Hello community, here is the log from the commit of package SuSEfirewall2 checked in at Mon Feb 12 13:07:46 CET 2007. -------- --- SuSEfirewall2/SuSEfirewall2.changes 2006-11-15 13:55:32.000000000 +0100 +++ /mounts/work_src_done/NOARCH/SuSEfirewall2/SuSEfirewall2.changes 2007-02-12 12:17:27.000000000 +0100 @@ -1,0 +2,18 @@ +Mon Feb 12 12:16:42 CET 2007 - lnussel@suse.de + +- use /sys/class/net instead of /proc/sys/net/ipv[46]/conf/ to + determine whether an interface exists. Side effect: interfaces + without ip also get filtering rules +- read FW_ZONE variable from ifcfg files for interfaces that are not + listed in FW_DEV_* +- always use default zone for interfaces that are neither listed in + FW_DEV_* nor have FW_ZONE set +- FW_DEV_*="any" sets default zone +- FW_MASQ_DEV="$FW_DEV_EXT" does not work with ifcfg method of + specifying a zone. Use FW_MASQ_DEV="zone:ext" instead. +- remove old interface autodetection code +- add a name tag to meta info of service template +- fix some typos found by Eric Auer +- set version to 3.6 + +------------------------------------------------------------------- Old: ---- SuSEfirewall2-3.5_SVNr159.tar.bz2 New: ---- SuSEfirewall2-3.6_SVNr164.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SuSEfirewall2.spec ++++++ --- /var/tmp/diff_new_pack.KL9658/_old 2007-02-12 13:07:34.000000000 +0100 +++ /var/tmp/diff_new_pack.KL9658/_new 2007-02-12 13:07:34.000000000 +0100 @@ -1,7 +1,7 @@ # -# spec file for package SuSEfirewall2 (Version 3.5_SVNr159) +# spec file for package SuSEfirewall2 (Version 3.6_SVNr164) # -# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # 
@@ -12,7 +12,7 @@ # icecream 0 Name: SuSEfirewall2 -Version: 3.5_SVNr159 +Version: 3.6_SVNr164 Release: 1 License: GNU General Public License (GPL) Group: Productivity/Networking/Security @@ -78,12 +78,10 @@ %config /etc/init.d/SuSEfirewall2_init %config /etc/init.d/SuSEfirewall2_setup /usr/share/SuSEfirewall2 -/etc/sysconfig/scripts/SuSEfirewall2-autointerface.sh /etc/sysconfig/scripts/SuSEfirewall2-rpcinfo /etc/sysconfig/scripts/SuSEfirewall2-showlog /etc/sysconfig/scripts/SuSEfirewall2-open /etc/sysconfig/scripts/SuSEfirewall2-batch -/etc/sysconfig/scripts/SuSEfirewall2-bashhash /etc/sysconfig/scripts/SuSEfirewall2-qdisc /etc/sysconfig/scripts/SuSEfirewall2-oldbroadcast /sbin/rcSuSEfirewall2 
@@ -181,12 +179,35 @@ %{remove_and_set -n SuSEfirewall2 FW_IGNORE_FW_BROADCAST FW_ALLOW_FW_BROADCAST} ) fi +if [ -e etc/sysconfig/SuSEfirewall2 ] \ + && grep -q '^FW_MASQ_DEV="\$FW_DEV_EXT"$' etc/sysconfig/SuSEfirewall2; then + sed 's/^FW_MASQ_DEV="\$FW_DEV_EXT"$/FW_MASQ_DEV="zone:ext"/' \ + < etc/sysconfig/SuSEfirewall2 \ + > etc/sysconfig/SuSEfirewall2.new \ + && mv etc/sysconfig/SuSEfirewall2.new etc/sysconfig/SuSEfirewall2 \ + && echo "FW_MASQ_DEV converted" +fi exit 0 %clean rm -rf %{buildroot} %changelog -n SuSEfirewall2 +* Mon Feb 12 2007 - lnussel@suse.de +- use /sys/class/net instead of /proc/sys/net/ipv[46]/conf/ to + determine whether an interface exists. Side effect: interfaces + without ip also get filtering rules +- read FW_ZONE variable from ifcfg files for interfaces that are not + listed in FW_DEV_* +- always use default zone for interfaces that are neither listed in + FW_DEV_* nor have FW_ZONE set +- FW_DEV_*="any" sets default zone +- FW_MASQ_DEV="$FW_DEV_EXT" does not work with ifcfg method of + specifying a zone. Use FW_MASQ_DEV="zone:ext" instead. +- remove old interface autodetection code +- add a name tag to meta info of service template +- fix some typos found by Eric Auer +- set version to 3.6 * Wed Nov 15 2006 - lnussel@suse.de - only log errors in the output chain if logging is actually enabled (#219108) ++++++ SuSEfirewall2-3.5_SVNr159.tar.bz2 -> SuSEfirewall2-3.6_SVNr164.tar.bz2 ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.5_SVNr159/EXAMPLES.html new/SuSEfirewall2-3.6_SVNr164/EXAMPLES.html --- old/SuSEfirewall2-3.5_SVNr159/EXAMPLES.html 2006-05-22 13:37:06.000000000 +0200 +++ new/SuSEfirewall2-3.6_SVNr164/EXAMPLES.html 2007-02-12 11:54:24.000000000 +0100 
@@ -1,12 +1,12 @@ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2 configuration examples</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2410859"></a>SuSEfirewall2 configuration examples</h1></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2483342">1. Simple dialup</a></span></dt><dt><span class="section"><a href="#id2483363">2. Small home network</a></span></dt><dt><span class="section"><a href="#id2483386">3. Small home network with additional WLAN</a></span></dt><dt><span class="section"><a href="#id2460778">4. Small company with external mail and web server</a></span></dt><dt><span class="section"><a href="#id2460810">5. Company with IPsec tunnel to subsidiary</a></span></dt><dt><span class="section"><a href="#id2460884">6. Company with web server in DMZ</a></span></dt><dt><span class="section"><a href="#id2460336">7. Complex scenario</a></span></dt><dt><span class="section"><a href="#id2460459">8. 
Laptop in private network but with additional public IP adresses</a></span></dt></dl></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p> +<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2 configuration examples</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.71.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2245331"></a>SuSEfirewall2 configuration examples</h1></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2503018">1. Simple dialup</a></span></dt><dt><span class="section"><a href="#id2503039">2. Small home network</a></span></dt><dt><span class="section"><a href="#id2503062">3. Small home network with additional WLAN</a></span></dt><dt><span class="section"><a href="#id2503086">4. Small company with external mail and web server</a></span></dt><dt><span class="section"><a href="#id2480558">5. Company with IPsec tunnel to subsidiary</a></span></dt><dt><span class="section"><a href="#id2480633">6. Company with web server in DMZ</a></span></dt><dt><span class="section"><a href="#id2480045">7. Complex scenario</a></span></dt><dt><span class="section"><a href="#id2480169">8. Laptop in private network but with additional public IP adresses</a></span></dt></dl></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p> All options <span class="emphasis"><em>not</em></span> mentioned in a scenario should be left as they are in the default <code class="filename">sysconfig/SuSEfirewall2</code> config file. 
Backup default config: <code class="filename">/usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.sysconfig</code> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2483342"></a>1. Simple dialup</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2503018"></a>1. Simple dialup</h2></div></div></div><p> A user with his nice SUSE Linux PC wants to be protected when connected to the internet via the ISDN dialup of his ISP. He wants to offer no services to the internet. He is not connected to any other network, nor @@ -15,7 +15,7 @@ </p><div class="informalexample"><pre class="programlisting"> FW_DEV_EXT="ippp0"</pre></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2483363"></a>2. Small home network</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2503039"></a>2. Small home network</h2></div></div></div><p> A family owns multiple PCs, a SUSE Linux PC is connected to the internet via DSL. The family's LAN uses private IPs therefore masquerading has to be used. The Firewall provides no services whatsoever. The address of the 
@@ -27,7 +27,7 @@ FW_MASQUERADE="yes" FW_MASQ_NETS="192.168.10.0/24"</pre></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2483386"></a>3. Small home network with additional WLAN</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2503062"></a>3. Small home network with additional WLAN</h2></div></div></div><p> Same network as above but additionally the Firewall is also connected to a wireless network. Hosts in the wireless network should get internet access but are not allowed to communicate with the internal network. The @@ -41,7 +41,7 @@ FW_MASQUERADE="yes" FW_MASQ_NETS="192.168.10.0/24 192.168.20.0/24"</pre></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460778"></a>4. Small company with external mail and web server</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2503086"></a>4. Small company with external mail and web server</h2></div></div></div><p> A company uses it's SUSE Linux PC to access the internet via an ISDN dialup of it's ISP. It has got a static IP address and a web server running on the PC plus it's mail-/pop3-server for the company. Squid is 
@@ -56,7 +56,7 @@ FW_SERVICES_INT_UDP="domain" FW_PROTECT_FROM_INT="yes"</pre></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460810"></a>5. Company with IPsec tunnel to subsidiary</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2480558"></a>5. Company with IPsec tunnel to subsidiary</h2></div></div></div><p> A small company wants access to the internet for it's client PCs. Additionally the subsidiariaries client PCs should get access to the local network through an IPsec tunnel. Internet traffic should be @@ -83,7 +83,7 @@ flow. </p></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460884"></a>6. Company with web server in DMZ</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2480633"></a>6. Company with web server in DMZ</h2></div></div></div><p> This company has got a more complex setup: @@ -149,7 +149,7 @@ target port of 53 (DNS) or 25 (Mail) to the local servers on the firewall. - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460336"></a>7. Complex scenario</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2480045"></a>7. Complex scenario</h2></div></div></div><p> </p><pre class="screen"> Internet 
@@ -207,7 +207,7 @@ # internet access to web server and trusted company access to internal Server FW_FORWARD_MASQ="0/0,10.0.10.2,tcp,80 0/0,10.0.10.2,tcp,443 \ 192.168.1.0/24,10.0.2.3,tcp,22"</pre></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460459"></a>8. Laptop in private network but with additional public IP adresses</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2480169"></a>8. Laptop in private network but with additional public IP adresses</h2></div></div></div><p> </p><pre class="screen"> Internet diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.5_SVNr159/FAQ.html new/SuSEfirewall2-3.6_SVNr164/FAQ.html --- old/SuSEfirewall2-3.5_SVNr159/FAQ.html 2006-05-22 13:37:09.000000000 +0200 +++ new/SuSEfirewall2-3.6_SVNr164/FAQ.html 2007-02-12 11:54:25.000000000 +0100 
@@ -1,39 +1,39 @@ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2 FAQ</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2410859"></a>SuSEfirewall2 FAQ</h1></div></div><hr /></div><div class="qandaset"><dl><dt>1. <a href="#id2460136"> +<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2 FAQ</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.71.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2245331"></a>SuSEfirewall2 FAQ</h1></div></div><hr /></div><div class="qandaset"><dl><dt>1. <a href="#id2502969"> How do I allow access to my application XYZ on my firewall? - </a></dt><dt>2. <a href="#id2483366"> + </a></dt><dt>2. <a href="#id2503032"> How can I reduce the generated rule set as much as possible? - </a></dt><dt>3. <a href="#id2460819"> + </a></dt><dt>3. <a href="#id2480564"> How can I be sure that the firewall rules are active when I connect to the internet? - </a></dt><dt>4. <a href="#id2460873"> + </a></dt><dt>4. <a href="#id2480621"> How many interfaces are supported for each zone (EXT/DMZ/INT)? - </a></dt><dt>5. <a href="#id2460891"> + </a></dt><dt>5. <a href="#id2480639"> Why is communication between two interfaces in the same zone not working? - </a></dt><dt>6. <a href="#id2460265"> + </a></dt><dt>6. <a href="#id2480668"> I have set a web server in my DMZ. 
How do I configure SuSEfirewall2 to let people on the internet access my pages? - </a></dt><dt>7. <a href="#id2460298"> + </a></dt><dt>7. <a href="#id2480008"> What if my Server has a private IP address, how do I enable external access then? - </a></dt><dt>8. <a href="#id2460346">Some service does not work when the firewall is enabled. How do I find out what's wrong? - </a></dt><dt>9. <a href="#id2460419"> + </a></dt><dt>8. <a href="#id2480056">Some service does not work when the firewall is enabled. How do I find out what's wrong? + </a></dt><dt>9. <a href="#id2480130"> Some web site that offers port scanning claims my system is not protected properly as it still responds to ICMP echo requests (ping) - </a></dt><dt>10. <a href="#id2460443"> + </a></dt><dt>10. <a href="#id2480153"> Can't the evil guys detect whether my host is online if it responds to ICMP echo requests? - </a></dt><dt>11. <a href="#id2460463"> + </a></dt><dt>11. <a href="#id2480173"> SuSEfirewall2 drops most packets but it doesn't fully hide the presence of my machine. Isn't that a security hole? - </a></dt><dt>12. <a href="#id2460484"> + </a></dt><dt>12. <a href="#id2480194"> The ipsec0 interface I had with kernel 2.4 is gone. How do I assign IPsec traffic to a different zone now? - </a></dt><dt>13. <a href="#id2460535"> + </a></dt><dt>13. <a href="#id2480245"> Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore? - </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%" /><tbody><tr class="question"><td align="left" valign="top"><a id="id2460136"></a><a id="id2483312"></a><b>1.</b></td><td align="left" valign="top"><p> + </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%" /><tbody><tr class="question"><td align="left" valign="top"><a id="id2502969"></a><a id="id2480507"></a><b>1.</b></td><td align="left" valign="top"><p> How do I allow access to my application XYZ on my firewall? 
- </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> Usually you need an entry in <code class="varname">FW_SERVICES_EXT_TCP</code> or <code class="varname">FW_SERVICES_EXT_UDP</code>. The most common problem is @@ -48,9 +48,9 @@ into <code class="varname">FW_SERVICES_EXT_TCP</code> and execute <span><strong class="command">SuSEfirewall2</strong></span> again. - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2483366"></a><a id="id2483369"></a><b>2.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2503032"></a><a id="id2503034"></a><b>2.</b></td><td align="left" valign="top"><p> How can I reduce the generated rule set as much as possible? - </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><div class="itemizedlist"><ul type="disc"><li><p> + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><div class="itemizedlist"><ul type="disc"><li><p> Set <code class="varname">FW_PROTECT_FROM_INTERNAL</code> to <code class="literal">"no"</code> </p></li><li><p> Disable Logging 
@@ -65,10 +65,10 @@ Then you will have got much less rules, but also a lesser security. Better spend 50$ on a faster processor and more ram instead of using an old 486 as firewall. - </p></li></ul></div></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460819"></a><a id="id2460821"></a><b>3.</b></td><td align="left" valign="top"><p> + </p></li></ul></div></td></tr><tr class="question"><td align="left" valign="top"><a id="id2480564"></a><a id="id2480566"></a><b>3.</b></td><td align="left" valign="top"><p> How can I be sure that the firewall rules are active when I connect to the internet? - </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> Make sure that the <code class="literal">SuSEfirewall2</code> boot scripts are enabled and that <code class="filename">/etc/sysconfig/network/config</code> 
@@ -78,13 +78,13 @@ packet filtering rules are actually installed with the command <span><strong class="command">SuSEfirewall2 status</strong></span> - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460873"></a><a id="id2460875"></a><b>4.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2480621"></a><a id="id2480623"></a><b>4.</b></td><td align="left" valign="top"><p> How many interfaces are supported for each zone (EXT/DMZ/INT)? - </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> Any number you want - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460891"></a><a id="id2460893"></a><b>5.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2480639"></a><a id="id2480641"></a><b>5.</b></td><td align="left" valign="top"><p> Why is communication between two interfaces in the same zone not working? - </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> For security reasons, no network may communicate to another until configured otherwise. Even if both are "trusted" internal networks. 
@@ -93,19 +93,19 @@ traffic with <code class="varname">FW_FORWARD</code>. Keep in mind that this affects all interfaces in all zones. - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460265"></a><a id="id2460267"></a><b>6.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2480668"></a><a id="id2480670"></a><b>6.</b></td><td align="left" valign="top"><p> I have set a web server in my DMZ. How do I configure SuSEfirewall2 to let people on the internet access my pages? - </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> Lets say your web server has got an official IP address of 1.1.1.1 which you received from your ISP. You would just configure <code class="varname">FW_FORWARD_TCP</code> like this: </p><div class="informalexample"><pre class="programlisting">FW_FORWARD="0/0,1.1.1.1,tcp,80"</pre></div><p> - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460298"></a><a id="id2460300"></a><b>7.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2480008"></a><a id="id2480010"></a><b>7.</b></td><td align="left" valign="top"><p> What if my Server has a private IP address, how do I enable external access then? - </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> You can use reverse masquerading. For this you need to set <code class="varname">FW_ROUTE</code> and <code class="varname">FW_MASQUERADE</code> to 
@@ -118,8 +118,8 @@ FW_MASQUERADE="yes" FW_FORWARD_MASQ="0/0,10.0.0.1,tcp,80"</pre></div><p> - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460346"></a><a id="id2460348"></a><b>8.</b></td><td align="left" valign="top"><p>Some service does not work when the firewall is enabled. How do I find out what's wrong? - </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2480056"></a><a id="id2480058"></a><b>8.</b></td><td align="left" valign="top"><p>Some service does not work when the firewall is enabled. How do I find out what's wrong? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> Enable logging of all dropped packets and disable the log limit in <code class="filename">/etc/sysconfig/SuSEfirewall2</code>: 
@@ -146,32 +146,32 @@ If everything works again don't forget to set the log options back to normal to not fill up you log files. - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460419"></a><a id="id2460422"></a><b>9.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2480130"></a><a id="id2480132"></a><b>9.</b></td><td align="left" valign="top"><p> Some web site that offers port scanning claims my system is not protected properly as it still responds to ICMP echo requests (ping) - </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> ICMP echo requests are harmless however they are a fundametal means to determine whether hosts are still reachable. Blocking them would seriously impact the ability to track down network problems. It is therefore not considered nice behaviour for an internet citizen to drop pings. - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460443"></a><a id="id2460445"></a><b>10.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2480153"></a><a id="id2480155"></a><b>10.</b></td><td align="left" valign="top"><p> Can't the evil guys detect whether my host is online if it responds to ICMP echo requests? - </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> Yes but they can detect that anyways. The router at your provider behaves different depending on whether someone is dialed in or not. 
- </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460463"></a><a id="id2460465"></a><b>11.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2480173"></a><a id="id2480176"></a><b>11.</b></td><td align="left" valign="top"><p> SuSEfirewall2 drops most packets but it doesn't fully hide the presence of my machine. Isn't that a security hole? - </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> You machine is never fully invisible, see previous question. The purpose of dropping packets is not to hide your machine but to slow down port scans. - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460484"></a><a id="id2460486"></a><b>12.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2480194"></a><a id="id2480196"></a><b>12.</b></td><td align="left" valign="top"><p> The <code class="literal">ipsec0</code> interface I had with kernel 2.4 is gone. How do I assign IPsec traffic to a different zone now? - </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> Set the variable <code class="varname">FW_IPSEC_TRUST</code> to the zone you would have put the <code class="literal">ipsec0</code> into before. For example 
@@ -184,9 +184,9 @@ FW_SERVICES_EXT_UDP="isakmp" FW_PROTECT_FROM_INT="no"</pre></div><p> - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460535"></a><a id="id2460537"></a><b>13.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2480245"></a><a id="id2480247"></a><b>13.</b></td><td align="left" valign="top"><p> Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore? - </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> <code class="literal">SuSEfirewall2</code> is implemented in bourne shell which is not exactly the fastest thing on earth especially if it has that much work to do as diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.5_SVNr159/Makefile new/SuSEfirewall2-3.6_SVNr164/Makefile --- old/SuSEfirewall2-3.5_SVNr159/Makefile 2006-08-10 16:00:31.000000000 +0200 +++ new/SuSEfirewall2-3.6_SVNr164/Makefile 2007-02-12 11:52:34.000000000 +0100 @@ -1,4 +1,4 @@ -VERSION=3.5 +VERSION=3.6 NAME=SuSEfirewall2 SVNVER=$(shell svnversion .) NVER=$(NAME)-$(VERSION)_SVNr$(SVNVER) @@ -7,10 +7,8 @@ SuSEfirewall2-open \ SuSEfirewall2-showlog \ SuSEfirewall2-rpcinfo \ - SuSEfirewall2-bashhash \ SuSEfirewall2-qdisc \ SuSEfirewall2-oldbroadcast \ - SuSEfirewall2-autointerface.sh DESTDIR= diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.5_SVNr159/README.html new/SuSEfirewall2-3.6_SVNr164/README.html --- old/SuSEfirewall2-3.5_SVNr159/README.html 2006-05-22 13:37:12.000000000 +0200 +++ new/SuSEfirewall2-3.6_SVNr164/README.html 2007-02-12 11:54:27.000000000 +0100 
@@ -1,6 +1,6 @@ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2410859"></a>SuSEfirewall2</h1></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2460134">1. Introduction</a></span></dt><dt><span class="section"><a href="#id2483396">2. Quickstart</a></span></dt><dd><dl><dt><span class="section"><a href="#id2483402">2.1. YaST2 firewall module</a></span></dt><dt><span class="section"><a href="#id2460784">2.2. Manual configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#id2460842">3. Some words about security</a></span></dt><dt><span class="section"><a href="#id2460290">4. Reporting bugs</a></span></dt><dt><span class="section"><a href="#id2460315">5. Links</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460134"></a>1. 
Introduction</h2></div></div></div><p> +<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.71.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2245331"></a>SuSEfirewall2</h1></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2502966">1. Introduction</a></span></dt><dt><span class="section"><a href="#id2503072">2. Quickstart</a></span></dt><dd><dl><dt><span class="section"><a href="#id2503078">2.1. YaST2 firewall module</a></span></dt><dt><span class="section"><a href="#id2480530">2.2. Manual configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#id2480589">3. Some words about security</a></span></dt><dt><span class="section"><a href="#id2479999">4. Reporting bugs</a></span></dt><dt><span class="section"><a href="#id2480024">5. Links</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2502966"></a>1. Introduction</h2></div></div></div><p> <code class="literal">SuSEfirewall2</code> is a shell script wrapper for the Linux firewall setup tool (<code class="literal">iptables</code>). It's controlled by a 
@@ -12,14 +12,14 @@ </p><div class="itemizedlist"><ul type="disc"><li><p>sets up secure filter rules by default</p></li><li><p>easy to configure</p></li><li><p>requires only a small configuration effort</p></li><li><p>zone based setup. Interfaces are grouped into zones</p></li><li><p>supports an arbitrary number of zones</p></li><li><p>supports forwarding, masquerading, port redirection</p></li><li><p>supports RPC services with dynamically assigned ports</p></li><li><p>allows special treatment of IPsec packets</p></li><li><p>IPv6 support (no forwarding/masquerading)</p></li><li><p>allows insertion of custom rules through hooks</p></li></ul></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2483396"></a>2. Quickstart</h2></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2483402"></a>2.1. YaST2 firewall module</h3></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2503072"></a>2. Quickstart</h2></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2503078"></a>2.1. YaST2 firewall module</h3></div></div></div><p> The YaST2 firewall module is the recommended tool for configuring SuSEfirewall2. It offers the most common features with a nice user interface and help texts. It also takes care of proper activation of the init scripts. - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2460784"></a>2.2. Manual configuration</h3></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2480530"></a>2.2. Manual configuration</h3></div></div></div><p> Enable the SuSEfirewall2 boot scripts: 
@@ -37,7 +37,7 @@ <code class="filename">EXAMPLES</code> file in <code class="filename">/usr/share/doc/packages/SuSEfirewall2</code> - </p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460842"></a>3. Some words about security</h2></div></div></div><p> + </p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2480589"></a>3. Some words about security</h2></div></div></div><p> SuSEfirewall2 is a frontend for iptables which sets up kernel packet filters, nothing more and nothing less. This means that you are not 
@@ -76,13 +76,13 @@ Check your log files regularly for unusual entries. </p></li></ul></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460290"></a>4. Reporting bugs</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2479999"></a>4. Reporting bugs</h2></div></div></div><p> Report any problems via <a href="http://www.suse.de/feedback" target="_top">http://www.suse.de/feedback</a>. For discussion about SuSEfirewall2 join the <a href="http://www.suse.com/us/private/support/online_help/mailinglists/index.html" target="_top">suse-security</a> mailinglist. - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460315"></a>5. Links</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2480024"></a>5. Links</h2></div></div></div><p> <a href="EXAMPLES.html" target="_top">Examples</a> </p><p> <a href="FAQ.html" target="_top">Frequently Asked Questions</a> diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.5_SVNr159/susebooks.css new/SuSEfirewall2-3.6_SVNr164/susebooks.css --- old/SuSEfirewall2-3.5_SVNr159/susebooks.css 2006-05-22 13:37:03.000000000 +0200 +++ new/SuSEfirewall2-3.6_SVNr164/susebooks.css 2007-02-12 11:54:21.000000000 +0100 
@@ -224,3 +224,10 @@ } /* EOF */ pre.programlisting { background-color: #E0E0E0; } +div.refnamediv h2, \ + div.refsynopsisdiv h2, \ + div.refsect1 h2 { \ + font-family: Arial, Helvetica, sans-serif; \ + font-size: medium; \ + } +h3.title { font-family: Arial, Helvetica, sans-serif; } diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.5_SVNr159/SuSEfirewall2 new/SuSEfirewall2-3.6_SVNr164/SuSEfirewall2 --- old/SuSEfirewall2-3.5_SVNr159/SuSEfirewall2 2006-11-15 13:52:14.000000000 +0100 +++ new/SuSEfirewall2-3.6_SVNr164/SuSEfirewall2 2007-02-12 11:51:20.000000000 +0100 @@ -161,6 +161,7 @@ BOOTLOCKFILE="/var/lock/SuSEfirewall2.booting" FW_CUSTOMRULES="" +FW_ZONE_DEFAULT="" USE_IPTABLES_BATCH='' # whether ip6tables supports state matching @@ -709,8 +710,7 @@ local dev=`getcfg-interface "$1"` if [ "$?" -ne 0 -o -z "$dev" \ - -o \( ! -e /proc/sys/net/ipv4/conf/"$dev" \ - -a ! -e /proc/sys/net/ipv6/conf/"$dev" \) ]; then + -o \( ! -e /sys/class/net/"$dev" \ ]; then return 1 fi @@ -728,46 +728,6 @@ fi } - -auto_detect_done=0 -auto_detect_interfaces() -{ - [ "$auto_detect_done" = 1 ] && return - local zone - while read line; do - set -- $line - zone="$1" - shift - case "$zone" in - External:) - FW_DEV_EXT_AUTO="$*" - ;; - Internal:) - FW_DEV_INT_AUTO="$*" - ;; - esac - done < <(/bin/bash $SCRIPTSDIR/SuSEfirewall2-autointerface.sh) - auto_detect_done=1 -} - -# auto interface detection -auto_detect_all_interfaces() -{ - if [ "$FW_DEV_EXT" = "auto" ]; then - auto_detect_interfaces - FW_DEV_EXT="$FW_DEV_EXT_AUTO" - fi - - if [ "$FW_DEV_INT" = "auto" ]; then - auto_detect_interfaces - FW_DEV_INT="$FW_DEV_INT_AUTO" - fi - - if [ "$FW_MASQ_DEV" = "auto" ]; then - FW_MASQ_DEV="$FW_DEV_EXT" - fi -} - setlock() { ### Locking mechanism 
@@ -815,11 +775,19 @@ evaluateinterfaces() { local devs="" - local dev_any="" - local dev + local var dev + var="$1" + eval set -- \$$var for dev in "$@" ; do if [ "$dev" = 'any' ]; then - dev_any='any' + if [ -n "$FW_ZONE_DEFAULT" ]; then + error "zone '$FW_ZONE_DEFAULT' is already default, ignoring 'any' in '$var'" + else + FW_ZONE_DEFAULT="$zone" + fi + continue + elif [ "$dev" = 'auto' ]; then + warning "ignoring deprecated interface 'auto' in $var" continue fi dev=`getdevinfo "$dev"` || continue 
@@ -827,7 +795,70 @@ devs="$devs $dev" done - echo $dev_any $devs + eval $var="\$devs" +} + +#sets iface_$name=$zone +check_interfaces_unique() +{ + local zone devs d z + for zone in $all_zones; do + eval devs="\$FW_DEV_$zone" + for d in $devs; do + [ -z "$d" ] && continue + d=${d//[^A-Za-z0-9]/_} + eval z=\${iface_$d} + if [ -z "$z" ]; then + eval iface_$d=$zone + else + error "$d aleady in zone '$z' but also configured for '$zone'" + fi + done + done +} + +source_config_for_iface() +{ + local iface="$1" + local dir=/etc/sysconfig/network + if [ -x /sbin/getcfg ] ; then + eval `/sbin/getcfg -d $dir -f ifcfg- -- $iface 2>/dev/null` + cfg="$HWD_CONFIG_0" + fi + if [ -z "$cfg" ]; then + cfg=$iface + fi + . $dir/ifcfg-$cfg 2>/dev/null +} + +autodetect_interfaces() +{ + local d z + set -- `cd /sys/class/net; echo *` 2>/dev/null + for d in "$@"; do + [ -z "$d" -o "$d" = 'lo' -o "$d" = 'sit0' ] && continue + d=${d//[^A-Za-z0-9]/_} + eval z=\${iface_$d} + [ -n "$z" ] && continue + eval [ -n "\"\$seen_$d\"" ] && continue + eval local seen_$d=1 + z=`source_config_for_iface $d && echo $FW_ZONE` + if [ -n "$z" ]; then + if eval [ -n "\"\$zone_$z\"" ]; then + eval FW_DEV_$z="\"\$FW_DEV_$z \$d\"" + eval iface_$d=$z + else + error "invalid zone '$z' specified for interface '$d'" + fi + elif [ -n "$FW_ZONE_DEFAULT" ]; then + message "using default zone '$FW_ZONE_DEFAULT' for interface $d" + z="$FW_ZONE_DEFAULT" + eval FW_DEV_$z="\"\$FW_DEV_$z \$d\"" + eval iface_$d=$z + else + warning "no firewall zone defined for interface $d" + fi + done } parse_interfaces() 
@@ -835,19 +866,38 @@ local zone devs var for zone in $all_zones; do - eval devs="\$FW_DEV_`cibiz $zone`" - set -- `evaluateinterfaces $devs` - if [ "$1" = 'any' ]; then - eval DEV_${zone}_ANY="yes" - shift - fi - eval FW_DEV_$zone="\"$*\"" + evaluateinterfaces FW_DEV_`cibiz $zone` done + if [ -z "$FW_ZONE_DEFAULT" ]; then + FW_ZONE_DEFAULT='ext' + warning "no default firewall zone defined, assuming 'ext'" + fi +} - set -- `evaluateinterfaces $FW_MASQ_DEV` - [ "$1" = 'any' ] && shift - FW_MASQ_DEV="$*" +process_masq_dev() +{ + local devs="" + local dev + set -- $FW_MASQ_DEV + for dev in "$@" ; do + if [ "$dev" = 'auto' ]; then + warning "ignoring deprecated interface 'auto' in FW_MASQ_DEV" + continue + fi + # zone specified? + if [ "$dev" != "${dev#zone:}" ]; then + dev=${dev#zone:} + if eval [ -n "\"\$zone_$dev\"" ]; then + eval devs="\"\$devs \$FW_DEV_$dev\"" + continue + fi + fi + dev=`getdevinfo "$dev"` || continue + case "$dev" in *:*) continue; ;; esac + devs="$devs $dev" + done + FW_MASQ_DEV="$devs" } load_customrules() @@ -1059,18 +1109,26 @@ case $zone in [Ii][Nn][Tt]|[Ee][Xx][Tt]|[Dd][Mm][Zz]) error "FW_ZONES=$zone ignored" ;; - *) all_zones="$all_zones $zone" ;; + *) + if [ "$zone" != "${zone//[^A-Za-z0-9]/_}" ]; then + error "ignoring invalid zone name $zone in FW_ZONES" + else + all_zones="$all_zones $zone" + fi + ;; esac done + for zone in $all_zones; do + eval "zone_$zone=0" + done } remove_unused_zones() { - local zone zones devs any + local zone zones devs for zone in $all_zones; do eval devs="\$FW_DEV_$zone" - eval any="\$DEV_${zone}_ANY" - if [ -n "$devs" -o "$ipsec_chain" = $zone -o "$any" = 'yes' ]; then + if [ -n "$devs" -o "$ipsec_chain" = $zone -o "$FW_ZONE_DEFAULT" = "$zone" ]; then if [ -z "$zones" ]; then zones=$zone else 
@@ -1082,15 +1140,6 @@ [ "$all_zones" != "$zones" ] && all_zones="$zones" } -create_zones_hash() -{ - local zone - need bashhash - for zone in $all_zones; do - hashadd zones $zone 1 - done -} - # convert if built in zone, eg ext -> EXT cibiz() { @@ -1142,8 +1191,6 @@ local zone local dev local devs - local any - local anyzone='' for iptables in "$IPTABLES" "$IP6TABLES"; do for zone in $saved_input_zones; do @@ -1151,18 +1198,9 @@ for dev in $devs; do $iptables -A INPUT -j input_$zone -i $dev done - eval any="\$DEV_${zone}_ANY" - if [ "$any" = 'yes' ]; then - if [ -n "$anyzone" ]; then - [ "$iptables" != ':' ] && warning "interface 'any' already in zone '$anyzone', ignoring '$zone'" - else - anyzone=$zone - fi - fi done - if [ -n "$anyzone" ]; then - $iptables -A INPUT -j input_$anyzone - anyzone='' + if [ -n "$FW_ZONE_DEFAULT" ]; then + $iptables -A INPUT -j "input_$FW_ZONE_DEFAULT" fi if [ "$FW_ROUTE" = yes ]; then for zone in $forward_zones; do @@ -1319,7 +1357,7 @@ chain=forward_$zone $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-PING " -p icmp --icmp-type echo-reply $IPTABLES -A $chain -j "$ACCEPT" -m state --state ESTABLISHED -p icmp --icmp-type echo-reply - $LAA $IP6TABLES -A $chan ${LOG}"-`rulelog $chain`-ACC-PING " -p icmpv6 --icmpv6-type echo-reply + $LAA $IP6TABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-PING " -p icmpv6 --icmpv6-type echo-reply $IP6TABLES -A $chain -j "$ACCEPT" -m state --state ESTABLISHED -p icmpv6 --icmpv6-type echo-reply done # drop rule for forwarding chains are at the end of the forwarding rules 
@@ -1778,7 +1816,7 @@ $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-MASQ " -s $net1 $net2 $proto $port -o $dev $IPTABLES -A $chain -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s $net1 $net2 $proto $port -o $dev # we need to allow the replies as well - $LAA $IPTABLES -A $chain -d $net1 $snet2 $proto $rport -i $dev ${LOG}"-`rulelog $CHAIN`-ACC-MASQ " -m state --state ESTABLISHED,RELATED + $LAA $IPTABLES -A $chain -d $net1 $snet2 $proto $rport -i $dev ${LOG}"-`rulelog $chain`-ACC-MASQ " -m state --state ESTABLISHED,RELATED $IPTABLES -A $chain -d $net1 $snet2 $proto $rport -i $dev -j "$ACCEPT" -m state --state ESTABLISHED,RELATED done $IPTABLES -A POSTROUTING -j MASQUERADE -t nat -s $net1 $net2 $proto $port -o $dev @@ -1984,10 +2022,11 @@ message "Setting up rules from $FWCONFIG ..." parse_zones - -auto_detect_all_interfaces - parse_interfaces +check_interfaces_unique +autodetect_interfaces +process_masq_dev + load_customrules check_interfaces @@ -2002,8 +2041,6 @@ input_zones="$all_zones" saved_input_zones="$input_zones" # need that for fork_to_chains -#create_zones_hash - parse_configurations # Set default rules + flush diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.5_SVNr159/SuSEfirewall2-autointerface.sh new/SuSEfirewall2-3.6_SVNr164/SuSEfirewall2-autointerface.sh --- old/SuSEfirewall2-3.5_SVNr159/SuSEfirewall2-autointerface.sh 2005-06-28 10:02:27.000000000 +0200 +++ new/SuSEfirewall2-3.6_SVNr164/SuSEfirewall2-autointerface.sh 1970-01-01 01:00:00.000000000 +0100 
@@ -1,120 +0,0 @@ -#!/bin/bash -# -# SuSEfirewall2-autointerface.sh - helper script for SuSEfirewall2 -# Copyright (C) 2004 SUSE Linux AG -# -# Author: Ludwig Nussel -# -# Please send feedback via http://www.suse.de/feedback -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# version 2 as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -# determine which network devices are internal and which are external -# -# The external device is always the one where the default route points at. If -# there is no default route, then there is also no external device. -# -# Active devices except the external one are considered as candidates for -# internal. Devices that are configured for pppoe in -# /etc/sysconfig/network/ifcfg-dsl* are removed from the active list. If only -# one device is left after that filter, it's considered as internal. 
-# -# => only one external and one internal possible -# => if you only have one device with no default route it's internal -# -# All packets that arrive on devices that are neither internal nor external -# will be dropped by the firewall - -# print the device where the default route points at -get_default_route_dev() -{ - while read line; do - set -- $line - [ "$1" != default ] && continue; - # interface name comes after a "dev" token - while [ "$1" != dev -a $# -gt 0 ]; do shift; done - if [ "$1" = dev ]; then - echo $2 - break; - fi - done < <(ip route show) -} - -# print active interfaces except lo -get_active_interfaces() -{ - while read line; do - set -- $line - case "$3" in - *UP*) - dev=${2%%:} - [ "$dev" != "lo" ] && echo $dev - ;; - esac - done < <(ip -o link show) -} - -# first parameter is device to filter from rest of arguments -filter_one_dev() -{ - filter="$1" - shift - if [ -z "$filter" ]; then - echo "$@" - return; - fi - for i in "$@"; do - [ "$filter" = "$i" ] && continue - echo $i - done -} - -# filter devices for which a pppoe link is configured. exit with status 1 if -# more than one device is left -filter_pppoe_devs() -{ - for i in /etc/sysconfig/network/ifcfg-dsl*; do - . $i - [ -z "$DEVICE" -o $PPPMODE != pppoe ] && continue - if [ -x "/sbin/getcfg-interface" ] && ! ip link show dev "$DEVICE" > /dev/null 2>&1; then - DEVICE=`/sbin/getcfg-interface "$DEVICE"` || continue - fi - set -- `filter_one_dev "$DEVICE" "$@"` - done - echo "$@" - [ "$#" -gt 1 ] && return 1 - return 0 -} - -shopt -s nullglob - -internal= -external=`get_default_route_dev` - -# all active devices -active=`get_active_interfaces` - -# active devices except the default route device -filtered=`filter_one_dev "$external" $active` - -# active devices minus pppoe devices -filtered2=`filter_pppoe_devs $filtered` -[ "$?" 
= 0 ] && internal=$filtered2 - -echo "External: $external" -echo "Internal: $internal" - -#echo "Active: $active" -#echo "Filtered: $filtered" -#echo "Filtered2: $filtered2" diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.5_SVNr159/SuSEfirewall2-bashhash new/SuSEfirewall2-3.6_SVNr164/SuSEfirewall2-bashhash --- old/SuSEfirewall2-3.5_SVNr159/SuSEfirewall2-bashhash 2005-06-28 10:02:27.000000000 +0200 +++ new/SuSEfirewall2-3.6_SVNr164/SuSEfirewall2-bashhash 1970-01-01 01:00:00.000000000 +0100 
@@ -1,96 +0,0 @@ -#!/bin/bash -# SuSEfirewall2-bashhash - hash emulation in bash -# Copyright (C) 2004 SUSE LINUX Products GmbH -# -# Author: Ludwig Nussel -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# version 2 as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -# isn't that sick? - -hashlookup() -{ - local h hmatch key q - if [ "$1" = "-q" ]; then - q=1 - shift - fi - h="hash_$1" - key="$2" - eval hmatch="\$hash_match_$h" - - case "$key" in - *\ *|*-*|*/*) return 1 ;; - esac - - eval "case $key in - $hmatch) - [ -z "$q" ] && eval echo '\$hash_key_${h}_$key' - return 0 - ;; - esac" - return 1 -} - -hashadd() -{ - local h hmatch key val - h="hash_$1" - key="$2" - val="$3" - eval hmatch="\$hash_match_$h" - case $key in - $hmatch) ;; - *) - if [ -z "$hmatch" ]; then - eval hash_match_$h="\"\$key\"" - else - eval hash_match_$h="\"\$hmatch|\$key\"" - fi - ;; - esac - - eval hash_key_${h}_$key="\$val" -} - -hashallkeys() -{ - local h hmatch i - h="hash_$1" - eval hmatch="\$hash_match_$h" - IFS="|" eval echo "\$hmatch" -} - -if [ "$1" = "test" ]; then - hashadd h "foo" "bar" - hashadd h "bla" "blub" - hashadd h "red" "blue" - hashadd h "green" "yellow" - - for i in ${!hash*}; do - eval echo \"$i=\$$i\" - done - - hashlookup h foo || echo foo not in hash - hashlookup h blue || echo blue not in hash - hashlookup h green || echo green not in hash - hashlookup -q h green || echo green not in hash - hashlookup h "x y" || echo "\"x y\" invalid" 
- hashlookup h x-y || echo "x-y invalid" - - echo -n "all keys: " - hashallkeys h -fi - -# vim:sw=4 diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.5_SVNr159/SuSEfirewall2.service.TEMPLATE new/SuSEfirewall2-3.6_SVNr164/SuSEfirewall2.service.TEMPLATE --- old/SuSEfirewall2-3.5_SVNr159/SuSEfirewall2.service.TEMPLATE 2006-07-17 11:06:20.000000000 +0200 +++ new/SuSEfirewall2-3.6_SVNr164/SuSEfirewall2.service.TEMPLATE 2007-02-08 10:14:04.000000000 +0100 @@ -8,7 +8,8 @@ # the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2 # -## Description: TEMPLATE +## Name: template service +## Description: opens ports for foo in order to allow bar # space separated list of allowed TCP ports TCP="" diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.5_SVNr159/SuSEfirewall2.sysconfig new/SuSEfirewall2-3.6_SVNr164/SuSEfirewall2.sysconfig --- old/SuSEfirewall2-3.5_SVNr159/SuSEfirewall2.sysconfig 2006-09-20 14:46:59.000000000 +0200 +++ new/SuSEfirewall2-3.6_SVNr164/SuSEfirewall2.sysconfig 2007-02-12 12:04:14.000000000 +0100 
@@ -1,20 +1,20 @@ # Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany. All rights reserved. # Copyright (c) 2003,2004 SuSE Linux AG Nuernberg, Germany. All rights reserved. -# Copyright (c) 2005 SUSE LINUX Products GmbH Nuernberg, Germany. All rights reserved. +# Copyright (c) 2005-2007 SUSE LINUX Products GmbH Nuernberg, Germany. All rights reserved. # # Author: Marc Heuse, 2002 -# Ludwig Nussel, 2004 +# Ludwig Nussel, 2004-2007 # # /etc/sysconfig/SuSEfirewall2 # -# for use with /sbin/SuSEfirewall2 version 3.3 +# for use with /sbin/SuSEfirewall2 version 3.6 # # ------------------------------------------------------------------------ # # PLEASE NOTE THE FOLLOWING: # # Just by configuring these settings and using the SuSEfirewall2 you # are not secure per se! There is *not* such a thing you install and -# hence you are safed from all (security) hazards. +# hence you are saved from all (security) hazards. # # To ensure your security, you need also: # @@ -22,7 +22,7 @@ # (internet) You can do this by using software which has been # designed with security in mind (like postfix, vsftpd, ssh), # setting these up without misconfiguration and praying, that -# they have got really no holes. SuSEcompartment can help in +# they have got really no holes. Apparmor can help in # most circumstances to reduce the risk. # * Do not run untrusted software. (philosophical question, can # you trust SuSE or any other software distributor?) 
@@ -47,9 +47,10 @@ # /usr/share/doc/packages/SuSEfirewall2/EXAMPLES or use YaST # # -# If you are a end-user who is NOT connected to two networks (read: you have -# got a single user system and are using a dialup to the internet) you just -# have to configure (all other settings are OK): 2) and maybe 9). +# If you are an end-user who is NOT connected to two networks (read: +# you have got a single user system and are using a dialup to the +# internet) you just have to configure (all other settings are OK): +# 2) and maybe 9). # # If this server is a firewall, which should act like a proxy (no direct # routing between both networks), or you are an end-user connected to the @@ -83,16 +84,13 @@ # # Format: space separated list of interface or configuration names # -# The special keyword "auto" means to use the device of the default -# route. "auto" cannot be mixed with other interface names. -# # The special keyword "any" means that packets arriving on interfaces not # explicitly configured as int, ext or dmz will be considered external. Note: # this setting only works for packets destined for the local machine. If you # want forwarding or masquerading you still have to add the external interfaces # individually. "any" can be mixed with other interface names. # -# Examples: "eth-id-00:e0:4c:9f:61:9a", "ippp0 ippp1", "auto", "any dsl0" +# Examples: "eth-id-00:e0:4c:9f:61:9a", "ippp0 ippp1", "any dsl0" # # Note: alias interfaces (like eth0:1) are ignored # 
@@ -178,16 +176,23 @@ FW_MASQUERADE="no" ## Type: string -## Default: $FW_DEV_EXT +## Default: zone:ext # # 6a.) -# You must also define on which interfaces to masquerade on. Those -# are usually the same as the external interfaces. Most users can -# leave the default. +# You also have to define on which interfaces to masquerade on. +# Those are usually the same as the external interfaces. Most users +# can leave the default. +# +# The special string "zone:" concatenated with the name of a zone +# means to take all interfaces in the specified zone. +# +# Old version of SuSEfirewall2 used a shell variable ($FW_DEV_EXT) +# here. That method is deprecated as it breaks auto detection of +# interfaces. Please use zone:ext instead. # -# Examples: "ippp0", "$FW_DEV_EXT" +# Examples: "ippp0", "zone:ext" # -FW_MASQ_DEV="$FW_DEV_EXT" +FW_MASQ_DEV="zone:ext" ## Type: string ## Default: 0/0 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
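Review bot: In the susebooks.css hunk (`@@ -224,3 +224,10 @@`) the added rule carries trailing backslashes, `div.refnamediv h2, \` / `div.refsynopsisdiv h2, \` / `div.refsect1 h2 { \`, and CSS has no backslash line continuation: the backslashes become part of the selector and declaration text, so browsers will drop the whole `div.refnamediv h2, ... { font-family: ...; font-size: medium; }` block as invalid, while the following `h3.title { ... }` line (written without backslashes) works. Remove the `\` at the end of each of those lines.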
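Review bot: The rewritten test in the SuSEfirewall2 hunk `@@ -709,8 +710,7 @@` is not well-formed: `-o \( ! -e /sys/class/net/"$dev" \ ]; then` opens a group with `\(` that is never closed, and the `\ ` before `]` escapes the space, so `]` is glued into a word ` ]` and `[` reports a missing `]` instead of evaluating the condition. Since only one test remains, drop the grouping altogether: `-o ! -e /sys/class/net/"$dev" ]; then`. While this condition is being touched, note that the context line `local dev=\`getcfg-interface "$1"\`` makes the following `"$?" -ne 0` check the exit status of `local`, not of getcfg-interface; declaring `local dev` on its own line and assigning afterwards makes the check meaningful.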
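Review bot: In `evaluateinterfaces` (hunk `@@ -815,11 +775,19 @@`) the new line `FW_ZONE_DEFAULT="$zone"` uses a variable that the function neither declares nor receives: it only works because the caller `parse_interfaces` happens to have `local zone` in scope and bash scopes `local` dynamically. Pass the zone explicitly (for example `evaluateinterfaces FW_DEV_\`cibiz $zone\` "$zone"` and `local var dev zone; var="$1"; zone="$2"`), otherwise any later caller of `evaluateinterfaces` will silently set an empty default zone.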
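Review bot: In `autodetect_interfaces` (hunk `@@ -827,7 +795,70 @@`) the interface name is sanitized in place, `d=${d//[^A-Za-z0-9]/_}`, and that mangled value is then appended to the zone's device list via `eval FW_DEV_$z="\"\$FW_DEV_$z \$d\""`, so any kernel interface name containing a character outside `[A-Za-z0-9]` (for example a dotted VLAN name, given here only as an illustration) is recorded under a name that `iptables -i` will never match. Keep the raw name for the device list and use the sanitized copy only as the key of `iface_$d` and `seen_$d`. Three smaller points in the same hunk: `set -- \`cd /sys/class/net; echo *\` 2>/dev/null` falls back to globbing the current directory when the `cd` fails, so write `cd /sys/class/net && echo *`; `$z` is read from an ifcfg file and spliced into `eval [ -n "\"\$zone_$z\"" ]` before it is validated, so filter it with the same `${z//[^A-Za-z0-9]/_}` substitution (or match it against `$all_zones` in a `case`) before any `eval`; and the error text in `check_interfaces_unique` misspells "already" as `aleady`.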
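Review bot: In `process_masq_dev` (hunk `@@ -835,19 +866,38 @@`) a `zone:` entry naming a zone that does not exist is handled silently: after `dev=${dev#zone:}` the `eval [ -n "\"\$zone_$dev\"" ]` test fails and control falls through to `dev=\`getdevinfo "$dev"\` || continue`, so a misspelled zone name is treated as an interface name and, when no such interface exists, simply dropped from FW_MASQ_DEV with no message. Add an `else` branch with `error "unknown zone '$dev' in FW_MASQ_DEV"; continue` so a typo in the new `zone:ext` syntax is reported rather than quietly producing a masquerading setup with no interfaces.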
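Review bot: The check `if [ -n "$FW_ZONE_DEFAULT" ]; then` in `fork_to_chains` (hunk `@@ -1151,18 +1198,9 @@`) is always true, because `parse_interfaces` now forces `FW_ZONE_DEFAULT='ext'` when nothing else set it; the `-j "input_$FW_ZONE_DEFAULT"` jump is therefore appended to INPUT on every run, whereas the removed code added the catch-all `-j input_$anyzone` only when some FW_DEV_* contained `any`. That matches the changelog entry "always use default zone for interfaces that are neither listed in FW_DEV_* nor have FW_ZONE set", but it is a behaviour change for existing configurations without `any`, so it should be stated in the sysconfig comments rather than only in the runtime warning "no default firewall zone defined, assuming 'ext'".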
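Review bot: With `create_zones_hash` and its `need bashhash` call removed (hunk `@@ -1082,15 +1140,6 @@`) and `SuSEfirewall2-bashhash` deleted from both the tarball and the spec file list, nothing in this diff shows whether other callers of `hashlookup`, `hashadd`, `hashallkeys` or `need bashhash` remain in the main script or in the other helper scripts; please confirm with a grep over the 3.6 tree before merging, since a leftover `need bashhash` would fail at runtime rather than at parse time.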
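Review bot: In the SuSEfirewall2.sysconfig hunk `@@ -22,7 +22,7 @@` the replacement line `they have got really no holes. Apparmor can help in` should spell the product as "AppArmor".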
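Review bot: The comment kept in the SuSEfirewall2.sysconfig hunk `@@ -83,16 +84,13 @@` is now out of date in three ways: it says packets on unlisted interfaces "will be considered external" only when `any` is given, but `parse_interfaces` now applies a default zone (falling back to `ext`) whether or not `any` appears; `any` placed in FW_DEV_INT or FW_DEV_DMZ makes that zone the default via `FW_ZONE_DEFAULT="$zone"`, not "external"; and the new way of assigning a zone through `FW_ZONE` in an interface's ifcfg file (read by `source_config_for_iface`) is not documented here at all. Rewrite the paragraph around the default-zone concept and mention the ifcfg `FW_ZONE` setting next to it.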
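Review bot: Two wording fixes in the SuSEfirewall2.sysconfig hunk `@@ -178,16 +176,23 @@`: `# You also have to define on which interfaces to masquerade on.` doubles the preposition (either "define on which interfaces to masquerade" or "define which interfaces to masquerade on"), and `# Old version of SuSEfirewall2 used a shell variable ($FW_DEV_EXT)` should read "Older versions of SuSEfirewall2 used". The substance of that note is right: `$FW_DEV_EXT` is expanded when the config file is sourced, before `autodetect_interfaces` appends the ifcfg- and default-zone interfaces, which is exactly why `zone:ext` is needed.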