[ale] FYI - major bug in SUSE SLES 11 SP2 firewall update

Scott Steele roninazure at gmail.com
Thu Jan 10 16:12:05 EST 2013


Thanks for the heads-up. This update was pushed in November. I took a
quick audit of my SLES SMT (Subscription Management Tool) server and
it appears it had downloaded this patch for my servers.  Thankfully I
haven't had to reboot any of them yet. One of the solutions would be
to turn off the firewall in Yast2 and let the corporate firewalls do
their job.

On Thu, Jan 10, 2013 at 3:43 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
> That stinks!
>
> RHEL/Fedora systems use comments as well in /etc/sysconfig/iptables but
> things "JustWork". Sounds like SLES tossed a wrench in their parser.
>
>
> On Thu, Jan 10, 2013 at 3:23 PM, Beddingfield, Allen <allen at ua.edu> wrote:
>>
>> If you have any SUSE Linux Enterprise 11 SP2 systems, you will want to pay
>> careful attention to this one.  I'm getting it submitted to SUSE as a bug
>> report.
>>
>> When you go into the "firewall" module of yast and create custom rules,
>> they are added to a line in /etc/sysconfig/SuSEfirewall2
>>
>> Once this patch is applied:
>> v | SLES11-SP2-Updates | SuSEfirewall2 | 3.6_SVNr208-2.5.1 | 3.6_SVNr208-2.7.1
>>
>> A comment line gets thrown into the middle of your custom firewall rules.
>> The next time the system is rebooted, the firewall does not start.  If you
>> aren't watching the console of your server, you won't know that your server
>> has come up without the firewall running.
>>
>> Below is a before and after example of what I'm talking about (from
>> /etc/sysconfig/SuSEfirewall2):
>>
>> Firewall rules before update:
>> FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050
>> 10.0.0.0/255.0.0.0,udp,1645
>> 130.160.0.0/255.255.0.0,udp,1645
>> 10.0.0.0/255.0.0.0,udp,1646
>> 130.160.0.0/255.255.0.0,udp,1646
>> 130.160.4.150,udp,1645"
>>
>> Firewall rules after update:
>> FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050
>>
>> ## Type: string
>> 10.0.0.0/255.0.0.0,udp,1645
>> 130.160.0.0/255.255.0.0,udp,1645
>> 10.0.0.0/255.0.0.0,udp,1646
>> 130.160.0.0/255.255.0.0,udp,1646"
>>
>> As you can see, there is a comment line inserted in the middle of the
>> rules.  This prevents the firewall from starting.  I can readily reproduce
>> this problem on multiple systems.  I really wish I had encountered this
>> problem before deploying this patch, because I have a LOT of SLES
>> systems... sigh.
>>
>> --
>> Allen Beddingfield
>> Systems Engineer
>> The University of Alabama
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>
>
>
>
> --
> --
> James P. Kinney III
>
> Every time you stop a school, you will have to build a jail. What you gain
> at one end you lose at the other. It's like feeding a dog on his own tail.
> It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
>
> http://electjimkinney.org
> http://heretothereideas.blogspot.com/
>

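Added example (my own, not code from any of the posters or from SUSE): a
POSIX shell check for the failure mode Allen describes, i.e. comment text
landing inside the multi-line FW_SERVICES_ACCEPT_EXT value in
/etc/sysconfig/SuSEfirewall2. It reads the value the way sh does when the
file is sourced (everything up to the closing double quote, so an embedded
"## Type: string" line becomes part of the value rather than a comment)
and flags any whitespace-separated token that is not of the
net,proto,port shape used in the post. The function names
(fw_accept_ext_tokens, fw_accept_ext_check, write_sample) and the token
regex are my assumptions; SuSEfirewall2 accepts more rule forms than that
regex, so treat a hit as something to look at, not as proof the rule is
invalid. The two sample fragments are constructed from the before/after
listing in the post.

```shell
#!/bin/sh
# Added example: detect stray comment text inside the multi-line
# FW_SERVICES_ACCEPT_EXT value of a SuSEfirewall2-style sysconfig file.
#
# Assumption (not from the post): the value is read as sh would read it,
# up to the closing double quote, and every whitespace-separated token is
# expected to be a net,proto,port rule.

# Print the tokens of FW_SERVICES_ACCEPT_EXT from file $1, one per line.
# Comment lines that sit between the opening and closing quote are part
# of the value and therefore show up as tokens here.
fw_accept_ext_tokens() {
    awk '
        !inval && /^FW_SERVICES_ACCEPT_EXT="/ {
            inval = 1
            sub(/^FW_SERVICES_ACCEPT_EXT="/, "")
        }
        inval {
            # A closing quote at end of line ends the value.
            if (match($0, /"[ \t]*$/)) {
                sub(/"[ \t]*$/, "")
                done = 1
            }
            n = split($0, t, /[ \t]+/)
            for (i = 1; i <= n; i++) if (t[i] != "") print t[i]
            if (done) exit
        }
    ' "$1"
}

# Return 0 if every token looks like net,proto,port (the only rule shape
# in the post; assumed, SuSEfirewall2 accepts more), otherwise print the
# offending tokens and return 1.
fw_accept_ext_check() {
    bad=$(fw_accept_ext_tokens "$1" \
        | grep -Ev '^[0-9.]+(/[0-9.]+)?,(tcp|udp),[0-9]+$' || true)
    if [ -n "$bad" ]; then
        printf 'stray token(s) in FW_SERVICES_ACCEPT_EXT:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed test data mirroring the post: write the "before" or
# "after" fragment ($1) to a temp file and print its path. The
# "## Type: string" line before the assignment is a legitimate
# sysconfig comment and must not be flagged.
write_sample() {
    f=$(mktemp) || return 1
    if [ "$1" = before ]; then
        cat > "$f" <<'EOF'
## Type: string
FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050
10.0.0.0/255.0.0.0,udp,1645
130.160.0.0/255.255.0.0,udp,1645
10.0.0.0/255.0.0.0,udp,1646
130.160.0.0/255.255.0.0,udp,1646
130.160.4.150,udp,1645"
FW_SERVICES_ACCEPT_INT=""
EOF
    else
        cat > "$f" <<'EOF'
## Type: string
FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050

## Type: string
10.0.0.0/255.0.0.0,udp,1645
130.160.0.0/255.255.0.0,udp,1645
10.0.0.0/255.0.0.0,udp,1646
130.160.0.0/255.255.0.0,udp,1646"
FW_SERVICES_ACCEPT_INT=""
EOF
    fi
    printf '%s\n' "$f"
}

# Stand-alone run: the "before" file passes, the "after" file reports
# the three tokens "##", "Type:" and "string".
if [ "${1:-}" = demo ]; then
    b=$(write_sample before); a=$(write_sample after)
    fw_accept_ext_check "$b" && echo "before: ok"
    fw_accept_ext_check "$a" || echo "after: broken"
    rm -f "$a" "$b"
fi
```

Point it at the real file with `fw_accept_ext_check /etc/sysconfig/SuSEfirewall2`
on each SLES box (before the reboot, which is when the post says the
breakage shows up), and pair it with a post-boot check that the firewall
actually came up, for example `rcSuSEfirewall2 status` and a look at
`iptables -L -n`, so you are not depending on watching the console.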