http://bugzilla.novell.com/show_bug.cgi?id=551282
http://bugzilla.novell.com/show_bug.cgi?id=551282#c44
Johannes Meixner changed:
           What    |Removed    |Added
----------------------------------------------------------------------------
         Status    |ASSIGNED   |RESOLVED
     Resolution    |           |FIXED
--- Comment #44 from Johannes Meixner 2009-12-23 14:45:48 UTC ---
Fixed in YaST SVN revision 60192.
New version 2.19.0 with this RPM changelog entry:
--------------------------------------------------------------------
- Replaced overcomplicated but nevertheless mostly useless code
for using the YaST SuSEFirewall module by simple generic code
in a ShowFirewallPopup function in the same way as it works
for yast2-printer (compare Novell/Suse Bugzilla bnc#549065)
and enhanced the help text "Regarding Firewall",
(see Novell/Suse Bugzilla bnc#551282).
--------------------------------------------------------------------
The enhanced help text "Regarding Firewall" is:
--------------------------------------------------------------------
Regarding Firewall
Clients contact the saned via the sane-port (TCP port 6566)
but scanning data is transferred via an additional random port.
Therefore it is not sufficient for scanning via network
to open only port 6566 in the firewall.
You can specify a port range for the data connection
in the saned config file /etc/sane.d/saned.conf
via an entry like 'data_portrange = 30000 - 30100'
and then open port 6566 and the port range 30000:30100
in the firewall.
The default firewall settings protect your host from external access.
Allowing access from the external network (i.e. for the external zone)
does not make sense because scanning documents requires
physical scanner access by trusted users.
On the other hand the default firewall settings allow
any access from an internal (i.e. trusted) network
unless you have firewall protection enabled for the internal zone.
But an active firewall for the internal zone (i.e. for the
trusted network zone) usually also does not make much sense
because this makes the internal zone effectively the same
as the external zone.
The simplest and most secure way to do scanning via network
is when the trusted network has a well separated network interface
to have the trusted network well separated from the rest.
Then this network interface can be assigned to the internal zone
via the YaST Firewall setup module and scanning via network
will work without any further firewall setup.
Anything else may result in a problematic mix-up of trusted and
non-trusted network traffic in one and the same network environment.
For example when both the internal network and the connection
to the Internet happen via one and the same 'router-box' device.
In such a case the 'router-box' device is the crucial point
(in particular the crucial point of possible failure)
regarding network security.
In any case a plain opening of a port for the external zone
is dangerous because it allows access from any foreign host
to this port but does not provide any protection for
the service which is accessed via this port (e.g. the saned).
Instead of plain opening of ports for arbitrary access
one should additionally specify in the firewall setup
from which hosts and networks the access is allowed.
The YaST Firewall setup module can also be used
for such kind of more sophisticated firewall setup.
--------------------------------------------------------------------
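The help text above boils down to two checks an administrator can script: derive the ports the firewall must open from the data_portrange entry in saned.conf, and verify that those ports are opened for the internal zone only, not for the external zone. The following POSIX shell script is an added example and is not code from YaST or from the bug report; it uses constructed sample configs and assumes the SuSEfirewall2 variable names FW_SERVICES_INT_TCP and FW_SERVICES_EXT_TCP for the zone port lists.

```shell
#!/bin/sh
# Constructed sample inputs (not from the bug report): a saned.conf excerpt in
# the syntax the help text cites, and two SuSEfirewall2-style zone settings.
SANED_CONF='# /etc/sane.d/saned.conf excerpt (constructed)
data_portrange = 30000 - 30100'
FW_INTERNAL_ONLY='FW_SERVICES_INT_TCP="6566 30000:30100"
FW_SERVICES_EXT_TCP=""'
FW_EXTERNAL_OPEN='FW_SERVICES_INT_TCP=""
FW_SERVICES_EXT_TCP="6566 30000:30100"'

# Read saned.conf text on stdin and print the ports the firewall must open as
# "6566 lo:hi". Without a data_portrange only "6566" is printed: saned then
# uses random data ports, so no fixed firewall rule can cover them.
sane_firewall_ports() {
    range=$(sed -n 's/^[[:space:]]*data_portrange[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1:\2/p' | head -n 1)
    if [ -n "$range" ]; then printf '6566 %s\n' "$range"; else printf '6566\n'; fi
}

# Return 0 when every port token of $2 appears in the space-separated list $1.
zone_opens() {
    for p in $2; do
        case " $1 " in *" $p "*) ;; *) return 1 ;; esac
    done
}

# Read firewall config text on stdin (variable names FW_SERVICES_INT_TCP and
# FW_SERVICES_EXT_TCP are an assumption) and report where port spec $1 is open:
# "ext" (external zone, the plain opening the help text calls dangerous; exit 1),
# "int" (internal zone only, the recommended setup; exit 0) or "none" (exit 0).
saned_zone_audit() {
    spec=$1
    conf=$(cat)
    ext=$(printf '%s\n' "$conf" | sed -n 's/^FW_SERVICES_EXT_TCP="\(.*\)"/\1/p')
    int=$(printf '%s\n' "$conf" | sed -n 's/^FW_SERVICES_INT_TCP="\(.*\)"/\1/p')
    if zone_opens "$ext" "$spec"; then echo ext; return 1; fi
    if zone_opens "$int" "$spec"; then echo int; return 0; fi
    echo none
    return 0
}

spec=$(printf '%s\n' "$SANED_CONF" | sane_firewall_ports)
echo "ports to open: $spec"
printf '%s\n' "$FW_INTERNAL_ONLY" | saned_zone_audit "$spec"
printf '%s\n' "$FW_EXTERNAL_OPEN" | saned_zone_audit "$spec" || echo "saned exposed to the external zone"
```

On a real host feed /etc/sane.d/saned.conf and /etc/sysconfig/SuSEfirewall2 to the two functions instead of the constructed samples.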