Bug 146338

Summary: yast2-modem breaks SuSE firewall2
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Hartmut Buhrmester <hartmut.buhrmester>
Component: YaST2
Assignee: Martin Vidner <mvidner>
Status: RESOLVED FIXED
QA Contact: Klaus Kämpf <kkaempf>
Severity: Critical
Priority: P5 - None
Version: Final
Target Milestone: ---
Hardware: i586
OS: SuSE Linux 10.0
Whiteboard:
Found By: Customer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments:
  Configuration file /etc/sysconfig/SuSEfirewall2 after running kppp
  Location of the setting "External Firewall" which was mentioned in the first report
  Log file /var/run/YaST/y2log after adding a new provider to YaST

Description Hartmut Buhrmester 2006-01-27 20:46:25 UTC
kppp 3.4.2-11 breaks SuSE firewall2

Recently, I tried the lightweight desktops WindowMaker and icewm. Since kinternet (as a KDE applet) doesn't run under these desktops, I used kppp to connect to the internet.

When I entered the settings for my internet service provider, I noticed the option to "define this interface as the external interface in SuSE firewall2". This seemed appropriate, so I checked the option.

I could then dial up to my provider, and the firewall seemed to work fine: the Shield Up! test from <http://www.grc.com> showed the usual results for a SuSE firewall2: the ident port was closed, and all other ports stealthed.

Now, the Linux machine also serves as a router for a second computer. The internal interface is eth0, and routing and masquerading are both on. But when I tried to connect from the second machine, I could not get through. There was no connection at all, even the domain name servers could not be reached.

In YaST, all settings still looked okay. But when I opened the configuration file /etc/sysconfig/SuSEfirewall2 directly in a text editor, I noticed that the contents were rearranged: the beginning of the file was deleted, up to and including the line FW_DEV_EXT="modem0 ppp0". Only the line FW_DEV_EXT="modem0 ppp0" was appended again to the end of the file. But this breaks the firewall script, because the variable is referred to in the line FW_MASQ_DEV="$FW_DEV_EXT", which is near the beginning of the file. So, if $FW_DEV_EXT is not defined yet, $FW_MASQ_DEV can not be set correctly.

I could successfully repair the file by moving the line FW_DEV_EXT="modem0 ppp0" back to the top of the file.
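The ordering problem described in this report, shown as an added example (this is not code from the bug report, from YaST or from SuSEfirewall2). The variable names FW_DEV_EXT and FW_MASQ_DEV are the ones the report names; the two configuration fragments are constructed to mirror the intact and the damaged file, and the helper names masq_dev_from and set_sysconfig_var are assumptions of this example. The second helper shows what a safe in-place update of one sysconfig assignment looks like: it never drops other lines, and it refuses to overwrite the file if the line count does not match.

```shell
#!/bin/sh
# Added example, not code from the bug report, YaST or SuSEfirewall2.
# FW_DEV_EXT / FW_MASQ_DEV are the variables named in the report; the two
# fragments below are constructed, and the helper names are assumptions.

# Intact fragment: FW_DEV_EXT is assigned before FW_MASQ_DEV refers to it.
INTACT='FW_DEV_EXT="modem0 ppp0"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"'

# Damaged fragment, as the reporter found it: everything up to and including
# the FW_DEV_EXT line is gone, and that one line was re-appended at the end.
DAMAGED='FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_DEV_EXT="modem0 ppp0"'

# Source a sysconfig file the way the firewall script does (line by line,
# in a subshell) and print the resulting FW_MASQ_DEV. "$FW_DEV_EXT" is
# expanded when its line is read, so a reference that precedes the
# assignment expands to the empty string.
masq_dev_from() {
    ( set +u; . "$1"; printf '%s' "${FW_MASQ_DEV-}" )
}

# Safe alternative to "cut the head off and append": change one KEY="VALUE"
# assignment where it already stands, append only when the key is absent,
# and refuse to replace the file if any other line would be lost.
# Assumes values contain no '|' or '&' (sed delimiter/backreference) and
# that the file ends with a newline.
set_sysconfig_var() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    before=$(wc -l < "$file" | tr -d ' ')
    if grep -q "^$key=" "$file"; then
        sed "s|^$key=.*|$key=\"$value\"|" "$file" > "$tmp"
        expected=$before
    else
        { cat "$file"; printf '%s="%s"\n' "$key" "$value"; } > "$tmp"
        expected=$((before + 1))
    fi
    after=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$after" -ne "$expected" ]; then
        rm -f "$tmp"
        echo "refusing to overwrite $file: $after lines, expected $expected" >&2
        return 1
    fi
    mv "$tmp" "$file"
}

# Demonstration: the damaged layout yields an empty FW_MASQ_DEV, so
# masquerading for the internal host silently stops; the in-place update
# keeps the assignment at the top where FW_MASQ_DEV can see it.
demo_dir=$(mktemp -d)
printf '%s\n' "$INTACT"  > "$demo_dir/intact"
printf '%s\n' "$DAMAGED" > "$demo_dir/damaged"
printf 'intact file:  FW_MASQ_DEV="%s"\n' "$(masq_dev_from "$demo_dir/intact")"
printf 'damaged file: FW_MASQ_DEV="%s"\n' "$(masq_dev_from "$demo_dir/damaged")"

# Start from the reporter's initial state (FW_DEV_EXT="any") and switch the
# modem to the external zone without disturbing the rest of the file.
printf 'FW_DEV_EXT="any"\nFW_DEV_INT="eth0"\nFW_MASQ_DEV="$FW_DEV_EXT"\n' > "$demo_dir/cfg"
set_sysconfig_var "$demo_dir/cfg" FW_DEV_EXT "modem0"
printf 'after update: FW_MASQ_DEV="%s"\n' "$(masq_dev_from "$demo_dir/cfg")"
cat "$demo_dir/cfg"
rm -rf "$demo_dir"
```

Running it prints an empty FW_MASQ_DEV for the damaged fragment and "modem0 ppp0" for the intact one, which is exactly why routing for the second machine stopped while the external interface itself still looked correctly firewalled. The line-count check in set_sysconfig_var is the kind of guard that would have turned this bug into a refused write instead of a silently truncated configuration.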
Comment 1 Hartmut Buhrmester 2006-01-27 20:50:26 UTC
Created attachment 65523
Configuration file /etc/sysconfig/SuSEfirewall2 after running kppp
Comment 2 Stephan Kulow 2006-01-28 08:38:59 UTC
Where would that option to "define this interface" be? I couldn't find this text in the kppp source code, at least.
Comment 3 Hartmut Buhrmester 2006-01-28 12:07:04 UTC
Sorry, then I was wrong and confused kppp with the YaST modem module, which has similar options.

The YaST module "Netzwerkgeräte --> Modem" has the mentioned setting. When entering a new provider, the page "Verbindungsparameter" has the option "Externe Firewall-Schnittstelle".

(See the attached screen shot Bildschirmphoto1.png)

The option is on, if modem0 is already defined as the external interface, e.g. in the configuration file /etc/sysconfig/SuSEfirewall2 there is a line:
FW_DEV_EXT="modem0"

The option is off, if modem0 is not yet defined as the external interface, e.g.
FW_DEV_EXT="any"

Setting the option to "on" will seriously damage the sysconfig file: The top of the file will be deleted, up to and including the line FW_DEV_EXT="any". Then this definition is actually missing from the file.

The YaST module "Sicherheit und Benutzer --> Firewall" may add the definition again, but then it will be appended to the end of the file. This state is shown in the file I attached to my initial report.
Comment 4 Hartmut Buhrmester 2006-01-28 12:10:18 UTC
Created attachment 65541
Location of the setting "External Firewall" which was mentioned in the first report
Comment 5 Martin Lasarsch 2006-01-29 13:13:21 UTC
Please attach /var/log/YaST/y2log after trying to change it in YaST again.
Comment 6 Hartmut Buhrmester 2006-01-29 17:52:10 UTC
Okay, now I did the following:

1) Edited the file /etc/sysconfig/SuSEfirewall2 directly with vi and changed FW_DEV_EXT="modem0" to FW_DEV_EXT="any". This is the starting condition.

2) Archived the existing log file y2log as y2log.backup, since it was already pretty long.

3) Started YaST, opened the module "Netzwerkgeräte --> Modem" and entered a new provider "Freenet IbC". On the second page "Verbindungsparameter" the option "Externe Firewall-Schnittstelle" is "off". I toggled this option to "on" by marking it with the mouse.

4) The next page will be a summary "Überblick über die Modemkonfiguration". I just quit this module and the new modem configuration will be saved. Then there is a dialog "Mail nun konfigurieren?" but I just dismiss this question by clicking on "Nein".

5) Next I open the module "Sicherheit und Benutzer --> Firewall". The second option on the left panel is "Schnittstellen", so I go to that page. The modem is listed as:
Gerät: U.S. Robotics 56K FAX EXT
Schnittstelle oder String: modem0
Konfiguriert in: Keine Zone zugewiesen

The only other interface is:
Gerät: D-Link RTL-8029(AS)
Schnittstelle oder String: eth-id-00:50:ba:34:8b:cf
Konfiguriert in: Interne Zone

Note that there is no "Externe Zone" at all.

6) I changed the definition for modem0 and assigned it to the "Externe Schnittstelle".

7) Clicking on "Weiter" brings up a summary page. Then I quit this module and also the YaST-Kontrollzentrum.

8) Copied /var/run/YaST/y2log to my home directory and sent it as an attachment.
Comment 7 Hartmut Buhrmester 2006-01-29 17:55:08 UTC
Created attachment 65562
Log file /var/run/YaST/y2log after adding a new provider to YaST
Comment 8 Michael Gross 2006-01-30 16:09:59 UTC
Hartmut: Where do you suppose the cause of this problem lies? In the firewall itself, in YaST, or in kppp?
Comment 9 Hartmut Buhrmester 2006-01-30 18:47:10 UTC
I think it is the YaST2 module "Netzwerkgeräte --> Modem". It does not read/write the file /etc/sysconfig/SuSEfirewall2 correctly. If the option "Externe Schnittstelle" in that module is toggled on, the top of the sysconfig file will be deleted. If the option is already on, the file will not be changed.

The firewall just interprets the configuration file /etc/sysconfig/SuSEfirewall2. The YaST module "Sicherheit --> Firewall" also seems to work fine.

Initially, I suspected kppp, because I tried it recently with other desktops, and found later that the firewall did not work as usual (routing did not work anymore). But that was just coincidence, and kppp is not involved at all.
Comment 10 Michael Gross 2006-01-31 11:12:36 UTC
Reassigning to the maintainer.
Comment 11 Martin Vidner 2006-01-31 13:33:23 UTC
The problem appears when you enter the modem module and go to edit a provider without editing a modem first. Then the Firewall checkbox does not make sense (because it applies to a modem device, not a provider) and that confuses the firewall code to the point of removing the initial portion of the file.
Comment 12 Martin Vidner 2006-02-05 19:11:24 UTC
I have hidden the firewall checkbox when it does not make sense.
Fixed in yast2-network-2.13.21.