Bug 712670

Summary: Problem with FW_SERVICES_ACCEPT_EXT in /etc/sysconfig/SuSEfirewall2
Product: [openSUSE] openSUSE 11.4
Reporter: Freek de Kruijf <freek>
Component: YaST2
Assignee: Lukas Ocilka <locilka>
Status: RESOLVED FIXED
QA Contact: Jiri Srain <jsrain>
Severity: Normal
Priority: P2 - High
Version: Final
Target Milestone: ---
Hardware: x86-64
OS: openSUSE 11.4
Whiteboard: maint:planned:update
Found By: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: YaST logfile

Description Freek de Kruijf 2011-08-17 14:14:27 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20100101 Firefox/6.0

I have the following 3 lines in /etc/sysconfig/SuSEfirewall2:

FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh
127.0.0.0/8,tcp,mysql
192.168.1.0/24,tcp,3080
192.168.1.0/24,tcp,3493"

The first two lines are in fact one line.

At a certain moment (I can relate it to a YaST session) these lines are changed into:

hitcount="3,blockseconds=60,recentname=ssh"
FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,
127.0.0.0/8,tcp,mysql
192.168.1.0/24,tcp,3080
192.168.1.0/24,tcp,3493"

so the first line above is moved out of the FW_SERVICES_ACCEPT_EXT definition. This effectively disables what should be achieved, limiting the amount of ssh tcp sessions to 3 per minute from one IP address.

# ls -l /etc/sysconfig/SuSEfirewall2
-rw-r--r-- 1 root root 34590 Aug 14 22:25 /etc/sysconfig/SuSEfirewall2

shows the date of last change of that file

# zcat /var/log/YaST2/y2log-1.gz | grep SuSEfirewall | grep '14 22'
2011-08-14 22:25:08 <1> eik114(5855) [YCP] Service.ycp:403 Enabling service SuSEfirewall2_init
2011-08-14 22:25:08 <1> eik114(5855) [YCP] Service.ycp:403 Enabling service SuSEfirewall2_setup

shows YaST activity at that moment.




Reproducible: Sometimes

Steps to Reproduce:
1. Don't know


Expected Results:  
The line in SuSEfirewall2 should be left alone

It happened several times earlier, but had the file SuSEfirewall2 changed before I could relate it to something happening at that moment.

Below is the last line of a zypper session shown in the file /var/log/zypper.log
2011-08-14 22:25:02 <1> eik114(5631) [zypp] ZYppFactory.cc(~ZYppGlobalLock):90 Lockfile cleaned. (5631)

So a few seconds before zypper ended.
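
An added example, not part of the original report and not code from YaST or SuSEfirewall2: a small Python audit that detects the corruption described above, where the rate-limit flags are split out of FW_SERVICES_ACCEPT_EXT into a stray variable and the ssh rule is left with an empty flags field. The function name `audit`, the assumed field layout net,protocol,dport,sport,flags and the sample strings (constructed from the lines quoted in the report) are this example's assumptions.

```python
import re

# Flag keywords as they appear in the report; a top-level variable with one
# of these names means a flag was split out of the rule list.
FLAG_KEYS = {"hitcount", "blockseconds", "recentname"}
ASSIGN = re.compile(r'^([A-Za-z_]\w*)="(.*?)"', re.MULTILINE | re.DOTALL)

# Sample contents constructed from the lines quoted in the report.
GOOD = '''FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh
127.0.0.0/8,tcp,mysql
192.168.1.0/24,tcp,3080
192.168.1.0/24,tcp,3493"
'''
BROKEN = '''hitcount="3,blockseconds=60,recentname=ssh"
FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,
127.0.0.0/8,tcp,mysql
192.168.1.0/24,tcp,3080
192.168.1.0/24,tcp,3493"
'''

def audit(text, var="FW_SERVICES_ACCEPT_EXT"):
    """Return a list of findings for the contents of a sysconfig file."""
    findings = []
    for name, value in ASSIGN.findall(text):
        if name in FLAG_KEYS:
            # A rule flag has become a variable of its own.
            findings.append(f"stray variable {name}={value!r}")
        elif name == var:
            for rule in value.split():
                fields = rule.split(",")
                # Assumed layout: net,protocol,dport,sport,flags...
                # A rule that reaches the flags position with nothing in it
                # has been truncated and no longer rate-limits anything.
                if len(fields) > 4 and not any(fields[4:]):
                    findings.append(f"rule {rule!r} lost its flags")
    return findings

if __name__ == "__main__":
    import sys
    # With a path argument, audit that file; otherwise the broken sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN
    for finding in audit(text):
        print("WARNING:", finding)
```

Running it against /etc/sysconfig/SuSEfirewall2 after each YaST or zypper session shows whether the file was rewritten in this way before the firewall is next reloaded.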
Comment 1 Freek de Kruijf 2011-08-17 14:19:11 UTC
I am sorry, but in the above, "3 lines" should be "4 lines", and the sentence "The first two lines are in fact one line." should be removed.
Comment 2 Thomas Fehr 2011-08-25 09:10:21 UTC
Reassigned to maintainer of yast2-firewall
Comment 3 Lukas Ocilka 2011-08-25 09:15:35 UTC
Please attach YaST logs.
Comment 4 Freek de Kruijf 2011-08-25 18:55:59 UTC
Created attachment 447768
YaST logfile

YaST log containing the log of 2011-08-14
Comment 5 Lukas Ocilka 2011-08-26 10:41:35 UTC
Thanks, I've reproduced the bug here.
Comment 6 Lukas Ocilka 2011-08-26 11:20:24 UTC
Issues:
  YaST Firewall doesn't know flags in FW_SERVICES_ACCEPT_*
  YaST (Generic) doesn't read them properly anyway

This will need a fix for
  yast2-firewall.rpm
  yast2.rpm
Comment 8 Lukas Ocilka 2011-08-29 11:18:05 UTC
Fixed for openSUSE 11.2
  * yast2 2.21.12
  * yast2-firewall 2.21.0
Comment 10 Bernhard Wiedemann 2011-08-29 12:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (712670) was mentioned in
https://build.opensuse.org/request/show/80030 Factory / yast2
https://build.opensuse.org/request/show/80031 Factory / yast2-firewall
Comment 11 Lukas Ocilka 2011-08-29 14:28:21 UTC
(In reply to comment #8)
> Fixed for openSUSE 11.2

Should have been 12.1
Comment 12 Bernhard Wiedemann 2011-08-29 15:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (712670) was mentioned in
https://build.opensuse.org/request/show/80077 Factory / yast2-firewall
Comment 14 Christian Dengler 2011-08-30 13:19:47 UTC
The update is okay for me on 11.{3,4} +1
Comment 15 Freek de Kruijf 2011-09-04 22:21:05 UTC
I assume the previous comment provides the needed information
Comment 16 Lukas Ocilka 2011-09-09 09:12:09 UTC
OK, so it's a planned update for older distros and already fixed
for 12.1. You can upgrade to Factory versions now if you wish so:

  * yast2 2.21.12 (or higher)
  * yast2-firewall 2.21.0 (or higher)