[Bug 549065] New: yast2-printer: add test if firewall is used and if yes popup info regarding CUPS+firewall
http://bugzilla.novell.com/show_bug.cgi?id=549065

User jsmeix@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=549065#c468426

           Summary: yast2-printer: add test if firewall is used and if yes
                    popup info regarding CUPS+firewall
    Classification: openSUSE
           Product: openSUSE 11.3
           Version: unspecified
          Platform: All
        OS/Version: SuSE Other
            Status: ASSIGNED
          Severity: Enhancement
          Priority: P5 - None
         Component: YaST2
        AssignedTo: jsmeix@novell.com
        ReportedBy: jsmeix@novell.com
         QAContact: jsrain@novell.com
                CC: jw@novell.com, mzugec@novell.com, mschmidkunz@novell.com
          Found By: Development

Because of https://bugzilla.novell.com/show_bug.cgi?id=468426#c8 there is currently in yast2-printer only a static text regarding firewall in the dialogs as follows:

In the "Print via Network" dialog the static text directly in the dialog reads:
----------------------------------------------------------
If a firewall is used, check that incomming packages on UDP port 631 are allowed.
----------------------------------------------------------
and the help text reads:
----------------------------------------------------------
Regarding firewall:
Check if a firewall is active for a network zone in which printers are published via network.
By default the SuSEfirewall allows any incomming information via a network interface which belongs to the 'internal zone' because this zone is trusted by default.
If the remote CUPS servers and your system are in an internal network and when you trust all what there is in your internal network, your network interface must be set to be in the 'internal zone'.
It does not make sense to have a network setup in a trusted internal network with a network interface which belongs to the untrusted 'external zone' which is the default setting for network interfaces to be safe.
Do not disable firewall protection for CUPS (i.e. for IPP which uses TCP port 631 and UDP port 631) for the untrusted 'external zone'.
----------------------------------------------------------

In the "Share Printers" dialog the static text directly in the dialog reads:
----------------------------------------------------------
If a firewall is used, check that remote access to CUPS is allowed via IPP on port 631.
----------------------------------------------------------
and the help text reads:
----------------------------------------------------------
Regarding firewall:
Check if a firewall is active for a network zone in which printers are made available via network to be used by trusted users (nobody lets arbitrary users print on his printer).
By default the SuSEfirewall allows any access via a network interface which belongs to the 'internal zone' because this zone is trusted by default.
If the CUPS server and the client systems are in an internal network and when you trust all what there is in your internal network, your network interface must be set to be in the 'internal zone'.
It does not make sense to have a network setup in a trusted internal network with a network interface which belongs to the untrusted 'external zone' which is the default setting for network interfaces to be safe.
Do not disable firewall protection for CUPS (i.e. for IPP which uses TCP port 631 and UDP port 631) for the untrusted 'external zone'.
----------------------------------------------------------

From my point of view sufficient information is there BUT some/many/almost-all? users do not notice and/or read it.

Therefore I think about an enhancement to make the firewall issue more noticeable by the user.

Basically the idea is that a popup hopefully gets better awareness than just static text or help text.

But I do not want to show a popup in any case regardless if actually a firewall is used because popups without a reason are an annoyance.

Because of bug #468426 I do no longer like to call the yast firewall module only to find out if a firewall is used or not (I do not want to find out if and how exactly the yast firewall module could tell me if any kind of firewall is used - not only the SuSEfirewall but also whatever selfmade set of iptables rules).

Therefore I think about a simple command line test like

    test "$( iptables -n -L | wc -l )" -gt "10" && echo firewall active

or perhaps even better

    iptables -n -L | egrep -q 'DROP|REJECT' && echo firewall active

to find out if any kind of firewall is used.

Note that because of https://bugzilla.novell.com/show_bug.cgi?id=468426#c8 "firewall check would not make much sense" such a popup would be shown additionally to the static text in the dialog.
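
The two command-line tests proposed in the report, run against constructed `iptables -n -L` style listings to show which rulesets each one flags. This is an added example, not part of the original bug report; the function names (`fw_by_linecount`, `fw_by_target`, `listing`, `verdict`) and the sample rules are assumptions made for illustration.

```shell
#!/bin/sh
# Heuristic 1 from the report: more than 10 lines of listing output.
fw_by_linecount() { lines=$(wc -l); [ "$lines" -gt 10 ]; }

# Heuristic 2 from the report: DROP or REJECT anywhere in the listing
# (matches rule targets and also a "(policy DROP)" chain header).
fw_by_target() { grep -Eq 'DROP|REJECT'; }

# Constructed listing in `iptables -n -L` layout (filter table only):
# $1 = INPUT chain policy, remaining arguments = INPUT rule lines.
listing() {
    policy=$1; shift
    header='target     prot opt source               destination'
    printf 'Chain INPUT (policy %s)\n%s\n' "$policy" "$header"
    for rule in "$@"; do printf '%s\n' "$rule"; done
    printf '\nChain FORWARD (policy ACCEPT)\n%s\n' "$header"
    printf '\nChain OUTPUT (policy ACCEPT)\n%s\n' "$header"
}

# Read a listing on stdin and report what each heuristic decides.
verdict() {
    text=$(cat)
    c=no; t=no
    printf '%s\n' "$text" | fw_by_linecount && c=yes
    printf '%s\n' "$text" | fw_by_target && t=yes
    echo "count=$c target=$t"
}

# Constructed sample rules (the DROP rule blocks incoming UDP port 631).
A='ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22'
D='DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:631'

echo "empty ruleset:     $(listing ACCEPT | verdict)"
echo "policy DROP only:  $(listing DROP | verdict)"
echo "four ACCEPT rules: $(listing ACCEPT "$A" "$A" "$A" "$A" | verdict)"
echo "one DROP rule:     $(listing ACCEPT "$D" | verdict)"
```

An empty ruleset prints 8 lines, so a chain policy of DROP or a single DROP rule for port 631 stays under the line-count threshold, while a ruleset made only of ACCEPT rules exceeds it.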