[Bug 348575] New: Avahi ports not exposed through firewall by default
https://bugzilla.novell.com/show_bug.cgi?id=348575

Summary: Avahi ports not exposed through firewall by default
Product: openSUSE 11.0
Version: unspecified
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: YaST2
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: jpr@novell.com
QAContact: jsrain@novell.com
Found By: ---

Avahi is turned on by default currently, but so is the firewall, and the firewall does not enable those ports by default. The avahi package does provide:

/etc/sysconfig/SuSEfirewall2.d/services/avahi

Is there a way to get this service enabled by default like ssh?

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Benjamin Weber <benji.weber@gmail.com>
https://bugzilla.novell.com/show_bug.cgi?id=348575#c1

Cyril Hrubis

--- Comment #2 from Lukas Ocilka <locilka@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=348575#c2

--- Comment #3 from Ludwig Nussel <lnussel@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=348575#c3

--- Comment #4 from Benjamin Weber <benji.weber@gmail.com>
https://bugzilla.novell.com/show_bug.cgi?id=348575#c4

--- Comment #5 from Lukas Ocilka <locilka@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=348575#c5

--- Comment #6 from JP Rosevear <jpr@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=348575#c6
No service is allowed in firewall by default.

In many ways it's nonsensical to enable services (ssh, avahi) by default at boot time that simply cannot be used in any meaningful way.

(In reply to comment #3 from Ludwig Nussel)
- the external zone will not have any open ports by default on any product.
- opening ports is the wrong solution in most cases anyways. The correct solution is to declare the LAN interface as 'internal' (you don't want to offer avahi to the internet, do you?)

zeroconf can do wlan resolution of services but that is not a widely used case. Something along this line would solve the issue for samba, cups, avahi, etc. My main concern is that it's sensible for the user, we can't ask them to grok things like "Would you like to make this interface internal?".

A more prominent firewall setup during installation to basically force people to make a conscious decision about the zones would be very helpful IMHO but this request was declined.

Do you have a reference #?
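The zone argument made in comment #3 (don't open the port on the external zone; assign the LAN interface to the internal zone instead) can be checked mechanically. The following is an added audit example, not code from the bug report, from openSUSE or from SuSEfirewall2 itself. It parses sysconfig-style text in the SuSEfirewall2 format and a service definition in the /etc/sysconfig/SuSEfirewall2.d/services/<name> format, then reports in which zone and on which interfaces the avahi service would be reachable. The variable names FW_DEV_EXT/INT/DMZ, FW_CONFIGURATIONS_EXT/INT/DMZ and FW_SERVICES_<zone>_TCP/UDP are real SuSEfirewall2 settings; the file contents, interface names and the "mdns" port alias used in the sample service file are constructed for the example.

```python
"""Audit which SuSEfirewall2 zone exposes a service (added example, constructed data).

The FW_* variable names are real SuSEfirewall2 settings; the sample files and
interface names below are constructed for this example and are not taken from
openSUSE's shipped configuration.
"""
import re

# Constructed sample in the services/<name> file format: one port list per protocol.
AVAHI_SERVICE = """## Name: Avahi
## Description: Opens ports for Zeroconf/mDNS (constructed sample)
TCP=""
UDP="mdns"
"""

# Weak configuration (constructed): the avahi service is enabled on the external zone.
WEAK_CONFIG = """FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_CONFIGURATIONS_EXT="avahi"
FW_CONFIGURATIONS_INT=""
"""

# Corrected configuration (constructed): the LAN interface is declared internal
# and avahi is enabled only there; the external zone keeps no open ports.
CORRECTED_CONFIG = """FW_DEV_EXT="wlan0"
FW_DEV_INT="eth0"
FW_CONFIGURATIONS_EXT=""
FW_CONFIGURATIONS_INT="avahi"
"""

ZONES = ("EXT", "INT", "DMZ")
# KEY="value" or KEY=value, optionally followed by a comment.
KV_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)="?([^"#]*)"?\s*(?:#.*)?$')


def parse_sysconfig(text):
    """Parse KEY="value" lines into a dict; comment and blank lines are skipped."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = KV_RE.match(line)
        if match:
            values[match.group(1)] = match.group(2).strip()
    return values


def service_ports(service_text):
    """Return the TCP and UDP port lists declared by one service definition file."""
    values = parse_sysconfig(service_text)
    return {"tcp": values.get("TCP", "").split(), "udp": values.get("UDP", "").split()}


def exposure(config_text, services):
    """Map each zone that has interfaces and open ports to its interfaces and ports.

    services: {name: {"tcp": [...], "udp": [...]}} for the service files present.
    A zone with no interfaces assigned (FW_DEV_<zone> empty) exposes nothing;
    the literal "any" in FW_DEV_EXT counts as an interface, as it does in SuSEfirewall2.
    """
    cfg = parse_sysconfig(config_text)
    result = {}
    for zone in ZONES:
        interfaces = cfg.get("FW_DEV_%s" % zone, "").split()
        tcp, udp = [], []
        # Ports contributed by enabled service definitions ...
        for name in cfg.get("FW_CONFIGURATIONS_%s" % zone, "").split():
            ports = services.get(name, {"tcp": [], "udp": []})
            tcp += ports["tcp"]
            udp += ports["udp"]
        # ... plus ports listed directly per zone.
        tcp += cfg.get("FW_SERVICES_%s_TCP" % zone, "").split()
        udp += cfg.get("FW_SERVICES_%s_UDP" % zone, "").split()
        if interfaces and (tcp or udp):
            result[zone] = {"interfaces": interfaces,
                            "tcp": sorted(set(tcp)), "udp": sorted(set(udp))}
    return result


def external_findings(config_text, services):
    """Return one message per port the external zone would open (empty when none)."""
    ext = exposure(config_text, services).get("EXT")
    if ext is None:
        return []
    where = ", ".join(ext["interfaces"])
    return ["external zone (%s) opens %s/%s" % (where, port, proto)
            for proto in ("tcp", "udp") for port in ext[proto]]


if __name__ == "__main__":
    services = {"avahi": service_ports(AVAHI_SERVICE)}
    for label, text in (("weak", WEAK_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, exposure(text, services), external_findings(text, services))
```

Run against the two constructed configurations, the weak one yields a finding for mdns/udp on eth0 in the external zone, while the corrected one exposes the same service only on the internal zone and yields no external finding; on a real system the same parser can be pointed at /etc/sysconfig/SuSEfirewall2 and the files under /etc/sysconfig/SuSEfirewall2.d/services/.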
--- Comment #7 from Ludwig Nussel <lnussel@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=348575#c7
(In reply to comment #2 from Lukas Ocilka)
No service is allowed in firewall by default.
In many ways it's nonsensical to enable services (ssh, avahi) by default at boot time that simply cannot be used in any meaningful way.
I don't disagree and would really like to see that solved in a better way too.
My main concern is that it's sensible for the user, we can't ask them to grok things like "Would you like to make this interface internal?".
Yeah, the basic assumption seems to be that the user is too clueless to decide anything. I don't take that for granted. Sure, technically accurate wording likely confuses people ("external zone", wtf?) but I am confident that a proper wording can be found.
A more prominent firewall setup during installation to basically force people to make a conscious decision about the zones would be very helpful IMHO but this request was declined.
Do you have a reference #?
No, that was some talk on the floor when coolo told us (security) about his thoughts to redesign the workflow.
--- Comment #8 from JP Rosevear <jpr@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=348575#c8
(In reply to comment #6 from JP Rosevear)
(In reply to comment #2 from Lukas Ocilka)
No service is allowed in firewall by default.
In many ways it's nonsensical to enable services (ssh, avahi) by default at boot time that simply cannot be used in any meaningful way.
I don't disagree and would really like to see that solved in a better way too.
My main concern is that it's sensible for the user, we can't ask them to grok things like "Would you like to make this interface internal?".
Yeah, the basic assumption seems to be that the user is too clueless to decide anything. I don't take that for granted. Sure, technically accurate wording likely confuses people ("external zone", wtf?) but I am confident that a proper wording can be found.
Perhaps, but I always like to reference this paper: http://www.cs.auckland.ac.nz/~pgut001/pubs/man_usability.pdf

I think you often get into a situation where people press the "make it work" button without understanding the full consequences of what's going on.

-JP