[New: openFATE 316708] simple laptop user firewall experience (e.g. printing)
Feature added by: Susanne Oberhauser (froh)

Feature #316708, revision 1
Title: simple laptop user firewall experience (e.g. printing)

openSUSE Distribution: New
Priority
Requester: Mandatory

Info Provider: Michael Meisters (mmeisters)
Requested by: Susanne Oberhauser (froh)
Partner organization: openSUSE.org

Description:
context: a laptop user regularly moves between networks with her laptop. When the user wants to print or use other broadcast-advertised services, then the Laptop should *in an obvious way* help to connect to the services.

Currently "it just does not work", wand what makes things worse, in a non-obvious way. And the firewall, once identifed as the part preventing to do what the user wants to do, is perceived not as usefull part of the system but as overjealous hindrance.

It's not simple to reconfigure it "reasonably", opening the IPP port for broadcasst in the dmz setting is not simple.

Thus there is a high risk of the firewall being just disabled permanently, especially by users who really should have it up. So the current system behaviour leads to the opposite of the desired goal.

The firewall zone switcher fwzs applet is a first good step into the right direction. However there is a number of issues that still interfere:

* on SUSE there is no preconfigured, sane standard mechanism to set the firewall zones depending on the network you connect to, let alone to remember the setting. e.g. nothing connects the kde network manager to fwzs.
* the firewall zones are vaguely labeled and defined. The "dmz" zone, aka "something in between", does not allow IPP broadcasts in, only the 'private network' allows that. Maybe an additional zone "Internet cafe" something would be more usefull, which allows to browse broadacasted services but which protects data on the laptop? And a "Trusted Network behind a firewall" which allows to share files and services on the laptop?

--
openSUSE Feature:
https://features.opensuse.org/316708
Feature changed by: Susanne Oberhauser (froh)

Feature #316708, revision 2
Title: simple laptop user firewall experience (e.g. printing)

openSUSE Distribution: New
Priority
Requester: Mandatory

- Info Provider: Michael Meisters (mmeisters)
Requested by: Susanne Oberhauser (froh)
Partner organization: openSUSE.org

--
openSUSE Feature:
https://features.opensuse.org/316708
Feature changed by: Susanne Oberhauser (froh)

Feature #316708, revision 4
Title: simple laptop user firewall experience (e.g. printing)

openSUSE Distribution: New
Priority
- Requester: Mandatory
+ Requester: Desirable

Requested by: Susanne Oberhauser (froh)
Partner organization: openSUSE.org

--
openSUSE Feature:
https://features.opensuse.org/316708
Feature changed by: Johannes Meixner (jsmeix)

Feature #316708, revision 6
Title: simple laptop user firewall experience (e.g. printing)

openSUSE Distribution: New
Priority
Requester: Desirable

Requested by: Susanne Oberhauser (froh)
Partner organization: openSUSE.org

Description:
- context: a laptop user regularly moves between networks with her
+ Context: a laptop user regularly moves between networks with her
laptop. When the user wants to print or use other broadcast-advertised
services, then the Laptop should *in an obvious way* help to connect to
the services.
- Currently "it just does not work", wand what makes things worse, in a
+ Currently "it just does not work", and what makes things worse, in a
non-obvious way. And the firewall, once identifed as the part
- preventing to do what the user wants to do, is perceived not as usefull
+ preventing to do what the user wants to do, is perceived not as useful
part of the system but as overjealous hindrance.
- It's not simple to reconfigure it "reasonably", opening the IPP port
- for broadcasst in the dmz setting is not simple.
- Thus there is a high risk of the firewall being just disabled
- permanently, especially by users who really should have it up. So the
- current system behaviour leads to the opposite of the desired goal.
+ It's not simple to reconfigure it "reasonably", e.g. opening the IPP
+ port for incoming broadcasts only in the DMZ is not simple.
+ Thus there is a high risk of opening ports in the EXT zone or even of
+ the firewall being just disabled permanently, especially by users who
+ really should have it up. So the current system behaviour leads to the
+ opposite of the desired goal.
The firewall zone switcher fwzs applet is a first good step into the
- right direction. However there is a number of issues that still
- interfere:
- * on SUSE there is no preconfigured, sane standard mechanism to set the
+ right direction.
+ However there is a number of issues that still interfere:
+ * There is no preconfigured, sane standard mechanism to set the
firewall zones depending on the network you connect to, let alone to
- remember the setting. e.g. nothing connects the kde network manager to
- fwzs.
- * the firewall zones are vaguely labeled and defined. The "dmz" zone, aka
- "something in between", does not allow IPP broadcasts in, only the
- 'private network' allows that. Maybe an additional zone "Internet cafe"
- something would be more usefull, which allows to browse broadacasted
- services but which protects data on the laptop? And a "Trusted Network
- behind a firewall" which allows to share files and services on the
- laptop?
+ remember the setting (e.g. nothing connects the network manager to
+ fwzs).
+ * The firewall zones are vaguely labeled and defined. For example the DMZ
+ is labeled "something in between" and does not allow incoming IPP
+ broadcasts, only the "private network" (i.e. the INT zone) allows that.
+ Maybe an additional zone "Internet cafe" or something like that would
+ be more useful, which allows to browse broadacasted services but which
+ protects data on the laptop? And a "Trusted Network behind a firewall"
+ which allows to share files and services on the laptop?

--
openSUSE Feature:
https://features.opensuse.org/316708
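Review bot: the description diff corrects "wand" and "usefull" but leaves "identifed" (unchanged context line "non-obvious way. And the firewall, once identifed as the part") and "broadacasted" (added line "be more useful, which allows to browse broadacasted services but which") in place; both could be fixed in the same revision so the wording is consistent with the rest of the cleanup.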
Feature changed by: Johannes Meixner (jsmeix)

Feature #316708, revision 7
Title: simple laptop user firewall experience (e.g. printing)

openSUSE Distribution: New
Priority
Requester: Desirable

Requested by: Susanne Oberhauser (froh)
Partner organization: openSUSE.org

+ Discussion:
+ #1: Johannes Meixner (jsmeix) (2013-11-12 15:15:18)
+ I think the initial description is twofold:
+ First and foremost it is about SuSEfirewall2 not perceived at all and
+ if perceived, then as hindrance.
+ Second it is about possible shortcomings in the current Firewall Zone
+ Switcher.
+ Regarding the first issue:
+ If the Firewall Zone Switcher applet would run by default on the
+ various desktops (KDE, Gnome, Xfce, LXDE), SuSEfirewall2 would be
+ perceived and the user could then at any time select the firewall zone
+ according to the current need.
+ I think very most of "this or that networking stuff does not just work
+ because of the firewall" issues would "just go away" if desktop users
+ could at any time select the firewall zone according to the current
+ need.
+ Regarding the second issue:
+ I think enhancements for fwzs might be better discussed in a separated
+ feature request to avoid that this feature request fades away in an
+ endless discussion.
+ FYI:
+ Regarding firewall setup for printing, see
+ http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
+ Regarding Ubuntu and firewall, see
+ https://help.ubuntu.com/13.10/serverguide/firewall.html
+ that reads:
+ ----------------------------------------------
+ The default firewall configuration tool
+ for Ubuntu is ufw.
+ ...
+ ufw by default is initially disabled.
+ -----------------------------------------------
+ https://help.ubuntu.com/community/DoINeedAFirewall
+ https://help.ubuntu.com/community/NetworkPrintingWithUbuntu

--
openSUSE Feature:
https://features.opensuse.org/316708
Feature changed by: Marcus Meissner (msmeissn)

Feature #316708, revision 13
Title: simple laptop user firewall experience (e.g. printing)

openSUSE Distribution: New
Priority
Requester: Desirable

Requested by: Susanne Oberhauser (froh)
Partner organization: openSUSE.org

Discussion:
+ #3: Marcus Meissner (msmeissn) (2013-11-19 10:45:21)
+ no question for me I can asnwer

--
openSUSE Feature:
https://features.opensuse.org/316708
Feature changed by: Johannes Meixner (jsmeix)

Feature #316708, revision 14
Title: simple laptop user firewall experience (e.g. printing)

openSUSE Distribution: New
Priority
Requester: Desirable

Requested by: Susanne Oberhauser (froh)
Partner organization: openSUSE.org

Discussion:
+ #4: Johannes Meixner (jsmeix) (2013-12-05 13:05:44)
+ A general idea for better firewall user experience:
+ When the firewall is active it would help a lot if the application
+ programs could get some basic knowledge what goes on in the outer
+ network beyond the firewall.
+ If application programs would know what goes on in the outer network
+ beyond the firewall they could show meaningful information to the user
+ like "remote host www.example.com (93.184.216.119) tried to connect to
+ HTTP port 80 but was rejected by the firewall".
+ To let application programs know what goes on in the outer network
+ beyond the firewall the firewall should log what it does into dedicated
+ log files from which application programs could get the information.
+ A log-rotating mechanism would ensure the log files cannot endlessly
+ grow.
+ Appropriate firewall configuration could ensure that only "interesting
+ stuff" gets logged, e.g. only stuff for certain ports or only stuff
+ from certain networks.
+ This could help a lot in particular for printing when the firewall
+ drops or rejects print queue announcements from remote CUPS servers
+ (i.e. what gets sent to UDP port 631).
+ If the firewall would log it, application programs like printer setup
+ tools, could show the user when there are remote hosts that send stuff
+ to UDP port 631 which indicates that there are print queue
+ announcements from remote CUPS servers. The user could then decide if
+ he trusts those remote hosts and likes to accept what they send to UDP
+ port 631.

--
openSUSE Feature:
https://features.opensuse.org/316708
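Comment #4 proposes that the firewall log what it drops or rejects into dedicated log files so that desktop tools (e.g. a printer setup tool) can tell the user which remote hosts were blocked, including CUPS queue announcements sent to UDP port 631. The parser below is an added example written for this page, not code from openFATE, SuSEfirewall2 or any openSUSE tool; it assumes kernel-log lines in the netfilter LOG format with a "SFW2-<chain>-<action>-<reason>" prefix, and the sample lines, host addresses and the "only interesting ports" filter are constructed here.

```python
"""Summarise firewall drops/rejects from netfilter LOG lines so a desktop tool
could render them for the user, as proposed in comment #4 (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample lines (assumed SFW2-style LOG prefix); last line is noise
# to show that unrelated kernel messages are ignored.
SAMPLE_LOG = """\
Dec  5 13:05:41 laptop kernel: SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.178.20 DST=192.168.178.255 LEN=212 PROTO=UDP SPT=631 DPT=631 LEN=192
Dec  5 13:05:43 laptop kernel: SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.178.20 DST=192.168.178.255 LEN=212 PROTO=UDP SPT=631 DPT=631 LEN=192
Dec  5 13:05:44 laptop kernel: SFW2-INext-REJECT-DEFLT IN=wlan0 OUT= SRC=93.184.216.119 DST=192.168.178.42 LEN=60 PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 SYN
Dec  5 13:05:45 laptop kernel: SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.178.33 DST=192.168.178.255 LEN=212 PROTO=UDP SPT=631 DPT=631 LEN=192
Dec  5 13:05:46 laptop kernel: SFW2-INext-ACC-TCP IN=wlan0 OUT= SRC=192.168.178.9 DST=192.168.178.42 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Dec  5 13:05:47 laptop kernel: random noise without a firewall prefix
"""

LINE_RE = re.compile(r"SFW2-(?P<chain>\w+)-(?P<action>DROP|REJECT|ACC)-\S+\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
SERVICE_NAMES = {("UDP", 631): "CUPS browsing (IPP)", ("TCP", 80): "HTTP", ("TCP", 22): "SSH"}


def parse_line(line):
    """Return action/src/dst/proto/dpt for one firewall log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    try:
        return {"action": m.group("action"), "src": fields["SRC"], "dst": fields["DST"],
                "proto": fields["PROTO"], "dpt": int(fields["DPT"])}
    except (KeyError, ValueError):  # e.g. ICMP lines carry no DPT
        return None


def summarise(log_text, ports=None):
    """Count blocked packets per (proto, dpt) and per (source host, action).
    `ports` is an optional set of (proto, dpt) pairs: the "only interesting stuff" filter."""
    blocked = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] == "ACC":  # accepted traffic is not the user's problem
            continue
        key = (rec["proto"], rec["dpt"])
        if ports is not None and key not in ports:
            continue
        blocked[key][(rec["src"], rec["action"])] += 1
    return {k: dict(v) for k, v in blocked.items()}


def cups_announcers(summary):
    """Hosts whose packets to UDP/631 were blocked: likely remote CUPS servers announcing queues."""
    per_host = Counter()
    for (src, _action), n in summary.get(("UDP", 631), {}).items():
        per_host[src] += n
    return sorted(per_host.items(), key=lambda kv: (-kv[1], kv[0]))


def user_messages(summary):
    """Render the kind of message comment #4 suggests showing to the user."""
    verb = {"DROP": "dropped", "REJECT": "rejected"}
    out = []
    for (proto, dpt), hosts in sorted(summary.items()):
        name = SERVICE_NAMES.get((proto, dpt), f"{proto} port {dpt}")
        for (src, action), n in sorted(hosts.items()):
            out.append(f"remote host {src} tried to reach {name} (port {dpt}) "
                       f"{n} time(s) but was {verb[action]} by the firewall")
    return out
```

A printer setup tool would feed `cups_announcers()` into its "found remote CUPS servers, allow them?" dialog, while `ports={("UDP", 631)}` keeps everything else out of that view.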
participants (1)
-
fate_noreply@suse.de