File SuSEfirewall2.spec of Package SuSEfirewall2
#
# spec file for package SuSEfirewall2 (Version 3.6_SVNr208)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
# icecream 0
Name: SuSEfirewall2
Version: 3.6_SVNr208
Release: 1
License: GPL v2 or later
Group: Productivity/Networking/Security
Provides: personal-firewall SuSEfirewall
Obsoletes: personal-firewall SuSEfirewall
PreReq: %fillup_prereq %insserv_prereq /bin/sed textutils fileutils grep filesystem
Requires: iptables coreutils perl sysconfig
Summary: Stateful Packet Filter Using iptables and netfilter
Source: SuSEfirewall2-%{version}.tar.bz2
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
SuSEfirewall2 implements a packet filter that protects hosts and
routers by limiting which services or networks are accessible on the
host or via the router.
SuSEfirewall2 uses the iptables/netfilter packet filtering
infrastructure to create a flexible rule set for a stateful firewall.
Authors:
--------
Ludwig Nussel <ludwig.nussel@suse.de>
Marc Heuse
%prep
%setup
# please send patches to lnussel for inclusion in svn first
%build
%install
make DESTDIR="%{buildroot}" install
install -d -m 755 %{buildroot}/var/adm/fillup-templates/
install -m 644 SuSEfirewall2.sysconfig %{buildroot}/var/adm/fillup-templates/sysconfig.SuSEfirewall2
install -d -m 755 %{buildroot}%{_datadir}/susehelp/meta/Manuals/Productivity
install -m 644 SuSEfirewall2-doc.desktop \
%{buildroot}%{_datadir}/susehelp/meta/Manuals/Productivity/SuSEfirewall2.desktop
#
%files
%defattr(-, root, root)
%doc LICENCE EXAMPLES FAQ README
%doc *.html *.css
%doc SuSEfirewall2.sysconfig
%doc %{_datadir}/susehelp
%config(noreplace) /etc/sysconfig/scripts/SuSEfirewall2-custom
%config /etc/init.d/SuSEfirewall2_init
%config /etc/init.d/SuSEfirewall2_setup
/etc/sysconfig/SuSEfirewall2.d/services/*
/etc/sysconfig/scripts/SuSEfirewall2-rpcinfo
/etc/sysconfig/scripts/SuSEfirewall2-showlog
/etc/sysconfig/scripts/SuSEfirewall2-open
/etc/sysconfig/scripts/SuSEfirewall2-batch
/etc/sysconfig/scripts/SuSEfirewall2-qdisc
/etc/sysconfig/scripts/SuSEfirewall2-oldbroadcast
/etc/sysconfig/network/scripts/SuSEfirewall2
/etc/sysconfig/network/if-up.d/SuSEfirewall2
/sbin/rcSuSEfirewall2
/sbin/SuSEfirewall2
/var/adm/fillup-templates/sysconfig.SuSEfirewall2
%postun
%insserv_cleanup
%post
# rename old config file
if test -e etc/rc.config.d/firewall2.rc.config -a ! -e etc/sysconfig/SuSEfirewall2; then
sed 's#etc/rc.config.d/firewall2-custom.rc.config#etc/sysconfig/scripts/SuSEfirewall2-custom#' \
< etc/rc.config.d/firewall2.rc.config > etc/sysconfig/SuSEfirewall2
mv etc/rc.config.d/firewall2.rc.config etc/rc.config.d/firewall2.rc.config.rpmsave
fi
# save custom script
if test -e etc/rc.config.d/firewall2-custom.rc.config; then
mv etc/rc.config.d/firewall2-custom.rc.config etc/rc.config.d/firewall2-custom.rc.config.rpmorig
if test -e etc/sysconfig/scripts/SuSEfirewall2-custom; then
mv -f etc/sysconfig/scripts/SuSEfirewall2-custom etc/sysconfig/scripts/SuSEfirewall2-custom.rpmnew
fi
# the old custom script was renamed to .rpmorig above, so read it from there
sed 's#etc/rc.config.d/firewall2-custom.rc.config#etc/sysconfig/scripts/SuSEfirewall2-custom#' \
< etc/rc.config.d/firewall2-custom.rc.config.rpmorig > etc/sysconfig/scripts/SuSEfirewall2-custom
fi
dropvar=
# really old
dropvar="$dropvar FW_SERVICE_AUTODETECT FW_SERVICE_DNS FW_SERVICE_DHCLIENT"
dropvar="$dropvar FW_SERVICE_DHCPD FW_SERVICE_SQUID FW_SERVICE_SAMBA"
# obsolete after 9.1
dropvar="$dropvar FW_IPSEC_MARK"
# obsolete after 9.2
dropvar="$dropvar FW_ALLOW_FW_TRACEROUTE"
dropvar="$dropvar FW_AUTOPROTECT_SERVICES FW_ANTISPOOF FW_PROTECT_FROM_INTERNAL"
dropvar="$dropvar FW_QUICKMODE FW_SERVICES_QUICK_TCP FW_SERVICES_QUICK_UDP FW_SERVICES_QUICK_IP"
#
# drop FW_LOG if it still carries the <= 9.0 default "--log-prefix SuSE-FW"
# (that prefix is too long), so the current default from the fillup template applies;
# the config is sourced in a subshell so its variables do not leak into this script
if [ -e etc/sysconfig/SuSEfirewall2 ] && \
(reset_fw_log=0; . etc/sysconfig/SuSEfirewall2 && \
set -- $FW_LOG && \
while [ "$#" != 0 ]; do
[ "$1" = "--log-prefix" -a "$2" = "SuSE-FW" ] && reset_fw_log=1; shift;
done
test "$reset_fw_log" != 0); then
dropvar="$dropvar FW_LOG"
fi
%{remove_and_set -n SuSEfirewall2 $dropvar}
# now merge new sysconfig files
%{fillup_and_insserv SuSEfirewall2_init SuSEfirewall2_setup}
# SuSEfirewall2_init is no longer a boot.d script, need to remove
# and add it again
for i in etc/init.d/boot.d/S??SuSEfirewall2_init; do
if [ -e "$i" ]; then
/sbin/insserv -r -f SuSEfirewall2_init
/sbin/insserv -f SuSEfirewall2_init
break
fi
done
# convert FW_PROTECT_FROM_INTERNAL
if [ -e etc/sysconfig/SuSEfirewall2 \
-a -n "$FW_PROTECT_FROM_INTERNAL" -a "$FW_PROTECT_FROM_INTERNAL" != "no" ]; then
sed 's/^FW_PROTECT_FROM_INT=.*/FW_PROTECT_FROM_INT="yes"/' \
< etc/sysconfig/SuSEfirewall2 \
> etc/sysconfig/SuSEfirewall2.new \
&& mv etc/sysconfig/SuSEfirewall2.new etc/sysconfig/SuSEfirewall2
fi
# convert old broadcast variables from <= 9.2 if needed
if [ -e etc/sysconfig/SuSEfirewall2 -a -e etc/sysconfig/scripts/SuSEfirewall2-oldbroadcast ]; then
(
. etc/sysconfig/SuSEfirewall2
have_old_allow=
have_old_ignore=
if [ -n "$FW_ALLOW_FW_BROADCAST" -a "$FW_ALLOW_FW_BROADCAST" != "int" ]; then
have_old_allow=1
fi
if [ -n "$FW_IGNORE_FW_BROADCAST" -a "$FW_IGNORE_FW_BROADCAST" != "no" ]; then
have_old_ignore=1
fi
if [ -n "$have_old_allow" -o -n "$have_old_ignore" ]; then
# silence warning() calls from the helper; use a function rather than an alias,
# as aliases are not expanded in non-interactive bash scripts
warning() { :; }
. etc/sysconfig/scripts/SuSEfirewall2-oldbroadcast
convert_old_broadcast
fi
# note: the converted values are spliced into the sed expression unescaped;
# a value containing '/', '&' or '\' would break the substitution
sedpattern=
if [ -n "$have_old_allow" ]; then
sedpattern="s/^FW_ALLOW_FW_BROADCAST_INT=.*/FW_ALLOW_FW_BROADCAST_INT=\"$FW_ALLOW_FW_BROADCAST_INT\"/"
sedpattern="$sedpattern;s/^FW_ALLOW_FW_BROADCAST_EXT=.*/FW_ALLOW_FW_BROADCAST_EXT=\"$FW_ALLOW_FW_BROADCAST_EXT\"/"
sedpattern="$sedpattern;s/^FW_ALLOW_FW_BROADCAST_DMZ=.*/FW_ALLOW_FW_BROADCAST_DMZ=\"$FW_ALLOW_FW_BROADCAST_DMZ\"/"
fi
if [ -n "$have_old_ignore" ]; then
sedpattern="$sedpattern;s/^FW_IGNORE_FW_BROADCAST_INT=.*/FW_IGNORE_FW_BROADCAST_INT=\"$FW_IGNORE_FW_BROADCAST_INT\"/"
sedpattern="$sedpattern;s/^FW_IGNORE_FW_BROADCAST_EXT=.*/FW_IGNORE_FW_BROADCAST_EXT=\"$FW_IGNORE_FW_BROADCAST_EXT\"/"
sedpattern="$sedpattern;s/^FW_IGNORE_FW_BROADCAST_DMZ=.*/FW_IGNORE_FW_BROADCAST_DMZ=\"$FW_IGNORE_FW_BROADCAST_DMZ\"/"
fi
if [ -n "$sedpattern" ]; then
sed "$sedpattern" < etc/sysconfig/SuSEfirewall2 \
> etc/sysconfig/SuSEfirewall2.new \
&& mv etc/sysconfig/SuSEfirewall2.new etc/sysconfig/SuSEfirewall2 \
&& echo "old broadcast variables converted"
fi
%{remove_and_set -n SuSEfirewall2 FW_IGNORE_FW_BROADCAST FW_ALLOW_FW_BROADCAST}
)
fi
if [ -e etc/sysconfig/SuSEfirewall2 ] \
&& grep -q '^FW_MASQ_DEV="\$FW_DEV_EXT"$' etc/sysconfig/SuSEfirewall2; then
sed 's/^FW_MASQ_DEV="\$FW_DEV_EXT"$/FW_MASQ_DEV="zone:ext"/' \
< etc/sysconfig/SuSEfirewall2 \
> etc/sysconfig/SuSEfirewall2.new \
&& mv etc/sysconfig/SuSEfirewall2.new etc/sysconfig/SuSEfirewall2 \
&& echo "FW_MASQ_DEV converted"
fi
exit 0
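The two idioms the %post script above depends on, sourcing the sysconfig file in a subshell to inspect one variable (the FW_LOG check) and rewriting a variable with sed through a temporary file (the FW_MASQ_DEV and broadcast conversions), as an added, stand-alone example that is not code from the SuSEfirewall2 package. It goes one step beyond %post in that the rewrite helper escapes the value before splicing it into the sed replacement, which the inline broadcast patterns do not. The function names (fw_log_needs_reset, set_sysconfig_var, write_sample, migrate_sample) and the sample file contents are assumptions made for this example; it assumes GNU sed and a coreutils mktemp.

```shell
#!/bin/sh
# Added example, not code from the SuSEfirewall2 package: the two idioms the
# %post script relies on (sourcing the sysconfig file in a subshell to inspect
# one variable, and rewriting a variable with sed through a temporary file) as
# stand-alone functions, run against a constructed sysconfig file.
# All function names and the sample contents are assumptions for this example.

# Exit 0 when FW_LOG in FILE still carries the old "--log-prefix SuSE-FW"
# option, the condition under which %post adds FW_LOG to $dropvar.
# Sourcing executes FILE as shell, exactly as %post does, so only a
# root-owned sysconfig file should ever be passed here; the subshell keeps
# its variables from leaking into the caller.
fw_log_needs_reset() {
    [ -e "$1" ] || return 1
    (
        reset_fw_log=0
        . "$1" || exit 1
        set -- $FW_LOG
        while [ "$#" != 0 ]; do
            [ "x$1" = "x--log-prefix" ] && [ "x$2" = "xSuSE-FW" ] && reset_fw_log=1
            shift
        done
        [ "$reset_fw_log" != 0 ]
    )
}

# Replace the value of VAR (a sysconfig name, [A-Z0-9_] only) in FILE with
# VALUE (no newlines). FILE.new is written first and renamed over FILE, so a
# failing sed never leaves a truncated config behind. Unlike the inline
# patterns in %post, VALUE is escaped for the sed replacement: '\' first,
# then '/' and '&', so they are written literally instead of breaking or
# rewriting the expression. Exit 1 when FILE has no VAR= line, so nothing
# is silently appended.
set_sysconfig_var() {
    file=$1 var=$2 value=$3
    grep -q "^$var=" "$file" || return 1
    esc=$(printf '%s' "$value" | sed -e 's/\\/\\\\/g' -e 's/\//\\\//g' -e 's/&/\\\&/g')
    sed "s/^$var=.*/$var=\"$esc\"/" < "$file" > "$file.new" && mv "$file.new" "$file"
}

# Constructed sample in sysconfig syntax, standing in for an
# /etc/sysconfig/SuSEfirewall2 written by an older release.
write_sample() {
    cat > "$1" <<'EOF'
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_ALLOW_FW_BROADCAST_INT=""
FW_LOG="--log-prefix SuSE-FW --log-tcp-options"
EOF
}

# Run the same conversions %post performs on the sample and print the result.
migrate_sample() {
    f=$1
    write_sample "$f"
    if fw_log_needs_reset "$f"; then
        echo "FW_LOG still uses the old SuSE-FW prefix, would be reset to the default"
    fi
    # FW_MASQ_DEV="$FW_DEV_EXT" does not work with zones set via ifcfg files
    if grep -q '^FW_MASQ_DEV="\$FW_DEV_EXT"$' "$f"; then
        set_sysconfig_var "$f" FW_MASQ_DEV "zone:ext" && echo "FW_MASQ_DEV converted"
    fi
    # a value with sed metacharacters is stored verbatim
    set_sysconfig_var "$f" FW_ALLOW_FW_BROADCAST_INT "eth0/24 & 10.0.0.0/8"
    cat "$f"
}

tmp=$(mktemp)
migrate_sample "$tmp"
rm -f "$tmp"
```

Run it as `sh example.sh`; it prints the two conversion messages and the migrated sample. The escaping in set_sysconfig_var is only needed because the value comes from a file that could contain arbitrary text; for the fixed literals %post writes (`"yes"`, `"zone:ext"`) the plain sed pattern is sufficient.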
%clean
rm -rf %{buildroot}
%changelog
* Thu Nov 06 2008 lnussel@suse.de
- check whether IPv6 support is available when stopping the firewall
(bnc#442118)
- point to correct path for service files (bnc#425187)
* Wed Oct 15 2008 lnussel@suse.de
- check status of SuSEfirewall2 without triggering module load (bnc#435653)
- add missing iptables-batch commitpoint for IPv4
* Tue Sep 30 2008 lnussel@suse.de
- don't modify the ip local port range
- allow negated rules via ! in FW_FORWARD_MASQ (bnc#413046)
- explain some common pitfalls around FW_SERVICES_ACCEPT_EXT
- SuSEfirewall2_init: don't fail if /usr is not available (bnc#429899)
* Tue Sep 02 2008 lnussel@suse.de
- fix "recent" match (bnc#421806)
* Mon Aug 25 2008 ro@suse.de
- remove outdated start variables from fillup_and_insserv call
* Thu Jul 31 2008 werner@suse.de
- Make boot script know about new upcoming startpar and insserv
* Tue Jul 22 2008 lnussel@suse.de
- add NOTRACK/raw table support (fate#978788)
* Mon Jul 14 2008 lnussel@suse.de
- use correct rules to accept RELATED icmpv6 packets (bnc#396667)
* Mon Jun 30 2008 lnussel@suse.de
- allow empty protocol in FW_SERVICES_ACCEPT_RELATED,
FW_SERVICES_REJECT, FW_SERVICES_DROP, FW_SERVICES_ACCEPT (bnc#376758)
* Tue Apr 22 2008 lnussel@suse.de
- accept icmp RELATED packets (bnc#382004)
* Thu Apr 17 2008 lnussel@suse.de
- sysconfig file documentation improvements
* Fri Apr 04 2008 lnussel@suse.de
- remove X-UnitedLinux tags from init scripts
- update links in docu
- auto detect bridge interfaces and permit traffic
* Fri Mar 28 2008 lnussel@suse.de
- fix typo in comment (bnc#350651)
- don't check for /proc/net/stat/nf_conntrack when checking for ipv6 support
- allow to ignore certain broadcasts even if broadcasts in general
are allowed which is the expected behavior
- change handling of RELATED packets and make that configurable
(fate#300970)
* Wed Nov 28 2007 lnussel@suse.de
- don't reject port 113 by default anymore (#344337)
* Tue Aug 07 2007 lnussel@suse.de
- use hwdesc2iface to convert old eth-id-* and eth-bus-* interface
specifications to actual interface names.
* Mon Aug 06 2007 lnussel@suse.de
- don't try to load ip6tables modules if ipv6 is disabled (#297621)
* Fri Jul 06 2007 lnussel@suse.de
- New configuration options: FW_NOMASQ_NETS, FW_FORWARD_REJECT,
FW_FORWARD_DROP
* Thu Jun 21 2007 lnussel@suse.de
- manually move SuSEfirewall2_init from boot.d to runlevel directory
(#285872)
* Mon Jun 18 2007 lnussel@suse.de
- start SuSEfirewall2_init as normal init script rather than during
boot.d
* Wed Jun 13 2007 lnussel@suse.de
- move removing the boot lock file from init script to
/sbin/SuSEfirewall2
- add separate bootlock and bootunlock actions
- use if-up script instead of NetworkManager specific script
* Fri Mar 23 2007 lnussel@suse.de
- enhance FW_ALLOW_CLASS_ROUTING to allow routing in specific zones only
- prevent unintended inter-class routing when masquerading is enabled on
multiple interfaces in the same zone
- disable extra rules for established/related icmp packets as those
are useless
- accept icmpv6 in the OUTPUT chain to avoid excessive errors in log
- add IPv6 support for FW_ALLOW_CLASS_ROUTING and FW_FORWARD
* Thu Mar 08 2007 lnussel@suse.de
- remove checks for binaries that are not required anymore anyway
- fix package dependencies
* Thu Mar 01 2007 lnussel@suse.de
- use /etc/sysconfig/SuSEfirewall2.d/services (#247352)
* Thu Feb 22 2007 sbrabec@suse.cz
- Removed directory ownership of /usr/share/SuSEfirewall2*
(#247435).
* Tue Feb 13 2007 lnussel@suse.de
- fix FW_DEV_* not working (#244917)
* Mon Feb 12 2007 lnussel@suse.de
- use /sys/class/net instead of /proc/sys/net/ipv[46]/conf/ to
determine whether an interface exists. Side effect: interfaces
without ip also get filtering rules
- read FW_ZONE variable from ifcfg files for interfaces that are not
listed in FW_DEV_*
- always use default zone for interfaces that are neither listed in
FW_DEV_* nor have FW_ZONE set
- FW_DEV_*="any" sets default zone
- FW_MASQ_DEV="$FW_DEV_EXT" does not work with ifcfg method of
specifying a zone. Use FW_MASQ_DEV="zone:ext" instead.
- remove old interface autodetection code
- add a name tag to meta info of service template
- fix some typos found by Eric Auer
- set version to 3.6
* Wed Nov 15 2006 lnussel@suse.de
- only log errors in the output chain if logging is actually enabled
(#219108)
* Wed Sep 20 2006 lnussel@suse.de
- honor zone specific FW_REJECT_* variables and reject instead of
dropping packets from the internal zone by default (#147263)
- fix wrong default value in sysconfig metadata for
FW_SERVICES_ACCEPT_EXT
* Sun Aug 13 2006 ro@suse.de
- remove update-messages
* Wed Jul 19 2006 lnussel@suse.de
- add support for ipt_recent (#104602)
* Mon Jul 17 2006 lnussel@suse.de
- add support for service configuration files in
/usr/share/SuSEfirewall2/services via FW_CONFIGURATIONS_* (fate #300687)
- support alternative logging targets (#180078)
- start version 3.5
* Tue Jun 06 2006 lnussel@suse.de
- install rule for interface 'any' last in order to make it work
with additional zones like DMZ (#181308)
* Mon May 22 2006 lnussel@suse.de
- fix FW_FORWARD not working with ipsec flag (#170530)
* Thu Mar 30 2006 lnussel@suse.de
- don't change igmp_max_memberships, correct docu for
FW_KERNEL_SECURITY (#162086)
* Tue Mar 28 2006 lnussel@suse.de
- introduce FW_FORWARD_ALWAYS_INOUT_DEV for use with XEN (#154133)
* Mon Mar 06 2006 lnussel@suse.de
- log and drop multicast packets separately in order to prevent
flooding other log targets (#155326)
* Thu Mar 02 2006 lnussel@suse.de
- don't try to use v6 state matching if /proc/net/stat/nf_conntrack
doesn't exist as it won't work without (#151776)
- reject v6 packets by default to avoid timeouts (#145758)
* Mon Feb 20 2006 lnussel@suse.de
- allow FW_FORWARD_MASQ without FW_MASQ_NETS (#151795)
* Fri Feb 03 2006 lnussel@suse.de
- add dispatcher script for NetworkManager (#147671)
* Wed Feb 01 2006 lnussel@suse.de
- also check for xt_state to finally get IPv6 state matching again
(#145758)
* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Tue Jan 10 2006 lnussel@suse.de
- don't change setting for ECN and TCP syncookies as those are
already configurable via /etc/sysconfig/sysctl
* Tue Jan 03 2006 lnussel@suse.de
- fix initscript status reporting (#124869)
* Mon Aug 01 2005 lnussel@suse.de
- fall back to normal iptables if iptables-batch fails
- always add ip6tables drop rule in case REJECT doesn't work for some
reason
* Mon Aug 01 2005 lnussel@suse.de
- don't load ftp conntrack modules by default
* Wed Jul 20 2005 lnussel@suse.de
- discard errors from rpcinfo as some people don't have it running
all the time
- don't print warning if ipv6 support is disabled
- mark FW_ALLOW_INCOMING_HIGHPORTS_* as deprecated
- permit empty port in FW_TRUSTED_NETS
- fix FW_ALLOW_INCOMING_HIGHPORTS_UDP
* Mon May 09 2005 lnussel@suse.de
- fix check for iptables-batch
* Fri Apr 22 2005 lnussel@suse.de
- use iptables-batch by default if available
- use full path to getopt and logger (#76703)
- fix FW_ALLOW_CLASS_ROUTING (#75319)
- start version 3.4
* Wed Mar 16 2005 lnussel@suse.de
- include all sysctl in FW_KERNEL_SECURITY (#61429)
- allow basic IPv6 tcp and icmp despite missing conntrack (#72865)
* Mon Mar 14 2005 lnussel@suse.de
- fix rejecting of IPv6 packets if state matching is not available (#72414)
- fix "any" interface (#72428)
- fix docu stylesheet to make programlistings have a grey background again
* Fri Mar 11 2005 lnussel@suse.de
- install desktop file to integrate docu in susehelp
* Tue Mar 01 2005 lnussel@suse.de
- support forwarding of decrypted IPsec packets independent of
FW_IPSEC_TRUST (#66664)
* Mon Feb 21 2005 lnussel@suse.de
- reorder rule creation to keep window where packets are dropped small
- fix missing space at some log messages
* Fri Feb 18 2005 lnussel@suse.de
- add port to FW_FORWARD reply packet match rule
* Thu Feb 17 2005 lnussel@suse.de
- cleanup and enhance docu
* Thu Feb 03 2005 lnussel@suse.de
- disable workaround for #46818
- use proof-read text for broadcast update message
* Tue Feb 01 2005 lnussel@suse.de
- parse zones before interface evaluation
- convert broadcast variables to new syntax
- add update message for broadcast variable conversion
- remove more obsolete variables from config file
* Fri Jan 28 2005 lnussel@suse.de
- fix init script requires tag (#50231)
* Wed Jan 26 2005 lnussel@suse.de
- add note about inconsistent iptables behavior (#49739)
- allow protocols without port in FW_DROP*
- make warnings about deprecated variables more specific
- allow to define additional zones through FW_ZONES
- remove FW_ALLOW_FW_TRACEROUTE from config file
* Tue Jan 11 2005 lnussel@suse.de
- implement FW_SERVICES_ACCEPT_*
- allow source port in FW_SERVICES_{REJECT,DROP}
- recognise special protocol _rpc_ in FW_SERVICES_{ACCEPT,REJECT,DROP}_*
- do not load ipv6 modules if FW_IPv6=no (#47545)
- add -q (quiet) option, used during boot
- don't warn if FW_MASQ_NETS is set to default 0/0
- create boot lock file in SuSEfirewall2_init to prevent useless
firewall starts in rcnetwork (#49068)
- use only SuSEfirewall2_init and ..._setup during boot
- run SuSEfirewall2_init before entering runlevel already
* Wed Dec 08 2004 lnussel@suse.de
- move qdisc settings into separate file
- do not call "ip" anymore as ip addresses are not used anyway
- drop tos settings
- reduce log messages for dropped icmp packets
* Tue Dec 07 2004 lnussel@suse.de
- do not rely on int, ext, dmz anymore
- PROTECT_FROM_INTERNAL -> PROTECT_FROM_$zone
- fix replies to forwarded packets (#48793)
- split broadcast stuff into separate zone specific variables
- only create rules for zones that are actually needed => less
rules, less forks, more speed.
- remove traces of personal-firewall
* Thu Dec 02 2004 lnussel@suse.de
- remove icmp output rules
- first steps toward configurable zones
- match redirected packets with fwmark so the port does not need to
be opened (Carl-Daniel)
- drop auto protect and anti spoof stuff
* Wed Dec 01 2004 lnussel@suse.de
- more cleanup
- add temporary workaround for #46818
- set version to 3.3
* Tue Sep 28 2004 schwab@suse.de
- Fix typo in last change.
* Tue Sep 28 2004 lnussel@suse.de
- finally allow ESTABLISHED,RELATED tcp and udp always to fix
problems with DHCP (#46237)
* Mon Sep 27 2004 lnussel@suse.de
- some typo fixes from Volker Kuhlmann
- add feature FW_DEV_EXT=any to prevent common pitfall of packets on
unconfigured interfaces being dropped (#46164, #46168)
* Wed Sep 22 2004 lnussel@suse.de
- fix opening of ports in zones other than external (#45776)
* Mon Sep 20 2004 lnussel@suse.de
- better detection if state matching is supported
- really don't use REJECT if ip6tables has no reject target
- fix debug mode
- fix output log message
* Tue Sep 14 2004 lnussel@suse.de
- do not set ip_conntrack_max (#44846)
* Tue Sep 14 2004 lnussel@suse.de
- add 'open' parameter to have SuSEfirewall open the specified services
* Fri Sep 03 2004 lnussel@suse.de
- do not run ip6tables if network in FW_SERVICES_{REJECT,DROP}_*
looks like an IPv4 address and vice versa.
- add "on" and "off" commandline parameters to quickly add and
remove the initscripts together with starting and stopping the
firewall.
* Mon Aug 30 2004 lnussel@suse.de
- set FW_MASQ_DEV to zero if personal-firewall is enabled without
masquerading (#44076)
* Mon Aug 30 2004 lnussel@suse.de
- support individual services in FW_ALLOW_FW_BROADCAST (#44393)
- always also open portmapper port if any rpc services are to be opened
- fix $AWK not set in quickmode
* Thu Aug 26 2004 lnussel@suse.de
- allow related connections even in 'close' mode to allow DNS replies during
boot (#44202, #44268)
- add net parameter to FW_SERVICES_DROP_* and FW_SERVICES_REJECT_*
- set default log limit to 3/minute
- remove accidentally slipped in default drop of ssh
- fix typo: "will used" -> "will be used"
* Mon Aug 23 2004 lnussel@suse.de
- initial stateful IPv6 support
- rephrase more comments in sysconfig file
- use new update message mechanism (#44041)
- new parameter 'log' to display firewall related log messages
- don't install perl helper scripts with executable bits set to not
depend on perl
* Thu Aug 12 2004 lnussel@suse.de
- use perl helper script to determine ports of RPC services.
Services that did not open their port as root are ignored.
* Fri Aug 06 2004 lnussel@suse.de
- major cleanup
- use ipsec policy match to match ipsec packets
- use pkttype to match broadcast packets
- new variables: FW_LOG_LIMIT, FW_SERVICES_DROP_EXT, FW_SERVICES_REJECT_EXT
- obsolete: FW_SERVICE_DHCLIENT, FW_SERVICE_DHCPD, FW_SERVICE_SAMBA
- switch autoprotect and protect from internal off by default
* Wed May 26 2004 lnussel@suse.de
- drop special support for named and squid, the stateful rules should suffice
- fix icmp usage in FW_MASQ_NETS (patch by Carl-Daniel Hailfinger)
- don't send mail about changed FW_LOG if FW_LOG was empty
- remove comment about kernel 2.4 (#40127)
- consider kernel 2.7 as supported
* Wed May 05 2004 lnussel@suse.de
- make masquerading work when external interface is set to "auto" (#39914)
* Wed Mar 31 2004 lnussel@suse.de
- use getcfg-interface to support config names in FW_DEV_EXT, FW_DEV_INT, FW_DEV_DMZ,
FW_MASQ_DEV and FW_HTB_TUNE_DEV (#37643).
* Tue Mar 16 2004 lnussel@suse.de
- replace FW_LOG in sysconfig file with default value and send a notify mail to
root (#36066)
- getconfig-interface was renamed to getcfg-interface, so call that one in
SuSEfirewall2-autointerface.sh (#36067)
* Thu Feb 26 2004 lnussel@suse.de
- determine dynamic portnumbers for RPC services to be able to run e.g. an nfs
server in a firewalled zone (SuSEfirewall2-3.1-rpcserver.diff, #32033)
* Mon Feb 16 2004 lnussel@suse.de
- allow IPsec packets to be trusted (SuSEfirewall2-ipsec.diff)
* Mon Feb 16 2004 lnussel@suse.de
- allow to change IPv6 policy independent of IPv4
(SuSEfirewall2-3.1-close-ipv6.diff).
- change handling of broadcasts. Allow them on internal interfaces
per default (SuSEfirewall2-noantispoof.diff).
- rely on rp_filter instead of generating anti-spoofing rules
(SuSEfirewall2-noantispoof.diff).
- optional automatic detection of external and internal interface
(SuSEfirewall2-auto.diff).
- use stateful filtering to allow related incoming tcp and udp
packets on any port (SuSEfirewall2-highports.diff).
- update SuSEfirewall2-3.1-newlog.diff: don't add logging options in
sysconfig file but instead use default if empty.
* Fri Feb 06 2004 lnussel@suse.de
- clean up spec file
- get rid of compatibility stuff for <= 8.0
- build as user
- merge some patches
- install files with less paranoid permissions
* Mon Jan 12 2004 ug@suse.de
- static quantum added in the HTB patch to avoid a
warning about a too small quantum calculated automatically
- deleting qdisc before creating new one to avoid
warning on second start with no stop in-between
* Fri Oct 24 2003 garloff@suse.de
- Use logging prefixes with more information.
* Fri Oct 24 2003 garloff@suse.de
- Don't use REJECT target for IPv6.
* Fri Oct 24 2003 garloff@suse.de
- #32032: When closing down IPv6, we do a bit too much. As local
host resolves to ::1, we should allow traffic on lo to not break
mozilla.
- #30789: Disable warning about not running named. named does only
need port 53 in many configs and then the warning is bogus.
* Sat Sep 20 2003 garloff@suse.de
- #27661: Close down IPv6 traffic as we can not yet filter it.
- Patch to detect conflicts in antispoofing rules between ipsec
interfaces in internal networks and external interfaces.
- Fix one bug with logging logic.
- Start SuSEfirewall2_setup after named. (#30789)
* Sat Sep 20 2003 garloff@suse.de
- #27316: Fix determination of external interface in Personal-
Firewall Mode.
* Tue Sep 02 2003 mmj@suse.de
- Add sysconfig metadata [#28808]
* Thu Jul 31 2003 kukuk@suse.de
- serial was renamed to setserial [Bug #28353]
* Mon Mar 24 2003 garloff@suse.de
- Dec 30 change was too restrictive. Instead fix log messages.
[bug #25453]
* Tue Mar 11 2003 garloff@suse.de
- Fix for optional rate limiting (HTB) feature: In full mode, the
qdisc_settings need to be redone after the last TOS settings.
Contributed by Uwe Gansert.
* Mon Mar 10 2003 garloff@suse.de
- Return 6 if no interface is specified. [bug #24438]
* Fri Feb 21 2003 garloff@suse.de
- Put metadata also in personal-firewall sysconfig.
* Fri Feb 21 2003 garloff@suse.de
- Change sysconfig metadata path to Network/Firewall/SuSEfirewall2
[bug #23878]
- Integrate optional support for limiting the rate of outgoing
packets. Contributed by Uwe Gansert.
* Thu Feb 06 2003 garloff@suse.de
- Add Obsoletes & Provides: SuSEfirewall [#19561]
* Thu Jan 23 2003 garloff@suse.de
- Add sysconfig metainfo. [#22586]
* Tue Jan 21 2003 garloff@suse.de
- Path in comment in sysconfig file to custom rules was wrong.
[bug #21651]
- Sort SuSEfirewall2_final to the end.
* Mon Dec 30 2002 garloff@suse.de
- Fix reversed logic in evaluation on ALLOW_INCOMING_HIGHPORTS_TCP.
Thanks to Gernot Hillier for analyzing and reporting.
* Wed Oct 30 2002 garloff@suse.de
- Fix masquerading in quick mode/pfw compat mode.
- custom_before_port_handling back to old name (for compatibility),
new custom_after_antospoofing() function instead.
* Mon Oct 21 2002 draht@suse.de
- SuSEfirewall2-3.1.personal-firewall-compat.diff changed to remove
error in testing for interfaces in REJECT_ALL_INCOMING_CONNECTIONS
* Tue Oct 15 2002 garloff@suse.de
- When using FW_SERVICES_QUICK, the log messages could log packets
which in the end are not dropped.
- Try to handle exotic protocols (Appletalk), #20414.
- Move custom_before_port_handling before we split the rulechains
into input_XXX and forward_XXX and introduce custom_after_port_handling
at old position.
* Sun Oct 06 2002 garloff@suse.de
- Consolidate patches:
* Integrate fixes for FW_SERVICES_QUICK in it
* Integrate fixes for service_noext in it
* DEV_IP parsing is obsolete because of fix-parse-bcast
- Restrict DHCP by specifying interface in INPUT chain rather than
putting rules in input_XXX chains: Broadcasts did not get there.
- Fix spec file for SL 8.0.
* Thu Oct 03 2002 garloff@suse.de
- Create input/forward rulechains before inserting special services
on them. Mea maxima culpa.
Fixes bug #20093.
- Shorten too long log prefix.
* Thu Oct 03 2002 garloff@suse.de
- Explicitly require #!/bin/bash.
* Wed Oct 02 2002 garloff@suse.de
- Fix iptables usage error for FW_SERVICE_QUICK_XXX.
* Wed Oct 02 2002 garloff@suse.de
- Fix more parsing issues: Use read instead of awk (much faster)
and handle interfaces without broadcast address. [Bug #20414]
* Wed Oct 02 2002 garloff@suse.de
- Fix split of address/netmasks for masqueraded nets. [Bug #20093]
* Sun Sep 15 2002 draht@suse.de
- added missing -j option to iptables. Fix in
SuSEfirewall2-3.1.correct-reject.diff
* Wed Sep 11 2002 draht@suse.de
- bug in interface address parsing from ifconfig output (#19384)
* Sun Sep 08 2002 kukuk@suse.de
- Add "Provides: personal-firewall" [Bug #19097]
* Thu Sep 05 2002 garloff@suse.de
- Fix syntax error in pers-fw part.
* Thu Sep 05 2002 garloff@suse.de
- Merge personal-firewall compatibility fixes from draht.
* Thu Sep 05 2002 garloff@suse.de
- Allow DHClient in all networks even for "yes".
* Thu Sep 05 2002 garloff@suse.de
- Fix bug #18336:
* The switches FW_SERVICE_DNS, FW_SERVICE_DHCLIENT, FW_SERVICE_DHCPD,
FW_SERVICE_SQUID and FW_SERVICE_SAMBA, as well as the
magical FW_SERVICE_AUTODETECT have four possible values now.
* no: not open (unchanged)
* yes: open to internal networks (formerly: to all)
* dmz: open to internal and DMZ networks (new)
* ext: open to everywhere (new, corresponds to old yes)
* Thu Sep 05 2002 garloff@suse.de
- Fix rcSuSEfirewall2 status report (it probes for reject_func
rulechain now).
- Add optional FW_SERVICES_QUICK_ to make QUICK mode useful for
many more people. Defaults to empty of course.
* Thu Sep 05 2002 garloff@suse.de
- Unify spec file for older version of SL using %%if %%suse_version.
* Wed Sep 04 2002 garloff@suse.de
- Added Obsoletes: personal-firewall (#18691)
- Update to 3.1:
* Contains some of the previously applied fixes
* Speedup by avoiding forks
* Bugfix for accepting related and established connections
* FW_FORWARD_MASQ bug: Demasquerading was too global and was
overriding other rules for the same port.
* Mon Aug 19 2002 garloff@suse.de
- Add filesystem PreReq: (#17776)
* Wed Aug 14 2002 garloff@suse.de
- Reenable no-rmmod patch: Current kernels still can hang on rmmod
of ipt modules.
- Remove some Should-Start comments from SuSEfirewall2_init, so it
can be started earlier.
* Mon Aug 12 2002 garloff@suse.de
- Don't refuse to run on 2.5 or 2.6 kernels.
* Mon Aug 12 2002 garloff@suse.de
- Update to SuSEfirewall2-3.0:
* FW_QUICKMODE, only needing FW_DEV_EXT and FW_MASQ_DEV
to be configured, replacing SuSE's personal-firewall.
* FW_REJECT option: Instead of dropping packets, we reject them.
* FW_FORWARD fix for icmp types
* Target IP address for FW_FORWARD_MASQ
* Skip _final run if not needed (only needed if autoprotecting
features are present)
* Docu fixes
- Revert FW_STOP_KEEP_ROUTING_STATE="yes" default (2002-07-12)
due to security concerns.
* Sun Aug 11 2002 garloff@suse.de
- Don't add /var/log/firewall to syslog file automatically any more
as it might cause problems at installation time. (#17421)
* Sat Aug 03 2002 kukuk@suse.de
- Add PreRequires.
* Fri Jul 12 2002 garloff@suse.de
- Set FW_STOP_KEEP_ROUTING_STATE="yes" by default. (bug #11785)
* Thu Jul 11 2002 garloff@suse.de
- Make SQUID_PORT and DNS_PORT greps on lsof output handle the
situation when named/squid are bound to an IP address (#16350)
* Thu Jul 11 2002 garloff@suse.de
- Adapt to new init info comments (X-UnitedLinux-Should-Start)
- Provide Short-Description
- Remove Dep-Only flag (bug #15650)
* Fri Mar 08 2002 garloff@suse.de
- Some people don't like colons. (bug #14700)
Remove them from initscripts. Compensation here ::::::
* Thu Mar 07 2002 draht@suse.de,lnussel@suse.de
- cosmetic fixes in fillup template
(SuSEfirewall2-2.1.cosmetics-in-fillup.diff)
functionality enhancements to cooperate with the y2 frontend,
reflected in the changed
SuSEfirewall2-2.1.syntax-for-y2-config.diff
* Mon Mar 04 2002 draht@suse.de
- fixes for SuSEfirewall2 to cooperate with the y2 frontend.
SuSEfirewall2-2.1.syntax-for-y2-config.diff
* Fri Mar 01 2002 pthomas@suse.de
- Fix notification mail.
* Fri Jan 18 2002 garloff@suse.de
- UNALLOWED -> UNAUTHORIZED (bug #12859)
* Mon Jan 14 2002 garloff@suse.de
- Use LC_ALL to unset language specific support.
- Remove /etc/sysconfig/SuSEfirewall2 from %%file list.
* Fri Jan 11 2002 garloff@suse.de
- Moved SuSEfirewall2 config files away from network to
/etc/sysconfig resp. /etc/sysconfig/scripts/
- More docu fixes
- Init script fixes for new sysconfig (incl. dep. info)
* Fri Jan 11 2002 garloff@suse.de
- Update to new runlevel and configuration scheme:
* config files are /etc/sysconfig/network/SuSEfirewall2 and
/etc/sysconfig/network/scripts/SuSEfirewall2-custom now
* Startup behaviour is controlled by the existence of rc?.d
symlinks.
* Old config files should be saved and moved
* Fri Jan 11 2002 garloff@suse.de
- Update to SuSEfirewall-2.1:
* Improved logging
* FW_*_ALLOW_HIGH_PORT: related connections always allowed now,
therefore INCOMING_HIGHPORTS_TCP="no" by default now.
* '!' support for FW_REDIRECT
* Wed Nov 28 2001 garloff@suse.de
- Update to SuSEfirewall2-2.0:
* Typo which created probs for ADSL users fixed.
- Update to SuSEfirewall2-1.8:
* Private network detection for FW_MASQ_NETS fixed
* Better log output
* Thu Sep 20 2001 draht@suse.de
- rmmod of ip_tables modules can cause rmmod (and the system
startup) to hang. Removing modules is racy and should not be
required. rmmod of legacy ipfwadm and ipchains modules is
untouched.
* Wed Sep 19 2001 draht@suse.de
- Added restart2 section into rc scripts to work around open
packet filter rules during yast2-triggered rules reload.
* Tue Sep 04 2001 garloff@suse.de
- Disabled automatic ip-up updating for the release of SuSE Linux
7.3 (not needed, so avoid any risks).
* Tue Sep 04 2001 garloff@suse.de
- Update to SuSEfirewall2-1.7:
* Fixed a bug in FW_FORWARD_MASQ when target ports were ranges.
* Fixed some bugs in the documentation.
* When stopping SuSEfirewall2, all modules are now removed.
- bzip2 sources.
* Fri Aug 03 2001 garloff@suse.de
- Update to SuSEfirewall-1.6:
* Error checking for FW_MASQ_NETS.
* Added an additional EXAMPLE with an ipsec setup and a FAQ
section.
* Thu Jul 26 2001 garloff@suse.de
- Update to SuSEfirewall2-1.5:
* Already include most patches applied to 1.3
* Fix firewall2.rc.config syntax to be YaST(2) compliant
* Fix bug WRT timeout for first DNS lookup that triggered
autodialing
* SQUID udp ports support
* Fix problem with error logging
- Provide automatic update for /etc/ppp/ip-up for SuSE Linux 7.2
users and warn others.
* Tue Jul 17 2001 garloff@suse.de
- rcSuSEfirewall2 symlink points to _setup now, as that one's
capable of doing a start and a stop.
- Use rc.status functions
* Tue Jul 17 2001 garloff@suse.de
- Use ispell to fix docus. Strip CR from LICENCE.
* Tue Jul 17 2001 garloff@suse.de
- Initial creation of package SuSEfirewall2:
* checkin version 1.3
* create package description and specfile
- Some changes to the startup scripts:
* LSB conformant comments