Bug 139402

Summary: firewall off by default?
Product: [openSUSE] SUSE Linux 10.1 Reporter: Ludwig Nussel <lnussel>
Component: YaST2 Assignee: Martin Vidner <mvidner>
Status: RESOLVED FIXED QA Contact: Klaus Kämpf <kkaempf>
Severity: Normal    
Priority: P5 - None CC: aj, locilka
Version: Alpha 4   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Ludwig Nussel 2005-12-15 17:33:27 UTC
IIRC the firewall was just off in the network proposal by default. If that's not intentional it probably is a bug :-)
Comment 2 Lukas Ocilka 2005-12-15 18:06:34 UTC
This is the default setting:
clients/firewall_proposal.ycp:32 Default firewall values: enable_firewall=true, enable_ssh=false

This is the firewall proposal:
SuSEFirewallProposal.ycp:185 Proposal based on configuration: Dial-up interfaces: [], Other: []
SuSEFirewall.ycp:1262 enable-firewall has been already set to false

Oou, it seems that NetworkDevices module doesn't report any devices (Proposal based on...). Whence it follows that firewall is proposed to be disabled. Problem probably based on cooperation with the NetworkManager.
Comment 3 Bart Whiteley 2005-12-15 22:18:59 UTC
I just installed NLD10-Preview2.  In the network dialog of the install, it said that the firewall was disabled by default.  I thought "cool.  that's just how I want it."  However, in reality the firewall was enabled by default.  So, the firewall was enabled, and the yast installer lied about it. 
Comment 4 Lukas Ocilka 2005-12-16 08:48:31 UTC
Bart, could you please attach YaST logs?
Comment 6 Martin Vidner 2005-12-16 16:33:30 UTC
Bart, why do you think it was enabled? For me iptables -L and chkconfig -l say it is disabled.
Comment 7 Bart Whiteley 2005-12-16 16:49:15 UTC
Because iptables -L says it was, and I couldn't ssh into the box.  
Comment 8 Martin Vidner 2005-12-16 16:59:33 UTC
I see. Then we need the logs.

Anyway, Lukas, you can detect whether NetworkManager will run by looking at boolean NetworkService::Managed. It is in yast2-network now but I will move it to yast2.rpm.
Comment 9 Martin Vidner 2005-12-19 16:39:07 UTC
I have this patch for SuSEFirewallProposal::ProposeFunctions ()
Lukas, please have a look whether it's enough.

--- library/network/src/SuSEFirewallProposal.ycp        (revision 26649)
+++ library/network/src/SuSEFirewallProposal.ycp        (working copy)
@@ -14,6 +14,7 @@
     textdomain "base";

     import "SuSEFirewall";
+    import "NetworkService";
     import "ProductFeatures";
     import "Linuxrc";

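Review bot: The new import "NetworkService" at the top of SuSEFirewallProposal.ycp makes library/network depend on a module that, per comment 8, currently lives in yast2-network and has not yet been moved to yast2.rpm. This hunk should be committed together with or after that move, so that the import can always be resolved where the proposal runs.
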
@@ -187,7 +188,9 @@
        );

        // has no network interface
-       if (size(non_dup_interfaces)==0 && size(dial_up_interfaces)==0) {
+       // and NetworkManager is disabled (#139402)
+       if (size(non_dup_interfaces)==0 && size(dial_up_interfaces)==0 &&
+           !NetworkService::IsManaged ()) {
            SuSEFirewall::SetEnableService(false);
            SuSEFirewall::SetStartService(false);
        } else {
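Review bot: The added condition calls NetworkService::IsManaged (), while comment 8 describes the flag as the boolean NetworkService::Managed; confirm which name the module actually exports before committing. Also, when NetworkManager is on and both interface lists are empty, control now reaches the else branch with no interfaces known, so check that this branch behaves sensibly when there is nothing to assign to a zone, and extend the comment to state that the firewall is deliberately left enabled in that case.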
Comment 10 Lukas Ocilka 2005-12-20 18:23:17 UTC
Yes, this patch should fix the Firewall proposal.

On the other hand, it means that if we let the NetworkManager configure the network (default behavior in the installation), we have an unprotected computer by default - this goes against the feature which wanted firewall on by default.
Comment 11 Martin Vidner 2005-12-21 15:49:00 UTC
What do you mean, unprotected? This patch _enables_ FW in the default case when NM is on.

Bart, please fork a separate bug for your problem when you have the logs.
Comment 12 Ihno Krumreich 2006-04-24 12:24:56 UTC
Status of the bug.
Comment 13 Martin Vidner 2006-04-24 13:25:41 UTC
This has been probably fixed already:
Mon Jan 30 17:36:35 CET 2006 - mvidner@suse.cz
- For NetworkManager, propose basic ifcfgs because of firewall.
Or bug 152650, bug 154295