SuSEfirewall2-3.6.312.333-10.1<>,e6Zy0/=„[+LErdn" 輤 t}r t'`+,~i]P~mQm: nLۃ#WFWw ,eHq@Ơ(> zo;ɁTPPד6" klBN?Nd ! Ux|  a 6E(<( ( ( |( ( ($(((| (C8L191:!1=D>D ?D@DFD"GD4(HD(IEt(XEYE\E(]Fh(^HbJcKNdKeKfKlKuL(vL wM(xN0(yNzNCSuSEfirewall23.6.312.33310.1Stateful Packet Filter Using iptables and netfilterSuSEfirewall2 implements a packet filter that protects hosts and routers by limiting which services or networks are accessible on the host or via the router. SuSEfirewall2 uses the iptables/netfilter packet filtering infrastructure to create a flexible rule set for a stateful firewall.Zy0lamb05openSUSE Leap 42.3openSUSEGPL-2.0http://bugs.opensuse.orgProductivity/Networking/Securityhttp://en.opensuse.org/SuSEfirewall2linuxnoarch test -n "$FIRST_ARG" || FIRST_ARG="$1" # disable migration if initial install under systemd [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$FIRST_ARG" -eq 1 ]; then for service in SuSEfirewall2.service ; do sysv_service="${service%.*}" touch "/var/lib/systemd/migrated/$sysv_service" || : done else for service in SuSEfirewall2.service ; do # The tag file might have been left by a preceding # update (see bsc#1059627) rm -f "/run/rpm-SuSEfirewall2-update-$service-new-in-upgrade" if [ ! -e "/usr/lib/systemd/system/$service" ]; then touch "/run/rpm-SuSEfirewall2-update-$service-new-in-upgrade" fi done for service in SuSEfirewall2.service ; do sysv_service="${service%.*}" if [ -e /var/lib/systemd/migrated/$sysv_service ]; then continue fi if [ ! -x /usr/sbin/systemd-sysv-convert ]; then continue fi /usr/sbin/systemd-sysv-convert --save $sysv_service || : done fi # Upgrade case means more than 1 package in system, so probably 2 # if we still have the LSB init script, save its state, remove _setup # and store it in the database. if [ $FIRST_ARG -gt 1 ]; then if test -e /etc/init.d/SuSEfirewall2_setup ; then if test ! -e /var/lib/systemd/migrated/SuSEfirewall2 ; then /usr/sbin/systemd-sysv-convert --save SuSEfirewall2_setup sed -i -e 's/SuSEfirewall2_setup/SuSEfirewall2/' /var/lib/systemd/sysv-convert/database fi fi fi test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$YAST_IS_RUNNING" != "instsys" -a -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi if [ "$FIRST_ARG" -eq 1 ]; then if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl preset SuSEfirewall2.service || : fi elif [ "$FIRST_ARG" -gt 1 ]; then for service in SuSEfirewall2.service ; do if [ ! -e "/run/rpm-SuSEfirewall2-update-$service-new-in-upgrade" ]; then continue fi rm -f "/run/rpm-SuSEfirewall2-update-$service-new-in-upgrade" if [ ! -x /usr/bin/systemctl ]; then continue fi /usr/bin/systemctl preset "$service" || : done for service in SuSEfirewall2.service ; do sysv_service=${service%.*} if [ -e /var/lib/systemd/migrated/$sysv_service ]; then continue fi if [ ! -x /usr/sbin/systemd-sysv-convert ]; then continue fi /usr/sbin/systemd-sysv-convert --apply $sysv_service || : touch /var/lib/systemd/migrated/$sysv_service || : done fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then # Package removal, not upgrade /usr/bin/systemctl --no-reload disable SuSEfirewall2.service || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services test "$DISABLE_STOP_ON_REMOVAL" = yes -o \ "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0 /usr/bin/systemctl stop SuSEfirewall2.service ) || : fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -ge 1 ]; then # Package upgrade, not uninstall if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_RESTART_ON_UPDATE" && . /etc/sysconfig/services test "$DISABLE_RESTART_ON_UPDATE" = yes -o \ "$DISABLE_RESTART_ON_UPDATE" = 1 && exit 0 /usr/bin/systemctl try-restart SuSEfirewall2.service ) || : fi else # package uninstall for service in SuSEfirewall2.service ; do sysv_service="${service%.*}" rm -f "/var/lib/systemd/migrated/$sysv_service" || : done if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi fiD z } }  Rhx}%9d+WFHJ"LDsD큤AA큤A큤AAAA큤Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/Zy/e10c1cb8c71adce4a83e02bfd27a805cdfcb2bb0a56eda4a0b7e42d7af5d3411575ff56f8a32dd52eb02c65d20f661c8656d7e936bed1c59d08a3f4ee1ad5389f353f7e44c27646d4c1406062b913de890ff08c3d90714cfeebfa963f63207834c446cca055a887bb7dad94709bdd4374d1e94afaf7ccec2e74b2238f52f4913fd5a96c01ec7cd3b1935fa68740f738c662115509dc33f3cd50a48f189c7d5744fda5f5defa91d572d684a256aab360d291aa9c7285450a08018cdc774163a79c4f21b1805b1ec871def9926bbb85e614ab380dd04b00d9af2969929561dc44a0a7c47c19db8b80b4578ad356089fbf2e348e1d0bd201114135980632f606d60014760eb37a713e766eb0bcc1b43acc71be728a2cc5576e27d334b6d8d0759ea2bc1489f8bba55e685b3bbbba051547894d55d512a9ba36caa9b7df079bae19f2bf0b97dce696409ccc729756627232c5ddf00dc59128c0eca6354cd2577dac5e10c1cb8c71adce4a83e02bfd27a805c503e1156ecac973ac91581f67c60b4011576b823084278b54b2ca0aa54656dc0e10c1cb8c71adce4a83e02bfd27a805c../scripts/SuSEfirewall2SuSEfirewall2SuSEfirewall2/usr/sbin/SuSEfirewall2/usr/sbin/rcSuSEfirewall2SuSEfirewall2servicerootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootSuSEfirewall2-3.6.312.333-10.1.src.rpmSuSEfirewall2config(SuSEfirewall2)@       /bin/bash/bin/sed/bin/sh/bin/sh/bin/sh/bin/shconfig(SuSEfirewall2)coreutilsfilesystemfileutilsgrepiptablesperlperl-Net-DNSrpmlib(CompressedFileNames)rpmlib(PayloadFilesHavePrefix)sysconfigsystemdsystemdsystemdsystemdtextutilsrpmlib(PayloadIsLzma)3.6.312.333-10.13.0.4-14.0-14.4.6-14.11.2ZOYY{'@Yw2YlY X:@Xh@S@S/SDS~@RkRQ@QQPP@PqPO'P OiO@O@Oĺ@O@NN@N0N$@N@NtNg\MGM6@M*L@Lr@Li(@L)@LKg@KzJJ@J`gJUJ.Nmatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commeissner@suse.commeissner@suse.commt@suse.commeissner@suse.commeissner@suse.comlnussel@suse.decfarrell@suse.commeissner@suse.comlnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.dejengelh@medozas.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.delnussel@suse.de- remove duplicate rules created in the context of dynamic rpc rules (bnc#1069760). 0004-support-trace-messages.patch 0005-remove-duplicate-rules-in-the-rpc-rules.patch - fixed an issue in the logging logic to show the correct PID and avoid losing log lines: 0006-logging-correctly-set-the-PID-of-the-logging-process.patch - Set RPC related rules also for IPv6 (bnc#1074933) 0007-Set-RPC-related-rules-also-for-IPv6-bnc-1074933.patch - Fixed a regression in setting up the final LOG/DROP/REJECT rules for IPv6 (bnc#1075251) 0008-Fixed-a-regression-in-setting-up-the-final-LOG-DROP.patch- rpcinfo: fixed security issue with too open implicit portmapper rules (bnc#1064127, CVE-2017-15638): A source net restriction for _rpc_ services was not taken into account for the implicitly added rules for port 111, making the portmap service accessible to everyone in the affected zone. 0003-rpcinfo-improve-implicit-portmapper-rules-logic.patch- follow-up bugfix for bnc#946325: Removed bogus nfs alias units, added correct nfs-client target in SuSEfirewall2.service. The nfs alias units are false friends, because they don't fix the startup ordering between nfs and SuSEfirewall2. The missing nfs-client target could cause nfs mounts for nfs versions < 4.1 to be unable to receive callbacks from the server, when the nfs client was started before the SuSEfirewall2 was started on boot. renamed 0002-fix-nfs-server-dependency.patch to 0002-fix-nfs-dependencies.patch to fix both client and server issues- correct boot order between SuSEfirewall2 and nfs-server to fix bnc#946325, bsc#963740. Without this fix the NFS server ports might not have been correctly opened after boot when both SuSEfirewall2 and nfs-server have been enabled in systemd. 0002-fix-nfs-server-dependency.patch- improve/fix consideration of sysctl values in the system (bnc#1044523). SuSEfirewall2 will now also check for existing configuration in sysctl.d style directories in some default locations. Custom directories can be configured via the new configuration variable FW_SYSCTL_PATHS. This is a follow-up to (bnc#906136). 0001-backport-of-sysctl.d-feature-from-master-bnc-1044523.patchMerged some lines from the factory spec file, to actually implement: - Install symlink to SuSEfirewall2 with the updated SUSE spelling (bsc#938727, FATE#316521)Update to new version 3.6.312.333 from SLE12-SP3 branch: - implementation of feature FATE#316295: allow incremental update of rpc rulesUpdate to new version 3.6.312.330 from SLE12-SP3 branch: - Install symlink to SuSEfirewall2 with the updated SUSE spelling (bsc#938727, FATE#316521) - basic.target and SuSEfirewall2 have a loop, remove it bsc#961258 - ignore the bootlock when incremental updates for hotplugged or virtual devices are coming in during boot. This prevents lockups for example when drbd is used with FW_BOOT_FULL_INIT. (bnc#785299) - support for IPv6 in FW_TRUSTED_NETS config variable. (bnc#841046) - don't log dropped broadcast IPv6 broadcast/multicast packets by default to avoid cluttering the kernel log. (bnc#847193) - only apply FW_KERNEL_SECURITY proc settings, if not overriden by the administrator in /etc/sysctl.conf (bnc#906136). This allows you to benefit from some of the kernel security settings, while overwriting others. - fixed a race condition in systemd unit files that could cause the SuSEfirewall2_init unit to sporadically fail, because /tmp was not there/writable yet. (bnc#1014987) - cooperate with libvirtd NAT guest networking (bsc#884398) - refurbished the documentation in /usr/share/doc. (bnc#884037) - allow mdns multicast packets input in unconfigured firewall setups (no zones configured) to make zeroconf setups (like avahi) work out of the box for typical desktops connecting via DSL/WiFi router scenarios. (bnc#959707) - increase security when sourcing external script files by checking file ownership and permissions first (to avoid sourcing untrusted files owned by non-root or world-writable) - don't enable FW_LO_NOTRACK by default any more, because it breaks expected behaviour in some scenarios (bnc#916771) - fixed 'SuSEfirewall showlog' functionality to be compatible with journalctl- hosting moved to github.com/opensuse/susefirewall2 - added a sysvinit -> systemd conversion hack (bnc#891669)- SuSEfirewall2, ACCEPT from services is a local variable, otherwise "ACCEPT" would be used a service name (bnc#889406 bnc#889555 bnc#887040)- Added ACCEPT to TEMPLATE using FW_SERVICES_ACCEPT- Allow incoming DHCPv6 replies, currently unlimited. bnc#867819,bnc#868031,bnc#783002,bnc#822959 - typo fix customary -> custom bnc#835677- add perl-Net-DNS requires for "SuSEfirewall2 log" (bnc#856705)- adjust service files so manual starts work better (bnc#819499)- license update: GPL-2.0 Various GPL-2.0 (only) licensed files- clarify what the default is in FW_MASQ_NETS (bnc#817233) - removed the --rttl option in recent matches, as this could also be used by attackers (bnc#800719)- do not add dependency information about YaST2 Second Stage (bnc#800365)- fix defaultl value docu for FW_PROTECT_FROM_INT (bnc#798834)- move to /usr, remove init scripts- adjust for starting via systemd service files - move lock files to /run - just CT instead of NOTRACK (bnc#793459)- getdevinfo is gone as per commit 0c5ac93 (bnc#777271)- honor FW_IPv6 setting also in debug mode (bnc#769411)- fix logging in test mode- allow icmpv6 in FW_SERVICES_*_*- allow ICMPv6 Multicast Listener Query (bnc#767392)- fix typo spotted by Frederic- assume all interface names are correct (bnc#739084)- fix forward masquerading (bnc#736205) - compat syntax for negated options no longer works (bnc#660156, bnc#731088) - enhance debug mode- use /sbin/rpcinfo as /usr/sbin/rpcinfo is gone (bnc#727438)- set SYSTEMD_NO_WRAP for status (bnc#727445)- fix manual rcSuSEfirewall2 stop with sytemd (bnc#717583)- fix typo (bnc#721845) - atomic zone status writing- Remove redundant tags/sections from specfile- sanitize FW_ZONE_DEFAULT (bnc#716013) - add warning about iptables-batch to SuSEfirewall2-custom - fix warning about /proc/net/ip_tables_names not readable - don't install input rules for interfaces in default zone - Add hook fw_custom_after_finished - update FAQ (bnc#694464) - clean up overrides when stopping the firewall (bnc#630961) - change default FW_LOG_ACCEPT_CRIT to "no" - allow redir without port specification - make FW_SERVICES_{REJECT,DROP}_* take precedende before ACCEPT (bnc#671997) - fix zonein and zoneout parameters - fix reverse direction of forwarding rules (bnc#679192)- introduce rpcusers file to allow statd to run as non-root (bnc#668553)- add zonein and zoneout parameters for FW_FORWARD - fix typos- don't start in runlevel 4 by default (bnc#656520) - cut off long zone names (bnc#644527) - fix and enhance output of log command (bnc#663262)- don't unload rules when using systemd- list some known rpc services as Should-Start - don't filter outgoing packets at all - fix an example (bnc#641907) - fix status check in SuSEfirewall2_init (bnc#628751)- don't use fillup anymore as it keeps corrupting the config file (bnc#340926)- remove "batch committing..." message - read defaults from separate file - warn if highports config options are set - finally drop 'highports' misfeature - remove kernel ipv6 module detection (bnc#617033) - silence warning about default zone (bnc#616841) - SuSEfirewall2-open: don't add values multiple times - Use multiprotocol xt_conntrack- only directories in /sys/class/net are real interfaces (bnc#609810)- add entry about drbd to FAQ - update docu - implement FW_BOOT_FULL_INIT- use new versioning scheme after switch of repo to git - update and rebuild docu - remove really old rc.config conversion code from spec file- fix spelling error in sysconfig file (bnc#537427) - polishing of log drop policy (bnc#538053) * drop multicast packets silently * separate drop rule for broadcast packets at end of chain * only consider NEW udp packets as critical * don't log INVALID packets as critical- implement runtime override of interface zones - allow disabling NOTRACK rules on lo (bnc#519526)- remove chkconfig calls (bnc#522268)- add note about use as bridging firewall - allow to set FW_ZONE_DEFAULT via config file - deprecate fw_custom_before_antispoofing and fw_custom_after_antispoofing, use fw_custom_after_chain_creation instead- add note that ulog doesn't work with IPv6 (bnc#442756) - fix version number in help text - allow service files to specify kernel modules and allow related packets - silence an error from bash if a service config file is not available (bnc#487870) - better wording for BROADCAST in template - update firewall hook script (patch by Marius)/bin/sh/bin/sh/bin/sh/bin/shlamb05 1517922096  !"#$%&'(3.6.312.333-10.13.6.312.333-10.1  SuSEfirewall2TEMPLATESuSEfirewall2SuSEfirewall2firewallSuSEfirewall2-batchSuSEfirewall2-customSuSEfirewall2-oldbroadcastSuSEfirewall2-openSuSEfirewall2-qdiscSuSEfirewall2-rpcinfoSuSEfirewall2-showlogSUSEfirewall2SuSEfirewall2rcSuSEfirewall2SuSEfirewall2.serviceSuSEfirewall2_init.serviceSUSEfirewall2SuSEfirewall2rcSuSEfirewall2SuSEfirewall2defaults50-default.cfgrpcusersSuSEfirewall2EXAMPLESEXAMPLES.htmlFAQFAQ.htmlLICENCEREADMEREADME.htmlSuSEfirewall2.sysconfigsusebooks.csssusehelpmetaManualsProductivitySuSEfirewall2.desktopsysconfig.SuSEfirewall2/etc/sysconfig//etc/sysconfig/SuSEfirewall2.d/services//etc/sysconfig/network/if-up.d//etc/sysconfig/network/scripts//etc/sysconfig/scripts//sbin//usr/lib/systemd/system//usr/sbin//usr/share//usr/share/SuSEfirewall2//usr/share/SuSEfirewall2/defaults//usr/share/doc/packages//usr/share/doc/packages/SuSEfirewall2//usr/share/susehelp//usr/share/susehelp/meta//usr/share/susehelp/meta/Manuals//usr/share/susehelp/meta/Manuals/Productivity//var/adm/fillup-templates/-fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:7765/openSUSE_Leap_42.3_Update/ef2efeef6c67c30db43ab8a986f77403-SuSEfirewall2.openSUSE_Leap_42.3_Updatedrpmlzma5noarch-suse-linuxASCII textBourne-Again shell script, ASCII text executablePOSIX shell script, ASCII text executablea /usr/bin/perl -w script, ASCII text executablePerl script, ASCII text executabledirectoryUTF-8 Unicode textXML document textRR1{*,C9vV?]"k%.oK~'A&߾'Z\Pj@1wޢG}8zك4 p/Z5%{"`QX6WST͜ťTƑ@BqS _pGL9kɭLI?ݺ'N(e5:iPVO34"Lkbr]J5/@6{els\`ט'B9Ey%߇d'ӕTFh?6'Hf)Z?^VM'DA Fc\5H{UtqPR %l=ߚcz3bd6nHa |ѿYI蟇OjN9 ׼?)?EU%/d~8u9gqM,>zVPen2)V }WxTeZuLioofhM'4|C}U Y$O=k:>7u}" V΄jsǕH:)/ {Ɔh0R1FB׫B @ n(х}td$Ű;k pF?j4?lni!HIC:o2CFpqa5qz ْ{@߅t0dT]I ]l)Kb[L+6a,x(4/l O(WwTHaۮ[M&Od($0&8p!M ]j^ _L8F^!/9o>Ӥ`r@^>krRk2Yt.l1PJxy"kdnU/:Dub}ڐsV74jHKa9š,Fc}"Z"=.A%ug} ]ws^A xai`z#5@~|df+U(s@SlH\$AuNRdЂx]%ۦ$wj^L{JMuZM3}+{7S9 Z]*+_B)Â@Ѥ2:%Ț35 %|'Z^l]SzA\5( iL|9D/D\(!2Y˫}šɦ*y/7[ 8}] @Hurixq3dE'D_JmN0KgK`7ey(xu÷|ds]9P4=8P@*Aw ^m fyLU|(2(QAvKl{ scgpwixЈѵ;}]57В-?%hNl@o$rGՑ◧r$">i <Q \,Nb֎r`%.i1|ۉ )Ԅa_}Z,UueRi.$ʚhJ m cfaO?YL[p !WU]pkFiz_0`X(|FW+ x3(8ARqN+eڅ9թރܦyQMsڡCKPQMk,1L.P+7u8"լ_)*|k}`؊.jQu@AB94 3"q"2?>2l\+T ݒGiķ+.S2/a%Tb-\N2 *.&ƙxX XOֱBcX@̽<Dd aT4-t%"8,_im`Ԃ;{YSg Zk ɯjϥz-1_#~`F(kN 8>B4 iME juT֑n9.aPt3,o,6Dɦy"nP.X=ۚ?ZG66LF3S#CQiɪmZ\3Tõ{\~qWha1tR/蹥ܶh>ܪe+`w8c;%:o:k8u^8(G;Rż]H4m8&ɵ+ :Ji1dAE^[%^n[kG[4Ic>'mMT*7 j<]1Ȍc~ӒU)`vB#r}~@H򵌙Ș:^E.S=3/ !0]g:0hW-𱓢Sa8Sxr+%ۿә KҚUvT(&gm&ɻ Ͱ(RƋKFVNKyN}1MgC59ko 5xzvW+ L6]l471$Qh ƒbb/wa(|wTpqWU8*$av}8 cڃn*B0p IG R@гl4 7J>^@CJ?P]U]PQ/.IYP9c=X;fP>*UMͬ#V 8d|OHpf\gq)nZ(T<1(+]l\$¹kTQw< \5 |vȂ5< ת W0 Ζϡg9 [cA9T[r E\~_'K`;55`&q\"٬ClHpBVyg U9ZiWjNj-Ɛ(Ps8UԖmƞ{ G6A Pտ/7}p~knzTɿyJJ "[oge?xh+!h;W#ƶ'pd͔{>!&lT*9$21Օhf- n„Ss03h,26!#c.|nҼ"p4 f5V!JD/d[؍N5Ɨ!#ݜD5:J7 _PBTkiO:gGS(_^P` 0/Y[ӲjOyĠ|Ghz5d@`Դwx,n*SaVlϮhp T5ƻǬ>83[ij& h!-i<']hf8K3|]g>O/ c,TsS5L@NGrd; Aݽ<% pughJc$wnAe.ʧO"#}tOm.ٞul/٠dŇc֩͢[ur\7@ѰpJk x7`uC jwy3ZVvb }+ 8!!