http://bugzilla.novell.com/show_bug.cgi?id=537980 User kmachalkova@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=537980#c2 Katarina Machalkova changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|yast2-maintainers@suse.de |kmachalkova@novell.com --- Comment #2 from Katarina Machalkova 2009-09-10 06:33:37 MDT --- I'll take this one (as I wrote fw config sub-proposal in the first stage) -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=537980 User meissner@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=537980#c4 --- Comment #4 from Marcus Meissner 2009-09-10 08:16:48 MDT --- I think they should be folded into 1 option to avoid bloat. * SSH service disabled and closed in firewall (enable and open) -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=537980 User lnussel@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=537980#c6 Ludwig Nussel changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lnussel@novell.com --- Comment #6 from Ludwig Nussel 2009-09-14 02:43:22 MDT --- (In reply to comment #5)

If there is only one item "disabled and closed" vs. "enabled and open", there is no need to confuse people by mentioning the firewall at all.

I tend to agree. I'd suggest to implement a "remote access/login" proposal instead of a firewall proposal, at least in the install mode without interactive second stage. ie something like * remote access is disabled I'd not offer quick switch buttons. Instead clicking the line should always open a full configuration dialog.

But I still fail to see a point in closing the port of a not running service,

The port isn't explicitly 'closed'. Instead the Firewall just drops all packets you don't explicitly allow.

and of starting sshd, but not opening the port as well.

When configuring a router you'd have interfaces in the external and in the internal zone. ssh would automatically be accessible from the internal zones in that case. Opening the port here would mean allowing ssh access from the internet. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=537980 User binner@kde.org added comment http://bugzilla.novell.com/show_bug.cgi?id=537980#c8 Stephan Binner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |radomir.cernoch@gmail.com --- Comment #8 from Stephan Binner 2009-09-15 03:51:18 MDT --- *** Bug 539215 has been marked as a duplicate of this bug. *** http://bugzilla.novell.com/show_bug.cgi?id=539215 -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=537980 User kmachalkova@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=537980#c10 Katarina Machalkova changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium Status|NEW |ASSIGNED --- Comment #10 from Katarina Machalkova 2009-09-29 03:38:06 MDT --- Done in 1st stage firewall proposal 2nd stage (non-automatic configuration) is still pending -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=537980 User max@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=537980#c12 Reinhard Max changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Version|Factory |Final Resolution|FIXED | --- Comment #12 from Reinhard Max 2009-11-12 07:21:25 MST --- Katatrina, I think the behaviour of 11.2 final is still strange. There doesn't seem to be a way to enable ssh during installation without enabling the firewall as well. The ssh option disappears or gets greyed outn (depending on context) when the firewall gets disabled. Is that intentional? Maybe the wording of the ssh option could change from "open and enable" to just "enable" when the firewall gets deselected, but enabling ssh should always be possible, regardless whether the firewall is enabled or disabled. BTW, why is there a separate "Firewall and SSH Configuration" dialog if it doesn't contain options or choices that aren't alrady available via the direct links in the installation overview window? -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=537980 User kmachalkova@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=537980#c14 --- Comment #14 from Katarina Machalkova 2009-11-12 07:54:47 MST --- (In reply to comment #12

BTW, why is there a separate "Firewall and SSH Configuration" dialog if it doesn't contain options or choices that aren't alrady available via the direct links in the installation overview window?

If it is the dialog that opens after clicking on Firewall and SSH headline in the main proposal screen (or selecting corresponding menu entry), it is because of principle of least surprise. Some dialog should be open after clicking on any headline in installation proposal (see bug #203817, or bug #539289). Otherwise all proposals are just reloaded and nothing changes. I know it's crappy, and it would be better to e.g. make the link unclickable if there is nothing more to configure in extra dialog, but changing that requires rather intrusive modifications to how proposals and links are handled now. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=537980 User max@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=537980#c16 --- Comment #16 from Reinhard Max 2009-11-12 08:56:52 MST --- (In reply to comment #13)

Hmm, it is consistent with 2nd stage fw proposal and yast2-firewall in general - if fw is disabled, it does not make sense for any services to open ports in it

I am not asking for being able to open ports in a disabled firewall, but for being able to enable the sshd service regardless of the firewall setting.

...

Maybe the wording of the ssh option could change from "open and enable" to just "enable" when the firewall gets deselected,

The wording here is based on _Marcus_'s proposal in comment #4, to "avoid bloat".

Yes, the wording is OK as long as the firewall is on. What I was trying to say is, that instead of greying out or removing the ssh option when the firewall is disabled, just remove the port part of the wording. So, initially the options would read: * Firewall is enabled (disable) * SSH service is disabled and closed in firewall (enable and open) And when the firewall gets disabled, they change to: * Firewall is disabled (enable) * SSH service is disabled (enable) Does that make things clearer? -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=537980 http://bugzilla.novell.com/show_bug.cgi?id=537980#c Katarina Machalkova changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |ASSIGNED -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=537980 http://bugzilla.novell.com/show_bug.cgi?id=537980#c Jiri Srain changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|jsrain@novell.com |locilka@novell.com -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=537980 http://bugzilla.novell.com/show_bug.cgi?id=537980#c19 Stephan Kulow changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED CC| |coolo@novell.com InfoProvider|coolo@novell.com | --- Comment #19 from Stephan Kulow 2010-04-13 08:18:11 UTC --- I'm not sure the network proposal is read by so many these days - but it might be important in the future to do so. In general I agree with you: firewall shouldn't enable services, if anything it could add a warning dialog - but in general it should be the other way around: the service proposal should check the firewall settings. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=537980 https://bugzilla.novell.com/show_bug.cgi?id=537980#c21 Lukas Ocilka changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |locilka@novell.com Component|Installation |Installation Version|Final |Factory AssignedTo|locilka@novell.com |bnc-team-screening@forge.pr | |ovo.novell.com Product|openSUSE 11.2 |openSUSE 12.1 Summary|Opening SSH port in |Offer possibility to start |firewall should start SSH |SSH during installation --- Comment #21 from Lukas Ocilka 2011-06-13 09:12:49 UTC --- Reconsidering the status of this bug: * Requiring YaST Firewall to start SSH if SSH port is open during installation is the same as requiring to start (any) HTTP server if port 80 or 443 was open. Thus... * Starting SSH (and maybe other services?) might be handled by another installation proposal (services_proposal in runlevel) See also FATE #305583 PS: To be decided by the openSUSE PM/PjM -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=537980 https://bugzilla.novell.com/show_bug.cgi?id=537980#c23 Lukas Ocilka changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|WONTFIX | --- Comment #23 from Lukas Ocilka 2011-06-14 08:46:36 UTC --- . -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=537980 https://bugzilla.novell.com/show_bug.cgi?id=537980#c25 Jiří­ Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |coolo@novell.com --- Comment #25 from Jiří­ Suchomel 2011-06-15 07:08:09 UTC --- Well, so what's the proposed solution? As Reinhard writes, currently "starting sshd" options is tied to starting firewall, so it is not available once firewall should not be running. So you want to leave out sshd from firewall section and add it to separate services section, right? Additionally, fate #305583 (last comment) describes a way how to set the default value in control file (sshd on/off) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=537980 https://bugzilla.novell.com/show_bug.cgi?id=537980#c27 Stephan Kulow changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|coolo@novell.com | --- Comment #27 from Stephan Kulow 2011-06-15 10:16:15 CEST --- this is how it should look like, yes. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=537980 https://bugzilla.novell.com/show_bug.cgi?id=537980#c28 --- Comment #28 from Reinhard Max 2011-06-15 10:43:35 CEST --- I think prefixing every line with "Service " is redundant, as the section is already called "Services". Instead I suggest the following wording: * SSH Server will be disabled (enable) and likewise for other services. I am still pondering whether it makes more sense to say "will be started"/"will not be started", which would be closer to the technical reality, but might mislead users to think the start/stop happens immediately rather than on next boot. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=537980 https://bugzilla.novell.com/show_bug.cgi?id=537980#c31 Lukas Ocilka changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED InfoProvider|locilka@novell.com | --- Comment #31 from Lukas Ocilka 2011-06-21 07:53:55 UTC --- It's mainly about moving code from services_proposal client to a new library and also about creating another services_finish client that would write the setting at the end of first stage. Starting services would have to be omitted though. It can be done but it would take more than just a few hours. Anyway, if users need the SSH daemon to run and there's no other way, it's worth the effort, I'd say. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=537980 https://bugzilla.novell.com/show_bug.cgi?id=537980#c34 --- Comment #34 from Lukas Ocilka 2011-07-21 07:47:48 UTC --- Created an attachment (id=441302) --> (http://bugzilla.novell.com/attachment.cgi?id=441302) Screenshot from 11.4: Firewall on an installed system Firewall is up and running, SSH port open. SSHD is up and running as well. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=537980 https://bugzilla.novell.com/show_bug.cgi?id=537980#c36 Reinhard Max changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CLOSED |REOPENED Resolution|FIXED | --- Comment #36 from Reinhard Max 2011-07-21 10:00:46 CEST --- The problem is, that you can't enable SSH once the firewall has been disabled. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=537980 https://bugzilla.novell.com/show_bug.cgi?id=537980#c38 Reinhard Max changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|FIXED | --- Comment #38 from Reinhard Max 2011-07-21 10:12:12 CEST --- This is not a new feature, it is a bug in the installation workflow that disabling the firewall takes away the possibility to enable ssh. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=537980 https://bugzilla.novell.com/show_bug.cgi?id=537980#c40 --- Comment #40 from Jiří­ Suchomel 2011-07-21 08:33:04 UTC --- There was already solution proposal here: use services proposal in 1st stage (e.g. comment 26). Current one is 2nd stage only, so there'd be need to adapt it (maybe simplify) to 1st stage usage. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=537980 https://bugzilla.novell.com/show_bug.cgi?id=537980#c42 --- Comment #42 from Lukas Ocilka 2011-07-21 11:43:09 UTC --- Created an attachment (id=441459) --> (http://bugzilla.novell.com/attachment.cgi?id=441459) Screenshot from 11.4: Checking the FW and SSHD status After the installation, Firewall is disabled but SSHD is running. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=537980 https://bugzilla.novell.com/show_bug.cgi?id=537980#c44 --- Comment #44 from Bernhard Wiedemann 2011-07-22 19:00:34 CEST --- This is an autogenerated message for OBS integration: This bug (537980) was mentioned in https://build.opensuse.org/request/show/76800 Factory / yast2-network -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.