Bug 729793

Summary:	TFTP server doesn't provide support for SuSEfirewall2
Product:	[openSUSE] openSUSE 12.1	Reporter:	Lukas Ocilka <locilka>
Component:	Basesystem	Assignee:	Lukas Ocilka <locilka>
Status:	RESOLVED FIXED	QA Contact:	E-mail List <qa-bugs>
Severity:	Normal
Priority:	P3 - Medium	CC:	mvidner, rysic, vcizek
Version:	RC 2
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:	maint:running:49006:moderate maint:released:sle11-sp2:49033 maint:released:sle11-sp2:49242
Found By:	Development	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Lukas Ocilka 2011-11-11 07:55:26 UTC

I came across this article about configuring TFTP http://sellingfreesoftwareforaliving.blogspot.com/2011/11/install-and-configure-tftp-server-for.html
and it says that it needs some manual steps in configuring firewall to
make it work.

Hard to say whether TFTP server actually ever did provide that support, but
YaST configuration module expects that it does.

SuSEfirewall2 provides quite interesting feature: Any package can define
its own set of firewall rules needed for itself to work behind firewall.
More info here: http://kobliha-suse.blogspot.com/2008/06/firewall-services-defined-by-packages.html

I believe it would be enough include a new file
/etc/sysconfig/SuSEfirewall2.d/services/tftp
in the tftp package:

--- cut ---
## Name: TFTP Server
## Description: Opens ports for tftp service.

# space separated list of allowed UDP ports
UDP="tftp"
--- cut ---

Please, correct me if more ports are needed.

Comment 1 Vítězslav Čížek 2011-11-11 16:08:24 UTC

I packaged the firewall rules as you suggested.

However, when I launch the Yast tftp module and check "Open port in firewall",
I still don't see port 69 listed among the allowed services/ports.

In Yast log I find lines like this:
[YCP] SuSEFirewall.ycp:2046 Undefined service 'tftp'
or
[YCP] SuSEFirewallServices.ycp:538 Uknown service 'tftp'

Despite tftp being listed among the known services right bellow:
"service:tftp":$["broadcast_ports":[], "description":"Opens ports for tftp ser
vice.", "ip_protocols":[], "name":"TFTP Server", "rpc_ports":[], "tcp_ports":[], "udp_ports":["tftp"]]

Do you have any ideas what could go wrong?

Comment 2 Lukas Ocilka 2011-11-14 13:32:58 UTC

Well, "service:tftp" != "tftp" --> YaST code needs to be changed too.

BTW, even if you allow TFTP service in firewall, you will still unable
to see port 69 open in YaST Firewall (but you will be able to see it
in iptables list).

Comment 3 Martin Vidner 2011-11-14 14:48:59 UTC

Do you mean that this line should be changed to read "service:tftp"?
http://svn.opensuse.org/viewvc/yast/trunk/tftp-server/src/dialogs.ycp?view=markup&pathrev=64460#l85

Then I don't understand why anything needed to be changed in the first place. 
SuSEFirewallServices.ycp does contain "udp_ports" : [ "tftp" ].

Comment 4 Lukas Ocilka 2011-11-15 12:46:16 UTC

SuSEFirewallServices.ycp contains obsolete services maintained by this
YCP module. Definition mentioned above is used only for converting old
settings to new ones. This conversion is now obsolete as well as it's
been done already.

Anyway, if YaST TFTP Server wants to modify the firewall with CWM
functionality, it has to use some service that exists and thats
"service:tftp"

Comment 5 Lukas Ocilka 2011-11-15 12:49:00 UTC

Additional info:

service:$name has been added years ago to replace the old built-in
services defined in SuSEFirewallServices YCP module. These old
definitions have been already dropped.

Comment 6 Vítězslav Čížek 2011-11-21 14:03:34 UTC

I think my part is done here.

Martin, should I assign this bug to you?

Comment 7 Lukas Ocilka 2011-11-21 14:41:38 UTC

I'll fix that in Factory...

In which version (tftp) has it been implemented?

Comment 8 Vítězslav Čížek 2011-11-21 14:58:51 UTC

I'll fixed it in devel project only, yet. So Factory.

Comment 9 Lukas Ocilka 2011-11-25 10:23:05 UTC

Fixed in Factory, yast2-tftp-server 2.22.1

Comment 10 Bernhard Wiedemann 2011-11-25 11:00:12 UTC

This is an autogenerated message for OBS integration:
This bug (729793) was mentioned in
https://build.opensuse.org/request/show/93601 Factory / yast2-tftp-server

Comment 11 Lukas Ocilka 2012-08-01 14:30:15 UTC

*** Bug 609413 has been marked as a duplicate of this bug. ***

Comment 12 Bernhard Wiedemann 2012-09-13 10:00:29 UTC

This is an autogenerated message for OBS integration:
This bug (729793) was mentioned in
https://build.opensuse.org/request/show/134139 Factory / atftp

Comment 13 Swamp Workflow Management 2012-09-13 20:44:59 UTC

Update released for: tftp, tftp-debuginfo, tftp-debugsource
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)

Comment 14 Swamp Workflow Management 2012-09-24 18:17:27 UTC

Update released for: atftp, atftp-debuginfo, atftp-debugsource
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)