Bug 132539

Summary: SuSEfirewall2 cannot be used with ntpd
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Berthold Gunreben <bg>
Component: Security Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: E-mail List <qa-bugs>
Severity: Major    
Priority: P5 - None CC: aj
Version: RC 4   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Berthold Gunreben 2005-11-07 12:43:26 UTC
When SuSEfirewall2 is running and ntpd tries to use IPv6 addresses, ntp stays in .INIT mode and does not run properly. Lots of error messages like

 7 Nov 13:32:05 ntpd[5182]: sendto(2001:780:101:0:209:6bff:fe00:3633): Operation not permitted

appear in /var/log/ntp, and ntpq -p gives something like:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 idun.suse.de    .INIT.          16 u    - 1024    0    0.000    0.000 4000.00
 thor.suse.de    .INIT.          16 u    - 1024    0    0.000    0.000 4000.00
 hermes.suse.de  .INIT.          16 u    - 1024    0    0.000    0.000 4000.00

Comment 1 Ludwig Nussel 2005-11-07 15:54:12 UTC
Well, ip6tables only supports state matching on sles9/9.1. If state matching is not available SuSEfirewall2 is only able to install a very limited set of rules. It will magically start to work if you have a kernel with ip6tables state matching. Until someone ports that to our kernel again (it was decided that v6 support is not important enough for the box) you may set FW_IPv6=no to prevent SuSEfirewall2 from installing any v6 rules at all.
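
A triage check for the symptom pair in this report (sendto "Operation not permitted" on IPv6 destinations, plus peers stuck in .INIT. with reach 0), added here as an example and not part of the bug report or of SuSEfirewall2. Host names, addresses and log lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; all sample data is constructed, not taken from a real host.

# Constructed ntpd log excerpt in the message format quoted in the report.
sample_log() {
cat <<'EOF'
 7 Nov 13:32:05 ntpd[5182]: sendto(2001:db8::1): Operation not permitted
 7 Nov 13:32:06 ntpd[5182]: sendto(192.0.2.10): Operation not permitted
 7 Nov 13:32:07 ntpd[5182]: sendto(2001:db8:0:1::2): Operation not permitted
 7 Nov 13:32:09 ntpd[5182]: synchronized to 192.0.2.11, stratum 2
EOF
}

# Constructed `ntpq -p` output: two peers stuck in .INIT., one healthy.
sample_ntpq() {
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.example    .INIT.          16 u    - 1024    0    0.000    0.000 4000.00
 ntp2.example    .INIT.          16 u    - 1024    0    0.000    0.000 4000.00
*ntp3.example    192.0.2.1        2 u   33   64  377    0.412    0.051    0.020
EOF
}

# Count sendto() EPERM failures whose destination contains ':' (IPv6 literal).
count_v6_eperm() {
    awk '/ntpd\[[0-9]+\]: sendto\([0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*\): Operation not permitted/ { n++ }
         END { print n + 0 }'
}

# Count peers that never got a reply: refid .INIT. and reach register 0.
count_init_peers() {
    awk 'NR > 2 && $2 == ".INIT." && $7 == "0" { n++ } END { print n + 0 }'
}

# Combine both signals: $1 = IPv6 EPERM count, $2 = stuck peer count.
diagnose() {
    if [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then
        echo "v6-blocked"        # the symptom pair described in the report
    elif [ "$1" -gt 0 ]; then
        echo "v6-send-errors"    # local send failures, but peers still answer
    else
        echo "ok"
    fi
}

v6=$(sample_log | count_v6_eperm)
stuck=$(sample_ntpq | count_init_peers)
echo "IPv6 sendto EPERM: $v6, peers in .INIT.: $stuck, verdict: $(diagnose "$v6" "$stuck")"
```

On a real host, feed the functions /var/log/ntp and the output of ntpq -p instead of the samples. A "v6-blocked" verdict is the case Comment 1 addresses: a kernel with ip6tables state matching, or FW_IPv6=no.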