[ale] FYI - major bug in SUSE SLES 11 SP2 firewall update

Beddingfield, Allen allen at ua.edu
Thu Jan 10 15:23:54 EST 2013


If you have any SUSE Linux Enterprise 11 SP2 systems, you will want to pay careful attention to this one.  I'm getting it submitted so SUSE as a bug report.

When you go into the "firewall" module of yast and create custom rules, they are added to a line in /etc/sysconfig/SuSEfirewall2

Once this patch is applied:
v | SLES11-SP2-Updates    | SuSEfirewall2                   | 3.6_SVNr208-2.5.1      | 3.6_SVNr208-2.7.1

A comment line gets thrown into the middle of your custom firewall rules.  The next time the system is rebooted, the firewall does not start.  If you aren't watching the console of your server, you won't know that your server has come up without the firewall running.

Below is a before and after example of what I'm talking about (from /etc/sysconfig/SuSEfirewall2):

Firewall rules before update:
FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050
10.0.0.0/255.0.0.0,udp,1645
130.160.0.0/255.255.0.0,udp,1645
10.0.0.0/255.0.0.0,udp,1646
130.160.0.0/255.255.0.0,udp,1646
130.160.4.150,udp,1645"

Firewall rules after update:
FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050

## Type: string
10.0.0.0/255.0.0.0,udp,1645
130.160.0.0/255.255.0.0,udp,1645
10.0.0.0/255.0.0.0,udp,1646
130.160.0.0/255.255.0.0,udp,1646"

As you can see, there is a comment line inserted in the middle of the rules.  This prevents the firewall from starting.  I can readily reproduce this problem on multiple systems.  I really wish I had encountered this problem before deploying this patch, because I have a LOT of SLES systems….sigh.

--
Allen Beddingfield
Systems Engineer
The University of Alabama



More information about the Ale mailing list