Frederic Crozat wrote:
On Tuesday 02 August 2011 at 08:54 +0200, Ludwig Nussel wrote:
Frederic Crozat wrote:
On Monday 01 August 2011 at 16:28 +0200, jdd wrote:
On 01/08/2011 15:00, Ludwig Nussel wrote:
Well, I could implement something like that for SuSEfirewall2/fwzs (using service definitions instead of ports though) but I'm not sure it's good behavior anyways. Users are not supposed to punch holes in the external zone just because they wanted to print once.
It's somewhat necessary only for printer detection and no more after that.
Not only for printers. We have several locations in Yast which state "you might need to lower / punch the firewall for this autodetection to work". It would be better from a usability PoV for Yast to talk to the firewall and punch it just for the autodetection.
The need for that will mostly vanish as soon as network connections (rather than network interfaces) have firewall zones attached. When connecting to a new network NM would ask whether you are connected to e.g. your home network or some untrusted public one. The former choice would just map to the internal zone, i.e. no filtering, therefore no problems.
Except:
- it is not there yet
- we should still be installing and enabling a firewall by default, even the one in the internal zone: a lot of home users are currently using DSL / cable modem / routers which are "protecting" them with NAT, but as soon as the NAT goes down (restarting the modem in factory setting) or with IPv6 becoming more and more prevalent, relying on the internal zone isn't a good idea (for a company network, I agree it is "safe").
Let's accept your assumption that home routers would actually route all traffic into your network for a moment. That would mean opening some port, even for a little while, is even more wrong. You'd expose your cups/avahi/rpc ports not only to the local network but to the whole internet! So you'd have to restrict access to your local IP range, at which point things get difficult to squeeze into a usable UI. Esp. with v6 where you get multiple, dynamically assigned and potentially even changing prefixes depending on connectivity (e.g. ULAs if the router is offline). So either the router takes care of filtering traffic or the network really is untrusted, in which case you don't want to suggest that the user open ports.
- current yast tools behavior is still screaming "I'm broken, unbroke me to get the function you want", from a usability PoV.
Well, feel free to file bugs against yast modules that are broken in that regard. No need to wait for firewalld.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
       SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
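The objection above, that a temporary allow rule has to be restricted to the local address range and that this range keeps changing under IPv6, can be made concrete. The following is an added example written for this page; it is not code from SuSEfirewall2, fwzs, YaST or anyone in the thread. It derives source-restricted accept rules (as nftables-style text only, nothing is applied to a live firewall) from a constructed set of interface addresses, separates prefixes that are local by definition (RFC 1918, link-local, ULA) from an on-link global prefix, and shows which rules become stale when the router loses its uplink and the global prefix disappears. The port 631 and the 2001:db8::/32 documentation prefix are assumptions standing in for a print service and an ISP-delegated prefix.

```python
"""Derive source-restricted allow rules from a host's on-link prefixes.

Added example, not from the thread or any project named in it.  Rule strings
use nftables syntax but are only built as text; nothing touches a firewall.
"""
import ipaddress

# Constructed sample addresses ("address/prefixlen") as a host might read them
# from its interfaces.  2001:db8::/32 is the IPv6 documentation prefix and
# stands in for a global prefix delegated by an ISP.
ADDRS_ROUTER_ONLINE = [
    "192.168.1.23/24",               # IPv4 behind a home NAT router
    "fe80::1a2b:3c4d:5e6f:7a8b/64",  # IPv6 link-local, always present
    "fd12:3456:789a:1::23/64",       # IPv6 ULA, still valid when the uplink is down
    "2001:db8:abcd:1::23/64",        # IPv6 global prefix from the ISP (assumed)
]
# The same host after the router lost its uplink: the global prefix is gone.
ADDRS_ROUTER_OFFLINE = ADDRS_ROUTER_ONLINE[:3]

# Ranges that are local in scope by definition (RFC 1918, RFC 3927, RFC 4291
# link-local, RFC 4193 ULA).  Anything else on the link is globally routable,
# and whether outside hosts can reach it is decided by the router, not by us.
LOCAL_SCOPE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fe80::/10", "fc00::/7",
)]


def on_link_prefixes(addrs):
    """Return the on-link network for each interface address."""
    return [ipaddress.ip_interface(a).network for a in addrs]


def is_local_scope(net):
    """True if the prefix is non-routable on the public internet by definition."""
    return any(net.version == r.version and net.subnet_of(r) for r in LOCAL_SCOPE)


def scoped_allow_rules(port, prefixes, proto="tcp"):
    """One source-restricted accept rule per on-link prefix, tagged with its scope.

    Returns a list of (scope, rule) tuples where scope is "local" or "global".
    """
    rules = []
    for net in prefixes:
        family = "ip" if net.version == 4 else "ip6"
        scope = "local" if is_local_scope(net) else "global"
        rules.append((scope, f"{family} saddr {net} {proto} dport {port} accept"))
    return rules


def unscoped_allow_rule(port, proto="tcp"):
    """What 'just punch a hole for the service' means without a source match:
    the rule accepts the port from any address the router forwards to us."""
    return f"{proto} dport {port} accept"


def stale_rules(old_rules, new_rules):
    """Rules for prefixes the host no longer has (holes left open for a range it
    is not on any more) and rules missing for prefixes it gained."""
    old = {rule for _, rule in old_rules}
    new = {rule for _, rule in new_rules}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    online = scoped_allow_rules(631, on_link_prefixes(ADDRS_ROUTER_ONLINE))
    offline = scoped_allow_rules(631, on_link_prefixes(ADDRS_ROUTER_OFFLINE))
    print("unscoped:", unscoped_allow_rule(631))
    for scope, rule in online:
        print(f"{scope:6} {rule}")
    removed, added = stale_rules(online, offline)
    print("rules to drop after the uplink went down:", removed)
    print("rules to add:", added)
```

The rule tagged "global" is the one the thread is arguing about: it matches only the current ISP prefix, so it has to be regenerated whenever that prefix changes, and if the router forwards inbound traffic it still exposes the service to every host inside that prefix rather than to "the local network" in the sense a user expects.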