Open lemmy04 opened 5 years ago
I'm seeing the same thing. Running the susefirewall2-to-firewalld script translates

```
iptables -I INPUT -s www.xxx.yyy.zzz -j DROP
```

to

```
INFO: RICH: Adding rich rule="rule family=ipv4 source address=www.xxx.yyy.zzz/32 accept" to zone="INPUT"
```
Not a real confidence builder to know the script is going to open up our server to attacks from IP addresses we've previously blocked.
I'm running the script susefirewall2-to-firewalld on my server, and in the output I see a large block of lines like this:

```
INFO: RICH: Adding rich rule="rule family=ipv4 source address=54.144.0.0/12 accept" to zone="ext"
```

The problem here is that in /etc/sysconfig/SuSEfirewall2 all the net blocks in that list are actually in FW_SERVICES_DROP_EXT, so the rich rule should have been drop, not accept.
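An added example, not part of this issue and not code from the susefirewall2-to-firewalld script: a small audit script that reads the FW_SERVICES_DROP_EXT entries from a SuSEfirewall2 config, emits the firewalld rich rules they should become (with the `drop` action), and scans the migration script's `INFO: RICH:` output for rules whose source is on the drop list but whose action came out as `accept`. The config fragment and log lines are constructed (documentation ranges, not a real host); the assumed entry format is `net[,protocol[,dport]]` with `0/0` meaning any source, and the `normalize_net`, `drop_rich_rule` and `find_inverted_rules` helpers are this example's own names.

```python
"""Added example (not part of the issue or of the susefirewall2-to-firewalld
script): generate the firewalld rich rules that FW_SERVICES_DROP_EXT entries
should become, and audit a migration log for entries that came out as
'accept' instead of 'drop'. The config and log text below are constructed."""
import ipaddress
import re

# Constructed SuSEfirewall2 fragment. Assumed entry format:
# space-separated "net[,protocol[,dport]]", where "0/0" means any source.
# Real addresses replaced by documentation ranges.
SAMPLE_CONFIG = '''
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22"
FW_SERVICES_DROP_EXT="54.144.0.0/12 203.0.113.7 0/0,tcp,23"
'''

# Constructed migration output in the format quoted in the issue.
SAMPLE_MIGRATION_LOG = '''
INFO: RICH: Adding rich rule="rule family=ipv4 source address=54.144.0.0/12 accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=203.0.113.7/32 accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 port port=22 protocol=tcp accept" to zone="ext"
'''

LOG_RE = re.compile(r'RICH: Adding rich rule="(?P<rule>[^"]*)" to zone="(?P<zone>[^"]*)"')
ADDR_RE = re.compile(r'source address="?([0-9./]+)"?')
ACTION_RE = re.compile(r'\b(accept|drop|reject)\b')


def normalize_net(net):
    """Canonical CIDR form so 'x.x.x.x' and 'x.x.x.x/32' compare equal."""
    if net == "0/0":
        return "0.0.0.0/0"
    return str(ipaddress.ip_network(net, strict=False))


def parse_drop_ext(config_text):
    """Return FW_SERVICES_DROP_EXT entries as (network, protocol, dport) tuples."""
    m = re.search(r'^FW_SERVICES_DROP_EXT="([^"]*)"', config_text, re.M)
    entries = []
    if m:
        for item in m.group(1).split():
            parts = item.split(",")
            net = normalize_net(parts[0])
            proto = parts[1] if len(parts) > 1 else None
            dport = parts[2] if len(parts) > 2 else None
            entries.append((net, proto, dport))
    return entries


def drop_rich_rule(net, proto, dport):
    """The firewalld rich rule a DROP_EXT entry should translate to.

    A source of 0.0.0.0/0 is omitted: a rule with no source matches any."""
    rule = "rule family=ipv4"
    if net != "0.0.0.0/0":
        rule += f" source address={net}"
    if proto and dport:
        rule += f" port port={dport} protocol={proto}"
    elif proto:
        rule += f" protocol value={proto}"
    return rule + " drop"


def expected_drop_rules(config_text):
    """All rich rules the DROP_EXT list should produce, in config order."""
    return [drop_rich_rule(*entry) for entry in parse_drop_ext(config_text)]


def find_inverted_rules(config_text, migration_log, zone="ext"):
    """Rich rules in the log whose source is on the drop list but whose action is not drop."""
    should_drop = {net for net, _, _ in parse_drop_ext(config_text)}
    inverted = []
    for line in migration_log.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("zone") != zone:
            continue
        rule = m.group("rule")
        addr = ADDR_RE.search(rule)
        action = ACTION_RE.search(rule)
        if not addr or not action:
            continue  # no numeric source in the rule: nothing to compare against
        net = normalize_net(addr.group(1))
        if net in should_drop and action.group(1) != "drop":
            inverted.append((net, action.group(1)))
    return inverted


if __name__ == "__main__":
    for rule in expected_drop_rules(SAMPLE_CONFIG):
        print("expected:", rule)
    for net, action in find_inverted_rules(SAMPLE_CONFIG, SAMPLE_MIGRATION_LOG):
        print(f"WRONG ACTION: {net} is in FW_SERVICES_DROP_EXT but was added as {action}")
```

Run it against the real config and the saved output of the migration script before trusting the resulting zone: any line the checker reports is a previously blocked network that the new ruleset would let in.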