[opensuse] why no "cups" entry in YaST Firewall Allowed Services in 11.3?
In the Firewall Configuration of YaST, the list of services to allow for the External Zone no longer contains "cups". Instead, when setting up the Printer Configuration to accept printer announcements from CUPS servers, YaST pops up a recommendation to open UDP port 631 in the firewall. Any sane reason to make this process less convenient? -- Carlos F Lange -- Recursive: Adj. See Recursive. -- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Hello, On Jul 26 20:13 Carlos F Lange wrote:
In the Firewall Configuration of YaST, the list of services to allow for the External Zone no longer contains "cups". Instead, when setting up the Printer Configuration to accept printer announcements from CUPS servers, YaST pops up a recommendation to open UDP port 631 in the firewall.
There should be no recommendation to open any port in the firewall. But the current popup texts could be misunderstood to do it. Therefore I filed https://bugzilla.novell.com/show_bug.cgi?id=627799
Any sane reason to make this process less convenient?
This is intentional, to avoid that almost all normal users open a security hole, because in the usual network environments the IPP port should never be opened for the EXT zone, see http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings Additionally you may have a look at https://bugzilla.novell.com/show_bug.cgi?id=610327 Kind Regards Johannes Meixner -- SUSE LINUX Products GmbH, Maxfeldstrasse 5, 90409 Nuernberg, Germany AG Nuernberg, HRB 16746, GF: Markus Rex
On 2010-08-03 12:46, Johannes Meixner wrote:
Hello,
On Jul 26 20:13 Carlos F Lange wrote:
In the Firewall Configuration of YaST, the list of services to allow for the External Zone no longer contains "cups". Instead, when setting up the Printer Configuration to accept printer announcements from CUPS servers, YaST pops up a recommendation to open UDP port 631 in the firewall.
There should be no recommendation to open any port in the firewall. But the current popup texts could be misunderstood to do it. Therefore I filed https://bugzilla.novell.com/show_bug.cgi?id=627799
Any sane reason to make this process less convenient?
This is intentional, to avoid that almost all normal users open a security hole, because in the usual network environments the IPP port should never be opened for the EXT zone, see http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
But the "external" network is also the internal one in many cases, such as mine. There is an ADSL router that connects to the Internet. Behind it there is an internal network, which some prefer to consider as external in the firewall config for extra protection. But it is this one which has to be opened to connect to other machines in the local network. -- Cheers / Saludos, Carlos E. R. (from 11.2 x86_64 "Emerald" GM (Elessar))
On 08/04/2010 09:04 PM, Carlos E. R. wrote:
But the "external" network is also the internal one in many cases, such as mine. There is an ADSL router that connects to Internet.
So is that your external firewall ?
Behind there is an internal network, which some prefer to consider as external in the firewall config for extra protection. But it is this one which has to be opened to connect to other machines in the local network.
So if someone passes through your ADSL router and, through the cups port, breaks in to your local system, you are OK?
I would use different networks so internal and external are really separate. HTH Togan
On Wednesday 04 August 2010, Togan Muftuoglu wrote:
On 08/04/2010 09:04 PM, Carlos E. R. wrote:
But the "external" network is also the internal one in many cases, such as mine. There is an ADSL router that connects to Internet.
So is that your external firewall ?
Behind there is an internal network, which some prefer to consider as external in the firewall config for extra protection. But it is this one which has to be opened to connect to other machines in the local network.
So if someone passes through your ADSL router and, through the cups port, breaks in to your local system, you are OK?
I would use different networks so internal and external are really separate
Are you *seriously* suggesting a family with two computers and a printer go to those lengths? I take it you will personally advise them all on the necessary setup ... Dx -- “ ‘... but there is so much else behind what I say. It makes itself known to me so slowly, so incompletely! ...’ ”
On 08/05/2010 09:55 AM, Dylan wrote:
On Wednesday 04 August 2010, Togan Muftuoglu wrote:
So if someone passes through your ADSL router and, through the cups port, breaks in to your local system, you are OK?
I would use different networks so internal and external are really separate
Are you *seriously* suggesting a family with two computers and a printer go to those lengths? I take it you will personally advise them all on the necessary setup ...
Personally yes, otherwise why bother with a firewall? You either trust your internal network or you don't, and printing is an internal service. On the other hand, external is not everybody you know. If your ADSL/cable router has a built-in firewall, why not make use of it also. Yet life is about choice and free will, so YMMV. HTH Togan
Hello, On Aug 5 08:55 Dylan wrote (shortened):
On Wednesday 04 August 2010, Togan Muftuoglu wrote:
On 08/04/2010 09:04 PM, Carlos E. R. wrote:
... There is an ADSL router that connects to Internet. Behind there is an internal network ...
I would use different networks so internal and external are really separate
What an unexpected coincidence with what I suggest in http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings ;-)
Are you *seriously* suggesting a family with two computers and a printer go to those lengths? I take it you will personally advise them all on the necessary setup ...
Are you *seriously* suggesting that in case of a mix-up of trusted and non-trusted network traffic in one and the same network the necessary setup to get this mess sufficiently secure is easy? Of course, to get it somehow working regardless of security, one same network for every kind of traffic is easy to set up. For my family with exactly two computers and one printer (one more unexpected coincidence ;-) I use strictly separated network hardware for my internal network, and then a sufficiently secure setup is relatively easy - but it is no "plug and play" experience. I do not own a DSL all-in-one router, but I assume the easiest solution to get it working and sufficiently secure is to pay a reasonable price for a solid router-box which provides built-in, out-of-the-box, ready-to-use separation of the internal network from the stuff which belongs to the connection to the Internet. Unfortunately I do not trust any router-box (regardless of what its manufacturer announced) because there have been too many reports about security issues in router-boxes. Even if the probability is low that a particular router-box which one uses has a security bug, I do not trust any of those devices. Just one example (only in German): http://www.heise.de/security/meldung/Oesterreich-Standardpasswort-oeffnet-70... In short: on a particular router-box ssh was running (usual port 22) and accessible from the Internet, and there was a predefined admin password in the firmware of this piece of crap which gets one root access to the device. Great! Kind Regards Johannes Meixner
Johannes Meixner wrote:
For my family with exactly two computers and one printer (one more unexpected coincidence ;-) I use strictly separated network hardware for my internal network and then a sufficiently secure setup is relatively easy - but it is no "plug and play" experience.
I do not own a DSL all-in-one router
I'm having trouble visualising what network design you do have. Is it possible to post a diagram, or an adjacency list or similar? I'm picturing something like a modem, a firewall box, two switches and two PCs each with two NICs? Cheers, Dave
Hello, On Aug 5 10:40 Dave Howorth wrote (shortened):
I'm having trouble visualising what network design you do have.
Internet
   |
DSL Modem
   |
Main computer with two network interface cards:
   one network interface card which connects to the DSL Modem and
   another network interface card which connects to the internal stuff

I like it the traditional way because then even I understand which network traffic goes on where - in contrast to an all-in-one router-box where I can only hope things go right inside such a device. Of course I also jail all electromagnetic waves which belong to my network traffic in traditional network cables. I even bought a nice efficient hammer drill which is useful to connect computers in the traditional way in my house ;-) The obvious drawback is that my "main computer" must run so that the other computer can access the Internet, but for me this is even an advantage because I have one single point where I must pay attention regarding its setup and where I can trust its setup. Kind Regards Johannes Meixner
On Thu, 05 Aug, 2010 at 12:19:54 +0200, Johannes Meixner wrote:
Hello,
On Aug 5 10:40 Dave Howorth wrote (shortened):
I'm having trouble visualising what network design you do have.
Internet
   |
DSL Modem
   |
Main computer with two network interface cards
<snip>
The obvious drawback is that my "main computer" must run so that the other computer can access the Internet but for me this is even an advantage because I have one single point where I must pay attention regarding its setup and where I can trust its setup.
Why don't you get something like a soekris 5501 or similar, and put some sort of embedded firewall distribution on it? It's gonna save you a ton of electricity ;) /jon -- YMMV
On 08/05/2010 12:26 PM, Jon Clausen wrote:
Why don't you get something like a soekris 5501 or similar, and put some sort of embedded firewall distribution on it?
mbedsuzi is under development
It's gonna save you a ton of electricity ;)
Ok new way of calculating usage :) Togan
On Thu, 05 Aug, 2010 at 12:43:05 +0200, Togan Muftuoglu wrote:
On 08/05/2010 12:26 PM, Jon Clausen wrote:
Why don't you get something like a soekris 5501 or similar, and put some sort of embedded firewall distribution on it?
mbedsuzi is under development
who? what? where? ...or: it's about bl**dy time! links please?
It's gonna save you a ton of electricity ;)
Ok new way of calculating usage :)
:D -- YMMV
On 08/05/2010 03:15 PM, Jon Clausen wrote:
On Thu, 05 Aug, 2010 at 12:43:05 +0200, Togan Muftuoglu wrote:
On 08/05/2010 12:26 PM, Jon Clausen wrote:
Why don't you get something like a soekris 5501 or similar, and put some sort of embedded firewall distribution on it?
mbedsuzi is under development
who? what? where? ...or: it's about bl**dy time!
links please?
I knew it would sound cool :=). There should definitely be a derivative of that sort. Having said that, using susestudio one can create a slimmed distro. No documentation, no yast, just the needed software. Togan
On Thu, 05 Aug, 2010 at 15:34:14 +0200, Togan Muftuoglu wrote:
On 08/05/2010 03:15 PM, Jon Clausen wrote:
On Thu, 05 Aug, 2010 at 12:43:05 +0200, Togan Muftuoglu wrote:
mbedsuzi is under development
who? what? where? ...or: it's about bl**dy time!
links please?
I knew it would sound cool :=). There should definitely be a derivative of that sort. Having said that, using susestudio one can create a slimmed distro. No documentation, no yast, just the needed software
You son of a... ..you just got me hoping... :/ Tried 'studio' a while back, but wasn't overly impressed with the whole thing. Think I'm gonna go with Linux From Scratch for the project in question. -- YMMV
On 08/05/2010 04:10 PM, Jon Clausen wrote:
You son of a... ..you just got me hoping... :/
:=) Admit it name was catchy
Tried 'studio' a while back, but wasn't overly impressed with the whole thing.
Well, studio has improved a lot lately. I use it to initially create the distro I want, then where the web environment becomes too restrictive I continue with kiwi back in my own environment. Having said that, I have also built a gateway distro to my own liking in studio with no yast, no X, no documents, and imagine the thrill: install and everything works as it should without any configuration or anything extra. It was customized to my needs so would not fit other people's needs. Maybe time to think of such a derivative via studio and then gallery. Togan
On Thu, 05 Aug, 2010 at 16:23:08 +0200, Togan Muftuoglu wrote:
On 08/05/2010 04:10 PM, Jon Clausen wrote:
You son of a... ..you just got me hoping... :/
:=) Admit it name was catchy
oh, it is... ;)
Tried 'studio' a while back, but wasn't overly impressed with the whole thing.
Well, studio has improved a lot lately. I use it to initially create the distro I want, then where the web environment becomes too restrictive I continue with kiwi back in my own environment. Having said that, I have also built a gateway distro to my own liking in studio with no yast, no X, no documents, and imagine the thrill: install and everything works as it should without any configuration or anything extra. It was customized to my needs so would not fit other people's needs.
Maybe time to think such a derivative via studio and then gallery
Well... all in all I'm just more comfortable with having everything 'in house', at this point. While 'studio' may be a nice enough tool, the whole idea reminds me of when I thought things like Webmin, or the various web-based frontends to Nagios configuration, would be good ways to learn how to set stuff up: I always ended up getting frustrated, because I would be facing two sets of unknowns instead of one, as in: Initial concern: "how do I configure things so they do what I want?" Additional concern: "how do I get the 'tool' to do what I *think* is necessary to satisfy the initial concern?" ...it's about time I did some 'from the ground up' LFS builds anyways ;) -- YMMV
Hello, On Aug 5 12:26 Jon Clausen wrote (shortened):
On Thu, 05 Aug, 2010 at 12:19:54 +0200, Johannes Meixner wrote: ...
The obvious drawback is that my "main computer" must run so that the other computer can access the Internet ... Why don't you get something like a soekris 5501 or similar, and put some sort of embedded firewall distribution on it? It's gonna save you a ton of electricity ;)
Not really. Adding a small dedicated router/firewall machine would add a pound of electricity in my particular case because our "main computer" is the one which we usually use and the other computer is used only occasionally, so that usually the "main computer" runs anyway. Kind Regards Johannes Meixner
On Thu, 05 Aug, 2010 at 12:46:53 +0200, Johannes Meixner wrote:
Why don't you get something like a soekris 5501 or similar, and put some sort of embedded firewall distribution on it? It's gonna save you a ton of electricity ;)
Not really.
Adding a small dedicated router/firewall machine would add a pound of electricity in my particular case because our "main computer" is the one which we usually use and the other computer is used only occasionally so that usually the "main computer" runs anyway.
hmm, well... of course you know your usage pattern, but I'd still think that having things split off would be worth it. /jon -- YMMV
Hello, On Aug 4 21:04 Carlos E. R. wrote (shortened):
On 2010-08-03 12:46, Johannes Meixner wrote: ...
But the "external" network is also the internal one in many cases, such as mine.
This is a contradiction in itself and therefore you get trouble how to deal with it.
There is an ADSL router that connects to Internet. Behind there is an internal network, which some prefer to consider as external in the firewall config for extra protection. But it is this one which has to be opened to connect to other machines in the local network.
Your case is described in http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
----------------------------------------------------------------
When Network Security is Likely to be Doomed ... Save money and use the same network hardware for trusted and non-trusted network traffic and as a consequence pay with an increased likelihood that your network security is doomed and with an increased effort to maintain your network security. ... Use one same "router-box" device for both your trusted internal network and the connection to the Internet.
----------------------------------------------------------------
Please read the whole article. Again and again - as described in http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings there is no longer any kind of firewall protection for a service if you open its port(s) in the firewall. In particular, responses such as yours prove that I am right not to offer our users a too easy "just one click" way in YaST which removes firewall protection completely from CUPS. Please do not misunderstand me: you are of course still free to open whatever port for whatever firewall zone you like depending on your particular needs. I am only interested in making it not too easy, in particular for unexperienced users, to open needless security holes. I want to guide our users to a reasonably secure setup and not just to please them with "one click easy going" stuff which in the end makes our users' systems needlessly insecure. Kind Regards Johannes Meixner
On 2010-08-05 10:42, Johannes Meixner wrote:
On Aug 4 21:04 Carlos E. R. wrote (shortened):
On 2010-08-03 12:46, Johannes Meixner wrote: ...
But the "external" network is also the internal one in many cases, such as mine.
This is a contradiction in itself and therefore you get trouble how to deal with it.
I don't see any contradiction. In fact, ext is the default setting for any interface.
There is an ADSL router that connects to Internet. Behind there is an internal network, which some prefer to consider as external in the firewall config for extra protection. But it is this one which has to be opened to connect to other machines in the local network.
Your case is described in http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
Yes, and many consider that having that kind of router with NAT is enough security. In my case there are two cascaded firewalls anyway, and the ports the ISP left open for remote admin I closed.
Please read the whole article.
I read it years ago. Not practical, IMO.
In particular, responses such as yours prove that I am right not to offer our users a too easy "just one click" way in YaST which removes firewall protection completely from CUPS.
Please do not misunderstand me: you are of course still free to open whatever port for whatever firewall zone you like depending on your particular needs. I am only interested in making it not too easy, in particular for unexperienced users, to open needless security holes. I want to guide our users to a reasonably secure setup and not just to please them with "one click easy going" stuff which in the end makes our users' systems needlessly insecure.
It would be enough to put a warning when you click. What you'll get instead is that people define the interface connected to the router as internal instead. Is that better? People have routers to the Internet they get from their providers. And they use Windows, and they use Samba... very few people have computers with two NICs and can go to the extent of wiring two networks. Or put a really good firewall there. Do you really think people will do the complicated setup that you suggest to secure their network? They'll simply remove SuSEfirewall or use the internal interface. It would be best to correct cups so that it is not a dangerous service. -- Cheers / Saludos, Carlos E. R. (from 11.2 x86_64 "Emerald" GM (Elessar))
Hello, On Aug 5 13:11 Carlos E. R. wrote (shortened):
On 2010-08-05 10:42, Johannes Meixner wrote:
Your case is described in http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
...
Please read the whole article.
I read it years ago. Not practical, IMO.
The article was created by me on 14 January 2010 from scratch in the meanwhile outdated old openSUSE wiki (old-en.opensuse.org). Kind Regards Johannes Meixner
On 2010-08-05 14:26, Johannes Meixner wrote:
Hello,
On Aug 5 13:11 Carlos E. R. wrote (shortened):
On 2010-08-05 10:42, Johannes Meixner wrote:
Your case is described in http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
...
Please read the whole article.
I read it years ago. Not practical, IMO.
The article was created by me on 14 January 2010 from scratch in the meanwhile outdated old openSUSE wiki (old-en.opensuse.org).
Dunno, but I remember having read most of that previously. -- Cheers / Saludos, Carlos E. R. (from 11.2 x86_64 "Emerald" GM (Elessar))
Wow. For 2 days I don't check my old thread and then everything is discussed already... Unfortunately, I must side with my namesake on this issue, Johannes. On Tue August 3 2010 04:46:46 Johannes Meixner wrote:
There should be no recommendation to open any port in the firewall. But the current popup texts could be misunderstood to do it. Therefore I filed https://bugzilla.novell.com/show_bug.cgi?id=627799 [...]
Additionally you may have a look at https://bugzilla.novell.com/show_bug.cgi?id=610327
I had not seen those. I will not debate the issue in bugzilla and I'll respect that you have the final word there. But apparently you don't see that all you are doing is making YaST2 less convenient for administrators, not the setup more secure. YaST2 is one of the best features openSUSE has, exactly because it makes advanced administration more convenient. An inexperienced user will simply use the defaults and will follow all the security warnings that you include, because he/she doesn't know all the details (and they will NOT read the very long SDB article you wrote). To be as secure as you are driven to make this setup, it is sufficient to make the default secure and to include warnings in all the other configurations, as it is done with the partitioning tool.
Any sane reason to make this process less convenient?
This is intentional, to avoid that almost all normal users open a security hole, because in the usual network environments the IPP port should never be opened for the EXT zone, see http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
That is precisely where you get things mixed up. Normal users will not read or understand your SDB article. Not that it is not well written, but it is too long and too complex. You are not making them more secure by removing the "cups" one-button function in YaST2. They will use the default or ask for help. But for us, it's a PITA and removes power from YaST. You say that we are still free to open the port in the firewall. Of course, but what is the point of YaST, if not making administration steps more convenient and less prone to typos? Again, look at the partitioning tool in YaST and see how the cups setup should be done. It protects all sensitive and dangerous areas with a lot of warnings, but instead of telling us "now, go and use gpart or parted", it offers us a very convenient and powerful GUI front end for these dangerous tools. That is what your CUPS setup should do and you would be highly praised by all of us. In addition, Carlos ER has indeed a good point that you unfortunately dismiss with "In particular responses as yours prove that I am right not to offer our users a too easy "just one click" way in YaST which removes firewall protection completely from CUPS." You are here showing that you "think" you are right, just because you did not understand our use scenario. In your other responses you show that you do not trust routers with firewalls that you don't build yourself. But the fact is there are home routers running solid embedded Linux on them, and there are also situations as in my university department, which is protected by a very solid firewall from the world, but still I would not trust every computer in our LAN. By keeping the firewall on and treating the network as external, we are at least protected against unforeseen situations, "when whatever kind of server process was started by accident", as you say in your article.
I like your idea of "specifying the IP address of the trusted internal network via FW_TRUSTED_NETS in the firewall configuration". I think this will further strengthen my setup at the university. Please, reconsider your design of this YaST tool, not from the point of view of security (I certainly won't advocate making openSUSE less secure out of the box), but from the point of view of robust and convenient advanced administration. -- Carlos F Lange -- Recursive: Adj. See Recursive. --
Hello, some probably important information regarding further discussion: Whatever you request regarding firewall setup in YaST belongs first and foremost to the YaST firewall setup module. For example it is currently not possible that I provide something in the CUPS package which lets the user open IPP in the YaST firewall setup module and shows some additional case-specific (warning) messages or has whatever kind of case-specific restrictions, compare https://bugzilla.novell.com/show_bug.cgi?id=610327#c6 Because of somewhat complicated reasons I can no longer provide firewall setup functionality regarding IPP/CUPS in the YaST printer setup module. See https://bugzilla.novell.com/show_bug.cgi?id=468426#c8 why it has become impossible in practice to call functions of yast2-firewall to implement a reliably working firewall setup in yast2-printer. Currently https://bugzilla.novell.com/show_bug.cgi?id=549065 is all that I can provide regarding firewall setup in yast2-printer.
From my current point of view the root cause of those kinds of issues is that the YaST firewall and network setup does not first and foremost focus on the fundamental firewall setup, which is to assign the network interface which belongs to the internal network to the internal zone. Such a setting is possible but our users are not forced to make the decision - instead they leave the default (i.e. "EXT" zone) and this is the root cause of all the following issues and misunderstandings about how a firewall setup should be done at all. Currently the YaST firewall setup is mainly focussed on opening and closing individual ports (or services). Of course zone selection is possible, but as far as I noticed, most users don't have an idea what this "zones stuff" is about, so that in the end our users open ports for the default zone (i.e. the "EXT" zone) where all their network interfaces belong by default, which is in the usual use-cases plain wrong and makes our users' systems insecure. At least the Windows 7 on my wife's laptop at home supports and somewhat enforces this kind of fundamental firewall setup: for each network connection, the user is first and foremost prompted to specify if it connects his system to a public network or to a private network.
When you ask for better (e.g. easier to understand) documentation regarding firewall setup, please do not ask me because I can only provide developer-style documentation. If you don't like my documentation, I could remove it, which would even save me a lot of time to maintain it (documentation is a very low-priority part of what I do and making end-user documentation is no task at all for me). Please try to find someone who can produce the kind of documentation which you like, and have in mind that openSUSE is a wiki so that whoever likes to contribute can provide whatever kind of better documentation. Nothing at all hinders anybody to contribute an easier to understand article regarding firewall setup.
When you ask for a feature like an easy setup for the use-case of a home network with a DSL all-in-one router-box please file a feature request at https://features.opensuse.org/ because such a feature requires very much work to get it well implemented (some changes in yast2-printer would be a very minor part near the end of the whole stuff). Definitely opening IPP for the external firewall zone would be the very most wrong idea to implement such a feature in yast2-printer. On Aug 5 12:19 Carlos F Lange wrote (shortened):
You are here showing that you "think" you are right, just because you did not understood our use scenario. In your other responses you show that you do not trust routers with firewall that you don't build yourself. But the fact is there are home routers running solid embedded linux on them, and there are also situations as in my university department, which is protected by a very solid firewall from the world, but still I would not trust every computer in our LAN. By keeping the firewall on and treating the network as external, we are at least protected against unforeseen situations, "when whatever kind of server process was started by accident", as you say in your article.
Again and again: Whoever opens IPP for the external firewall zone has very likely something wrong in his network or firewall design. Compare https://bugzilla.novell.com/show_bug.cgi?id=610327#c6

-----------------------------------------------------------------
For the exceptional case when the firewall protects even the INT zone, the user had set up this manually intentionally and then the user can also intentionally open the IPP port for TCP and UDP manually intentionally.
-----------------------------------------------------------------

It is an exceptional case when you don't trust all that there is in your internal network - for example when it is not a small internal home network but a big internal network of a company or organization. Then it makes sense to let the firewall protect even the internal network and open only those services which are intended to be used in the internal network, and only for the "INT" zone.

Think about a user with a laptop in your use case. Currently if this user travels, he has e.g. IPP open everywhere, which makes it needlessly insecure for him. If the laptop has two kinds of network connections, like one for a wired network cable which is used in your internal network and a wireless connection which is used while traveling, it should be possible to assign the network interface which belongs to the wireless connection to the "EXT" zone and the network interface which belongs to the wired network connection to the "INT" zone. Then there would be in your case firewall protection even for the "INT" zone, but only for the "INT" zone would those services which are intended to be used in your internal network be open. If the laptop has only one network connection, FW_TRUSTED_NETS should be used as a best-effort attempt - but there should still be no need to open ports for the "EXT" zone.

This all is not specific to IPP. It is all about general, very basic firewall setup.
From this point of view, opening particular ports is always some kind of exceptional firewall setup. Accordingly the main focus should not be IPP/CUPS but how we do our general, very basic firewall setup, see http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings#Bottom_Line

Kind Regards
Johannes Meixner
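As an added example (not from the thread or from the openSUSE project), here is a small POSIX shell audit of a SuSEfirewall2 sysconfig file for the setup argued against above: IPP opened for the EXT zone rather than, at most, for a protected INT zone. The variable names are SuSEfirewall2's standard sysconfig keys; both sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added example: audit a SuSEfirewall2 sysconfig file for IPP (port 631 / "ipp")
# opened in the EXT zone, the setup the thread warns against. Variable names are
# the standard SuSEfirewall2 keys; both sample configs are constructed here.

# Print the value of one sysconfig variable, quotes stripped (empty if unset).
fw_get() { # $1=file $2=variable
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Return 0 if IPP is opened for zone $2 (EXT or INT) by port number, service
# name, or a YaST service definition in FW_CONFIGURATIONS_<zone>; else 1.
ipp_in_zone() { # $1=file $2=zone
    for var in FW_SERVICES_${2}_TCP FW_SERVICES_${2}_UDP FW_CONFIGURATIONS_${2}; do
        for item in $(fw_get "$1" "$var"); do
            case "$item" in
                631|ipp|cups) return 0 ;; # "cups": the old YaST service name
            esac
        done
    done
    return 1
}

# One-word verdict: EXT_OPEN (flagged), INT_ONLY (IPP limited to the internal
# zone, as the thread suggests for a protected INT zone), or CLOSED.
fw_verdict() { # $1=file
    if ipp_in_zone "$1" EXT; then echo EXT_OPEN
    elif ipp_in_zone "$1" INT; then echo INT_ONLY
    else echo CLOSED
    fi
}

# Constructed sample: IPP opened on the external zone (what to avoid).
write_sample_ext_open() { # $1=path
    printf '%s\n' 'FW_DEV_EXT="eth0"' 'FW_SERVICES_EXT_TCP="ssh"' \
        'FW_SERVICES_EXT_UDP="631"' >"$1"
}

# Constructed sample: wired NIC in INT, wireless in EXT, IPP only for INT.
write_sample_int_only() { # $1=path
    printf '%s\n' 'FW_DEV_EXT="wlan0"' 'FW_DEV_INT="eth0"' \
        'FW_PROTECT_FROM_INT="yes"' 'FW_SERVICES_INT_TCP="ipp"' \
        'FW_SERVICES_INT_UDP="ipp"' 'FW_SERVICES_EXT_UDP=""' >"$1"
}
# Demo: write both samples to a temp dir and print a verdict for each.
tmp=$(mktemp -d)
write_sample_ext_open "$tmp/ext_open"; write_sample_int_only "$tmp/int_only"
for f in "$tmp"/*; do printf '%s: %s\n' "${f##*/}" "$(fw_verdict "$f")"; done
rm -rf "$tmp"
```

Pointing `fw_verdict` at a real /etc/sysconfig/SuSEfirewall2 gives the same one-word result; anything other than EXT_OPEN matches the zone layout described in the message above.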
Hello,

On Aug 6 11:11 Johannes Meixner wrote (shortened):
When you ask for a feature like an easy setup for the use-case of a home network with a DSL all-in-one router-box please file a feature request at https://features.opensuse.org/
There could already be a matching feature request https://features.opensuse.org/305147 But it seems it already got distracted from what should be the main focus (do the right basic firewall setup) towards a nice desktop applet to switch firewall zones http://lizards.opensuse.org/2009/07/10/1453/

This applet is of course useful when moving with a laptop between trusted and non-trusted networks, but then security may depend on the user not forgetting to switch to "external" when he moves into a non-trusted network without doing a reboot in between - I don't know what happens if he only suspends the laptop while moving?

Nevertheless I wonder if whatever desktop stuff is really the right solution to do the very basic firewall setup, because http://lizards.opensuse.org/2009/07/10/1453/ reads:

----------------------------------------------------------------
It's neither a Firewall configuration tool. That job is still left to Admin tools like YaST.
----------------------------------------------------------------

Strange, but I am no firewall expert to make a decision here.

Kind Regards
Johannes Meixner
On Wednesday 11 August 2010 08:50:57 Johannes Meixner wrote:
Strange, but I am no firewall expert to make a decision here.
It is not firewall expertise that can decide what is better. An overcomplicated setup will force users that don't know how to handle it to turn off the firewall, or delete that Linux thingy and turn back to something that just works. When the goal is to help users keep security and working printers, then the workflow must be as simple as possible. Create an icon in the task bar that will do only that: enable printing over the network or disable it. YaST with a lot of menus and setup options is not a replacement for that.

No one can protect people that don't think about security. They will leave the ignition key in the car, leave the door of the house open, give credit card numbers to unknown sites, give user ID and password on email request, etc, etc.

--
Regards, Rajko