That stinks!<br><br>RHEL/Fedora systems use comments as well in /etc/sysconfig/iptables but things "JustWork". Sounds like SLES tossed a wrench in their parser.<br><br><div class="gmail_quote">On Thu, Jan 10, 2013 at 3:23 PM, Beddingfield, Allen <span dir="ltr"><<a href="mailto:allen@ua.edu" target="_blank">allen@ua.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">If you have any SUSE Linux Enterprise 11 SP2 systems, you will want to pay careful attention to this one. I'm getting it submitted to SUSE as a bug report.<br>
<br>
When you go into the "firewall" module of yast and create custom rules, they are added to a line in /etc/sysconfig/SuSEfirewall2<br>
<br>
Once this patch is applied:<br>
v | SLES11-SP2-Updates | SuSEfirewall2 | 3.6_SVNr208-2.5.1 | 3.6_SVNr208-2.7.1<br>
<br>
A comment line gets thrown into the middle of your custom firewall rules. The next time the system is rebooted, the firewall does not start. If you aren't watching the console of your server, you won't know that your server has come up without the firewall running.<br>
<br>
Below is a before and after example of what I'm talking about (from /etc/sysconfig/SuSEfirewall2):<br>
<br>
Firewall rules before update:<br>
FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050<br>
10.0.0.0/255.0.0.0,udp,1645<br>
130.160.0.0/255.255.0.0,udp,1645<br>
10.0.0.0/255.0.0.0,udp,1646<br>
130.160.0.0/255.255.0.0,udp,1646<br>
130.160.4.150,udp,1645"<br>
<br>
Firewall rules after update:<br>
FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050<br>
<br>
## Type: string<br>
10.0.0.0/255.0.0.0,udp,1645<br>
130.160.0.0/255.255.0.0,udp,1645<br>
10.0.0.0/255.0.0.0,udp,1646<br>
130.160.0.0/255.255.0.0,udp,1646"<br>
<br>
As you can see, there is a comment line inserted in the middle of the rules. This prevents the firewall from starting. I can readily reproduce this problem on multiple systems. I really wish I had encountered this problem before deploying this patch, because I have a LOT of SLES systems….sigh.<br>
<br>
--<br>
Allen Beddingfield<br>
Systems Engineer<br>
The University of Alabama<br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>-- <br>James P. Kinney III<br><br>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><br><a href="http://electjimkinney.org" target="_blank">http://electjimkinney.org</a><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br>
</i>
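A small check for the breakage Allen describes, added here as an example and not part of the thread: it walks a sysconfig-style file, tracks whether a double-quoted value is still open across lines, and reports any comment line that falls inside one. The function name and the sample inputs (constructed from the before/after excerpts above) are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Scan a SuSEfirewall2-style
# /etc/sysconfig file for comment lines inside a multi-line quoted value.
# Exit status: 0 = clean, 1 = at least one comment inside an open quote.
check_sysconfig_quotes() {
    awk '
    # Count unescaped double quotes on a line; an odd count toggles state.
    function quote_count(s,    n, i, c) {
        n = 0
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "\\") { i++; continue }
            if (c == "\"") n++
        }
        return n
    }
    {
        # A "#" line while a quoted value is still open is the bad case.
        if (inside && $0 ~ /^[ \t]*#/) {
            printf("%s:%d: comment inside value opened at line %d\n", FILENAME, NR, open_line)
            bad = 1
        }
        if (quote_count($0) % 2 == 1) {
            inside = !inside
            if (inside) open_line = NR
        }
    }
    END { exit bad }
    ' "$1"
}
# Constructed samples modelled on the before/after excerpts in the thread.
sample_before() {
cat <<'EOF'
## Type: string
FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050
10.0.0.0/255.0.0.0,udp,1645
130.160.4.150,udp,1645"
EOF
}
sample_after() {
cat <<'EOF'
FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050

## Type: string
10.0.0.0/255.0.0.0,udp,1645
130.160.4.150,udp,1645"
EOF
}
```

Run it as `check_sysconfig_quotes /etc/sysconfig/SuSEfirewall2` after applying an update and before rebooting; a non-zero exit means the file has the pattern from the "after" excerpt.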