On 2010-08-05 10:42, Johannes Meixner wrote:
On Aug 4 21:04 Carlos E. R. wrote (shortened):
On 2010-08-03 12:46, Johannes Meixner wrote: ...
But the "external" network is also the internal one in many cases, such as mine.
This is a contradiction in itself and therefore you get trouble how to deal with it.
I don't see any contradiction. In fact, ext is the default setting for any interface.
There is an ADSL router that connects to the Internet. Behind it there is an internal network, which some prefer to consider as external in the firewall config for extra protection. But it is this one which has to be opened to connect to other machines in the local network.
Your case is described in http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
Yes, and many consider that having that kind of router with NAT is enough security. In my case there are two cascaded firewalls, anyway, and the ports the ISP left open for remote admin I closed.
Please read the whole article.
I read it years ago. Not practical, IMO.
In particular, responses such as yours prove that I am right not to offer our users a too easy "just one click" way in YaST which removes firewall protection completely from CUPS.
Please do not misunderstand me: You are of course still free to open whatever port for whatever firewall zone you like depending on your particular needs. I am only interested to make it not too easy in particular for inexperienced users to open needless security holes. I want to guide our users to a reasonably secure setup and not to just please them with "one click easy going" stuff which makes in the end our users' systems needlessly insecure.
It would be enough to put a warning when you click. What you'll get instead is that people define the interface connected to the router as internal instead. Is that better?

People have routers to the Internet they get from their providers. And they use Windows, and they use Samba... very few people have computers with two NICs and can go to the extent of wiring two networks. Or put a real good firewall there.

Do you really think people will do the complicated setup that you suggest to secure their network? They'll simply remove susefirewall or use the internal interface.

It would be best to correct CUPS so that it is not a dangerous service.

--
Cheers / Saludos,
Carlos E. R. (from 11.2 x86_64 "Emerald" GM (Elessar))