Hello community, here is the log from the commit of package SuSEfirewall2 checked in at Mon Jul 14 21:28:41 CEST 2008.
--------
--- SuSEfirewall2/SuSEfirewall2.changes 2008-06-30 17:28:01.000000000 +0200
+++ SuSEfirewall2/SuSEfirewall2.changes 2008-07-14 09:33:06.000000000 +0200
@@ -1,0 +2,5 @@
+Mon Jul 14 09:32:40 CEST 2008 - lnussel@suse.de
+
+- use correct rules to accept RELATED icmpv6 packets (bnc#396667)
+
+-------------------------------------------------------------------
Old:
----
SuSEfirewall2-3.6_SVNr196.tar.bz2
New:
----
SuSEfirewall2-3.6_SVNr197.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ SuSEfirewall2.spec ++++++
--- /var/tmp/diff_new_pack.I11511/_old 2008-07-14 21:10:37.000000000 +0200
+++ /var/tmp/diff_new_pack.I11511/_new 2008-07-14 21:10:37.000000000 +0200
@@ -1,5 +1,5 @@
 #
-# spec file for package SuSEfirewall2 (Version 3.6_SVNr196)
+# spec file for package SuSEfirewall2 (Version 3.6_SVNr197)
 #
 # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
@@ -13,7 +13,7 @@
 Name: SuSEfirewall2
-Version: 3.6_SVNr196
+Version: 3.6_SVNr197
 Release: 1
 License: GPL v2 or later
 Group: Productivity/Networking/Security
@@ -188,6 +188,8 @@
 rm -rf %{buildroot}
 %changelog
+* Mon Jul 14 2008 lnussel@suse.de
+- use correct rules to accept RELATED icmpv6 packets (bnc#396667)
 * Mon Jun 30 2008 lnussel@suse.de
 - allow empty protocol in FW_SERVICES_ACCEPT_RELATED, FW_SERVICES_REJECT, FW_SERVICES_DROP, FW_SERVICES_ACCEPT (bnc#376758)
++++++ SuSEfirewall2-3.6_SVNr196.tar.bz2 -> SuSEfirewall2-3.6_SVNr197.tar.bz2 ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr196/SuSEfirewall2 new/SuSEfirewall2-3.6_SVNr197/SuSEfirewall2
--- old/SuSEfirewall2-3.6_SVNr196/SuSEfirewall2 2008-06-30 17:26:50.000000000 +0200
+++ new/SuSEfirewall2-3.6_SVNr197/SuSEfirewall2 2008-07-14 09:31:17.000000000 +0200
@@ -569,10 +569,6 @@
 $LAA $iptables -A INPUT ${LOG}"-IN-ACC-EST " -m state --state ESTABLISHED
 $iptables -A INPUT -j "$ACCEPT" -m state --state ESTABLISHED
- # need to accept icmp RELATED packets (bnc#382004)
- $LAA $iptables -A INPUT ${LOG}"-IN-ACC-REL " -p icmp -m state --state RELATED
- $iptables -A INPUT -j "$ACCEPT" -p icmp -m state --state RELATED
-
 # if two hosts have a tcp connection on fixed ports and
 # one of the hosts crashes it will send a SYN to the
 # peer if it comes back up. The peer sends back ACK as
@@ -582,6 +578,12 @@
 # $LDA $iptables -A INPUT ${LOG}"-IN-REJECT-ACK " -m state --state INVALID -p tcp --tcp-flags SYN,RST,ACK ACK
 # $iptables -A INPUT -j "$REJECT" -m state --state INVALID -p tcp --tcp-flags SYN,RST,ACK ACK
 done
+
+ # need to accept icmp RELATED packets (bnc#382004)
+ $LAA $IPTABLES -A INPUT ${LOG}"-IN-ACC-REL " -p icmp -m state --state RELATED
+ $IPTABLES -A INPUT -j "$ACCEPT" -p icmp -m state --state RELATED
+ $LAA $IP6TABLES -A INPUT ${LOG}"-IN-ACC-REL " -p icmpv6 -m state --state RELATED
+ $IP6TABLES -A INPUT -j "$ACCEPT" -p icmpv6 -m state --state RELATED
 }
 have_bridgeinterfaces()
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
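Review bot: The two `$IP6TABLES` rules added after `done` run unconditionally and depend on `-m state`, and nothing in this hunk checks that IPv6 filtering and IPv6 connection tracking are available when they execute. The enclosing function begins above the hunk, so the script may already neutralise `$IP6TABLES` in that case; if it does not, the append fails and RELATED ICMPv6 errors (Packet Too Big, for example) are not accepted by these rules, so the pair should sit behind whatever IPv6-availability test the script has. The comment carried over with the block still names only icmp and bnc#382004; I would reword it to `# accept RELATED icmp/icmpv6 errors; ip6tables needs -p icmpv6 (bnc#382004, bnc#396667)`.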