Bug Fix Advisory firewalld bug fix and enhancement update

Advisory: RHBA-2015:0520-2
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2015-03-05
Last updated on: 2015-03-05
Affected Products: Red Hat Enterprise Linux Desktop (v. 7)
Red Hat Enterprise Linux HPC Node (v. 7)
Red Hat Enterprise Linux Server (v. 7)
Red Hat Enterprise Linux Workstation (v. 7)

Details

Updated firewalld packages that fix several bugs and add two enhancements are
now available for Red Hat Enterprise Linux 7.

The firewalld packages contain the firewalld service daemon that provides a
dynamic customizable firewall with a D-Bus interface.

Bug fixes:

* When the user incorrectly used the iptables command, the firewalld daemon did
not return any error message to the command line. With this update, an error
message is returned. (BZ#1057095)

* The PK_ACTION_INFO and PK_ACTION_CONFIG PolicyKit domains were not used
consistently: some methods in the firewalld source code required
PK_ACTION_INFO whereas others required PK_ACTION_CONFIG. The code has been
modified to use the domains consistently. (BZ#1061809)

* Several changes made in the upstream firewalld manual pages were not
propagated to the firewalld manual page that was packaged with the firewalld
packages. The packaged manual page has been modified to include all relevant
changes. (BZ#1071303)

* The "firewall-cmd --get-target" command returns the target of a permanent
zone. The command referred to the default target as "{chain}_{zone}", which was
not clear. Now, the command refers to the default target as "default" to avoid
possible misunderstandings. (BZ#1075675)

* The at_console="true" condition was used in the firewalld D-Bus policy file.
This condition is deprecated. It also made firewalld difficult to use on
servers where users were logged in using the SSH protocol or the Cockpit server
manager. Now, at_console="true" has been removed, and the authorization is
performed by the PolicyKit utility instead. (BZ#1097765)

* Due to a missing argument in the lockdown-whitelist.xml file, when a non-root
user locked the firewall configuration using the "Options" tab in the
firewall-config GUI, only the root user was able to unlock it again. With this
update, lockdown-whitelist.xml has been fixed to allow non-root users to unlock
the firewall configuration as expected. (BZ#1099065)

* The Lockdown property in the firewalld source code was read-only. As a
consequence, an attempt to lock or unlock the firewall configuration using the
"firewall-cmd --lockdown-{on,off}" command failed. The underlying source code
has been modified, and the user is now able to lock or unlock the firewall
configuration as expected. (BZ#1111573)

* The "--permanent --add-interface" option is supposed to be used only for
interfaces that are not managed by the NetworkManager utility. This update
modifies the firewall-cmd(1) and firewalld.zone(5) manual pages to explain the
correct usage of the option. (BZ#1112742)

* Devices that do not have a zone explicitly set use the default zone. If the
default zone was changed, the firewall-config GUI did not reflect this change in
the "Change Zones of Connections" tab until the GUI was restarted. This update
applies a patch to fix this bug, and when the user changes the default zone, the
default zone is also changed in "Change Zones of Connections". (BZ#1120212)

* Several ports are supposed to be opened on the Satellite 6 server. The
firewalld daemon was not aware of those ports, and therefore the user had to set
the ports manually. With this update, the new RH-Satellite-6.xml file has been
added to the /usr/lib/firewalld/services/ directory, which ensures that all
required ports are set automatically. (BZ#1135634)
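
The lockdown-whitelist.xml fix above (BZ#1099065) is easier to see with a small model of how a whitelist command entry is compared with a caller's command line. This is an added example, not firewalld's own code: the whitelist fragments, the `GUI` command line and the helper names are constructed for illustration, and the matching rule (full-string match unless the entry ends in `*`) follows the firewalld.lockdown-whitelist(5) manual page.

```python
import xml.etree.ElementTree as ET

# Constructed whitelist fragments (not copied from the shipped file).
# BEFORE lacks the interpreter's "-Es" argument; AFTER includes it.
BEFORE = """<whitelist>
  <command name="/usr/bin/python /usr/bin/firewall-config"/>
  <user id="0"/>
</whitelist>"""
AFTER = BEFORE.replace("/usr/bin/python /usr", "/usr/bin/python -Es /usr")


def load(xml_text):
    """Return (command entries, whitelisted uids) from a whitelist document."""
    root = ET.fromstring(xml_text)
    commands = [c.get("name") for c in root.findall("command")]
    uids = {int(u.get("id")) for u in root.findall("user") if u.get("id")}
    return commands, uids


def command_matches(entry, cmdline):
    """Trailing '*' means prefix match; otherwise the full line must match."""
    if entry.endswith("*"):
        return cmdline.startswith(entry[:-1])
    return cmdline == entry


def allowed(xml_text, uid, cmdline):
    """Simplified model: a caller passes if its uid or command line is listed."""
    commands, uids = load(xml_text)
    return uid in uids or any(command_matches(e, cmdline) for e in commands)


# Command line of the GUI when its interpreter line carries "-Es"
# (assumed here for illustration).
GUI = "/usr/bin/python -Es /usr/bin/firewall-config"

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, "root:", allowed(doc, 0, GUI),
              "uid 1000:", allowed(doc, 1000, GUI))
```

With the constructed "before" fragment only uid 0 passes, which matches the symptom the advisory describes; when auditing a customized whitelist, compare each command entry against the full command line of the running client, arguments included.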

Enhancements:

* It is now possible to copy changes made in the runtime configuration to the
permanent configuration without manually repeating each change in the
permanent environment. (BZ#993650)

* The firewalld D-Bus API provided two different sets of APIs; one for the
runtime configuration and one for the permanent configuration. This enhancement
unifies the two sets of APIs by implementing the matching runtime methods
directly into the permanent environment without the need to use the Python
client class. (BZ#1127706)

Users of firewalld are advised to upgrade to these updated packages, which fix
these bugs and add these enhancements.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 7)

SRPMS:
firewalld-0.3.9-11.el7.src.rpm
File outdated by: RHBA-2017:0103

x86_64:
firewall-applet-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103
firewall-config-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103
firewalld-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103
 
Red Hat Enterprise Linux HPC Node (v. 7)

SRPMS:
firewalld-0.3.9-11.el7.src.rpm
File outdated by: RHBA-2017:0103

x86_64:
firewall-applet-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103
firewall-config-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103
firewalld-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103
 
Red Hat Enterprise Linux Server (v. 7)

SRPMS:
firewalld-0.3.9-11.el7.src.rpm
File outdated by: RHBA-2017:0103

PPC:
firewall-applet-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103
firewall-config-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103
firewalld-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103

s390x:
firewall-applet-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103
firewall-config-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103
firewalld-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103

x86_64:
firewall-applet-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103
firewall-config-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103
firewalld-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103
 
Red Hat Enterprise Linux Workstation (v. 7)

SRPMS:
firewalld-0.3.9-11.el7.src.rpm
File outdated by: RHBA-2017:0103

x86_64:
firewall-applet-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103
firewall-config-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103
firewalld-0.3.9-11.el7.noarch.rpm
File outdated by: RHBA-2017:0103
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1061809 - Inconsistent PolicyKit domain usage for D-Bus methods
1064401 - firewall-cmd man page has a typo in --help description
1071303 - man-page changes are not 'applied'
1075675 - firewall-cmd should use apparent name for default target
1097765 - at_console in dbus policy makes firewalld hard to use on servers
1097841 - firewall-cmd: inconsistent use of colouring when printing yes/no
1099065 - missing -Es in command string in lockdown-whitelist.xml
1111573 - firewall-cmd --lockdown-{on,off} don't work
1112742 - firewall-cmd --permanent --change-interface=... should report an error
1127706 - Unify runtime and permanent D-Bus API
1135634 - [RFE] firewalld services for Satellite 6 ports
993650 - rfe: runtime conf may be saved as permanent
993655 - GUI: missing name of active zone
993740 - rich language> log level
994044 - cli: --timeout should accept time specifiers



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/