Bug 139402 - firewall off by default?
Status: RESOLVED FIXED
Product: SUSE Linux 10.1
Classification: openSUSE
Component: YaST2
Version: Alpha 4
Hardware: Other Other
Importance: P5 - None : Normal
Assignee: Martin Vidner
QA Contact: Klaus Kämpf
Reported: 2005-12-15 17:33 UTC by Ludwig Nussel
Modified: 2006-04-24 13:25 UTC
Found By: Other
Description Ludwig Nussel 2005-12-15 17:33:27 UTC
IIRC the firewall was just off in the network proposal by default. If that's not intentional it probably is a bug :-)
Comment 2 Lukas Ocilka 2005-12-15 18:06:34 UTC
This is the default setting:
clients/firewall_proposal.ycp:32 Default firewall values: enable_firewall=true, enable_ssh=false

This is the firewall proposal:
SuSEFirewallProposal.ycp:185 Proposal based on configuration: Dial-up interfaces: [], Other: []
SuSEFirewall.ycp:1262 enable-firewall has been already set to false

Oh, it seems that the NetworkDevices module doesn't report any devices (Proposal based on...). Whence it follows that the firewall is proposed to be disabled. The problem is probably based on cooperation with the NetworkManager.
Comment 3 Bart Whiteley 2005-12-15 22:18:59 UTC
I just installed NLD10-Preview2. In the network dialog of the install, it said that the firewall was disabled by default. I thought, "Cool. That's just how I want it." However, in reality the firewall was enabled by default. So, the firewall was enabled, and the YaST installer lied about it.
Comment 4 Lukas Ocilka 2005-12-16 08:48:31 UTC
Bart, could you please attach the YaST logs?
Comment 6 Martin Vidner 2005-12-16 16:33:30 UTC
Bart, why do you think it was enabled? For me iptables -L and chkconfig -l say it is disabled.
Comment 7 Bart Whiteley 2005-12-16 16:49:15 UTC
Because iptables -L says it was, and I couldn't ssh into the box.  
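
Comments 3, 6 and 7 disagree about what iptables -L showed; the underlying question is whether the state the installer reported matches the live rule set. The following is an added example, not code from this bug report or from YaST: it classifies iptables -L -n output and compares it with the reported state. The function names fw_state and claim_matches and both sample listings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report; both sample listings are constructed.
# fw_state reads iptables -L -n output on stdin and prints one of:
#   open       all built-in chains have policy ACCEPT and no chain has rules
#   filtering  some chain has a non-ACCEPT policy or at least one rule
#   unknown    no "Chain" header seen (empty input, iptables failed)
fw_state() {
    awk '
        /^Chain / {
            chains++; policy = $4; sub(/\)$/, "", policy)
            # Built-in chains read "(policy X)"; user chains "(N references)".
            if ($3 == "(policy" && policy != "ACCEPT") restrictive++
            next
        }
        /^target[ \t]/ || /^[ \t]*$/ { next }   # column header or blank line
        { rules++ }                              # any other line is a rule
        END {
            if (chains == 0) print "unknown"
            else if (restrictive > 0 || rules > 0) print "filtering"
            else print "open"
        }'
}

# claim_matches CLAIM: CLAIM is what the installer reported, "enabled" or
# "disabled"; the listing comes from stdin. Returns 0 if they agree, else 1.
claim_matches() {
    case "$1:$(fw_state)" in
        enabled:filtering|disabled:open) return 0 ;;
        *) return 1 ;;
    esac
}

SAMPLE_OPEN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'
SAMPLE_FILTERING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'
```

On an installed system, piping iptables -L -n (run as root) into claim_matches with the state the installer dialog showed gives a non-zero exit status when the dialog and the live rule set disagree.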
Comment 8 Martin Vidner 2005-12-16 16:59:33 UTC
I see. Then we need the logs.

Anyway, Lukas, you can detect whether NetworkManager will run by looking at boolean NetworkService::Managed. It is in yast2-network now but I will move it to yast2.rpm.
Comment 9 Martin Vidner 2005-12-19 16:39:07 UTC
I have this patch for SuSEFirewallProposal::ProposeFunctions ()
Lukas, please have a look whether it's enough.

--- library/network/src/SuSEFirewallProposal.ycp        (revision 26649)
+++ library/network/src/SuSEFirewallProposal.ycp        (working copy)
@@ -14,6 +14,7 @@
     textdomain "base";

     import "SuSEFirewall";
+    import "NetworkService";
     import "ProductFeatures";
     import "Linuxrc";

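Review bot: The new import "NetworkService" line depends on a module that, according to comment 8, still lives in yast2-network and has only been announced as moving to yast2.rpm. This import should go in together with, or after, that move, so that the proposal module does not reference a module its own package does not yet ship.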
@@ -187,7 +188,9 @@
        );

        // has no network interface
-       if (size(non_dup_interfaces)==0 && size(dial_up_interfaces)==0) {
+       // and NetworkManager is disabled (#139402)
+       if (size(non_dup_interfaces)==0 && size(dial_up_interfaces)==0 &&
+           !NetworkService::IsManaged ()) {
            SuSEFirewall::SetEnableService(false);
            SuSEFirewall::SetStartService(false);
        } else {
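Review bot: The added condition calls NetworkService::IsManaged (), while comment 8 describes the flag as the boolean NetworkService::Managed; confirm which name the module actually exports before committing. Also, when NetworkManager is managing the network and both interface lists are empty, control now reaches the else branch with no interfaces known. The body of that branch is not visible in this hunk, so please check that enabling the firewall there also leaves interfaces that NetworkManager brings up later in a protected zone, and say so in the new comment line instead of only citing #139402.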
Comment 10 Lukas Ocilka 2005-12-20 18:23:17 UTC
Yes, this patch should fix the Firewall proposal.

On the other hand, it means that if we let NetworkManager configure the network (default behavior in the installation), we have an unprotected computer by default - this goes against the feature which wanted the firewall on by default.
Comment 11 Martin Vidner 2005-12-21 15:49:00 UTC
What do you mean, unprotected? This patch _enables_ FW in the default case when NM is on.

Bart, please fork a separate bug for your problem when you have the logs.
Comment 12 Ihno Krumreich 2006-04-24 12:24:56 UTC
Status of the bug.
Comment 13 Martin Vidner 2006-04-24 13:25:41 UTC
This has probably been fixed already:
Mon Jan 30 17:36:35 CET 2006 - mvidner@suse.cz
- For NetworkManager, propose basic ifcfgs because of firewall.
Or bug 152650, bug 154295