File SuSEfirewall2.changes of Package SuSEfirewall2
-------------------------------------------------------------------
Tue Feb 21 09:00:54 UTC 2023 - Matthias Gerstner <matthias.gerstner@suse.com>

- package additional /etc/ directories that are no longer part of the
  basesystem.
-------------------------------------------------------------------
Fri Nov 12 13:49:45 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>

- remove all links in /sbin as this breaks the Tumbleweed build, where /sbin
  and /usr/sbin are the same directories.
-------------------------------------------------------------------
Wed Sep 1 08:58:17 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>

- suppress fillup error with badness 10.000. We don't go to Factory with this
  package anymore and fillup is deliberately not called for SFW2 any more
  since 2010.
-------------------------------------------------------------------
Thu Sep 3 07:03:02 UTC 2020 - matthias.gerstner@suse.com

- explicitly own directories in /etc. For some reason the build worked
  before, probably because some other package owned them.
-------------------------------------------------------------------
Sun Mar 17 10:33:37 UTC 2019 - Jan Engelhardt <jengelh@inai.de>

- Reduce too broad systemd requires.
- Fix rpmlint complaint about unlisted SuSEfirewall2_init.service.
-------------------------------------------------------------------
Thu Feb 28 14:33:03 UTC 2019 - matthias.gerstner@suse.com

- Add deprecation warning messages for zypper to make the last users more
  aware of the upcoming removal of SuSEfirewall2.
-------------------------------------------------------------------
Thu Feb 21 18:14:20 UTC 2019 - Franck Bui <fbui@suse.com>

- Drop use of $FIRST_ARG in .spec

  The use of $FIRST_ARG was probably required because the %service_* rpm
  macros were playing tricks with the shell positional parameters. This is
  bad practice and error prone so let's assume that no macros should do that
  anymore and hence it's safe to assume that positional parameters remain
  unchanged after any rpm macro call.
-------------------------------------------------------------------
Mon Mar 19 13:36:47 UTC 2018 - matthias.gerstner@suse.com

- Reverted previous change. The rpm level conflict between the old and new
  default firewall results in migration issues. Also the original problem
  cannot be reproduced (bnc#1085260, bnc#1084177).
-------------------------------------------------------------------
Fri Mar 9 11:01:22 UTC 2018 - matthias.gerstner@suse.com

- Have SuSEfirewall2 conflict firewalld to avoid a messed up netfilter setup
  (bnc#1084177)
-------------------------------------------------------------------
Tue Jan 16 10:58:23 UTC 2018 - matthias.gerstner@suse.com

- Fixed a regression in setting up the final LOG/DROP/REJECT rules for IPv6
  (bnc#1075251)
- Set RPC related rules also for IPv6 (bnc#1074933)
-------------------------------------------------------------------
Tue Nov 28 13:42:07 UTC 2017 - matthias.gerstner@suse.com

- logging: correctly set the PID of the logging process
-------------------------------------------------------------------
Tue Nov 28 10:33:24 UTC 2017 - matthias.gerstner@suse.com

- main script: remove duplicate rules in the rpc rules area (bnc#1069760)
- main script: support --trace messages
-------------------------------------------------------------------
Thu Nov 23 13:37:44 UTC 2017 - rbrown@suse.com

- Replace references to /var/adm/fillup-templates with new %_fillupdir macro
  (boo#1069468)
-------------------------------------------------------------------
Wed Oct 18 15:47:48 UTC 2017 - matthias.gerstner@suse.com

- rpcinfo: recognize execution errors of the perl script and terminate
  accordingly
- rpcinfo: fixed security issue with too open implicit portmapper rules
  (bnc#1064127): A source net restriction for _rpc_ services was not taken
  into account for the implicitly added rules for port 111, making the
  portmap service accessible to everyone in the affected zone.
-------------------------------------------------------------------
Fri Jul 28 08:40:55 UTC 2017 - matthias.gerstner@suse.com

- Removed bogus nfs alias units, added correct nfs-client target in
  SuSEfirewall2.service (bnc#946325).

  The nfs alias units are false friends, because they don't fix the startup
  ordering between nfs and SuSEfirewall2.

  The missing nfs-client target could cause nfs mounts for nfs versions < 4.1
  to be unable to receive callbacks from the server, when the nfs client was
  started before the SuSEfirewall2 was started on boot.
-------------------------------------------------------------------
Wed Jul 12 13:40:57 UTC 2017 - matthias.gerstner@suse.com

- sysctl settings: make list of sysctl.d directories configurable via
  FW_SYSCTL_PATHS (bnc#1044523)
-------------------------------------------------------------------
Thu Jul 6 10:05:41 UTC 2017 - matthias.gerstner@suse.com

- clarified warning message about FW_ROUTE being enabled but ip_forwarding
  not configured
- sysctl.d: avoid error messages if no /etc/sysctl.d/*.conf files are
  existing (bnc#1044523)
-------------------------------------------------------------------
Wed Jun 28 09:19:26 UTC 2017 - matthias.gerstner@suse.com

- Only consider *.conf files to ignore backup files and similar (bnc#1044523)
-------------------------------------------------------------------
Tue Jun 20 16:16:45 UTC 2017 - matthias.gerstner@suse.com

- Also check /etc/sysctl.d for custom sysctl overrides (bnc#1044523)
- improved documentation of FW_SERVICES_DROP_...
  to mention "all" protocols
-------------------------------------------------------------------
Mon Apr 24 12:19:12 UTC 2017 - matthias.gerstner@suse.com

- implementation of feature FATE#316295: allow incremental update of rpc
  rules:

  By calling "/usr/sbin/SuSEfirewall2 update-rpc [-s service]" you can now
  cause SuSEfirewall to update its rpc related firewall rules to reflect the
  current portmapper state in the system, without affecting the rest of the
  firewall rule set.

  This can for example be put in systemd unit files as ExecStartPost
  directives, to always keep port mapping rules up to date, for certain rpc
  services.

  Note that you still need to configure the rpc rules in
  /etc/sysconfig/SuSEfirewall2 to make this work. See configuration
  variables:

    FW_SERVICES_DROP_{EXT,INT,DMZ}
    FW_SERVICES_ACCEPT_{EXT,INT,DMZ}
    FW_SERVICES_{EXT,INT,DMZ}_RPC
- conntrack helpers: explicitly load kernel module to make sure conntrack
  helper rules can be applied and to avoid error messages if kernel module is
  not loaded
-------------------------------------------------------------------
Tue Apr 18 16:07:56 UTC 2017 - matthias.gerstner@suse.com

Update to new git release 3.6.351:

- ship ftp-client service file for allowing active ftp client connections
  easily. Also fix use of connection tracker helper on kernel >= 4.7 for ftp.
  (boo#1034341)
-------------------------------------------------------------------
Mon Mar 20 18:11:15 CET 2017 - mgerstner@suse.de

Update to new git release 3.6.346:

- harmonized the logic of setting IPv4/IPv6 forwarding when FW_ROUTE is set
  to "yes". Previously only IPv4 forwarding was exclusively set by
  SuSEfirewall2, while IPv6 forwarding could only be set via "yast2
  firewall". With this update you should always configure IPv4/IPv6
  forwarding with yast. SuSEfirewall2 will still provide backwards
  compatibility to temporarily enable IPv4/IPv6 forwarding if not already
  enabled system wide.
  Also forwarding can now be configured separately for IPv4/IPv6 if only one
  of both is required. See FW_ROUTE documentation. (bnc#572202)
- ignore the bootlock when incremental updates for hotplugged or virtual
  devices are coming in during boot. This prevents lockups for example when
  drbd is used with FB_BOOT_FULL_INIT. (bnc#785299)
- fixed a race condition in systemd unit files that could cause the
  SuSEfirewall2_init unit to sporadically fail, because /tmp was not
  there/writable yet. (bnc#1014987)
- support new kernels >= 4.7 that run with
  net.netfilter.nf_conntrack_helper = 0 by default. Currently only
  netbios/samba is fully covered. (bnc#986527)
- allow mdns multicast packets input in unconfigured firewall setups (no
  zones configured) to make zeroconf setups (like avahi) work out of the box
  for typical desktops connecting via DSL/WiFi router scenarios. (bnc#959707)
- refurbished the documentation in /usr/share/doc. (bnc#884037)
- updated GPL license texts with the current address from FSF
- support for IPv6 in FW_TRUSTED_NETS config variable. (bnc#841046)
- don't log dropped broadcast IPv6 broadcast/multicast packets by default to
  avoid cluttering the kernel log. (bnc#847193)
- recognize a running libvirtd instance and cause it to recreate its custom
  firewall rules on SuSEfirewall2 reload, to not break VM networking.
  (bnc#884398)
- only apply FW_KERNEL_SECURITY proc settings, if not overridden by the
  administrator in /etc/sysctl.conf (bnc#906136). This allows you to benefit
  from some of the kernel security settings, while overwriting others.
- don't enable FW_LO_NOTRACK by default any more, because it breaks expected
  behaviour in some scenarios (bnc#916771)
- increase security when sourcing external script files by checking file
  ownership and permissions first (to avoid sourcing untrusted files owned by
  non-root or world-writable)
- fixed "/usr/sbin/SUSEfirewall log" pretty logfile parsing functionality
  when running under systemd with journald.
-------------------------------------------------------------------
Tue Mar 7 10:39:28 CET 2017 - mgerstner@suse.de

- Install symlink to SuSEfirewall2 with the updated SUSE spelling
  (bsc#938727, FATE#316521)
- Added rpmlintrc file to suppress some bogus warnings during building
-------------------------------------------------------------------
Fri Feb 10 22:39:10 CET 2017 - kukuk@suse.de

- Remove unused PreReq for insserv and fillup
-------------------------------------------------------------------
Wed Feb 10 15:18:40 UTC 2016 - meissner@suse.com :

- add nfs-server.service too as dependency, remove default.target again as
  it makes trouble (bsc#963740)
- basic.target and SuSEfirewall2 have a loop, remove it bsc#961258
-------------------------------------------------------------------
Tue Feb 9 11:01:25 UTC 2016 - meissner@suse.com

- change dependencies of SUSEfirewall2_init, so it gets run after systemd
  version update brought new dependencies somehow (bsc#963969)
-------------------------------------------------------------------
Thu Jan 28 12:23:06 UTC 2016 - meissner@suse.com

- add default.target, so SuSEfirewall2 final will be started after all other
  services. This is relevant for rpc services like the NFS rpc process
  group, where ports are opened dynamically. bsc#963740
-------------------------------------------------------------------
Mon Jan 18 12:44:38 UTC 2016 - meissner@suse.com

- Merge pull request #5 from hwoarang/firewalld-conflict
- SuSEfirewall2{,_init}.service: Conflict with firewalld service
-------------------------------------------------------------------
Fri Jan 15 16:36:15 UTC 2016 - meissner@suse.com

- basic.service -> basic.target (bsc#961258)
-------------------------------------------------------------------
Wed Jun 24 12:07:08 UTC 2015 - meissner@suse.com

- reduce amount of setprocinfo set values, adjusted to existence and also
  current kernel defaults.
- missing IPv6 commands to enable broadcast (e.g.: avahi over ipv6)
  (bsc#935716)
-------------------------------------------------------------------
Mon Aug 18 08:17:30 UTC 2014 - lnussel@suse.de

- perl-Net-DNS is only needed by some ancillary helper tool but not for the
  core features. So set it to Recommended.
-------------------------------------------------------------------
Fri Aug 15 16:02:46 UTC 2014 - meissner@suse.com

- hosting moved to github.com/opensuse/susefirewall2
- added a sysvinit -> systemd conversion hack (bnc#891669)
-------------------------------------------------------------------
Thu Jul 31 08:51:43 UTC 2014 - meissner@suse.com

- SuSEfirewall2, ACCEPT from services is a local variable, otherwise
  "ACCEPT" would be used as a service name
  (bnc#889406 bnc#889555 bnc#887040)
-------------------------------------------------------------------
Wed Jun 11 08:49:18 UTC 2014 - mt@suse.com

- Added ACCEPT to TEMPLATE using FW_SERVICES_ACCEPT
-------------------------------------------------------------------
Tue May 27 08:59:59 UTC 2014 - meissner@suse.com

- Allow incoming DHCPv6 replies, currently unlimited.
  bnc#867819,bnc#868031,bnc#783002,bnc#822959
- typo fix customary -> custom bnc#835677
-------------------------------------------------------------------
Fri Dec 27 11:13:55 UTC 2013 - meissner@suse.com

- add perl-Net-DNS requires for "SuSEfirewall2 log" (bnc#856705)
-------------------------------------------------------------------
Wed Aug 21 08:43:32 UTC 2013 - lnussel@suse.de

- adjust service files so manual starts work better (bnc#819499)
-------------------------------------------------------------------
Mon May 6 13:15:59 UTC 2013 - cfarrell@suse.com

- license update: GPL-2.0
  Various GPL-2.0 (only) licensed files
-------------------------------------------------------------------
Fri May 3 13:25:35 UTC 2013 - meissner@suse.com

- clarify what the default is in FW_MASQ_NETS (bnc#817233)
- removed the --rttl option in recent matches, as this could also be used by
  attackers (bnc#800719)
-------------------------------------------------------------------
Tue Jan 29 08:05:15 UTC 2013 - lnussel@suse.de

- do not add dependency information about YaST2 Second Stage (bnc#800365)
-------------------------------------------------------------------
Thu Jan 17 11:11:51 UTC 2013 - lnussel@suse.de

- fix default value docu for FW_PROTECT_FROM_INT (bnc#798834)
-------------------------------------------------------------------
Thu Dec 13 12:23:01 UTC 2012 - lnussel@suse.de

- move to /usr, remove init scripts
-------------------------------------------------------------------
Wed Dec 12 15:31:58 UTC 2012 - lnussel@suse.de

- adjust for starting via systemd service files
- move lock files to /run
- just CT instead of NOTRACK (bnc#793459)
-------------------------------------------------------------------
Tue Sep 11 08:29:41 UTC 2012 - lnussel@suse.de

- getdevinfo is gone as per commit 0c5ac93 (bnc#777271)
-------------------------------------------------------------------
Fri Jul 13 12:43:17 UTC 2012 - lnussel@suse.de

- honor FW_IPv6 setting also in debug mode (bnc#769411)
-------------------------------------------------------------------
Tue Jun 19 11:38:32 UTC 2012 - lnussel@suse.de

- fix logging in test mode
-------------------------------------------------------------------
Mon Jun 18 09:30:51 UTC 2012 - lnussel@suse.de

- allow icmpv6 in FW_SERVICES_*_*
-------------------------------------------------------------------
Mon Jun 18 09:24:18 UTC 2012 - lnussel@suse.de

- allow ICMPv6 Multicast Listener Query (bnc#767392)
-------------------------------------------------------------------
Tue May 29 13:16:20 UTC 2012 - lnussel@suse.de

- fix typo spotted by Frederic
-------------------------------------------------------------------
Wed Jan 18 14:17:19 UTC 2012 - lnussel@suse.de

- assume all interface names are correct (bnc#739084)
-------------------------------------------------------------------
Wed Dec 14 16:55:43 UTC 2011 - lnussel@suse.de

- fix forward masquerading (bnc#736205)
- compat syntax for negated options no longer works (bnc#660156, bnc#731088)
- enhance debug mode
-------------------------------------------------------------------
Mon Nov 7 10:56:04 UTC 2011 - lnussel@suse.de

- use /sbin/rpcinfo as /usr/sbin/rpcinfo is gone (bnc#727438)
-------------------------------------------------------------------
Wed Nov 2 15:27:04 UTC 2011 - lnussel@suse.de

- set SYSTEMD_NO_WRAP for status (bnc#727445)
-------------------------------------------------------------------
Fri Oct 14 09:46:33 UTC 2011 - lnussel@suse.de

- fix manual rcSuSEfirewall2 stop with systemd (bnc#717583)
-------------------------------------------------------------------
Tue Oct 4 14:53:13 UTC 2011 - lnussel@suse.de

- fix typo (bnc#721845)
- atomic zone status writing
-------------------------------------------------------------------
Sat Sep 17 10:25:23 UTC 2011 - jengelh@medozas.de

- Remove redundant tags/sections from specfile
-------------------------------------------------------------------
Wed Sep 7 11:38:14 UTC 2011 - lnussel@suse.de

- sanitize
  FW_ZONE_DEFAULT (bnc#716013)
- add warning about iptables-batch to SuSEfirewall2-custom
- fix warning about /proc/net/ip_tables_names not readable
- don't install input rules for interfaces in default zone
- Add hook fw_custom_after_finished
- update FAQ (bnc#694464)
- clean up overrides when stopping the firewall (bnc#630961)
- change default FW_LOG_ACCEPT_CRIT to "no"
- allow redir without port specification
- make FW_SERVICES_{REJECT,DROP}_* take precedence before ACCEPT
  (bnc#671997)
- fix zonein and zoneout parameters
- fix reverse direction of forwarding rules (bnc#679192)
-------------------------------------------------------------------
Tue Feb 1 13:16:53 UTC 2011 - lnussel@suse.de

- introduce rpcusers file to allow statd to run as non-root (bnc#668553)
-------------------------------------------------------------------
Wed Jan 19 14:04:48 UTC 2011 - lnussel@suse.de

- add zonein and zoneout parameters for FW_FORWARD
- fix typos
-------------------------------------------------------------------
Mon Jan 10 13:15:05 UTC 2011 - lnussel@suse.de

- don't start in runlevel 4 by default (bnc#656520)
- cut off long zone names (bnc#644527)
- fix and enhance output of log command (bnc#663262)
-------------------------------------------------------------------
Thu Dec 2 13:33:59 UTC 2010 - lnussel@suse.de

- don't unload rules when using systemd
-------------------------------------------------------------------
Tue Nov 16 15:01:04 UTC 2010 - lnussel@suse.de

- list some known rpc services as Should-Start
- don't filter outgoing packets at all
- fix an example (bnc#641907)
- fix status check in SuSEfirewall2_init (bnc#628751)
-------------------------------------------------------------------
Mon Aug 16 07:32:31 UTC 2010 - lnussel@suse.de

- don't use fillup anymore as it keeps corrupting the config file
  (bnc#340926)
-------------------------------------------------------------------
Tue Jun 29 12:20:30 UTC 2010 - lnussel@suse.de

- remove "batch committing..."
  message
- read defaults from separate file
- warn if highports config options are set
- finally drop 'highports' misfeature
- remove kernel ipv6 module detection (bnc#617033)
- silence warning about default zone (bnc#616841)
- SuSEfirewall2-open: don't add values multiple times
- Use multiprotocol xt_conntrack
-------------------------------------------------------------------
Mon May 31 08:11:54 UTC 2010 - lnussel@suse.de

- only directories in /sys/class/net are real interfaces (bnc#609810)
-------------------------------------------------------------------
Fri Mar 19 13:34:10 UTC 2010 - lnussel@suse.de

- add entry about drbd to FAQ
- update docu
- implement FW_BOOT_FULL_INIT
-------------------------------------------------------------------
Tue Feb 16 13:51:48 UTC 2010 - lnussel@suse.de

- use new versioning scheme after switch of repo to git
- update and rebuild docu
- remove really old rc.config conversion code from spec file
-------------------------------------------------------------------
Tue Sep 15 13:33:06 UTC 2009 - lnussel@suse.de

- fix spelling error in sysconfig file (bnc#537427)
- polishing of log drop policy (bnc#538053)
  * drop multicast packets silently
  * separate drop rule for broadcast packets at end of chain
  * only consider NEW udp packets as critical
  * don't log INVALID packets as critical
-------------------------------------------------------------------
Fri Aug 21 11:09:40 UTC 2009 - lnussel@suse.de

- implement runtime override of interface zones
- allow disabling NOTRACK rules on lo (bnc#519526)
-------------------------------------------------------------------
Fri Jul 17 10:04:48 UTC 2009 - lnussel@suse.de

- remove chkconfig calls (bnc#522268)
-------------------------------------------------------------------
Thu Jul 9 13:50:47 UTC 2009 - lnussel@suse.de

- add note about use as bridging firewall
- allow to set FW_ZONE_DEFAULT via config file
- deprecate fw_custom_before_antispoofing and
  fw_custom_after_antispoofing, use
  fw_custom_after_chain_creation instead
-------------------------------------------------------------------
Tue Jun 9 14:19:27 UTC 2009 - lnussel@suse.de

- add note that ulog doesn't work with IPv6 (bnc#442756)
- fix version number in help text
- allow service files to specify kernel modules and allow related packets
- silence an error from bash if a service config file is not available
  (bnc#487870)
- better wording for BROADCAST in template
- update firewall hook script (patch by Marius)
-------------------------------------------------------------------
Thu Nov 6 13:18:31 CET 2008 - lnussel@suse.de

- check whether IPv6 support is available when stopping the firewall
  (bnc#442118)
- point to correct path for service files (bnc#425187)
-------------------------------------------------------------------
Wed Oct 15 15:50:36 CEST 2008 - lnussel@suse.de

- check status of SuSEfirewall2 without triggering module load (bnc#435653)
- add missing iptables-batch commitpoint for IPv4
-------------------------------------------------------------------
Tue Sep 30 10:48:19 CEST 2008 - lnussel@suse.de

- don't modify the ip local port range
- allow negated rules via !
  in FW_FORWARD_MASQ (bnc#413046)
- explain some common pitfalls around FW_SERVICES_ACCEPT_EXT
- SuSEfirewall2_init: don't fail if /usr is not available (bnc#429899)
-------------------------------------------------------------------
Tue Sep 2 11:22:53 CEST 2008 - lnussel@suse.de

- fix "recent" match (bnc#421806)
-------------------------------------------------------------------
Mon Aug 25 01:44:41 CEST 2008 - ro@suse.de

- remove outdated start variables from fillup_and_insserv call
-------------------------------------------------------------------
Thu Jul 31 19:21:51 CEST 2008 - werner@suse.de

- Make boot script know about new upcoming startpar and insserv
-------------------------------------------------------------------
Tue Jul 22 10:48:18 CEST 2008 - lnussel@suse.de

- add NOTRACK/raw table support (fate#978788)
-------------------------------------------------------------------
Mon Jul 14 09:32:40 CEST 2008 - lnussel@suse.de

- use correct rules to accept RELATED icmpv6 packets (bnc#396667)
-------------------------------------------------------------------
Mon Jun 30 17:27:30 CEST 2008 - lnussel@suse.de

- allow empty protocol in FW_SERVICES_ACCEPT_RELATED, FW_SERVICES_REJECT,
  FW_SERVICES_DROP, FW_SERVICES_ACCEPT (bnc#376758)
-------------------------------------------------------------------
Tue Apr 22 11:10:10 CEST 2008 - lnussel@suse.de

- accept icmp RELATED packets (bnc#382004)
-------------------------------------------------------------------
Thu Apr 17 14:55:17 CEST 2008 - lnussel@suse.de

- sysconfig file documentation improvements
-------------------------------------------------------------------
Fri Apr 4 10:06:20 CEST 2008 - lnussel@suse.de

- remove X-UnitedLinux tags from init scripts
- update links in docu
- auto detect bridge interfaces and permit traffic
-------------------------------------------------------------------
Fri Mar 28 14:39:59 CET 2008 - lnussel@suse.de

- fix typo in comment (bnc#350651)
- don't check for /proc/net/stat/nf_conntrack
  when checking for ipv6 support
- allow to ignore certain broadcasts even if broadcasts in general are
  allowed which is the expected behavior
- change handling of RELATED packages and make that configurable
  (fate#300970)
-------------------------------------------------------------------
Wed Nov 28 12:13:31 CET 2007 - lnussel@suse.de

- don't reject port 113 by default anymore (#344337)
-------------------------------------------------------------------
Tue Aug 7 14:56:41 CEST 2007 - lnussel@suse.de

- use hwdesc2iface to convert old eth-id-* and eth-bus-* interface
  specifications to actual interface names.
-------------------------------------------------------------------
Mon Aug 6 16:22:44 CEST 2007 - lnussel@suse.de

- don't try to load ip6tables modules if ipv6 is disabled (#297621)
-------------------------------------------------------------------
Fri Jul 6 15:27:53 CEST 2007 - lnussel@suse.de

- New configuration options: FW_NOMASQ_NETS, FW_FORWARD_REJECT,
  FW_FORWARD_DROP
-------------------------------------------------------------------
Thu Jun 21 09:18:42 CEST 2007 - lnussel@suse.de

- manually move SuSEfirewall2_init from boot.d to runlevel directory
  (#285872)
-------------------------------------------------------------------
Mon Jun 18 17:05:55 CEST 2007 - lnussel@suse.de

- start SuSEfirewall2_init as normal init script rather than during boot.d
-------------------------------------------------------------------
Wed Jun 13 16:45:51 CEST 2007 - lnussel@suse.de

- move removing the boot lock file from init script to /sbin/SuSEfirewall2
- add separate bootlock and bootunlock actions
- use if-up script instead of NetworkManager specific script
-------------------------------------------------------------------
Fri Mar 23 14:01:14 CET 2007 - lnussel@suse.de

- enhance FW_ALLOW_CLASS_ROUTING to allow routing in specific zones only
- prevent unintended inter-class routing when masquerading is enabled on
  multiple interfaces in the same zone
- disable extra rules for
  established/related icmp packets as those are useless
- accept icmpv6 in the OUTPUT chain to avoid excessive errors in log
- add IPv6 support for FW_ALLOW_CLASS_ROUTING and FW_FORWARD
-------------------------------------------------------------------
Thu Mar 8 11:45:44 CET 2007 - lnussel@suse.de

- remove checks for binaries that are not required anymore anyways
- fix package dependencies
-------------------------------------------------------------------
Thu Mar 1 16:50:12 CET 2007 - lnussel@suse.de

- use /etc/sysconfig/SuSEfirewall2.d/services (#247352)
-------------------------------------------------------------------
Thu Feb 22 13:14:02 CET 2007 - sbrabec@suse.cz

- Removed directory ownership of /usr/share/SuSEfirewall2* (#247435).
-------------------------------------------------------------------
Tue Feb 13 09:58:55 CET 2007 - lnussel@suse.de

- fix FW_DEV_* not working (#244917)
-------------------------------------------------------------------
Mon Feb 12 12:16:42 CET 2007 - lnussel@suse.de

- use /sys/class/net instead of /proc/sys/net/ipv[46]/conf/ to determine
  whether an interface exists. Side effect: interfaces without ip also get
  filtering rules
- read FW_ZONE variable from ifcfg files for interfaces that are not listed
  in FW_DEV_*
- always use default zone for interfaces that are neither listed in
  FW_DEV_* nor have FW_ZONE set
- FW_DEV_*="any" sets default zone
- FW_MASQ_DEV="$FW_DEV_EXT" does not work with ifcfg method of specifying a
  zone. Use FW_MASQ_DEV="zone:ext" instead.
- remove old interface autodetection code
- add a name tag to meta info of service template
- fix some typos found by Eric Auer
- set version to 3.6
-------------------------------------------------------------------
Wed Nov 15 13:55:23 CET 2006 - lnussel@suse.de

- only log errors in the output chain if logging is actually enabled
  (#219108)
-------------------------------------------------------------------
Wed Sep 20 14:50:34 CEST 2006 - lnussel@suse.de

- honor zone specific FW_REJECT_* variables and reject instead of dropping
  packets from the internal zone by default (#147263)
- fix wrong default value in sysconfig metadata for FW_SERVICES_ACCEPT_EXT
-------------------------------------------------------------------
Sun Aug 13 16:27:42 CEST 2006 - ro@suse.de

- remove update-messages
-------------------------------------------------------------------
Wed Jul 19 16:42:37 CEST 2006 - lnussel@suse.de

- add support for ipt_recent (#104602)
-------------------------------------------------------------------
Mon Jul 17 11:08:54 CEST 2006 - lnussel@suse.de

- add support for service configuration files in
  /usr/share/SuSEfirewall2/services via FW_CONFIGURATIONS_* (fate #300687)
- support alternative logging targets (#180078)
- start version 3.5
-------------------------------------------------------------------
Tue Jun 6 09:16:53 CEST 2006 - lnussel@suse.de

- install rule for interface 'any' last in order to make it work with
  additional zones like DMZ (#181308)
-------------------------------------------------------------------
Mon May 22 13:39:38 CEST 2006 - lnussel@suse.de

- fix FW_FORWARD not working with ipsec flag (#170530)
-------------------------------------------------------------------
Thu Mar 30 11:13:22 CEST 2006 - lnussel@suse.de

- don't change igmp_max_memberships, correct docu for FW_KERNEL_SECURITY
  (#162086)
-------------------------------------------------------------------
Tue Mar 28 16:19:52 CEST 2006 - lnussel@suse.de

- introduce
  FW_FORWARD_ALWAYS_INOUT_DEV for use with XEN (#154133)
-------------------------------------------------------------------
Mon Mar 6 16:32:34 CET 2006 - lnussel@suse.de

- log and drop multicast packets separately in order to prevent flooding
  other log targets (#155326)
-------------------------------------------------------------------
Thu Mar 2 14:51:26 CET 2006 - lnussel@suse.de

- don't try to use v6 state matching if /proc/net/stat/nf_conntrack doesn't
  exist as it won't work without (#151776)
- reject v6 packets by default to avoid timeouts (#145758)
-------------------------------------------------------------------
Mon Feb 20 14:23:57 CET 2006 - lnussel@suse.de

- allow FW_FORWARD_MASQ without FW_MASQ_NETS (#151795)
-------------------------------------------------------------------
Fri Feb 3 15:03:56 CET 2006 - lnussel@suse.de

- add dispatcher script for NetworkManager (#147671)
-------------------------------------------------------------------
Wed Feb 1 15:52:05 CET 2006 - lnussel@suse.de

- also check for xt_state to finally get IPv6 state matching again (#145758)
-------------------------------------------------------------------
Wed Jan 25 21:45:39 CET 2006 - mls@suse.de

- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Tue Jan 10 13:46:59 CET 2006 - lnussel@suse.de

- don't change setting for ECN and TCP syncookies as those are already
  configurable via /etc/sysconfig/sysctl
-------------------------------------------------------------------
Tue Jan 3 11:12:03 CET 2006 - lnussel@suse.de

- fix initscript status reporting (#124869)
-------------------------------------------------------------------
Mon Aug 1 16:35:03 CEST 2005 - lnussel@suse.de

- fall back to normal iptables if iptables-batch fails
- always add ip6tables drop rule in case REJECT doesn't work for some reason
-------------------------------------------------------------------
Mon Aug 1 10:19:21 CEST 2005 - lnussel@suse.de

- don't
  load ftp conntrack modules by default
-------------------------------------------------------------------
Wed Jul 20 15:48:43 CEST 2005 - lnussel@suse.de

- discard errors from rpcinfo as some people don't have it running all the
  time
- don't print warning if ipv6 support is disabled
- mark FW_ALLOW_INCOMING_HIGHPORTS_* as deprecated
- permit empty port in FW_TRUSTED_NETS
- fix FW_ALLOW_INCOMING_HIGHPORTS_UDP
-------------------------------------------------------------------
Mon May 9 15:00:25 CEST 2005 - lnussel@suse.de

- fix check for iptables-batch
-------------------------------------------------------------------
Fri Apr 22 11:17:28 CEST 2005 - lnussel@suse.de

- use iptables-batch by default if available
- use full path to getopt and logger (#76703)
- fix FW_ALLOW_CLASS_ROUTING (#75319)
- start version 3.4
-------------------------------------------------------------------
Wed Mar 16 14:02:57 CET 2005 - lnussel@suse.de

- include all sysctl in FW_KERNEL_SECURITY (#61429)
- allow basic IPv6 tcp and icmp despite missing conntrack (#72865)
-------------------------------------------------------------------
Mon Mar 14 14:51:23 CET 2005 - lnussel@suse.de

- fix rejecting of IPv6 packets if state matching is not available (#72414)
- fix "any" interface (#72428)
- fix docu stylesheet to make programlistings have a grey background again
-------------------------------------------------------------------
Fri Mar 11 17:19:01 CET 2005 - lnussel@suse.de

- install desktop file to integrate docu in susehelp
-------------------------------------------------------------------
Tue Mar 1 16:59:50 CET 2005 - lnussel@suse.de

- support forwarding of decrypted IPsec packets independent of
  FW_IPSEC_TRUST (#66664)
-------------------------------------------------------------------
Mon Feb 21 11:39:58 CET 2005 - lnussel@suse.de

- reorder rule creation to keep window where packets are dropped small
- fix missing space at some log messages
-------------------------------------------------------------------
Fri Feb 18 14:20:06 CET 2005 - lnussel@suse.de

- add port to FW_FORWARD reply packet match rule

-------------------------------------------------------------------
Thu Feb 17 17:01:36 CET 2005 - lnussel@suse.de

- cleanup and enhance docu

-------------------------------------------------------------------
Thu Feb 3 16:53:20 CET 2005 - lnussel@suse.de

- disable workaround for #46818
- use proof-read text for broadcast update message

-------------------------------------------------------------------
Tue Feb 1 13:12:32 CET 2005 - lnussel@suse.de

- parse zones before interface evaluation
- convert broadcast variables to new syntax
- add update message for broadcast variable conversion
- remove more obsolete variables from config file

-------------------------------------------------------------------
Fri Jan 28 18:18:04 CET 2005 - lnussel@suse.de

- fix init script requires tag (#50231)

-------------------------------------------------------------------
Wed Jan 26 14:04:42 CET 2005 - lnussel@suse.de

- add note about inconsistent iptables behavior (#49739)
- allow protocols without port in FW_DROP*
- make warnings about deprecated variables more specific
- allow to define additional zones through FW_ZONES
- remove FW_ALLOW_FW_TRACEROUTE from config file

-------------------------------------------------------------------
Tue Jan 11 17:39:40 CET 2005 - lnussel@suse.de

- implement FW_SERVICES_ACCEPT_*
- allow source port in FW_SERVICES_{REJECT,DROP}
- recognise special protocol _rpc_ in FW_SERVICES_{ACCEPT,REJECT,DROP}_*
- do not load ipv6 modules if FW_IPv6=no (#47545)
- add -q (quiet) option, used during boot
- don't warn if FW_MASQ_NETS is set to default 0/0
- create boot lock file in SuSEfirewall2_init to prevent useless firewall starts in rcnetwork (#49068)
- use only SuSEfirewall2_init and ..._setup during boot
- run SuSEfirewall2_init before entering runlevel already
-------------------------------------------------------------------
Wed Dec 8 17:15:01 CET 2004 - lnussel@suse.de

- move qdisc settings into separate file
- do not call "ip" anymore as ip addresses are not used anyway
- drop tos settings
- reduce log messages for dropped icmp packets

-------------------------------------------------------------------
Tue Dec 7 15:44:48 CET 2004 - lnussel@suse.de

- do not rely on int, ext, dmz anymore
- PROTECT_FROM_INTERNAL -> PROTECT_FROM_$zone
- fix replies to forwarded packets (#48793)
- split broadcast stuff into separate zone specific variables
- only create rules for zones that are actually needed => less rules, less forks, more speed.
- remove traces of personal-firewall

-------------------------------------------------------------------
Thu Dec 2 18:16:49 CET 2004 - lnussel@suse.de

- remove icmp output rules
- first steps toward configurable zones
- match redirected packets with fwmark so the port does not need to be opened (Carl-Daniel)
- drop auto protect and anti spoof stuff

-------------------------------------------------------------------
Wed Dec 1 17:04:56 CET 2004 - lnussel@suse.de

- more cleanup
- add temporary workaround for #46818
- set version to 3.3

-------------------------------------------------------------------
Tue Sep 28 23:05:51 CEST 2004 - schwab@suse.de

- Fix typo in last change.
-------------------------------------------------------------------
Tue Sep 28 18:20:10 CEST 2004 - lnussel@suse.de

- finally allow ESTABLISHED,RELATED tcp and udp always to fix problems with DHCP (#46237)

-------------------------------------------------------------------
Mon Sep 27 15:38:33 CEST 2004 - lnussel@suse.de

- some typo fixes from Volker Kuhlmann
- add feature FW_DEV_EXT=any to prevent common pitfall of packets on unconfigured interfaces being dropped (#46164, #46168)

-------------------------------------------------------------------
Wed Sep 22 11:39:36 CEST 2004 - lnussel@suse.de

- fix opening of ports in zones other than external (#45776)

-------------------------------------------------------------------
Mon Sep 20 12:17:31 CEST 2004 - lnussel@suse.de

- better detection if state matching is supported
- really don't use REJECT if ip6tables has no reject target
- fix debug mode
- fix output log message

-------------------------------------------------------------------
Tue Sep 14 15:23:04 CEST 2004 - lnussel@suse.de

- do not set ip_conntrack_max (#44846)

-------------------------------------------------------------------
Tue Sep 14 12:48:52 CEST 2004 - lnussel@suse.de

- add 'open' parameter to have SuSEfirewall open the specified services

-------------------------------------------------------------------
Fri Sep 3 16:18:00 CEST 2004 - lnussel@suse.de

- do not run ip6tables if network in FW_SERVICES_{REJECT,DROP}_* looks like an IPv4 address and vice versa.
- add "on" and "off" commandline parameters to quickly add and remove the initscripts together with starting and stopping the firewall.
-------------------------------------------------------------------
Mon Aug 30 17:02:27 CEST 2004 - lnussel@suse.de

- set FW_MASQ_DEV to zero if personal-firewall is enabled without masquerading (#44076)

-------------------------------------------------------------------
Mon Aug 30 16:06:31 CEST 2004 - lnussel@suse.de

- support individual services in FW_ALLOW_FW_BROADCAST (#44393)
- always also open portmapper port if any rpc services are to be opened
- fix $AWK not set in quickmode

-------------------------------------------------------------------
Thu Aug 26 12:07:26 CEST 2004 - lnussel@suse.de

- allow related connections even in 'close' mode to allow DNS replies during boot (#44202, #44268)
- add net parameter to FW_SERVICES_DROP_* and FW_SERVICES_REJECT_*
- set default log limit to 3/minute
- remove accidentally slipped in default drop of ssh
- fix typo: "will used" -> "will be used"

-------------------------------------------------------------------
Mon Aug 23 12:25:07 CEST 2004 - lnussel@suse.de

- initial stateful IPv6 support
- rephrase more comments in sysconfig file
- use new update message mechanism (#44041)
- new parameter 'log' to display firewall related log messages
- don't install perl helper scripts with executable bits set to not depend on perl

-------------------------------------------------------------------
Thu Aug 12 14:34:11 CEST 2004 - lnussel@suse.de

- use perl helper script to determine ports of RPC services. Services that did not open their port as root are ignored.
-------------------------------------------------------------------
Fri Aug 6 15:55:22 CEST 2004 - lnussel@suse.de

- major cleanup
- use ipsec policy match to match ipsec packets
- use pkttype to match broadcast packets
- new variables: FW_LOG_LIMIT, FW_SERVICES_DROP_EXT, FW_SERVICES_REJECT_EXT
- obsolete: FW_SERVICE_DHCLIENT, FW_SERVICE_DHCPD, FW_SERVICE_SAMBA
- switch autoprotect and protect from internal off by default

-------------------------------------------------------------------
Wed May 26 12:17:26 CEST 2004 - lnussel@suse.de

- drop special support for named and squid, the stateful rules should suffice
- fix icmp usage in FW_MASQ_NETS (patch by Carl-Daniel Hailfinger)
- don't send mail about changed FW_LOG if FW_LOG was empty
- remove comment about kernel 2.4 (#40127)
- consider kernel 2.7 as supported

-------------------------------------------------------------------
Wed May 5 13:04:51 CEST 2004 - lnussel@suse.de

- make masquerading work when external interface is set to "auto" (#39914)

-------------------------------------------------------------------
Wed Mar 31 12:18:19 CEST 2004 - lnussel@suse.de

- use getcfg-interface to support config names in FW_DEV_EXT, FW_DEV_INT, FW_DEV_DMZ, FW_MASQ_DEV and FW_HTB_TUNE_DEV (#37643).

-------------------------------------------------------------------
Tue Mar 16 12:19:32 CET 2004 - lnussel@suse.de

- replace FW_LOG in sysconfig file with default value and send a notify mail to root (#36066)
- getconfig-interface was renamed to getcfg-interface, so call that one in SuSEfirewall2-autointerface.sh (#36067)

-------------------------------------------------------------------
Thu Feb 26 16:16:42 CET 2004 - lnussel@suse.de

- determine dynamic portnumbers for RPC services to be able to run e.g. an nfs server in a firewalled zone (SuSEfirewall2-3.1-rpcserver.diff, #32033)

-------------------------------------------------------------------
Mon Feb 16 18:21:59 CET 2004 - lnussel@suse.de

- allow IPsec packets to be trusted (SuSEfirewall2-ipsec.diff)

-------------------------------------------------------------------
Mon Feb 16 14:35:43 CET 2004 - lnussel@suse.de

- allow to change IPv6 policy independent of IPv4 (SuSEfirewall2-3.1-close-ipv6.diff).
- change handling of broadcasts. Allow them on internal interfaces per default (SuSEfirewall2-noantispoof.diff).
- rely on rp_filter instead of generating anti-spoofing rules (SuSEfirewall2-noantispoof.diff).
- optional automatic detection of external and internal interface (SuSEfirewall2-auto.diff).
- use stateful filtering to allow related incoming tcp and udp packets on any port (SuSEfirewall2-highports.diff).
- update SuSEfirewall2-3.1-newlog.diff: don't add logging options in sysconfig file but instead use default if empty.

-------------------------------------------------------------------
Fri Feb 6 17:45:31 CET 2004 - lnussel@suse.de

- clean up spec file
- get rid of compatibility stuff for <= 8.0
- build as user
- merge some patches
- install files with less paranoid permissions

-------------------------------------------------------------------
Mon Jan 12 15:31:15 CET 2004 - ug@suse.de

- static quantum added in the HTB patch to avoid a warning about a too small quantum calculated automatically
- deleting qdisc before creating new one to avoid warning on second start with no stop in-between

-------------------------------------------------------------------
Fri Oct 24 17:22:33 CEST 2003 - garloff@suse.de

- Use logging prefixes with more information.

-------------------------------------------------------------------
Fri Oct 24 16:49:35 CEST 2003 - garloff@suse.de

- Don't use REJECT target for IPv6.
-------------------------------------------------------------------
Fri Oct 24 15:22:00 CEST 2003 - garloff@suse.de

- #32032: When closing down IPv6, we do a bit too much. As local host resolves to ::1, we should allow traffic on lo to not break mozilla.
- #30789: Disable warning about not running named. named does only need port 53 in many configs and then the warning is bogus.

-------------------------------------------------------------------
Sat Sep 20 22:48:14 CEST 2003 - garloff@suse.de

- #27661: Close down IPv6 traffic as we can not yet filter it.
- Patch to detect conflicts in antispoofing rules between ipsec interfaces in internal networks and external interfaces.
- Fix one bug with logging logic.
- Start SuSEfirewall2_setup after named. (#30789)

-------------------------------------------------------------------
Sat Sep 20 22:23:31 CEST 2003 - garloff@suse.de

- #27316: Fix determination of external interface in Personal-Firewall Mode.

-------------------------------------------------------------------
Tue Sep 2 01:03:23 CEST 2003 - mmj@suse.de

- Add sysconfig metadata [#28808]

-------------------------------------------------------------------
Thu Jul 31 16:34:07 CEST 2003 - kukuk@suse.de

- serial was renamed to setserial [Bug #28353]

-------------------------------------------------------------------
Mon Mar 24 16:31:52 CET 2003 - garloff@suse.de

- Dec 30 change was too restrictive. Instead fix log messages. [bug #25453]

-------------------------------------------------------------------
Tue Mar 11 16:03:19 CET 2003 - garloff@suse.de

- Fix for optional rate limiting (HTB) feature: In full mode, the qdisc_settings need to be redone after the last TOS settings. Contributed by Uwe Gansert.

-------------------------------------------------------------------
Mon Mar 10 15:37:04 CET 2003 - garloff@suse.de

- Return 6 if no interface is specified. [bug #24438]

-------------------------------------------------------------------
Fri Feb 21 18:40:51 CET 2003 - garloff@suse.de

- Put metadata also in personal-firewall sysconfig.

-------------------------------------------------------------------
Fri Feb 21 18:04:38 CET 2003 - garloff@suse.de

- Change sysconfig metadata path to Network/Firewall/SuSEfirewall2 [bug #23878]
- Integrate optional support for limiting the rate of outgoing packets. Contributed by Uwe Gansert.

-------------------------------------------------------------------
Thu Feb 6 10:50:29 CET 2003 - garloff@suse.de

- Add Obsoletes & Provides: SuSEfirewall [#19561]

-------------------------------------------------------------------
Thu Jan 23 17:47:36 CET 2003 - garloff@suse.de

- Add sysconfig metainfo. [#22586]

-------------------------------------------------------------------
Tue Jan 21 21:25:36 CET 2003 - garloff@suse.de

- Path in comment in sysconfig file to custom rules was wrong. [bug #21651]
- Sort SuSEfirewall2_final to the end.

-------------------------------------------------------------------
Mon Dec 30 17:34:04 CET 2002 - garloff@suse.de

- Fix reversed logic in evaluation on ALLOW_INCOMING_HIGHPORTS_TCP. Thanks to Gernot Hillier for analyzing and reporting.

-------------------------------------------------------------------
Wed Oct 30 18:03:44 MET 2002 - garloff@suse.de

- Fix masquerading in quick mode/pfw compat mode.
- custom_before_port_handling back to old name (for compatibility), new custom_after_antospoofing() function instead.
-------------------------------------------------------------------
Mon Oct 21 18:26:34 CEST 2002 - draht@suse.de

- SuSEfirewall2-3.1.personal-firewall-compat.diff changed to remove error in testing for interfaces in REJECT_ALL_INCOMING_CONNECTIONS

-------------------------------------------------------------------
Tue Oct 15 12:52:00 MEST 2002 - garloff@suse.de

- When using FW_SERVICES_QUICK, the log messages could log packets which in the end are not dropped.
- Try to handle exotic protocols (Appletalk), #20414.
- Move custom_before_port_handling before we split the rulechains into input_XXX and forward_XXX and introduce custom_after_port_handling at old position.

-------------------------------------------------------------------
Sun Oct 6 01:05:18 MEST 2002 - garloff@suse.de

- Consolidate patches:
  * Integrate fixes for FW_SERVICES_QUICK in it
  * Integrate fixes for service_noext in it
  * DEV_IP parsing is obsolete because of fix-parse-bcast
- Restrict DHCP by specifying interface in INPUT chain rather than putting rules in input_XXX chains: Broadcasts did not get there.
- Fix spec file for SL 8.0.

-------------------------------------------------------------------
Thu Oct 3 11:51:35 MEST 2002 - garloff@suse.de

- Create input/forward rulechains before inserting special services on them. Mea maxima culpa. Fixes bug #20093.
- Shorten too long log prefix.

-------------------------------------------------------------------
Thu Oct 3 11:19:00 MEST 2002 - garloff@suse.de

- Explicitly require #!/bin/bash.

-------------------------------------------------------------------
Wed Oct 2 19:03:30 MEST 2002 - garloff@suse.de

- Fix iptables usage error for FW_SERVICE_QUICK_XXX.

-------------------------------------------------------------------
Wed Oct 2 16:40:02 MEST 2002 - garloff@suse.de

- Fix more parsing issues: Use read instead of awk (much faster) and handle interfaces without broadcast address. [Bug #20414]

-------------------------------------------------------------------
Wed Oct 2 11:34:32 MEST 2002 - garloff@suse.de

- Fix split of address/netmasks for masqueraded nets. [Bug #20093]

-------------------------------------------------------------------
Sun Sep 15 17:39:51 CEST 2002 - draht@suse.de

- added missing -j option to iptables. Fix in SuSEfirewall2-3.1.correct-reject.diff

-------------------------------------------------------------------
Wed Sep 11 01:57:54 CEST 2002 - draht@suse.de

- bug in interface address parsing from ifconfig output (#19384)

-------------------------------------------------------------------
Sun Sep 8 14:21:47 CEST 2002 - kukuk@suse.de

- Add "Provides: personal-firewall" [Bug #19097]

-------------------------------------------------------------------
Thu Sep 5 14:06:11 MEST 2002 - garloff@suse.de

- Fix syntax error in pers-fw part.

-------------------------------------------------------------------
Thu Sep 5 13:53:34 MEST 2002 - garloff@suse.de

- Merge personal-firewall compatibility fixes from draht.

-------------------------------------------------------------------
Thu Sep 5 13:40:57 MEST 2002 - garloff@suse.de

- Allow DHClient in all networks even for "yes".

-------------------------------------------------------------------
Thu Sep 5 12:30:51 MEST 2002 - garloff@suse.de

- Fix bug #18336:
  * The switches FW_SERVICE_DNS, FW_SERVICE_DHCLIENT, FW_SERVICE_DHCPD, FW_SERVICE_SQUID and FW_SERVICE_SAMBA, as well as the magical FW_SERVICE_AUTODETECT have four possible values now.
  * no: not open (unchanged)
  * yes: open to internal networks (formerly: to all)
  * dmz: open to internal and DMZ networks (new)
  * ext: open to everywhere (new, corresponds to old yes)

-------------------------------------------------------------------
Thu Sep 5 11:26:37 MEST 2002 - garloff@suse.de

- Fix rcSuSEfirewall2 status report (it probes for reject_func rulechain now).
- Add optional FW_SERVICES_QUICK_ to make QUICK mode useful for many more people. Defaults to empty of course.

-------------------------------------------------------------------
Thu Sep 5 01:25:48 MEST 2002 - garloff@suse.de

- Unify spec file for older version of SL using %if %suse_version.

-------------------------------------------------------------------
Thu Sep 5 00:20:07 MEST 2002 - garloff@suse.de

- Added Obsoletes: personal-firewall (#18691)
- Update to 3.1:
  * Contains some of the previously applied fixes
  * Speedup by avoiding forks
  * Bugfix for accepting related and established connections
  * FW_FORWARD_MASQ bug: Demasquerading was too global and was overriding other rules for the same port.

-------------------------------------------------------------------
Mon Aug 19 02:26:45 MEST 2002 - garloff@suse.de

- Add filesystem PreReq: (#17776)

-------------------------------------------------------------------
Wed Aug 14 13:13:14 MEST 2002 - garloff@suse.de

- Reenable no-rmmod patch: Current kernels still can hang on rmmod of ipt modules.
- Remove some Should-Start comments from SuSEfirewall2_init, so it can be started earlier.

-------------------------------------------------------------------
Mon Aug 12 17:06:29 MEST 2002 - garloff@suse.de

- Don't refuse to run on 2.5 or 2.6 kernels.

-------------------------------------------------------------------
Mon Aug 12 03:16:57 MEST 2002 - garloff@suse.de

- Update to SuSEfirewall2-3.0:
  * FW_QUICKMODE, only needing FW_DEV_EXT and FW_MASQ_DEV to be configured, replacing SuSE's personal-firewall.
  * FW_REJECT option: Instead of dropping packets, we reject them.
  * FW_FORWARD fix for icmp types
  * Target IP address for FW_FORWARD_MASQ
  * Skip _final run if not needed (only needed if autoprotecting features are present)
  * Docu fixes
- Revert FW_STOP_KEEP_ROUTING_STATE="yes" default (2002-07-12) due to security concerns.
-------------------------------------------------------------------
Sun Aug 11 18:27:38 MEST 2002 - garloff@suse.de

- Don't add /var/log/firewall to syslog file automatically any more as it might cause problems at installation time. (#17421)

-------------------------------------------------------------------
Sat Aug 3 19:05:37 CEST 2002 - kukuk@suse.de

- Add PreRequires.

-------------------------------------------------------------------
Fri Jul 12 02:03:10 MEST 2002 - garloff@suse.de

- Set FW_STOP_KEEP_ROUTING_STATE="yes" by default. (bug #11785)

-------------------------------------------------------------------
Thu Jul 11 11:39:53 MEST 2002 - garloff@suse.de

- Make SQUID_PORT and DNS_PORT greps on lsof output handle the situation when the named/squid are bound to an IP address (#16350)

-------------------------------------------------------------------
Thu Jul 11 10:34:46 MEST 2002 - garloff@suse.de

- Adapt to new init info comments (X-UnitedLinux-Should-Start)
- Provide Short-Description
- Remove Dep-Only flag (bug #15650)

-------------------------------------------------------------------
Fri Mar 8 15:06:21 MET 2002 - garloff@suse.de

- Some people don't like colons. (bug #14700) Remove them from initscripts. Compensation here ::::::

-------------------------------------------------------------------
Thu Mar 7 16:36:25 MET 2002 - draht@suse.de,lnussel@suse.de

- cosmetic fixes in fillup template (SuSEfirewall2-2.1.cosmetics-in-fillup.diff) functionality enhancements to cooperate with the y2 frontend, reflected in the changed SuSEfirewall2-2.1.syntax-for-y2-config.diff

-------------------------------------------------------------------
Mon Mar 4 18:05:36 MET 2002 - draht@suse.de

- fixes for SuSEfirewall2 to cooperate with the y2 frontend. SuSEfirewall2-2.1.syntax-for-y2-config.diff

-------------------------------------------------------------------
Fri Mar 1 11:49:42 CET 2002 - pthomas@suse.de

- Fix notification mail.
-------------------------------------------------------------------
Fri Jan 18 18:19:05 MET 2002 - garloff@suse.de

- UNALLOWED -> UNAUTHORIZED (bug #12859)

-------------------------------------------------------------------
Mon Jan 14 12:22:05 MET 2002 - garloff@suse.de

- Use LC_ALL to unset language specific support.
- Remove /etc/sysconfig/SuSEfirewall2 from %file list.

-------------------------------------------------------------------
Fri Jan 11 18:47:57 MET 2002 - garloff@suse.de

- Moved SuSEfirewall2 config files away from network to /etc/sysconfig resp. /etc/sysconfig/scripts/
- More docu fixes
- Init script fixes for new sysconfig (incl. dep. info)

-------------------------------------------------------------------
Fri Jan 11 04:37:32 MET 2002 - garloff@suse.de

- Update to new runlevel and configuration scheme:
  * config files are /etc/sysconfig/network/SuSEfirewall2 and /etc/sysconfig/network/scripts/SuSEfitrewall2-custom now
  * Startup behaviour is controlled by the existence of rc?.d symlinks.
  * Old config files should be saved and moved

-------------------------------------------------------------------
Fri Jan 11 02:28:12 MET 2002 - garloff@suse.de

- Update to SuSEfirewall-2.1:
  * Improved logging
  * FW_*_ALLOW_HIGH_PORT: related connections always allowed now, therefore INCOMING_HIGHPORTS_TCP="no" by default now.
  * '!' support for FW_REDIRECT

-------------------------------------------------------------------
Wed Nov 28 00:29:57 MET 2001 - garloff@suse.de

- Update to SuSEfirewall2-2.0:
  * Typo which created probs for ADSL users fixed.
- Update to SuSEfirewall2-1.8:
  * Private network detection for FW_MASQ_NETS fixed
  * Better log output

-------------------------------------------------------------------
Thu Sep 20 13:59:04 MEST 2001 - draht@suse.de

- rmmod of ip_tables modules can cause rmmod (and the system startup) to hang. Removing modules is racey and should not be required. rmmod of legacy ipfwadm and ipchains modules is untouched.
-------------------------------------------------------------------
Wed Sep 19 17:13:09 MEST 2001 - draht@suse.de

- Added restart2 section into rc scripts to work around open packet filter rules during yast2-triggered rules reload.

-------------------------------------------------------------------
Tue Sep 4 10:11:01 MEST 2001 - garloff@suse.de

- Disabled automatic ip-up updating for the release of SuSE Linux 7.3 (not needed, so avoid any risks).

-------------------------------------------------------------------
Tue Sep 4 09:01:11 MEST 2001 - garloff@suse.de

- Update to SuSEfirewall2-1.7:
  * Fixed a bug in FW_FORWARD_MASQ when target ports were ranges.
  * Fixed some bugs in the documentation.
  * When stopping SuSEfirewall2, all modules are now removed.
- bzip2 sources.

-------------------------------------------------------------------
Fri Aug 3 16:37:12 MEST 2001 - garloff@suse.de

- Update to SuSEfirewall-1.6:
  * Error checking for FW_MASQ_NETS.
  * Added an additional EXAMPLE with an ipsec setup and a FAQ section.

-------------------------------------------------------------------
Thu Jul 26 21:17:19 MEST 2001 - garloff@suse.de

- Update to SuSEfirewall2-1.5:
  * Already include most patches applied to 1.3
  * Fix firewall2.rc.config syntax to be YaST(2) compliant
  * Fix bug WRT timeout for first DNS lookup that triggered autodialing
  * SQUID udp ports support
  * Fix problem with error logging
- Provide automatic update for /etc/ppp/ip-up for SuSE Linux 7.2 users and warn others.

-------------------------------------------------------------------
Tue Jul 17 11:48:28 MEST 2001 - garloff@suse.de

- rcSuSEfirewall2 symlink points to _setup now, as that one's capable of doing a start and a stop.
- Use rc.status functions

-------------------------------------------------------------------
Tue Jul 17 09:06:44 MEST 2001 - garloff@suse.de

- Use ispell to fix docus. Strip CR from LICENCE.
-------------------------------------------------------------------
Tue Jul 17 08:14:11 MEST 2001 - garloff@suse.de

- Initial creation of package SuSEfirewall2:
  * checkin version 1.3
  * create package description and specfile
- Some changes to the startup scripts:
  * LSB conformant comments