Some probably important information regarding further discussion:
Whatever you request regarding firewall setup in YaST
belongs first and foremost to the YaST firewall setup module.
For example it is currently not possible that I provide
something in the CUPS package which lets the user open IPP
in the YaST firewall setup module and shows some additional
case-specific (warning) messages or have whatever kind
of case-specific restrictions, compare
Because of somewhat complicated reasons I can no longer
provide firewall setup functionality regarding IPP/CUPS
in the YaST printer setup module. See
why it has become impossible in practice to call functions
of yast2-firewall to implement a reliable working firewall
setup in yast2-printer. Currently
is all that I can provide regarding firewall setup.
From my current point of view the root cause of those
issues is that the YaST firewall and network setup does not
first and foremost focus on the fundamental firewall setup
to assign the network interface which belongs to the
internal network to the internal zone.
Such a setting is possible but our users are not forced
to make the decision - instead they leave the default
(i.e. "EXT" zone) and this is the root cause of all the
following issues and misunderstandings how a firewall
setup should be done at all.
Currently the YaST firewall setup is mainly focused on
opening and closing individual ports (or services).
Of course zone selection is possible but as far as I noticed,
most users don't have an idea what this "zones stuff" is about
so that in the end our users open ports for the default zone
(i.e. the "EXT" zone) where all their network interfaces
belong by default which is in the usual use-cases plain wrong
and makes our users' systems insecure.
At least the Windows 7 on my wife's laptop at home supports
and somewhat enforces this kind of fundamental firewall setup:
For each network connection, the user is first and foremost
prompted to specify if it connects his system to a public
network or to a private network.
When you ask for better (e.g. easier to understand)
documentation regarding firewall setup, please do not ask me
because I can only provide developer-style documentation.
If you don't like my documentation, I could remove it
which would even save me a lot of time to maintain it
(documentation is a very low-priority part of what I do
and making end-user documentation is no task at all for me).
Please try to find someone who can produce the kind of
documentation which you like and have in mind that
openSUSE is a wiki so that whoever likes to contribute
can provide whatever kind of better documentation.
Nothing at all hinders anybody from contributing an easier to
understand article regarding firewall setup.
When you ask for a feature like an easy setup for the
use-case of a home network with a DSL all-in-one router-box
please file a feature request at https://features.opensuse.org/
because such a feature requires very much work to get
it well implemented (some changes in yast2-printer would
be a very minor part near the end of the whole stuff).
Definitely opening IPP for the external firewall zone
would be the very most wrong idea to implement such
a feature in yast2-printer.
On Aug 5 12:19 Carlos F Lange wrote (shortened):
> You are here showing that you "think" you
> are right, just because you did not
> understand our use scenario. In your other responses you show that you do not
> trust routers with firewall that you don't build yourself. But the fact is
> there are home routers running solid embedded linux on them, and there are
> also situations as in my university department, which is protected by a very
> solid firewall from the world, but still I would not trust every computer in
> our LAN. By keeping the firewall on and treating the network as external, we
> are at least protected against unforeseen situations, "when whatever kind of
> server process was started by accident", as you say in your article.
Again and again:
Whoever opens IPP for the external firewall zone has very likely
something wrong in his network or firewall design. Compare
For the exceptional case when the firewall protects even
the INT zone, the user has set this up manually and intentionally,
and then the user can also intentionally open the IPP port
for TCP and UDP manually.
It is an exceptional case when you don't trust all
that there is in your internal network - for example
when it is not a small internal home network but a big
internal network of a company or organization. Then it makes
sense to let the firewall protect even the internal network
and open only those services which are intended to be used
in the internal network only for the "INT" zone.
Think about a user with a laptop in your use case.
Currently if this user travels, he has e.g. IPP open
everywhere which makes it needlessly insecure for him.
If the laptop has two kinds of network connections, like
one for a wired network cable which is used in your
internal network and a wireless connection which is used
while traveling, it should be possible to assign the
network interface which belongs to the wireless connection
to the "EXT" zone and the network interface which belongs
to the wired network connection to the "INT" zone.
Then, in your case, there would be firewall protection
even for the "INT" zone, but only for the "INT" zone
would those services which are intended to be used in your
internal network be open.
If the laptop has only one network connection, FW_TRUSTED_NETS
should be used as best-effort attempt - but there should be
still no need to open ports for the "EXT" zone.
This all is not specific for IPP.
It is all about general very basic firewall setup.
From this point of view opening particular ports is always
some kind of exceptional firewall setup.
Accordingly the main focus should not be IPP/CUPS but
how we do our general very basic firewall setup, see
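As an added illustration (not from this post, and not code from the SuSEfirewall2 project): a constructed pair of /etc/sysconfig/SuSEfirewall2 fragments, the "everything left in the default EXT zone, IPP opened there" setup the post warns about beside the interface-to-zone assignment it recommends, plus a small POSIX shell check that flags the former. The FW_* variable names are SuSEfirewall2's own; the interface names eth0/wlan0 and the audit_zones function are assumptions.

```shell
#!/bin/sh
# Constructed sample configs written to temp files so the check runs offline.
WEAK_CFG=$(mktemp)
GOOD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$GOOD_CFG"' EXIT

# Weak: no interface assigned to INT, every interface falls into EXT by
# default, and IPP (tcp/udp 631) is opened for that EXT zone.
cat >"$WEAK_CFG" <<'EOF'
FW_DEV_EXT="any"
FW_DEV_INT=""
FW_SERVICES_EXT_TCP="ipp"
FW_SERVICES_EXT_UDP="ipp"
FW_PROTECT_FROM_INT="no"
EOF

# Corrected: wired interface in INT, wireless in EXT, firewall still active
# for INT, and IPP opened only for the INT zone (assumed interface names).
cat >"$GOOD_CFG" <<'EOF'
FW_DEV_EXT="wlan0"
FW_DEV_INT="eth0"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_PROTECT_FROM_INT="yes"
FW_SERVICES_INT_TCP="ipp"
FW_SERVICES_INT_UDP="ipp"
EOF

# audit_zones FILE: prints one finding per line and returns 1 if the zone
# setup matches the anti-pattern, 0 otherwise. The sysconfig file is shell
# syntax, so it is sourced inside a subshell to keep the caller's env clean.
audit_zones() {
    (
        . "$1"
        rc=0
        case " $FW_DEV_EXT " in
            *" any "*) echo "all interfaces default to EXT (FW_DEV_EXT=any)"; rc=1 ;;
        esac
        [ -n "$FW_DEV_INT" ] || { echo "no interface assigned to the INT zone"; rc=1; }
        for v in "$FW_SERVICES_EXT_TCP" "$FW_SERVICES_EXT_UDP"; do
            case " $v " in
                *" ipp "*|*" 631 "*) echo "IPP opened for the EXT zone: $v"; rc=1 ;;
            esac
        done
        exit $rc
    )
}

if audit_zones "$WEAK_CFG"; then echo "weak config: ok"; else echo "weak config: rejected"; fi
if audit_zones "$GOOD_CFG"; then echo "corrected config: ok"; else echo "corrected config: rejected"; fi
```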