Feature changed by: Marcus Meissner (msmeissn)
Feature #316708, revision 13
Title: simple laptop user firewall experience (e.g. printing)

openSUSE Distribution: New
Priority
Requester: Desirable

Requested by: Susanne Oberhauser (froh)
Partner organization: openSUSE.org

Description:
Context: a laptop user regularly moves between networks with her laptop.

When the user wants to print or use other broadcast-advertised services, the laptop should *in an obvious way* help to connect to the services.

Currently "it just does not work", and, what makes things worse, in a non-obvious way. And the firewall, once identified as the part preventing the user from doing what she wants to do, is perceived not as a useful part of the system but as an overjealous hindrance. It's not simple to reconfigure it "reasonably", e.g. opening the IPP port for incoming broadcasts only in the DMZ is not simple. Thus there is a high risk of opening ports in the EXT zone or even of the firewall being just disabled permanently, especially by users who really should have it up.

So the current system behaviour leads to the opposite of the desired goal.

The firewall zone switcher fwzs applet is a good first step in the right direction. However, there are a number of issues that still interfere:

* There is no preconfigured, sane standard mechanism to set the firewall zones depending on the network you connect to, let alone to remember the setting (e.g. nothing connects the network manager to fwzs).
* The firewall zones are vaguely labeled and defined. For example, the DMZ is labeled "something in between" and does not allow incoming IPP broadcasts; only the "private network" (i.e. the INT zone) allows that. Maybe an additional zone "Internet cafe" or something like that would be more useful, which allows browsing broadcasted services but which protects data on the laptop? And a "Trusted Network behind a firewall" which allows sharing files and services on the laptop?

Discussion:
#1: Johannes Meixner (jsmeix) (2013-11-12 15:15:18)
I think the initial description is twofold:

First and foremost it is about SuSEfirewall2 not being perceived at all and, if perceived, then as a hindrance.

Second it is about possible shortcomings in the current Firewall Zone Switcher.

Regarding the first issue:

If the Firewall Zone Switcher applet would run by default on the various desktops (KDE, Gnome, Xfce, LXDE), SuSEfirewall2 would be perceived and the user could then at any time select the firewall zone according to the current need.

I think the vast majority of "this or that networking stuff does not just work because of the firewall" issues would "just go away" if desktop users could at any time select the firewall zone according to the current need.

Regarding the second issue:

I think enhancements for fwzs might be better discussed in a separate feature request to avoid this feature request fading away in an endless discussion.

FYI:

Regarding firewall setup for printing, see
http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings

Regarding Ubuntu and firewall, see
https://help.ubuntu.com/13.10/serverguide/firewall.html
that reads:
----------------------------------------------
The default firewall configuration tool for Ubuntu is ufw.
...
ufw by default is initially disabled.
----------------------------------------------
https://help.ubuntu.com/community/DoINeedAFirewall
https://help.ubuntu.com/community/NetworkPrintingWithUbuntu

+ #3: Marcus Meissner (msmeissn) (2013-11-19 10:45:21)
+ no question for me I can answer

--
openSUSE Feature:
https://features.opensuse.org/316708