File SuSEfirewall2.changes of Package SuSEfirewall2.568

-------------------------------------------------------------------
Tue Jun 19 11:41:59 UTC 2012 - lnussel@suse.de

- allow icmpv6 in FW_SERVICES_*_*
- allow ICMPv6 Multicast Listener Query (bnc#767392)

-------------------------------------------------------------------
Wed Apr  6 07:22:36 UTC 2011 - lnussel@suse.de

- fix reverse direction of forwarding rules (bnc#679192)

-------------------------------------------------------------------
Tue Feb  1 13:16:53 UTC 2011 - lnussel@suse.de

- introduce rpcusers file to allow statd to run as non-root
  (bnc#668553)

-------------------------------------------------------------------
Wed Jan 19 14:04:48 UTC 2011 - lnussel@suse.de

- add zonein and zoneout parameters for FW_FORWARD
- fix typos

-------------------------------------------------------------------
Mon Jan 10 13:15:05 UTC 2011 - lnussel@suse.de

- don't start in runlevel 4 by default (bnc#656520)
- cut off long zone names (bnc#644527)
- fix and enhance output of log command (bnc#663262)

-------------------------------------------------------------------
Thu Dec  2 13:33:59 UTC 2010 - lnussel@suse.de

- don't unload rules when using systemd

-------------------------------------------------------------------
Tue Nov 16 15:01:04 UTC 2010 - lnussel@suse.de

- list some known rpc services as Should-Start
- don't filter outgoing packets at all
- fix an example (bnc#641907)
- fix status check in SuSEfirewall2_init (bnc#628751)

-------------------------------------------------------------------
Mon Aug 16 07:32:31 UTC 2010 - lnussel@suse.de

- don't use fillup anymore as it keeps corrupting the config file
  (bnc#340926)

-------------------------------------------------------------------
Tue Jun 29 12:20:30 UTC 2010 - lnussel@suse.de

- remove "batch committing..." message
- read defaults from separate file
- warn if highports config options are set
- finally drop 'highports' misfeature
- remove kernel ipv6 module detection (bnc#617033)
- silence warning about default zone (bnc#616841)
- SuSEfirewall2-open: don't add values multiple times
- Use multiprotocol xt_conntrack

-------------------------------------------------------------------
Mon May 31 08:11:54 UTC 2010 - lnussel@suse.de

- only directories in /sys/class/net are real interfaces (bnc#609810)

-------------------------------------------------------------------
Fri Mar 19 13:34:10 UTC 2010 - lnussel@suse.de

- add entry about drbd to FAQ
- update docu
- implement FW_BOOT_FULL_INIT

-------------------------------------------------------------------
Tue Feb 16 13:51:48 UTC 2010 - lnussel@suse.de

- use new versioning scheme after switch of repo to git
- update and rebuild docu
- remove really old rc.config conversion code from spec file

-------------------------------------------------------------------
Tue Sep 15 13:33:06 UTC 2009 - lnussel@suse.de

- fix spelling error in sysconfig file (bnc#537427)
- polishing of log drop policy (bnc#538053)
  * drop multicast packets silently
  * separate drop rule for broadcast packets at end of chain
  * only consider NEW udp packets as critical
  * don't log INVALID packets as critical

-------------------------------------------------------------------
Fri Aug 21 11:09:40 UTC 2009 - lnussel@suse.de

- implement runtime override of interface zones
- allow disabling NOTRACK rules on lo (bnc#519526)

-------------------------------------------------------------------
Fri Jul 17 10:04:48 UTC 2009 - lnussel@suse.de

- remove chkconfig calls (bnc#522268)

-------------------------------------------------------------------
Thu Jul  9 13:50:47 UTC 2009 - lnussel@suse.de

- add note about use as bridging firewall
- allow to set FW_ZONE_DEFAULT via config file
- deprecate fw_custom_before_antispoofing and
  fw_custom_after_antispoofing, use fw_custom_after_chain_creation
  instead

-------------------------------------------------------------------
Tue Jun  9 14:19:27 UTC 2009 - lnussel@suse.de

- add note that ulog doesn't work with IPv6 (bnc#442756)
- fix version number in help text
- allow service files to specify kernel modules and allow related packets
- silence an error from bash if a service config file is not available (bnc#487870)
- better wording for BROADCAST in template
- update firewall hook script (patch by Marius)

-------------------------------------------------------------------
Thu Nov  6 13:18:31 CET 2008 - lnussel@suse.de

- check whether IPv6 support is available when stopping the firewall
  (bnc#442118)
- point to correct path for service files (bnc#425187)

-------------------------------------------------------------------
Wed Oct 15 15:50:36 CEST 2008 - lnussel@suse.de

- check status of SuSEfirewall2 without triggering module load (bnc#435653)
- add missing iptables-batch commitpoint for IPv4

-------------------------------------------------------------------
Tue Sep 30 10:48:19 CEST 2008 - lnussel@suse.de

- don't modify the ip local port range
- allow negated rules via ! in FW_FORWARD_MASQ (bnc#413046)
- explain some common pitfalls around FW_SERVICES_ACCEPT_EXT
- SuSEfirewall2_init: don't fail if /usr is not available (bnc#429899)

-------------------------------------------------------------------
Tue Sep  2 11:22:53 CEST 2008 - lnussel@suse.de

- fix "recent" match (bnc#421806)

-------------------------------------------------------------------
Mon Aug 25 01:44:41 CEST 2008 - ro@suse.de

- remove outdated start variables from fillup_and_insserv call 

-------------------------------------------------------------------
Thu Jul 31 19:21:51 CEST 2008 - werner@suse.de

- Make boot script know about new upcoming startpar and insserv

-------------------------------------------------------------------
Tue Jul 22 10:48:18 CEST 2008 - lnussel@suse.de

- add NOTRACK/raw table support (fate#978788)

-------------------------------------------------------------------
Mon Jul 14 09:32:40 CEST 2008 - lnussel@suse.de

- use correct rules to accept RELATED icmpv6 packets (bnc#396667)

-------------------------------------------------------------------
Mon Jun 30 17:27:30 CEST 2008 - lnussel@suse.de

- allow empty protocol in FW_SERVICES_ACCEPT_RELATED,
  FW_SERVICES_REJECT, FW_SERVICES_DROP, FW_SERVICES_ACCEPT (bnc#376758)

-------------------------------------------------------------------
Tue Apr 22 11:10:10 CEST 2008 - lnussel@suse.de

- accept icmp RELATED packets (bnc#382004)

-------------------------------------------------------------------
Thu Apr 17 14:55:17 CEST 2008 - lnussel@suse.de

- sysconfig file documentation improvements

-------------------------------------------------------------------
Fri Apr  4 10:06:20 CEST 2008 - lnussel@suse.de

- remove X-UnitedLinux tags from init scripts
- update links in docu
- auto detect bridge interfaces and permit traffic

-------------------------------------------------------------------
Fri Mar 28 14:39:59 CET 2008 - lnussel@suse.de

- fix typo in comment (bnc#350651)
- don't check for /proc/net/stat/nf_conntrack when checking for ipv6 support
- allow to ignore certain broadcasts even if broadcasts in general
  are allowed which is the expected behavior
- change handling of RELATED packages and make that configurable
  (fate#300970)

-------------------------------------------------------------------
Wed Nov 28 12:13:31 CET 2007 - lnussel@suse.de

- don't reject port 113 by default anymore (#344337)

-------------------------------------------------------------------
Tue Aug  7 14:56:41 CEST 2007 - lnussel@suse.de

- use hwdesc2iface to convert old eth-id-* and eth-bus-* interface
  specifications to actual interface names.

-------------------------------------------------------------------
Mon Aug  6 16:22:44 CEST 2007 - lnussel@suse.de

- don't try to load ip6tables modules if ipv6 is disabled (#297621)

-------------------------------------------------------------------
Fri Jul  6 15:27:53 CEST 2007 - lnussel@suse.de

- New configuration options: FW_NOMASQ_NETS, FW_FORWARD_REJECT,
  FW_FORWARD_DROP

-------------------------------------------------------------------
Thu Jun 21 09:18:42 CEST 2007 - lnussel@suse.de

- manually move SuSEfirewall2_init from boot.d to runlevel directory
  (#285872)

-------------------------------------------------------------------
Mon Jun 18 17:05:55 CEST 2007 - lnussel@suse.de

- start SuSEfirewall2_init as normal init script rather than during
  boot.d 

-------------------------------------------------------------------
Wed Jun 13 16:45:51 CEST 2007 - lnussel@suse.de

- move removing the boot lock file from init script to
  /sbin/SuSEfirewall2
- add separate bootlock and bootunlock actions
- use if-up script instead of NetworkManager specific script

-------------------------------------------------------------------
Fri Mar 23 14:01:14 CET 2007 - lnussel@suse.de

- enhance FW_ALLOW_CLASS_ROUTING to allow routing in specific zones only
- prevent unintended inter-class routing when masquerading is enabled on
  multiple interfaces in the same zone
- disable extra rules for established/related icmp packets as those
  are useless
- accept icmpv6 in the OUTPUT chain to avoid excessive errors in log
- add IPv6 support for FW_ALLOW_CLASS_ROUTING and FW_FORWARD

-------------------------------------------------------------------
Thu Mar  8 11:45:44 CET 2007 - lnussel@suse.de

- remove checks for binaries that are not required anymore anyways
- fix package dependencies

-------------------------------------------------------------------
Thu Mar  1 16:50:12 CET 2007 - lnussel@suse.de

- use /etc/sysconfig/SuSEfirewall2.d/services (#247352)

-------------------------------------------------------------------
Thu Feb 22 13:14:02 CET 2007 - sbrabec@suse.cz

- Removed directory ownership of /usr/share/SuSEfirewall2*
  (#247435).

-------------------------------------------------------------------
Tue Feb 13 09:58:55 CET 2007 - lnussel@suse.de

- fix FW_DEV_* not working (#244917)

-------------------------------------------------------------------
Mon Feb 12 12:16:42 CET 2007 - lnussel@suse.de

- use /sys/class/net instead of /proc/sys/net/ipv[46]/conf/ to
  determine whether an interface exists. Side effect: interfaces
  without ip also get filtering rules
- read FW_ZONE variable from ifcfg files for interfaces that are not
  listed in FW_DEV_*
- always use default zone for interfaces that are neither listed in
  FW_DEV_* nor have FW_ZONE set
- FW_DEV_*="any" sets default zone
- FW_MASQ_DEV="$FW_DEV_EXT" does not work with ifcfg method of
  specifying a zone. Use FW_MASQ_DEV="zone:ext" instead.
- remove old interface autodetection code
- add a name tag to meta info of service template
- fix some typos found by Eric Auer
- set version to 3.6

-------------------------------------------------------------------
Wed Nov 15 13:55:23 CET 2006 - lnussel@suse.de

- only log errors in the output chain if logging is actually enabled
  (#219108)

-------------------------------------------------------------------
Wed Sep 20 14:50:34 CEST 2006 - lnussel@suse.de

- honor zone specific FW_REJECT_* variables and reject instead of
  dropping packets from the internal zone by default (#147263)
- fix wrong default value in sysconfig metadata for
  FW_SERVICES_ACCEPT_EXT

-------------------------------------------------------------------
Sun Aug 13 16:27:42 CEST 2006 - ro@suse.de

- remove update-messages 

-------------------------------------------------------------------
Wed Jul 19 16:42:37 CEST 2006 - lnussel@suse.de

- add support for ipt_recent (#104602)

-------------------------------------------------------------------
Mon Jul 17 11:08:54 CEST 2006 - lnussel@suse.de

- add support for service configuration files in
  /usr/share/SuSEfirewall2/services via FW_CONFIGURATIONS_* (fate
  #300687)
- support alternative logging targets (#180078)
- start version 3.5

-------------------------------------------------------------------
Tue Jun  6 09:16:53 CEST 2006 - lnussel@suse.de

- install rule for interface 'any' last in order to make it work
  with additional zones like DMZ (#181308)

-------------------------------------------------------------------
Mon May 22 13:39:38 CEST 2006 - lnussel@suse.de

- fix FW_FORWARD not working with ipsec flag (#170530)

-------------------------------------------------------------------
Thu Mar 30 11:13:22 CEST 2006 - lnussel@suse.de

- don't change igmp_max_memberships, correct docu for
  FW_KERNEL_SECURITY (#162086)

-------------------------------------------------------------------
Tue Mar 28 16:19:52 CEST 2006 - lnussel@suse.de

- introduce FW_FORWARD_ALWAYS_INOUT_DEV for use with XEN (#154133)

-------------------------------------------------------------------
Mon Mar  6 16:32:34 CET 2006 - lnussel@suse.de

- log and drop multicast packets separately in order to prevent
  flooding other log targets (#155326)

-------------------------------------------------------------------
Thu Mar  2 14:51:26 CET 2006 - lnussel@suse.de

- don't try to use v6 state matching if /proc/net/stat/nf_conntrack
  doesn't exist as it won't work without (#151776)
- reject v6 packets by default to avoid timeouts (#145758)

-------------------------------------------------------------------
Mon Feb 20 14:23:57 CET 2006 - lnussel@suse.de

- allow FW_FORWARD_MASQ without FW_MASQ_NETS (#151795)

-------------------------------------------------------------------
Fri Feb  3 15:03:56 CET 2006 - lnussel@suse.de

- add dispatcher script for NetworkManager (#147671)

-------------------------------------------------------------------
Wed Feb  1 15:52:05 CET 2006 - lnussel@suse.de

- also check for xt_state to finally get IPv6 state matching again
  (#145758)

-------------------------------------------------------------------
Wed Jan 25 21:45:39 CET 2006 - mls@suse.de

- converted neededforbuild to BuildRequires

-------------------------------------------------------------------
Tue Jan 10 13:46:59 CET 2006 - lnussel@suse.de

- don't change setting for ECN and TCP syncookies as those are
  already configurable via /etc/sysconfig/sysctl

-------------------------------------------------------------------
Tue Jan  3 11:12:03 CET 2006 - lnussel@suse.de

- fix initscript status reporting (#124869)

-------------------------------------------------------------------
Mon Aug  1 16:35:03 CEST 2005 - lnussel@suse.de

- fall back to normal iptables if iptables-batch fails
- always add ip6tables drop rule in case REJECT doesn't work for some
  reason  

-------------------------------------------------------------------
Mon Aug  1 10:19:21 CEST 2005 - lnussel@suse.de

- don't load ftp conntrack modules by default

-------------------------------------------------------------------
Wed Jul 20 15:48:43 CEST 2005 - lnussel@suse.de

- discard errors from rpcinfo as some people don't have it running
  all the time
- don't print warning if ipv6 support is disabled
- mark FW_ALLOW_INCOMING_HIGHPORTS_* as deprecated
- permit empty port in FW_TRUSTED_NETS
- fix FW_ALLOW_INCOMING_HIGHPORTS_UDP

-------------------------------------------------------------------
Mon May  9 15:00:25 CEST 2005 - lnussel@suse.de

- fix check for iptables-batch

-------------------------------------------------------------------
Fri Apr 22 11:17:28 CEST 2005 - lnussel@suse.de

- use iptables-batch by default if available
- use full path to getopt and logger (#76703)
- fix FW_ALLOW_CLASS_ROUTING (#75319)
- start version 3.4

-------------------------------------------------------------------
Wed Mar 16 14:02:57 CET 2005 - lnussel@suse.de

- include all sysctl in FW_KERNEL_SECURITY (#61429)
- allow basic IPv6 tcp and icmp despite missing conntrack (#72865)

-------------------------------------------------------------------
Mon Mar 14 14:51:23 CET 2005 - lnussel@suse.de

- fix rejecting of IPv6 packets if state matching is not available (#72414) 
- fix "any" interface (#72428)
- fix docu stylesheet to make programlistings have a grey background again

-------------------------------------------------------------------
Fri Mar 11 17:19:01 CET 2005 - lnussel@suse.de

- install desktop file to integrate docu in susehelp

-------------------------------------------------------------------
Tue Mar  1 16:59:50 CET 2005 - lnussel@suse.de

- support forwarding of decrypted IPsec packets independent of
  FW_IPSEC_TRUST (#66664)

-------------------------------------------------------------------
Mon Feb 21 11:39:58 CET 2005 - lnussel@suse.de

- reorder rule creation to keep window where packets are dropped small
- fix missing space at some log messages

-------------------------------------------------------------------
Fri Feb 18 14:20:06 CET 2005 - lnussel@suse.de

- add port to FW_FORWARD reply packet match rule

-------------------------------------------------------------------
Thu Feb 17 17:01:36 CET 2005 - lnussel@suse.de

- cleanup and enhance docu

-------------------------------------------------------------------
Thu Feb  3 16:53:20 CET 2005 - lnussel@suse.de

- disable workaround for #46818
- use proof-read text for broadcast update message

-------------------------------------------------------------------
Tue Feb  1 13:12:32 CET 2005 - lnussel@suse.de

- parse zones before interface evaluation
- convert broadcast variables to new syntax
- add update message for broadcast variable conversion
- remove more obsolete variables from config file

-------------------------------------------------------------------
Fri Jan 28 18:18:04 CET 2005 - lnussel@suse.de

- fix init script requires tag (#50231)

-------------------------------------------------------------------
Wed Jan 26 14:04:42 CET 2005 - lnussel@suse.de

- add note about inconsistent iptables behavior (#49739)
- allow protocols without port in FW_DROP*
- make warnings about deprecated variables more specific
- allow to define additional zones through FW_ZONES
- remove FW_ALLOW_FW_TRACEROUTE from config file

-------------------------------------------------------------------
Tue Jan 11 17:39:40 CET 2005 - lnussel@suse.de

- implement FW_SERVICES_ACCEPT_*
- allow source port in FW_SERVICES_{REJECT,DROP}
- recognise special protocol _rpc_ in FW_SERVICES_{ACCEPT,REJECT,DROP}_*
- do not load ipv6 modules if FW_IPv6=no (#47545)
- add -q (quiet) option, used during boot
- don't warn if FW_MASQ_NETS is set to default 0/0
- create boot lock file in SuSEfirewall2_init to prevent useless
  firewall starts in rcnetwork (#49068)
- use only SuSEfirewall2_init and ..._setup during boot
- run SuSEfirewall2_init before entering runlevel already

-------------------------------------------------------------------
Wed Dec  8 17:15:01 CET 2004 - lnussel@suse.de

- move qdisc settings into separate file
- do not call "ip" anymore as ip addresses are not used anyway
- drop tos settings
- reduce log messages for dropped icmp packets

-------------------------------------------------------------------
Tue Dec  7 15:44:48 CET 2004 - lnussel@suse.de

- do not rely on int, ext, dmz anymore
- PROTECT_FROM_INTERNAL -> PROTECT_FROM_$zone
- fix replies to forwarded packets (#48793)
- split broadcast stuff into separate zone specific variables
- only create rules for zones that are actually needed => less
  rules, less forks, more speed.
- remove traces of personal-firewall

-------------------------------------------------------------------
Thu Dec  2 18:16:49 CET 2004 - lnussel@suse.de

- remove icmp output rules
- first steps toward configurable zones
- match redirected packets with fwmark so the port does not need to
  be opened (Carl-Daniel)
- drop auto protect and anti spoof stuff

-------------------------------------------------------------------
Wed Dec  1 17:04:56 CET 2004 - lnussel@suse.de

- more cleanup
- add temporary workaround for #46818
- set version to 3.3

-------------------------------------------------------------------
Tue Sep 28 23:05:51 CEST 2004 - schwab@suse.de

- Fix typo in last change.

-------------------------------------------------------------------
Tue Sep 28 18:20:10 CEST 2004 - lnussel@suse.de

- finally allow ESTABLISHED,RELATED tcp and udp always to fix
  problems with DHCP (#46237) 

-------------------------------------------------------------------
Mon Sep 27 15:38:33 CEST 2004 - lnussel@suse.de

- some typo fixes from Volker Kuhlmann
- add feature FW_DEV_EXT=any to prevent common pitfall of packets on
  unconfigured interfaces being dropped (#46164, #46168)

-------------------------------------------------------------------
Wed Sep 22 11:39:36 CEST 2004 - lnussel@suse.de

- fix opening of ports in zones other than external (#45776)

-------------------------------------------------------------------
Mon Sep 20 12:17:31 CEST 2004 - lnussel@suse.de

- better detection if state matching is supported
- really don't use REJECT if ip6tables has no reject target
- fix debug mode
- fix output log message

-------------------------------------------------------------------
Tue Sep 14 15:23:04 CEST 2004 - lnussel@suse.de

- do not set ip_conntrack_max (#44846)

-------------------------------------------------------------------
Tue Sep 14 12:48:52 CEST 2004 - lnussel@suse.de

- add 'open' parameter to have SuSEfirewall open the specified services

-------------------------------------------------------------------
Fri Sep  3 16:18:00 CEST 2004 - lnussel@suse.de

- do not run ip6tables if network in FW_SERVICES_{REJECT,DROP}_*
  looks like an IPv4 address and vice versa.
- add "on" and "off" commandline parameters to quickly add and
  remove the initscripts together with starting and stopping the
  firewall.

-------------------------------------------------------------------
Mon Aug 30 17:02:27 CEST 2004 - lnussel@suse.de

- set FW_MASQ_DEV to zero if personal-firewall is enabled without
  masquerading (#44076)

-------------------------------------------------------------------
Mon Aug 30 16:06:31 CEST 2004 - lnussel@suse.de

- support individual services in FW_ALLOW_FW_BROADCAST (#44393)
- always also open portmapper port if any rpc services are to be opened
- fix $AWK not set in quickmode

-------------------------------------------------------------------
Thu Aug 26 12:07:26 CEST 2004 - lnussel@suse.de

- allow related connections even in 'close' mode to allow DNS replies during
  boot (#44202, #44268)
- add net parameter to FW_SERVICES_DROP_* and FW_SERVICES_REJECT_*
- set default log limit to 3/minute
- remove accidentally slipped in default drop of ssh
- fix typo: "will used" -> "will be used"

-------------------------------------------------------------------
Mon Aug 23 12:25:07 CEST 2004 - lnussel@suse.de

- initial stateful IPv6 support 
- rephrase more comments in sysconfig file
- use new update message mechanism (#44041)
- new parameter 'log' to display firewall related log messages
- don't install perl helper scripts with executable bits set to not
  depend on perl

-------------------------------------------------------------------
Thu Aug 12 14:34:11 CEST 2004 - lnussel@suse.de

- use perl helper script to determine ports of RPC services.
  Services that did not open their port as root are ignored.

-------------------------------------------------------------------
Fri Aug  6 15:55:22 CEST 2004 - lnussel@suse.de

- major cleanup
- use ipsec policy match to match ipsec packets
- use pkttype to match broadcast packets
- new variables: FW_LOG_LIMIT, FW_SERVICES_DROP_EXT, FW_SERVICES_REJECT_EXT
- obsolete: FW_SERVICE_DHCLIENT, FW_SERVICE_DHCPD, FW_SERVICE_SAMBA
- switch autoprotect and protect from internal off by default

-------------------------------------------------------------------
Wed May 26 12:17:26 CEST 2004 - lnussel@suse.de

- drop special support for named and squid, the stateful rules should suffice
- fix icmp usage in FW_MASQ_NETS (patch by Carl-Daniel Hailfinger)
- don't send mail about changed FW_LOG if FW_LOG was empty
- remove comment about kernel 2.4 (#40127)
- consider kernel 2.7 as supported

-------------------------------------------------------------------
Wed May  5 13:04:51 CEST 2004 - lnussel@suse.de

- make masquerading work when external interface is set to "auto" (#39914)

-------------------------------------------------------------------
Wed Mar 31 12:18:19 CEST 2004 - lnussel@suse.de

- use getcfg-interface to support config names in FW_DEV_EXT, FW_DEV_INT, FW_DEV_DMZ,
  FW_MASQ_DEV and FW_HTB_TUNE_DEV (#37643).

-------------------------------------------------------------------
Tue Mar 16 12:19:32 CET 2004 - lnussel@suse.de

- replace FW_LOG in sysconfig file with default value and send a notify mail to
  root (#36066)
- getconfig-interface was renamed to getcfg-interface, so call that one in
  SuSEfirewall2-autointerface.sh (#36067)

-------------------------------------------------------------------
Thu Feb 26 16:16:42 CET 2004 - lnussel@suse.de

- determine dynamic portnumbers for RPC services to be able to run e.g. an nfs
  server in a firewalled zone (SuSEfirewall2-3.1-rpcserver.diff, #32033)

-------------------------------------------------------------------
Mon Feb 16 18:21:59 CET 2004 - lnussel@suse.de

- allow IPsec packets to be trusted (SuSEfirewall2-ipsec.diff)

-------------------------------------------------------------------
Mon Feb 16 14:35:43 CET 2004 - lnussel@suse.de

- allow to change IPv6 policy independent of IPv4
  (SuSEfirewall2-3.1-close-ipv6.diff).
- change handling of broadcasts. Allow them on internal interfaces
  per default (SuSEfirewall2-noantispoof.diff).
- rely on rp_filter instead of generating anti-spoofing rules
  (SuSEfirewall2-noantispoof.diff).
- optional automatic detection of external and internal interface
  (SuSEfirewall2-auto.diff).
- use stateful filtering to allow related incoming tcp and udp
  packets on any port (SuSEfirewall2-highports.diff).
- update SuSEfirewall2-3.1-newlog.diff: don't add logging options in
  sysconfig file but instead use default if empty.

-------------------------------------------------------------------
Fri Feb  6 17:45:31 CET 2004 - lnussel@suse.de

- clean up spec file
- get rid of compatibility stuff for <= 8.0
- build as user
- merge some patches
- install files with less paranoid permissions

-------------------------------------------------------------------
Mon Jan 12 15:31:15 CET 2004 - ug@suse.de

- static quantum added in the HTB patch to avoid a
  warning about a too small quantum calculated automatically
- deleting qdisc before creating new one to avoid
  warning on second start with no stop in-between

-------------------------------------------------------------------
Fri Oct 24 17:22:33 CEST 2003 - garloff@suse.de

- Use logging prefixes with more information.

-------------------------------------------------------------------
Fri Oct 24 16:49:35 CEST 2003 - garloff@suse.de

- Don't use REJECT target for IPv6.

-------------------------------------------------------------------
Fri Oct 24 15:22:00 CEST 2003 - garloff@suse.de

- #32032: When closing down IPv6, we do a bit too much. As local
  host resolves to ::1, we should allow traffic on lo to not break
  mozilla.
- #30789: Disable warning about not running named. named does only
  need port 53 in many configs and then the warning is bogus.

-------------------------------------------------------------------
Sat Sep 20 22:48:14 CEST 2003 - garloff@suse.de

- #27661: Close down IPv6 traffic as we can not yet filter it.
- Patch to detect conflicts in antispoofing rules between ipsec 
  interfaces in internal networks and external interfaces.
- Fix one bug with logging logic.
- Start SuSEfirewall2_setup after named. (#30789)
 
-------------------------------------------------------------------
Sat Sep 20 22:23:31 CEST 2003 - garloff@suse.de

- #27316: Fix determination of external interface in Personal-
  Firewall Mode.

-------------------------------------------------------------------
Tue Sep  2 01:03:23 CEST 2003 - mmj@suse.de

- Add sysconfig metadata [#28808]

-------------------------------------------------------------------
Thu Jul 31 16:34:07 CEST 2003 - kukuk@suse.de

- serial was renamed to setserial [Bug #28353]

-------------------------------------------------------------------
Mon Mar 24 16:31:52 CET 2003 - garloff@suse.de

- Dec 30 change was too restrictive. Instead fix log messages.
  [bug #25453]

-------------------------------------------------------------------
Tue Mar 11 16:03:19 CET 2003 - garloff@suse.de

- Fix for optional rate limiting (HTB) feature: In full mode, the
  qdisc_settings need to be redone after the last TOS settings.
  Contributed by Uwe Gansert.

-------------------------------------------------------------------
Mon Mar 10 15:37:04 CET 2003 - garloff@suse.de

- Return 6 if no interface is specified. [bug #24438]

-------------------------------------------------------------------
Fri Feb 21 18:40:51 CET 2003 - garloff@suse.de

- Put metadata also in personal-firewall sysconfig.

-------------------------------------------------------------------
Fri Feb 21 18:04:38 CET 2003 - garloff@suse.de

- Change sysconfig metadata path to Network/Firewall/SuSEfirewall2
  [bug #23878]
- Integrate optional support for limiting the rate of outgoing
  packets. Contributed by Uwe Gansert.

-------------------------------------------------------------------
Thu Feb  6 10:50:29 CET 2003 - garloff@suse.de

- Add Obsoletes & Provides: SuSEfirewall [#19561]

-------------------------------------------------------------------
Thu Jan 23 17:47:36 CET 2003 - garloff@suse.de

- Add sysconfig metainfo. [#22586]

-------------------------------------------------------------------
Tue Jan 21 21:25:36 CET 2003 - garloff@suse.de

- Path in comment in sysconfig file to custom rules was wrong.
  [bug #21651]
- Sort SuSEfirewall2_final to the end.

-------------------------------------------------------------------
Mon Dec 30 17:34:04 CET 2002 - garloff@suse.de

- Fix reversed logic in evaluation on ALLOW_INCOMING_HIGHPORTS_TCP.
  Thanks to Gernot Hillier for analyzing and reporting.

-------------------------------------------------------------------
Wed Oct 30 18:03:44 MET 2002 - garloff@suse.de

- Fix masquerading in quick mode/pfw compat mode.
- custom_before_port_handling back to old name (for compatibility),
  new custom_after_antospoofing() function instead.

-------------------------------------------------------------------
Mon Oct 21 18:26:34 CEST 2002 - draht@suse.de

- SuSEfirewall2-3.1.personal-firewall-compat.diff changed to remove
  error in testing for interfaces in REJECT_ALL_INCOMING_CONNECTIONS

-------------------------------------------------------------------
Tue Oct 15 12:52:00 MEST 2002 - garloff@suse.de

- When using FW_SERVICES_QUICK, the log messages could log packets
  which in the end are not dropped.
- Try to handle exotic protocols (Appletalk), #20414.
- Move custom_before_port_handling before we split the rulechains
  into input_XXX and forward_XXX and introduce
  custom_after_port_handling at old position.

-------------------------------------------------------------------
Sun Oct  6 01:05:18 MEST 2002 - garloff@suse.de

- Consolidate patches:
  * Integrate fixes for FW_SERVICES_QUICK in it
  * Integrate fixes for service_noext in it
  * DEV_IP parsing is obsolete because of fix-parse-bcast
- Restrict DHCP by specifying interface in INPUT chain rather than
  putting rules in input_XXX chains: Broadcasts did not get there.
- Fix spec file for SL 8.0.

-------------------------------------------------------------------
Thu Oct  3 11:51:35 MEST 2002 - garloff@suse.de

- Create input/forward rulechains before inserting special services
  on them. Mea maxima culpa.
  Fixes bug #20093.
- Shorten too long log prefix.

-------------------------------------------------------------------
Thu Oct  3 11:19:00 MEST 2002 - garloff@suse.de

- Explicitly require #!/bin/bash.

-------------------------------------------------------------------
Wed Oct  2 19:03:30 MEST 2002 - garloff@suse.de

- Fix iptables usage error for FW_SERVICE_QUICK_XXX.

-------------------------------------------------------------------
Wed Oct  2 16:40:02 MEST 2002 - garloff@suse.de

- Fix more parsing issues: Use read instead of awk (much faster)
  and handle interfaces without broadcast address. [Bug #20414]

-------------------------------------------------------------------
Wed Oct  2 11:34:32 MEST 2002 - garloff@suse.de

- Fix split of address/netmasks for masqueraded nets. [Bug #20093]

-------------------------------------------------------------------
Sun Sep 15 17:39:51 CEST 2002 - draht@suse.de

- added missing -j option to iptables. Fix in
  SuSEfirewall2-3.1.correct-reject.diff

-------------------------------------------------------------------
Wed Sep 11 01:57:54 CEST 2002 - draht@suse.de

- bug in interface address parsing from ifconfig output (#19384)

-------------------------------------------------------------------
Sun Sep  8 14:21:47 CEST 2002 - kukuk@suse.de

- Add "Provides: personal-firewall" [Bug #19097]

-------------------------------------------------------------------
Thu Sep  5 14:06:11 MEST 2002 - garloff@suse.de

- Fix syntax error in pers-fw part.

-------------------------------------------------------------------
Thu Sep  5 13:53:34 MEST 2002 - garloff@suse.de

- Merge personal-firewall compatibility fixes from draht.

-------------------------------------------------------------------
Thu Sep  5 13:40:57 MEST 2002 - garloff@suse.de

- Allow DHClient in all networks even for "yes".

-------------------------------------------------------------------
Thu Sep  5 12:30:51 MEST 2002 - garloff@suse.de

- Fix bug #18336:
  * The switches FW_SERVICE_DNS, FW_SERVICE_DHCLIENT,
    FW_SERVICE_DHCPD, FW_SERVICE_SQUID and FW_SERVICE_SAMBA, as well
    as the magical FW_SERVICE_AUTODETECT have four possible values now.
  * no: not open (unchanged)
  * yes: open to internal networks (formerly: to all)
  * dmz: open to internal and DMZ networks (new)
  * ext: open to everywhere (new, corresponds to old yes)

-------------------------------------------------------------------
Thu Sep  5 11:26:37 MEST 2002 - garloff@suse.de

- Fix rcSuSEfirewall2 status report (it probes for reject_func
  rulechain now).
- Add optional FW_SERVICES_QUICK_ to make QUICK mode useful for
  many more people. Defaults to empty of course.

-------------------------------------------------------------------
Thu Sep  5 01:25:48 MEST 2002 - garloff@suse.de

- Unify spec file for older version of SL using %if %suse_version.

-------------------------------------------------------------------
Thu Sep  5 00:20:07 MEST 2002 - garloff@suse.de

- Added Obsoletes: personal-firewall (#18691)
- Update to 3.1:
  * Contains some of the previously applied fixes
  * Speedup by avoiding forks
  * Bugfix for accepting related and established connections
  * FW_FORWARD_MASQ bug: Demasquerading was too global and was
    overriding other rules for the same port.

-------------------------------------------------------------------
Mon Aug 19 02:26:45 MEST 2002 - garloff@suse.de

- Add filesystem PreReq: (#17776)

-------------------------------------------------------------------
Wed Aug 14 13:13:14 MEST 2002 - garloff@suse.de

- Reenable no-rmmod patch: Current kernels still can hang on rmmod
  of ipt modules.
- Remove some Should-Start comments from SuSEfirewall2_init, so it
  can be started earlier.

-------------------------------------------------------------------
Mon Aug 12 17:06:29 MEST 2002 - garloff@suse.de

- Don't refuse to run on 2.5 or 2.6 kernels.

-------------------------------------------------------------------
Mon Aug 12 03:16:57 MEST 2002 - garloff@suse.de

- Update to SuSEfirewall2-3.0:
  * FW_QUICKMODE, only needing FW_DEV_EXT and FW_MASQ_DEV
    to be configured, replacing SuSE's personal-firewall.
  * FW_REJECT option: Instead of dropping packets, we reject them.
  * FW_FORWARD fix for icmp types
  * Target IP address for FW_FORWARD_MASQ
  * Skip _final run if not needed (only needed if autoprotecting
    features are present)
  * Docu fixes  
- Revert FW_STOP_KEEP_ROUTING_STATE="yes" default (2002-07-12)
  due to security concerns.

-------------------------------------------------------------------
Sun Aug 11 18:27:38 MEST 2002 - garloff@suse.de

- Don't add /var/log/firewall to syslog file automatically any more
  as it might cause problems at installation time. (#17421)

-------------------------------------------------------------------
Sat Aug  3 19:05:37 CEST 2002 - kukuk@suse.de

- Add PreRequires.

-------------------------------------------------------------------
Fri Jul 12 02:03:10 MEST 2002 - garloff@suse.de

- Set FW_STOP_KEEP_ROUTING_STATE="yes" by default. (bug #11785)

-------------------------------------------------------------------
Thu Jul 11 11:39:53 MEST 2002 - garloff@suse.de

- Make SQUID_PORT and DNS_PORT greps on lsof output handle the
  situation when named/squid are bound to an IP address (#16350)

-------------------------------------------------------------------
Thu Jul 11 10:34:46 MEST 2002 - garloff@suse.de

- Adapt to new init info comments (X-UnitedLinux-Should-Start)
- Provide Short-Description
- Remove Dep-Only flag (bug #15650)

-------------------------------------------------------------------
Fri Mar  8 15:06:21 MET 2002 - garloff@suse.de

- Some people don't like colons. (bug #14700)
  Remove them from initscripts. Compensation here ::::::

-------------------------------------------------------------------
Thu Mar  7 16:36:25 MET 2002 - draht@suse.de,lnussel@suse.de

- cosmetic fixes in fillup template
  (SuSEfirewall2-2.1.cosmetics-in-fillup.diff)
  functionality enhancements to cooperate with the y2 frontend,
  reflected in the changed 
  SuSEfirewall2-2.1.syntax-for-y2-config.diff

-------------------------------------------------------------------
Mon Mar  4 18:05:36 MET 2002 - draht@suse.de

- fixes for SuSEfirewall2 to cooperate with the y2 frontend.
  SuSEfirewall2-2.1.syntax-for-y2-config.diff

-------------------------------------------------------------------
Fri Mar  1 11:49:42 CET 2002 - pthomas@suse.de

- Fix notification mail.

-------------------------------------------------------------------
Fri Jan 18 18:19:05 MET 2002 - garloff@suse.de

- UNALLOWED -> UNAUTHORIZED (bug #12859)

-------------------------------------------------------------------
Mon Jan 14 12:22:05 MET 2002 - garloff@suse.de

- Use LC_ALL to unset language specific support.
- Remove /etc/sysconfig/SuSEfirewall2 from %file list.

-------------------------------------------------------------------
Fri Jan 11 18:47:57 MET 2002 - garloff@suse.de

- Moved SuSEfirewall2 config files away from network to 
  /etc/sysconfig resp. /etc/sysconfig/scripts/
- More docu fixes
- Init script fixes for new sysconfig (incl. dep. info)

-------------------------------------------------------------------
Fri Jan 11 04:37:32 MET 2002 - garloff@suse.de

- Update to new runlevel and configuration scheme:
  * config files are /etc/sysconfig/network/SuSEfirewall2 and
    /etc/sysconfig/network/scripts/SuSEfirewall2-custom now
  * Startup behaviour is controlled by the existence of rc?.d
    symlinks.
  * Old config files should be saved and moved
  
-------------------------------------------------------------------
Fri Jan 11 02:28:12 MET 2002 - garloff@suse.de

- Update to SuSEfirewall-2.1:
  * Improved logging
  * FW_*_ALLOW_HIGH_PORT: related connections always allowed now,
    therefore INCOMING_HIGHPORTS_TCP="no" by default now.
  * '!' support for FW_REDIRECT

-------------------------------------------------------------------
Wed Nov 28 00:29:57 MET 2001 - garloff@suse.de

- Update to SuSEfirewall2-2.0:
  * Typo which created probs for ADSL users fixed.
- Update to SuSEfirewall2-1.8:
  * Private network detection for FW_MASQ_NETS fixed
  * Better log output

-------------------------------------------------------------------
Thu Sep 20 13:59:04 MEST 2001 - draht@suse.de

- rmmod of ip_tables modules can cause rmmod (and the system
  startup) to hang. Removing modules is racy and should not be
  required. rmmod of legacy ipfwadm and ipchains modules is
  untouched.

-------------------------------------------------------------------
Wed Sep 19 17:13:09 MEST 2001 - draht@suse.de

- Added restart2 section into rc scripts to work around open
  packet filter rules during yast2-triggered rules reload.

-------------------------------------------------------------------
Tue Sep  4 10:11:01 MEST 2001 - garloff@suse.de

- Disabled automatic ip-up updating for the release of SuSE Linux
  7.3 (not needed, so avoid any risks).

-------------------------------------------------------------------
Tue Sep  4 09:01:11 MEST 2001 - garloff@suse.de

- Update to SuSEfirewall2-1.7:
  * Fixed a bug in FW_FORWARD_MASQ when target ports were ranges.
  * Fixed some bugs in the documentation.
  * When stopping SuSEfirewall2, all modules are now removed.
- bzip2 sources.

-------------------------------------------------------------------
Fri Aug  3 16:37:12 MEST 2001 - garloff@suse.de

- Update to SuSEfirewall-1.6:
  * Error checking for FW_MASQ_NETS.
  * Added an additional EXAMPLE with an ipsec setup and a FAQ 
    section.

-------------------------------------------------------------------
Thu Jul 26 21:17:19 MEST 2001 - garloff@suse.de

- Update to SuSEfirewall2-1.5:
  * Already include most patches applied to 1.3
  * Fix firewall2.rc.config syntax to be YaST(2) compliant
  * Fix bug WRT timeout for first DNS lookup that triggered
    autodialing
  * SQUID udp ports support
  * Fix problem with error logging
- Provide automatic update for /etc/ppp/ip-up for SuSE Linux 7.2
  users and warn others.

-------------------------------------------------------------------
Tue Jul 17 11:48:28 MEST 2001 - garloff@suse.de

- rcSuSEfirewall2 symlink points to _setup now, as that one's 
  capable of doing a start and a stop.
- Use rc.status functions

-------------------------------------------------------------------
Tue Jul 17 09:06:44 MEST 2001 - garloff@suse.de

- Use ispell to fix docus. Strip CR from LICENCE.

-------------------------------------------------------------------
Tue Jul 17 08:14:11 MEST 2001 - garloff@suse.de

- Initial creation of package SuSEfirewall2:
  * checkin version 1.3
  * create package description and specfile
- Some changes to the startup scripts:
  * LSB conformant comments
