masquerading, port redirection</p></li><li><p>supports RPC services with dynamically assigned ports</p></li><li><p>allows special treatment of IPsec packets</p></li><li><p>IPv6 support</p></li><li><p>allows insertion of custom rules through hooks</p></li></ul></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2503072"></a>2. Quickstart</h2></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2503078"></a>2.1. YaST2 firewall module</h3></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2503072"></a>2. Quickstart</h2></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2503077"></a>2.1. YaST2 firewall module</h3></div></div></div><p> The YaST2 firewall module is the recommended tool for configuring SuSEfirewall2. It offers the most common features with a nice user @@ -37,7 +37,7 @@ <code class="filename">EXAMPLES</code> file in <code class="filename">/usr/share/doc/packages/SuSEfirewall2</code> - </p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2480589"></a>3. Some words about security</h2></div></div></div><p> + </p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2480588"></a>3. Some words about security</h2></div></div></div><p> SuSEfirewall2 is a frontend for iptables which sets up kernel packet filters, nothing more and nothing less. This means that you are not @@ -76,14 +76,23 @@ Check your log files regularly for unusual entries. </p></li></ul></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2479999"></a>4. Reporting bugs</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2479998"></a>4. Reporting bugs</h2></div></div></div><p> Report any problems via <a href="http://www.suse.de/feedback" target="_top">http://www.suse.de/feedback</a>. For discussion about SuSEfirewall2 join the <a href="http://www.suse.com/us/private/support/online_help/mailinglists/index.html" target="_top">suse-security</a> mailinglist. - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2480024"></a>5. Links</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2480023"></a>5. Links</h2></div></div></div><p> <a href="EXAMPLES.html" target="_top">Examples</a> </p><p> <a href="FAQ.html" target="_top">Frequently Asked Questions</a> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2480048"></a>6. Author</h2></div></div></div><p> + + SuSEfirewall2 was originally created by + <span class="author"><span class="firstname">Marc</span> <span class="surname">Heuse</span></span>. + Most of it got rewritten and enhanced by it's current maintainer + <a href="mailto:ludwig.nussel@suse.de" target="_top"> + <span class="author"><span class="firstname">Ludwig</span> <span class="surname">Nussel</span></span> + </a> + </p></div></div></body></html> diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr167/SuSEfirewall2 new/SuSEfirewall2-3.6_SVNr175/SuSEfirewall2 --- old/SuSEfirewall2-3.6_SVNr167/SuSEfirewall2 2007-03-08 11:15:56.000000000 +0100 +++ new/SuSEfirewall2-3.6_SVNr175/SuSEfirewall2 2007-03-21 16:17:12.000000000 +0100 @@ -1291,22 +1291,24 @@ $IP6TABLES -A $chain -j "$ACCEPT" -p icmpv6 --icmpv6-type echo-request done fi - local icmp_types="$safe_icmp_replies" - for itype in $icmp_types; do - for chain in $input_zones; do - chain=input_$chain - $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-ICMP " -m state --state ESTABLISHED,RELATED -p icmp --icmp-type $itype - $IPTABLES -A $chain -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -p icmp --icmp-type $itype - done - done - icmp_types="$safe_icmpv6_replies" - for itype in $icmp_types; do - for chain in $input_zones; do - chain=input_$chain - $LAA $IP6TABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-ICMP " -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type $itype - $IP6TABLES -A $chain -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type $itype - done - done + +# not needed as there is a generic accept rule for ESTABLISHED,RELATED +# local icmp_types="$safe_icmp_replies" +# for itype in $icmp_types; do +# for chain in $input_zones; do +# chain=input_$chain +# $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-ICMP " -m state --state ESTABLISHED,RELATED -p icmp --icmp-type $itype +# $IPTABLES -A $chain -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -p icmp --icmp-type $itype +# done +# done +# icmp_types="$safe_icmpv6_replies" +# for itype in $icmp_types; do +# for chain in $input_zones; do +# chain=input_$chain +# $IP6TABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-ICMP " -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type $itype +# $IP6TABLES -A $chain -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -p icmpv6 --icmpv6-type $itype +# done +# done # DROP rules for input ICMP are after trusted handling (see below) # state matching for these does not work @@ -1318,6 +1320,7 @@ $IP6TABLES -A $chain -j "$ACCEPT" -p icmpv6 --icmpv6-type $itype done done + $IP6TABLES -A OUTPUT -j "$ACCEPT" -p icmpv6 # XXX: some are not catched by conntrack, should be fixed in kernel } allow_forward_icmp_echo() @@ -1690,20 +1693,26 @@ } -# parameters: zone interfaces -# assuming that only traffic from $zone interface enter the forward_$zone chain -# anyways, we don't need the -i parameter allow_class_routing() { - [ "$FW_ALLOW_CLASS_ROUTING" != yes ] && return + local chain iface devs zone iptables - local chain iface devs zone - for zone in $forward_zones; do + if [ "$FW_ALLOW_CLASS_ROUTING" = 'yes' ]; then + FW_ALLOW_CLASS_ROUTING="$forward_zones" + elif [ "$FW_ALLOW_CLASS_ROUTING" = 'no' ]; then + return + fi + + # assuming that only traffic from $zone interface enter the + # forward_$zone chain anyways, we don't need the -i parameter + for zone in $FW_ALLOW_CLASS_ROUTING; do eval devs="\$FW_DEV_$zone" chain=forward_$zone for iface in $devs; do - $LAA $IPTABLES -A $chain $LOG"-`rulelog $chain`-ACC-CLASS " -o $iface - $IPTABLES -A $chain -j "$ACCEPT" -o $iface + for iptables in "$IPTABLES" "$IP6TABLES"; do + $LAA $iptables -A $chain $LOG"-`rulelog $chain`-ACC-CLASS " -o $iface + $iptables -A $chain -j "$ACCEPT" -o $iface + done done done } @@ -1728,7 +1737,7 @@ # <source network>,<destination network>[,protocol[,port[,flags]]] forwarding_rules() { - local nets net1 net2 flags more_args_in more_args_out chain + local nets net1 net2 flags more_args_in more_args_out chain iptables for nets in $FW_FORWARD; do IFS=, eval set -- \$nets @@ -1758,17 +1767,22 @@ fi if [ -n "$net1" -a -n "$net2" ]; then + if [ "${net1//:/_}" != "$net1" -o "${net2//:/_}" != "$net2" ]; then + iptables=$IP6TABLES + else + iptables=$IPTABLES + fi for chain in $forward_zones; do chain=forward_$chain - $LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-FORW " -s $net1 -d $net2 $proto $port -m state --state NEW $more_args_in - $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-FORW " -s $net1 -d $net2 $proto $port $more_args_in - $IPTABLES -A $chain -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s $net1 -d $net2 $proto $port $more_args_in - $IPTABLES -A $chain -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -s $net2 -d $net1 $proto $rport $more_args_in + $LAC $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC-FORW " -s $net1 -d $net2 $proto $port -m state --state NEW $more_args_in + $LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC-FORW " -s $net1 -d $net2 $proto $port $more_args_in + $iptables -A $chain -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s $net1 -d $net2 $proto $port $more_args_in + $iptables -A $chain -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -s $net2 -d $net1 $proto $rport $more_args_in if [ -n "$more_args_out" ]; then - $LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-FORW " -s $net1 -d $net2 $proto $port -m state --state NEW $more_args_out - $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-FORW " -s $net1 -d $net2 $proto $port $more_args_out - $IPTABLES -A $chain -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s $net1 -d $net2 $proto $port $more_args_out - $IPTABLES -A $chain -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -s $net2 -d $net1 $proto $rport $more_args_out + $LAC $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC-FORW " -s $net1 -d $net2 $proto $port -m state --state NEW $more_args_out + $LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC-FORW " -s $net1 -d $net2 $proto $port $more_args_out + $iptables -A $chain -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s $net1 -d $net2 $proto $port $more_args_out + $iptables -A $chain -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -s $net2 -d $net1 $proto $rport $more_args_out fi done else @@ -1779,7 +1793,9 @@ masquerading_rules() { - local nets net1 net2 proto port dev chain snet2 sport + local nets net1 net2 proto port dev snet2 sport + local szone dzone sdev sdevs + local z d for nets in $FW_MASQ_NETS; do IFS=, eval set -- \$nets @@ -1803,14 +1819,30 @@ fi for dev in $FW_MASQ_DEV; do - for chain in $forward_zones; do - chain=forward_$chain - $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-MASQ " -s $net1 $net2 $proto $port -o $dev - $IPTABLES -A $chain -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s $net1 $net2 $proto $port -o $dev - # we need to allow the replies as well - $LAA $IPTABLES -A $chain -d $net1 $snet2 $proto $rport -i $dev ${LOG}"-`rulelog $chain`-ACC-MASQ " -m state --state ESTABLISHED,RELATED - $IPTABLES -A $chain -d $net1 $snet2 $proto $rport -i $dev -j "$ACCEPT" -m state --state ESTABLISHED,RELATED + d=${dev//[^A-Za-z0-9]/_} + eval z=\${iface_$d} + + for dzone in $forward_zones; do + dzone=forward_$dzone + for szone in $forward_zones; do + [ "$z" = "$szone" ] && continue + eval sdevs="\$FW_DEV_$szone" + for sdev in $sdevs; do + [ "$sdev" = "$dev" ] && continue + if [ "forward_$z" != "$dzone" ]; then + #echo "$dzone: $sdev ($szone) -> $dev ($z)" + $LAA $IPTABLES -A $dzone ${LOG}"-`rulelog $dzone`-ACC-MASQ " -s $net1 $net2 $proto $port -i $sdev -o $dev + $IPTABLES -A $dzone -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s $net1 $net2 $proto $port -i $sdev -o $dev + else + #echo "$dzone: $sdev ($szone) <- $dev ($z)" + # we need to allow the replies as well + $LAA $IPTABLES -A $dzone -d $net1 $snet2 $proto $rport -i $dev -o $sdev ${LOG}"-`rulelog $dzone`-ACC-MASQ " -m state --state ESTABLISHED,RELATED + $IPTABLES -A $dzone -d $net1 $snet2 $proto $rport -i $dev -o $sdev -j "$ACCEPT" -m state --state ESTABLISHED,RELATED + fi + done + done done + $IPTABLES -A POSTROUTING -j MASQUERADE -t nat -s $net1 $net2 $proto $port -o $dev done fi diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr167/SuSEfirewall2.sysconfig new/SuSEfirewall2-3.6_SVNr175/SuSEfirewall2.sysconfig --- old/SuSEfirewall2-3.6_SVNr167/SuSEfirewall2.sysconfig 2007-02-12 12:04:14.000000000 +0100 +++ new/SuSEfirewall2-3.6_SVNr175/SuSEfirewall2.sysconfig 2007-03-21 16:22:58.000000000 +0100 @@ -500,6 +500,9 @@ # from 192.168.1.0/24 to 10.10.0.0/16 and vice versa # provided that both networks are connected via an # IPsec tunnel. +# - "fd76:9dbb:91a3:1::/64,fd76:9dbb:91a3:4::/64,tcp,ssh" +# allow ssh from one IPv6 network to another +# FW_FORWARD="" ## Type: string @@ -685,8 +688,10 @@ ## Default: no # # 19a.) -# Allow hosts in the dmz to be pinged by internal and external hosts -# REQUIRES: FW_ROUTE +# Allow hosts in the dmz to be pinged from hosts in other zones even +# if neither FW_FORWARD nor FW_MASQUERADE is set +# +# Requires: FW_ROUTE # # defaults to "no" if not set # @@ -696,25 +701,15 @@ ## Default: no # # 19b.) -# Allow external hosts to be pinged from internal or dmz hosts -# REQUIRES: FW_ROUTE +# Allow hosts in the external zone to be pinged from hosts in other +# zones even if neither FW_FORWARD nor FW_MASQUERADE is set +# +# Requires: FW_ROUTE # # defaults to "no" if not set # FW_ALLOW_PING_EXT="no" -## -# END of /etc/sysconfig/SuSEfirewall2 -## - -# # -#-------------------------------------------------------------------------# -# # -# EXPERT OPTIONS - all others please don't change these! # -# # -#-------------------------------------------------------------------------# -# # - ## Type: yesno ## Default: yes # @@ -800,18 +795,24 @@ # see comments for FW_IGNORE_FW_BROADCAST_EXT FW_IGNORE_FW_BROADCAST_DMZ="" -## Type: yesno +## Type: list(yes,no,int,ext,dmz,) ## Default: no # # 23.) -# Allow same class routing per default? -# REQUIRES: FW_ROUTE +# Specifies whether routing between interfaces of the same zone should be allowed +# Requires: FW_ROUTE="yes" # -# Do you want to allow routing between interfaces of the same class -# (e.g. between all internet interfaces, or all internal network interfaces) -# be default (so without the need setting up FW_FORWARD definitions)? +# Set this to allow routing between interfaces in the same zone, +# e.g. between all internet interfaces, or all internal network +# interfaces. +# +# Caution: Keep in mind that "yes" affects all zones. ie even if you +# need inter-zone routing only in the internal zone setting this +# parameter to "yes" would allow routing between all external +# interfaces as well. It's better to use +# FW_ALLOW_CLASS_ROUTING="int" in this case. # -# Choice: "yes" or "no", if not set defaults to "no" +# Choice: "yes", "no", or space separate list of zone names # # Defaults to "no" if not set # @@ -933,7 +934,7 @@ # FW_IPv6_REJECT_OUTGOING="" -## Type: list(yes,no,int,ext,dmz) +## Type: list(yes,no,int,ext,dmz,) ## Default: no # # 29.) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org