[openFATE 303859] simple network configuration in 1st stage
Feature changed by: Ralph Ulrich (ulenrich)
Feature #303859, revision 32
Title: simple network configuration in 1st stage

openSUSE-11.1: Rejected by Stanislav Visnovsky (visnov)
  reject date: 2008-07-09 10:04:08
  reject reason: Postponing, out of resources.
  Priority
  Requester: Important
  Projectmanager: Important

openSUSE-11.2: Evaluation
  Priority
  Requester: Important
  Projectmanager: Important

Requested by: Jiří Suchomel (jsuchome)

Description:
The feature of "Automatic Configuration" has a nice effect of not asking users for accepting all the default settings. However, there's (at least) one setting that is default but still not widely accepted (I think so - at least I change it always): it's the firewall that is automatically running. Wouldn't it be good to have some simple client, only opened from installation proposal upon user's request (so not by default) where could be this option configured? Even better would be "Network" part in Installation summary, with the only setting "Firewall on", which would be a link which value changes on click.

References:
https://bugzilla.novell.com/show_bug.cgi?id=379149
https://bugzilla.novell.com/show_bug.cgi?id=303859

Discussion:

#1: Matthias Eckermann (mge1512) (2008-06-09 23:49:49)
An automatically running firewall is great - for the average user. And this even applies in enterprise. I strongly recommend to reject this feature for ALL products: SLES, SLED and openSUSE, but leave it to Federico. Guy, Federico, Michl, Marcus?

#2: Jiří Suchomel (jsuchome) (2008-06-10 07:49:31) (reply to #1)
Well, I'm not asking for not starting firewall by default. I agree it is good to have it automatically on. But we miss an option to change this during the installation workflow.

#3: Michal Svec (msvec) (2008-06-10 11:24:41) (reply to #2)
Right, the proposal was to have a simple way, ideally a hyperlink, to disable the firewall, either completely or just for some services (ssh) somewhere accessible during the installation workflow.
We should certainly keep the current default of running firewall automatically.

#4: Lukas Ocilka (locilka) (2008-06-10 14:51:08) (reply to #3)
It's quite easy to add another firewall_proposal client to the first stage but that one could only provide enable/disable functionality (the default value is set in control file already). On the other hand, opening a firewall for some services couldn't be done as these services are known after packages with service-definitions are installed (firewall services defined by packages). Using other words: In the installed system. This feature is more about specific configuration dialogs providing functionality to Open Firewall for XYZ Service - I think only configuration of users is affected now (samba-client, SLP broadcast reply, ...?).

#5: Jiří Suchomel (jsuchome) (2008-06-10 15:03:08) (reply to #4)
No, it isn't. This feature is about possibility to either shut down the firewall or open ports for defined (not arbitrary) services (e.g. ssh). No samba, no SLP. It is called simple network configuration in 1st stage.

#6: Lukas Ocilka (locilka) (2008-06-10 16:42:14) (reply to #5)
Yes I know what is it called, but as I've already written, in first stage, firewall can be only enabled or disabled. No additional services could be open as they are unknown in that stage. I'm just talking about the limits of the proposed firewall/network client in first stage. The rest is left on particular modules to open ports/services as required by a specific service used in second stage. Services are defined in packages, their ports, names, description. Even SSH has its own definition in openssh package: /etc/sysconfig/SuSEfirewall2.d/services/sshd. This package needn't be installed at all.

#7: Jiří Suchomel (jsuchome) (2008-06-11 08:07:35) (reply to #6)
And again, I am not requesting any configuration of services in this stage.
Basically I want the same thing we have in current network proposal (at the beginning of currently-usually-unused 2nd stage), where you can shut firewall down and/or open ssh port. If sshd is the problem (but in the time of installation proposal, we know if it is going to be installed or not, so it may be hidden if sshd is not selected for installation) it doesn't have to be there, and it may consist of simple firewall off/on hyperlink. So yes, it is true that firewall_proposal client "...could only provide enable/disable functionality", but this is actually the point of this feature. I should probably also make clear that I'm not requesting any additional step in the sequence, only the option to be selected from installation summary, just like Installation from Images is enabled (disable) one.

#8: Guy Lunardi (glunardi) (2008-06-12 17:34:47) (reply to #7)
Could this be served by providing an hyperlink which would open the current network module presented during the normal installation? Like I had made my initial priority, I am pretty neutral on this. I think power users would appreciate the feature but most of our 1-time installation users would not care. I am fine having it if the investment is very small.

#11: Jiří Suchomel (jsuchome) (2008-06-13 07:48:43) (reply to #8)
Hyperlink yes, but for enabling/disabling, not for full firewall configuration. This is not really possible in 1st stage, see Lukas' comments 4 and 6.

#9: Federico Lucifredi (flucifredi) (2008-06-12 18:11:07)
Guys, I am not following... why do we want the enable/disable choice in 1st stage? Looks just fine to me as is. Please clarify what's the advantage of allowing the choice earlier.

#10: Jiří Suchomel (jsuchome) (2008-06-13 07:47:11) (reply to #9)
In previous versions, we had the network configuration proposed which user had to accept, but now the networking is (by default) configured automatically (and this is without debates fine for most users).
The old screen with the network configuration had an option disable firewall with one click and this is the thing which I miss now (yes, it is possible to use the old way also in 11.0, but it brings bunch of other configuration options that are correctly done automatically). So, "earlier" actually means "during installation". Of course this is possible to configure after the installation, but just like many other users, I'd like to have the system configured after the system is installed.

#12: Federico Lucifredi (flucifredi) (2008-06-13 17:02:08) (reply to #10)
okay - I understand. Yes, this is handy, as it saves the need to go through all the config when all one wants to do is remove the fw. _if_ there is a way to include in the early workflow, let's do it. Of course, that may not be the case on "keeping it simple" grounds.

#13: Stanislav Visnovsky (visnov) (2008-06-19 13:21:59) (reply to #12)
I agree, if we are able to find a reasonable place, would be nice to have.

#15: Jiri Srain (jsrain) (2009-07-16 12:26:49)
Bubli, please, add very simple Firewall configuration to the first stage (only enabling/disabling firewall itself and opening/closing the SSH port).

+ #16: Ralph Ulrich (ulenrich) (2009-08-28 16:18:55)
+ Case study - Firewall on factory 11.2
+ The most common case today is the most hard to find out how to
+ configure: In a normal 192.168.0.0 network that has a router to
+ internet connection, there is also a total cracked Windows computer. So
+ I want to enable SUSEfirewall. But I don't have seperated
+ internal/external devices - all help directs to this seperated zones.
+ And is my 127.0.0.0 network affected if I do default all to
+ untrusted/external ?
+ Where are examples? Help is no help. Fortunately I found in a forum
+ message I do have:
+ file:///usr/share/doc/packages/SuSEfirewall2/EXAMPLES.html
+

--
openSUSE Feature: https://features.opensuse.org/303859