Hello community,

here is the log from the commit of package SuSEfirewall2 for openSUSE:Factory
checked in at Wed Sep 7 18:00:47 CEST 2011.



--------
--- SuSEfirewall2/SuSEfirewall2.changes 2011-02-01 14:17:18.000000000 +0100
+++ /mounts/work_src_done/STABLE/SuSEfirewall2/SuSEfirewall2.changes    
2011-09-07 13:41:09.000000000 +0200
@@ -1,0 +2,16 @@
+Wed Sep  7 11:38:14 UTC 2011 - lnus...@suse.de
+
+- sanitize FW_ZONE_DEFAULT (bnc#716013)
+- add warning about iptables-batch to SuSEfirewall2-custom
+- fix warning about /proc/net/ip_tables_names not readable
+- don't install input rules for interfaces in default zone
+- Add hook fw_custom_after_finished
+- update FAQ (bnc#694464)
+- clean up overrides when stopping the firewall (bnc#630961)
+- change default FW_LOG_ACCEPT_CRIT to "no"
+- allow redir without port specification
+- make FW_SERVICES_{REJECT,DROP}_* take precedende before ACCEPT (bnc#671997)
+- fix zonein and zoneout parameters
+- fix reverse direction of forwarding rules (bnc#679192)
+
+-------------------------------------------------------------------

calling whatdependson for head-i586


Old:
----
  SuSEfirewall2-3.6.261.tar.bz2

New:
----
  SuSEfirewall2-3.6.277.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ SuSEfirewall2.spec ++++++
--- /var/tmp/diff_new_pack.NTJJNy/_old  2011-09-07 18:00:31.000000000 +0200
+++ /var/tmp/diff_new_pack.NTJJNy/_new  2011-09-07 18:00:31.000000000 +0200
@@ -20,7 +20,7 @@
 
 
 Name:           SuSEfirewall2
-Version:        3.6.261
+Version:        3.6.277
 Release:        1
 License:        GPLv2+
 Group:          Productivity/Networking/Security

++++++ SuSEfirewall2-3.6.261.tar.bz2 -> SuSEfirewall2-3.6.277.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/SuSEfirewall2-3.6.261/SuSEfirewall2 
new/SuSEfirewall2-3.6.277/SuSEfirewall2
--- old/SuSEfirewall2-3.6.261/SuSEfirewall2     2011-02-01 14:16:22.000000000 
+0100
+++ new/SuSEfirewall2-3.6.277/SuSEfirewall2     2011-09-06 11:33:05.000000000 
+0200
@@ -443,7 +443,7 @@
 
     if [ "$FW_LOG_ACCEPT_ALL" != yes ]; then
        LAA=":"
-       if [ "$FW_LOG_ACCEPT_CRIT" = no ]; then
+       if [ "$FW_LOG_ACCEPT_CRIT" != yes ]; then
            LAC=":"
            LAAC=":"
        fi
@@ -546,7 +546,13 @@
     $IPTABLES -P OUTPUT $policy_output
     $IPTABLES -P FORWARD $policy_forward
     # yes we need cat for /proc
-    for i in `sort < /proc/net/ip_tables_names`; do
+    local names
+    if [ -r /proc/net/ip_tables_names ]; then
+       names=`sort < /proc/net/ip_tables_names`
+    else
+       names="filter nat raw"
+    fi
+    for i in $names; do
        $IPTABLES -t $i -F
        $IPTABLES -t $i -X
     done
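Review bot: The fallback list `names="filter nat raw"` on the `else` branch leaves out the mangle table, yet this same diff installs rules with `-t mangle` in the FW_REDIRECT hunk; when /proc/net/ip_tables_names is unreadable, stale mangle rules would survive a reset. The new `local names` also presumes the code runs inside a function, which the hunk does not show. The IPv6 hunk directly below (`@@ -554,7 +560,12 @@`) has the same gap. Consider `names="filter nat mangle raw"` in both places.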
@@ -554,7 +560,12 @@
        $IP6TABLES -P INPUT $policy_input
        $IP6TABLES -P OUTPUT $policy_output
        $IP6TABLES -P FORWARD $policy_forward
-       for i in `sort /proc/net/ip6_tables_names`; do
+       if [ -r /proc/net/ip6_tables_names ]; then
+           names=`sort < /proc/net/ip6_tables_names`
+       else
+           names="filter nat raw"
+       fi
+       for i in $names; do
            $IP6TABLES -t $i -F
            $IP6TABLES -t $i -X
        done
@@ -840,6 +851,7 @@
 fw_custom_before_port_handling() { true; }
 fw_custom_before_masq() { true; }
 fw_custom_before_denyall() { true; }
+fw_custom_after_finished() { true; }
 
 evaluateinterfaces()
 {
@@ -950,8 +962,8 @@
                error "invalid zone '$z' specified for interface '$d'"
            fi
        elif [ -n "$FW_ZONE_DEFAULT" -a "$FW_ZONE_DEFAULT" != 'no' ]; then
-           message "using default zone '$FW_ZONE_DEFAULT' for interface $d"
-           z="$FW_ZONE_DEFAULT"
+           z=${FW_ZONE_DEFAULT//[^A-Za-z0-9]/_}
+           message "using default zone '$z' for interface $d"
            eval FW_DEV_$z="\"\$FW_DEV_$z \$d\""
            #" fix vim syntax
            eval iface_$d=$z
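Review bot: The sanitized value lives only in `$z` while `$FW_ZONE_DEFAULT` keeps the raw string, and the hunk at `@@ -1406,6 +1418,10 @@` compares that raw value against `$zone`; whenever sanitizing changed anything, the two sites disagree and the "default rule will catch it" skip does not fire for the sanitized zone. Assigning the sanitized form back once, `FW_ZONE_DEFAULT=${FW_ZONE_DEFAULT//[^A-Za-z0-9]/_}` followed by `z=$FW_ZONE_DEFAULT`, keeps every consumer consistent. Note also that the explicit-zone branch above rejects an unknown zone with `error`, whereas the default-zone branch only rewrites characters, so a misspelled FW_ZONE_DEFAULT presumably still reaches the `eval` and creates a `FW_DEV_` variable for a zone nothing else knows about. The enclosing function starts and ends outside the hunk.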
@@ -1204,7 +1216,7 @@
     for iptables in "$IPTABLES" "$IP6TABLES"; do
        $iptables -N $chain
        for dev in $devs; do
-           $iptables -A $chain -j $target -i $dev
+           $iptables -A $chain -j $target -${dir:0:1} $dev
        done
     done
     eval ${chain}_created=1
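Review bot: `-${dir:0:1}` derives the iptables direction flag from the first letter of `$dir`, which only works while callers pass exactly "in" or "out" (the forwarding hunk below calls this with `"out"`); any other value produces a malformed option with no diagnostic. A one-line comment makes the coupling visible, e.g. `# $dir is "in" or "out": its first letter selects -i / -o`. The enclosing function, presumably create_cond_chain, begins outside the hunk.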
@@ -1406,6 +1418,10 @@
                # already have rules for that
                continue
            fi
+           if [ -n "$FW_ZONE_DEFAULT" -a "$FW_ZONE_DEFAULT" = "$zone" ]; then
+               # default rule will catch it
+               continue
+           fi
            eval devs="\$FW_DEV_$zone"
            for dev in $devs; do
                $iptables -A INPUT -j input_$zone -i $dev
@@ -1871,15 +1887,21 @@
        
        if [ -n "$6" ]; then
            error "Too many arguments in FW_REDIRECT -> $nets"
-       elif [ -z "$net1" -o -z "$net2" -o -z "$proto" -o -z "$port1" -o -z 
"$port2" ]; then
+       elif [ -z "$net1" -o -z "$net2" -o -z "$proto" ]; then
            error "Missing parameter in FW_REDIRECT -> $nets"
        elif [ "$proto" != tcp -a "$proto" != udp ]; then
            error "FW_REDIRECT supports only tcp and udp -> $nets"
        else
+           if [ -n "$port1" ]; then
+               port1="--dport $port1"
+           fi
+           if [ -n "$port2" ]; then
+               port2="--to-ports $port2"
+           fi
            net1=${net1/\!/\! }
            net2=${net2/\!/\! }
-           $IPTABLES -A PREROUTING -t mangle -j MARK  -p $proto -s $net1 -d 
$net2 --dport $port1 --set-mark $mark_redir
-           $IPTABLES -A PREROUTING -t nat -j REDIRECT -p $proto -s $net1 -d 
$net2 --dport $port1 --to-ports $port2
+           $IPTABLES -A PREROUTING -t mangle -j MARK  -p $proto -s $net1 -d 
$net2 $port1 --set-mark $mark_redir
+           $IPTABLES -A PREROUTING -t nat -j REDIRECT -p $proto -s $net1 -d 
$net2 $port1 $port2
            redirectinstalled=1
        fi
     done
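Review bot: `port1` and `port2` are overwritten in the new `if` blocks with option strings (`--dport …`, `--to-ports …`), so after `port1="--dport $port1"` the names no longer mean what the `error "Missing parameter …"` branch and the variable names suggest. Separate names keep both readable: `dport_opt=${port1:+--dport $port1}` and `toports_opt=${port2:+--to-ports $port2}` replace the two `if` blocks, and the two PREROUTING rules then use `$dport_opt` and `$toports_opt`. The enclosing loop and function start outside the hunk.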
@@ -1987,7 +2009,7 @@
            fi
            for zone in $forward_zones; do
                chain=forward_$zone
-               set -- $iptables -A $chain -s $net1 -d $net2 $proto 
$more_args_in
+               set -- $iptables -A $chain $proto $more_args_in
                if [ -z "$zonein" -o "$zonein" = "$zone" ]; then
                    if [ -n "$zoneout" ]; then
                        create_cond_chain "$target" "out" "$zoneout"
@@ -1995,18 +2017,18 @@
                    else
                        jt="$target"
                    fi
-                   $LAC "$@" ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " 
$port -m conntrack --ctstate NEW $more_args_in
-                   $LAA "$@" ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " 
$port $more_args_in
-                   "$@" -j "$jt" -m conntrack --ctstate 
NEW,ESTABLISHED,RELATED $port
+                   $LAC "$@" -s $net1 -d $net2 ${LOG}"-`rulelog 
$chain`-${target:0:3}-FORW " $port -m conntrack --ctstate NEW $more_args_in
+                   $LAA "$@" -s $net1 -d $net2 ${LOG}"-`rulelog 
$chain`-${target:0:3}-FORW " $port $more_args_in
+                   "$@" -s $net1 -d $net2 -j "$jt" -m conntrack --ctstate 
NEW,ESTABLISHED,RELATED $port
                fi
                if [ -z "$zoneout" -o "$zoneout" = "$zone" ]; then
                    if [ -n "$zonein" ]; then
-                       create_cond_chain "$target" "in" "$zonein"
-                       jt=${target}_if_in_$zonein
+                       create_cond_chain "$target" "out" "$zonein"
+                       jt=${target}_if_out_$zonein
                    else
                        jt="$target"
                    fi
-                   "$@" -j "$jt" -m conntrack --ctstate ESTABLISHED,RELATED 
$rport
+                   "$@" -s $net2 -d $net1 -j "$jt" -m conntrack --ctstate 
ESTABLISHED,RELATED $rport
                fi
                if [ -n "$more_args_out" ]; then
                    if [ -z "$zonein" -o "$zonein" = "$zone" ]; then
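Review bot: `$more_args_in` reaches the two log rules twice: once through `set -- $iptables -A $chain $proto $more_args_in` in the preceding hunk, which is what `"$@"` expands to here, and again at the end of the `$LAC` and `$LAA` lines. Unless more_args_in is known to be empty or safe to repeat (iptables generally rejects a match option given twice), dropping the trailing `$more_args_in` from both log lines is the safer form. The duplication predates this commit, but the lines are rewritten here anyway. The enclosing function starts and ends outside the hunk.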
@@ -2094,6 +2116,8 @@
 }
 
 # <source network>,<ip to forward to>,<protocol>,<port>[,redirect 
port,[destination ip]]
+# XXX: really stupid syntax. That one would be more obvious:
+# <source network>,<destination>,<protocol>,<port>,<ip to forward 
to>,<redirect port>
 forward_masquerading_rules()
 {
     local nets net1 net2 proto port1 port2 lip
@@ -2262,6 +2286,7 @@
     reset_rules
     clear_qdisc_settings
     handle_initscripts
+    rm -rf "$STATUSDIR"/{override,status}
     [ -n "$USE_IPTABLES_BATCH" ] && commit_iptables_batch
     die 0 "Firewall rules unloaded."
 fi
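Review bot: `rm -rf "$STATUSDIR"/{override,status}` runs with whatever `$STATUSDIR` holds at this point; if the variable is empty or unset, the brace expansion turns it into `rm -rf /override /status` at the filesystem root. The usual guard is `rm -rf -- "${STATUSDIR:?}"/{override,status}`, which aborts with a message instead. Where STATUSDIR is assigned is not visible in this hunk.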
@@ -2367,6 +2392,12 @@
 
 process_trusted_nets
 
+if [ "$FW_LEGACY_ACCEPT_FIRST" != 'yes' ]; then
+    reject_or_drop_services DROP
+
+    reject_or_drop_services REJECT
+fi
+
 allow_related
 
 allow_ip_services
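Review bot: `FW_LEGACY_ACCEPT_FIRST` flips the precedence of the DROP/REJECT lists over ACCEPT rules, but nothing in the hunk says so, and the sysconfig hunks on this page add no `## Type: yesno` entry for it either. A short comment before the `if`, such as `# since 3.6.277 DROP/REJECT take precedence over ACCEPT (bnc#671997); FW_LEGACY_ACCEPT_FIRST=yes restores the old order`, documents it where a reader meets it; the mirrored `if` in the next hunk (`@@ -2379,9 +2410,11 @@`) can refer back to this comment.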
@@ -2379,9 +2410,11 @@
 
 accept_services
 
-reject_or_drop_services DROP
+if [ "$FW_LEGACY_ACCEPT_FIRST" = 'yes' ]; then
+    reject_or_drop_services DROP
 
-reject_or_drop_services REJECT
+    reject_or_drop_services REJECT
+fi
 
 warn_highports
 
@@ -2425,6 +2458,9 @@
 
 handle_initscripts
 
+# HOOK
+fw_custom_after_finished
+
 # END #
 die 0 "Firewall rules successfully set"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/SuSEfirewall2-3.6.261/SuSEfirewall2-custom.sysconfig 
new/SuSEfirewall2-3.6.277/SuSEfirewall2-custom.sysconfig
--- old/SuSEfirewall2-3.6.261/SuSEfirewall2-custom.sysconfig    2011-02-01 
14:16:22.000000000 +0100
+++ new/SuSEfirewall2-3.6.277/SuSEfirewall2-custom.sysconfig    2011-09-06 
11:33:05.000000000 +0200
@@ -7,12 +7,18 @@
 # ------------------------------------------------------------------------
 #
 # This is file is for SuSEfirewall2 and is an example for using
-# the hooks which are supplied to load customized ipchains rules.
+# the hooks which are supplied to load customized iptables rules.
 #
 # THERE IS NO HELP FOR USING HOOKS EXCEPT THIS FILE ! SO READ CAREFULLY !
 # IT IS USEFUL TO CROSS-READ /sbin/SuSEfirewall2 TO SEE HOW HOOKS WORK !
 #
 # ------------------------------------------------------------------------
+#
+# Note: always use iptables resp ip6tables without path. You are not actually
+# calling the binary here. SuSEfirewall2 internally defines an alias to
+# collect all rules and apply them in batch later. Set
+# FW_USE_IPTABLES_BATCH="no" if you need the rules to be applied
+# immediately.
 
 fw_custom_after_chain_creation() {
     # these rules will be loaded after the various input_* and forward_* chains
@@ -70,3 +76,9 @@
 
     true
 }
+
+fw_custom_after_finished() {
+    # these are the rules to be loaded after the firewall is fully configured
+
+    true
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/SuSEfirewall2-3.6.261/SuSEfirewall2.sysconfig 
new/SuSEfirewall2-3.6.277/SuSEfirewall2.sysconfig
--- old/SuSEfirewall2-3.6.261/SuSEfirewall2.sysconfig   2011-02-01 
14:16:22.000000000 +0100
+++ new/SuSEfirewall2-3.6.277/SuSEfirewall2.sysconfig   2011-09-06 
11:33:05.000000000 +0200
@@ -118,8 +118,10 @@
 # machines or allow access to the dmz (or internal machines, but
 # this is not a good idea).
 # 
-# This option overrides IP_FORWARD from
-# /etc/sysconfig/network/options
+# This option overrides IP_FORWARD from /etc/sysconfig/sysctl and
+# net.ipv4.ip_forward settings in /etc/sysctl.conf
+# Note: IPv4 only. The IPv6 forwarding sysctl has to be turned on
+# manually.
 #
 # Setting this option one alone doesn't do anything. Either activate
 # masquerading with FW_MASQUERADE below if you want to masquerade
@@ -157,11 +159,13 @@
 # The special string "zone:" concatenated with the name of a zone
 # means to take all interfaces in the specified zone.
 #
-# Old version of SuSEfirewall2 used a shell variable ($FW_DEV_EXT)
-# here. That method is deprecated as it breaks auto detection of
-# interfaces. Please use zone:ext instead.
+# Note: Old version of SuSEfirewall2 used a shell variable
+# ($FW_DEV_EXT) here. That method is deprecated as it breaks auto
+# detection of interfaces. Please use zone:ext instead.
 #
-# Examples: "ippp0", "zone:ext"
+# Examples: "ippp0", "zone:dmz"
+#
+# defaults to "zone:ext" if not set
 #
 FW_MASQ_DEV=""
 
@@ -368,7 +372,7 @@
 
 ## Type: string
 #
-# Packets to silently drop without log message
+# Packets to drop.
 #
 # Format: space separated list of net,protocol[,port][,sport]
 # Example: "0/0,tcp,445 0/0,udp,4662"
@@ -377,6 +381,9 @@
 # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
 # details.
 #
+# Note: In older SuSEfirewall2 version this setting took place after
+# FW_SERVICES_ACCEPT_*, not it takes precedence.
+#
 FW_SERVICES_DROP_EXT=""
 
 ## Type: string
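Review bot: The new note reads `not it takes precedence` where `now it takes precedence` is meant, so the sentence states the opposite of the intended fact; the same text appears in the FW_SERVICES_REJECT_EXT hunk (`@@ -403,6 +410,9 @@`). The rewritten FW_FORWARD_MASQ note (`@@ -591,8 +601,8 @@`) still carries `du to`, which should read `due to`.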
@@ -392,9 +399,9 @@
 ## Type: string
 ## Default:
 #
-# Packets to silently reject without log message. Common usage is
-# TCP port 113 which if dropped would cause long timeouts when
-# sending mail or connecting to IRC servers.
+# Packets to reject. Common usage is TCP port 113 which if dropped
+# would cause long timeouts when sending mail or connecting to IRC
+# servers.
 #
 # Format: space separated list of net,protocol[,dport][,sport]
 # Example: "0/0,tcp,113"
@@ -403,6 +410,9 @@
 # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
 # details.
 #
+# Note: In older SuSEfirewall2 version this setting took place after
+# FW_SERVICES_ACCEPT_*, not it takes precedence.
+#
 FW_SERVICES_REJECT_EXT=""
 
 ## Type: string
@@ -591,8 +601,8 @@
 #             address 202.202.202.202 on port 80 will be forwarded
 #             to the internal server 10.0.0.10 on port 81
 #
-# Note: du to inconsitent iptables behaviour only port numbers are possible but
-# no service names 
(https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=273)
+# Note: du to inconsistent iptables behaviour only port numbers are possible
+# but no service names (http://bugzilla.netfilter.org/show_bug.cgi?id=273)
 #
 FW_FORWARD_MASQ=""
 
@@ -650,7 +660,7 @@
 #
 # Set to "no" for on systems with high traffic
 #
-# defaults to "yes" if not set
+# defaults to "no" if not set
 #
 FW_LOG_ACCEPT_CRIT=""
 
@@ -712,10 +722,14 @@
 
 ## Type:       yesno
 #
-# Keep the routing set on, if the firewall rules are unloaded?
-# REQUIRES: FW_ROUTE
+# Whether ip routing should be disabled when the firewall is shut
+# down.
+# 
+# Note: IPv4 only, IPv6 sysctls are left untouched
 #
-# Choices "yes" or "no", if not set defaults to "no"
+# Requires: FW_ROUTE
+#
+# defaults to "no" if not set
 #
 FW_STOP_KEEP_ROUTING_STATE=""
 
@@ -1128,7 +1142,7 @@
 #
 # Specifies whether /etc/init.d/SuSEfirewall2_init should install the
 # full rule set already. Default is to just install minimum rules
-# that block incoming traffic. Set to "yes" if you user services
+# that block incoming traffic. Set to "yes" if you use services
 # such as drbd that require open ports during boot already. 
 #
 # Defaults to "no" if not set
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/SuSEfirewall2-3.6.261/doc/EXAMPLES.SuSEfirewall2.html 
new/SuSEfirewall2-3.6.277/doc/EXAMPLES.SuSEfirewall2.html
--- old/SuSEfirewall2-3.6.261/doc/EXAMPLES.SuSEfirewall2.html   2011-02-01 
14:16:22.000000000 +0100
+++ new/SuSEfirewall2-3.6.277/doc/EXAMPLES.SuSEfirewall2.html   2011-09-06 
11:33:05.000000000 +0200
@@ -1,12 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<html xmlns="http://www.w3.org/1999/xhtml";><head><meta 
http-equiv="Content-Type" content="text/html; charset=UTF-8" 
/><title>SuSEfirewall2 configuration examples</title><link rel="stylesheet" 
href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook 
XSL Stylesheets V1.75.2" /></head><body><div class="article" 
title="SuSEfirewall2 configuration examples"><div 
class="titlepage"><div><div><h2 class="title"><a 
id="id311990"></a>SuSEfirewall2 configuration examples</h2></div></div><hr 
/></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span 
class="section"><a href="#id273963">1. Simple dialup</a></span></dt><dt><span 
class="section"><a href="#id273986">2. Small home 
network</a></span></dt><dt><span class="section"><a href="#id274007">3. Small 
home network with additional WLAN</a></span></dt><dt><span class="section"><a 
href="#id274029">4. Small company with external mail and web 
server</a></span></dt><dt><span class="section"><a href="#id274860">5. Company 
with IPsec tunnel to subsidiary</a></span></dt><dt><span class="section"><a 
href="#id293728">6. Company with web server in DMZ</a></span></dt><dt><span 
class="section"><a href="#id293690">7. Complex 
scenario</a></span></dt><dt><span class="section"><a href="#id274298">8. Laptop 
in private network but with additional public IP 
adresses</a></span></dt></dl></div><div class="important" title="Important" 
style="margin-left: 0.5in; margin-right: 0.5in;"><h3 
class="title">Important</h3><p>
+<html xmlns="http://www.w3.org/1999/xhtml";><head><meta 
http-equiv="Content-Type" content="text/html; charset=UTF-8" 
/><title>SuSEfirewall2 configuration examples</title><link rel="stylesheet" 
href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook 
XSL Stylesheets V1.75.2" /></head><body><div class="article" 
title="SuSEfirewall2 configuration examples"><div 
class="titlepage"><div><div><h2 class="title"><a 
id="id265940"></a>SuSEfirewall2 configuration examples</h2></div></div><hr 
/></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span 
class="section"><a href="#id265976">1. Simple dialup</a></span></dt><dt><span 
class="section"><a href="#id284314">2. Small home 
network</a></span></dt><dt><span class="section"><a href="#id284333">3. Small 
home network with additional WLAN</a></span></dt><dt><span class="section"><a 
href="#id284353">4. Small company with external mail and web 
server</a></span></dt><dt><span class="section"><a href="#id284381">5. Company 
with IPsec tunnel to subsidiary</a></span></dt><dt><span class="section"><a 
href="#id282086">6. Company with web server in DMZ</a></span></dt><dt><span 
class="section"><a href="#id294413">7. Complex 
scenario</a></span></dt><dt><span class="section"><a href="#id266790">8. Laptop 
in private network but with additional public IP 
adresses</a></span></dt></dl></div><div class="important" title="Important" 
style="margin-left: 0.5in; margin-right: 0.5in;"><h3 
class="title">Important</h3><p>
       All options <span class="emphasis"><em>not</em></span> mentioned in a 
scenario should be
       left as they are in the default
       <code class="filename">sysconfig/SuSEfirewall2</code> config file.
       Backup default config:
       <code 
class="filename">/usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.sysconfig</code>
-    </p></div><div class="section" title="1.&#xA0;Simple dialup"><div 
class="titlepage"><div><div><h2 class="title" style="clear: both"><a 
id="id273963"></a>1. Simple dialup</h2></div></div></div><p>
+    </p></div><div class="section" title="1. Simple dialup"><div 
class="titlepage"><div><div><h2 class="title" style="clear: both"><a 
id="id265976"></a>1. Simple dialup</h2></div></div></div><p>
       A user with his nice SUSE Linux PC wants to be protected when connected 
to
       the internet via the ISDN dialup of his ISP. He wants to offer no
       services to the internet. He is not connected to any other network, nor
@@ -15,7 +15,7 @@
       </p><div class="informalexample"><pre class="programlisting">
 FW_DEV_EXT="ippp0"</pre></div><p>
 
-    </p></div><div class="section" title="2.&#xA0;Small home network"><div 
class="titlepage"><div><div><h2 class="title" style="clear: both"><a 
id="id273986"></a>2. Small home network</h2></div></div></div><p>
+    </p></div><div class="section" title="2. Small home network"><div 
class="titlepage"><div><div><h2 class="title" style="clear: both"><a 
id="id284314"></a>2. Small home network</h2></div></div></div><p>
       A family owns multiple PCs, a SUSE Linux PC is connected to the internet
       via DSL. The family's LAN uses private IPs therefore masquerading has to
       be used. The Firewall provides no services whatsoever. The address of the
@@ -27,7 +27,7 @@
 FW_MASQUERADE="yes"
 FW_MASQ_NETS="192.168.10.0/24"</pre></div><p>
 
-    </p></div><div class="section" title="3.&#xA0;Small home network with 
additional WLAN"><div class="titlepage"><div><div><h2 class="title" 
style="clear: both"><a id="id274007"></a>3. Small home network with additional 
WLAN</h2></div></div></div><p>
+    </p></div><div class="section" title="3. Small home network with 
additional WLAN"><div class="titlepage"><div><div><h2 class="title" 
style="clear: both"><a id="id284333"></a>3. Small home network with additional 
WLAN</h2></div></div></div><p>
       Same network as above but additionally the Firewall is also connected to
       a wireless network. Hosts in the wireless network should get internet
       access but are not allowed to communicate with the internal network. The
@@ -41,7 +41,7 @@
 FW_MASQUERADE="yes"
 FW_MASQ_NETS="192.168.10.0/24 192.168.20.0/24"</pre></div><p>
 
-    </p></div><div class="section" title="4.&#xA0;Small company with external 
mail and web server"><div class="titlepage"><div><div><h2 class="title" 
style="clear: both"><a id="id274029"></a>4. Small company with external mail 
and web server</h2></div></div></div><p>
+    </p></div><div class="section" title="4. Small company with external mail 
and web server"><div class="titlepage"><div><div><h2 class="title" 
style="clear: both"><a id="id284353"></a>4. Small company with external mail 
and web server</h2></div></div></div><p>
       A company uses it's SUSE Linux PC to access the internet via an ISDN
       dialup of it's ISP. It has got a static IP address and a web server
       running on the PC plus it's mail-/pop3-server for the company. Squid is
@@ -56,7 +56,7 @@
 FW_SERVICES_INT_UDP="domain"
 FW_PROTECT_FROM_INT="yes"</pre></div><p>
 
-    </p></div><div class="section" title="5.&#xA0;Company with IPsec tunnel to 
subsidiary"><div class="titlepage"><div><div><h2 class="title" style="clear: 
both"><a id="id274860"></a>5. Company with IPsec tunnel to 
subsidiary</h2></div></div></div><p>
+    </p></div><div class="section" title="5. Company with IPsec tunnel to 
subsidiary"><div class="titlepage"><div><div><h2 class="title" style="clear: 
both"><a id="id284381"></a>5. Company with IPsec tunnel to 
subsidiary</h2></div></div></div><p>
       A small company wants access to the internet for it's client PCs.
       Additionally the subsidiariaries client PCs should get access to the
       local network through an IPsec tunnel. Internet traffic should be
@@ -83,7 +83,7 @@
          flow.
        </p></div><p>
 
-    </p></div><div class="section" title="6.&#xA0;Company with web server in 
DMZ"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a 
id="id293728"></a>6. Company with web server in DMZ</h2></div></div></div><p>
+    </p></div><div class="section" title="6. Company with web server in 
DMZ"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a 
id="id282086"></a>6. Company with web server in DMZ</h2></div></div></div><p>
 
     This company has got a more complex setup:
 
@@ -149,7 +149,7 @@
        target port of 53 (DNS) or 25 (Mail) to the local servers on the
        firewall.
 
-      </p></div><div class="section" title="7.&#xA0;Complex scenario"><div 
class="titlepage"><div><div><h2 class="title" style="clear: both"><a 
id="id293690"></a>7. Complex scenario</h2></div></div></div><p>
+      </p></div><div class="section" title="7. Complex scenario"><div 
class="titlepage"><div><div><h2 class="title" style="clear: both"><a 
id="id294413"></a>7. Complex scenario</h2></div></div></div><p>
 
        </p><pre class="screen">
 Internet
@@ -207,7 +207,7 @@
 # internet access to web server and trusted company access to internal Server
 FW_FORWARD_MASQ="0/0,10.0.10.2,tcp,80 0/0,10.0.10.2,tcp,443 \
 192.168.1.0/24,10.0.2.3,tcp,22"</pre></div><p>
-    </p></div><div class="section" title="8.&#xA0;Laptop in private network 
but with additional public IP adresses"><div class="titlepage"><div><div><h2 
class="title" style="clear: both"><a id="id274298"></a>8. Laptop in private 
network but with additional public IP adresses</h2></div></div></div><p>
+    </p></div><div class="section" title="8. Laptop in private network but 
with additional public IP adresses"><div class="titlepage"><div><div><h2 
class="title" style="clear: both"><a id="id266790"></a>8. Laptop in private 
network but with additional public IP adresses</h2></div></div></div><p>
 
       </p><pre class="screen">
 Internet
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/SuSEfirewall2-3.6.261/doc/FAQ.SuSEfirewall2.html 
new/SuSEfirewall2-3.6.277/doc/FAQ.SuSEfirewall2.html
--- old/SuSEfirewall2-3.6.261/doc/FAQ.SuSEfirewall2.html        2011-02-01 
14:16:22.000000000 +0100
+++ new/SuSEfirewall2-3.6.277/doc/FAQ.SuSEfirewall2.html        2011-09-06 
11:33:05.000000000 +0200
@@ -1,30 +1,31 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<html xmlns="http://www.w3.org/1999/xhtml";><head><meta 
http-equiv="Content-Type" content="text/html; charset=UTF-8" 
/><title>SuSEfirewall2 FAQ</title><link rel="stylesheet" href="susebooks.css" 
type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets 
V1.75.2" /></head><body><div class="article" title="SuSEfirewall2 FAQ"><div 
class="titlepage"><div><div><h2 class="title"><a 
id="id301529"></a>SuSEfirewall2 FAQ</h2></div></div><hr /></div><div 
class="qandaset" title="Frequently Asked Questions"><a 
id="id301543"></a><dl><dt>1. <a href="#id301545">
+<html xmlns="http://www.w3.org/1999/xhtml";><head><meta 
http-equiv="Content-Type" content="text/html; charset=UTF-8" 
/><title>SuSEfirewall2 FAQ</title><link rel="stylesheet" href="susebooks.css" 
type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets 
V1.75.2" /></head><body><div class="article" title="SuSEfirewall2 FAQ"><div 
class="titlepage"><div><div><h2 class="title"><a 
id="id265940"></a>SuSEfirewall2 FAQ</h2></div></div><hr /></div><div 
class="qandaset" title="Frequently Asked Questions"><a 
id="id265953"></a><dl><dt>1. <a href="#id265955">
          Why is communication between two interfaces in the same zone not 
working?
-       </a></dt><dt>2. <a href="#id265830">Some service does not work when the 
firewall is enabled. How do I find out what's wrong?
-       </a></dt><dt>3. <a href="#id297412">
+       </a></dt><dt>2. <a href="#id284299">Some service does not work when the 
firewall is enabled. How do I find out what's wrong?
+       </a></dt><dt>3. <a href="#id284177">
          Some web site that offers port scanning claims my system is not
          protected properly as it still responds to ICMP echo requests (ping)
-       </a></dt><dt>4. <a href="#id304338">
+       </a></dt><dt>4. <a href="#id300911">
          Can't the evil guys detect whether my host is online if it responds
          to ICMP echo requests?
-       </a></dt><dt>5. <a href="#id305185">
+       </a></dt><dt>5. <a href="#id287255">
          SuSEfirewall2 drops most packets but it doesn't fully hide the
          presence of my machine. Isn't that a security hole?
-       </a></dt><dt>6. <a href="#id292467">
+       </a></dt><dt>6. <a href="#id283023">
          The ipsec0 interface I had with kernel 2.4 is
          gone. How do I assign IPsec traffic to a different zone now?
-       </a></dt><dt>7. <a href="#id300867">
+       </a></dt><dt>7. <a href="#id296343">
          Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore?
-       </a></dt><dt>8. <a href="#id283911">
+       </a></dt><dt>8. <a href="#id284377">
          Enabling drbd blocks the boot process. How to get around that?
-       </a></dt><dt>9. <a href="#id265332">
-         My wireless LAN network interface is configured for the
-         external zone. Sometimes I need to connect to trusted
-         networks that offer e.g. printing or file sharing. How can
-         I solve that without opening ports in the external zone?
-       </a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col 
align="left" width="1%" /><col /><tbody><tr class="question" title="1."><td 
align="left" valign="top"><a id="id301545"></a><a 
id="id301547"></a><p><b>1.</b></p></td><td align="left" valign="top"><p>
+       </a></dt><dt>9. <a href="#id265660">
+         I need to connect to differntly trusted networks, e.g. to
+         use printing or file sharing. How can I solve that without
+         opening ports in the external zone?
+       </a></dt><dt>10. <a href="#id265685">
+         I'm executing an external script from within FW_CUSTOMRULES but the 
rules my script installs vanish.
+       </a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col 
align="left" width="1%" /><col /><tbody><tr class="question" title="1."><td 
align="left" valign="top"><a id="id265955"></a><a 
id="id265958"></a><p><b>1.</b></p></td><td align="left" valign="top"><p>
          Why is communication between two interfaces in the same zone not 
working?
        </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td 
align="left" valign="top"><p>
 
@@ -35,7 +36,7 @@
          traffic with <code class="varname">FW_FORWARD</code>. Keep in mind 
that this
          affects all interfaces in all zones.
 
-       </p></td></tr><tr class="question" title="2."><td align="left" 
valign="top"><a id="id265830"></a><a id="id265832"></a><p><b>2.</b></p></td><td 
align="left" valign="top"><p>Some service does not work when the firewall is 
enabled. How do I find out what's wrong?
+       </p></td></tr><tr class="question" title="2."><td align="left" 
valign="top"><a id="id284299"></a><a id="id284301"></a><p><b>2.</b></p></td><td 
align="left" valign="top"><p>Some service does not work when the firewall is 
enabled. How do I find out what's wrong?
        </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td 
align="left" valign="top"><p>
 
          Enable logging of all dropped packets and disable the log limit in
@@ -63,7 +64,7 @@
          If everything works again don't forget to set the log options back to
          normal to not fill up you log files.
 
-       </p></td></tr><tr class="question" title="3."><td align="left" 
valign="top"><a id="id297412"></a><a id="id291503"></a><p><b>3.</b></p></td><td 
align="left" valign="top"><p>
+       </p></td></tr><tr class="question" title="3."><td align="left" 
valign="top"><a id="id284177"></a><a id="id298654"></a><p><b>3.</b></p></td><td 
align="left" valign="top"><p>
          Some web site that offers port scanning claims my system is not
          protected properly as it still responds to ICMP echo requests (ping)
        </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td 
align="left" valign="top"><p>
@@ -72,20 +73,20 @@
          seriously impact the ability to track down network problems. It is
          therefore not considered nice behaviour for an internet citizen to
          drop pings.
-       </p></td></tr><tr class="question" title="4."><td align="left" 
valign="top"><a id="id304338"></a><a id="id292572"></a><p><b>4.</b></p></td><td 
align="left" valign="top"><p>
+       </p></td></tr><tr class="question" title="4."><td align="left" 
valign="top"><a id="id300911"></a><a id="id280233"></a><p><b>4.</b></p></td><td 
align="left" valign="top"><p>
          Can't the evil guys detect whether my host is online if it responds
          to ICMP echo requests?
        </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td 
align="left" valign="top"><p>
          Yes but they can detect that anyways. The router at your provider
          behaves different depending on whether someone is dialed in or not.
-       </p></td></tr><tr class="question" title="5."><td align="left" 
valign="top"><a id="id305185"></a><a id="id302781"></a><p><b>5.</b></p></td><td 
align="left" valign="top"><p>
+       </p></td></tr><tr class="question" title="5."><td align="left" 
valign="top"><a id="id287255"></a><a id="id304035"></a><p><b>5.</b></p></td><td 
align="left" valign="top"><p>
          SuSEfirewall2 drops most packets but it doesn't fully hide the
          presence of my machine. Isn't that a security hole?
        </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td 
align="left" valign="top"><p>
          You machine is never fully invisible, see previous question. The
          purpose of dropping packets is not to hide your machine but to slow
          down port scans.
-       </p></td></tr><tr class="question" title="6."><td align="left" 
valign="top"><a id="id292467"></a><a id="id293084"></a><p><b>6.</b></p></td><td 
align="left" valign="top"><p>
+       </p></td></tr><tr class="question" title="6."><td align="left" 
valign="top"><a id="id283023"></a><a id="id297483"></a><p><b>6.</b></p></td><td 
align="left" valign="top"><p>
          The <code class="literal">ipsec0</code> interface I had with kernel 
2.4 is
          gone. How do I assign IPsec traffic to a different zone now?
        </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td 
align="left" valign="top"><p>
@@ -101,7 +102,7 @@
 FW_SERVICES_EXT_UDP="isakmp"
 FW_PROTECT_FROM_INT="no"</pre></div><p>
 
-       </p></td></tr><tr class="question" title="7."><td align="left" 
valign="top"><a id="id300867"></a><a id="id292485"></a><p><b>7.</b></p></td><td 
align="left" valign="top"><p>
+       </p></td></tr><tr class="question" title="7."><td align="left" 
valign="top"><a id="id296343"></a><a id="id292896"></a><p><b>7.</b></p></td><td 
align="left" valign="top"><p>
          Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore?
        </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td 
align="left" valign="top"><p>
 
@@ -117,7 +118,7 @@
          <code class="literal">iptables-restore</code> natively to be able to
          easily fall back to individual <code class="literal">iptables</code>
          calls in case of error.
-       </p></td></tr><tr class="question" title="8."><td align="left" 
valign="top"><a id="id283911"></a><a id="id283913"></a><p><b>8.</b></p></td><td 
align="left" valign="top"><p>
+       </p></td></tr><tr class="question" title="8."><td align="left" 
valign="top"><a id="id284377"></a><a id="id284379"></a><p><b>8.</b></p></td><td 
align="left" valign="top"><p>
          Enabling drbd blocks the boot process. How to get around that?
        </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td 
align="left" valign="top"><p>
 
@@ -174,11 +175,10 @@
              Configure the open ports for <code class="literal">drbd</code> 
and set
            </p><div class="informalexample"><pre 
class="programlisting">FW_BOOT_FULL_INIT="yes"</pre></div><p>
 
-           </p></li></ul></div></td></tr><tr class="question" title="9."><td 
align="left" valign="top"><a id="id265332"></a><a 
id="id265334"></a><p><b>9.</b></p></td><td align="left" valign="top"><p>
-         My wireless LAN network interface is configured for the
-         external zone. Sometimes I need to connect to trusted
-         networks that offer e.g. printing or file sharing. How can
-         I solve that without opening ports in the external zone?
+           </p></li></ul></div></td></tr><tr class="question" title="9."><td 
align="left" valign="top"><a id="id265660"></a><a 
id="id265662"></a><p><b>9.</b></p></td><td align="left" valign="top"><p>
+         I need to connect to differntly trusted networks, e.g. to
+         use printing or file sharing. How can I solve that without
+         opening ports in the external zone?
        </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td 
align="left" valign="top"><p>
 
          The <a class="ulink" 
href="http://lizards.opensuse.org/2009/08/28/firewall-zone-switcher-updated/"; 
target="_top">Firewall
@@ -186,4 +186,14 @@
          switch zones with only few mouse clicks. It's included in
          openSUSE since version 11.2.
 
+       </p></td></tr><tr class="question" title="10."><td align="left" 
valign="top"><a id="id265685"></a><a 
id="id265687"></a><p><b>10.</b></p></td><td align="left" valign="top"><p>
+         I'm executing an external script from within <code 
class="literal">FW_CUSTOMRULES</code> but the rules my script installs vanish.
+       </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td 
align="left" valign="top"><p>
+
+         When <code class="literal">FW_USE_IPTABLES_BATCH</code> is on (which
+         is the default) the <span 
class="command"><strong>iptables</strong></span> command is
+         an alias that doesn't exist outside the script context of
+         SuSEfirewall2. So either must source your script or set
+         <code class="literal">FW_USE_IPTABLES_BATCH="no"</code>
+
        </p></td></tr></tbody></table></div></div></body></html>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/SuSEfirewall2-3.6.261/doc/FAQ.SuSEfirewall2.txt 
new/SuSEfirewall2-3.6.277/doc/FAQ.SuSEfirewall2.txt
--- old/SuSEfirewall2-3.6.261/doc/FAQ.SuSEfirewall2.txt 2011-02-01 
14:16:22.000000000 +0100
+++ new/SuSEfirewall2-3.6.277/doc/FAQ.SuSEfirewall2.txt 2011-09-06 
11:33:05.000000000 +0200
@@ -15,131 +15,140 @@
     traffic to a different zone now?
 7. Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore?
 8. Enabling drbd blocks the boot process. How to get around that?
-9. My wireless LAN network interface is configured for the external zone.
-    Sometimes I need to connect to trusted networks that offer e.g. printing or
+9. I need to connect to differntly trusted networks, e.g. to use printing or
     file sharing. How can I solve that without opening ports in the external
     zone?
+10. I'm executing an external script from within FW_CUSTOMRULES but the rules
+    my script installs vanish.
 
-1. Why is communication between two interfaces in the same zone not working?
+1.  Why is communication between two interfaces in the same zone not working?
 
-   For security reasons, no network may communicate to another until configured
-   otherwise. Even if both are "trusted" internal networks. You can allow full
-   traffic with FW_ALLOW_CLASS_ROUTING or specifying all allowed traffic with
-   FW_FORWARD. Keep in mind that this affects all interfaces in all zones.
+    For security reasons, no network may communicate to another until
+    configured otherwise. Even if both are "trusted" internal networks. You can
+    allow full traffic with FW_ALLOW_CLASS_ROUTING or specifying all allowed
+    traffic with FW_FORWARD. Keep in mind that this affects all interfaces in
+    all zones.
 
-2. Some service does not work when the firewall is enabled. How do I find out
-   what's wrong?
+2.  Some service does not work when the firewall is enabled. How do I find out
+    what's wrong?
 
-   Enable logging of all dropped packets and disable the log limit in /etc/
-   sysconfig/SuSEfirewall2:
+    Enable logging of all dropped packets and disable the log limit in /etc/
+    sysconfig/SuSEfirewall2:
 
-   FW_LOG_DROP_CRIT="yes"
-   FW_LOG_DROP_ALL="yes"
-   FW_LOG_LIMIT="no"
+    FW_LOG_DROP_CRIT="yes"
+    FW_LOG_DROP_ALL="yes"
+    FW_LOG_LIMIT="no"
 
-   Run SuSEfirewall2 again. /var/log/messages will now quickly fill up with log
-   messages about dropped packets when you try to use the not working service.
-   Those messages tell you the protocol and port you need to open.
+    Run SuSEfirewall2 again. /var/log/messages will now quickly fill up with
+    log messages about dropped packets when you try to use the not working
+    service. Those messages tell you the protocol and port you need to open.
 
-   You may also run SuSEfirewall2 in test mode: SuSEfirewall2 test. Then try to
-   connect to the service in a way which failed before. It will work because
-   SuSEfirewall2 does not actually filter any packets this time. However, it
-   will still log all packets it normally would have dropped.
+    You may also run SuSEfirewall2 in test mode: SuSEfirewall2 test. Then try
+    to connect to the service in a way which failed before. It will work
+    because SuSEfirewall2 does not actually filter any packets this time.
+    However, it will still log all packets it normally would have dropped.
 
-   If everything works again don't forget to set the log options back to normal
-   to not fill up you log files.
+    If everything works again don't forget to set the log options back to
+    normal to not fill up you log files.
 
-3. Some web site that offers port scanning claims my system is not protected
-   properly as it still responds to ICMP echo requests (ping)
+3.  Some web site that offers port scanning claims my system is not protected
+    properly as it still responds to ICMP echo requests (ping)
 
-   ICMP echo requests are harmless however they are a fundametal means to
-   determine whether hosts are still reachable. Blocking them would seriously
-   impact the ability to track down network problems. It is therefore not
-   considered nice behaviour for an internet citizen to drop pings.
+    ICMP echo requests are harmless however they are a fundametal means to
+    determine whether hosts are still reachable. Blocking them would seriously
+    impact the ability to track down network problems. It is therefore not
+    considered nice behaviour for an internet citizen to drop pings.
 
-4. Can't the evil guys detect whether my host is online if it responds to ICMP
-   echo requests?
+4.  Can't the evil guys detect whether my host is online if it responds to ICMP
+    echo requests?
 
-   Yes but they can detect that anyways. The router at your provider behaves
-   different depending on whether someone is dialed in or not.
+    Yes but they can detect that anyways. The router at your provider behaves
+    different depending on whether someone is dialed in or not.
 
-5. SuSEfirewall2 drops most packets but it doesn't fully hide the presence of
-   my machine. Isn't that a security hole?
+5.  SuSEfirewall2 drops most packets but it doesn't fully hide the presence of
+    my machine. Isn't that a security hole?
 
-   You machine is never fully invisible, see previous question. The purpose of
-   dropping packets is not to hide your machine but to slow down port scans.
+    You machine is never fully invisible, see previous question. The purpose of
+    dropping packets is not to hide your machine but to slow down port scans.
 
-6. The ipsec0 interface I had with kernel 2.4 is gone. How do I assign IPsec
-   traffic to a different zone now?
+6.  The ipsec0 interface I had with kernel 2.4 is gone. How do I assign IPsec
+    traffic to a different zone now?
 
-   Set the variable FW_IPSEC_TRUST to the zone you would have put the ipsec0
-   into before. For example if your IPsec tunnel is set up on the external
-   interface but you want to grant the decrypted traffic access to all your
-   services as if it was in the internal zone:
+    Set the variable FW_IPSEC_TRUST to the zone you would have put the ipsec0
+    into before. For example if your IPsec tunnel is set up on the external
+    interface but you want to grant the decrypted traffic access to all your
+    services as if it was in the internal zone:
 
-   FW_IPSEC_TRUST="int"
-   FW_SERVICES_EXT_IP="esp"
-   FW_SERVICES_EXT_UDP="isakmp"
-   FW_PROTECT_FROM_INT="no"
+    FW_IPSEC_TRUST="int"
+    FW_SERVICES_EXT_IP="esp"
+    FW_SERVICES_EXT_UDP="isakmp"
+    FW_PROTECT_FROM_INT="no"
 
-7. Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore?
+7.  Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore?
 
-   SuSEfirewall2 is implemented in bourne shell which is not exactly the
-   fastest thing on earth especially if it has that much work to do as
-   SuSEfirewall2. Administrators still prefer bourne shell scripts because of
-   readability *cough*.
-
-   SuSEfirewall2 already uses a method similar to iptables-restore to apply as
-   much filter rules as possible at once. SuSEfirewall2 doesn't use
-   iptables-restore natively to be able to easily fall back to individual
-   iptables calls in case of error.
+    SuSEfirewall2 is implemented in bourne shell which is not exactly the
+    fastest thing on earth especially if it has that much work to do as
+    SuSEfirewall2. Administrators still prefer bourne shell scripts because of
+    readability *cough*.
 
-8. Enabling drbd blocks the boot process. How to get around that?
+    SuSEfirewall2 already uses a method similar to iptables-restore to apply as
+    much filter rules as possible at once. SuSEfirewall2 doesn't use
+    iptables-restore natively to be able to easily fall back to individual
+    iptables calls in case of error.
+
+8.  Enabling drbd blocks the boot process. How to get around that?
 
-   During boot process all incoming traffic is blocked unconditionally. The
-   very last boot script then sets up the configured firewall rules. The
-   problem is that drbd blocks the boot process while waiting for incoming
-   connection from other nodes. Therefore configuring the drbd port in
-   SuSEfirewall2 has no effect.
+    During boot process all incoming traffic is blocked unconditionally. The
+    very last boot script then sets up the configured firewall rules. The
+    problem is that drbd blocks the boot process while waiting for incoming
+    connection from other nodes. Therefore configuring the drbd port in
+    SuSEfirewall2 has no effect.
 
-     ● SLES10
+      ● SLES10
 
-       Add a manual iptables call to /etc/init.d/boot.local:
+        Add a manual iptables call to /etc/init.d/boot.local:
 
-       iptables -A INPUT -p tcp --dport 7788 -j ACCEPT
+        iptables -A INPUT -p tcp --dport 7788 -j ACCEPT
 
-     ● SLES11, openSUSE <= 11.2
+      ● SLES11, openSUSE <= 11.2
 
-       On SLES11 SuSEfirewall2_init is called after boot.local, therefore the
-       method for SLES10 doesn't work anymore. It's possible to modify the
-       dependencies of the SuSEfirewall2_setup script to run before drbd
-       though:
+        On SLES11 SuSEfirewall2_init is called after boot.local, therefore the
+        method for SLES10 doesn't work anymore. It's possible to modify the
+        dependencies of the SuSEfirewall2_setup script to run before drbd
+        though:
 
-         ○ Create the directory /etc/insserv/overrides
+          ○ Create the directory /etc/insserv/overrides
 
-         ○ Create a new file /etc/insserv/overrides/SuSEfirewall2_setup
+          ○ Create a new file /etc/insserv/overrides/SuSEfirewall2_setup
 
-         ○ Copy the the LSB header (the part between and including the lines "#
-           ## BEGIN INIT INFO" and "### END INIT INFO") from /etc/init.d/
-           SuSEfirewall2_setup to /etc/insserv/overrides/SuSEfirewall2_setup
+          ○ Copy the the LSB header (the part between and including the lines "
+            ### BEGIN INIT INFO" and "### END INIT INFO") from /etc/init.d/
+            SuSEfirewall2_setup to /etc/insserv/overrides/SuSEfirewall2_setup
 
-         ○ Replace $ALL with $null and add the following line:
+          ○ Replace $ALL with $null and add the following line:
 
-           # X-Start-Before: drbd
+            # X-Start-Before: drbd
 
-         ○ run /sbin/insserv
+          ○ run /sbin/insserv
 
-     ● openSUSE >= 11.3
+      ● openSUSE >= 11.3
 
-       Configure the open ports for drbd and set
+        Configure the open ports for drbd and set
+
+        FW_BOOT_FULL_INIT="yes"
+
+9.  I need to connect to differntly trusted networks, e.g. to use printing or
+    file sharing. How can I solve that without opening ports in the external
+    zone?
 
-       FW_BOOT_FULL_INIT="yes"
+    The Firewall Zone Switcher applet allows desktop users to switch zones with
+    only few mouse clicks. It's included in openSUSE since version 11.2.
 
-9. My wireless LAN network interface is configured for the external zone.
-   Sometimes I need to connect to trusted networks that offer e.g. printing or
-   file sharing. How can I solve that without opening ports in the external
-   zone?
+10. I'm executing an external script from within FW_CUSTOMRULES but the rules
+    my script installs vanish.
 
-   The Firewall Zone Switcher applet allows desktop users to switch zones with
-   only few mouse clicks. It's included in openSUSE since version 11.2.
+    When FW_USE_IPTABLES_BATCH is on (which is the default) the iptables
+    command is an alias that doesn't exist outside the script context of
+    SuSEfirewall2. So either must source your script or set
+    FW_USE_IPTABLES_BATCH="no"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/SuSEfirewall2-3.6.261/doc/FAQ.SuSEfirewall2.xml 
new/SuSEfirewall2-3.6.277/doc/FAQ.SuSEfirewall2.xml
--- old/SuSEfirewall2-3.6.261/doc/FAQ.SuSEfirewall2.xml 2011-02-01 
14:16:22.000000000 +0100
+++ new/SuSEfirewall2-3.6.277/doc/FAQ.SuSEfirewall2.xml 2011-09-06 
11:33:05.000000000 +0200
@@ -320,10 +320,9 @@
 
       <question>
        <para>
-         My wireless LAN network interface is configured for the
-         external zone. Sometimes I need to connect to trusted
-         networks that offer e.g. printing or file sharing. How can
-         I solve that without opening ports in the external zone?
+         I need to connect to differntly trusted networks, e.g. to
+         use printing or file sharing. How can I solve that without
+         opening ports in the external zone?
        </para>
       </question>
 
@@ -339,6 +338,30 @@
 
        </para>
 
+      </answer>
+
+    </qandaentry>
+
+    <qandaentry>
+
+      <question>
+       <para>
+         I'm executing an external script from within 
<literal>FW_CUSTOMRULES</literal> but the rules my script installs vanish.
+       </para>
+      </question>
+
+      <answer>
+
+       <para>
+
+         When <literal>FW_USE_IPTABLES_BATCH</literal> is on (which
+         is the default) the <command>iptables</command> command is
+         an alias that doesn't exist outside the script context of
+         SuSEfirewall2. So either must source your script or set
+         <literal>FW_USE_IPTABLES_BATCH="no"</literal>
+
+       </para>
+
       </answer>
 
     </qandaentry>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/SuSEfirewall2-3.6.261/doc/Makefile 
new/SuSEfirewall2-3.6.277/doc/Makefile
--- old/SuSEfirewall2-3.6.261/doc/Makefile      2011-02-01 14:16:22.000000000 
+0100
+++ new/SuSEfirewall2-3.6.277/doc/Makefile      2011-09-06 11:33:05.000000000 
+0200
@@ -14,7 +14,4 @@
 
 links: EXAMPLES.html FAQ.html README.html
 
-sync:
-       rsync -rptLvP susebooks.css {README,FAQ,EXAMPLES}.html 
forgeftp.novell.com:susefirewall2/web
-
-.PHONY: links sync
+.PHONY: links


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...
