https://bugzilla.novell.com/show_bug.cgi?id=348575 User benji.weber@gmail.com added comment https://bugzilla.novell.com/show_bug.cgi?id=348575#c1 Benjamin Weber changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |benji.weber@gmail.com --- Comment #1 from Benjamin Weber 2007-12-13 15:24:32 MST --- Some things to note: - SSH is not currently open by default (Although it is asked during installation) - Opening ports by default is quite unpopular, there are even frequent complaints that ident is rejected rather than dropped by default. So there should be an easy method to switch to paranoid mode Currently we have: Firewall is [Enabled] SSH is [Disabled] in the installation configuration summary. This could perhaps be changed to have a "default", "paranoid", and "off" modes. - This "problem" is not limited to avahi, but other commonly used things especially samba browsing (which requires a lot of ports, but that's another issue) - YaST firewall module is currently very badly designed for its most common usecase - opening ports. It's hidden away behind an advanced button on a tab, where freeform text must be used. - Interactive firewall is probably the best solution, but a lot of work to implement. It might be possible to adopt/extend mandriva's interactive firewall?[0] - Apparmo[u]r is supposed to be getting per-process network controls at some point, and it already has the beginnings of dbus notication.[1] [0] http://wiki.mandriva.com/en/Projects/Interactive_Firewall [1] http://en.opensuse.org/AppArmor/Changes_AppArmor_2_1#AppArmor_LAF_dispatcher... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=348575 User locilka@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=348575#c2 Lukas Ocilka changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lnussel@novell.com, sbrabec@novell.com Severity|Major |Enhancement Status|NEW |ASSIGNED --- Comment #2 from Lukas Ocilka 2007-12-14 10:32:07 MST --- No service is allowed in firewall by default. You can adjust default firewall/ssh settings by changing a product control file: * true * false (Example taken from the current 11.0, this is all you can preset) We had similar discussion about avahi in openSUSE 10.3. We've decided (security team, management, avahi-maintainer (?)) not to open the port by default (in EXT zone but leave it open in INT zone - INT zone is unprotected by default). If you want me to extend the control file format to be able to define more (e.g., list of preselected allowed services), please, file a FATE request. --> Enhancement --- // --- // --- - YaST firewall module is currently very badly designed for its most common usecase - opening ports. It's hidden away behind an advanced button on a tab, where freeform text must be used. I can't agree on this. YaST firewall has been designed to make enabling services on firewall easy (I want to enable 'avahi' in firewall). Freeform text is needs to be used for additional/expert settings (I want to open port TCP:5589) YaST firewall is UI for /etc/sysconfig/SuSEfirewall2 --- // --- // --- -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=348575 User benji.weber@gmail.com added comment https://bugzilla.novell.com/show_bug.cgi?id=348575#c4 --- Comment #4 from Benjamin Weber 2007-12-17 02:39:32 MST --- What do you think about putting an interface in the internal zone by default if that interface has an IP assigned within the private range during installation? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=348575 User jpr@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=348575#c6 --- Comment #6 from JP Rosevear 2007-12-17 11:07:22 MST --- (In reply to comment #2 from Lukas Ocilka)

No service is allowed in firewall by default.

In many ways its nonsensical to enable services (ssh, avahi) by default at boot time that simply cannot be used in any meaningful way. (In reply to comment #3 from Ludwig Nussel)

- the external zone will not have any open ports by default on any product. - opening ports is the wrong solution in most cases anyways. The correct solution is to declare the LAN interface as 'internal' (you don't want to offer avahi to the internet, do you?)

zeroconf can do wlan resolution of services but that is not a widely used case. Something a long this line would solve the issue for samba, cups, avahi, etc. My main concern is that its sensible for the user, we can't ask them to grok things like "Would you like to make this interface internal?".

A more prominent firewall setup during installation to basically force people to make a conscious decision about the zones would be very helpful IMHO but this request was declined.

Do you have a reference #? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=348575 User jpr@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=348575#c8 --- Comment #8 from JP Rosevear 2007-12-18 06:18:33 MST --- (In reply to comment #7 from Ludwig Nussel)

(In reply to comment #6 from JP Rosevear)

...

(In reply to comment #2 from Lukas Ocilka)

...

No service is allowed in firewall by default.

In many ways its nonsensical to enable services (ssh, avahi) by default at boot time that simply cannot be used in any meaningful way.

I don't disagree and would really like to see that solved in a better way too.

...

My main concern is that its sensible for the user, we can't ask them to grok things like "Would you like to make this interface internal?".

Yeah, the basic assumption seems to be that the user is too clueless to decide anything. I don't take that for granted. Sure, technically accurate wording likely confuses people ("external zone", wtf?) but I am confident that a proper wording can be found.

Perhaps, but I always like to reference this paper: http://www.cs.auckland.ac.nz/~pgut001/pubs/man_usability.pdf I think you often get into a situation where people press the "make it work" button without understanding the full consequences of what's going on. -JP -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.