[ale] FYI - major bug in SUSE SLES 11 SP2 firewall update

Beddingfield, Allen allen at ua.edu
Thu Jan 10 16:18:09 EST 2013


Yeah, we still have unprotected subnets in some cases, and I pretty much
keep up the software firewalls because I'm not so trusting of our border
firewalls, based on past experiences.  How are you staging/applying your
patches?  I have SMT, but have more recently started using SUSE Manager to
manage updates.  
Allen B.

-- 
Allen Beddingfield
Systems Engineer
The University of Alabama




On 1/10/13 3:12 PM, "Scott Steele" <roninazure at gmail.com> wrote:

>Thanks for the heads-up. This update was pushed in November. I took a
>quick audit of my SLES SMT (Subscription Management Tool) server and
>it appears it had downloaded this patch for my servers.  Thankfully I
>haven't had to reboot any of them yet. One of the solutions would be
>to turn off the firewall in Yast2 and let the corporate firewalls do
>their job.
>
>On Thu, Jan 10, 2013 at 3:43 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>> That stinks!
>>
>> RHEL/Fedora systems use comments as well in /etc/sysconfig/iptables but
>> things "JustWork". sounds like SLES tossed a wrench in their parser.
>>
>>
>> On Thu, Jan 10, 2013 at 3:23 PM, Beddingfield, Allen <allen at ua.edu>
>>wrote:
>>>
>>> If you have any SUSE Linux Enterprise 11 SP2 systems, you will want to pay
>>> careful attention to this one.  I'm getting it submitted to SUSE as a bug
>>> report.
>>>
>>> When you go into the "firewall" module of yast and create custom rules,
>>> they are added to a line in /etc/sysconfig/SuSEfirewall2
>>>
>>> Once this patch is applied (zypper update listing):
>>> v | SLES11-SP2-Updates | SuSEfirewall2 | 3.6_SVNr208-2.5.1 | 3.6_SVNr208-2.7.1
>>>
>>> A comment line gets thrown into the middle of your custom firewall rules.
>>> The next time the system is rebooted, the firewall does not start.  If you
>>> aren't watching the console of your server, you won't know that your server
>>> has come up without the firewall running.
>>>
>>> Below is a before and after example of what I'm talking about (from
>>> /etc/sysconfig/SuSEfirewall2):
>>>
>>> Firewall rules before update:
>>> FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050
>>> 10.0.0.0/255.0.0.0,udp,1645
>>> 130.160.0.0/255.255.0.0,udp,1645
>>> 10.0.0.0/255.0.0.0,udp,1646
>>> 130.160.0.0/255.255.0.0,udp,1646
>>> 130.160.4.150,udp,1645"
>>>
>>> Firewall rules after update:
>>> FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050
>>>
>>> ## Type: string
>>> 10.0.0.0/255.0.0.0,udp,1645
>>> 130.160.0.0/255.255.0.0,udp,1645
>>> 10.0.0.0/255.0.0.0,udp,1646
>>> 130.160.0.0/255.255.0.0,udp,1646"
>>>
>>> As you can see, there is a comment line inserted in the middle of the
>>> rules.  This prevents the firewall from starting.  I can readily reproduce
>>> this problem on multiple systems.  I really wish I had encountered this
>>> problem before deploying this patch, because I have a LOT of SLES
>>> systems... sigh.
>>>
>>> --
>>> Allen Beddingfield
>>> Systems Engineer
>>> The University of Alabama
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>
>>
>>
>>
>> --
>> --
>> James P. Kinney III
>>
>> Every time you stop a school, you will have to build a jail. What you gain
>> at one end you lose at the other. It's like feeding a dog on his own tail.
>> It won't fatten the dog.
>> - Speech 11/23/1900 Mark Twain
>>
>> http://electjimkinney.org
>> http://heretothereideas.blogspot.com/
>>
>
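The failure mode in the thread is a stray "## Type: string" comment landing inside the multi-line quoted value of FW_SERVICES_ACCEPT_EXT, after which SuSEfirewall2 no longer starts at boot. The script below is an added example, not code from the list posters or from SUSE: a POSIX sh check that walks /etc/sysconfig/SuSEfirewall2 (or any file you hand it), tracks whether a double-quoted value is still open, and reports any comment line found while one is. The function names write_sample and find_comments_in_values are this example's own, and the two sample rule sets are constructed from the before/after excerpts in the post.

```shell
#!/bin/sh
# Added example (not from the thread, not SUSE's code): detect a comment line
# that has been inserted inside a multi-line quoted value in a
# /etc/sysconfig/SuSEfirewall2-style file.

# write_sample KIND FILE
#   KIND is "before" (clean config) or "after" (comment inserted by the update).
#   Both are constructed from the excerpts quoted in the post.
write_sample() {
    case "$1" in
        before)
            cat > "$2" <<'EOF'
## Type: string
FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050
10.0.0.0/255.0.0.0,udp,1645
130.160.0.0/255.255.0.0,udp,1645
10.0.0.0/255.0.0.0,udp,1646
130.160.0.0/255.255.0.0,udp,1646
130.160.4.150,udp,1645"
EOF
            ;;
        after)
            cat > "$2" <<'EOF'
## Type: string
FW_SERVICES_ACCEPT_EXT="130.160.21.210,tcp,10050

## Type: string
10.0.0.0/255.0.0.0,udp,1645
130.160.0.0/255.255.0.0,udp,1645
10.0.0.0/255.0.0.0,udp,1646
130.160.0.0/255.255.0.0,udp,1646"
EOF
            ;;
        *)
            echo "write_sample: unknown kind '$1'" >&2
            return 2
            ;;
    esac
}

# find_comments_in_values FILE
#   Tracks whether a double-quoted value is open (odd number of quotes seen so
#   far).  A line starting with '#' while a value is open is printed as
#   "LINE: text".  Exit status 0 if the file is clean, 1 if anything was found.
find_comments_in_values() {
    awk '
        BEGIN { inval = 0; bad = 0 }
        {
            is_comment = ($0 ~ /^[[:space:]]*#/)
            if (inval && is_comment) {
                printf "%d: %s\n", NR, $0
                bad = 1
            }
            # Comments outside a value are legitimate and are skipped; any
            # other line toggles the open-value state on an odd quote count.
            if (!(is_comment && !inval)) {
                tmp = $0
                n = gsub(/"/, "&", tmp)
                if (n % 2 == 1) inval = !inval
            }
        }
        END { exit bad }
    ' "$1"
}

# Stand-alone run: build both constructed samples and check each one.
# On a real SLES host you would call: find_comments_in_values /etc/sysconfig/SuSEfirewall2
tmp=$(mktemp -d)
write_sample before "$tmp/before"
write_sample after "$tmp/after"
for kind in before after; do
    if find_comments_in_values "$tmp/$kind"; then
        echo "$kind: OK, no comment inside a quoted value"
    else
        echo "$kind: BROKEN, comment line(s) listed above sit inside a quoted value"
    fi
done
rm -rf "$tmp"
```

Run this against the config before rebooting any host that received the SuSEfirewall2 update; a non-zero exit means the file has the shape shown in the post. Because the real cost described in the thread is a host silently coming up without a firewall, pair the pre-reboot check with a post-reboot one that does not depend on watching the console, such as confirming with iptables -L -n that rules are actually loaded.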