Hello,

some probably important information regarding further discussion:

Whatever you request regarding firewall setup in YaST belongs first and foremost to the YaST firewall setup module. For example, it is currently not possible that I provide something in the CUPS package which lets the user open IPP in the YaST firewall setup module and shows some additional case-specific (warning) messages or has whatever kind of case-specific restrictions, compare https://bugzilla.novell.com/show_bug.cgi?id=610327#c6

Because of somewhat complicated reasons I can no longer provide firewall setup functionality regarding IPP/CUPS in the YaST printer setup module. See https://bugzilla.novell.com/show_bug.cgi?id=468426#c8 for why it has become impossible in practice to call functions of yast2-firewall to implement a reliably working firewall setup in yast2-printer. Currently https://bugzilla.novell.com/show_bug.cgi?id=549065 is all that I can provide regarding firewall setup in yast2-printer.

When you ask for better (e.g. easier to understand) documentation regarding firewall setup, please do not ask me, because I can only provide developer-style documentation. If you don't like my documentation, I could remove it, which would even save me a lot of time maintaining it (documentation is a very low-priority part of what I do, and making end-user documentation is no task at all for me). Please try to find someone who can produce the kind of documentation which you like, and keep in mind that openSUSE is a wiki, so that whoever likes to contribute can provide whatever kind of better documentation. Nothing at all hinders anybody from contributing an easier to understand article regarding firewall setup.

When you ask for a feature like an easy setup for the use-case of a home network with a DSL all-in-one router-box, please file a feature request at https://features.opensuse.org/ because such a feature requires very much work to get it well implemented (some changes in yast2-printer would be a very minor part near the end of the whole stuff). Definitely opening IPP for the external firewall zone would be the very most wrong idea to implement such a feature in yast2-printer.

On Aug 5 12:19 Carlos F Lange wrote (shortened):
> You are here showing that you "think" you are right, just because you did not understand our use scenario. In your other responses you show that you do not trust routers with firewalls that you don't build yourself. But the fact is there are home routers running solid embedded Linux on them, and there are also situations as in my university department, which is protected by a very solid firewall from the world, but still I would not trust every computer in our LAN. By keeping the firewall on and treating the network as external, we are at least protected against unforeseen situations, "when whatever kind of server process was started by accident", as you say in your article.

Again and again: Whoever opens IPP for the external firewall zone has very likely something wrong in his network or firewall design. Compare https://bugzilla.novell.com/show_bug.cgi?id=610327#c6
-----------------------------------------------------------------
For the exceptional case when the firewall protects even the INT zone, the user had set this up manually and intentionally, and then the user can also intentionally open the IPP port for TCP and UDP manually.
-----------------------------------------------------------------
It is an exceptional case when you don't trust all that there is in your internal network - for example when it is not a small internal home network but a big internal network of a company or organization. Then it makes sense to let the firewall protect even the internal network and to open only those services which are intended to be used in the internal network, and only for the "INT" zone.

Think about a user with a laptop in your use case. Currently, if this user travels, he has e.g. IPP open everywhere, which makes it needlessly insecure for him. If the laptop has two kinds of network connections, like a wired network cable which is used in your internal network and a wireless connection which is used while traveling, it should be possible to assign the network interface which belongs to the wireless connection to the "EXT" zone and the network interface which belongs to the wired network connection to the "INT" zone. Then there would be, in your case, firewall protection even for the "INT" zone, but only for the "INT" zone would those services which are intended to be used in your internal network be open. If the laptop has only one network connection, FW_TRUSTED_NETS should be used as a best-effort attempt - but there should still be no need to open ports for the "EXT" zone. All this is not specific to IPP. It is all about general, very basic firewall setup.

From my current point of view the root cause of those kinds of issues is that the YaST firewall and network setup does not first and foremost focus on the fundamental firewall setup to assign the network interface which belongs to the internal network to the internal zone. Such a setting is possible, but our users are not forced to make the decision - instead they leave the default (i.e. the "EXT" zone), and this is the root cause of all the following issues and misunderstandings about how a firewall setup should be done at all. Currently the YaST firewall setup is mainly focused on opening and closing individual ports (or services). Of course zone selection is possible, but as far as I noticed, most users don't have an idea what this "zones stuff" is about, so that in the end our users open ports for the default zone (i.e. the "EXT" zone) where all their network interfaces belong by default, which is in the usual use-cases plain wrong and makes our users' systems insecure. At least the Windows 7 on my wife's laptop at home supports and somewhat enforces this kind of fundamental firewall setup: For each network connection, the user is first and foremost prompted to specify if it connects his system to a public network or to a private network.
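As an added illustration (not from this mail, nor code from SuSEfirewall2 or YaST), here is a small POSIX shell check over constructed /etc/sysconfig/SuSEfirewall2 fragments: it flags the setup criticised above (all interfaces left in the default "EXT" zone with IPP opened for "EXT") and accepts the two alternatives described, a wired interface in "INT" with IPP opened only there, or, for a single-interface laptop, FW_TRUSTED_NETS restricting IPP to the home subnet. The variable names are the real SuSEfirewall2 ones; the interface names and the 192.168.1.0/24 subnet are assumptions.

```shell
# Constructed SuSEfirewall2 fragments (samples for this example, not real systems)
# Weak: every interface left in the default EXT zone, IPP opened for EXT.
WEAK_CFG='FW_DEV_EXT="any"
FW_DEV_INT=""
FW_SERVICES_EXT_TCP="631"
FW_SERVICES_EXT_UDP="631"'
# Corrected: wired eth0 in INT, wireless wlan0 in EXT, INT protected too,
# IPP (631 tcp+udp) opened only for INT, nothing opened for EXT.
GOOD_CFG='FW_DEV_EXT="wlan0"
FW_DEV_INT="eth0"
FW_PROTECT_FROM_INT="yes"
FW_SERVICES_INT_TCP="631"
FW_SERVICES_INT_UDP="631"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""'
# Single-interface laptop: no INT device, IPP allowed only from the
# (assumed) home subnet via FW_TRUSTED_NETS; still nothing opened for EXT.
LAPTOP_CFG='FW_DEV_EXT="any"
FW_DEV_INT=""
FW_TRUSTED_NETS="192.168.1.0/24,tcp,631 192.168.1.0/24,udp,631"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""'

# fw_value CFG VAR -> the double-quoted value of VAR in CFG (empty if unset)
fw_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\(.*\)\"/\1/p" | tail -n 1
}

# word_in_list WORD LIST -> 0 if WORD is one of the space-separated items
word_in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# check_fw_zones CFG -> 0 when IPP is not opened for EXT and an internal
# network is defined (FW_DEV_INT or FW_TRUSTED_NETS); 1 otherwise
check_fw_zones() {
    rc=0
    for v in FW_SERVICES_EXT_TCP FW_SERVICES_EXT_UDP; do
        list=$(fw_value "$1" "$v")
        if word_in_list 631 "$list" || word_in_list ipp "$list"; then
            echo "WARN: $v opens IPP for the EXT zone"; rc=1
        fi
    done
    if [ -z "$(fw_value "$1" FW_DEV_INT)" ] && \
       [ -z "$(fw_value "$1" FW_TRUSTED_NETS)" ]; then
        echo "WARN: no interface in INT and no FW_TRUSTED_NETS"; rc=1
    fi
    return $rc
}
```

Run against the real file with `check_fw_zones "$(cat /etc/sysconfig/SuSEfirewall2)"`; a non-zero exit means the configuration exposes IPP to the external zone or never defines an internal network at all.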
From this point of view opening particular ports is always some kind of exceptional firewall setup. Accordingly the main focus should not be IPP/CUPS but how we do our general, very basic firewall setup, see http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings#Bottom_Line

Kind Regards
Johannes Meixner
--
SUSE LINUX Products GmbH, Maxfeldstrasse 5, 90409 Nuernberg, Germany
AG Nuernberg, HRB 16746, GF: Markus Rex
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org