Bugzilla – Bug 712670
Problem with FW_SERVICES_ACCEPT_EXT in /etc/sysconfig/SuSEfirewall2
Last modified: 2021-02-16 11:08:47 UTC
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20100101 Firefox/6.0

I have the following 3 lines in /etc/sysconfig/SuSEfirewall2:

    FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh
    127.0.0.0/8,tcp,mysql
    192.168.1.0/24,tcp,3080
    192.168.1.0/24,tcp,3493"

The first two lines are in fact one line.

At a certain moment, I can relate it to a YaST session, these lines are changed into:

    hitcount="3,blockseconds=60,recentname=ssh"
    FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,
    127.0.0.0/8,tcp,mysql
    192.168.1.0/24,tcp,3080
    192.168.1.0/24,tcp,3493"

so the first line above is moved out of the FW_SERVICES_ACCEPT_EXT definition. This effectively disables what should be achieved, limiting the amount of ssh tcp sessions to 3 per minute from one IP address.

    # ls -l /etc/sysconfig/SuSEfirewall2
    -rw-r--r-- 1 root root 34590 Aug 14 22:25 /etc/sysconfig/SuSEfirewall2

shows the date of last change of that file

    # zcat /var/log/YaST2/y2log-1.gz | grep SuSEfirewall | grep '14 22'
    2011-08-14 22:25:08 <1> eik114(5855) [YCP] Service.ycp:403 Enabling service SuSEfirewall2_init
    2011-08-14 22:25:08 <1> eik114(5855) [YCP] Service.ycp:403 Enabling service SuSEfirewall2_setup

shows YaST activity at that moment.

Reproducible: Sometimes

Steps to Reproduce:
1. Don't know
2.
3.

Expected Results:
The line in SuSEfirewall2 should be left alone

It happened several times earlier, but had the file SuSEfirewall2 changed before I could relate it to something happening at that moment.

Below is the last line of a zypper session shown in the file /var/log/zypper.log

    2011-08-14 22:25:02 <1> eik114(5631) [zypp] ZYppFactory.cc(~ZYppGlobalLock):90 Lockfile cleaned. (5631)

So a few seconds before zypper ended.
I am sorry, but in the above 3 lines should be 4 lines and the sentence "The first two lines are in fact one line." should be removed.
Reassigned to maintainer of yast2-firewall
Please attach YaST logs.
Created attachment 447768: YaST logfile
YaST log containing the log of 2011-08-14
Thanks, I've reproduced the bug here.
Issues:
* YaST Firewall doesn't know flags in FW_SERVICES_ACCEPT_*
* YaST (Generic) doesn't read them properly anyway

This will need fix for
* yast2-firewall.rpm
* yast2.rpm
Fixed for openSUSE 11.2
* yast2 2.21.12
* yast2-firewall 2.21.0
This is an autogenerated message for OBS integration:
This bug (712670) was mentioned in
https://build.opensuse.org/request/show/80030 Factory / yast2
https://build.opensuse.org/request/show/80031 Factory / yast2-firewall
(In reply to comment #8)
> Fixed for openSUSE 11.2

Should have been 12.1
This is an autogenerated message for OBS integration:
This bug (712670) was mentioned in
https://build.opensuse.org/request/show/80077 Factory / yast2-firewall
The update is okay for me on 11.{3,4} +1
I assume the previous comment provides the needed information
OK, so it's a planned update for older distros and already fixed for 12.1.
You can upgrade to Factory versions now if you wish so:
* yast2 2.21.12 (or higher)
* yast2-firewall 2.21.0 (or higher)
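
Added example, not part of the original bug thread and not YaST or SuSEfirewall2 code: a Python check for the corruption reported above, where the hitcount/blockseconds/recentname flags are split out of FW_SERVICES_ACCEPT_EXT and the ssh rate limit silently stops applying. The two sample files are constructed from the values quoted in the report, and the function names are hypothetical.

```python
import re

# Flag names taken from the entry quoted in the report.
FLAG_NAMES = {"hitcount", "blockseconds", "recentname"}
# Matches NAME="value" at the start of a line; the value may span several lines.
ASSIGN = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"', re.MULTILINE)

# Constructed sample: the setting as the reporter wrote it.
INTACT = '''FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh
127.0.0.0/8,tcp,mysql
192.168.1.0/24,tcp,3080
192.168.1.0/24,tcp,3493"
'''
# Constructed sample: the same setting after the rewrite described in the report.
MANGLED = '''hitcount="3,blockseconds=60,recentname=ssh"
FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,
127.0.0.0/8,tcp,mysql
192.168.1.0/24,tcp,3080
192.168.1.0/24,tcp,3493"
'''

def parse_entries(value):
    """Split a FW_SERVICES_ACCEPT_EXT value into net,proto,dport,sport plus flags."""
    entries = []
    for item in value.split():
        fields = item.split(",")
        flags = dict(f.split("=", 1) for f in fields[4:] if "=" in f)
        entries.append({
            "raw": item,
            "fields": fields[:4],
            "flags": flags,
            # A fifth field exists but carries no key=value pair: flags were stripped.
            "empty_flag_field": len(fields) > 4 and not flags,
        })
    return entries

def audit(text):
    """Return findings that indicate the rate-limit flags were lost."""
    assigns = dict(ASSIGN.findall(text))
    findings = [f"stray {name}= assignment outside FW_SERVICES_ACCEPT_EXT"
                for name in sorted(FLAG_NAMES & assigns.keys())]
    for entry in parse_entries(assigns.get("FW_SERVICES_ACCEPT_EXT", "")):
        if entry["empty_flag_field"]:
            findings.append(f"{entry['raw']} has an empty flags field")
    return findings

if __name__ == "__main__":
    for label, sample in (("intact", INTACT), ("mangled", MANGLED)):
        print(label, audit(sample))
```

Running `audit()` over the real file after each YaST or zypper session would surface the rewrite before the missing rate limit goes unnoticed.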