DISCONTINUED:openSUSE:11.1
File SuSEfirewall2.spec of Package SuSEfirewall2
#
# spec file for package SuSEfirewall2 (Version 3.6_SVNr208)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

# norootforbuild
# icecream 0

Name:           SuSEfirewall2
Version:        3.6_SVNr208
Release:        1
License:        GPL v2 or later
Group:          Productivity/Networking/Security
Provides:       personal-firewall SuSEfirewall
Obsoletes:      personal-firewall SuSEfirewall
PreReq:         %fillup_prereq %insserv_prereq /bin/sed textutils fileutils grep filesystem
Requires:       iptables coreutils perl sysconfig
Summary:        Stateful Packet Filter Using iptables and netfilter
Source:         SuSEfirewall2-%{version}.tar.bz2
BuildArch:      noarch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
SuSEfirewall2 implements a packet filter that protects hosts and
routers by limiting which services or networks are accessible on the
host or via the router.

SuSEfirewall2 uses the iptables/netfilter packet filtering
infrastructure to create a flexible rule set for a stateful firewall.

Authors:
--------
    Ludwig Nussel <ludwig.nussel@suse.de>
    Marc Heuse

%prep
%setup
# please send patches to lnussel for inclusion in svn first

%build

%install
make DESTDIR="%{buildroot}" install
install -d -m 755 %{buildroot}/var/adm/fillup-templates/
install -m 644 SuSEfirewall2.sysconfig %{buildroot}/var/adm/fillup-templates/sysconfig.SuSEfirewall2
install -d -m 755 %{buildroot}%{_datadir}/susehelp/meta/Manuals/Productivity
install -m 644 SuSEfirewall2-doc.desktop \
    %{buildroot}%{_datadir}/susehelp/meta/Manuals/Productivity/SuSEfirewall2.desktop
#

%files
%defattr(-, root, root)
%doc LICENCE EXAMPLES FAQ README
%doc *.html *.css
%doc SuSEfirewall2.sysconfig
%doc %{_datadir}/susehelp
%config(noreplace) /etc/sysconfig/scripts/SuSEfirewall2-custom
%config /etc/init.d/SuSEfirewall2_init
%config /etc/init.d/SuSEfirewall2_setup
/etc/sysconfig/SuSEfirewall2.d/services/*
/etc/sysconfig/scripts/SuSEfirewall2-rpcinfo
/etc/sysconfig/scripts/SuSEfirewall2-showlog
/etc/sysconfig/scripts/SuSEfirewall2-open
/etc/sysconfig/scripts/SuSEfirewall2-batch
/etc/sysconfig/scripts/SuSEfirewall2-qdisc
/etc/sysconfig/scripts/SuSEfirewall2-oldbroadcast
/etc/sysconfig/network/scripts/SuSEfirewall2
/etc/sysconfig/network/if-up.d/SuSEfirewall2
/sbin/rcSuSEfirewall2
/sbin/SuSEfirewall2
/var/adm/fillup-templates/sysconfig.SuSEfirewall2

%postun
%insserv_cleanup

%post
# rename old config file
if test -e etc/rc.config.d/firewall2.rc.config -a ! -e etc/sysconfig/SuSEfirewall2; then
    sed 's#etc/rc.config.d/firewall2-custom.rc.config#etc/sysconfig/scripts/SuSEfirewall2-custom#' \
        < etc/rc.config.d/firewall2.rc.config > etc/sysconfig/SuSEfirewall2
    mv etc/rc.config.d/firewall2.rc.config etc/rc.config.d/firewall2.rc.config.rpmsave
fi
# save custom script
if test -e etc/rc.config.d/firewall2-custom.rc.config; then
    mv etc/rc.config.d/firewall2-custom.rc.config etc/rc.config.d/firewall2-custom.rc.config.rpmorig
    if test -e etc/sysconfig/scripts/SuSEfirewall2-custom; then
        mv -f etc/sysconfig/scripts/SuSEfirewall2-custom etc/sysconfig/scripts/SuSEfirewall2-custom.rpmnew
    fi
    sed 's#etc/rc.config.d/firewall2-custom.rc.config#etc/sysconfig/scripts/SuSEfirewall2-custom#' \
        < etc/rc.config.d/firewall2-custom.rc.config.bak > etc/sysconfig/scripts/SuSEfirewall2-custom
fi
dropvar=
# really old
dropvar="$dropvar FW_SERVICE_AUTODETECT FW_SERVICE_DNS FW_SERVICE_DHCLIENT"
dropvar="$dropvar FW_SERVICE_DHCPD FW_SERVICE_SQUID FW_SERVICE_SAMBA"
# obsolete after 9.1
dropvar="$dropvar FW_IPSEC_MARK"
# obsolete after 9.2
dropvar="$dropvar FW_ALLOW_FW_TRACEROUTE"
dropvar="$dropvar FW_AUTOPROTECT_SERVICES FW_ANTISPOOF FW_PROTECT_FROM_INTERNAL"
dropvar="$dropvar FW_QUICKMODE FW_SERVICES_QUICK_TCP FW_SERVICES_QUICK_UDP FW_SERVICES_QUICK_IP"
#
# remove FW_LOG because log prefix of <= 9.0 is too long
if [ -e etc/sysconfig/SuSEfirewall2 ] && \
    (reset_fw_log=0;
    . etc/sysconfig/SuSEfirewall2 && \
    set -- $FW_LOG && \
    while [ "$#" != 0 ]; do
        [ "$1" = "--log-prefix" -a "$2" = "SuSE-FW" ] && reset_fw_log=1;
        shift;
    done
    test "$reset_fw_log" != 0); then
    dropvar="$dropvar FW_LOG"
fi
%{remove_and_set -n SuSEfirewall2 $dropvar}
# now merge new sysconfig files
%{fillup_and_insserv SuSEfirewall2_init SuSEfirewall2_setup}
# SuSEfirewall2_init is no longer a boot.d script, need to remove
# and add it again
for i in etc/init.d/boot.d/S??SuSEfirewall2_init; do
    if [ -e "$i" ]; then
        /sbin/insserv -r -f SuSEfirewall2_init
        /sbin/insserv -f SuSEfirewall2_init
        break
    fi
done
# convert FW_PROTECT_FROM_INTERNAL
if [ -e etc/sysconfig/SuSEfirewall2 \
    -a -n "$FW_PROTECT_FROM_INTERNAL" -a "$FW_PROTECT_FROM_INTERNAL" != "no" ]; then
    sed 's/^FW_PROTECT_FROM_INT=.*/FW_PROTECT_FROM_INT="yes"/' \
        < etc/sysconfig/SuSEfirewall2 \
        > etc/sysconfig/SuSEfirewall2.new \
        && mv etc/sysconfig/SuSEfirewall2.new etc/sysconfig/SuSEfirewall2
fi
# convert old broadcast variables from <= 9.2 if needed
if [ -e etc/sysconfig/SuSEfirewall2 -a -e etc/sysconfig/scripts/SuSEfirewall2-oldbroadcast ]; then
(
    . etc/sysconfig/SuSEfirewall2
    have_old_allow=
    have_old_ignore=
    if [ -n "$FW_ALLOW_FW_BROADCAST" -a "$FW_ALLOW_FW_BROADCAST" != "int" ]; then
        have_old_allow=1
    fi
    if [ -n "$FW_IGNORE_FW_BROADCAST" -a "$FW_IGNORE_FW_BROADCAST" != "no" ]; then
        have_old_ignore=1
    fi
    if [ -n "$have_old_allow" -o -n "$have_old_ignore" ]; then
        alias warning=:
        . etc/sysconfig/scripts/SuSEfirewall2-oldbroadcast
        convert_old_broadcast
    fi
    sedpattern=
    if [ -n "$have_old_allow" ]; then
        sedpattern="s/^FW_ALLOW_FW_BROADCAST_INT=.*/FW_ALLOW_FW_BROADCAST_INT=\"$FW_ALLOW_FW_BROADCAST_INT\"/"
        sedpattern="$sedpattern;s/^FW_ALLOW_FW_BROADCAST_EXT=.*/FW_ALLOW_FW_BROADCAST_EXT=\"$FW_ALLOW_FW_BROADCAST_EXT\"/"
        sedpattern="$sedpattern;s/^FW_ALLOW_FW_BROADCAST_DMZ=.*/FW_ALLOW_FW_BROADCAST_DMZ=\"$FW_ALLOW_FW_BROADCAST_DMZ\"/"
    fi
    if [ -n "$have_old_ignore" ]; then
        sedpattern="$sedpattern;s/^FW_IGNORE_FW_BROADCAST_INT=.*/FW_IGNORE_FW_BROADCAST_INT=\"$FW_IGNORE_FW_BROADCAST_INT\"/"
        sedpattern="$sedpattern;s/^FW_IGNORE_FW_BROADCAST_EXT=.*/FW_IGNORE_FW_BROADCAST_EXT=\"$FW_IGNORE_FW_BROADCAST_EXT\"/"
        sedpattern="$sedpattern;s/^FW_IGNORE_FW_BROADCAST_DMZ=.*/FW_IGNORE_FW_BROADCAST_DMZ=\"$FW_IGNORE_FW_BROADCAST_DMZ\"/"
    fi
    if [ -n "$sedpattern" ]; then
        sed "$sedpattern" < etc/sysconfig/SuSEfirewall2 \
            > etc/sysconfig/SuSEfirewall2.new \
            && mv etc/sysconfig/SuSEfirewall2.new etc/sysconfig/SuSEfirewall2 \
            && echo "old broadcast variables converted"
    fi
    %{remove_and_set -n SuSEfirewall2 FW_IGNORE_FW_BROADCAST FW_ALLOW_FW_BROADCAST}
)
fi
if [ -e etc/sysconfig/SuSEfirewall2 ] \
    && grep -q '^FW_MASQ_DEV="\$FW_DEV_EXT"$' etc/sysconfig/SuSEfirewall2; then
    sed 's/^FW_MASQ_DEV="\$FW_DEV_EXT"$/FW_MASQ_DEV="zone:ext"/' \
        < etc/sysconfig/SuSEfirewall2 \
        > etc/sysconfig/SuSEfirewall2.new \
        && mv etc/sysconfig/SuSEfirewall2.new etc/sysconfig/SuSEfirewall2 \
        && echo "FW_MASQ_DEV converted"
fi
exit 0

%clean
rm -rf %{buildroot}

%changelog
* Thu Nov 06 2008 lnussel@suse.de
- check whether IPv6 support is available when stopping the
  firewall (bnc#442118)
- point to correct path for service files (bnc#425187)
* Wed Oct 15 2008 lnussel@suse.de
- check status of SuSEfirewall2 without triggering module load
  (bnc#435653)
- add missing iptables-batch commitpoint for IPv4
* Tue Sep 30 2008 lnussel@suse.de
- don't modify the ip local port range
- allow negated rules via ! in FW_FORWARD_MASQ (bnc#413046)
- explain some common pitfalls around FW_SERVICES_ACCEPT_EXT
- SuSEfirewall2_init: don't fail if /usr is not available
  (bnc#429899)
* Tue Sep 02 2008 lnussel@suse.de
- fix "recent" match (bnc#421806)
* Mon Aug 25 2008 ro@suse.de
- remove outdated start variables from fillup_and_insserv call
* Thu Jul 31 2008 werner@suse.de
- Make boot script know about new upcoming startpar and insserv
* Tue Jul 22 2008 lnussel@suse.de
- add NOTRACK/raw table support (fate#978788)
* Mon Jul 14 2008 lnussel@suse.de
- use correct rules to accept RELATED icmpv6 packets (bnc#396667)
* Mon Jun 30 2008 lnussel@suse.de
- allow empty protocol in FW_SERVICES_ACCEPT_RELATED,
  FW_SERVICES_REJECT, FW_SERVICES_DROP, FW_SERVICES_ACCEPT
  (bnc#376758)
* Tue Apr 22 2008 lnussel@suse.de
- accept icmp RELATED packets (bnc#382004)
* Thu Apr 17 2008 lnussel@suse.de
- sysconfig file documentation improvements
* Fri Apr 04 2008 lnussel@suse.de
- remove X-UnitedLinux tags from init scripts
- update links in docu
- auto detect bridge interfaces and permit traffic
* Fri Mar 28 2008 lnussel@suse.de
- fix typo in comment (bnc#350651)
- don't check for /proc/net/stat/nf_conntrack when checking for
  ipv6 support
- allow to ignore certain broadcasts even if broadcasts in general
  are allowed which is the expected behavior
- change handling of RELATED packages and make that configurable
  (fate#300970)
* Wed Nov 28 2007 lnussel@suse.de
- don't reject port 113 by default anymore (#344337)
* Tue Aug 07 2007 lnussel@suse.de
- use hwdesc2iface to convert old eth-id-* and eth-bus-* interface
  specifications to actual interface names.
* Mon Aug 06 2007 lnussel@suse.de
- don't try to load ip6tables modules if ipv6 is disabled (#297621)
* Fri Jul 06 2007 lnussel@suse.de
- New configuration options:
  FW_NOMASQ_NETS, FW_FORWARD_REJECT, FW_FORWARD_DROP
* Thu Jun 21 2007 lnussel@suse.de
- manually move SuSEfirewall2_init from boot.d to runlevel
  directory (#285872)
* Mon Jun 18 2007 lnussel@suse.de
- start SuSEfirewall2_init as normal init script rather than during
  boot.d
* Wed Jun 13 2007 lnussel@suse.de
- move removing the boot lock file from init script to
  /sbin/SuSEfirewall2
- add separate bootlock and bootunlock actions
- use if-up script instead of NetworkManager specific script
* Fri Mar 23 2007 lnussel@suse.de
- enhance FW_ALLOW_CLASS_ROUTING to allow routing in specific zones
  only
- prevent unintended inter-class routing when masquerading is
  enabled on multiple interfaces in the same zone
- disable extra rules for established/related icmp packets as those
  are useless
- accept icmpv6 in the OUTPUT chain to avoid excessive errors in log
- add IPv6 support for FW_ALLOW_CLASS_ROUTING and FW_FORWARD
* Thu Mar 08 2007 lnussel@suse.de
- remove checks for binaries that are not required anymore anyways
- fix package dependencies
* Thu Mar 01 2007 lnussel@suse.de
- use /etc/sysconfig/SuSEfirewall2.d/services (#247352)
* Thu Feb 22 2007 sbrabec@suse.cz
- Removed directory ownership of /usr/share/SuSEfirewall2* (#247435).
* Tue Feb 13 2007 lnussel@suse.de
- fix FW_DEV_* not working (#244917)
* Mon Feb 12 2007 lnussel@suse.de
- use /sys/class/net instead of /proc/sys/net/ipv[46]/conf/ to
  determine whether an interface exists. Side effect: interfaces
  without ip also get filtering rules
- read FW_ZONE variable from ifcfg files for interfaces that are not
  listed in FW_DEV_*
- always use default zone for interfaces that are neither listed in
  FW_DEV_* nor have FW_ZONE set
- FW_DEV_*="any" sets default zone
- FW_MASQ_DEV="$FW_DEV_EXT" does not work with ifcfg method of
  specifying a zone. Use FW_MASQ_DEV="zone:ext" instead.
- remove old interface autodetection code
- add a name tag to meta info of service template
- fix some typos found by Eric Auer
- set version to 3.6
* Wed Nov 15 2006 lnussel@suse.de
- only log errors in the output chain if logging is actually
  enabled (#219108)
* Wed Sep 20 2006 lnussel@suse.de
- honor zone specific FW_REJECT_* variables and reject instead of
  dropping packets from the internal zone by default (#147263)
- fix wrong default value in sysconfig metadata for
  FW_SERVICES_ACCEPT_EXT
* Sun Aug 13 2006 ro@suse.de
- remove update-messages
* Wed Jul 19 2006 lnussel@suse.de
- add support for ipt_recent (#104602)
* Mon Jul 17 2006 lnussel@suse.de
- add support for service configuration files in
  /usr/share/SuSEfirewall2/services via FW_CONFIGURATIONS_*
  (fate [#300687])
- support alternative logging targets (#180078)
- start version 3.5
* Tue Jun 06 2006 lnussel@suse.de
- install rule for interface 'any' last in order to make it work
  with additional zones like DMZ (#181308)
* Mon May 22 2006 lnussel@suse.de
- fix FW_FORWARD not working with ipsec flag (#170530)
* Thu Mar 30 2006 lnussel@suse.de
- don't change igmp_max_memberships, correct docu for
  FW_KERNEL_SECURITY (#162086)
* Tue Mar 28 2006 lnussel@suse.de
- introduce FW_FORWARD_ALWAYS_INOUT_DEV for use with XEN (#154133)
* Mon Mar 06 2006 lnussel@suse.de
- log and drop multicast packets separately in order to prevent
  flooding other log targets (#155326)
* Thu Mar 02 2006 lnussel@suse.de
- don't try to use v6 state matching if /proc/net/stat/nf_conntrack
  doesn't exist as it won't work without (#151776)
- reject v6 packets by default to avoid timeouts (#145758)
* Mon Feb 20 2006 lnussel@suse.de
- allow FW_FORWARD_MASQ without FW_MASQ_NETS (#151795)
* Fri Feb 03 2006 lnussel@suse.de
- add dispatcher script for NetworkManager (#147671)
* Wed Feb 01 2006 lnussel@suse.de
- also check for xt_state to finally get IPv6 state matching again
  (#145758)
* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Tue Jan 10 2006 lnussel@suse.de
- don't change setting for ECN and TCP syncookies as those are
  already configurable via /etc/sysconfig/sysctl
* Tue Jan 03 2006 lnussel@suse.de
- fix initscript status reporting (#124869)
* Mon Aug 01 2005 lnussel@suse.de
- fall back to normal iptables if iptables-batch fails
- always add ip6tables drop rule in case REJECT doesn't work for
  some reason
* Mon Aug 01 2005 lnussel@suse.de
- don't load ftp conntrack modules by default
* Wed Jul 20 2005 lnussel@suse.de
- discard errors from rpcinfo as some people don't have it running
  all the time
- don't print warning if ipv6 support is disabled
- mark FW_ALLOW_INCOMING_HIGHPORTS_* as deprecated
- permit empty port in FW_TRUSTED_NETS
- fix FW_ALLOW_INCOMING_HIGHPORTS_UDP
* Mon May 09 2005 lnussel@suse.de
- fix check for iptables-batch
* Fri Apr 22 2005 lnussel@suse.de
- use iptables-batch by default if available
- use full path to getopt and logger (#76703)
- fix FW_ALLOW_CLASS_ROUTING (#75319)
- start version 3.4
* Wed Mar 16 2005 lnussel@suse.de
- include all sysctl in FW_KERNEL_SECURITY (#61429)
- allow basic IPv6 tcp and icmp despite missing conntrack (#72865)
* Mon Mar 14 2005 lnussel@suse.de
- fix rejecting of IPv6 packets if state matching is not available
  (#72414)
- fix "any" interface (#72428)
- fix docu stylesheet to make programlistings have a grey
  background again
* Fri Mar 11 2005 lnussel@suse.de
- install desktop file to integrate docu in susehelp
* Tue Mar 01 2005 lnussel@suse.de
- support forwarding of decrypted IPsec packets independent of
  FW_IPSEC_TRUST (#66664)
* Mon Feb 21 2005 lnussel@suse.de
- reorder rule creation to keep window where packets are dropped
  small
- fix missing space at some log messages
* Fri Feb 18 2005 lnussel@suse.de
- add port to FW_FORWARD reply packet match rule
* Thu Feb 17 2005 lnussel@suse.de
- cleanup and enhance docu
* Thu Feb 03 2005 lnussel@suse.de
- disable workaround for #46818
- use proof-read text for broadcast update message
* Tue Feb 01 2005 lnussel@suse.de
- parse zones before interface evaluation
- convert broadcast variables to new syntax
- add update message for broadcast variable conversion
- remove more obsolete variables from config file
* Fri Jan 28 2005 lnussel@suse.de
- fix init script requires tag (#50231)
* Wed Jan 26 2005 lnussel@suse.de
- add note about inconsistent iptables behavior (#49739)
- allow protocols without port in FW_DROP*
- make warnings about deprecated variables more specific
- allow to define additional zones through FW_ZONES
- remove FW_ALLOW_FW_TRACEROUTE from config file
* Tue Jan 11 2005 lnussel@suse.de
- implement FW_SERVICES_ACCEPT_*
- allow source port in FW_SERVICES_{REJECT,DROP}
- recognise special protocol _rpc_ in
  FW_SERVICES_{ACCEPT,REJECT,DROP}_*
- do not load ipv6 modules if FW_IPv6=no (#47545)
- add -q (quiet) option, used during boot
- don't warn if FW_MASQ_NETS is set to default 0/0
- create boot lock file in SuSEfirewall2_init to prevent useless
  firewall starts in rcnetwork (#49068)
- use only SuSEfirewall2_init and ..._setup during boot
- run SuSEfirewall2_init before entering runlevel already
* Wed Dec 08 2004 lnussel@suse.de
- move qdisc settings into separate file
- do not call "ip" anymore as ip addresses are not used anyway
- drop tos settings
- reduce log messages for dropped icmp packets
* Tue Dec 07 2004 lnussel@suse.de
- do not rely on int, ext, dmz anymore
- PROTECT_FROM_INTERNAL -> PROTECT_FROM_$zone
- fix replies to forwarded packets (#48793)
- split broadcast stuff into separate zone specific variables
- only create rules for zones that are actually needed => less
  rules, less forks, more speed.
- remove traces of personal-firewall
* Thu Dec 02 2004 lnussel@suse.de
- remove icmp output rules
- first steps toward configurable zones
- match redirected packets with fwmark so the port does not need to
  be opened (Carl-Daniel)
- drop auto protect and anti spoof stuff
* Wed Dec 01 2004 lnussel@suse.de
- more cleanup
- add temporary workaround for #46818
- set version to 3.3
* Tue Sep 28 2004 schwab@suse.de
- Fix typo in last change.
* Tue Sep 28 2004 lnussel@suse.de
- finally allow ESTABLISHED,RELATED tcp and udp always to fix
  problems with DHCP (#46237)
* Mon Sep 27 2004 lnussel@suse.de
- some typo fixes from Volker Kuhlmann
- add feature FW_DEV_EXT=any to prevent common pitfall of packets
  on unconfigured interfaces being dropped (#46164, #46168)
* Wed Sep 22 2004 lnussel@suse.de
- fix opening of ports in zones other than external (#45776)
* Mon Sep 20 2004 lnussel@suse.de
- better detection if state matching is supported
- really don't use REJECT if ip6tables has no reject target
- fix debug mode
- fix output log message
* Tue Sep 14 2004 lnussel@suse.de
- do not set ip_conntrack_max (#44846)
* Tue Sep 14 2004 lnussel@suse.de
- add 'open' parameter to have SuSEfirewall open the specified
  services
* Fri Sep 03 2004 lnussel@suse.de
- do not run ip6tables if network in FW_SERVICES_{REJECT,DROP}_*
  looks like an IPv4 address and vice versa.
- add "on" and "off" commandline parameters to quickly add and
  remove the initscripts together with starting and stopping the
  firewall.
* Mon Aug 30 2004 lnussel@suse.de
- set FW_MASQ_DEV to zero if personal-firewall is enabled without
  masquerading (#44076)
* Mon Aug 30 2004 lnussel@suse.de
- support individual services in FW_ALLOW_FW_BROADCAST (#44393)
- always also open portmapper port if any rpc services are to be
  opened
- fix $AWK not set in quickmode
* Thu Aug 26 2004 lnussel@suse.de
- allow related connections even in 'close' mode to allow DNS
  replies during boot (#44202, #44268)
- add net parameter to FW_SERVICES_DROP_* and FW_SERVICES_REJECT_*
- set default log limit to 3/minute
- remove accidentally slipped in default drop of ssh
- fix typo: "will used" -> "will be used"
* Mon Aug 23 2004 lnussel@suse.de
- initial stateful IPv6 support
- rephrase more comments in sysconfig file
- use new update message mechanism (#44041)
- new parameter 'log' to display firewall related log messages
- don't install perl helper scripts with executable bits set to not
  depend on perl
* Thu Aug 12 2004 lnussel@suse.de
- use perl helper script to determine ports of RPC services.
  Services that did not open their port as root are ignored.
* Fri Aug 06 2004 lnussel@suse.de
- major cleanup
- use ipsec policy match to match ipsec packets
- use pkttype to match broadcast packages
- new variables: FW_LOG_LIMIT, FW_SERVICES_DROP_EXT,
  FW_SERVICES_REJECT_EXT
- obsolete: FW_SERVICE_DHCLIENT, FW_SERVICE_DHCPD, FW_SERVICE_SAMBA
- switch autoprotect and protect from internal off by default
* Wed May 26 2004 lnussel@suse.de
- drop special support for named and squid, the stateful rules
  should suffice
- fix icmp usage in FW_MASQ_NETS (patch by Carl-Daniel Hailfinger)
- don't send mail about changed FW_LOG if FW_LOG was empty
- remove comment about kernel 2.4 (#40127)
- consider kernel 2.7 as supported
* Wed May 05 2004 lnussel@suse.de
- make masquerading work when external interface is set to "auto"
  (#39914)
* Wed Mar 31 2004 lnussel@suse.de
- use getcfg-interface to support config names in FW_DEV_EXT,
  FW_DEV_INT, FW_DEV_DMZ, FW_MASQ_DEV and FW_HTB_TUNE_DEV (#37643).
* Tue Mar 16 2004 lnussel@suse.de
- replace FW_LOG in sysconfig file with default value and send a
  notify mail to root (#36066)
- getconfig-interface was renamed to getcfg-interface, so call that
  one in SuSEfirewall2-autointerface.sh (#36067)
* Thu Feb 26 2004 lnussel@suse.de
- determine dynamic portnumbers for RPC services to be able to run
  e.g. an nfs server in a firewalled zone
  (SuSEfirewall2-3.1-rpcserver.diff, #32033)
* Mon Feb 16 2004 lnussel@suse.de
- allow IPsec packets to be trusted (SuSEfirewall2-ipsec.diff)
* Mon Feb 16 2004 lnussel@suse.de
- allow to change IPv6 policy independent of IPv4
  (SuSEfirewall2-3.1-close-ipv6.diff).
- change handling of broadcasts. Allow them on internal interfaces
  per default (SuSEfirewall2-noantispoof.diff).
- rely on rp_filter instead of generating anti-spoofing rules
  (SuSEfirewall2-noantispoof.diff).
- optional automatic detection of external and internal interface
  (SuSEfirewall2-auto.diff).
- use stateful filtering to allow related incoming tcp and udp
  packets on any port (SuSEfirewall2-highports.diff).
- update SuSEfirewall2-3.1-newlog.diff: don't add logging options
  in sysconfig file but instead use default if empty.
* Fri Feb 06 2004 lnussel@suse.de
- clean up spec file
- get rid of compatibility stuff for <= 8.0
- build as user
- merge some patches
- install files with less paranoid permissions
* Mon Jan 12 2004 ug@suse.de
- static quantum added in the HTB patch to avoid a warning about a
  too small quantum calculated automatically
- deleting qdisc before creating new one to avoid warning on second
  start with no stop in-between
* Fri Oct 24 2003 garloff@suse.de
- Use logging prefixes with more information.
* Fri Oct 24 2003 garloff@suse.de
- Don't use REJECT target for IPv6.
* Fri Oct 24 2003 garloff@suse.de
- #32032: When closing down IPv6, we do a bit too much. As local
  host resolves to ::1, we should allow traffic on lo to not break
  mozilla.
- #30789: Disable warning about not running named. named does only
  need port 53 in many configs and then the warning is bogus.
* Sat Sep 20 2003 garloff@suse.de
- #27661: Close down IPv6 traffic as we can not yet filter it.
- Patch to detect conflicts in antispoofing rules between ipsec
  interfaces in internal networks and external interfaces.
- Fix one bug with logging logic.
- Start SuSEfirewall2_setup after named. (#30789)
* Sat Sep 20 2003 garloff@suse.de
- #27316: Fix determination of external interface in
  Personal-Firewall Mode.
* Tue Sep 02 2003 mmj@suse.de
- Add sysconfig metadata [#28808]
* Thu Jul 31 2003 kukuk@suse.de
- serial was renamed to setserial [Bug #28353]
* Mon Mar 24 2003 garloff@suse.de
- Dec 30 change was too restrictive. Instead fix log messages.
  [bug #25453]
* Tue Mar 11 2003 garloff@suse.de
- Fix for optional rate limiting (HTB) feature: In full mode, the
  qdisc_settings need to be redone after the last TOS settings.
  Contributed by Uwe Gansert.
* Mon Mar 10 2003 garloff@suse.de
- Return 6 if no interface is specified. [bug #24438]
* Fri Feb 21 2003 garloff@suse.de
- Put metadata also in personal-firewall sysconfig.
* Fri Feb 21 2003 garloff@suse.de
- Change sysconfig metadata path to Network/Firewall/SuSEfirewall2
  [bug #23878]
- Integrate optional support for limiting the rate of outgoing
  packets. Contributed by Uwe Gansert.
* Thu Feb 06 2003 garloff@suse.de
- Add Obsoletes & Provides: SuSEfirewall [#19561]
* Thu Jan 23 2003 garloff@suse.de
- Add sysconfig metainfo. [#22586]
* Tue Jan 21 2003 garloff@suse.de
- Path in comment in sysconfig file to custom rules was wrong.
  [bug #21651]
- Sort SuSEfirewall2_final to the end.
* Mon Dec 30 2002 garloff@suse.de
- Fix reversed logic in evaluation on ALLOW_INCOMING_HIGHPORTS_TCP.
  Thanks to Gernot Hillier for analyzing and reporting.
* Wed Oct 30 2002 garloff@suse.de
- Fix masquerading in quick mode/pfw compat mode.
- custom_before_port_handling back to old name (for compatibility),
  new custom_after_antospoofing() function instead.
* Mon Oct 21 2002 draht@suse.de
- SuSEfirewall2-3.1.personal-firewall-compat.diff changed to remove
  error in testing for interfaces in REJECT_ALL_INCOMING_CONNECTIONS
* Tue Oct 15 2002 garloff@suse.de
- When using FW_SERVICES_QUICK, the log messages could log packets
  which in the end are not dropped.
- Try to handle exotic protocols (Appletalk), #20414.
- Move custom_before_port_handling before we split the rulechains
  into input_XXX and forward_XXX and introduce
  custom_after_port_handling at old position.
* Sun Oct 06 2002 garloff@suse.de
- Consolidate patches:
  * Integrate fixes for FW_SERVICES_QUICK in it
  * Integrate fixes for service_noext in it
  * DEV_IP parsing is obsolete because of fix-parse-bcast
- Restrict DHCP by specifying interface in INPUT chain rather than
  putting rules in input_XXX chains: Broadcasts did not get there.
- Fix spec file for SL 8.0.
* Thu Oct 03 2002 garloff@suse.de
- Create input/forward rulechains before inserting special services
  on them. Mea maxima culpa. Fixes bug #20093.
- Shorten too long log prefix.
* Thu Oct 03 2002 garloff@suse.de
- Explicitly require #!/bin/bash.
* Wed Oct 02 2002 garloff@suse.de
- Fix iptables usage error for FW_SERVICE_QUICK_XXX.
* Wed Oct 02 2002 garloff@suse.de
- Fix more parsing issues: Use read instead of awk (much faster)
  and handle interfaces without broadcast address. [Bug #20414]
* Wed Oct 02 2002 garloff@suse.de
- Fix split of address/netmasks for masqueraded nets. [Bug #20093]
* Sun Sep 15 2002 draht@suse.de
- added missing -j option to iptables. Fix in
  SuSEfirewall2-3.1.correct-reject.diff
* Wed Sep 11 2002 draht@suse.de
- bug in interface address parsing from ifconfig output (#19384)
* Sun Sep 08 2002 kukuk@suse.de
- Add "Provides: personal-firewall" [Bug #19097]
* Thu Sep 05 2002 garloff@suse.de
- Fix syntax error in pers-fw part.
* Thu Sep 05 2002 garloff@suse.de
- Merge personal-firewall compatibility fixes from draht.
* Thu Sep 05 2002 garloff@suse.de
- Allow DHClient in all networks even for "yes".
* Thu Sep 05 2002 garloff@suse.de
- Fix bug #18336:
  * The switches FW_SERVICE_DNS, FW_SERVICE_DHCLIENT,
    FW_SERVICE_DHCPD, FW_SERVICE_SQUID and FW_SERVICE_SAMBA, as
    well as the magical FW_SERVICE_AUTODETECT have four possible
    values now.
  * no: not open (unchanged)
  * yes: open to internal networks (formerly: to all)
  * dmz: open to internal and DMZ networks (new)
  * ext: open to everywhere (new, corresponds to old yes)
* Thu Sep 05 2002 garloff@suse.de
- Fix rcSuSEfirewall2 status report (it probes for reject_func
  rulechain now).
- Add optional FW_SERVICES_QUICK_ to make QUICK mode useful for
  many more people. Defaults to empty of course.
* Thu Sep 05 2002 garloff@suse.de
- Unify spec file for older version of SL using
  %%if %%suse_version.
* Wed Sep 04 2002 garloff@suse.de
- Added Obsoletes: personal-firewall (#18691)
- Update to 3.1:
  * Contains some of the previously applied fixes
  * Speedup by avoiding forks
  * Bugfix for accepting related and established connections
  * FW_FORWARD_MASQ bug: Demasquerading was too global and was
    overriding other rules for the same port.
* Mon Aug 19 2002 garloff@suse.de
- Add filesystem PreReq: (#17776)
* Wed Aug 14 2002 garloff@suse.de
- Reenable no-rmmod patch: Current kernels still can hang on rmmod
  of ipt modules.
- Remove some Should-Start comments from SuSEfirewall2_init, so it
  can be started earlier.
* Mon Aug 12 2002 garloff@suse.de
- Don't refuse to run on 2.5 or 2.6 kernels.
* Mon Aug 12 2002 garloff@suse.de
- Update to SuSEfirewall2-3.0:
  * FW_QUICKMODE, only needing FW_DEV_EXT and FW_MASQ_DEV to be
    configured, replacing SuSE's personal-firewall.
  * FW_REJECT option: Instead of dropping packets, we reject them.
  * FW_FORWARD fix for icmp types
  * Target IP address for FW_FORWARD_MASQ
  * Skip _final run if not needed (only needed if autoprotecting
    features are present)
  * Docu fixes
- Revert FW_STOP_KEEP_ROUTING_STATE="yes" default (2002-07-12) due
  to security concerns.
* Sun Aug 11 2002 garloff@suse.de
- Don't add /var/log/firewall to syslog file automatically any more
  as it might cause problems at installation time. (#17421)
* Sat Aug 03 2002 kukuk@suse.de
- Add PreRequires.
* Fri Jul 12 2002 garloff@suse.de
- Set FW_STOP_KEEP_ROUTING_STATE="yes" by default. (bug #11785)
* Thu Jul 11 2002 garloff@suse.de
- Make SQUID_PORT and DNS_PORT greps on lsof output handle the
  situation when the named/squid are bind to an IP address (#16350)
* Thu Jul 11 2002 garloff@suse.de
- Adapt to new init info comments (X-UnitedLinux-Should-Start)
- Provide Short-Description
- Remove Dep-Only flag (bug #15650)
* Fri Mar 08 2002 garloff@suse.de
- Some people don't like colons. (bug #14700) Remove them from
  initscripts. Compensation here ::::::
* Thu Mar 07 2002 draht@suse.de,lnussel@suse.de
- cosmetic fixes in fillup template
  (SuSEfirewall2-2.1.cosmetics-in-fillup.diff)
  functionality enhancements to cooperate with the y2 frontend,
  reflected in the changed
  SuSEfirewall2-2.1.syntax-for-y2-config.diff
* Mon Mar 04 2002 draht@suse.de
- fixes for SuSEfirewall2 to cooperate with the y2 frontend.
  SuSEfirewall2-2.1.syntax-for-y2-config.diff
* Fri Mar 01 2002 pthomas@suse.de
- Fix notification mail.
* Fri Jan 18 2002 garloff@suse.de
- UNALLOWED -> UNAUTHORIZED (bug #12859)
* Mon Jan 14 2002 garloff@suse.de
- Use LC_ALL to unset language specific support.
- Remove /etc/sysconfig/SuSEfirewall2 from %%file list.
* Fri Jan 11 2002 garloff@suse.de
- Moved SuSEfirewall2 config files away from network to
  /etc/sysconfig resp. /etc/sysconfig/scripts/
- More docu fixes
- Init script fixes for new sysconfig (incl. dep. info)
* Fri Jan 11 2002 garloff@suse.de
- Update to new runlevel and configuration scheme:
  * config files are /etc/sysconfig/network/SuSEfirewall2 and
    /etc/sysconfig/network/scripts/SuSEfitrewall2-custom now
  * Startup behaviour is controlled by the existence of rc?.d
    symlinks.
  * Old config files should be saved and moved
* Fri Jan 11 2002 garloff@suse.de
- Update to SuSEfirewall-2.1:
  * Improved logging
  * FW_*_ALLOW_HIGH_PORT: related connections always allowed now,
    therefore INCOMING_HIGHPORTS_TCP="no" by default now.
  * '!' support for FW_REDIRECT
* Wed Nov 28 2001 garloff@suse.de
- Update to SuSEfirewall2-2.0:
  * Typo which created probs for ADSL users fixed.
- Update to SuSEfirewall2-1.8:
  * Private network detection for FW_MASQ_NETS fixed
  * Better log output
* Thu Sep 20 2001 draht@suse.de
- rmmod of ip_tables modules can cause rmmod (and the system
  startup) to hang. Removing modules is racey and should not be
  required. rmmod of legacy ipfwadm and ipchains modules is
  untouched.
* Wed Sep 19 2001 draht@suse.de
- Added restart2 section into rc scripts to work around open packet
  filter rules during yast2-triggered rules reload.
* Tue Sep 04 2001 garloff@suse.de
- Disabled automatic ip-up updating for the release of SuSE Linux
  7.3 (not needed, so avoid any risks).
* Tue Sep 04 2001 garloff@suse.de
- Update to SuSEfirewall2-1.7:
  * Fixed a bug in FW_FORWARD_MASQ when target ports were ranges.
  * Fixed some bugs in the documentation.
  * When stopping SuSEfirewall2, all modules are now removed.
- bzip2 sources.
* Fri Aug 03 2001 garloff@suse.de
- Update to SuSEfirewall-1.6:
  * Error checking for FW_MASQ_NETS.
  * Added an additional EXAMPLE with an ipsec setup and a FAQ
    section.
* Thu Jul 26 2001 garloff@suse.de
- Update to SuSEfirewall2-1.5:
  * Already include most patches applied to 1.3
  * Fix firewall2.rc.config syntax to be YaST(2) compliant
  * Fix bug WRT timeout for first DNS lookup that triggered
    autodialing
  * SQUID udp ports support
  * Fix problem with error logging
- Provide automatic update for /etc/ppp/ip-up for SuSE Linux 7.2
  users and warn others.
* Tue Jul 17 2001 garloff@suse.de
- rcSuSEfirewall2 symlink points to _setup now, as that one's
  capable of doing a start and a stop.
- Use rc.status functions
* Tue Jul 17 2001 garloff@suse.de
- Use ispell to fix docus. Strip CR from LICENCE.
* Tue Jul 17 2001 garloff@suse.de
- Initial creation of package SuSEfirewall2:
  * checkin version 1.3
  * create package description and specfile
- Some changes to the startup scripts:
  * LSB conformant comments