On Tuesday 02 August 2011, at 10:16 +0200, Johannes Meixner wrote:
> Hello,
>
> On Aug 1 14:18 Vincent Untz wrote (excerpt):
> > For instance, when configuring printers, the tool can open the mdns, ipp, ipp-client and samba-client ports for 5 minutes and probe the network (ports will get closed after the 5 minutes). And if the user chooses to use a printer using one of those ports, the tool will permanently open the port.
>
> What is the security concept behind this?
>
> In other words: Why is it secure to remove security for 5 minutes? Why is it secure to remove security permanently for particular stuff?
Oh, it's certainly not the most secure approach; it's a compromise between user-friendliness and security. A few ways it could be made more secure include:

- instead of having a 5 minute timeout, just revert to the previous state at the end of the probing
- instead of blindly opening the service, open it only when on a specific network and for a specific server

And while I haven't thought about firewall security in a while, the first example I come up with when talking about trusted zones is connecting to WiFi at a university. Is this trusted or not? It might need to be trusted to allow printing documents, and most people would trust it, and yet there are hundreds of individuals on this network, including some who might abuse your trust.

My question is really: do we plan to integrate firewalld, or something similar, that would improve user-friendliness? This "something similar" could be based on zones -- even if I don't believe it's a better approach, at least, for users, it's an improvement compared to what we have today. I'd just like us to have a solution in the near future (12.1 if we can have fast action, 12.2 otherwise).

Vincent

-- 
Happy people are not in a hurry.

-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org
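The two hardening ideas Vincent lists (revert to the previous firewall state when probing ends instead of trusting a timeout, and open a service permanently only for a specific server on a specific network) can be shown as a small model. This is an added example, not code from the thread, from YaST or from firewalld: the "firewall" is a plain Python rule set, the service names are the four from the thread, and the addresses (192.0.2.0/24, 198.51.100.5, 203.0.113.0/24) are constructed documentation ranges.

```python
"""Constructed model of the two hardening ideas from the thread.

(1) probe_printers() snapshots the rule set, opens the discovery services for
    exactly the duration of the probe, and restores the snapshot even if the
    probe fails, so no timeout is needed.
(2) adopt_printer() opens a service permanently, but only for one server and
    only while the machine is on the network the printer was discovered on.
Not the behaviour of any real tool; everything here is a toy rule set."""
import ipaddress
from dataclasses import dataclass, field

# Services named in the thread as the ones the printer tool opens while probing.
PROBE_SERVICES = ("mdns", "ipp", "ipp-client", "samba-client")


@dataclass(frozen=True)
class Rule:
    service: str
    source: str = "0.0.0.0/0"   # who may reach the service (host/32 or CIDR)
    network: str = "*"          # network we must be connected to; "*" = any


@dataclass
class Firewall:
    current_network: str = "*"  # the network the machine is on right now (constructed)
    rules: set = field(default_factory=set)

    def snapshot(self):
        return frozenset(self.rules)

    def restore(self, snap):
        self.rules = set(snap)

    def allow(self, service, source="0.0.0.0/0", network="*"):
        self.rules.add(Rule(service, source, network))

    def permits(self, service, src_ip):
        """True if some rule lets src_ip reach service on the current network."""
        ip = ipaddress.ip_address(src_ip)
        for r in self.rules:
            if r.service != service:
                continue
            if r.network not in ("*", self.current_network):
                continue
            if ip in ipaddress.ip_network(r.source, strict=False):
                return True
        return False


def probe_printers(fw, probe):
    """Idea 1: open the discovery services only while `probe` runs, then put
    the rule set back exactly as it was, whether or not the probe succeeded."""
    before = fw.snapshot()
    for svc in PROBE_SERVICES:
        fw.allow(svc)          # wide open, but only inside this function
    try:
        return probe(fw)
    finally:
        fw.restore(before)     # no 5 minute window: state reverts immediately


def adopt_printer(fw, service, network, server):
    """Idea 2: permanently allow `service`, but scoped to one server address
    and to the network the printer was found on."""
    if ipaddress.ip_address(server) not in ipaddress.ip_network(network, strict=False):
        raise ValueError("server is not on the network it was discovered on")
    fw.allow(service, f"{server}/32", network)


def demo():
    """Walk through discovery, adoption and the checks a reviewer would ask for."""
    fw = Firewall(current_network="192.0.2.0/24")
    # Constructed probe: "finds" one IPP printer only if ipp is reachable.
    found = probe_printers(
        fw, lambda f: {"ipp": "192.0.2.10"} if f.permits("ipp", "192.0.2.10") else {})
    after_probe = fw.permits("ipp", "192.0.2.10")   # False: rules reverted
    adopt_printer(fw, "ipp", "192.0.2.0/24", found["ipp"])
    on_home = fw.permits("ipp", "192.0.2.10")       # True: chosen server, chosen network
    stranger = fw.permits("ipp", "198.51.100.5")    # False: other host, same service
    fw.current_network = "203.0.113.0/24"           # e.g. the university WiFi
    elsewhere = fw.permits("ipp", "192.0.2.10")     # False: rule is tied to home network
    return found, after_probe, on_home, stranger, elsewhere


if __name__ == "__main__":
    print(demo())
```

The point of the `finally` is that a crashed or aborted probe never leaves the discovery ports open, which is the weakness of a timer-based approach; the network key on the rule is what keeps the university-WiFi case from inheriting a rule created at home.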