[ale] FYI - major bug in SUSE SLES 11 SP2 firewall update

Scott roninazure at gmail.com
Fri Jan 11 11:06:15 EST 2013


I have my servers registered with the SMT and patches are pushed to them on a schedule, like early morning. 

I've tried Suse Manager. The interface is nice, seems very intuitive.

Sent from my iPhone

On Jan 10, 2013, at 4:18 PM, "Beddingfield, Allen" <allen at ua.edu> wrote:

> Yeah, we still have unprotected subnets in some cases, and I pretty much
> keep up the software firewalls because I'm not so trusting of our border
> firewalls, based on past experiences.  How are you staging/applying your
> patches?  I have SMT, but have more recently started using SUSE Manager to
> manage updates.  
> Allen B.
> 
> -- 
> Allen Beddingfield
> Systems Engineer
> The University of Alabama
> 
> 
> 
> 
> On 1/10/13 3:12 PM, "Scott Steele" <roninazure at gmail.com> wrote:
> 
>> Thanks for the heads-up. This update was pushed in November. I took a
>> quick audit of my SLES SMT (Subscription Management Tool) server and
>> it appears it had downloaded this patch for my servers.  Thankfully I
>> haven't had to reboot any of them yet. One of the solutions would be
>> to turn off the firewall in Yast2 and let the corporate firewalls do
>> their job.
>> 
>> On Thu, Jan 10, 2013 at 3:43 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>>> That stinks!
>>> 
>>> RHEL/Fedora systems use comments as well in /etc/sysconfig/iptables but
>>> things "JustWork". Sounds like SLES tossed a wrench in their parser.
>>> 
>>> 
>>> On Thu, Jan 10, 2013 at 3:23 PM, Beddingfield, Allen <allen at ua.edu>
>>> wrote:
>>>> 
>>>> If you have any SUSE Linux Enterprise 11 SP2 systems, you will want to
>>>> pay careful attention to this one.  I'm getting it submitted to SUSE as
>>>> a bug report.
>>>> 
>>>> When you go into the "firewall" module of yast and create custom rules,
>>>> they are added to a line in /etc/sysconfig/SuSEfirewall2
>>>> 
>>>> Once this patch is applied:
>>>> v | SLES11-SP2-Updates | SuSEfirewall2 | 3.6_SVNr208-2.5.1 | 3.6_SVNr208-2.7.1
>>>> 
>>>> A comment line gets thrown into the middle of your custom firewall
>>>> rules.  The next time the system is rebooted, the firewall does not
>>>> start.  If you aren't watching the console of your server, you won't
>>>> know that your server has come up without the firewall running.
>>>> 
>>>> Below is a before and after example of what I'm talking about (from
>>>> /etc/sysconfig/SuSEfirewall2):
>>>> 
>>>> Firewall rules before update:
>>>> FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050
>>>> 10.0.0.0/255.0.0.0,udp,1645
>>>> 130.160.0.0/255.255.0.0,udp,1645
>>>> 10.0.0.0/255.0.0.0,udp,1646
>>>> 130.160.0.0/255.255.0.0,udp,1646
>>>> 130.160.4.150,udp,1645"
>>>> 
>>>> Firewall rules after update:
>>>> FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050
>>>> 
>>>> ## Type: string
>>>> 10.0.0.0/255.0.0.0,udp,1645
>>>> 130.160.0.0/255.255.0.0,udp,1645
>>>> 10.0.0.0/255.0.0.0,udp,1646
>>>> 130.160.0.0/255.255.0.0,udp,1646"
>>>> 
>>>> As you can see, there is a comment line inserted in the middle of the
>>>> rules.  This prevents the firewall from starting.  I can readily
>>>> reproduce this problem on multiple systems.  I really wish I had
>>>> encountered this problem before deploying this patch, because I have a
>>>> LOT of SLES systems... sigh.
>>>> 
>>>> --
>>>> Allen Beddingfield
>>>> Systems Engineer
>>>> The University of Alabama
>>>> 
>>>> _______________________________________________
>>>> Ale mailing list
>>>> Ale at ale.org
>>>> http://mail.ale.org/mailman/listinfo/ale
>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>> http://mail.ale.org/mailman/listinfo
>>> 
>>> 
>>> 
>>> 
>>> --
>>> --
>>> James P. Kinney III
>>> 
>>> Every time you stop a school, you will have to build a jail. What you
>>> gain at one end you lose at the other. It's like feeding a dog on his
>>> own tail. It won't fatten the dog.
>>> - Speech 11/23/1900 Mark Twain
>>> 
>>> http://electjimkinney.org
>>> http://heretothereideas.blogspot.com/
>>> 
>> 
> 
> 
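What I would run against /etc/sysconfig/SuSEfirewall2 on a patched box before its next reboot, as an added example (my own script, not anything from SUSE, SMT or the thread). It walks the file tracking open double quotes, flags any "#" line that lands inside a quoted value (the shell treats that as literal text, not a comment), shows that the ACCEPT list then no longer splits into three-field rules, and produces a repaired copy with only those stray lines removed. The sample config is the "after update" fragment from Allen's message plus one constructed FW_DEV_EXT line; the rule splitter approximates how the value is tokenised and is not SuSEfirewall2's real parser.

```python
"""Audit /etc/sysconfig/SuSEfirewall2 for comment lines that landed inside a
multi-line quoted value (the breakage described in the thread).

Added example, not SuSEfirewall2's own code.  SAMPLE_AFTER is the "after
update" fragment quoted in the post plus one constructed line (FW_DEV_EXT);
parse_rules() approximates the field split, it is not the real parser."""
import re
import sys

# Constructed sample: copied from the post, FW_DEV_EXT line added by me.
SAMPLE_AFTER = """\
## Type: string
FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050

## Type: string
10.0.0.0/255.0.0.0,udp,1645
130.160.0.0/255.255.0.0,udp,1645
10.0.0.0/255.0.0.0,udp,1646
130.160.0.0/255.255.0.0,udp,1646"
FW_DEV_EXT="eth0"
"""

# NAME="...  : start of a (possibly multi-line) double-quoted assignment.
ASSIGN_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)="(.*)$')


def scan_quoted_values(text):
    """Walk the file line by line, tracking when we are inside an open
    double-quoted value.  A '#' line in there is literal text to the shell,
    not a comment, so it is reported as a finding.

    Returns (findings, values): findings is a list of (var, lineno, line),
    values maps var -> raw value string with newlines preserved."""
    findings, values = [], {}
    current, buf = None, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if current is None:
            m = ASSIGN_RE.match(line)
            if not m:
                continue                    # real comment or unrelated line
            name, rest = m.groups()
            if rest.endswith('"'):
                values[name] = rest[:-1]    # single-line value
            else:
                current, buf = name, [rest] # value continues on later lines
            continue
        if line.lstrip().startswith('#'):
            findings.append((current, lineno, line))
        if line.endswith('"'):
            buf.append(line[:-1])
            values[current] = '\n'.join(buf)
            current, buf = None, []
        else:
            buf.append(line)
    if current is not None:                 # file ended inside a quote
        findings.append((current, None, '<unterminated quoted value>'))
    return findings, values


def parse_rules(value):
    """Split an FW_SERVICES_ACCEPT_* value into (source, proto, port) triples.
    Whitespace, newlines included, separates rules; a stray comment line
    yields tokens such as '##' with fewer than three fields and is rejected."""
    rules = []
    for token in value.split():
        fields = token.split(',')
        if len(fields) < 3:
            raise ValueError('malformed rule token %r' % token)
        rules.append(tuple(fields[:3]))
    return rules


def repair(text):
    """Return the text with comment lines that fall inside a quoted value
    dropped; genuine comments and everything else are left untouched."""
    bad = {ln for _, ln, _ in scan_quoted_values(text)[0] if ln is not None}
    kept = [l for i, l in enumerate(text.splitlines(), start=1) if i not in bad]
    return '\n'.join(kept) + '\n'


def audit(text):
    """Summarise a config: which variables have comments inside them, and
    whether each ACCEPT list still parses into well-formed rules."""
    findings, values = scan_quoted_values(text)
    report = {'comments_inside_values': findings, 'rules': {}}
    for name, value in values.items():
        if name.startswith('FW_SERVICES_ACCEPT_'):
            try:
                report['rules'][name] = parse_rules(value)
            except ValueError as exc:
                report['rules'][name] = 'BROKEN: %s' % exc
    return report


if __name__ == '__main__':
    # Usage: python audit_susefw2.py [/etc/sysconfig/SuSEfirewall2]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AFTER
    report = audit(text)
    for var, ln, line in report['comments_inside_values']:
        print('line %s: comment inside value of %s: %s' % (ln, var, line.strip()))
    for var, result in report['rules'].items():
        print('%s: %s' % (var, result))
```

Point it at the real file, diff the repaired output against the original before swapping it in, and keep in mind it only catches this one symptom; after the reboot still confirm on the console (or from a monitoring check) that the firewall actually came up, since the whole problem in the thread is that nothing else tells you.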