SuSEfirewall2-3.6.378-1.33 RPM for noarch

From OpenSuSE Leap 15.6 for noarch

Name: SuSEfirewall2
Version: 3.6.378
Release: 1.33
Group: Productivity/Networking/Security
Size: 305778
Distribution: SUSE Linux Enterprise 15
Vendor: SUSE LLC <>
Build date: Fri May 25 20:32:23 2018
Build host: sheep27
Source RPM: SuSEfirewall2-3.6.378-1.33.src.rpm
Summary: Stateful Packet Filter Using iptables and netfilter
SuSEfirewall2 implements a packet filter that protects hosts and
routers by limiting which services or networks are accessible on the
host or via the router.

SuSEfirewall2 uses the iptables/netfilter packet filtering
infrastructure to create a flexible rule set for a stateful firewall.

* Tue Jan 16 2018
  - Fixed a regression in setting up the final LOG/DROP/REJECT rules for IPv6 (bnc#1075251)
  - Set RPC related rules also for IPv6 (bnc#1074933)
* Tue Nov 28 2017
  - logging: correctly set the PID of the logging process
* Tue Nov 28 2017
  - main script: remove duplicate rules in the rpc rules area (bnc#1069760)
  - main script: support --trace messages
* Thu Nov 23 2017
  - Replace references to /var/adm/fillup-templates with new
    %_fillupdir macro (boo#1069468)
* Wed Oct 18 2017
  - rpcinfo: recognize execution errors of the perl script and terminate accordingly
  - rpcinfo: fixed security issue with too open implicit portmapper rules
    (bnc#1064127): A source net restriction for _rpc_ services was not taken
    into account for the implicitly added rules for port 111, making the portmap
    service accessible to everyone in the affected zone.
* Fri Jul 28 2017
  - Removed bogus nfs alias units, added correct nfs-client target in
    SuSEfirewall2.service (bnc#946325).
    The nfs alias units are false friends, because they don't fix the startup
    ordering between nfs and SuSEfirewall2.
    The missing nfs-client target could cause nfs mounts for nfs versions < 4.1
    to be unable to receive callbacks from the server, when the nfs client was
    started before the SuSEfirewall2 was started on boot.
* Wed Jul 12 2017
  - sysctl settings: make list of sysctl.d directories configurable via
    FW_SYSCTL_PATHS (bnc#1044523)
* Thu Jul 06 2017
  - clarified warning message about FW_ROUTE being enabled but ip_forwarding not configured
  - sysctl.d: avoid error messages if no /etc/sysctl.d/*.conf files exist (bnc#1044523)
* Wed Jun 28 2017
  - Only consider *.conf files to ignore backup files and similar (bnc#1044523)
* Tue Jun 20 2017
  - Also check /etc/sysctl.d for custom sysctl overrides (bnc#1044523)
  - improved documentation of FW_SERVICES_DROP_... to mention "all" protocols
* Mon Apr 24 2017
  - implementation of feature FATE#316295: allow incremental update of rpc
    By calling "/usr/sbin/SuSEfirewall2 update-rpc [-s service]" you can now
    cause SuSEfirewall to update its rpc related firewall rules to reflect the
    current portmapper state in the system, without affecting the rest of the
    firewall rule set.
    This can for example be put in systemd unit files as ExecStartPost
    directives, to always keep port mapping rules up to date, for certain rpc
    services. Note that you still need to configure the rpc rules in
    /etc/sysconfig/SuSEfirewall2 to make this work. See configuration variables:
  - conntrack helpers: explicitly load kernel module to make sure conntrack
    helper rules can be applied and to avoid error messages if kernel module is
    not loaded
* Tue Apr 18 2017
  Update to new git release 3.6.351:
  - ship ftp-client service file for allowing active ftp client connections
    easily. Also fix use of connection tracker helper on kernel >= 4.7 for ftp.
* Mon Mar 20 2017
  Update to new git release 3.6.346:
  - harmonized the logic of setting IPv4/IPv6 forwarding when FW_ROUTE is set to
    "yes". Previously only IPv4 forwarding was exclusively set by SuSEfirewall2,
    while IPv6 forwarding could only be set via "yast2 firewall". With this
    update you should always configure IPv4/IPv6 forwarding with yast.
    SuSEfirewall2 will still provide backwards compatibility to temporarily
    enable IPv4/IPv6 forwarding if not already enabled system wide. Also
    forwarding can now be configured separately for IPv4/IPv6 if only one of
    both is required. See FW_ROUTE documentation. (bnc#572202)
  - ignore the bootlock when incremental updates for hotplugged or virtual
    devices are coming in during boot. This prevents lockups for example when
    drbd is used with FW_BOOT_FULL_INIT. (bnc#785299)
  - fixed a race condition in systemd unit files that could cause the
    SuSEfirewall2_init unit to sporadically fail, because /tmp was not
    there/writable yet. (bnc#1014987)
  - support new kernels >= 4.7 that run with
    net.netfilter.nf_conntrack_helper = 0
    by default. Currently only netbios/samba is fully covered. (bnc#986527)
  - allow mdns multicast packets input in unconfigured firewall setups (no zones
    configured) to make zeroconf setups (like avahi) work out of the box for
    typical desktops connecting via DSL/WiFi router scenarios. (bnc#959707)
  - refurbished the documentation in /usr/share/doc. (bnc#884037)
  - updated GPL license texts with the current address from FSF
  - support for IPv6 in FW_TRUSTED_NETS config variable. (bnc#841046)
  - don't log dropped IPv6 broadcast/multicast packets by default to
    avoid cluttering the kernel log. (bnc#847193)
  - recognize a running libvirtd instance and cause it to recreate its custom
    firewall rules on SuSEfirewall2 reload, to not break VM networking.
  - only apply FW_KERNEL_SECURITY proc settings, if not overridden by the
    administrator in /etc/sysctl.conf (bnc#906136). This allows you to benefit
    from some of the kernel security settings, while overwriting others.
  - don't enable FW_LO_NOTRACK by default any more, because it breaks expected
    behaviour in some scenarios (bnc#916771)
  - increase security when sourcing external script files by checking file
    ownership and permissions first (to avoid sourcing untrusted files owned by
    non-root or world-writable)
  - fixed "/usr/sbin/SUSEfirewall log" pretty logfile parsing functionality when
    running under systemd with journald.
* Tue Mar 07 2017
  - Install symlink to SuSEfirewall2 with the updated SUSE spelling
    (bsc#938727, FATE#316521)
  - Added rpmlintrc file to suppress some bogus warnings during building
* Fri Feb 10 2017
  - Remove unused PreReq for insserv and fillup
* Wed Feb 10 2016
  - add nfs-server.service too as dependency, remove again
    as it makes trouble (bsc#963740)
  - and SuSEfirewall2 have a loop, remove it bsc#961258
* Tue Feb 09 2016
  - change dependencies of SUSEfirewall2_init, so it gets run after systemd
    version update brought new dependencies somehow (bsc#963969)
* Thu Jan 28 2016
  - add, so SuSEfirewall2 final will be started after
    all other services. This is relevant for rpc services like the NFS rpc
    process group, where ports are opened dynamically. bsc#963740
* Mon Jan 18 2016
  - Merge pull request #5 from hwoarang/firewalld-conflict
  - SuSEfirewall2{,_init}.service: Conflict with firewalld service
* Fri Jan 15 2016
  - basic.service -> (bsc#961258)
* Wed Jun 24 2015
  - reduce amount of setprocinfo set values, adjusted to existence and
    also current kernel defaults.
  - missing IPv6 commands to enable broadcast (e.g.: avahi over ipv6)
* Mon Aug 18 2014
  - perl-Net-DNS is only needed by some ancillary helper tool but not for the
    core features. So set it to Recommended.
* Fri Aug 15 2014
  - hosting moved to
  - added a sysvinit -> systemd conversion hack (bnc#891669)
* Thu Jul 31 2014
  - SuSEfirewall2, ACCEPT from services is a local variable, otherwise
    "ACCEPT" would be used as a service name (bnc#889406 bnc#889555 bnc#887040)
* Wed Jun 11 2014
* Tue May 27 2014
  - Allow incoming DHCPv6 replies, currently unlimited.
  - typo fix customary -> custom bnc#835677
* Fri Dec 27 2013
  - add perl-Net-DNS requires for "SuSEfirewall2 log" (bnc#856705)
* Wed Aug 21 2013
  - adjust service files so manual starts work better (bnc#819499)
* Mon May 06 2013
  - license update: GPL-2.0
    Various GPL-2.0 (only) licensed files
* Fri May 03 2013
  - clarify what the default is in FW_MASQ_NETS (bnc#817233)
  - removed the --rttl option in recent matches, as this could also be used by attackers (bnc#800719)
* Tue Jan 29 2013
  - do not add dependency information about YaST2 Second Stage (bnc#800365)
* Thu Jan 17 2013
  - fix default value docu for FW_PROTECT_FROM_INT (bnc#798834)
* Thu Dec 13 2012
  - move to /usr, remove init scripts
* Wed Dec 12 2012
  - adjust for starting via systemd service files
  - move lock files to /run
  - just CT instead of NOTRACK (bnc#793459)
* Tue Sep 11 2012
  - getdevinfo is gone as per commit 0c5ac93 (bnc#777271)
* Fri Jul 13 2012
  - honor FW_IPv6 setting also in debug mode (bnc#769411)
* Tue Jun 19 2012
  - fix logging in test mode
* Mon Jun 18 2012
  - allow icmpv6 in FW_SERVICES_*_*
* Mon Jun 18 2012
  - allow ICMPv6 Multicast Listener Query (bnc#767392)
* Tue May 29 2012
  - fix typo spotted by Frederic
* Wed Jan 18 2012
  - assume all interface names are correct (bnc#739084)
* Wed Dec 14 2011
  - fix forward masquerading (bnc#736205)
  - compat syntax for negated options no longer works (bnc#660156, bnc#731088)
  - enhance debug mode
* Mon Nov 07 2011
  - use /sbin/rpcinfo as /usr/sbin/rpcinfo is gone (bnc#727438)
* Wed Nov 02 2011
  - set SYSTEMD_NO_WRAP for status (bnc#727445)
* Fri Oct 14 2011
  - fix manual rcSuSEfirewall2 stop with systemd (bnc#717583)
* Tue Oct 04 2011
  - fix typo (bnc#721845)
  - atomic zone status writing
* Sat Sep 17 2011
  - Remove redundant tags/sections from specfile
* Wed Sep 07 2011
  - sanitize FW_ZONE_DEFAULT (bnc#716013)
  - add warning about iptables-batch to SuSEfirewall2-custom
  - fix warning about /proc/net/ip_tables_names not readable
  - don't install input rules for interfaces in default zone
  - Add hook fw_custom_after_finished
  - update FAQ (bnc#694464)
  - clean up overrides when stopping the firewall (bnc#630961)
  - change default FW_LOG_ACCEPT_CRIT to "no"
  - allow redir without port specification
  - make FW_SERVICES_{REJECT,DROP}_* take precedence before ACCEPT (bnc#671997)
  - fix zonein and zoneout parameters
  - fix reverse direction of forwarding rules (bnc#679192)
* Tue Feb 01 2011
  - introduce rpcusers file to allow statd to run as non-root
* Wed Jan 19 2011
  - add zonein and zoneout parameters for FW_FORWARD
  - fix typos
* Mon Jan 10 2011
  - don't start in runlevel 4 by default (bnc#656520)
  - cut off long zone names (bnc#644527)
  - fix and enhance output of log command (bnc#663262)
* Thu Dec 02 2010
  - don't unload rules when using systemd
* Tue Nov 16 2010
  - list some known rpc services as Should-Start
  - don't filter outgoing packets at all
  - fix an example (bnc#641907)
  - fix status check in SuSEfirewall2_init (bnc#628751)
* Mon Aug 16 2010
  - don't use fillup anymore as it keeps corrupting the config file
* Tue Jun 29 2010
  - remove "batch committing..." message
  - read defaults from separate file
  - warn if highports config options are set
  - finally drop 'highports' misfeature
  - remove kernel ipv6 module detection (bnc#617033)
  - silence warning about default zone (bnc#616841)
  - SuSEfirewall2-open: don't add values multiple times
  - Use multiprotocol xt_conntrack
* Mon May 31 2010
  - only directories in /sys/class/net are real interfaces (bnc#609810)
* Fri Mar 19 2010
  - add entry about drbd to FAQ
  - update docu
  - implement FW_BOOT_FULL_INIT
* Tue Feb 16 2010
  - use new versioning scheme after switch of repo to git
  - update and rebuild docu
  - remove really old rc.config conversion code from spec file
* Tue Sep 15 2009
  - fix spelling error in sysconfig file (bnc#537427)
  - polishing of log drop policy (bnc#538053)
    * drop multicast packets silently
    * separate drop rule for broadcast packets at end of chain
    * only consider NEW udp packets as critical
    * don't log INVALID packets as critical
* Fri Aug 21 2009
  - implement runtime override of interface zones
  - allow disabling NOTRACK rules on lo (bnc#519526)
* Fri Jul 17 2009
  - remove chkconfig calls (bnc#522268)
* Thu Jul 09 2009
  - add note about use as bridging firewall
  - allow to set FW_ZONE_DEFAULT via config file
  - deprecate fw_custom_before_antispoofing and
    fw_custom_after_antispoofing, use fw_custom_after_chain_creation
* Tue Jun 09 2009
  - add note that ulog doesn't work with IPv6 (bnc#442756)
  - fix version number in help text
  - allow service files to specify kernel modules and allow related packets
  - silence an error from bash if a service config file is not available (bnc#487870)
  - better wording for BROADCAST in template
  - update firewall hook script (patch by Marius)
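The bnc#1064127 entry above (Oct 18 2017) describes implicit portmapper rules for port 111 that lost the source-net restriction configured for the rpc service. The following check, added here as an example and not part of the SuSEfirewall2 package, scans iptables-save style rule lines and reports ACCEPT rules for port 111 that carry no `-s` source restriction; the chain name and sample rules are constructed for illustration.

```python
# Constructed sample in iptables-save format (not captured from a real host).
# The 2049 rules carry the admin's source-net restriction for the rpc service;
# the two unrestricted 111 rules are the shape of the bnc#1064127 defect, the
# last 111 rule is what a correctly restricted portmapper rule looks like.
SAMPLE_RULES = """\
-A input_ext -s 192.168.1.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
-A input_ext -s 192.168.1.0/24 -p udp -m udp --dport 2049 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 111 -j ACCEPT
-A input_ext -p udp -m udp --dport 111 -j ACCEPT
-A input_ext -s 192.168.1.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
"""

PORTMAP_PORT = "111"


def has_source_restriction(tokens):
    """True if the rule limits the source with a non-negated -s/--source."""
    for i, tok in enumerate(tokens):
        if tok in ("-s", "--source"):
            # "! -s 10.0.0.0/8" allows everything except one net; treat that
            # as unrestricted for the purpose of this check.
            return not (i > 0 and tokens[i - 1] == "!")
    return False


def unrestricted_portmapper_rules(rules_text):
    """Return the rule lines that ACCEPT traffic to port 111 without a source net."""
    findings = []
    for line in rules_text.splitlines():
        tokens = line.split()
        # Only consider rules being appended/inserted into a chain.
        if not tokens or tokens[0] not in ("-A", "-I"):
            continue
        if "ACCEPT" not in tokens or "--dport" not in tokens:
            continue
        dport = tokens[tokens.index("--dport") + 1]
        if dport != PORTMAP_PORT:
            continue
        if not has_source_restriction(tokens):
            findings.append(line)
    return findings


if __name__ == "__main__":
    for rule in unrestricted_portmapper_rules(SAMPLE_RULES):
        print("unrestricted portmapper rule:", rule)
```

On a live host, feed the output of `iptables-save` (and `ip6tables-save`, since the Jan 2018 entry applies the rpc rules to IPv6 too) to `unrestricted_portmapper_rules` instead of the constructed sample.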