[ale] FYI - major bug in SUSE SLES 11 SP2 firewall update

Jim Kinney jim.kinney at gmail.com
Thu Jan 10 15:43:03 EST 2013


That stinks!

RHEL/Fedora systems use comments as well in /etc/sysconfig/iptables but
things "JustWork". Sounds like SLES tossed a wrench in their parser.

On Thu, Jan 10, 2013 at 3:23 PM, Beddingfield, Allen <allen at ua.edu> wrote:

> If you have any SUSE Linux Enterprise 11 SP2 systems, you will want to pay
> careful attention to this one.  I'm getting it submitted to SUSE as a bug
> report.
>
> When you go into the "firewall" module of yast and create custom rules,
> they are added to a line in /etc/sysconfig/SuSEfirewall2
>
> Once this patch is applied:
> v | SLES11-SP2-Updates | SuSEfirewall2 | 3.6_SVNr208-2.5.1 | 3.6_SVNr208-2.7.1
>
> A comment line gets thrown into the middle of your custom firewall rules.
> The next time the system is rebooted, the firewall does not start.  If you
> aren't watching the console of your server, you won't know that your server
> has come up without the firewall running.
>
> Below is a before and after example of what I'm talking about (from
> /etc/sysconfig/SuSEfirewall2):
>
> Firewall rules before update:
> FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050
> 10.0.0.0/255.0.0.0,udp,1645
> 130.160.0.0/255.255.0.0,udp,1645
> 10.0.0.0/255.0.0.0,udp,1646
> 130.160.0.0/255.255.0.0,udp,1646
> 130.160.4.150,udp,1645"
>
> Firewall rules after update:
> FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050
>
> ## Type: string
> 10.0.0.0/255.0.0.0,udp,1645
> 130.160.0.0/255.255.0.0,udp,1645
> 10.0.0.0/255.0.0.0,udp,1646
> 130.160.0.0/255.255.0.0,udp,1646"
>
> As you can see, there is a comment line inserted in the middle of the
> rules.  This prevents the firewall from starting.  I can readily reproduce
> this problem on multiple systems.  I really wish I had encountered this
> problem before deploying this patch, because I have a LOT of SLES
> systems….sigh.
>
> --
> Allen Beddingfield
> Systems Engineer
> The University of Alabama
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>



-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://electjimkinney.org
http://heretothereideas.blogspot.com/
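An added example, not from the original post and not SUSE's own tooling: a shell check that scans a SuSEfirewall2-style sysconfig file for a comment line that has landed inside a multi-line double-quoted value, which is the condition Allen reports. It assumes shell-style NAME="..." assignments that may span several lines, with no escaped quotes, and the two embedded sample files are constructed from the before/after rules quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post or from SUSE: flag comment
# lines that sit inside a multi-line double-quoted value in a
# SuSEfirewall2-style sysconfig file (the breakage Allen describes).
# Assumptions: values are shell-style NAME="..." assignments that may span
# several lines, quotes are not escaped, and comments start with '#'.

# check_sfw2_config FILE
# Prints NAME:LINENO for each '#' line found inside an open quoted value.
# Returns 0 if the file is clean, 1 if at least one such line was found.
check_sfw2_config() {
    awk '
        # number of double quotes on a line; an odd count opens or closes a value
        function nquotes(s,  n) { n = gsub(/"/, "", s); return n }

        # outside a value: a NAME=" line with an odd quote count starts one
        !inval {
            if (match($0, /^[A-Za-z_][A-Za-z0-9_]*="/) && nquotes($0) % 2 == 1) {
                var = substr($0, 1, RLENGTH - 2)
                inval = 1
            }
            next
        }

        # inside a value: report comment lines, close on an odd quote count
        {
            if ($0 ~ /^[ \t]*#/) { printf "%s:%d\n", var, NR; bad = 1 }
            if (nquotes($0) % 2 == 1) inval = 0
        }

        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the pre-update rules from the post, which are fine.
sample_before() {
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
## Type: string
## Default: ""
FW_SERVICES_EXT_TCP="22"
FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050
10.0.0.0/255.0.0.0,udp,1645
130.160.0.0/255.255.0.0,udp,1645
10.0.0.0/255.0.0.0,udp,1646
130.160.0.0/255.255.0.0,udp,1646
130.160.4.150,udp,1645"
EOF
    printf '%s\n' "$f"
}

# Constructed sample: the post-update file with the stray "## Type: string"
# line inside the value.
sample_after() {
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
## Type: string
## Default: ""
FW_SERVICES_EXT_TCP="22"
FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050

## Type: string
10.0.0.0/255.0.0.0,udp,1645
130.160.0.0/255.255.0.0,udp,1645
10.0.0.0/255.0.0.0,udp,1646
130.160.0.0/255.255.0.0,udp,1646"
EOF
    printf '%s\n' "$f"
}

# With a file argument, check that file; otherwise run the two samples.
if [ $# -gt 0 ]; then
    check_sfw2_config "$1"
else
    for f in "$(sample_before)" "$(sample_after)"; do
        if check_sfw2_config "$f"; then echo "$f: clean"; else echo "$f: comment inside a quoted value"; fi
        rm -f "$f"
    done
fi
```

Run it as `sh check.sh /etc/sysconfig/SuSEfirewall2` right after the SuSEfirewall2 update is applied and before the reboot, so the damaged file is caught while the old rules are still loaded; the line number it prints is the comment line to delete. Since the post's point is that nobody notices the firewall silently not starting, pair the file check with a post-boot look at the live rule set (for example `iptables -S`) rather than trusting the config file alone.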