I recently discovered that firewalld replaced yast-firewall in my 42.3 installation.
I am not sure when this happened, but since that update my machine has been running without a firewall, which is a bit scary.
Now… for years I have been subscribed to the newsletters Security (opensuse-security@opensuse.org) and Maintenance (maintenance@opensuse.org) and I cannot find one reference to this replacement.
Given the security implications, I would expect a bit of warning if an update is going to turn off/disable/uninstall the firewall.
I cannot imagine the consequences if the machine was an actual internet-facing server.
The question is: did I miss the announcement / warning about the replacement or did it just slip through the cracks?
and… more importantly… is there a newsletter / blog / tweet account / mailing list… something I need to subscribe to in order to be notified or to discover this kind of news?
In fact firewalld replaced SuSEfirewall2. yast-firewall is only a user interface to configure SuSEfirewall2. And that is also replaced by a new user configuration interface (also GUI), of which I forgot the name because I do not run a firewall.
There were/are several threads here on the forums about this. The main thing I can remember with respect to your “why wasn’t I warned” remark, is that it was announced in the release notes of the openSUSE version concerned.
I haven’t been paying close attention to 42.3, but I don’t think there was ever such a change. So it might be something that you did.
You have possibly done something to your repos, so that a package was installed that was never intended for 42.3.
Please provide the output from:
zypper lr -d
That lists the repos. Use CODE tags for posting that output. You can generate CODE tags by clicking the “#” icon in the edit tool bar. Then paste the output between those tags.
I realize that there must have been discussion around this change and ‘public’ announcements, but unless I check all the forums/news on a regular basis (which I cannot obviously do), I don’t get to read about this kind of changes.
From what I read above, the news was also limited to Leap 15.0 and I am still on 42.3 (I know… I know… but it takes a week of disruption to my work between backup, installation, redo all the configuration, settings, preferences etc…).
The fact is that I need to have a couple of ports open to the ‘outside’ to do testing / debugging and the old firewall was protecting the machine to allow connections only from known sources.
I discovered the firewall was gone only because I was watching the log and started seeing an IP flooding with HTTP requests of the usual URLs.
I don’t mean/care to blame anybody. My question was more around the lines of: “How do I prevent this from happening again ?”
Did this happen because I am using an ‘old’ release ? Should I use Tumbleweed instead ?
I don’t care much about “The bleeding edge”, but if that gives me a machine that is stable enough and then, by listening to its forum/news/announcements, I get to hear about this stuff, I would consider the change.
Thanks for your time.
@nrickert: see below my repos (I removed GPG Check and Priority (all 99) and wrapped one line to reduce width). I installed firewalld myself when I discovered the old one was gone. I may have turned it off by mistake, but uninstall it by mistake? (including the Yast module ?). I don’t think so.
I am not sure why you see this on 42.3. As mentioned above, the step was made starting from 15.0 (and earlier somewhere in Tumbleweed). But as it is also not the policy to change packages to new ones (not even newer versions of packages, let alone replacing products during the lifetime of a version of openSUSE), I do not quite understand where you got that new firewalld from.
Well, I have an idea. Look at your repo #7. It is a 15.0 one and can very well be the start of this problem (and maybe even more problems yet to surface). Better remove it and zypper dup from the correct repos to undo what went wrong.
PS, better do not change anything when you post computer text. Things that you think are unimportant may be important. After all you have a problem you can not solve. That often means that you walk a path through what you think may be the possible causes. But you may be completely wrong. Others might see what you do not see. But when you post biased information, the others will not see also.
With TW it was even more chaos, suddenly after an update there was no Yast plugin for firewall for some time (I posted here on the forum, iirc about a year ago). Then by default the new firewall opened in the “public” ipv6dhcp server port and ssh.
Really not what you expect from a personal firewall on your computer… I shifted the last 42.3 to 15.0 in January and I hardly remember, if there was the old firewall still present at that time, but I think due to the TW firewall problems I had switched them manually over the last year.
Only way to learn about such and other problems for me: Keep an eye on this forum and be late with updating (on your production systems)…
firewalld was installed by me when I discovered I had no firewall at all, by then SuseFirewall was already gone.
Probably you are right about repo #7. I had a bit of trouble a couple of months back when I tried to install a package that was available only for 15.0 and answered yes too quickly.
zypper dup I will leave for later, I cannot afford a full upgrade right now.
[QUOTE=savedario;2897698]@nrickert: see below my repos (I removed GPG Check and Priority (all 99) and wrapped one line to reduce width). I installed firewalld myself when I discovered the old one was gone. I may have turned it off by mistake, but uninstall it by mistake? (including the Yast module ?). I don’t think so.[/QUOTE]
When you use a CODE box (as you did), the browser will add a scroll bar for that code box. So no need to worry about long lines.
I did just boot up 42.3, but a very out-of-date install. I see that “firewalld” is in the main repo, but I don’t see anything that wants to install it. And there’s nothing that wants to uninstall SuSEfirewall2. So I’m still not sure why that happened. I’m inclined to agree with Henk, that it happened when you had that Leap 15.0 repo enabled at some time in the past.
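The check done by eye on the `zypper lr -d` listing in this thread (spotting an enabled Leap 15.0 repo on a 42.3 system), as an added example that is not part of the original posts. The function names, repo aliases and the `repo.example.org` URI are constructed for illustration; the table layout is the one `zypper lr -d` prints, with columns located from the header row.

```shell
#!/bin/sh
# Added example: flag enabled repos whose URI names a different Leap release
# than the one the system is supposed to track.

# foreign_repos EXPECTED_VERSION   (reads a `zypper lr -d` table on stdin)
# Prints "number|alias|version" for every enabled repo pointing elsewhere.
foreign_repos() {
    awk -F'|' -v want="$1" '
    {
        # Trim padding from every cell of the table row.
        for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
    }
    $1 == "#" {
        # Header row: remember where the Enabled and URI columns are.
        for (i = 1; i <= NF; i++) {
            if ($i == "Enabled") en = i
            if ($i == "URI") u = i
        }
        next
    }
    $1 ~ /^[0-9]+$/ && en && u {
        if ($en != "Yes") next          # disabled repos cannot pull packages
        # Versions appear as .../leap/42.3/... or ...openSUSE_Leap_15.0/...
        if (match($u, "[Ll]eap[/_][0-9]+[.][0-9]+")) {
            ver = substr($u, RSTART + 5, RLENGTH - 5)
            if (ver != want) print $1 "|" $2 "|" ver
        }
    }'
}

# Constructed sample of `zypper lr -d` output (not the poster's real listing).
sample_lr() {
    cat <<'EOF'
# | Alias         | Name          | Enabled | GPG Check | Refresh | Priority | Type   | URI                                                           | Service
--+---------------+---------------+---------+-----------+---------+----------+--------+---------------------------------------------------------------+--------
1 | repo-oss      | Main (OSS)    | Yes     | (r ) Yes  | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/leap/42.3/repo/oss/ |
2 | repo-update   | Update (OSS)  | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/42.3/oss/            |
3 | example-extra | Example extra | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://repo.example.org/openSUSE_Leap_15.0/                   |
4 | example-old   | Example old   | No      | ----      | ----    |   99     | rpm-md | http://repo.example.org/old/openSUSE_Leap_15.0/               |
EOF
}

# Demo on the constructed sample; on a real system: zypper lr -d | foreign_repos 42.3
sample_lr | foreign_repos 42.3
```

Any line it prints is a repo that can replace or obsolete packages from the installed release on the next update, which is the situation the replies suspect behind the missing SuSEfirewall2.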