Bug 1213568

Summary: firewalld creates new unwanted zones after updates
Product: [openSUSE] openSUSE Distribution
Reporter: Stefan Schäfer <stefan.schaefer>
Component: Other
Assignee: Mohd Saquib <mohd.saquib>
Status: RESOLVED WORKSFORME
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P5 - None
CC: stefan.schaefer
Version: Leap 15.4
Target Milestone: ---
Hardware: Other
OS: Other

Description Stefan Schäfer 2023-07-23 10:27:06 UTC
Our Situation:

We define two network interfaces named "intern" and "extern" by udev-rules, these interfaces are assigned to corresponding zones "internal" and "external".

After Leap updates/upgrades using YOU or zypper, both interfaces are removed from their zones and are assigned to the newly created zone "public".

Result: No more connection to our servers possible! Very bad if we work remotely and the servers are at a far distance...

In /etc/firewalld.conf we define the zone "external" as default zone for new devices. 

"# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=external"

zypper, yast or whatever should not touch the existing firewall-configuration.

Stefan
Comment 1 Stefan Schäfer 2023-07-23 10:30:02 UTC
Additional info: we use wicked for the network and interface management.
Comment 2 Andreas Stieger 2023-07-23 15:07:02 UTC
(In reply to Stefan Schäfer from comment #0)
> After Leap Updates/Upgrades 

Which one? openSUSE-SLE-15.4-2023-1668 with 0.9.3-150400.8.9.1 is from March.

> zypper, yast or whatever should not touch the existing
> firewall-configuration.

Consider setting up a pre-production environment.
Comment 3 Stefan Schäfer 2023-07-23 15:26:43 UTC
(In reply to Andreas Stieger from comment #2)
> (In reply to Stefan Schäfer from comment #0)
> > After Leap Updates/Upgrades 
> 
> Which one? openSUSE-SLE-15.4-2023-1668 with 0.9.3-150400.8.9.1 is from March.

It's openSUSE Leap 15.4 with firewalld-0.9.3-150400.8.9.1. But we have recognized this behavior also on earlier openSUSE Leap versions.

> 
> > zypper, yast or whatever should not touch the existing
> > firewall-configuration.
> 
> Consider setting up a pre-production environment.

How?
Comment 4 Stefan Schäfer 2023-07-24 06:01:26 UTC
I found the problem.

In /etc/sysconfig/network/ifcfg-[ex|in]tern both interfaces are assigned to zone public. This causes the reconfiguration.

We have to remember this at setup.
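
An audit for the cause found in comment 4, as an added example that is not part of the original bug report: it compares the zone set in each ifcfg file with the zone intended for that interface, so a conflict shows up before an update reapplies it. The ZONE= variable name, the function names and the sample files are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example: find ifcfg files whose zone differs from the intended one.
# Assumption: the zone is set with a ZONE= line in ifcfg-<interface>.
# Real use: audit_zones /etc/sysconfig/network intern=internal extern=external

# Print the zone an ifcfg file assigns (empty if none); last assignment wins.
ifcfg_zone() {
    sed -n 's/^[[:space:]]*ZONE=//p' "$1" | tail -n 1 | tr -d "\"' "
}

# audit_zones DIR iface=zone...  -> one line per finding, returns 1 on conflict.
audit_zones() {
    dir=$1; shift
    rc=0
    for pair in "$@"; do
        iface=${pair%%=*}
        want=${pair#*=}
        file="$dir/ifcfg-$iface"
        if [ ! -f "$file" ]; then
            echo "MISSING $iface: $file not found"; rc=1; continue
        fi
        have=$(ifcfg_zone "$file")
        if [ -z "$have" ]; then
            echo "UNSET $iface: no zone in ifcfg, firewalld decides"
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $iface: ifcfg-$iface sets '$have', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample reproducing the report: both files say "public".
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf "STARTMODE='auto'\nBOOTPROTO='static'\nZONE=public\n" > "$d/ifcfg-intern"
    printf "STARTMODE='auto'\nBOOTPROTO='dhcp'\nZONE=\"public\"\n" > "$d/ifcfg-extern"
    echo "$d"
}

sample=$(make_sample_dir)
audit_zones "$sample" intern=internal extern=external || echo "zone conflicts found"
rm -rf "$sample"
```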