openSUSE:Leap:42.3:Staging:E
File SuSEfirewall2.changes of Package SuSEfirewall2
-------------------------------------------------------------------
Thu May 4 13:29:29 CEST 2017 - matthias.gerstner@suse.com

Merged some lines from the factory spec file, to actually implement:
- Install symlink to SuSEfirewall2 with the updated SUSE spelling
  (bsc#938727, FATE#316521)

-------------------------------------------------------------------
Tue Apr 25 11:47:01 UTC 2017 - matthias.gerstner@suse.com

Update to new version 3.6.312.333 from SLE12-SP3 branch:
- implementation of feature FATE#316295: allow incremental update of rpc rules

-------------------------------------------------------------------
Thu Apr 13 08:26:54 UTC 2017 - matthias.gerstner@suse.com

Update to new version 3.6.312.330 from SLE12-SP3 branch:
- Install symlink to SuSEfirewall2 with the updated SUSE spelling
  (bsc#938727, FATE#316521)
- basic.target and SuSEfirewall2 have a loop, remove it bsc#961258
- ignore the bootlock when incremental updates for hotplugged or virtual
  devices are coming in during boot. This prevents lockups for example
  when drbd is used with FW_BOOT_FULL_INIT. (bnc#785299)
- support for IPv6 in FW_TRUSTED_NETS config variable. (bnc#841046)
- don't log dropped broadcast IPv6 broadcast/multicast packets by default
  to avoid cluttering the kernel log. (bnc#847193)
- only apply FW_KERNEL_SECURITY proc settings, if not overridden by the
  administrator in /etc/sysctl.conf (bnc#906136). This allows you to
  benefit from some of the kernel security settings, while overwriting
  others.
- fixed a race condition in systemd unit files that could cause the
  SuSEfirewall2_init unit to sporadically fail, because /tmp was not
  there/writable yet. (bnc#1014987)
- cooperate with libvirtd NAT guest networking (bsc#884398)
- refurbished the documentation in /usr/share/doc. (bnc#884037)
- allow mdns multicast packets input in unconfigured firewall setups (no
  zones configured) to make zeroconf setups (like avahi) work out of the
  box for typical desktops connecting via DSL/WiFi router scenarios.
  (bnc#959707)
- increase security when sourcing external script files by checking file
  ownership and permissions first (to avoid sourcing untrusted files
  owned by non-root or world-writable)
- don't enable FW_LO_NOTRACK by default any more, because it breaks
  expected behaviour in some scenarios (bnc#916771)
- fixed 'SuSEfirewall showlog' functionality to be compatible with
  journalctl

-------------------------------------------------------------------
Fri Aug 15 16:02:46 UTC 2014 - meissner@suse.com

- hosting moved to github.com/opensuse/susefirewall2
- added a sysvinit -> systemd conversion hack (bnc#891669)

-------------------------------------------------------------------
Thu Jul 31 08:51:43 UTC 2014 - meissner@suse.com

- SuSEfirewall2, ACCEPT from services is a local variable, otherwise
  "ACCEPT" would be used as a service name (bnc#889406 bnc#889555 bnc#887040)

-------------------------------------------------------------------
Wed Jun 11 08:49:18 UTC 2014 - mt@suse.com

- Added ACCEPT to TEMPLATE using FW_SERVICES_ACCEPT

-------------------------------------------------------------------
Tue May 27 08:59:59 UTC 2014 - meissner@suse.com

- Allow incoming DHCPv6 replies, currently unlimited.
  bnc#867819,bnc#868031,bnc#783002,bnc#822959
- typo fix customary -> custom bnc#835677

-------------------------------------------------------------------
Fri Dec 27 11:13:55 UTC 2013 - meissner@suse.com

- add perl-Net-DNS requires for "SuSEfirewall2 log" (bnc#856705)

-------------------------------------------------------------------
Wed Aug 21 08:43:32 UTC 2013 - lnussel@suse.de

- adjust service files so manual starts work better (bnc#819499)

-------------------------------------------------------------------
Mon May 6 13:15:59 UTC 2013 - cfarrell@suse.com

- license update: GPL-2.0
  Various GPL-2.0 (only) licensed files

-------------------------------------------------------------------
Fri May 3 13:25:35 UTC 2013 - meissner@suse.com

- clarify what the default is in FW_MASQ_NETS (bnc#817233)
- removed the --rttl option in recent matches, as this could also be
  used by attackers (bnc#800719)

-------------------------------------------------------------------
Tue Jan 29 08:05:15 UTC 2013 - lnussel@suse.de

- do not add dependency information about YaST2 Second Stage (bnc#800365)

-------------------------------------------------------------------
Thu Jan 17 11:11:51 UTC 2013 - lnussel@suse.de

- fix default value docu for FW_PROTECT_FROM_INT (bnc#798834)

-------------------------------------------------------------------
Thu Dec 13 12:23:01 UTC 2012 - lnussel@suse.de

- move to /usr, remove init scripts

-------------------------------------------------------------------
Wed Dec 12 15:31:58 UTC 2012 - lnussel@suse.de

- adjust for starting via systemd service files
- move lock files to /run
- just CT instead of NOTRACK (bnc#793459)

-------------------------------------------------------------------
Tue Sep 11 08:29:41 UTC 2012 - lnussel@suse.de

- getdevinfo is gone as per commit 0c5ac93 (bnc#777271)

-------------------------------------------------------------------
Fri Jul 13 12:43:17 UTC 2012 - lnussel@suse.de

- honor FW_IPv6 setting also in debug mode (bnc#769411)

-------------------------------------------------------------------
Tue Jun 19 11:38:32 UTC 2012 - lnussel@suse.de

- fix logging in test mode

-------------------------------------------------------------------
Mon Jun 18 09:30:51 UTC 2012 - lnussel@suse.de

- allow icmpv6 in FW_SERVICES_*_*

-------------------------------------------------------------------
Mon Jun 18 09:24:18 UTC 2012 - lnussel@suse.de

- allow ICMPv6 Multicast Listener Query (bnc#767392)

-------------------------------------------------------------------
Tue May 29 13:16:20 UTC 2012 - lnussel@suse.de

- fix typo spotted by Frederic

-------------------------------------------------------------------
Wed Jan 18 14:17:19 UTC 2012 - lnussel@suse.de

- assume all interface names are correct (bnc#739084)

-------------------------------------------------------------------
Wed Dec 14 16:55:43 UTC 2011 - lnussel@suse.de

- fix forward masquerading (bnc#736205)
- compat syntax for negated options no longer works (bnc#660156, bnc#731088)
- enhance debug mode

-------------------------------------------------------------------
Mon Nov 7 10:56:04 UTC 2011 - lnussel@suse.de

- use /sbin/rpcinfo as /usr/sbin/rpcinfo is gone (bnc#727438)

-------------------------------------------------------------------
Wed Nov 2 15:27:04 UTC 2011 - lnussel@suse.de

- set SYSTEMD_NO_WRAP for status (bnc#727445)

-------------------------------------------------------------------
Fri Oct 14 09:46:33 UTC 2011 - lnussel@suse.de

- fix manual rcSuSEfirewall2 stop with systemd (bnc#717583)

-------------------------------------------------------------------
Tue Oct 4 14:53:13 UTC 2011 - lnussel@suse.de

- fix typo (bnc#721845)
- atomic zone status writing

-------------------------------------------------------------------
Sat Sep 17 10:25:23 UTC 2011 - jengelh@medozas.de

- Remove redundant tags/sections from specfile

-------------------------------------------------------------------
Wed Sep 7 11:38:14 UTC 2011 - lnussel@suse.de

- sanitize FW_ZONE_DEFAULT (bnc#716013)
- add warning about iptables-batch to SuSEfirewall2-custom
- fix warning about /proc/net/ip_tables_names not readable
- don't install input rules for interfaces in default zone
- Add hook fw_custom_after_finished
- update FAQ (bnc#694464)
- clean up overrides when stopping the firewall (bnc#630961)
- change default FW_LOG_ACCEPT_CRIT to "no"
- allow redir without port specification
- make FW_SERVICES_{REJECT,DROP}_* take precedence before ACCEPT (bnc#671997)
- fix zonein and zoneout parameters
- fix reverse direction of forwarding rules (bnc#679192)

-------------------------------------------------------------------
Tue Feb 1 13:16:53 UTC 2011 - lnussel@suse.de

- introduce rpcusers file to allow statd to run as non-root (bnc#668553)

-------------------------------------------------------------------
Wed Jan 19 14:04:48 UTC 2011 - lnussel@suse.de

- add zonein and zoneout parameters for FW_FORWARD
- fix typos

-------------------------------------------------------------------
Mon Jan 10 13:15:05 UTC 2011 - lnussel@suse.de

- don't start in runlevel 4 by default (bnc#656520)
- cut off long zone names (bnc#644527)
- fix and enhance output of log command (bnc#663262)

-------------------------------------------------------------------
Thu Dec 2 13:33:59 UTC 2010 - lnussel@suse.de

- don't unload rules when using systemd

-------------------------------------------------------------------
Tue Nov 16 15:01:04 UTC 2010 - lnussel@suse.de

- list some known rpc services as Should-Start
- don't filter outgoing packets at all
- fix an example (bnc#641907)
- fix status check in SuSEfirewall2_init (bnc#628751)

-------------------------------------------------------------------
Mon Aug 16 07:32:31 UTC 2010 - lnussel@suse.de

- don't use fillup anymore as it keeps corrupting the config file (bnc#340926)

-------------------------------------------------------------------
Tue Jun 29 12:20:30 UTC 2010 - lnussel@suse.de

- remove "batch committing..." message
- read defaults from separate file
- warn if highports config options are set
- finally drop 'highports' misfeature
- remove kernel ipv6 module detection (bnc#617033)
- silence warning about default zone (bnc#616841)
- SuSEfirewall2-open: don't add values multiple times
- Use multiprotocol xt_conntrack

-------------------------------------------------------------------
Mon May 31 08:11:54 UTC 2010 - lnussel@suse.de

- only directories in /sys/class/net are real interfaces (bnc#609810)

-------------------------------------------------------------------
Fri Mar 19 13:34:10 UTC 2010 - lnussel@suse.de

- add entry about drbd to FAQ
- update docu
- implement FW_BOOT_FULL_INIT

-------------------------------------------------------------------
Tue Feb 16 13:51:48 UTC 2010 - lnussel@suse.de

- use new versioning scheme after switch of repo to git
- update and rebuild docu
- remove really old rc.config conversion code from spec file

-------------------------------------------------------------------
Tue Sep 15 13:33:06 UTC 2009 - lnussel@suse.de

- fix spelling error in sysconfig file (bnc#537427)
- polishing of log drop policy (bnc#538053)
  * drop multicast packets silently
  * separate drop rule for broadcast packets at end of chain
  * only consider NEW udp packets as critical
  * don't log INVALID packets as critical

-------------------------------------------------------------------
Fri Aug 21 11:09:40 UTC 2009 - lnussel@suse.de

- implement runtime override of interface zones
- allow disabling NOTRACK rules on lo (bnc#519526)

-------------------------------------------------------------------
Fri Jul 17 10:04:48 UTC 2009 - lnussel@suse.de

- remove chkconfig calls (bnc#522268)

-------------------------------------------------------------------
Thu Jul 9 13:50:47 UTC 2009 - lnussel@suse.de

- add note about use as bridging firewall
- allow to set FW_ZONE_DEFAULT via config file
- deprecate fw_custom_before_antispoofing and fw_custom_after_antispoofing,
  use fw_custom_after_chain_creation instead

-------------------------------------------------------------------
Tue Jun 9 14:19:27 UTC 2009 - lnussel@suse.de

- add note that ulog doesn't work with IPv6 (bnc#442756)
- fix version number in help text
- allow service files to specify kernel modules and allow related packets
- silence an error from bash if a service config file is not available
  (bnc#487870)
- better wording for BROADCAST in template
- update firewall hook script (patch by Marius)

-------------------------------------------------------------------
Thu Nov 6 13:18:31 CET 2008 - lnussel@suse.de

- check whether IPv6 support is available when stopping the firewall
  (bnc#442118)
- point to correct path for service files (bnc#425187)

-------------------------------------------------------------------
Wed Oct 15 15:50:36 CEST 2008 - lnussel@suse.de

- check status of SuSEfirewall2 without triggering module load (bnc#435653)
- add missing iptables-batch commitpoint for IPv4

-------------------------------------------------------------------
Tue Sep 30 10:48:19 CEST 2008 - lnussel@suse.de

- don't modify the ip local port range
- allow negated rules via ! in FW_FORWARD_MASQ (bnc#413046)
- explain some common pitfalls around FW_SERVICES_ACCEPT_EXT
- SuSEfirewall2_init: don't fail if /usr is not available (bnc#429899)

-------------------------------------------------------------------
Tue Sep 2 11:22:53 CEST 2008 - lnussel@suse.de

- fix "recent" match (bnc#421806)

-------------------------------------------------------------------
Mon Aug 25 01:44:41 CEST 2008 - ro@suse.de

- remove outdated start variables from fillup_and_insserv call

-------------------------------------------------------------------
Thu Jul 31 19:21:51 CEST 2008 - werner@suse.de

- Make boot script know about new upcoming startpar and insserv

-------------------------------------------------------------------
Tue Jul 22 10:48:18 CEST 2008 - lnussel@suse.de

- add NOTRACK/raw table support (fate#978788)

-------------------------------------------------------------------
Mon Jul 14 09:32:40 CEST 2008 - lnussel@suse.de

- use correct rules to accept RELATED icmpv6 packets (bnc#396667)

-------------------------------------------------------------------
Mon Jun 30 17:27:30 CEST 2008 - lnussel@suse.de

- allow empty protocol in FW_SERVICES_ACCEPT_RELATED, FW_SERVICES_REJECT,
  FW_SERVICES_DROP, FW_SERVICES_ACCEPT (bnc#376758)

-------------------------------------------------------------------
Tue Apr 22 11:10:10 CEST 2008 - lnussel@suse.de

- accept icmp RELATED packets (bnc#382004)

-------------------------------------------------------------------
Thu Apr 17 14:55:17 CEST 2008 - lnussel@suse.de

- sysconfig file documentation improvements

-------------------------------------------------------------------
Fri Apr 4 10:06:20 CEST 2008 - lnussel@suse.de

- remove X-UnitedLinux tags from init scripts
- update links in docu
- auto detect bridge interfaces and permit traffic

-------------------------------------------------------------------
Fri Mar 28 14:39:59 CET 2008 - lnussel@suse.de

- fix typo in comment (bnc#350651)
- don't check for /proc/net/stat/nf_conntrack when checking for ipv6 support
- allow to ignore certain broadcasts even if broadcasts in general are
  allowed which is the expected behavior
- change handling of RELATED packets and make that configurable (fate#300970)

-------------------------------------------------------------------
Wed Nov 28 12:13:31 CET 2007 - lnussel@suse.de

- don't reject port 113 by default anymore (#344337)

-------------------------------------------------------------------
Tue Aug 7 14:56:41 CEST 2007 - lnussel@suse.de

- use hwdesc2iface to convert old eth-id-* and eth-bus-* interface
  specifications to actual interface names.

-------------------------------------------------------------------
Mon Aug 6 16:22:44 CEST 2007 - lnussel@suse.de

- don't try to load ip6tables modules if ipv6 is disabled (#297621)

-------------------------------------------------------------------
Fri Jul 6 15:27:53 CEST 2007 - lnussel@suse.de

- New configuration options: FW_NOMASQ_NETS, FW_FORWARD_REJECT,
  FW_FORWARD_DROP

-------------------------------------------------------------------
Thu Jun 21 09:18:42 CEST 2007 - lnussel@suse.de

- manually move SuSEfirewall2_init from boot.d to runlevel directory
  (#285872)

-------------------------------------------------------------------
Mon Jun 18 17:05:55 CEST 2007 - lnussel@suse.de

- start SuSEfirewall2_init as normal init script rather than during boot.d

-------------------------------------------------------------------
Wed Jun 13 16:45:51 CEST 2007 - lnussel@suse.de

- move removing the boot lock file from init script to /sbin/SuSEfirewall2
- add separate bootlock and bootunlock actions
- use if-up script instead of NetworkManager specific script

-------------------------------------------------------------------
Fri Mar 23 14:01:14 CET 2007 - lnussel@suse.de

- enhance FW_ALLOW_CLASS_ROUTING to allow routing in specific zones only
- prevent unintended inter-class routing when masquerading is enabled on
  multiple interfaces in the same zone
- disable extra rules for established/related icmp packets as those are
  useless
- accept icmpv6 in the OUTPUT chain to avoid excessive errors in log
- add IPv6 support for FW_ALLOW_CLASS_ROUTING and FW_FORWARD

-------------------------------------------------------------------
Thu Mar 8 11:45:44 CET 2007 - lnussel@suse.de

- remove checks for binaries that are not required anymore anyways
- fix package dependencies

-------------------------------------------------------------------
Thu Mar 1 16:50:12 CET 2007 - lnussel@suse.de

- use /etc/sysconfig/SuSEfirewall2.d/services (#247352)

-------------------------------------------------------------------
Thu Feb 22 13:14:02 CET 2007 - sbrabec@suse.cz

- Removed directory ownership of /usr/share/SuSEfirewall2* (#247435).

-------------------------------------------------------------------
Tue Feb 13 09:58:55 CET 2007 - lnussel@suse.de

- fix FW_DEV_* not working (#244917)

-------------------------------------------------------------------
Mon Feb 12 12:16:42 CET 2007 - lnussel@suse.de

- use /sys/class/net instead of /proc/sys/net/ipv[46]/conf/ to determine
  whether an interface exists. Side effect: interfaces without ip also
  get filtering rules
- read FW_ZONE variable from ifcfg files for interfaces that are not
  listed in FW_DEV_*
- always use default zone for interfaces that are neither listed in
  FW_DEV_* nor have FW_ZONE set
- FW_DEV_*="any" sets default zone
- FW_MASQ_DEV="$FW_DEV_EXT" does not work with ifcfg method of specifying
  a zone. Use FW_MASQ_DEV="zone:ext" instead.
- remove old interface autodetection code
- add a name tag to meta info of service template
- fix some typos found by Eric Auer
- set version to 3.6

-------------------------------------------------------------------
Wed Nov 15 13:55:23 CET 2006 - lnussel@suse.de

- only log errors in the output chain if logging is actually enabled
  (#219108)

-------------------------------------------------------------------
Wed Sep 20 14:50:34 CEST 2006 - lnussel@suse.de

- honor zone specific FW_REJECT_* variables and reject instead of dropping
  packets from the internal zone by default (#147263)
- fix wrong default value in sysconfig metadata for FW_SERVICES_ACCEPT_EXT

-------------------------------------------------------------------
Sun Aug 13 16:27:42 CEST 2006 - ro@suse.de

- remove update-messages

-------------------------------------------------------------------
Wed Jul 19 16:42:37 CEST 2006 - lnussel@suse.de

- add support for ipt_recent (#104602)

-------------------------------------------------------------------
Mon Jul 17 11:08:54 CEST 2006 - lnussel@suse.de

- add support for service configuration files in
  /usr/share/SuSEfirewall2/services via FW_CONFIGURATIONS_* (fate #300687)
- support alternative logging targets (#180078)
- start version 3.5

-------------------------------------------------------------------
Tue Jun 6 09:16:53 CEST 2006 - lnussel@suse.de

- install rule for interface 'any' last in order to make it work with
  additional zones like DMZ (#181308)

-------------------------------------------------------------------
Mon May 22 13:39:38 CEST 2006 - lnussel@suse.de

- fix FW_FORWARD not working with ipsec flag (#170530)

-------------------------------------------------------------------
Thu Mar 30 11:13:22 CEST 2006 - lnussel@suse.de

- don't change igmp_max_memberships, correct docu for FW_KERNEL_SECURITY
  (#162086)

-------------------------------------------------------------------
Tue Mar 28 16:19:52 CEST 2006 - lnussel@suse.de

- introduce FW_FORWARD_ALWAYS_INOUT_DEV for use with XEN (#154133)

-------------------------------------------------------------------
Mon Mar 6 16:32:34 CET 2006 - lnussel@suse.de

- log and drop multicast packets separately in order to prevent flooding
  other log targets (#155326)

-------------------------------------------------------------------
Thu Mar 2 14:51:26 CET 2006 - lnussel@suse.de

- don't try to use v6 state matching if /proc/net/stat/nf_conntrack
  doesn't exist as it won't work without (#151776)
- reject v6 packets by default to avoid timeouts (#145758)

-------------------------------------------------------------------
Mon Feb 20 14:23:57 CET 2006 - lnussel@suse.de

- allow FW_FORWARD_MASQ without FW_MASQ_NETS (#151795)

-------------------------------------------------------------------
Fri Feb 3 15:03:56 CET 2006 - lnussel@suse.de

- add dispatcher script for NetworkManager (#147671)

-------------------------------------------------------------------
Wed Feb 1 15:52:05 CET 2006 - lnussel@suse.de

- also check for xt_state to finally get IPv6 state matching again (#145758)

-------------------------------------------------------------------
Wed Jan 25 21:45:39 CET 2006 - mls@suse.de

- converted neededforbuild to BuildRequires

-------------------------------------------------------------------
Tue Jan 10 13:46:59 CET 2006 - lnussel@suse.de

- don't change setting for ECN and TCP syncookies as those are already
  configurable via /etc/sysconfig/sysctl

-------------------------------------------------------------------
Tue Jan 3 11:12:03 CET 2006 - lnussel@suse.de

- fix initscript status reporting (#124869)

-------------------------------------------------------------------
Mon Aug 1 16:35:03 CEST 2005 - lnussel@suse.de

- fall back to normal iptables if iptables-batch fails
- always add ip6tables drop rule in case REJECT doesn't work for some reason

-------------------------------------------------------------------
Mon Aug 1 10:19:21 CEST 2005 - lnussel@suse.de

- don't load ftp conntrack modules by default

-------------------------------------------------------------------
Wed Jul 20 15:48:43 CEST 2005 - lnussel@suse.de

- discard errors from rpcinfo as some people don't have it running all
  the time
- don't print warning if ipv6 support is disabled
- mark FW_ALLOW_INCOMING_HIGHPORTS_* as deprecated
- permit empty port in FW_TRUSTED_NETS
- fix FW_ALLOW_INCOMING_HIGHPORTS_UDP

-------------------------------------------------------------------
Mon May 9 15:00:25 CEST 2005 - lnussel@suse.de

- fix check for iptables-batch

-------------------------------------------------------------------
Fri Apr 22 11:17:28 CEST 2005 - lnussel@suse.de

- use iptables-batch by default if available
- use full path to getopt and logger (#76703)
- fix FW_ALLOW_CLASS_ROUTING (#75319)
- start version 3.4

-------------------------------------------------------------------
Wed Mar 16 14:02:57 CET 2005 - lnussel@suse.de

- include all sysctl in FW_KERNEL_SECURITY (#61429)
- allow basic IPv6 tcp and icmp despite missing conntrack (#72865)

-------------------------------------------------------------------
Mon Mar 14 14:51:23 CET 2005 - lnussel@suse.de

- fix rejecting of IPv6 packets if state matching is not available (#72414)
- fix "any" interface (#72428)
- fix docu stylesheet to make programlistings have a grey background again

-------------------------------------------------------------------
Fri Mar 11 17:19:01 CET 2005 - lnussel@suse.de

- install desktop file to integrate docu in susehelp

-------------------------------------------------------------------
Tue Mar 1 16:59:50 CET 2005 - lnussel@suse.de

- support forwarding of decrypted IPsec packets independent of
  FW_IPSEC_TRUST (#66664)

-------------------------------------------------------------------
Mon Feb 21 11:39:58 CET 2005 - lnussel@suse.de

- reorder rule creation to keep window where packets are dropped small
- fix missing space at some log messages

-------------------------------------------------------------------
Fri Feb 18 14:20:06 CET 2005 - lnussel@suse.de

- add port to FW_FORWARD reply packet match rule

-------------------------------------------------------------------
Thu Feb 17 17:01:36 CET 2005 - lnussel@suse.de

- cleanup and enhance docu

-------------------------------------------------------------------
Thu Feb 3 16:53:20 CET 2005 - lnussel@suse.de

- disable workaround for #46818
- use proof-read text for broadcast update message

-------------------------------------------------------------------
Tue Feb 1 13:12:32 CET 2005 - lnussel@suse.de

- parse zones before interface evaluation
- convert broadcast variables to new syntax
- add update message for broadcast variable conversion
- remove more obsolete variables from config file

-------------------------------------------------------------------
Fri Jan 28 18:18:04 CET 2005 - lnussel@suse.de

- fix init script requires tag (#50231)

-------------------------------------------------------------------
Wed Jan 26 14:04:42 CET 2005 - lnussel@suse.de

- add note about inconsistent iptables behavior (#49739)
- allow protocols without port in FW_DROP*
- make warnings about deprecated variables more specific
- allow to define additional zones through FW_ZONES
- remove FW_ALLOW_FW_TRACEROUTE from config file

-------------------------------------------------------------------
Tue Jan 11 17:39:40 CET 2005 - lnussel@suse.de

- implement FW_SERVICES_ACCEPT_*
- allow source port in FW_SERVICES_{REJECT,DROP}
- recognise special protocol _rpc_ in FW_SERVICES_{ACCEPT,REJECT,DROP}_*
- do not load ipv6 modules if FW_IPv6=no (#47545)
- add -q (quiet) option, used during boot
- don't warn if FW_MASQ_NETS is set to default 0/0
- create boot lock file in SuSEfirewall2_init to prevent useless firewall
  starts in rcnetwork (#49068)
- use only SuSEfirewall2_init and ..._setup during boot
- run SuSEfirewall2_init before entering runlevel already

-------------------------------------------------------------------
Wed Dec 8 17:15:01 CET 2004 - lnussel@suse.de

- move qdisc settings into separate file
- do not call "ip" anymore as ip addresses are not used anyway
- drop tos settings
- reduce log messages for dropped icmp packets

-------------------------------------------------------------------
Tue Dec 7 15:44:48 CET 2004 - lnussel@suse.de

- do not rely on int, ext, dmz anymore
- PROTECT_FROM_INTERNAL -> PROTECT_FROM_$zone
- fix replies to forwarded packets (#48793)
- split broadcast stuff into separate zone specific variables
- only create rules for zones that are actually needed => less rules,
  less forks, more speed.
- remove traces of personal-firewall

-------------------------------------------------------------------
Thu Dec 2 18:16:49 CET 2004 - lnussel@suse.de

- remove icmp output rules
- first steps toward configurable zones
- match redirected packets with fwmark so the port does not need to be
  opened (Carl-Daniel)
- drop auto protect and anti spoof stuff

-------------------------------------------------------------------
Wed Dec 1 17:04:56 CET 2004 - lnussel@suse.de

- more cleanup
- add temporary workaround for #46818
- set version to 3.3

-------------------------------------------------------------------
Tue Sep 28 23:05:51 CEST 2004 - schwab@suse.de

- Fix typo in last change.

-------------------------------------------------------------------
Tue Sep 28 18:20:10 CEST 2004 - lnussel@suse.de

- finally allow ESTABLISHED,RELATED tcp and udp always to fix problems
  with DHCP (#46237)

-------------------------------------------------------------------
Mon Sep 27 15:38:33 CEST 2004 - lnussel@suse.de

- some typo fixes from Volker Kuhlmann
- add feature FW_DEV_EXT=any to prevent common pitfall of packets on
  unconfigured interfaces being dropped (#46164, #46168)

-------------------------------------------------------------------
Wed Sep 22 11:39:36 CEST 2004 - lnussel@suse.de

- fix opening of ports in zones other than external (#45776)

-------------------------------------------------------------------
Mon Sep 20 12:17:31 CEST 2004 - lnussel@suse.de

- better detection if state matching is supported
- really don't use REJECT if ip6tables has no reject target
- fix debug mode
- fix output log message

-------------------------------------------------------------------
Tue Sep 14 15:23:04 CEST 2004 - lnussel@suse.de

- do not set ip_conntrack_max (#44846)

-------------------------------------------------------------------
Tue Sep 14 12:48:52 CEST 2004 - lnussel@suse.de

- add 'open' parameter to have SuSEfirewall open the specified services

-------------------------------------------------------------------
Fri Sep 3 16:18:00 CEST 2004 - lnussel@suse.de

- do not run ip6tables if network in FW_SERVICES_{REJECT,DROP}_* looks
  like an IPv4 address and vice versa.
- add "on" and "off" commandline parameters to quickly add and remove the
  initscripts together with starting and stopping the firewall.

-------------------------------------------------------------------
Mon Aug 30 17:02:27 CEST 2004 - lnussel@suse.de

- set FW_MASQ_DEV to zero if personal-firewall is enabled without
  masquerading (#44076)

-------------------------------------------------------------------
Mon Aug 30 16:06:31 CEST 2004 - lnussel@suse.de

- support individual services in FW_ALLOW_FW_BROADCAST (#44393)
- always also open portmapper port if any rpc services are to be opened
- fix $AWK not set in quickmode

-------------------------------------------------------------------
Thu Aug 26 12:07:26 CEST 2004 - lnussel@suse.de

- allow related connections even in 'close' mode to allow DNS replies
  during boot (#44202, #44268)
- add net parameter to FW_SERVICES_DROP_* and FW_SERVICES_REJECT_*
- set default log limit to 3/minute
- remove accidentally slipped in default drop of ssh
- fix typo: "will used" -> "will be used"

-------------------------------------------------------------------
Mon Aug 23 12:25:07 CEST 2004 - lnussel@suse.de

- initial stateful IPv6 support
- rephrase more comments in sysconfig file
- use new update message mechanism (#44041)
- new parameter 'log' to display firewall related log messages
- don't install perl helper scripts with executable bits set to not
  depend on perl

-------------------------------------------------------------------
Thu Aug 12 14:34:11 CEST 2004 - lnussel@suse.de

- use perl helper script to determine ports of RPC services. Services
  that did not open their port as root are ignored.

-------------------------------------------------------------------
Fri Aug 6 15:55:22 CEST 2004 - lnussel@suse.de

- major cleanup
- use ipsec policy match to match ipsec packets
- use pkttype to match broadcast packets
- new variables: FW_LOG_LIMIT, FW_SERVICES_DROP_EXT, FW_SERVICES_REJECT_EXT
- obsolete: FW_SERVICE_DHCLIENT, FW_SERVICE_DHCPD, FW_SERVICE_SAMBA
- switch autoprotect and protect from internal off by default

-------------------------------------------------------------------
Wed May 26 12:17:26 CEST 2004 - lnussel@suse.de

- drop special support for named and squid, the stateful rules should
  suffice
- fix icmp usage in FW_MASQ_NETS (patch by Carl-Daniel Hailfinger)
- don't send mail about changed FW_LOG if FW_LOG was empty
- remove comment about kernel 2.4 (#40127)
- consider kernel 2.7 as supported

-------------------------------------------------------------------
Wed May 5 13:04:51 CEST 2004 - lnussel@suse.de

- make masquerading work when external interface is set to "auto" (#39914)

-------------------------------------------------------------------
Wed Mar 31 12:18:19 CEST 2004 - lnussel@suse.de

- use getcfg-interface to support config names in FW_DEV_EXT, FW_DEV_INT,
  FW_DEV_DMZ, FW_MASQ_DEV and FW_HTB_TUNE_DEV (#37643).

-------------------------------------------------------------------
Tue Mar 16 12:19:32 CET 2004 - lnussel@suse.de

- replace FW_LOG in sysconfig file with default value and send a notify
  mail to root (#36066)
- getconfig-interface was renamed to getcfg-interface, so call that one
  in SuSEfirewall2-autointerface.sh (#36067)

-------------------------------------------------------------------
Thu Feb 26 16:16:42 CET 2004 - lnussel@suse.de

- determine dynamic portnumbers for RPC services to be able to run e.g.
  an nfs server in a firewalled zone (SuSEfirewall2-3.1-rpcserver.diff,
  #32033)

-------------------------------------------------------------------
Mon Feb 16 18:21:59 CET 2004 - lnussel@suse.de

- allow IPsec packets to be trusted (SuSEfirewall2-ipsec.diff)

-------------------------------------------------------------------
Mon Feb 16 14:35:43 CET 2004 - lnussel@suse.de

- allow to change IPv6 policy independent of IPv4
  (SuSEfirewall2-3.1-close-ipv6.diff).
- change handling of broadcasts. Allow them on internal interfaces per
  default (SuSEfirewall2-noantispoof.diff).
- rely on rp_filter instead of generating anti-spoofing rules
  (SuSEfirewall2-noantispoof.diff).
- optional automatic detection of external and internal interface
  (SuSEfirewall2-auto.diff).
- use stateful filtering to allow related incoming tcp and udp packets on
  any port (SuSEfirewall2-highports.diff).
- update SuSEfirewall2-3.1-newlog.diff: don't add logging options in
  sysconfig file but instead use default if empty.

-------------------------------------------------------------------
Fri Feb 6 17:45:31 CET 2004 - lnussel@suse.de

- clean up spec file
- get rid of compatibility stuff for <= 8.0
- build as user
- merge some patches
- install files with less paranoid permissions

-------------------------------------------------------------------
Mon Jan 12 15:31:15 CET 2004 - ug@suse.de

- static quantum added in the HTB patch to avoid a warning about a too
  small quantum calculated automatically
- deleting qdisc before creating new one to avoid warning on second start
  with no stop in-between

-------------------------------------------------------------------
Fri Oct 24 17:22:33 CEST 2003 - garloff@suse.de

- Use logging prefixes with more information.

-------------------------------------------------------------------
Fri Oct 24 16:49:35 CEST 2003 - garloff@suse.de

- Don't use REJECT target for IPv6.

-------------------------------------------------------------------
Fri Oct 24 15:22:00 CEST 2003 - garloff@suse.de

- #32032: When closing down IPv6, we do a bit too much. As local host
  resolves to ::1, we should allow traffic on lo to not break mozilla.
- #30789: Disable warning about not running named. named does only need
  port 53 in many configs and then the warning is bogus.

-------------------------------------------------------------------
Sat Sep 20 22:48:14 CEST 2003 - garloff@suse.de

- #27661: Close down IPv6 traffic as we can not yet filter it.
- Patch to detect conflicts in antispoofing rules between ipsec
  interfaces in internal networks and external interfaces.
- Fix one bug with logging logic.
- Start SuSEfirewall2_setup after named. (#30789)

-------------------------------------------------------------------
Sat Sep 20 22:23:31 CEST 2003 - garloff@suse.de

- #27316: Fix determination of external interface in Personal-Firewall
  Mode.

-------------------------------------------------------------------
Tue Sep 2 01:03:23 CEST 2003 - mmj@suse.de

- Add sysconfig metadata [#28808]

-------------------------------------------------------------------
Thu Jul 31 16:34:07 CEST 2003 - kukuk@suse.de

- serial was renamed to setserial [Bug #28353]

-------------------------------------------------------------------
Mon Mar 24 16:31:52 CET 2003 - garloff@suse.de

- Dec 30 change was too restrictive. Instead fix log messages. [bug #25453]

-------------------------------------------------------------------
Tue Mar 11 16:03:19 CET 2003 - garloff@suse.de

- Fix for optional rate limiting (HTB) feature: In full mode, the
  qdisc_settings need to be redone after the last TOS settings.
  Contributed by Uwe Gansert.

-------------------------------------------------------------------
Mon Mar 10 15:37:04 CET 2003 - garloff@suse.de

- Return 6 if no interface is specified.
[bug #24438] ------------------------------------------------------------------- Fri Feb 21 18:40:51 CET 2003 - garloff@suse.de - Put metadata also in personal-firewall sysconfig. ------------------------------------------------------------------- Fri Feb 21 18:04:38 CET 2003 - garloff@suse.de - Change sysconfig metadata path to Network/Firewall/SuSEfirewall2 [bug #23878] - Integrate optional support for limiting the rate of outgoing packets. Contributed by Uwe Gansert. ------------------------------------------------------------------- Thu Feb 6 10:50:29 CET 2003 - garloff@suse.de - Add Obsoletes & Provides: SuSEfirewall [#19561] ------------------------------------------------------------------- Thu Jan 23 17:47:36 CET 2003 - garloff@suse.de - Add sysconfig metainfo. [#22586] ------------------------------------------------------------------- Tue Jan 21 21:25:36 CET 2003 - garloff@suse.de - Path in comment in sysconfig file to custom rules was wrong. [bug #21651] - Sort SuSEfirewall2_final to the end. ------------------------------------------------------------------- Mon Dec 30 17:34:04 CET 2002 - garloff@suse.de - Fix reversed logic in evaluation on ALLOW_INCOMING_HIGHPORTS_TCP. Thanks to Gernot Hillier for analyzing and reporting. ------------------------------------------------------------------- Wed Oct 30 18:03:44 MET 2002 - garloff@suse.de - Fix masquerading in quick mode/pfw compat mode. - custom_before_port_handling back to old name (for compatibility), new custom_after_antospoofing() function instead. 
------------------------------------------------------------------- Mon Oct 21 18:26:34 CEST 2002 - draht@suse.de - SuSEfirewall2-3.1.personal-firewall-compat.diff changed to remove error in testing for interfaces in REJECT_ALL_INCOMING_CONNECTIONS ------------------------------------------------------------------- Tue Oct 15 12:52:00 MEST 2002 - garloff@suse.de - When using FW_SERVICES_QUICK, the log messages could log packets which in the end are not dropped. - Try to handle exotic protocols (Appletalk), #20414. - Move custom_before_port_handling before we split the rulechains into input_XXX and forward_XXX and introduce custom_after_port _handling at old position. ------------------------------------------------------------------- Sun Oct 6 01:05:18 MEST 2002 - garloff@suse.de - Consolidate patches: * Integrate fixes for FW_SERVICES_QUICK in it * Integrate fixes for service_noext in it * DEV_IP parsing is obsolete because of fix-parse-bcast - Restrict DHCP by specifying interface in INPUT chain rather than putting rules in input_XXX chains: Broadcasts did not get there. - Fix spec file for SL 8.0. ------------------------------------------------------------------- Thu Oct 3 11:51:35 MEST 2002 - garloff@suse.de - Create input/forward rulechains before inserting special services on them. Mea maxima culpa. Fixes bug #20093. - Shorten too long log prefix. ------------------------------------------------------------------- Thu Oct 3 11:19:00 MEST 2002 - garloff@suse.de - Explicitly require #!/bin/bash. ------------------------------------------------------------------- Wed Oct 2 19:03:30 MEST 2002 - garloff@suse.de - Fix iptables usage error for FW_SERVICE_QUICK_XXX. ------------------------------------------------------------------- Wed Oct 2 16:40:02 MEST 2002 - garloff@suse.de - Fix more parsing issues: Use read instead of awk (much faster) and handle interfaces without braodcast address. 
[Bug #20414] ------------------------------------------------------------------- Wed Oct 2 11:34:32 MEST 2002 - garloff@suse.de - Fix split of adress/netmasks for masqueraded nets. [Bug #20093] ------------------------------------------------------------------- Sun Sep 15 17:39:51 CEST 2002 - draht@suse.de - added missing -j option to iptables. Fix in SuSEfirewall2-3.1.correct-reject.diff ------------------------------------------------------------------- Wed Sep 11 01:57:54 CEST 2002 - draht@suse.de - bug in interface address parsing from ifconfig output (#19384) ------------------------------------------------------------------- Sun Sep 8 14:21:47 CEST 2002 - kukuk@suse.de - Add "Provides: personal-firewall" [Bug #19097] ------------------------------------------------------------------- Thu Sep 5 14:06:11 MEST 2002 - garloff@suse.de - Fix syntax error in pers-fw part. ------------------------------------------------------------------- Thu Sep 5 13:53:34 MEST 2002 - garloff@suse.de - Merge personal-firewall compatibility fixes from draht. ------------------------------------------------------------------- Thu Sep 5 13:40:57 MEST 2002 - garloff@suse.de - Allow DHClient in all networks even for "yes". ------------------------------------------------------------------- Thu Sep 5 12:30:51 MEST 2002 - garloff@suse.de - Fix bug #18336: * The switches FW_SERVICE_DNS, FW_SERVICE_DHCLIENT, FW_SERVICE_ DHCPD, FW_SERVICE_SQUID and FW_SERVICE_SAMBA, as well as the magical FW_SERVICE_AUTODETECT have four possible values now. * no: not open (unchanged) * yes: open to internal networks (formerly: to all) * dmz: open to internal and DMZ networks (new) * ext: open to everywhere (new, corresponds to old yes) ------------------------------------------------------------------- Thu Sep 5 11:26:37 MEST 2002 - garloff@suse.de - Fix rcSuSEfirewall2 status report (it probes for reject_func rulechain now). - Add optional FW_SERVICES_QUICK_ to make QUICK mode useful for many more people. 
Defaults to empty of course. ------------------------------------------------------------------- Thu Sep 5 01:25:48 MEST 2002 - garloff@suse.de - Unify spec file for older version of SL using %if %suse_version. ------------------------------------------------------------------- Thu Sep 5 00:20:07 MEST 2002 - garloff@suse.de - Added Obsoletes: personal-firewall (#18691) - Update to 3.1: * Contains some of the previously applied fixes * Speedup by avoiding forks * Bugfix for accepting related and established connections * FW_FORWARD_MASQ bug: Demasquerading was too global and was overriding other rules for the same port. ------------------------------------------------------------------- Mon Aug 19 02:26:45 MEST 2002 - garloff@suse.de - Add filesystem PreReq: (#17776) ------------------------------------------------------------------- Wed Aug 14 13:13:14 MEST 2002 - garloff@suse.de - Reenable no-rmmod patch: Current kernels still can hang on rmmod of ipt modules. - Remove some Should-Start comments from SuSEfirewall2_init, so it can be started earlier. ------------------------------------------------------------------- Mon Aug 12 17:06:29 MEST 2002 - garloff@suse.de - Don't refuse to run on 2.5 or 2.6 kernels. ------------------------------------------------------------------- Mon Aug 12 03:16:57 MEST 2002 - garloff@suse.de - Update to SuSEfirewall2-3.0: * FW_QUICKMODE, only needing FW_DEV_EXT and FW_MASQ_DEV to be configured, replacing SuSE's personal-firewall. * FW_REJECT option: Instead of dropping packets, we reject them. * FW_FORWARD fix for icmp types * Target IP address for FW_FORWARD_MASQ * Skip _final run if not needed (only needed if autoprotecting features are present) * Docu fixes - Revert FW_STOP_KEEP_ROUTING_STATE="yes" default (2002-07-12) due to security concerns. 
------------------------------------------------------------------- Sun Aug 11 18:27:38 MEST 2002 - garloff@suse.de - Don't add /var/log/firewall to syslog file automatically any more as it might cause problems at installation time. (#17421) ------------------------------------------------------------------- Sat Aug 3 19:05:37 CEST 2002 - kukuk@suse.de - Add PreRequires. ------------------------------------------------------------------- Fri Jul 12 02:03:10 MEST 2002 - garloff@suse.de - Set FW_STOP_KEEP_ROUTING_STATE="yes" by default. (bug #11785) ------------------------------------------------------------------- Thu Jul 11 11:39:53 MEST 2002 - garloff@suse.de - Make SQUID_PORT and DNS_PORT greps on lsof output handle the situation when the named/squid are bind to an IP address (#16350) ------------------------------------------------------------------- Thu Jul 11 10:34:46 MEST 2002 - garloff@suse.de - Adapt to new init info comments (X-UnitedLinux-Should-Start) - Provide Short-Description - Remove Dep-Only flag (bug #15650) ------------------------------------------------------------------- Fri Mar 8 15:06:21 MET 2002 - garloff@suse.de - Some people don't like colons. (bug #14700) Remove them from initscripts. Compensation here :::::: ------------------------------------------------------------------- Thu Mar 7 16:36:25 MET 2002 - draht@suse.de,lnussel@suse.de - cosmetic fixes in fillup template (SuSEfirewall2-2.1.cosmetics-in-fillup.diff) functionality enhancements to cooprtate with the y2 frontend, reflected in the changed SuSEfirewall2-2.1.syntax-for-y2-config.diff ------------------------------------------------------------------- Mon Mar 4 18:05:36 MET 2002 - draht@suse.de - fixes for SuSEfirewall2 to cooperate with the y2 frontend. SuSEfirewall2-2.1.syntax-for-y2-config.diff ------------------------------------------------------------------- Fri Mar 1 11:49:42 CET 2002 - pthomas@suse.de - Fix notification mail. 
------------------------------------------------------------------- Fri Jan 18 18:19:05 MET 2002 - garloff@suse.de - UNALLOWED -> UNAUTHORIZED (bug #12859) ------------------------------------------------------------------- Mon Jan 14 12:22:05 MET 2002 - garloff@suse.de - Use LC_ALL to unset language specific support. - Remove /etc/sysconfig/SuSEfirewall2 from %file list. ------------------------------------------------------------------- Fri Jan 11 18:47:57 MET 2002 - garloff@suse.de - Moved SuSEfirewall2 config files away from network to /etc/sysconfig resp. /etc/sysconfig/scripts/ - More docu fixes - Init script fixes for new sysconfig (incl. dep. info) ------------------------------------------------------------------- Fri Jan 11 04:37:32 MET 2002 - garloff@suse.de - Update to new runlevel and configuration scheme: * config files are /etc/sysconfig/network/SuSEfirewall2 and /etc/sysconfig/network/scripts/SuSEfitrewall2-custom now * Startup behaviour is controlled by the existence of rc?.d symlinks. * Old config files should be saved and moved ------------------------------------------------------------------- Fri Jan 11 02:28:12 MET 2002 - garloff@suse.de - Update to SuSEfirewall-2.1: * Improved logging * FW_*_ALLOW_HIGH_PORT: related connections always allowed now, therefore INCOMING_HIGHPORTS_TCP="no" by default now. * '!' support for FW_REDIRECT ------------------------------------------------------------------- Wed Nov 28 00:29:57 MET 2001 - garloff@suse.de - Update to SuSEfirewall2-2.0: * Typo which created probs for ADSL users fixed. - Update to SuSEfirewall2-1.8: * Private network detection for FW_MASQ_NETS fixed * Better log output ------------------------------------------------------------------- Thu Sep 20 13:59:04 MEST 2001 - draht@suse.de - rmmod of ip_tables modules can cause rmmod (and the system startup) to hang. Removing modules is racey and should not be required. rmmod of legacy ipfwadm and ipchains modules is untouched. 
------------------------------------------------------------------- Wed Sep 19 17:13:09 MEST 2001 - draht@suse.de - Added restart2 section into rc scripts to work around open packet filter rules during yast2-triggered rules reload. ------------------------------------------------------------------- Tue Sep 4 10:11:01 MEST 2001 - garloff@suse.de - Disabled automatic ip-up updating for the release of SuSE Linux 7.3 (not needed, so avoid any risks). ------------------------------------------------------------------- Tue Sep 4 09:01:11 MEST 2001 - garloff@suse.de - Update to SuSEfirewall2-1.7: * Fixed a bug in FW_FORWARD_MASQ when target ports were ranges. * Fixed some bugs in the documentation. * When stopping SuSEfirewall2, all modules are now removed. - bzip2 sources. ------------------------------------------------------------------- Fri Aug 3 16:37:12 MEST 2001 - garloff@suse.de - Update to SuSEfirewall-1.6: * Error checking for FW_MASQ_NETS. * Added an additional EXAMPLE with an ipsec setup and a FAQ section. ------------------------------------------------------------------- Thu Jul 26 21:17:19 MEST 2001 - garloff@suse.de - Update to SuSEfirewall2-1.5: * Already include most patches applied to 1.3 * Fix firewall2.rc.config syntax to be YaST(2) compliant * Fix bug WRT timeout for first DNS lookup that triggered autodialing * SQUID udp ports support * Fix problem with error logging - Provide automatic update for /etc/ppp/ip-up for SuSE Linux 7.2 users and warn others. ------------------------------------------------------------------- Tue Jul 17 11:48:28 MEST 2001 - garloff@suse.de - rcSuSEfirewall2 symlink points to _setup now, as that one's capable of doing a start and a stop. - Use rc.status functions ------------------------------------------------------------------- Tue Jul 17 09:06:44 MEST 2001 - garloff@suse.de - Use ispell to fix docus. Strip CR from LICENCE. 
------------------------------------------------------------------- Tue Jul 17 08:14:11 MEST 2001 - garloff@suse.de - Initial creation of package SuSEfirewall2: * checkin version 1.3 * create package description and specfile - Some changes to the startup scripts: * LSB conformant comments