Changelog for
SuSEfirewall2-3.6.378-4.43.noarch.rpm :
* Mon Mar 19 2018 matthias.gerstnerAATTsuse.com- Reverted previous change. The rpm level conflict between the old and new default firewall result in migration issues. Also the original problem cannot be reproduced (bnc#1085260, bnc#1084177).
* Fri Mar 09 2018 matthias.gerstnerAATTsuse.com- Have SuSEfirewall2 conflict firewalld to avoid a messed up netfilter setup (bnc#1084177)
* Tue Jan 16 2018 matthias.gerstnerAATTsuse.com- Fixed a regression in setting up the final LOG/DROP/REJECT rules for IPv6 (bnc#1075251)- Set RPC related rules also for IPv6 (bnc#1074933)
* Tue Nov 28 2017 matthias.gerstnerAATTsuse.com- logging: correctly set the PID of the logging process
* Tue Nov 28 2017 matthias.gerstnerAATTsuse.com- main script: remove duplicate rules in the rpc rules area (bnc#1069760)- main script: support --trace messages
* Thu Nov 23 2017 rbrownAATTsuse.com- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)
* Wed Oct 18 2017 matthias.gerstnerAATTsuse.com- rpcinfo: recognize execution errors of the perl script and terminate accordingly- rpcinfo: fixed security issue with too open implicit portmapper rules (bnc#1064127): A source net restriction for _rpc_ services was not taken into account for the implicitly added rules for port 111, making the portmap service accessible to everyone in the affected zone.
* Fri Jul 28 2017 matthias.gerstnerAATTsuse.com- Removed bogus nfs alias units, added correct nfs-client target in SuSEfirewall2.service (bnc#946325). The nfs alias units are false friends, because they don\'t fix the startup ordering between nfs and SuSEfirewall2. The missing nfs-client target could cause nfs mounts for nfs versions < 4.1 to be unable to receive callbacks from the server, when the nfs client was started before the SuSEfirewall2 was started on boot.
* Wed Jul 12 2017 matthias.gerstnerAATTsuse.com- sysctl settings: make list of sysctl.d directories configurable via FW_SYSCTL_PATHS (bnc#1044523)
* Thu Jul 06 2017 matthias.gerstnerAATTsuse.com- clarified warning message about FW_ROUTE being enabled but ip_forwarding not configured- sysctl.d: avoid error messages if no /etc/sysctl.d/
*.conf files are existing (bnc#1044523)
* Wed Jun 28 2017 matthias.gerstnerAATTsuse.com- Only consider
*.conf files to ignore backup files and similar (bnc#1044523)
* Tue Jun 20 2017 matthias.gerstnerAATTsuse.com- Also check /etc/sysctl.d for custom sysctl overrides (bnc#1044523)- improved documentation of FW_SERVICES_DROP_... to mention \"all\" protocols
* Mon Apr 24 2017 matthias.gerstnerAATTsuse.com- implementation of feature FATE#316295: allow incremental update of rpc rules: By calling \"/usr/sbin/SuSEfirewall2 update-rpc [-s service]\" you can now cause SuSEfirewall to update its rpc related firewall rules to reflect the current portmapper state in the system, without affecting the rest of the firewall rule set. This can for example be put in systemd unit files as ExecStartPost directives, to always keep port mapping rules up to date, for certain rpc services. Note that you still need to configure the rpc rules in /etc/sysconfig/SuSEfirewall2 to make this work. See configuration variables: FW_SERVICES_DROP_{EXT,INT,DMZ} FW_SERVICES_ACCEPT_{EXT,INT,DMZ} FW_SERVICES_{EXT,INT,DMZ}_RPC- conntrack helpers: explicitly load kernel module to make sure conntrack helper rules can be applied and to avoid errors messages if kernel module is not loaded
* Tue Apr 18 2017 matthias.gerstnerAATTsuse.comUpdate to new git release 3.6.351:- ship ftp-client service file for allowing active ftp client connections easily. Also fix use of connection tracker helper on kernel >= 4.7 for ftp. (boo#1034341)
* Mon Mar 20 2017 mgerstnerAATTsuse.deUpdate to new git release 3.6.346:- harmonized the logic of setting IPv4/IPv6 forwarding when FW_ROUTE is set to \"yes\". Previously only IPv4 forwarding was exclusively set by SuSEfirewall2, while IPv6 forwarding could only be set via \"yast2 firewall\". With this update you should always configure IPv4/IPv6 forwarding with yast. SuSEfirewall2 will still provide backwards compatibility to temporarily enable IPv4/IPv6 forwarding if not already enabled system wide. Also forwarding can now be configured separately for IPv4/IPv6 if only one of both is required. See FW_ROUTE documentation. (bnc#572202)- ignore the bootlock when incremental updates for hotplugged or virtual devices are coming in during boot. This prevents lockups for example when drbd is used with FB_BOOT_FULL_INIT. (bnc#785299)- fixed a race condition in systemd unit files that could cause the SuSEfirewall2_init unit to sporadically fail, because /tmp was not there/writable yet. (bnc#1014987)- support new kernels >= 4.7 that run with net.netfilter.nf_conntrack_helper = 0 by default. Currently only netbios/samba is fully covered. (bnc#986527)- allow mdns multicast packets input in unconfigured firewall setups (no zones configured) to make zeroconf setups (like avahi) work out of the box for typical desktops connecting via DSL/WiFi router scenarios. (bnc#959707)- refurbished the documentation in /usr/share/doc. (bnc#884037)- updated GPL license texts with the current address from FSF- support for IPv6 in FW_TRUSTED_NETS config variable. (bnc#841046)- don\'t log dropped broadcast IPv6 broadcast/multicast packets by default to avoid cluttering the kernel log. (bnc#847193)- recognize a running libvirtd instance and cause it to recreate its custom firewall rules on SuSEfirewall2 reload, to not break VM networking. (bnc#884398)- only apply FW_KERNEL_SECURITY proc settings, if not overriden by the administrator in /etc/sysctl.conf (bnc#906136). This allows you to benefit from some of the kernel security settings, while overwriting others.- don\'t enable FW_LO_NOTRACK by default any more, because it breaks expected behaviour in some scenarios (bnc#916771)- increase security when sourcing external script files by checking file ownership and permissions first (to avoid sourcing untrusted files owned by non-root or world-writable)- fixed \"/usr/sbin/SUSEfirewall log\" pretty logfile parsing functionality when running under systemd with journald.
* Tue Mar 07 2017 mgerstnerAATTsuse.de- Install symlink to SuSEfirewall2 with the updated SUSE spelling (bsc#938727, FATE#316521)- Added rpmlintrc file to suppress some bogus warnings during building
* Fri Feb 10 2017 kukukAATTsuse.de- Remove unused PreReq for insserv and fillup
* Wed Feb 10 2016 meissnerAATTsuse.com:- add nfs-server.service too as dependency, remove default.target again as it makes trouble (bsc#963740)- basic.target and SuSEfirewall2 have a loop, remove it bsc#961258
* Tue Feb 09 2016 meissnerAATTsuse.com- change dependencies of SUSEfirewall2_init, so it gets run after systemd version update brought new dependencies somehow (bsc#963969)
* Thu Jan 28 2016 meissnerAATTsuse.com- add default.target, so SuSEfirewall2 final will be started after all other services. This is relevant for rpc services like the NFS rpc process group, where ports are opened dynamically. bsc#963740
* Mon Jan 18 2016 meissnerAATTsuse.com- Merge pull request #5 from hwoarang/firewalld-conflict- SuSEfirewall2{,_init}.service: Conflict with firewalld service
* Fri Jan 15 2016 meissnerAATTsuse.com- basic.service -> basic.target (bsc#961258)
* Wed Jun 24 2015 meissnerAATTsuse.com- reduce amount of setprocinfo set values, adjusted to existence and also current kernel defaults.- missing IPv6 commands to enable broadcast (e.g.: avahi over ipv6) (bsc#935716)
