SuSEfirewall2-3.6.312.333-10.1<>,aZy0/=„ (`cy?*%4wZ:f4OU1+k@ɓY o+yR.0/Ciu d9ThB^p4 OA+:5p VwfR#e MG`55!pC.e m^UoP ZBN?Nd ! Ux|  a 6E(<( ( ( |( ( ($(((| (C8L191:!1=D>D ?D@DFD"GD4(HD(IEt(XEYE\E(]Fh(^HbJcKNdKeKfKlKuL(vL wM(xN0(yNzNCSuSEfirewall23.6.312.33310.1Stateful Packet Filter Using iptables and netfilterSuSEfirewall2 implements a packet filter that protects hosts and routers by limiting which services or networks are accessible on the host or via the router. SuSEfirewall2 uses the iptables/netfilter packet filtering infrastructure to create a flexible rule set for a stateful firewall.Zy0lamb05openSUSE Leap 42.3openSUSEGPL-2.0http://bugs.opensuse.orgProductivity/Networking/Securityhttp://en.opensuse.org/SuSEfirewall2linuxnoarch test -n "$FIRST_ARG" || FIRST_ARG="$1" # disable migration if initial install under systemd [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$FIRST_ARG" -eq 1 ]; then for service in SuSEfirewall2.service ; do sysv_service="${service%.*}" touch "/var/lib/systemd/migrated/$sysv_service" || : done else for service in SuSEfirewall2.service ; do # The tag file might have been left by a preceding # update (see bsc#1059627) rm -f "/run/rpm-SuSEfirewall2-update-$service-new-in-upgrade" if [ ! -e "/usr/lib/systemd/system/$service" ]; then touch "/run/rpm-SuSEfirewall2-update-$service-new-in-upgrade" fi done for service in SuSEfirewall2.service ; do sysv_service="${service%.*}" if [ -e /var/lib/systemd/migrated/$sysv_service ]; then continue fi if [ ! -x /usr/sbin/systemd-sysv-convert ]; then continue fi /usr/sbin/systemd-sysv-convert --save $sysv_service || : done fi # Upgrade case means more than 1 package in system, so probably 2 # if we still have the LSB init script, save its state, remove _setup # and store it in the database. if [ $FIRST_ARG -gt 1 ]; then if test -e /etc/init.d/SuSEfirewall2_setup ; then if test ! -e /var/lib/systemd/migrated/SuSEfirewall2 ; then /usr/sbin/systemd-sysv-convert --save SuSEfirewall2_setup sed -i -e 's/SuSEfirewall2_setup/SuSEfirewall2/' /var/lib/systemd/sysv-convert/database fi fi fi test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$YAST_IS_RUNNING" != "instsys" -a -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi if [ "$FIRST_ARG" -eq 1 ]; then if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl preset SuSEfirewall2.service || : fi elif [ "$FIRST_ARG" -gt 1 ]; then for service in SuSEfirewall2.service ; do if [ ! -e "/run/rpm-SuSEfirewall2-update-$service-new-in-upgrade" ]; then continue fi rm -f "/run/rpm-SuSEfirewall2-update-$service-new-in-upgrade" if [ ! -x /usr/bin/systemctl ]; then continue fi /usr/bin/systemctl preset "$service" || : done for service in SuSEfirewall2.service ; do sysv_service=${service%.*} if [ -e /var/lib/systemd/migrated/$sysv_service ]; then continue fi if [ ! -x /usr/sbin/systemd-sysv-convert ]; then continue fi /usr/sbin/systemd-sysv-convert --apply $sysv_service || : touch /var/lib/systemd/migrated/$sysv_service || : done fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then # Package removal, not upgrade /usr/bin/systemctl --no-reload disable SuSEfirewall2.service || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services test "$DISABLE_STOP_ON_REMOVAL" = yes -o \ "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0 /usr/bin/systemctl stop SuSEfirewall2.service ) || : fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -ge 1 ]; then # Package upgrade, not uninstall if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_RESTART_ON_UPDATE" && . /etc/sysconfig/services test "$DISABLE_RESTART_ON_UPDATE" = yes -o \ "$DISABLE_RESTART_ON_UPDATE" = 1 && exit 0 /usr/bin/systemctl try-restart SuSEfirewall2.service ) || : fi else # package uninstall for service in SuSEfirewall2.service ; do sysv_service="${service%.*}" rm -f "/var/lib/systemd/migrated/$sysv_service" || : done if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi fiD z } }  Rhx}%9d+WFHJ"LDsD큤AA큤A큤AAAA큤Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/e10c1cb8c71adce4a83e02bfd27a805cdfcb2bb0a56eda4a0b7e42d7af5d3411575ff56f8a32dd52eb02c65d20f661c8656d7e936bed1c59d08a3f4ee1ad5389f353f7e44c27646d4c1406062b913de890ff08c3d90714cfeebfa963f63207834c446cca055a887bb7dad94709bdd4374d1e94afaf7ccec2e74b2238f52f4913fd5a96c01ec7cd3b1935fa68740f738c662115509dc33f3cd50a48f189c7d5744fda5f5defa91d572d684a256aab360d291aa9c7285450a08018cdc774163a79c4f21b1805b1ec871def9926bbb85e614ab380dd04b00d9af2969929561dc44a0a7c47c19db8b80b4578ad356089fbf2e348e1d0bd201114135980632f606d60014760eb37a713e766eb0bcc1b43acc71be728a2cc5576e27d334b6d8d0759ea2bc1489f8bba55e685b3bbbba051547894d55d512a9ba36caa9b7df079bae19f2bf0b97dce696409ccc729756627232c5ddf00dc59128c0eca6354cd2577dac5e10c1cb8c71adce4a83e02bfd27a805c503e1156ecac973ac91581f67c60b4011576b823084278b54b2ca0aa54656dc0e10c1cb8c71adce4a83e02bfd27a805c../scripts/SuSEfirewall2SuSEfirewall2SuSEfirewall2/usr/sbin/SuSEfirewall2/usr/sbin/rcSuSEfirewall2SuSEfirewall2servicerootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootSuSEfirewall2-3.6.312.333-10.1.src.rpmSuSEfirewall2config(SuSEfirewall2)@       /bin/bash/bin/sed/bin/sh/bin/sh/bin/sh/bin/shconfig(SuSEfirewall2)coreutilsfilesystemfileutilsgrepiptablesperlperl-Net-DNSrpmlib(CompressedFileNames)rpmlib(PayloadFilesHavePrefix)sysconfigsystemdsystemdsystemdsystemdtextutilsrpmlib(PayloadIsLzma)3.6.312.333-10.13.0.4-14.0-14.4.6-14.11.2ZOYY{'@Yw2YlY X:@Xh@S@S/SDS~@RkRQ@QQPP@PqPO'P OiO@O@Oĺ@O@NN@N0N$@N@NtNg\MGM6@M*L@Lr@Li(@L)@LKg@KzJJ@J`gJUJ.Nmatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commeissner@suse.commeissner@suse.commt@suse.commeissner@suse.commeissner@suse.comlnussel@suse.decfarrell@suse.commeissner@suse.comlnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.dejengelh@medozas.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.de- remove duplicate rules created in the context of dynamic rpc rules (bnc#1069760). 0004-support-trace-messages.patch 0005-remove-duplicate-rules-in-the-rpc-rules.patch - fixed an issue in the logging logic to show the correct PID and avoid losing log lines: 0006-logging-correctly-set-the-PID-of-the-logging-process.patch - Set RPC related rules also for IPv6 (bnc#1074933) 0007-Set-RPC-related-rules-also-for-IPv6-bnc-1074933.patch - Fixed a regression in setting up the final LOG/DROP/REJECT rules for IPv6 (bnc#1075251) 0008-Fixed-a-regression-in-setting-up-the-final-LOG-DROP.patch- rpcinfo: fixed security issue with too open implicit portmapper rules (bnc#1064127, CVE-2017-15638): A source net restriction for _rpc_ services was not taken into account for the implicitly added rules for port 111, making the portmap service accessible to everyone in the affected zone. 0003-rpcinfo-improve-implicit-portmapper-rules-logic.patch- follow-up bugfix for bnc#946325: Removed bogus nfs alias units, added correct nfs-client target in SuSEfirewall2.service. The nfs alias units are false friends, because they don't fix the startup ordering between nfs and SuSEfirewall2. The missing nfs-client target could cause nfs mounts for nfs versions < 4.1 to be unable to receive callbacks from the server, when the nfs client was started before the SuSEfirewall2 was started on boot. renamed 0002-fix-nfs-server-dependency.patch to 0002-fix-nfs-dependencies.patch to fix both client and server issues- correct boot order between SuSEfirewall2 and nfs-server to fix bnc#946325, bsc#963740. Without this fix the NFS server ports might not have been correctly opened after boot when both SuSEfirewall2 and nfs-server have been enabled in systemd. 0002-fix-nfs-server-dependency.patch- improve/fix consideration of sysctl values in the system (bnc#1044523). SuSEfirewall2 will now also check for existing configuration in sysctl.d style directories in some default locations. Custom directories can be configured via the new configuration variable FW_SYSCTL_PATHS. This is a follow-up to (bnc#906136). 0001-backport-of-sysctl.d-feature-from-master-bnc-1044523.patchMerged some lines from the factory spec file, to actually implement: - Install symlink to SuSEfirewall2 with the updated SUSE spelling (bsc#938727, FATE#316521)Update to new version 3.6.312.333 from SLE12-SP3 branch: - implementation of feature FATE#316295: allow incremental update of rpc rulesUpdate to new version 3.6.312.330 from SLE12-SP3 branch: - Install symlink to SuSEfirewall2 with the updated SUSE spelling (bsc#938727, FATE#316521) - basic.target and SuSEfirewall2 have a loop, remove it bsc#961258 - ignore the bootlock when incremental updates for hotplugged or virtual devices are coming in during boot. This prevents lockups for example when drbd is used with FW_BOOT_FULL_INIT. (bnc#785299) - support for IPv6 in FW_TRUSTED_NETS config variable. (bnc#841046) - don't log dropped broadcast IPv6 broadcast/multicast packets by default to avoid cluttering the kernel log. (bnc#847193) - only apply FW_KERNEL_SECURITY proc settings, if not overriden by the administrator in /etc/sysctl.conf (bnc#906136). This allows you to benefit from some of the kernel security settings, while overwriting others. - fixed a race condition in systemd unit files that could cause the SuSEfirewall2_init unit to sporadically fail, because /tmp was not there/writable yet. (bnc#1014987) - cooperate with libvirtd NAT guest networking (bsc#884398) - refurbished the documentation in /usr/share/doc. (bnc#884037) - allow mdns multicast packets input in unconfigured firewall setups (no zones configured) to make zeroconf setups (like avahi) work out of the box for typical desktops connecting via DSL/WiFi router scenarios. (bnc#959707) - increase security when sourcing external script files by checking file ownership and permissions first (to avoid sourcing untrusted files owned by non-root or world-writable) - don't enable FW_LO_NOTRACK by default any more, because it breaks expected behaviour in some scenarios (bnc#916771) - fixed 'SuSEfirewall showlog' functionality to be compatible with journalctl- hosting moved to github.com/opensuse/susefirewall2 - added a sysvinit -> systemd conversion hack (bnc#891669)- SuSEfirewall2, ACCEPT from services is a local variable, otherwise "ACCEPT" would be used a service name (bnc#889406 bnc#889555 bnc#887040)- Added ACCEPT to TEMPLATE using FW_SERVICES_ACCEPT- Allow incoming DHCPv6 replies, currently unlimited. bnc#867819,bnc#868031,bnc#783002,bnc#822959 - typo fix customary -> custom bnc#835677- add perl-Net-DNS requires for "SuSEfirewall2 log" (bnc#856705)- adjust service files so manual starts work better (bnc#819499)- license update: GPL-2.0 Various GPL-2.0 (only) licensed files- clarify what the default is in FW_MASQ_NETS (bnc#817233) - removed the --rttl option in recent matches, as this could also be used by attackers (bnc#800719)- do not add dependency information about YaST2 Second Stage (bnc#800365)- fix defaultl value docu for FW_PROTECT_FROM_INT (bnc#798834)- move to /usr, remove init scripts- adjust for starting via systemd service files - move lock files to /run - just CT instead of NOTRACK (bnc#793459)- getdevinfo is gone as per commit 0c5ac93 (bnc#777271)- honor FW_IPv6 setting also in debug mode (bnc#769411)- fix logging in test mode- allow icmpv6 in FW_SERVICES_*_*- allow ICMPv6 Multicast Listener Query (bnc#767392)- fix typo spotted by Frederic- assume all interface names are correct (bnc#739084)- fix forward masquerading (bnc#736205) - compat syntax for negated options no longer works (bnc#660156, bnc#731088) - enhance debug mode- use /sbin/rpcinfo as /usr/sbin/rpcinfo is gone (bnc#727438)- set SYSTEMD_NO_WRAP for status (bnc#727445)- fix manual rcSuSEfirewall2 stop with sytemd (bnc#717583)- fix typo (bnc#721845) - atomic zone status writing- Remove redundant tags/sections from specfile- sanitize FW_ZONE_DEFAULT (bnc#716013) - add warning about iptables-batch to SuSEfirewall2-custom - fix warning about /proc/net/ip_tables_names not readable - don't install input rules for interfaces in default zone - Add hook fw_custom_after_finished - update FAQ (bnc#694464) - clean up overrides when stopping the firewall (bnc#630961) - change default FW_LOG_ACCEPT_CRIT to "no" - allow redir without port specification - make FW_SERVICES_{REJECT,DROP}_* take precedende before ACCEPT (bnc#671997) - fix zonein and zoneout parameters - fix reverse direction of forwarding rules (bnc#679192)- introduce rpcusers file to allow statd to run as non-root (bnc#668553)- add zonein and zoneout parameters for FW_FORWARD - fix typos- don't start in runlevel 4 by default (bnc#656520) - cut off long zone names (bnc#644527) - fix and enhance output of log command (bnc#663262)- don't unload rules when using systemd- list some known rpc services as Should-Start - don't filter outgoing packets at all - fix an example (bnc#641907) - fix status check in SuSEfirewall2_init (bnc#628751)- don't use fillup anymore as it keeps corrupting the config file (bnc#340926)- remove "batch committing..." message - read defaults from separate file - warn if highports config options are set - finally drop 'highports' misfeature - remove kernel ipv6 module detection (bnc#617033) - silence warning about default zone (bnc#616841) - SuSEfirewall2-open: don't add values multiple times - Use multiprotocol xt_conntrack- only directories in /sys/class/net are real interfaces (bnc#609810)- add entry about drbd to FAQ - update docu - implement FW_BOOT_FULL_INIT- use new versioning scheme after switch of repo to git - update and rebuild docu - remove really old rc.config conversion code from spec file- fix spelling error in sysconfig file (bnc#537427) - polishing of log drop policy (bnc#538053) * drop multicast packets silently * separate drop rule for broadcast packets at end of chain * only consider NEW udp packets as critical * don't log INVALID packets as critical- implement runtime override of interface zones - allow disabling NOTRACK rules on lo (bnc#519526)- remove chkconfig calls (bnc#522268)- add note about use as bridging firewall - allow to set FW_ZONE_DEFAULT via config file - deprecate fw_custom_before_antispoofing and fw_custom_after_antispoofing, use fw_custom_after_chain_creation instead- add note that ulog doesn't work with IPv6 (bnc#442756) - fix version number in help text - allow service files to specify kernel modules and allow related packets - silence an error from bash if a service config file is not available (bnc#487870) - better wording for BROADCAST in template - update firewall hook script (patch by Marius)/bin/sh/bin/sh/bin/sh/bin/shlamb05 1517922096  !"#$%&'(3.6.312.333-10.13.6.312.333-10.1  SuSEfirewall2TEMPLATESuSEfirewall2SuSEfirewall2firewallSuSEfirewall2-batchSuSEfirewall2-customSuSEfirewall2-oldbroadcastSuSEfirewall2-openSuSEfirewall2-qdiscSuSEfirewall2-rpcinfoSuSEfirewall2-showlogSUSEfirewall2SuSEfirewall2rcSuSEfirewall2SuSEfirewall2.serviceSuSEfirewall2_init.serviceSUSEfirewall2SuSEfirewall2rcSuSEfirewall2SuSEfirewall2defaults50-default.cfgrpcusersSuSEfirewall2EXAMPLESEXAMPLES.htmlFAQFAQ.htmlLICENCEREADMEREADME.htmlSuSEfirewall2.sysconfigsusebooks.csssusehelpmetaManualsProductivitySuSEfirewall2.desktopsysconfig.SuSEfirewall2/etc/sysconfig//etc/sysconfig/SuSEfirewall2.d/services//etc/sysconfig/network/if-up.d//etc/sysconfig/network/scripts//etc/sysconfig/scripts//sbin//usr/lib/systemd/system//usr/sbin//usr/share//usr/share/SuSEfirewall2//usr/share/SuSEfirewall2/defaults//usr/share/doc/packages//usr/share/doc/packages/SuSEfirewall2//usr/share/susehelp//usr/share/susehelp/meta//usr/share/susehelp/meta/Manuals//usr/share/susehelp/meta/Manuals/Productivity//var/adm/fillup-templates/-fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:7765/openSUSE_Leap_42.3_Update/ef2efeef6c67c30db43ab8a986f77403-SuSEfirewall2.openSUSE_Leap_42.3_Updatedrpmlzma5noarch-suse-linuxASCII textBourne-Again shell script, ASCII text executablePOSIX shell script, ASCII text executablea /usr/bin/perl -w script, ASCII text executablePerl script, ASCII text executabledirectoryUTF-8 Unicode textXML document textRR1{*,C9vV?]"k%.oK~'A&߾U56zyp )8{W\ÑzhPJ"u"rD7{ftй+ekx*5PlwKE?es(dYLc j:jJLsKw=) (j@^;s7{:;Y=4Q"m`ET êXq~ji3Oכ^m֪8H, 9*8g_ʐ,ڿeI4; \pH<K؂j O~+8k!# e1PG;y5kr201V͗صi;O*I$3KXGp_qX[z4-P@0ؑDCCK[}ʱT6UR]ʜLvc2vl P̮Hk/Q ϘqN Br&qș@N]e\]FaP]eR-d:Fb}D.ݩ^/e:) 7c}E5;6[%@+VO͞k~13 kr| frM?ٱo1u•CX36D=n]!@Zm=͔3΋hޯ$䴚$_lҳ@pAϰ/cVhU.pBO./ @FV{g$dGˎK b4R`!8'@:|I"= *,Gh:*@Oo(l`j8#ù bڇZxS>1naz>d P,{LULb 3Y*)@+*yK^,:$Rw u #|j_**pZ!}cr]L5d^2hJ HJ-v#ce<D́; `H$SYzIv? +\ O 4;RgSJvv WO!я!w&q8|TmfSQfq"t9a~: x܊@>q)PSQsS!4,hw2pP!"5aŁ1ylcl3"KH{čMR mea(k+ bhEgZ(T&yQ7:y=A\&6i:by!{ob4T26"aA I,ܵ?FPU OV4Yc]bΩQ)wSJMoF7{̲e>M܅zN[ϥ Fv#;6>-- 5^u4e8 h}Jb0I:{M-d*7NMya>?9E(;6l51YC.+n# < nuryT}DMΫ)NYnwe~x2@x{~YEd^kT 7FNGT(!_qz _xKbHݝZ jB[W=i@ s@}M?7{_vғܸ_S(/t| _0o55lW fW3kOٳVu){޳x(^ab =oK$i[c q *p7Rki *n× F Fۓ78X0upoYk DiE${klc4 N+cc\,C%΄֬GњG4є$jp-@H309Q=@?:fuHEɑXu\<燗_?ԅ[;;*M+Y`79%u(K XruW/ו6$DRCD QJқ4)h|wrHrp䥕elZh=D}74,A=lsa\71A\ P6jRS8gr<)e]p!&=$D&b?uvEYf@n{*9W9Z U'9PX#dq/cc8=o}45SRx$p4^ͳD]u~LF'3ximG1~vKnVo7JԊofX iȡ"۞b*F-#22SSwReѴu0|[ .\?l`b\AU@d`0@O~,@L>7\݉Co-Ֆu/dY?@d{oQyx HMDw,_