Bugzilla – Full Text Bug Listing
| Summary: | During Default Installation Suse Firewall does NOT Assign any ZONE to the Network Interface Card | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Distribution | Reporter: | Forgotten User SxCIMBZqeN <forgotten_SxCIMBZqeN> |
| Component: | Security | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED INVALID | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Major | ||
| Priority: | P5 - None | CC: | ab, aburgemeister, astieger, forgotten_SxCIMBZqeN, jo4su |
| Version: | 13.2 | ||
| Target Milestone: | 13.2 | ||
| Hardware: | x86-64 | ||
| OS: | openSUSE 13.2 | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Forgotten User SxCIMBZqeN
2015-05-17 01:05:56 UTC
(In reply to Scott Couston from comment #0)
> I have 4 x 12.3 Default Installations. 3 KDE 1 Gnome
> On inspection each and every PC showed the NIC as not being assigned to be
> in ANY Zone of the Suse2Firewall.
> You can easily identify this by watching the boot log from ESC during
> Start-up and you find that Susefirewall doesn't even start as such.
>
> In the unlikely event you can't validate this I'll do a fresh install for you
> and send you logs but sending you Yast Logs for any installation that is
> months old, may yield little practical help due to size and other extraneous
> issues.

Hello Scott, thanks for reporting. However we are not accepting security issue reports against 12.3 anymore as it has reached its end of life: http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00003.html

Please check if the problem still persists on 13.1, 13.2 or Tumbleweed. If so, please re-open this issue, updating the relevant product/version fields and adding any updated information. Thanks!

Apologies for version error. My earlier statement that susefirewall not being present as started and running in start-up log is incorrect but definitely a default install assigns NO zone to the NIC

Version number in text should read 13.2 not 12.3...apologies

Please outline what you think is the security impact of not having a zone assigned?

"Interfaces not explicitly configured as int, ext or dmz will be considered external."

The secure default behaves as if the ext zone was assigned, applying all default rules. You can verify this by looking at the configured iptables rules in such a system.

Sure I can see now that the absence of a zone has no impact on the previous default since 9.0 of assigning the default interface to the external zone. It is difficult sometimes to test the efficacy of the firewall for example an NFS client can be configured via the interface whether or not the 'open firewall' is ticked or not. Thanks

Closing.. no zone implies external interface.

Thanks for your concern. Posts 2 and 9 of https://forums.opensuse.org/showthread.php/518486-In-Yast-no-zone-assigned-to-interface-in-firewall-which-firewall-rules-apply show that some users wrongly assume that the "No zone" is always closed, allowing only outgoing connections. If this zone is then used for the public network and the external zone for a more secure but still not fully trusted network, this opens up security issues. However, I don't think this is a big enough issue to change the software. Therefore, I submitted a documentation request as bug #989145.
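The rule quoted in this thread (an interface listed in no zone is treated as external) can be checked against a configuration file. The script below is an added example, not part of the bug report or of SuSEfirewall2; it assumes the zone lists live in the `FW_DEV_EXT`, `FW_DEV_INT` and `FW_DEV_DMZ` sysconfig variables, and the sample configuration and interface names are constructed.

```shell
#!/bin/sh
# Added example: report which zone applies to each interface, including the
# implicit "external" fallback for interfaces assigned to no zone.

# Constructed sample: a default-style config where eth0 is in no zone.
sample_config() {
    cat <<'EOF'
FW_DEV_EXT=""
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
EOF
}

# Print the value of one variable from a sysconfig-style file.
# The file is parsed, not sourced, so nothing in it gets executed.
zone_members() {
    # $1 = config file, $2 = variable name
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#]*\).*/\1/p" "$1" | tail -n 1
}

# Print the zone that applies to an interface.
effective_zone() {
    # $1 = config file, $2 = interface name
    for zone in EXT INT DMZ; do
        for dev in $(zone_members "$1" "FW_DEV_$zone"); do
            if [ "$dev" = "$2" ]; then
                echo "$zone" | tr 'A-Z' 'a-z'
                return 0
            fi
        done
    done
    # Listed in no zone: treated as external, per the rule quoted above.
    echo "ext (implicit)"
}

# Print one "interface<TAB>zone" line per interface name given.
audit_interfaces() {
    # $1 = config file, remaining arguments = interface names
    audit_cfg=$1; shift
    for ifc in "$@"; do
        printf '%s\t%s\n' "$ifc" "$(effective_zone "$audit_cfg" "$ifc")"
    done
}

demo_cfg=$(mktemp)
sample_config > "$demo_cfg"
audit_interfaces "$demo_cfg" eth0 eth1 wlan0
rm -f "$demo_cfg"
```

On an installed system the same functions can be pointed at `/etc/sysconfig/SuSEfirewall2` with the names found under `/sys/class/net`; the loaded iptables rules remain the authoritative check.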