Changelog for SuSEfirewall2-3.6.312.333-10.1.noarch.rpm :
Tue Nov 28 13:00:00 2017 matthias.gerstnerAATTsuse.com
- remove duplicate rules created in the context of dynamic rpc rules
(bnc#1069760).
0004-support-trace-messages.patch
0005-remove-duplicate-rules-in-the-rpc-rules.patch
- fixed an issue in the logging logic to show the correct PID and avoid losing
log lines:
0006-logging-correctly-set-the-PID-of-the-logging-process.patch
- Set RPC related rules also for IPv6 (bnc#1074933)
0007-Set-RPC-related-rules-also-for-IPv6-bnc-1074933.patch
- Fixed a regression in setting up the final LOG/DROP/REJECT rules for IPv6 (bnc#1075251)
0008-Fixed-a-regression-in-setting-up-the-final-LOG-DROP.patch

Thu Oct 19 14:00:00 2017 matthias.gerstnerAATTsuse.com
- rpcinfo: fixed security issue with too open implicit portmapper rules
(bnc#1064127, CVE-2017-15638): A source net restriction for _rpc_ services
was not taken into account for the implicitly added rules for port 111,
making the portmap service accessible to everyone in the affected zone.
0003-rpcinfo-improve-implicit-portmapper-rules-logic.patch

Fri Jul 28 14:00:00 2017 matthias.gerstnerAATTsuse.com
- follow-up bugfix for bnc#946325:
Removed bogus nfs alias units, added correct nfs-client target in
SuSEfirewall2.service.
The nfs alias units are false friends, because they don't fix the startup
ordering between nfs and SuSEfirewall2.
The missing nfs-client target could cause nfs mounts for nfs versions < 4.1
to be unable to receive callbacks from the server, when the nfs client was
started before the SuSEfirewall2 was started on boot.
renamed 0002-fix-nfs-server-dependency.patch to
0002-fix-nfs-dependencies.patch to fix both client and server issues

Tue Jul 25 14:00:00 2017 matthias.gerstnerAATTsuse.com
- correct boot order between SuSEfirewall2 and nfs-server to fix
bnc#946325, bsc#963740. Without this fix the NFS server ports might not have
been correctly opened after boot when both SuSEfirewall2 and nfs-server have
been enabled in systemd.
0002-fix-nfs-server-dependency.patch

Mon Jul 17 14:00:00 2017 matthias.gerstnerAATTsuse.com
- improve/fix consideration of sysctl values in the system (bnc#1044523).
SuSEfirewall2 will now also check for existing configuration in sysctl.d
style directories in some default locations. Custom directories can be
configured via the new configuration variable FW_SYSCTL_PATHS. This is a
follow-up to (bnc#906136).
0001-backport-of-sysctl.d-feature-from-master-bnc-1044523.patch

Thu May 4 14:00:00 2017 matthias.gerstnerAATTsuse.com
Merged some lines from the factory spec file, to actually implement:
- Install symlink to SuSEfirewall2 with the updated SUSE spelling
(bsc#938727, FATE#316521)

Tue Apr 25 14:00:00 2017 matthias.gerstnerAATTsuse.com
Update to new version 3.6.312.333 from SLE12-SP3 branch:
- implementation of feature FATE#316295: allow incremental update of rpc rules

Thu Apr 13 14:00:00 2017 matthias.gerstnerAATTsuse.com
Update to new version 3.6.312.330 from SLE12-SP3 branch:
- Install symlink to SuSEfirewall2 with the updated SUSE spelling
(bsc#938727, FATE#316521)
- basic.target and SuSEfirewall2 have a loop, remove it bsc#961258
- ignore the bootlock when incremental updates for hotplugged or virtual
devices are coming in during boot. This prevents lockups for example when
drbd is used with FW_BOOT_FULL_INIT. (bnc#785299)
- support for IPv6 in FW_TRUSTED_NETS config variable. (bnc#841046)
- don't log dropped IPv6 broadcast/multicast packets by default to
avoid cluttering the kernel log. (bnc#847193)
- only apply FW_KERNEL_SECURITY proc settings, if not overridden by the
administrator in /etc/sysctl.conf (bnc#906136). This allows you to benefit
from some of the kernel security settings, while overwriting others.
- fixed a race condition in systemd unit files that could cause the
SuSEfirewall2_init unit to sporadically fail, because /tmp was not
there/writable yet. (bnc#1014987)
- cooperate with libvirtd NAT guest networking (bsc#884398)
- refurbished the documentation in /usr/share/doc. (bnc#884037)
- allow mdns multicast packets input in unconfigured firewall setups (no zones
configured) to make zeroconf setups (like avahi) work out of the box for
typical desktops connecting via DSL/WiFi router scenarios. (bnc#959707)
- increase security when sourcing external script files by checking file
ownership and permissions first (to avoid sourcing untrusted files owned by
non-root or world-writable)
- don't enable FW_LO_NOTRACK by default any more, because it breaks expected
behaviour in some scenarios (bnc#916771)
- fixed 'SuSEfirewall showlog' functionality to be compatible with journalctl

Fri Aug 15 14:00:00 2014 meissnerAATTsuse.com
- hosting moved to github.com/opensuse/susefirewall2
- added a sysvinit -> systemd conversion hack (bnc#891669)

Thu Jul 31 14:00:00 2014 meissnerAATTsuse.com
- SuSEfirewall2, ACCEPT from services is a local variable, otherwise
"ACCEPT" would be used as a service name (bnc#889406 bnc#889555 bnc#887040)

Wed Jun 11 14:00:00 2014 mtAATTsuse.com
- Added ACCEPT to TEMPLATE using FW_SERVICES_ACCEPT

Tue May 27 14:00:00 2014 meissnerAATTsuse.com
- Allow incoming DHCPv6 replies, currently unlimited.
bnc#867819,bnc#868031,bnc#783002,bnc#822959
- typo fix customary -> custom bnc#835677

Fri Dec 27 13:00:00 2013 meissnerAATTsuse.com
- add perl-Net-DNS requires for "SuSEfirewall2 log" (bnc#856705)

Wed Aug 21 14:00:00 2013 lnusselAATTsuse.de
- adjust service files so manual starts work better (bnc#819499)

Mon May 6 14:00:00 2013 cfarrellAATTsuse.com
- license update: GPL-2.0
Various GPL-2.0 (only) licensed files

Fri May 3 14:00:00 2013 meissnerAATTsuse.com
- clarify what the default is in FW_MASQ_NETS (bnc#817233)
- removed the --rttl option in recent matches, as this could also be used by attackers (bnc#800719)

Tue Jan 29 13:00:00 2013 lnusselAATTsuse.de
- do not add dependency information about YaST2 Second Stage (bnc#800365)

Thu Jan 17 13:00:00 2013 lnusselAATTsuse.de
- fix default value docu for FW_PROTECT_FROM_INT (bnc#798834)

Thu Dec 13 13:00:00 2012 lnusselAATTsuse.de
- move to /usr, remove init scripts

Wed Dec 12 13:00:00 2012 lnusselAATTsuse.de
- adjust for starting via systemd service files
- move lock files to /run
- just CT instead of NOTRACK (bnc#793459)

Tue Sep 11 14:00:00 2012 lnusselAATTsuse.de
- getdevinfo is gone as per commit 0c5ac93 (bnc#777271)

Fri Jul 13 14:00:00 2012 lnusselAATTsuse.de
- honor FW_IPv6 setting also in debug mode (bnc#769411)

Tue Jun 19 14:00:00 2012 lnusselAATTsuse.de
- fix logging in test mode

Mon Jun 18 14:00:00 2012 lnusselAATTsuse.de
- allow icmpv6 in FW_SERVICES_*_*

Mon Jun 18 14:00:00 2012 lnusselAATTsuse.de
- allow ICMPv6 Multicast Listener Query (bnc#767392)

Tue May 29 14:00:00 2012 lnusselAATTsuse.de
- fix typo spotted by Frederic

Wed Jan 18 13:00:00 2012 lnusselAATTsuse.de
- assume all interface names are correct (bnc#739084)

Wed Dec 14 13:00:00 2011 lnusselAATTsuse.de
- fix forward masquerading (bnc#736205)
- compat syntax for negated options no longer works (bnc#660156, bnc#731088)
- enhance debug mode

Mon Nov 7 13:00:00 2011 lnusselAATTsuse.de
- use /sbin/rpcinfo as /usr/sbin/rpcinfo is gone (bnc#727438)

Wed Nov 2 13:00:00 2011 lnusselAATTsuse.de
- set SYSTEMD_NO_WRAP for status (bnc#727445)

Fri Oct 14 14:00:00 2011 lnusselAATTsuse.de
- fix manual rcSuSEfirewall2 stop with systemd (bnc#717583)

Tue Oct 4 14:00:00 2011 lnusselAATTsuse.de
- fix typo (bnc#721845)
- atomic zone status writing

Sat Sep 17 14:00:00 2011 jengelhAATTmedozas.de
- Remove redundant tags/sections from specfile

Wed Sep 7 14:00:00 2011 lnusselAATTsuse.de
- sanitize FW_ZONE_DEFAULT (bnc#716013)
- add warning about iptables-batch to SuSEfirewall2-custom
- fix warning about /proc/net/ip_tables_names not readable
- don't install input rules for interfaces in default zone
- Add hook fw_custom_after_finished
- update FAQ (bnc#694464)
- clean up overrides when stopping the firewall (bnc#630961)
- change default FW_LOG_ACCEPT_CRIT to "no"
- allow redir without port specification
- make FW_SERVICES_{REJECT,DROP}_* take precedence before ACCEPT (bnc#671997)
- fix zonein and zoneout parameters
- fix reverse direction of forwarding rules (bnc#679192)

Tue Feb 1 13:00:00 2011 lnusselAATTsuse.de
- introduce rpcusers file to allow statd to run as non-root
(bnc#668553)

Wed Jan 19 13:00:00 2011 lnusselAATTsuse.de
- add zonein and zoneout parameters for FW_FORWARD
- fix typos

Mon Jan 10 13:00:00 2011 lnusselAATTsuse.de
- don't start in runlevel 4 by default (bnc#656520)
- cut off long zone names (bnc#644527)
- fix and enhance output of log command (bnc#663262)

Thu Dec 2 13:00:00 2010 lnusselAATTsuse.de
- don't unload rules when using systemd

Tue Nov 16 13:00:00 2010 lnusselAATTsuse.de
- list some known rpc services as Should-Start
- don't filter outgoing packets at all
- fix an example (bnc#641907)
- fix status check in SuSEfirewall2_init (bnc#628751)

Mon Aug 16 14:00:00 2010 lnusselAATTsuse.de
- don't use fillup anymore as it keeps corrupting the config file
(bnc#340926)

Tue Jun 29 14:00:00 2010 lnusselAATTsuse.de
- remove "batch committing..." message
- read defaults from separate file
- warn if highports config options are set
- finally drop 'highports' misfeature
- remove kernel ipv6 module detection (bnc#617033)
- silence warning about default zone (bnc#616841)
- SuSEfirewall2-open: don't add values multiple times
- Use multiprotocol xt_conntrack

Mon May 31 14:00:00 2010 lnusselAATTsuse.de
- only directories in /sys/class/net are real interfaces (bnc#609810)

Fri Mar 19 13:00:00 2010 lnusselAATTsuse.de
- add entry about drbd to FAQ
- update docu
- implement FW_BOOT_FULL_INIT

Tue Feb 16 13:00:00 2010 lnusselAATTsuse.de
- use new versioning scheme after switch of repo to git
- update and rebuild docu
- remove really old rc.config conversion code from spec file

Tue Sep 15 14:00:00 2009 lnusselAATTsuse.de
- fix spelling error in sysconfig file (bnc#537427)
- polishing of log drop policy (bnc#538053)
  * drop multicast packets silently
  * separate drop rule for broadcast packets at end of chain
  * only consider NEW udp packets as critical
  * don't log INVALID packets as critical

Fri Aug 21 14:00:00 2009 lnusselAATTsuse.de
- implement runtime override of interface zones
- allow disabling NOTRACK rules on lo (bnc#519526)

Fri Jul 17 14:00:00 2009 lnusselAATTsuse.de
- remove chkconfig calls (bnc#522268)

Thu Jul 9 14:00:00 2009 lnusselAATTsuse.de
- add note about use as bridging firewall
- allow to set FW_ZONE_DEFAULT via config file
- deprecate fw_custom_before_antispoofing and
fw_custom_after_antispoofing, use fw_custom_after_chain_creation
instead

Tue Jun 9 14:00:00 2009 lnusselAATTsuse.de
- add note that ulog doesn't work with IPv6 (bnc#442756)
- fix version number in help text
- allow service files to specify kernel modules and allow related packets
- silence an error from bash if a service config file is not available (bnc#487870)
- better wording for BROADCAST in template
- update firewall hook script (patch by Marius)


 