2017-10-19 - firstname.lastname@example.org
- rpcinfo: fixed security issue with too open implicit portmapper rules
(bnc#1064127, CVE-2017-15638): A source net restriction for _rpc_ services
was not taken into account for the implicitly added rules for port 111,
making the portmap service accessible to everyone in the affected zone.
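
A defender's check for the exposure described in the CVE-2017-15638 entry above, as an added example that is not part of SuSEfirewall2 or of this changelog: it scans `iptables -S` style output for ACCEPT rules covering port 111 that carry no source restriction. The chain names and addresses in the sample rule set are constructed.

```shell
#!/bin/sh
# Added example (not SuSEfirewall2 code): flag ACCEPT rules that open the
# portmapper port (111) to any source. Reads `iptables -S` style text on stdin.

find_open_portmapper() {
    awk '
    $1 == "-A" {
        src = ""; target = ""; hit = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "--dport" || $i == "--dports") {
                # multiport lists are comma separated, ranges use lo:hi
                n = split($(i + 1), ports, ",")
                for (p = 1; p <= n; p++) {
                    m = split(ports[p], r, ":")
                    lo = r[1] + 0
                    hi = (m == 2 ? r[2] : r[1]) + 0
                    if (lo <= 111 && 111 <= hi) hit = 1
                }
            }
        }
        # no -s (or an explicit any-source) means the rule is open to everyone
        if (hit && target == "ACCEPT" &&
            (src == "" || src == "0.0.0.0/0" || src == "::/0"))
            print $2 ": " $0
    }'
}

# Constructed sample: the RPC service port is limited to 10.0.0.0/8, but the
# port 111 rules in the same chain have no source restriction.
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-N input_ext
-A input_ext -s 10.0.0.0/8 -p tcp -m tcp --dport 2049 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 111 -j ACCEPT
-A input_ext -p udp -m udp --dport 111 -j ACCEPT
-A input_int -s 192.168.1.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
EOF
}

# On a live host: iptables -S | find_open_portmapper
sample_rules | find_open_portmapper
```

Each reported line is prefixed with the chain that holds the unrestricted rule; run the same function over `ip6tables -S` output for the IPv6 rule set.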
2017-07-28 - email@example.com
- follow-up bugfix for bnc#946325:
Removed bogus nfs alias units, added correct nfs-client target in
The nfs alias units are false friends, because they don't fix the startup
ordering between nfs and SuSEfirewall2.
The missing nfs-client target could cause nfs mounts for nfs versions < 4.1
to be unable to receive callbacks from the server, when the nfs client was
started before the SuSEfirewall2 was started on boot.
renamed 0007-fix-nfs-server-dependency.patch to
0007-fix-nfs-dependencies.patch to fix both client and server issues
2017-07-25 - firstname.lastname@example.org
- correct boot order between SuSEfirewall2 and nfs-server to fix bnc#946325,
bsc#963740. Without this fix the NFS server ports might not have been
correctly opened after boot when both SuSEfirewall2 and nfs-server have been
enabled in systemd.
2017-07-17 - email@example.com
- improve/fix consideration of sysctl values in the system (bnc#1044523).
SuSEfirewall2 will now also check for existing configuration in sysctl.d
style directories in some default locations. Custom directories can be
configured via the new configuration variable FW_SYSCTL_PATHS. This is a
follow-up to (bnc#906136).
2017-03-21 - firstname.lastname@example.org
- Install symlink to SuSEfirewall2 with the updated SUSE spelling
- basic.target and SuSEfirewall2 have a loop, remove it bsc#961258
- ignore the bootlock when incremental updates for hotplugged or virtual
devices are coming in during boot. This prevents lockups for example when
drbd is used with FW_BOOT_FULL_INIT. (bnc#785299)
- support for IPv6 in FW_TRUSTED_NETS config variable. (bnc#841046)
- don't log dropped IPv6 broadcast/multicast packets by default to
avoid cluttering the kernel log. (bnc#847193)
- only apply FW_KERNEL_SECURITY proc settings, if not overridden by the
administrator in /etc/sysctl.conf (bnc#906136). This allows you to benefit
from some of the kernel security settings, while overwriting others.
- fixed a race condition in systemd unit files that could cause the
SuSEfirewall2_init unit to sporadically fail, because /tmp was not
there/writable yet. (bnc#1014987)
2014-08-15 - email@example.com
- hosting moved to github.com/opensuse/susefirewall2
- added a sysvinit -> systemd conversion hack (bnc#891669)
2014-07-31 - firstname.lastname@example.org
- SuSEfirewall2, ACCEPT from services is a local variable, otherwise
"ACCEPT" would be used as a service name (bnc#889406 bnc#889555 bnc#887040)
2014-06-11 - email@example.com
- Added ACCEPT to TEMPLATE using FW_SERVICES_ACCEPT
2014-05-27 - firstname.lastname@example.org
- Allow incoming DHCPv6 replies, currently unlimited.
- typo fix customary -> custom bnc#835677
2013-12-27 - email@example.com
- add perl-Net-DNS requires for "SuSEfirewall2 log" (bnc#856705)