Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: firewalld replaces yast-firewall

  1. #1
    Join Date
    Jul 2009
    Location
    Köln
    Posts
    23

    Default firewalld replaces yast-firewall

    I am not sure this is the right forum, but...

    I recently discovered that firewalld replaced yast-firewall in my 42.3 installation.
    I am not sure when this happened, but since that update my machine has been running without a firewall, which is a bit scary.
    Now... since years I am subscribed to the newsletters Security (opensuse-security@opensuse.org) and Maintenance (maintenance@opensuse.org) and I cannot find one reference to this replacement.
    Given the security implications, I would expecte a bit of warning if an updated is going to turn-off/disable/uninstall the firewall.
    I cannot imagine the consequences if the machine was an actual internet-facing server.

    The question is: did I miss the announcement / warning about the replacement or did it just slipped through the cracks ?
    and... more importantly... is there newsletter / blog / tweet account / mailing list,... something I need to subscribe to in order to be notified or to discover this kind of news ?
    4 x AMD A8-7600 Radeon R7, 10 Cores - OpenSUSE 42.3 (4.4.175-89) - KDE 5.32.0 - Qt 5.6.2

  2. #2
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,718

    Default Re: firewalld replaces yast-firewall

    In fact firewalld replaced SuSEfirewall2. yast-firewall is only a user interface to configure SuSEfirewall2. And that is also replaced by a new user configuration interface (also GUI), of which I forgot the name because I do not run a firewall.

    There were/are several threads here on the forums about this. The main thing I can remember with respect to your "why wasn't I warned" remark, is that it was announced in the release notes of the openSUSE version concerned.

    BTW, I found e.g. this https://en.opensuse.org/Firewalld
    Henk van Velden

  3. #3
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,161
    Blog Entries
    3

    Default Re: firewalld replaces yast-firewall

    Quote Originally Posted by savedario View Post
    I recently discovered that firewalld replaced yast-firewall in my 42.3 installation.
    I haven't been paying close attention to 42.3, but I don't think there was ever such a change. So it might be something that you did.

    You have possibly done something to your repos, so that a package was installed that was never intended for 42.3.

    Please provide the output from:
    Code:
    zypper lr -d
    That lists the repos. Use CODE tags for posting that output. You can generate CODE tags by clicking the "#" icon in the edit tool bar. The paste the output between those tags.
    openSUSE Leap 15.1; KDE Plasma 5;

  4. #4
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,718

    Default Re: firewalld replaces yast-firewall

    And this will be moved to install/boot/login. It is not an announcement, but seems to be a request for help.

    CLOSED for the moment.
    Henk van Velden

  5. #5
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,718

    Default Re: firewalld replaces yast-firewall

    Quote Originally Posted by savedario View Post
    I am not sure this is the right forum, but...

    I recently discovered that firewalld replaced yast-firewall in my 42.3 installation.
    I am not sure when this happened, but since that update my machine has been running without a firewall, which is a bit scary.
    Now... since years I am subscribed to the newsletters Security (opensuse-security@opensuse.org) and Maintenance (maintenance@opensuse.org) and I cannot find one reference to this replacement.
    Given the security implications, I would expecte a bit of warning if an updated is going to turn-off/disable/uninstall the firewall.
    I cannot imagine the consequences if the machine was an actual internet-facing server.

    The question is: did I miss the announcement / warning about the replacement or did it just slipped through the cracks ?
    and... more importantly... is there newsletter / blog / tweet account / mailing list,... something I need to subscribe to in order to be notified or to discover this kind of news ?
    Moved from Announcements and open again.
    Henk van Velden

  6. #6
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    2,392

    Talking Re: firewalld replaces yast-firewall

    For the case of the Leap 15.0 Release Notes, Bug #1129556 has been raised.

    There's nothing in the Leap 42.3 Release Notes about this – not expected because “officially” the change was made with Leap 15.0.

    There's also a package containing a “Basic SuSEfirewall2 to FirewallD migration script”: ‘susefirewall2-to-firewalld’ …

  7. #7
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    2,392

    Red face Re: firewalld replaces yast-firewall

    Re: Bug #1129556

    Ooops!! I failed to notice this Leap 15.0 Release Notes entry: <https://doc.opensuse.org/release-not...ackage.removed> – The “SuSEfirewall2” package has been removed …

  8. #8
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,005
    Blog Entries
    1

    Default Re: firewalld replaces yast-firewall

    Quote Originally Posted by dcurtisfra View Post
    Re: Bug #1129556

    Ooops!! I failed to notice this Leap 15.0 Release Notes entry: <https://doc.opensuse.org/release-not...ackage.removed> – The “SuSEfirewall2” package has been removed …
    Yep, and the move to using firewalld has been discussed in numerous threads here already.
    openSUSE Leap 15.0; KDE Plasma 5

  9. #9
    Join Date
    Jul 2009
    Location
    Köln
    Posts
    23

    Default Re: firewalld replaces yast-firewall

    Hi all,
    I am sorry for the delay in answering.

    I realize that there must have been discussion around this change and 'public' announcements, but unless I check all the forums/news on a regular basis (which I cannot obviously do), I don't get to read about this kind of changes.
    From what I read above, the news were also limited to Leap 15.0 and I am still on 42.3 (I know.... I know... but it takes a week of disruption to my work between backup, installation, redo all the configuration, settings, preferences etc...).
    The fact is that I need to have a couple of ports open to the 'outside' to do testing / debugging and the old firewall was protecting the machine to allow connections only from known sources.
    I discovered the firewall was gone only because I was watching the log and started seeing an IP flooding with HTTP requests of the usual URLs.

    I don't mean/care to blame anybody. My question was more around the lines of: "How do I prevent this from happening again ?"

    Did this happen because I am using an 'old' release ? Should I use Tumbleweed instead ?

    I don't care much about "The bleeding edge", but if that gives me a machine that is stable enough and then, by listening to its forum/news/announcements, I get to hear about this stuff, I would consider the change.

    Thanks for your time.

    @nrickert: see below my repos (I removed GPG Check and Priority (all 99) and wrapped one line to reduce width). I installed firewalld myself when I discovered the old one was gone. I may have turned it off by mistake, but uninstall it by mistake? (including the Yast module ?). I don't think so.
    Code:
    # zypper lr -d
    Repository priorities in effect:                                                                                             (See 'zypper lr -P' for details)
          90 (raised priority)  :  1 repository  
          99 (default priority) : 10 repositories
    
    #  | Alias                               | Name                                    | Enabled | Refresh | Type   | URI                                                                                                                      | Service
    ---+-------------------------------------+-----------------------------------------+---------+---------+--------+---------------------------------------------------------------------------
     1 | Google-Chrome                       | Google-Chrome                           | Yes     | Yes     | rpm-md | http://dl.google.com/linux/chrome/rpm/stable/x86_64                       
     2 | adobe                               | adobe                                   | No      | ----    | rpm-md | http://linuxdownload.adobe.com/linux/x86_64/                              
     3 | download.opensuse.org-non-oss       | Main Repository (NON-OSS)               | Yes     | Yes     | yast2  | http://download.opensuse.org/distribution/leap/42.3/repo/non-oss/         
     4 | download.opensuse.org-non-oss_1     | Update Repository (Non-Oss)             | Yes     | Yes     | rpm-md | http://download.opensuse.org/update/leap/42.3/non-oss/                    
     5 | download.opensuse.org-oss           | Main Repository (OSS)                   | Yes     | Yes     | yast2  | http://download.opensuse.org/distribution/leap/42.3/repo/oss/             
     6 | download.opensuse.org-oss_1         | Main Update Repository                  | Yes     | Yes     | rpm-md | http://download.opensuse.org/update/leap/42.3/oss                         
     7 | http-download.opensuse.org-fe1a881b | http-download.opensuse.org-fe1a881b     | No      | ----    | rpm-md | http://download.opensuse.org/ports/update/leap/15.0/oss                   
     8 | openSUSE-Leap-42.3-0                | openSUSE-Leap-42.3-0                    | No      | ----    | yast2  | hd:///?device=/dev/disk/by-id/usb-_USB_DISK_2.0_07104B91A2FAFF18-0:0-part2
     9 | openSUSE_Leap_42.3                  | openSUSE_Leap_42.3 NodeJs               | Yes     | Yes     | rpm-md |
          http://download.opensuse.org/repositories/devel:/languages:/nodejs/openSUSE_Leap_42.3        
    10 | openSUSE_Leap_42.3_1                | openSUSE_Leap_42.3_Mozilla              | Yes     | Yes     | rpm-md | http://download.opensuse.org/repositories/mozilla/openSUSE_Leap_42.3/     
    11 | opensuse-guide.org-repo             | Libdvdcss Repository                    | Yes     | Yes     | rpm-md | http://opensuse-guide.org/repo/openSUSE_Leap_42.3/                        
    12 | packman.inode.at-suse               | Packman Repository                      | Yes     | Yes     | rpm-md | http://packman.inode.at/suse/openSUSE_Leap_42.3/                          
    13 | repo-debug                          | openSUSE-Leap-42.3-Debug                | No      | ----    | yast2  | http://download.opensuse.org/debug/distribution/leap/42.3/repo/oss/       
    14 | repo-debug-non-oss                  | openSUSE-Leap-42.3-Debug-Non-Oss        | No      | ----    | yast2  | http://download.opensuse.org/debug/distribution/leap/42.3/repo/non-oss/   
    15 | repo-debug-update                   | openSUSE-Leap-42.3-Update-Debug         | No      | ----    | rpm-md | http://download.opensuse.org/debug/update/leap/42.3/oss/                  
    16 | repo-debug-update-non-oss           | openSUSE-Leap-42.3-Update-Debug-Non-Oss | No      | ----    | rpm-md | http://download.opensuse.org/debug/update/leap/42.3/non-oss/              
    17 | repo-source                         | openSUSE-Leap-42.3-Source               | No      | ----    | yast2  | http://download.opensuse.org/source/distribution/leap/42.3/repo/oss/      
    18 | repo-source-non-oss                 | openSUSE-Leap-42.3-Source-Non-Oss       | No      | ----    | yast2  | http://download.opensuse.org/source/distribution/leap/42.3/repo/non-oss/  
    19 | skype-stable                        | skype (stable)                          | Yes     | Yes     | rpm-md | https://repo.skype.com/rpm/stable/                                        
    20 | teamviewer                          | TeamViewer - x86_64                     | Yes     | No      | rpm-md | http://linux.teamviewer.com/yum/stable/main/binary-x86_64/
    4 x AMD A8-7600 Radeon R7, 10 Cores - OpenSUSE 42.3 (4.4.175-89) - KDE 5.32.0 - Qt 5.6.2

  10. #10
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,718

    Default Re: firewalld replaces yast-firewall

    I am not sure why you see this on 42.3. As mentioned above, the step was made starting from 15.0 (and earlier somewhere in Tumbleweed). But as it is also not the policy to change packages to new ones (not even newer versions of packages, let alone replacing products during the lifetime of a version of openSUSE), I do not quite understand where you got that new firewalld from.

    Well, I have an idea. Look at your repo #7. It is a 15.0 one and can veru well be the start of this problem (and maybe even more problems yet to surface. Better remove it and zypper dup from the correct repos to undo what went wrong.

    PS, better do not change anything when you post computer text. Things that you think are unimportant may be important. After all you have a problem you can not solve. That often means that you walk a path through what you think may be the possible causes. But you may be completely wrong. Others might see what you do not see. But when you post biased information, the others will not see also.
    Last edited by hcvv; 21-Mar-2019 at 05:07.
    Henk van Velden

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •