commit SuSEfirewall2 for openSUSE:Factory
Hello community, here is the log from the commit of package SuSEfirewall2 for openSUSE:Factory checked in at Fri Mar 19 15:22:18 CET 2010. -------- --- SuSEfirewall2/SuSEfirewall2.changes 2010-02-16 14:53:55.000000000 +0100 +++ SuSEfirewall2/SuSEfirewall2.changes 2010-03-19 15:15:57.000000000 +0100 @@ -1,0 +2,7 @@ +Fri Mar 19 13:34:10 UTC 2010 - lnussel@suse.de + +- add entry about drbd to FAQ +- update docu +- implement FW_BOOT_FULL_INIT + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- SuSEfirewall2-3.6.231.tar.bz2 New: ---- SuSEfirewall2-3.6.238.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SuSEfirewall2.spec ++++++ --- /var/tmp/diff_new_pack.8kBY2T/_old 2010-03-19 15:21:49.000000000 +0100 +++ /var/tmp/diff_new_pack.8kBY2T/_new 2010-03-19 15:21:49.000000000 +0100 @@ -1,5 +1,5 @@ # -# spec file for package SuSEfirewall2 (Version 3.6.231) +# spec file for package SuSEfirewall2 (Version 3.6.238) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -20,7 +20,7 @@ Name: SuSEfirewall2 -Version: 3.6.231 +Version: 3.6.238 Release: 1 License: GPLv2+ Group: Productivity/Networking/Security ++++++ SuSEfirewall2-3.6.231.tar.bz2 -> SuSEfirewall2-3.6.238.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.231/SuSEfirewall2.sysconfig new/SuSEfirewall2-3.6.238/SuSEfirewall2.sysconfig --- old/SuSEfirewall2-3.6.231/SuSEfirewall2.sysconfig 2010-02-16 16:18:45.000000000 +0100 +++ new/SuSEfirewall2-3.6.238/SuSEfirewall2.sysconfig 2010-03-19 15:14:46.000000000 +0100 @@ -586,8 +586,6 @@ ## Type: string # -# 13a.) -# # same as FW_FORWARD but packages are rejected instead of accepted # # Requires: FW_ROUTE @@ -596,8 +594,6 @@ ## Type: string # -# 13b.) -# # same as FW_FORWARD but packages are dropped instead of accepted # # Requires: FW_ROUTE 
@@ -1010,7 +1006,6 @@
 ## Type: yesno
 ## Default: yes
 #
-# 28a.)
 # Reject outgoing IPv6 Packets?
 #
 # Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option
@@ -1189,3 +1184,15 @@
 # Defaults to "yes" if not set
 #
 FW_LO_NOTRACK=
+
+## Type: yesno
+## Default: no
+#
+# Specifies whether /etc/init.d/SuSEfirewall2_init should install the
+# full rule set already. Default is to just install minimum rules
+# that block incoming traffic. Set to "yes" if you user services
+# such as drbd that require open ports during boot already.
+#
+# Defaults to "no" if not set
+#
+FW_BOOT_FULL_INIT=""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.231/SuSEfirewall2_init new/SuSEfirewall2-3.6.238/SuSEfirewall2_init
--- old/SuSEfirewall2-3.6.231/SuSEfirewall2_init 2010-02-16 16:18:45.000000000 +0100
+++ new/SuSEfirewall2-3.6.238/SuSEfirewall2_init 2010-03-19 15:14:46.000000000 +0100
@@ -25,6 +25,11 @@
 test -x $SUSEFWALL || exit 5
 test -r /etc/sysconfig/SuSEfirewall2 || exit 6
 
+startmode=close
+if (. /etc/sysconfig/SuSEfirewall2; test "$FW_BOOT_FULL_INIT" = yes); then
+ startmode=start
+fi >/dev/null 2>&1
+
 . /etc/rc.status
 rc_reset
 
@@ -35,7 +40,7 @@
 if test -x /usr/sbin/iptables; then
 echo -n '(phase 1 of 2) '
 /bin/rm -rf /var/run/SuSEfirewall2
-$SUSEFWALL --bootlock -q close
+$SUSEFWALL --bootlock -q $startmode
 else
 echo -n "${extd}iptables not available (yet)${norm}"
 rc_failed 5
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.231/doc/FAQ.SuSEfirewall2.html new/SuSEfirewall2-3.6.238/doc/FAQ.SuSEfirewall2.html
--- old/SuSEfirewall2-3.6.231/doc/FAQ.SuSEfirewall2.html 2010-02-16 16:18:45.000000000 +0100
+++ new/SuSEfirewall2-3.6.238/doc/FAQ.SuSEfirewall2.html 2010-03-19 15:14:46.000000000 +0100
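Review bot: The new FW_BOOT_FULL_INIT comment in the @@ -1189 hunk of SuSEfirewall2.sysconfig does not tell the administrator what the switch costs: with "yes" the init script applies the complete configured rule set in the early boot phase, so every configured open port is reachable from then on instead of only after the regular SuSEfirewall2_setup run, and the drbd FAQ entry elsewhere in this commit is the only place that consequence is spelled out. The sentence also has a typo, "if you user services". I would replace the two lines with `# that block incoming traffic. Set to "yes" if you use services` and `# such as drbd that require open ports during boot already; the configured` followed by `# ports are then open from the early boot phase on, not just after SuSEfirewall2_setup.` so the trade-off is visible where the option is set.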
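Review bot: The `fi >/dev/null 2>&1` in the @@ -25 hunk of SuSEfirewall2_init discards every diagnostic from sourcing /etc/sysconfig/SuSEfirewall2, so a syntax error or unreadable include in the config silently leaves startmode at close; that is the right fail-closed direction, but nothing in the code says it is intentional, and a later maintainer could "fix" the redirect or move the test out of the subshell. A comment above the block would pin the design down, e.g. `# Source the config in a subshell so it cannot clobber this script's variables; any error keeps startmode=close (fail closed).` It is also worth noting in the same comment that only the exact value "yes" enables the full rule set, since that is what the `test` compares against. The @@ -40 hunk that consumes `$startmode` needs no change beyond this.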
@@ -1,88 +1,30 @@ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2 FAQ</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="SuSEfirewall2 FAQ"><div class="titlepage"><div><div><h2 class="title"><a id="id311997"></a>SuSEfirewall2 FAQ</h2></div></div><hr /></div><div class="qandaset" title="Frequently Asked Questions"><a id="id312008"></a><dl><dt>1. <a href="#id312011"> - How do I allow access to my application XYZ on my firewall? - </a></dt><dt>2. <a href="#id274901"> - How can I reduce the generated rule set as much as possible? - </a></dt><dt>3. <a href="#id274280"> - How can I be sure that the firewall rules are active when I connect - to the internet? - </a></dt><dt>4. <a href="#id274340"> - How many interfaces are supported for each zone (EXT/DMZ/INT)? - </a></dt><dt>5. <a href="#id274358"> +<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2 FAQ</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="SuSEfirewall2 FAQ"><div class="titlepage"><div><div><h2 class="title"><a id="id301529"></a>SuSEfirewall2 FAQ</h2></div></div><hr /></div><div class="qandaset" title="Frequently Asked Questions"><a id="id301543"></a><dl><dt>1. <a href="#id301545"> Why is communication between two interfaces in the same zone not working? - </a></dt><dt>6. <a href="#id274386"> - I have set a web server in my DMZ. How do I configure SuSEfirewall2 to let - people on the internet access my pages? - </a></dt><dt>7. 
<a href="#id293638"> - What if my Server has a private IP address, how do I enable external access then? - </a></dt><dt>8. <a href="#id293686">Some service does not work when the firewall is enabled. How do I find out what's wrong? - </a></dt><dt>9. <a href="#id273985"> + </a></dt><dt>2. <a href="#id265830">Some service does not work when the firewall is enabled. How do I find out what's wrong? + </a></dt><dt>3. <a href="#id297412"> Some web site that offers port scanning claims my system is not protected properly as it still responds to ICMP echo requests (ping) - </a></dt><dt>10. <a href="#id274007"> + </a></dt><dt>4. <a href="#id304338"> Can't the evil guys detect whether my host is online if it responds to ICMP echo requests? - </a></dt><dt>11. <a href="#id274028"> + </a></dt><dt>5. <a href="#id305185"> SuSEfirewall2 drops most packets but it doesn't fully hide the presence of my machine. Isn't that a security hole? - </a></dt><dt>12. <a href="#id274048"> + </a></dt><dt>6. <a href="#id292467"> The ipsec0 interface I had with kernel 2.4 is gone. How do I assign IPsec traffic to a different zone now? - </a></dt><dt>13. <a href="#id274099"> + </a></dt><dt>7. <a href="#id300867"> Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore? - </a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%" /><col /><tbody><tr class="question" title="1."><td align="left" valign="top"><a id="id312011"></a><a id="id312013"></a><p><b>1.</b></p></td><td align="left" valign="top"><p> - How do I allow access to my application XYZ on my firewall? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - - Usually you need an entry in <code class="varname">FW_SERVICES_EXT_TCP</code> - or <code class="varname">FW_SERVICES_EXT_UDP</code>. The most common problem is - to determine which port the application uses. Let's say you are - running an apache web server and want to allow access to it. 
Execute - <span class="command"><strong>netstat -tunlp</strong></span> and look for httpd. You will - see a line like this: - - </p><div class="informalexample"><pre class="screen">tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4497/httpd</pre></div><p> - - The number 80 is the port you are looking for. In this example put it - into <code class="varname">FW_SERVICES_EXT_TCP</code> and execute - <span class="command"><strong>SuSEfirewall2</strong></span> again. - - </p></td></tr><tr class="question" title="2."><td align="left" valign="top"><a id="id274901"></a><a id="id274904"></a><p><b>2.</b></p></td><td align="left" valign="top"><p> - How can I reduce the generated rule set as much as possible? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> - Set <code class="varname">FW_PROTECT_FROM_INTERNAL</code> to <code class="literal">"no"</code> - </p></li><li class="listitem"><p> - Disable Logging - </p></li><li class="listitem"><p> - Set all <code class="varname">FW_ALLOW_*</code> and - <code class="varname">FW_SERVICE_*</code> to no - </p></li><li class="listitem"><p> - Do not use routing or masquerading - </p></li><li class="listitem"><p> - Only enable routing/services you really need and make the statements - as general as possible to reduce the number of definitions. - Then you will have got much less rules, but also a lesser security. - Better spend 50$ on a faster processor and more ram instead of - using an old 486 as firewall. - </p></li></ul></div></td></tr><tr class="question" title="3."><td align="left" valign="top"><a id="id274280"></a><a id="id274283"></a><p><b>3.</b></p></td><td align="left" valign="top"><p> - How can I be sure that the firewall rules are active when I connect - to the internet? 
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - - Make sure that the <code class="literal">SuSEfirewall2</code> boot scripts are - enabled and that <code class="filename">/etc/sysconfig/network/config</code> - contains <code class="literal">FIREWALL=yes</code>. Also check that the - <code class="filename">/etc/sysconfig/network/ifcfg-*</code> files don't - contain <code class="literal">FIREWALL="no"</code>. You can check whether - packet filtering rules are actually installed with the command - <span class="command"><strong>SuSEfirewall2 status</strong></span> - - </p></td></tr><tr class="question" title="4."><td align="left" valign="top"><a id="id274340"></a><a id="id274342"></a><p><b>4.</b></p></td><td align="left" valign="top"><p> - How many interfaces are supported for each zone (EXT/DMZ/INT)? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - Any number you want - </p></td></tr><tr class="question" title="5."><td align="left" valign="top"><a id="id274358"></a><a id="id274361"></a><p><b>5.</b></p></td><td align="left" valign="top"><p> + </a></dt><dt>8. <a href="#id283911"> + Enabling drbd blocks the boot process. How to get around that? + </a></dt><dt>9. <a href="#id265332"> + My wireless LAN network interface is configured for the + external zone. Sometimes I need to connect to trusted + networks that offer e.g. printing or file sharing. How can + I solve that without opening ports in the external zone? + </a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%" /><col /><tbody><tr class="question" title="1."><td align="left" valign="top"><a id="id301545"></a><a id="id301547"></a><p><b>1.</b></p></td><td align="left" valign="top"><p> Why is communication between two interfaces in the same zone not working? </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> 
@@ -93,32 +35,7 @@ traffic with <code class="varname">FW_FORWARD</code>. Keep in mind that this affects all interfaces in all zones. - </p></td></tr><tr class="question" title="6."><td align="left" valign="top"><a id="id274386"></a><a id="id293606"></a><p><b>6.</b></p></td><td align="left" valign="top"><p> - I have set a web server in my DMZ. How do I configure SuSEfirewall2 to let - people on the internet access my pages? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - - Lets say your web server has got an official - IP address of 1.1.1.1 which you received from your ISP. You would - just configure <code class="varname">FW_FORWARD_TCP</code> like this: - </p><div class="informalexample"><pre class="programlisting">FW_FORWARD="0/0,1.1.1.1,tcp,80"</pre></div><p> - - </p></td></tr><tr class="question" title="7."><td align="left" valign="top"><a id="id293638"></a><a id="id293641"></a><p><b>7.</b></p></td><td align="left" valign="top"><p> - What if my Server has a private IP address, how do I enable external access then? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - - You can use reverse masquerading. For this you need to set - <code class="varname">FW_ROUTE</code> and <code class="varname">FW_MASQUERADE</code> to - <code class="literal">"yes"</code>, and additionally - <code class="varname">FW_FORWARD_MASQ</code> for the web servers private IP - (lets say it is 10.0.0.1): - - </p><div class="informalexample"><pre class="programlisting"> -FW_ROUTE="yes" -FW_MASQUERADE="yes" -FW_FORWARD_MASQ="0/0,10.0.0.1,tcp,80"</pre></div><p> - - </p></td></tr><tr class="question" title="8."><td align="left" valign="top"><a id="id293686"></a><a id="id293689"></a><p><b>8.</b></p></td><td align="left" valign="top"><p>Some service does not work when the firewall is enabled. How do I find out what's wrong? 
+ </p></td></tr><tr class="question" title="2."><td align="left" valign="top"><a id="id265830"></a><a id="id265832"></a><p><b>2.</b></p></td><td align="left" valign="top"><p>Some service does not work when the firewall is enabled. How do I find out what's wrong? </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> Enable logging of all dropped packets and disable the log limit in @@ -146,7 +63,7 @@ If everything works again don't forget to set the log options back to normal to not fill up you log files. - </p></td></tr><tr class="question" title="9."><td align="left" valign="top"><a id="id273985"></a><a id="id273988"></a><p><b>9.</b></p></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question" title="3."><td align="left" valign="top"><a id="id297412"></a><a id="id291503"></a><p><b>3.</b></p></td><td align="left" valign="top"><p> Some web site that offers port scanning claims my system is not protected properly as it still responds to ICMP echo requests (ping) </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> 
@@ -155,20 +72,20 @@ seriously impact the ability to track down network problems. It is therefore not considered nice behaviour for an internet citizen to drop pings. - </p></td></tr><tr class="question" title="10."><td align="left" valign="top"><a id="id274007"></a><a id="id274010"></a><p><b>10.</b></p></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question" title="4."><td align="left" valign="top"><a id="id304338"></a><a id="id292572"></a><p><b>4.</b></p></td><td align="left" valign="top"><p> Can't the evil guys detect whether my host is online if it responds to ICMP echo requests? </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> Yes but they can detect that anyways. The router at your provider behaves different depending on whether someone is dialed in or not. - </p></td></tr><tr class="question" title="11."><td align="left" valign="top"><a id="id274028"></a><a id="id274030"></a><p><b>11.</b></p></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question" title="5."><td align="left" valign="top"><a id="id305185"></a><a id="id302781"></a><p><b>5.</b></p></td><td align="left" valign="top"><p> SuSEfirewall2 drops most packets but it doesn't fully hide the presence of my machine. Isn't that a security hole? </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> You machine is never fully invisible, see previous question. The purpose of dropping packets is not to hide your machine but to slow down port scans. - </p></td></tr><tr class="question" title="12."><td align="left" valign="top"><a id="id274048"></a><a id="id274051"></a><p><b>12.</b></p></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question" title="6."><td align="left" valign="top"><a id="id292467"></a><a id="id293084"></a><p><b>6.</b></p></td><td align="left" valign="top"><p> The <code class="literal">ipsec0</code> interface I had with kernel 2.4 is gone. 
How do I assign IPsec traffic to a different zone now? </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> 
@@ -184,21 +101,89 @@ FW_SERVICES_EXT_UDP="isakmp" FW_PROTECT_FROM_INT="no"</pre></div><p> - </p></td></tr><tr class="question" title="13."><td align="left" valign="top"><a id="id274099"></a><a id="id274102"></a><p><b>13.</b></p></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question" title="7."><td align="left" valign="top"><a id="id300867"></a><a id="id292485"></a><p><b>7.</b></p></td><td align="left" valign="top"><p> Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore? </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> <code class="literal">SuSEfirewall2</code> is implemented in bourne shell which is not exactly the fastest thing on earth especially if it has that much work to do as <code class="literal">SuSEfirewall2</code>. Administrators still prefer bourne shell scripts - because of readability <span class="emphasis"><em>*cough*</em></span>. To be able to - use <span class="command"><strong>iptables-restore</strong></span> - <code class="literal">SuSEfirewall2</code> would need a lot more logic than - what is be possible with bourne shell as it would need to sort and - reorder the rules for example. Furthermore interfaces are not static. - They can arbitrarily appear and disapper with different names so a - generic solution can't just dump the rules with - <span class="command"><strong>iptables-store</strong></span> and re-apply them with - <span class="command"><strong>iptables-restore</strong></span>. + because of readability <span class="emphasis"><em>*cough*</em></span>. + </p><p> + <code class="literal">SuSEfirewall2</code> already uses a method + similar to <code class="literal">iptables-restore</code> to apply + as much filter rules as possible at once. 
+ <code class="literal">SuSEfirewall2</code> doesn't use + <code class="literal">iptables-restore</code> natively to be able to + easily fall back to individual <code class="literal">iptables</code> + calls in case of error. + </p></td></tr><tr class="question" title="8."><td align="left" valign="top"><a id="id283911"></a><a id="id283913"></a><p><b>8.</b></p></td><td align="left" valign="top"><p> + Enabling drbd blocks the boot process. How to get around that? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + + During boot process all incoming traffic is blocked + unconditionally. The very last boot script then sets up + the configured firewall rules. The problem is that drbd + blocks the boot process while waiting for incoming + connection from other nodes. Therefore configuring the + drbd port in <code class="literal">SuSEfirewall2</code> has no + effect. + + </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> + SLES10 + </p><p> + Add a manual iptables call to + <code class="literal">/etc/init.d/boot.local</code>: + </p><div class="informalexample"><pre class="programlisting">iptables -A INPUT -p tcp --dport 7788 -j ACCEPT</pre></div><p> + + </p></li><li class="listitem"><p> + SLES11, openSUSE <= 11.2 + </p><p> + On SLES11 SuSEfirewall2_init is called after + boot.local, therefore the method for SLES10 + doesn't work anymore. 
It's possible to modify the + dependencies of the SuSEfirewall2_setup script to run + before drbd though: + </p><div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem"><p> + Create the directory + <code class="filename">/etc/insserv/overrides</code> + </p></li><li class="listitem"><p> + Create a new file + <code class="filename">/etc/insserv/overrides/SuSEfirewall2_setup</code> + </p></li><li class="listitem"><p> + Copy the the LSB header (the part between and + including the lines "<code class="literal">### BEGIN INIT + INFO</code>" and "<code class="literal">### END INIT + INFO</code>") from + <code class="filename">/etc/init.d/SuSEfirewall2_setup</code> + to + <code class="filename">/etc/insserv/overrides/SuSEfirewall2_setup</code> + </p></li><li class="listitem"><p> + Replace <code class="literal">$ALL</code> with + <code class="literal">$null</code> and add the following + line: + </p><div class="informalexample"><pre class="programlisting"># X-Start-Before: drbd</pre></div><p> + + </p></li><li class="listitem"><p> + run <span class="command"><strong>/sbin/insserv</strong></span> + </p></li></ul></div><p> + + </p></li><li class="listitem"><p> + openSUSE >= 11.3 + </p><p> + Configure the open ports for <code class="literal">drbd</code> and set + </p><div class="informalexample"><pre class="programlisting">FW_BOOT_FULL_INIT="yes"</pre></div><p> + + </p></li></ul></div></td></tr><tr class="question" title="9."><td align="left" valign="top"><a id="id265332"></a><a id="id265334"></a><p><b>9.</b></p></td><td align="left" valign="top"><p> + My wireless LAN network interface is configured for the + external zone. Sometimes I need to connect to trusted + networks that offer e.g. printing or file sharing. How can + I solve that without opening ports in the external zone? 
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + + The <a class="ulink" href="http://lizards.opensuse.org/2009/08/28/firewall-zone-switcher-updated/" target="_top">Firewall + Zone Switcher applet</a> allows desktop users to + switch zones with only few mouse clicks. It's included in + openSUSE since version 11.2. </p></td></tr></tbody></table></div></div></body></html> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.231/doc/FAQ.SuSEfirewall2.txt new/SuSEfirewall2-3.6.238/doc/FAQ.SuSEfirewall2.txt --- old/SuSEfirewall2-3.6.231/doc/FAQ.SuSEfirewall2.txt 2010-02-16 16:18:45.000000000 +0100 +++ new/SuSEfirewall2-3.6.238/doc/FAQ.SuSEfirewall2.txt 2010-03-19 15:14:46.000000000 +0100 
@@ -2,158 +2,144 @@ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ -1. How do I allow access to my application XYZ on my firewall? -2. How can I reduce the generated rule set as much as possible? -3. How can I be sure that the firewall rules are active when I connect to the - internet? -4. How many interfaces are supported for each zone (EXT/DMZ/INT)? -5. Why is communication between two interfaces in the same zone not working? -6. I have set a web server in my DMZ. How do I configure SuSEfirewall2 to let - people on the internet access my pages? -7. What if my Server has a private IP address, how do I enable external access - then? -8. Some service does not work when the firewall is enabled. How do I find out +1. Why is communication between two interfaces in the same zone not working? +2. Some service does not work when the firewall is enabled. How do I find out what's wrong? -9. Some web site that offers port scanning claims my system is not protected +3. Some web site that offers port scanning claims my system is not protected properly as it still responds to ICMP echo requests (ping) -10. Can't the evil guys detect whether my host is online if it responds to ICMP +4. Can't the evil guys detect whether my host is online if it responds to ICMP echo requests? -11. SuSEfirewall2 drops most packets but it doesn't fully hide the presence of +5. SuSEfirewall2 drops most packets but it doesn't fully hide the presence of my machine. Isn't that a security hole? -12. The ipsec0 interface I had with kernel 2.4 is gone. How do I assign IPsec +6. The ipsec0 interface I had with kernel 2.4 is gone. How do I assign IPsec traffic to a different zone now? -13. Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore? +7. Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore? +8. Enabling drbd blocks the boot process. How to get around that? +9. My wireless LAN network interface is configured for the external zone. 
+ Sometimes I need to connect to trusted networks that offer e.g. printing or + file sharing. How can I solve that without opening ports in the external + zone? -1. How do I allow access to my application XYZ on my firewall? +1. Why is communication between two interfaces in the same zone not working? - Usually you need an entry in FW_SERVICES_EXT_TCP or FW_SERVICES_EXT_UDP. The - most common problem is to determine which port the application uses. Let's say - you are running an apache web server and want to allow access to it. Execute - netstat -tunlp and look for httpd. You will see a line like this: + For security reasons, no network may communicate to another until configured + otherwise. Even if both are "trusted" internal networks. You can allow full + traffic with FW_ALLOW_CLASS_ROUTING or specifying all allowed traffic with + FW_FORWARD. Keep in mind that this affects all interfaces in all zones. - tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4497/httpd +2. Some service does not work when the firewall is enabled. How do I find out + what's wrong? - The number 80 is the port you are looking for. In this example put it into - FW_SERVICES_EXT_TCP and execute SuSEfirewall2 again. + Enable logging of all dropped packets and disable the log limit in /etc/ + sysconfig/SuSEfirewall2: -2. How can I reduce the generated rule set as much as possible? + FW_LOG_DROP_CRIT="yes" + FW_LOG_DROP_ALL="yes" + FW_LOG_LIMIT="no" - ● Set FW_PROTECT_FROM_INTERNAL to "no" + Run SuSEfirewall2 again. /var/log/messages will now quickly fill up with log + messages about dropped packets when you try to use the not working service. + Those messages tell you the protocol and port you need to open. - ● Disable Logging + You may also run SuSEfirewall2 in test mode: SuSEfirewall2 test. Then try to + connect to the service in a way which failed before. It will work because + SuSEfirewall2 does not actually filter any packets this time. 
However, it + will still log all packets it normally would have dropped. - ● Set all FW_ALLOW_* and FW_SERVICE_* to no + If everything works again don't forget to set the log options back to normal + to not fill up you log files. - ● Do not use routing or masquerading +3. Some web site that offers port scanning claims my system is not protected + properly as it still responds to ICMP echo requests (ping) - ● Only enable routing/services you really need and make the statements as - general as possible to reduce the number of definitions. Then you will have - got much less rules, but also a lesser security. Better spend 50$ on a - faster processor and more ram instead of using an old 486 as firewall. + ICMP echo requests are harmless however they are a fundametal means to + determine whether hosts are still reachable. Blocking them would seriously + impact the ability to track down network problems. It is therefore not + considered nice behaviour for an internet citizen to drop pings. -3. How can I be sure that the firewall rules are active when I connect to the - internet? +4. Can't the evil guys detect whether my host is online if it responds to ICMP + echo requests? - Make sure that the SuSEfirewall2 boot scripts are enabled and that /etc/ - sysconfig/network/config contains FIREWALL=yes. Also check that the /etc/ - sysconfig/network/ifcfg-* files don't contain FIREWALL="no". You can check - whether packet filtering rules are actually installed with the command - SuSEfirewall2 status + Yes but they can detect that anyways. The router at your provider behaves + different depending on whether someone is dialed in or not. -4. How many interfaces are supported for each zone (EXT/DMZ/INT)? +5. SuSEfirewall2 drops most packets but it doesn't fully hide the presence of + my machine. Isn't that a security hole? - Any number you want + You machine is never fully invisible, see previous question. 
The purpose of + dropping packets is not to hide your machine but to slow down port scans. -5. Why is communication between two interfaces in the same zone not working? +6. The ipsec0 interface I had with kernel 2.4 is gone. How do I assign IPsec + traffic to a different zone now? - For security reasons, no network may communicate to another until configured - otherwise. Even if both are "trusted" internal networks. You can allow full - traffic with FW_ALLOW_CLASS_ROUTING or specifying all allowed traffic with - FW_FORWARD. Keep in mind that this affects all interfaces in all zones. + Set the variable FW_IPSEC_TRUST to the zone you would have put the ipsec0 + into before. For example if your IPsec tunnel is set up on the external + interface but you want to grant the decrypted traffic access to all your + services as if it was in the internal zone: -6. I have set a web server in my DMZ. How do I configure SuSEfirewall2 to let - people on the internet access my pages? + FW_IPSEC_TRUST="int" + FW_SERVICES_EXT_IP="esp" + FW_SERVICES_EXT_UDP="isakmp" + FW_PROTECT_FROM_INT="no" - Lets say your web server has got an official IP address of 1.1.1.1 which you - received from your ISP. You would just configure FW_FORWARD_TCP like this: +7. Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore? - FW_FORWARD="0/0,1.1.1.1,tcp,80" + SuSEfirewall2 is implemented in bourne shell which is not exactly the + fastest thing on earth especially if it has that much work to do as + SuSEfirewall2. Administrators still prefer bourne shell scripts because of + readability *cough*. -7. What if my Server has a private IP address, how do I enable external access - then? + SuSEfirewall2 already uses a method similar to iptables-restore to apply as + much filter rules as possible at once. SuSEfirewall2 doesn't use + iptables-restore natively to be able to easily fall back to individual + iptables calls in case of error. - You can use reverse masquerading. 
For this you need to set FW_ROUTE and - FW_MASQUERADE to "yes", and additionally FW_FORWARD_MASQ for the web servers - private IP (lets say it is 10.0.0.1): +8. Enabling drbd blocks the boot process. How to get around that? - FW_ROUTE="yes" - FW_MASQUERADE="yes" - FW_FORWARD_MASQ="0/0,10.0.0.1,tcp,80" + During boot process all incoming traffic is blocked unconditionally. The + very last boot script then sets up the configured firewall rules. The + problem is that drbd blocks the boot process while waiting for incoming + connection from other nodes. Therefore configuring the drbd port in + SuSEfirewall2 has no effect. -8. Some service does not work when the firewall is enabled. How do I find out - what's wrong? + ● SLES10 - Enable logging of all dropped packets and disable the log limit in /etc/ - sysconfig/SuSEfirewall2: + Add a manual iptables call to /etc/init.d/boot.local: - FW_LOG_DROP_CRIT="yes" - FW_LOG_DROP_ALL="yes" - FW_LOG_LIMIT="no" - - Run SuSEfirewall2 again. /var/log/messages will now quickly fill up with log - messages about dropped packets when you try to use the not working service. - Those messages tell you the protocol and port you need to open. - - You may also run SuSEfirewall2 in test mode: SuSEfirewall2 test. Then try to - connect to the service in a way which failed before. It will work because - SuSEfirewall2 does not actually filter any packets this time. However, it will - still log all packets it normally would have dropped. + iptables -A INPUT -p tcp --dport 7788 -j ACCEPT - If everything works again don't forget to set the log options back to normal to - not fill up you log files. + ● SLES11, openSUSE <= 11.2 -9. Some web site that offers port scanning claims my system is not protected - properly as it still responds to ICMP echo requests (ping) + On SLES11 SuSEfirewall2_init is called after boot.local, therefore the + method for SLES10 doesn't work anymore. 
It's possible to modify the + dependencies of the SuSEfirewall2_setup script to run before drbd + though: - ICMP echo requests are harmless however they are a fundametal means to - determine whether hosts are still reachable. Blocking them would seriously - impact the ability to track down network problems. It is therefore not - considered nice behaviour for an internet citizen to drop pings. + ○ Create the directory /etc/insserv/overrides -10. Can't the evil guys detect whether my host is online if it responds to ICMP - echo requests? + ○ Create a new file /etc/insserv/overrides/SuSEfirewall2_setup - Yes but they can detect that anyways. The router at your provider behaves - different depending on whether someone is dialed in or not. + ○ Copy the the LSB header (the part between and including the lines "# + ## BEGIN INIT INFO" and "### END INIT INFO") from /etc/init.d/ + SuSEfirewall2_setup to /etc/insserv/overrides/SuSEfirewall2_setup -11. SuSEfirewall2 drops most packets but it doesn't fully hide the presence of my - machine. Isn't that a security hole? + ○ Replace $ALL with $null and add the following line: - You machine is never fully invisible, see previous question. The purpose of - dropping packets is not to hide your machine but to slow down port scans. + # X-Start-Before: drbd -12. The ipsec0 interface I had with kernel 2.4 is gone. How do I assign IPsec - traffic to a different zone now? + ○ run /sbin/insserv + + ● openSUSE >= 11.3 + + Configure the open ports for drbd and set + + FW_BOOT_FULL_INIT="yes" + +9. My wireless LAN network interface is configured for the external zone. + Sometimes I need to connect to trusted networks that offer e.g. printing or + file sharing. How can I solve that without opening ports in the external + zone? - Set the variable FW_IPSEC_TRUST to the zone you would have put the ipsec0 into - before. 
For example if your IPsec tunnel is set up on the external interface - but you want to grant the decrypted traffic access to all your services as if - it was in the internal zone: - - FW_IPSEC_TRUST="int" - FW_SERVICES_EXT_IP="esp" - FW_SERVICES_EXT_UDP="isakmp" - FW_PROTECT_FROM_INT="no" - -13. Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore? - - SuSEfirewall2 is implemented in bourne shell which is not exactly the fastest - thing on earth especially if it has that much work to do as SuSEfirewall2. - Administrators still prefer bourne shell scripts because of readability *cough* - . To be able to use iptables-restore SuSEfirewall2 would need a lot more logic - than what is be possible with bourne shell as it would need to sort and reorder - the rules for example. Furthermore interfaces are not static. They can - arbitrarily appear and disapper with different names so a generic solution - can't just dump the rules with iptables-store and re-apply them with - iptables-restore. + The Firewall Zone Switcher applet allows desktop users to switch zones with + only few mouse clicks. It's included in openSUSE since version 11.2. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.231/doc/FAQ.SuSEfirewall2.xml new/SuSEfirewall2-3.6.238/doc/FAQ.SuSEfirewall2.xml --- old/SuSEfirewall2-3.6.231/doc/FAQ.SuSEfirewall2.xml 2010-02-16 16:18:45.000000000 +0100 +++ new/SuSEfirewall2-3.6.238/doc/FAQ.SuSEfirewall2.xml 2010-03-19 15:14:46.000000000 +0100 
@@ -7,114 +7,6 @@ <title>SuSEfirewall2 FAQ</title> </articleinfo> <qandaset> - <qandaentry> - - <question> - <para> - How do I allow access to my application XYZ on my firewall? - </para> - </question> - - <answer> - - <para> - - Usually you need an entry in <varname>FW_SERVICES_EXT_TCP</varname> - or <varname>FW_SERVICES_EXT_UDP</varname>. The most common problem is - to determine which port the application uses. Let's say you are - running an apache web server and want to allow access to it. Execute - <command>netstat -tunlp</command> and look for httpd. You will - see a line like this: - - <informalexample> - <screen>tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4497/httpd</screen> - </informalexample> - - The number 80 is the port you are looking for. In this example put it - into <varname>FW_SERVICES_EXT_TCP</varname> and execute - <command>SuSEfirewall2</command> again. - - </para> - - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - How can I reduce the generated rule set as much as possible? - </para> - </question> - <answer> - <itemizedlist> - <listitem> - <para> - Set <varname>FW_PROTECT_FROM_INTERNAL</varname> to <literal>"no"</literal> - </para> - </listitem> - <listitem> - <para> - Disable Logging - </para> - </listitem> - <listitem> - <para> - Set all <varname>FW_ALLOW_*</varname> and - <varname>FW_SERVICE_*</varname> to no - </para> - </listitem> - <listitem> - <para> - Do not use routing or masquerading - </para> - </listitem> - <listitem> - <para> - Only enable routing/services you really need and make the statements - as general as possible to reduce the number of definitions. - Then you will have got much less rules, but also a lesser security. - Better spend 50$ on a faster processor and more ram instead of - using an old 486 as firewall. - </para> - </listitem> - </itemizedlist> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - How can I be sure that the firewall rules are active when I connect - to the internet? 
- </para> - </question> - <answer> - <para> - - Make sure that the <literal>SuSEfirewall2</literal> boot scripts are - enabled and that <filename>/etc/sysconfig/network/config</filename> - contains <literal>FIREWALL=yes</literal>. Also check that the - <filename>/etc/sysconfig/network/ifcfg-*</filename> files don't - contain <literal>FIREWALL="no"</literal>. You can check whether - packet filtering rules are actually installed with the command - <command>SuSEfirewall2 status</command> - - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - How many interfaces are supported for each zone (EXT/DMZ/INT)? - </para> - </question> - <answer> - <para> - Any number you want - </para> - </answer> - </qandaentry> <qandaentry> 
@@ -141,62 +33,6 @@ </qandaentry> <qandaentry> - <question> - <para> - I have set a web server in my DMZ. How do I configure SuSEfirewall2 to let - people on the internet access my pages? - </para> - </question> - - <answer> - - <para> - - Lets say your web server has got an official - IP address of 1.1.1.1 which you received from your ISP. You would - just configure <varname>FW_FORWARD_TCP</varname> like this: - <informalexample> - <programlisting>FW_FORWARD="0/0,1.1.1.1,tcp,80"</programlisting> - </informalexample> - - </para> - - </answer> - - </qandaentry> - - <qandaentry> - - <question> - <para> - What if my Server has a private IP address, how do I enable external access then? - </para> - </question> - - <answer> - - <para> - - You can use reverse masquerading. For this you need to set - <varname>FW_ROUTE</varname> and <varname>FW_MASQUERADE</varname> to - <literal>"yes"</literal>, and additionally - <varname>FW_FORWARD_MASQ</varname> for the web servers private IP - (lets say it is 10.0.0.1): - - <informalexample> - <programlisting> -FW_ROUTE="yes" -FW_MASQUERADE="yes" -FW_FORWARD_MASQ="0/0,10.0.0.1,tcp,80"</programlisting> - </informalexample> - - </para> - - </answer> - - </qandaentry> - - <qandaentry> <question> <para>Some service does not work when the firewall is enabled. How do I find out what's wrong? 
@@ -345,15 +181,161 @@ <literal>SuSEfirewall2</literal> is implemented in bourne shell which is not exactly the fastest thing on earth especially if it has that much work to do as <literal>SuSEfirewall2</literal>. Administrators still prefer bourne shell scripts - because of readability <emphasis>*cough*</emphasis>. To be able to - use <command>iptables-restore</command> - <literal>SuSEfirewall2</literal> would need a lot more logic than - what is be possible with bourne shell as it would need to sort and - reorder the rules for example. Furthermore interfaces are not static. - They can arbitrarily appear and disapper with different names so a - generic solution can't just dump the rules with - <command>iptables-store</command> and re-apply them with - <command>iptables-restore</command>. + because of readability <emphasis>*cough*</emphasis>. + </para> + + <para> + <literal>SuSEfirewall2</literal> already uses a method + similar to <literal>iptables-restore</literal> to apply + as much filter rules as possible at once. + <literal>SuSEfirewall2</literal> doesn't use + <literal>iptables-restore</literal> natively to be able to + easily fall back to individual <literal>iptables</literal> + calls in case of error. + </para> + + </answer> + + </qandaentry> + + <qandaentry> + + <question> + <para> + Enabling drbd blocks the boot process. How to get around that? + </para> + </question> + + <answer> + + <para> + + During boot process all incoming traffic is blocked + unconditionally. The very last boot script then sets up + the configured firewall rules. The problem is that drbd + blocks the boot process while waiting for incoming + connection from other nodes. Therefore configuring the + drbd port in <literal>SuSEfirewall2</literal> has no + effect. 
+ + </para> + + <itemizedlist> + + <listitem> + <para> + SLES10 + </para> + <para> + Add a manual iptables call to + <literal>/etc/init.d/boot.local</literal>: + <informalexample> + <programlisting>iptables -A INPUT -p tcp --dport 7788 -j ACCEPT</programlisting> + </informalexample> + + </para> + </listitem> + + <listitem> + <para> + SLES11, openSUSE <= 11.2 + </para> + <para> + On SLES11 SuSEfirewall2_init is called after + boot.local, therefore the method for SLES10 + doesn't work anymore. It's possible to modify the + dependencies of the SuSEfirewall2_setup script to run + before drbd though: + <itemizedlist> + + <listitem> + <para> + Create the directory + <filename>/etc/insserv/overrides</filename> + </para> + </listitem> + + <listitem> + <para> + Create a new file + <filename>/etc/insserv/overrides/SuSEfirewall2_setup</filename> + </para> + </listitem> + + <listitem> + <para> + Copy the the LSB header (the part between and + including the lines "<literal>### BEGIN INIT + INFO</literal>" and "<literal>### END INIT + INFO</literal>") from + <filename>/etc/init.d/SuSEfirewall2_setup</filename> + to + <filename>/etc/insserv/overrides/SuSEfirewall2_setup</filename> + </para> + </listitem> + + <listitem> + <para> + Replace <literal>$ALL</literal> with + <literal>$null</literal> and add the following + line: + <informalexample> + <programlisting># X-Start-Before: drbd</programlisting> + </informalexample> + + </para> + </listitem> + + <listitem> + <para> + run <command>/sbin/insserv</command> + </para> + </listitem> + + </itemizedlist> + + </para> + </listitem> + + <listitem> + <para> + openSUSE >= 11.3 + </para> + <para> + Configure the open ports for <literal>drbd</literal> and set + <informalexample> + <programlisting>FW_BOOT_FULL_INIT="yes"</programlisting> + </informalexample> + + </para> + </listitem> + + </itemizedlist> + + </answer> + + </qandaentry> + + <qandaentry> + + <question> + <para> + My wireless LAN network interface is configured for the + external 
zone. Sometimes I need to connect to trusted + networks that offer e.g. printing or file sharing. How can + I solve that without opening ports in the external zone? + </para> + </question> + + <answer> + + <para> + + The <ulink + url="http://lizards.opensuse.org/2009/08/28/firewall-zone-switcher-updated/">Firewall + Zone Switcher applet</ulink> allows desktop users to + switch zones with only few mouse clicks. It's included in + openSUSE since version 11.2. </para> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.231/doc/README.SuSEfirewall2.html new/SuSEfirewall2-3.6.238/doc/README.SuSEfirewall2.html --- old/SuSEfirewall2-3.6.231/doc/README.SuSEfirewall2.html 2010-02-16 16:18:45.000000000 +0100 +++ new/SuSEfirewall2-3.6.238/doc/README.SuSEfirewall2.html 2010-03-19 15:14:46.000000000 +0100 
@@ -1,6 +1,6 @@ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="SuSEfirewall2"><div class="titlepage"><div><div><h2 class="title"><a id="id311990"></a>SuSEfirewall2</h2></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id312001">1. Introduction</a></span></dt><dt><span class="section"><a href="#id274021">2. Quickstart</a></span></dt><dd><dl><dt><span class="section"><a href="#id274027">2.1. YaST2 firewall module</a></span></dt><dt><span class="section"><a href="#id274840">2.2. Manual configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#id274901">3. Some words about security</a></span></dt><dt><span class="section"><a href="#id293680">4. Reporting bugs</a></span></dt><dt><span class="section"><a href="#id293705">5. Links</a></span></dt><dt><span class="section"><a href="#id293732">6. Author</a></span></dt></dl></div><div class="section" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id312001"></a>1. 
Introduction</h2></div></div></div><p> +<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="SuSEfirewall2"><div class="titlepage"><div><div><h2 class="title"><a id="id301523"></a>SuSEfirewall2</h2></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id301537">1. Introduction</a></span></dt><dt><span class="section"><a href="#id265879">2. Quickstart</a></span></dt><dd><dl><dt><span class="section"><a href="#id265884">2.1. YaST2 firewall module</a></span></dt><dt><span class="section"><a href="#id265896">2.2. Manual configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#id283926">3. Some words about security</a></span></dt><dt><span class="section"><a href="#id265245">4. Source Code</a></span></dt><dt><span class="section"><a href="#id265261">5. Reporting bugs</a></span></dt><dt><span class="section"><a href="#id265283">6. Links</a></span></dt><dt><span class="section"><a href="#id265307">7. Author</a></span></dt></dl></div><div class="section" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id301537"></a>1. Introduction</h2></div></div></div><p> <code class="literal">SuSEfirewall2</code> is a shell script wrapper for the Linux firewall setup tool (<code class="literal">iptables</code>). It's controlled by a 
@@ -10,16 +10,17 @@ Main features of SuSEfirewall2: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>sets up secure filter rules by default</p></li><li class="listitem"><p>easy to configure</p></li><li class="listitem"><p>requires only a small configuration effort</p></li><li class="listitem"><p>zone based setup. Interfaces are grouped into zones</p></li><li class="listitem"><p>supports an arbitrary number of zones</p></li><li class="listitem"><p>supports forwarding, masquerading, port redirection</p></li><li class="listitem"><p>supports RPC services with dynamically assigned ports</p></li><li class="listitem"><p>allows special treatment of IPsec packets</p></li><li class="listitem"><p>IPv6 support</p></li><li class="listitem"><p>allows insertion of custom rules through hooks</p></li></ul></div><p> + </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>sets up secure filter rules by default</p></li><li class="listitem"><p>easy to configure</p></li><li class="listitem"><p>requires only a small configuration effort</p></li><li class="listitem"><p>zone based setup. Interfaces are grouped into zones</p></li><li class="listitem"><p>supports an arbitrary number of zones</p></li><li class="listitem"><p>supports forwarding, masquerading, port redirection</p></li><li class="listitem"><p>supports RPC services with dynamically assigned ports</p></li><li class="listitem"><p>allows special treatment of IPsec packets</p></li><li class="listitem"><p>IPv6 support</p></li><li class="listitem"><p>allows insertion of custom rules through hooks</p></li><li class="listitem"><p>graphical <a class="ulink" href="http://lizards.opensuse.org/2009/08/28/firewall-zone-switcher-updated/" target="_top">zone + switcher applet</a> for desktop use</p></li></ul></div><p> - </p></div><div class="section" title="2. Quickstart"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id274021"></a>2. 
Quickstart</h2></div></div></div><div class="section" title="2.1. YaST2 firewall module"><div class="titlepage"><div><div><h3 class="title"><a id="id274027"></a>2.1. YaST2 firewall module</h3></div></div></div><p> + </p></div><div class="section" title="2. Quickstart"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id265879"></a>2. Quickstart</h2></div></div></div><div class="section" title="2.1. YaST2 firewall module"><div class="titlepage"><div><div><h3 class="title"><a id="id265884"></a>2.1. YaST2 firewall module</h3></div></div></div><p> The YaST2 firewall module is the recommended tool for configuring SuSEfirewall2. It offers the most common features with a nice user interface and help texts. It also takes care of proper activation of the init scripts. - </p></div><div class="section" title="2.2. Manual configuration"><div class="titlepage"><div><div><h3 class="title"><a id="id274840"></a>2.2. Manual configuration</h3></div></div></div><p> + </p></div><div class="section" title="2.2. Manual configuration"><div class="titlepage"><div><div><h3 class="title"><a id="id265896"></a>2.2. Manual configuration</h3></div></div></div><p> Enable the SuSEfirewall2 boot scripts: @@ -37,7 +38,7 @@ <code class="filename">EXAMPLES</code> file in <code class="filename">/usr/share/doc/packages/SuSEfirewall2</code> - </p></div></div><div class="section" title="3. Some words about security"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id274901"></a>3. Some words about security</h2></div></div></div><p> + </p></div></div><div class="section" title="3. Some words about security"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id283926"></a>3. Some words about security</h2></div></div></div><p> SuSEfirewall2 is a frontend for iptables which sets up kernel packet filters, nothing more and nothing less. This means that you are not 
@@ -76,17 +77,22 @@ Check your log files regularly for unusual entries. </p></li></ul></div><p> - </p></div><div class="section" title="4. Reporting bugs"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id293680"></a>4. Reporting bugs</h2></div></div></div><p> + </p></div><div class="section" title="4. Source Code"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id265245"></a>4. Source Code</h2></div></div></div><p> + + Source code is available at + <a class="ulink" href="http://gitorious.org/opensuse/susefirewall2" target="_top">Gitorious</a> + + </p></div><div class="section" title="5. Reporting bugs"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id265261"></a>5. Reporting bugs</h2></div></div></div><p> Report any problems via <a class="ulink" href="https://bugzilla.novell.com/" target="_top">Bugzilla</a>. For discussion about SuSEfirewall2 join the <a class="ulink" href="http://en.opensuse.org/Communicate/Mailinglists" target="_top">opensuse-security</a> mailinglist. - </p></div><div class="section" title="5. Links"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id293705"></a>5. Links</h2></div></div></div><p> + </p></div><div class="section" title="6. Links"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id265283"></a>6. Links</h2></div></div></div><p> <a class="ulink" href="EXAMPLES.html" target="_top">Examples</a> </p><p> <a class="ulink" href="FAQ.html" target="_top">Frequently Asked Questions</a> - </p></div><div class="section" title="6. Author"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id293732"></a>6. Author</h2></div></div></div><p> + </p></div><div class="section" title="7. Author"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id265307"></a>7. 
Author</h2></div></div></div><p> SuSEfirewall2 was originally created by <span class="author"><span class="firstname">Marc</span> <span class="surname">Heuse</span></span>. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.231/doc/README.SuSEfirewall2.txt new/SuSEfirewall2-3.6.238/doc/README.SuSEfirewall2.txt --- old/SuSEfirewall2-3.6.231/doc/README.SuSEfirewall2.txt 2010-02-16 16:18:45.000000000 +0100 +++ new/SuSEfirewall2-3.6.238/doc/README.SuSEfirewall2.txt 2010-03-19 15:14:46.000000000 +0100 @@ -11,9 +11,10 @@ 2.2. Manual configuration 3. Some words about security -4. Reporting bugs -5. Links -6. Author +4. Source Code +5. Reporting bugs +6. Links +7. Author 1. Introduction @@ -42,6 +43,8 @@ ● allows insertion of custom rules through hooks + ● graphical zone switcher applet for desktop use + 2. Quickstart 2.1. YaST2 firewall module @@ -98,18 +101,22 @@ ● Check your log files regularly for unusual entries. -4. Reporting bugs +4. Source Code + +Source code is available at Gitorious + +5. Reporting bugs Report any problems via Bugzilla. For discussion about SuSEfirewall2 join the opensuse-security mailinglist. -5. Links +6. Links Examples Frequently Asked Questions -6. Author +7. Author SuSEfirewall2 was originally created by Marc Heuse. Most of it got rewritten and enhanced by it's current maintainer Ludwig Nussel diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.231/doc/README.SuSEfirewall2.xml new/SuSEfirewall2-3.6.238/doc/README.SuSEfirewall2.xml --- old/SuSEfirewall2-3.6.231/doc/README.SuSEfirewall2.xml 2010-02-16 16:18:45.000000000 +0100 +++ new/SuSEfirewall2-3.6.238/doc/README.SuSEfirewall2.xml 2010-03-19 15:14:46.000000000 +0100 
@@ -37,6 +37,9 @@ <listitem><para>allows special treatment of IPsec packets</para></listitem> <listitem><para>IPv6 support</para></listitem> <listitem><para>allows insertion of custom rules through hooks</para></listitem> + <listitem><para>graphical <ulink + url="http://lizards.opensuse.org/2009/08/28/firewall-zone-switcher-updated/">zone + switcher applet</ulink> for desktop use</para></listitem> </itemizedlist> </para> @@ -179,6 +182,17 @@ </section> <section> + <title>Source Code</title> + + <para> + + Source code is available at + <ulink url="http://gitorious.org/opensuse/susefirewall2">Gitorious</ulink> + + </para> + </section> + + <section> <title>Reporting bugs</title> <para> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.231/mkchanges new/SuSEfirewall2-3.6.238/mkchanges --- old/SuSEfirewall2-3.6.231/mkchanges 1970-01-01 01:00:00.000000000 +0100 +++ new/SuSEfirewall2-3.6.238/mkchanges 2010-03-19 15:14:46.000000000 +0100 @@ -0,0 +1,7 @@ +#!/bin/sh +# create log suitable for c&p into rpm changes file +if [ -z "$1" ]; then + set -- remotes/origin/master..master +fi +# no idea why it always prints those commit lines +git rev-list --pretty=format:"- %s" "$@" |grep -v ^commit diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.231/publish_web new/SuSEfirewall2-3.6.238/publish_web --- old/SuSEfirewall2-3.6.231/publish_web 1970-01-01 01:00:00.000000000 +0100 +++ new/SuSEfirewall2-3.6.238/publish_web 2010-03-19 15:14:46.000000000 +0100 
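Review bot: The trailing `grep -v ^commit` in mkchanges filters out the `commit <sha>` header that `git rev-list --pretty=…` emits before every formatted entry; as far as I can tell that header is regular rev-list behaviour rather than a mystery, so the `# no idea why it always prints those commit lines` comment is misleading for the next maintainer. Using `git log --pretty=format:"- %s" "$@"` yields the same `- subject` lines without the header, so the last two lines can become `# one "- subject" line per commit, for pasting into the .changes file` and `git log --pretty=format:"- %s" "$@"`. If the grep is kept, quoting the pattern as `"^commit"` is the more defensive form.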
@@ -0,0 +1,9 @@
+#!/bin/bash
+web=~/public_html/SuSEfirewall2
+for i in doc/*SuSEfirewall2.html; do
+    dest=${i/.SuSEfirewall2/}
+    dest=${dest##*/}
+    echo $dest
+    install -m 644 $i $web/$dest
+done
+install -m 644 doc/susebooks.css $web
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
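Review bot: The loop body in publish_web leaves `$i`, `$web` and `$dest` unquoted in the `echo` and `install` lines, and nothing makes the script stop when an `install` fails (for example when `$web` does not exist yet, or when the glob matches nothing and the literal pattern reaches `install`), so a partially published documentation set can go unnoticed because only the last command's status is returned. Adding `set -e` after the shebang and quoting the expansions — `install -m 644 "$i" "$web/$dest"` and `install -m 644 doc/susebooks.css "$web"` — makes failures visible and keeps paths with whitespace intact; the `echo` line can be quoted the same way. This is a convenience script, so the risk is a stale published FAQ rather than anything exploitable, but the fix is cheap.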