
SuSEfirewall2-3.6.312.333-7.1 RPM for noarch

From OpenSuSE Ports Leap 42.3 updates for noarch

Name: SuSEfirewall2
Distribution: openSUSE Leap 42.3
Version: 3.6.312.333
Vendor: openSUSE
Release: 7.1
Build date: Mon Nov 6 21:09:42 2017
Group: Productivity/Networking/Security
Build host: obs-power8-02
Size: 295792
Source RPM: SuSEfirewall2-3.6.312.333-7.1.src.rpm
Summary: Stateful Packet Filter Using iptables and netfilter

SuSEfirewall2 implements a packet filter that protects hosts and
routers by limiting which services or networks are accessible on the
host or via the router.

SuSEfirewall2 uses the iptables/netfilter packet filtering
infrastructure to create a flexible rule set for a stateful firewall.






* Thu Oct 19 2017
  - rpcinfo: fixed security issue with too open implicit portmapper rules
    (bnc#1064127, CVE-2017-15638): A source net restriction for _rpc_ services
    was not taken into account for the implicitly added rules for port 111,
    making the portmap service accessible to everyone in the affected zone.
* Fri Jul 28 2017
  - follow-up bugfix for bnc#946325:
    Removed bogus nfs alias units, added correct nfs-client target in
    The nfs alias units are false friends, because they don't fix the startup
    ordering between nfs and SuSEfirewall2.
    The missing nfs-client target could cause nfs mounts for nfs versions < 4.1
    to be unable to receive callbacks from the server, when the nfs client was
    started before the SuSEfirewall2 was started on boot.
    renamed 0002-fix-nfs-server-dependency.patch to
    0002-fix-nfs-dependencies.patch to fix both client and server issues
* Tue Jul 25 2017
  - correct boot order between SuSEfirewall2 and nfs-server to fix
    bnc#946325, bsc#963740. Without this fix the NFS server ports might not have
    been correctly opened after boot when both SuSEfirewall2 and nfs-server have
    been enabled in systemd.
* Mon Jul 17 2017
  - improve/fix consideration of sysctl values in the system (bnc#1044523).
    SuSEfirewall2 will now also check for existing configuration in sysctl.d
    style directories in some default locations. Custom directories can be
    configured via the new configuration variable FW_SYSCTL_PATHS. This is a
    follow-up to (bnc#906136).
* Thu May 04 2017
  Merged some lines from the factory spec file, to actually implement:
  - Install symlink to SuSEfirewall2 with the updated SUSE spelling
    (bsc#938727, FATE#316521)
* Tue Apr 25 2017
  Update to new version 3.6.312.333 from SLE12-SP3 branch:
  - implementation of feature FATE#316295: allow incremental update of rpc rules
* Thu Apr 13 2017
  Update to new version 3.6.312.330 from SLE12-SP3 branch:
  - Install symlink to SuSEfirewall2 with the updated SUSE spelling
    (bsc#938727, FATE#316521)
  - and SuSEfirewall2 have a loop, remove it bsc#961258
  - ignore the bootlock when incremental updates for hotplugged or virtual
    devices are coming in during boot. This prevents lockups for example when
    drbd is used with FW_BOOT_FULL_INIT. (bnc#785299)
  - support for IPv6 in FW_TRUSTED_NETS config variable. (bnc#841046)
  - don't log dropped broadcast IPv6 broadcast/multicast packets by default to
    avoid cluttering the kernel log. (bnc#847193)
  - only apply FW_KERNEL_SECURITY proc settings, if not overridden by the
    administrator in /etc/sysctl.conf (bnc#906136). This allows you to benefit
    from some of the kernel security settings, while overwriting others.
  - fixed a race condition in systemd unit files that could cause the
    SuSEfirewall2_init unit to sporadically fail, because /tmp was not
    there/writable yet. (bnc#1014987)
  - cooperate with libvirtd NAT guest networking (bsc#884398)
  - refurbished the documentation in /usr/share/doc. (bnc#884037)
  - allow mdns multicast packets input in unconfigured firewall setups (no zones
    configured) to make zeroconf setups (like avahi) work out of the box for
    typical desktops connecting via DSL/WiFi router scenarios. (bnc#959707)
  - increase security when sourcing external script files by checking file
    ownership and permissions first (to avoid sourcing untrusted files owned by
    non-root or world-writable)
  - don't enable FW_LO_NOTRACK by default any more, because it breaks expected
    behaviour in some scenarios (bnc#916771)
  - fixed 'SuSEfirewall showlog' functionality to be compatible with journalctl
* Fri Aug 15 2014
  - hosting moved to
  - added a sysvinit -> systemd conversion hack (bnc#891669)
* Thu Jul 31 2014
  - SuSEfirewall2, ACCEPT from services is a local variable, otherwise
    "ACCEPT" would be used as a service name (bnc#889406 bnc#889555 bnc#887040)
* Wed Jun 11 2014
* Tue May 27 2014
  - Allow incoming DHCPv6 replies, currently unlimited.
  - typo fix customary -> custom bnc#835677
* Fri Dec 27 2013
  - add perl-Net-DNS requires for "SuSEfirewall2 log" (bnc#856705)
* Wed Aug 21 2013
  - adjust service files so manual starts work better (bnc#819499)
* Mon May 06 2013
  - license update: GPL-2.0
    Various GPL-2.0 (only) licensed files
* Fri May 03 2013
  - clarify what the default is in FW_MASQ_NETS (bnc#817233)
  - removed the --rttl option in recent matches, as this could also be used by attackers (bnc#800719)
* Tue Jan 29 2013
  - do not add dependency information about YaST2 Second Stage (bnc#800365)
* Thu Jan 17 2013
  - fix default value docu for FW_PROTECT_FROM_INT (bnc#798834)
* Thu Dec 13 2012
  - move to /usr, remove init scripts
* Wed Dec 12 2012
  - adjust for starting via systemd service files
  - move lock files to /run
  - just CT instead of NOTRACK (bnc#793459)
* Tue Sep 11 2012
  - getdevinfo is gone as per commit 0c5ac93 (bnc#777271)
* Fri Jul 13 2012
  - honor FW_IPv6 setting also in debug mode (bnc#769411)
* Tue Jun 19 2012
  - fix logging in test mode
* Mon Jun 18 2012
  - allow icmpv6 in FW_SERVICES_*_*
* Mon Jun 18 2012
  - allow ICMPv6 Multicast Listener Query (bnc#767392)
* Tue May 29 2012
  - fix typo spotted by Frederic
* Wed Jan 18 2012
  - assume all interface names are correct (bnc#739084)
* Wed Dec 14 2011
  - fix forward masquerading (bnc#736205)
  - compat syntax for negated options no longer works (bnc#660156, bnc#731088)
  - enhance debug mode
* Mon Nov 07 2011
  - use /sbin/rpcinfo as /usr/sbin/rpcinfo is gone (bnc#727438)
* Wed Nov 02 2011
  - set SYSTEMD_NO_WRAP for status (bnc#727445)
* Fri Oct 14 2011
  - fix manual rcSuSEfirewall2 stop with systemd (bnc#717583)
* Tue Oct 04 2011
  - fix typo (bnc#721845)
  - atomic zone status writing
* Sat Sep 17 2011
  - Remove redundant tags/sections from specfile
* Wed Sep 07 2011
  - sanitize FW_ZONE_DEFAULT (bnc#716013)
  - add warning about iptables-batch to SuSEfirewall2-custom
  - fix warning about /proc/net/ip_tables_names not readable
  - don't install input rules for interfaces in default zone
  - Add hook fw_custom_after_finished
  - update FAQ (bnc#694464)
  - clean up overrides when stopping the firewall (bnc#630961)
  - change default FW_LOG_ACCEPT_CRIT to "no"
  - allow redir without port specification
  - make FW_SERVICES_{REJECT,DROP}_* take precedence before ACCEPT (bnc#671997)
  - fix zonein and zoneout parameters
  - fix reverse direction of forwarding rules (bnc#679192)
* Tue Feb 01 2011
  - introduce rpcusers file to allow statd to run as non-root
* Wed Jan 19 2011
  - add zonein and zoneout parameters for FW_FORWARD
  - fix typos
* Mon Jan 10 2011
  - don't start in runlevel 4 by default (bnc#656520)
  - cut off long zone names (bnc#644527)
  - fix and enhance output of log command (bnc#663262)
* Thu Dec 02 2010
  - don't unload rules when using systemd
* Tue Nov 16 2010
  - list some known rpc services as Should-Start
  - don't filter outgoing packets at all
  - fix an example (bnc#641907)
  - fix status check in SuSEfirewall2_init (bnc#628751)
* Mon Aug 16 2010
  - don't use fillup anymore as it keeps corrupting the config file
* Tue Jun 29 2010
  - remove "batch committing..." message
  - read defaults from separate file
  - warn if highports config options are set
  - finally drop 'highports' misfeature
  - remove kernel ipv6 module detection (bnc#617033)
  - silence warning about default zone (bnc#616841)
  - SuSEfirewall2-open: don't add values multiple times
  - Use multiprotocol xt_conntrack
* Mon May 31 2010
  - only directories in /sys/class/net are real interfaces (bnc#609810)
* Fri Mar 19 2010
  - add entry about drbd to FAQ
  - update docu
  - implement FW_BOOT_FULL_INIT
* Tue Feb 16 2010
  - use new versioning scheme after switch of repo to git
  - update and rebuild docu
  - remove really old rc.config conversion code from spec file
* Tue Sep 15 2009
  - fix spelling error in sysconfig file (bnc#537427)
  - polishing of log drop policy (bnc#538053)
    * drop multicast packets silently
    * separate drop rule for broadcast packets at end of chain
    * only consider NEW udp packets as critical
    * don't log INVALID packets as critical
* Fri Aug 21 2009
  - implement runtime override of interface zones
  - allow disabling NOTRACK rules on lo (bnc#519526)
* Fri Jul 17 2009
  - remove chkconfig calls (bnc#522268)
* Thu Jul 09 2009
  - add note about use as bridging firewall
  - allow to set FW_ZONE_DEFAULT via config file
  - deprecate fw_custom_before_antispoofing and
    fw_custom_after_antispoofing, use fw_custom_after_chain_creation
* Tue Jun 09 2009
  - add note that ulog doesn't work with IPv6 (bnc#442756)
  - fix version number in help text
  - allow service files to specify kernel modules and allow related packets
  - silence an error from bash if a service config file is not available (bnc#487870)
  - better wording for BROADCAST in template
  - update firewall hook script (patch by Marius)



Generated by rpm2html 1.8.1

Fabrice Bellet, Fri Jan 10 08:09:53 2020