Bug 375877

Summary: Firewall is desactivated when you configure the service NTP
Product: [openSUSE] openSUSE 10.3 Reporter: Quentin l <tintinl>
Component: YaST2Assignee: Martin Vidner <mvidner>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Critical    
Priority: P5 - None CC: locilka, security-team
Version: Final   
Target Milestone: ---   
Hardware: i686   
OS: openSUSE 10.3   
Whiteboard:
Found By: Customer Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: screen of the panel with desactivate the firewall
screen of the state of the firewall after the configuration

Description Quentin l 2008-04-01 13:45:56 UTC 
Created attachment 205391 [details]
screen of the panel with desactivate the firewall

The firewall is disable when you did:

*Clic right on the clock on the panel.
*select  "configure the date and the hour"
*then select modify near the clock.
*select synchronize with NTP server
*clic on the configure button
configure your server and clic on terminate.

When the configuration is applied the firewall is disabled.




In french:

QUand on synchronise l'horloge avec un serveur NTP, que l'on configure le deamon NTP, une fois qu'on a cliqué sur le bouton terminé,
le firewall est désactivé


C'est donc une erreur critique.


Here is my report, i could send you more information if you need some.
Comment 1 Quentin l 2008-04-01 13:54:27 UTC 
Created attachment 205405 [details]
screen of the state of the firewall after the configuration
Comment 2 Ludwig Nussel 2008-04-01 14:02:13 UTC 
screenshots in french are not that useful. you need to attach the yast2 logs.
Anyways, sounds like a problem of yast2-ntp-client. reassigning to maintainer.
Comment 3 Quentin l 2008-04-01 14:11:29 UTC 
Whitch folder or file in /var/log do you need??
Comment 4 Katarina Machalkova 2008-04-02 13:56:58 UTC 
Je n'ai pas besoin des journaux, j'ai reproduit l'erreur moi meme :):D

It is enough to start firewall and launch ntp-client from date&time module, it will kick SuSEfirewall dead. Interestingly enough, it does not happen with standalone ntp-client module. Investigating ...
Comment 5 Katarina Machalkova 2008-04-02 14:39:29 UTC 
2008-04-02 15:46:06 <1> felix(16661) [YCP] SuSEFirewall.ycp:2484 Firewall settings weren't modified, skipping...
2008-04-02 15:46:06 <1> felix(16661) [YCP] SuSEFirewall.ycp:2505 Firewall enable/disable wasn't modified, skipping...
2008-04-02 15:46:06 <1> felix(16661) [YCP] SuSEFirewall.ycp:1336 Firewall services are started
2008-04-02 15:46:06 <1> felix(16661) [YCP] SuSEFirewall.ycp:2424 Stopping firewall services
2008-04-02 15:46:06 <1> felix(16661) [YCP] SuSEFirewall.ycp:1226 Stopping firewall...
2008-04-02 15:46:06 <1> felix(16661) [YCP] SuSEFirewall.ycp:1232 Stopped

All ntp-client does is that it calls SuSEFirewall::Write(). Then, for some reason,  SuSEFirewall module thinks that fw service has not been started before (even though it was) and thus it stops and does not start again.

And, as I wrote above, it does not happen with standalone ntp-client module. Something, somewhere stops the firewall and I'm not aware that it would be something in my code.
Lukas, can you please lend a hand ?
Comment 6 Quentin l 2008-04-02 19:29:23 UTC 
(In reply to comment #4 from Katarina Machalkova)
> Je n'ai pas besoin des journaux, j'ai reproduit l'erreur moi meme :):D
> 
> It is enough to start firewall and launch ntp-client from date&time module, it
> will kick SuSEfirewall dead. Interestingly enough, it does not happen with
> standalone ntp-client module. Investigating ...
> 

Ok thanks to reply so fast. i expect that you will find the problem.


Je vois que vous parlez français. :) Merci de répondre si rapidement. Je vous avoue que nous avons été surpris de trouver ce problème et que nous avons eu du bole d'en trouver la cause. 
J'espère que vous arriverais à le régler. :)
Bonne continuation. :)

Je suis le report jusqu'à sa correction (enfin j'espère qu'il sera corrigé :D)
Comment 7 Katarina Machalkova 2008-04-08 08:21:49 UTC 
The problem: when launching ntp-client from outside (e.g. from timezone module) via ntp-client_proposal, only /etc/ntp.conf file is processed. Firewall settings, but also ntp related stuff from sysconfig is left behind. Thus, some variables are not initialized and it confuses SuSEFirewall. It thinks it has not been started before, even though it was

So I patched the proposal to call full NtpClient::Read() on the running system, but process ntp.conf only during installation. Seems to fix the problem of stopped firewall, but I cannot test if it does not break the installation at the moment. Moreover, a new functionality (fate #302917) appeared in the module since this bug  was reported.

Anyway, this belongs to the new maintainer now. Martin, the fix is in svn trunk now, please have a look.
Comment 8 Martin Vidner 2008-04-15 08:58:34 UTC 
yast2-ntp-client-2.16.7 contains the fix from comment 7, I will test it in beta 1.
Comment 9 Martin Vidner 2008-04-30 09:26:59 UTC 
Firewall stays enabled, the fix works.