Author: jsmeix Date: Tue Feb 17 14:04:51 2009 New Revision: 55547 URL: http://svn.opensuse.org/viewcvs/yast?rev=55547&view=rev Log: - Removed Firewall Settings which were added in version 2.17.29 because it is not possible to implement it so that it works reliable and correct (see Novell/Suse Bugzilla bnc#468426). In particular it is not possible to test on the local host if remote access via port 631 TCP/UDP would be allowed (there is no replacement for "ipchains --check"). Added notification texts regarding firewall in the dialogs and added explanatory help texts regarding firewall so that users are informed what to do manually regarding firewall. - 2.18.5 Modified: trunk/printer/VERSION trunk/printer/package/yast2-printer.changes trunk/printer/src/Printer.ycp trunk/printer/src/helps.ycp trunk/printer/src/printingvianetwork.ycp trunk/printer/src/sharing.ycp Modified: trunk/printer/VERSION URL: http://svn.opensuse.org/viewcvs/yast/trunk/printer/VERSION?rev=55547&r1=55546&r2=55547&view=diff ============================================================================== --- trunk/printer/VERSION (original) +++ trunk/printer/VERSION Tue Feb 17 14:04:51 2009 @@ -1 +1 @@ -2.18.4 +2.18.5 Modified: trunk/printer/package/yast2-printer.changes URL: http://svn.opensuse.org/viewcvs/yast/trunk/printer/package/yast2-printer.changes?rev=55547&r1=55546&r2=55547&view=diff ============================================================================== --- trunk/printer/package/yast2-printer.changes (original) +++ trunk/printer/package/yast2-printer.changes Tue Feb 17 14:04:51 2009 @@ -1,4 +1,18 @@ ------------------------------------------------------------------- +Tue Feb 17 12:34:16 CET 2009 - jsmeix@suse.de + +- Removed Firewall Settings which were added in version 2.17.29 + because it is not possible to implement it so that it works + reliable and correct (see Novell/Suse Bugzilla bnc#468426). + In particular it is not possible to test on the local host + if remote access via port 631 TCP/UDP would be allowed + (there is no replacement for "ipchains --check"). + Added notification texts regarding firewall in the dialogs + and added explanatory help texts regarding firewall so that + users are informed what to do manually regarding firewall. +- 2.18.5 + +------------------------------------------------------------------- Wed Feb 11 12:27:55 CET 2009 - jsmeix@suse.de - Fixed various typos in various texts (see Novell/Suse Bugzilla Modified: trunk/printer/src/Printer.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/printer/src/Printer.ycp?rev=55547&r1=55546&r2=55547&view=diff ============================================================================== --- trunk/printer/src/Printer.ycp (original) +++ trunk/printer/src/Printer.ycp Tue Feb 17 14:04:51 2009 @@ -39,7 +39,6 @@ import "Summary"; import "Popup"; import "Printerlib"; -import "SuSEFirewall"; /** * Prototypes @@ -219,32 +218,6 @@ */ global list< map< string, any > > driver_options = []; -/** - * Firewall configuration: - * Determined and set at runtime in the "Print via Network" and "Sharing" dialogs - * by calling Printer::FirewallConfig("read") and Printer::FirewallConfig("write") - * which calls SuSEFirewall functions to fill in the map @ref firewall_config - * except "ui_browsing_from_int", "ui_access_from_int", and "ui_deny_from_ext" - * which are the user settings in the dialog or change the SuSEFirewall settings - * according to "ui_browsing_from_int", "ui_access_from_int", and "ui_deny_from_ext". - * The entries are such that "true" is the default, reasonable and intended setting. - * In particular it is reasonable to deny CUPS Browsing packages (port 631 UDP) from the EXT zone - * to avoid "print job phishing" by announcing local queue names from a malicious external host, - * see http://www.cups.org/newsgroups.php?gcups.general+T+Q"print+job+phishing" - * @struct firewall_config - * $[ "suse_firewall_used":"true if Suse Firewall and no other firewall is used", - * "firewall_active":"true if Suse Firewall is actually running", - * "no_firewall_for_int":"true if Suse Firewall does not potect the INT zone", - * "browsing_from_int":"true if Suse Firewall does not deny CUPS Browsing (port 631 UDP) from the INT zone", - * "ui_browsing_from_int":"true if user has set in dialog not to deny CUPS Browsing from the INT zone", - * "access_from_int":"true if Suse Firewall does not deny CUPS access (port 631 TCP) from the INT zone", - * "ui_access_from_int":"true if user has set in dialog not to deny CUPS access from the INT zone", - * "deny_from_ext":"true if any CUPS access (port 631 UDP and TCP) is denied from the EXT zone", - * "ui_deny_from_ext":"true if user has set in dialog to deny any CUPS access from the EXT zone" - * ] - */ -global map< string, boolean > firewall_config = $[]; - /* * Local variables: */ @@ -1865,198 +1838,6 @@ } /** - * Determined and set at runtime in the "Print via Network" and "Sharing" dialogs - * by calling Printer::FirewallConfig("read") and Printer::FirewallConfig("write") - * @param "read" to fill in the firewall_config map - * "write" change the SuSEFirewall settings according to the firewall_config map - * @return true on success - */ -global boolean FirewallConfig( string action ) -{ if( "read" == action ) - { // SuSEFirewall::Read shows a Progress. - // Save previous Progress state and disable showing Progress: - boolean progress_previous_state = Progress::set( false ); - if( ! SuSEFirewall::Read() ) - { // If firewall_config is the empty map, the user - // cannot change a firewall setting in the "Print via Network" and "Sharing" dialogs - // so that noting will be committed regarding the Suse Firewall. - y2milestone( "SuSEFirewall::Read failed." ); - firewall_config = $[]; - // Restore previous Progress state: - Progress::set( progress_previous_state ); - return true; - } - // Restore previous Progress state: - Progress::set( progress_previous_state ); - // Preset the firewall_config map with the defaults after a default system installation - // to have a reasonable fallback if the actual values cannot be determined: - firewall_config = $[ "suse_firewall_used":true, - "firewall_active":true, - "no_firewall_for_int":true, - "browsing_from_int":true, - "ui_browsing_from_int":true, - "access_from_int":true, - "ui_access_from_int":true, - "deny_from_ext":true, - "ui_deny_from_ext":true - ]; - // Determine whether the Suse Firewall is used: - if( SuSEFirewall::IsOtherFirewallRunning() ) - { // If not the Suse Firewall is used, the dialogs will not show - // any firewall settings and therefore the user cannot change them. - firewall_config["suse_firewall_used"] = false; - y2milestone( "Not the Suse Firewall is used, i.e. another firewall is running." ); - return true; - } - // Determine whether the Suse Firewall is active: - if( ! SuSEFirewall::IsStarted() - || ! SuSEFirewall::GetStartService() - ) - { // If the Suse Firewall is not active, the dialogs will not show - // any firewall settings because it is useless and confusing - // to let the user change firewall settings - // when the user had decided to have no firewall currently running - // or if the firewall would not be started in SuSEFirewall::Write() - firewall_config["firewall_active"] = false; - y2milestone( "The Suse Firewall is not active or would not be started in SuSEFirewall::Write." ); - return true; - } - // Determine the actual settings regarding IPP (port 631 UDB and TCP) - // and preset the user interface settings with the actual settings: - if( SuSEFirewall::GetProtectFromInternalZone() ) - { firewall_config["no_firewall_for_int"] = false; - if( ! SuSEFirewall::HaveService( "631", "UDP", "INT" ) ) - { firewall_config["browsing_from_int"] = false; - firewall_config["ui_browsing_from_int"] = false; - } - if( ! SuSEFirewall::HaveService( "631", "TCP", "INT" ) ) - { firewall_config["access_from_int"] = false; - firewall_config["ui_access_from_int"] = false; - } - } - if( SuSEFirewall::HaveService( "631", "TCP", "EXT" ) - || SuSEFirewall::HaveService( "631", "UDP", "EXT" ) - ) - { firewall_config["deny_from_ext"] = false; - firewall_config["ui_deny_from_ext"] = false; - } - y2milestone( "FirewallConfig read result: %1", firewall_config ); - } - if( "write" == action ) - { y2milestone( "FirewallConfig write using: %1", firewall_config ); - // If the Suse Firewall is used and - // if the Suse Firewall is active and - // if firewall settings have been changed by the user, - // then set and commit the new firewall settings. - // Use safe fallback values (i.e. deny access as fallback). - // Those fallback values makes the code look confusing - // for example in conditions like if(firewall_config["..."]:false) - // because the actual value is often the opposite of the fallback value. - if( firewall_config["suse_firewall_used"]:false - && firewall_config["firewall_active"]:false - && ( firewall_config["ui_browsing_from_int"]:false != firewall_config["browsing_from_int"]:true - || firewall_config["ui_access_from_int"]:false != firewall_config["access_from_int"]:true - || firewall_config["ui_deny_from_ext"]:false != firewall_config["deny_from_ext"]:true - ) - ) - { // Set new firewall settings in SuSEFirewall: - boolean write_firewall_settings_failed = false; - y2milestone( "FirewallConfig commit new firewall config: %1", firewall_config ); - if( firewall_config["ui_browsing_from_int"]:false != firewall_config["browsing_from_int"]:true ) - { if( firewall_config["ui_browsing_from_int"]:false ) - { // The user has set in dialog not to deny CUPS Browsing from the INT zone: - if( ! firewall_config["no_firewall_for_int"]:true ) - { // The Suse Firewall does potect the INT zone: - if( ! SuSEFirewall::AddService( "631", "UDP", "INT" ) ) - { y2milestone( "FirewallConfig: SuSEFirewall::AddService(631,UDP,INT) failed." ); - write_firewall_settings_failed = true; - } - } - } - else - { // The user has set in dialog to deny CUPS Browsing from the INT zone: - if( ! firewall_config["no_firewall_for_int"]:true ) - { // The Suse Firewall does potect the INT zone: - if( ! SuSEFirewall::RemoveService( "631", "UDP", "INT" ) ) - { y2milestone( "FirewallConfig: SuSEFirewall::RemoveService(631,UDP,INT) failed." ); - write_firewall_settings_failed = true; - } - } - else - { // The Suse Firewall does not potect the INT zone: - y2milestone( "FirewallConfig: Cannot deny CUPS Browsing from the INT zone because the Suse Firewall does not potect the INT zone." ); - write_firewall_settings_failed = true; - } - } - } - if( firewall_config["ui_access_from_int"]:false != firewall_config["access_from_int"]:true ) - { if( firewall_config["ui_access_from_int"]:false ) - { // The user has set in dialog not to deny CUPS access from the INT zone: - if( ! firewall_config["no_firewall_for_int"]:true ) - { // The Suse Firewall does potect the INT zone: - if( ! SuSEFirewall::AddService( "631", "TCP", "INT" ) ) - { y2milestone( "FirewallConfig: SuSEFirewall::AddService(631,TCP,INT) failed." ); - write_firewall_settings_failed = true; - } - } - } - else - { // The user has set in dialog to deny CUPS access from the INT zone: - if( ! firewall_config["no_firewall_for_int"]:true ) - { // The Suse Firewall does potect the INT zone: - if( ! SuSEFirewall::RemoveService( "631", "TCP", "INT" ) ) - { y2milestone( "FirewallConfig: SuSEFirewall::RemoveService(631,TCP,INT) failed." ); - write_firewall_settings_failed = true; - } - } - else - { // The Suse Firewall does not potect the INT zone: - y2milestone( "FirewallConfig: Cannot deny CUPS access from the INT zone because the Suse Firewall does not potect the INT zone." ); - write_firewall_settings_failed = true; - } - } - } - if( firewall_config["ui_deny_from_ext"]:false != firewall_config["deny_from_ext"]:true ) - { if( firewall_config["ui_deny_from_ext"]:false ) - { // The user has set in dialog to deny any CUPS access from the EXT zone: - if( ! SuSEFirewall::RemoveService( "631", "TCP", "EXT" ) ) - { y2milestone( "FirewallConfig: SuSEFirewall::RemoveService(631,TCP,EXT) failed." ); - write_firewall_settings_failed = true; - } - if( ! SuSEFirewall::RemoveService( "631", "UDP", "EXT" ) ) - { y2milestone( "FirewallConfig: SuSEFirewall::RemoveService(631,UDP,EXT) failed." ); - write_firewall_settings_failed = true; - } - } - else - { // The user has set in dialog not to deny deny any CUPS access from the EXT zone: - y2milestone( "FirewallConfig: Ignored to allow CUPS access from the EXT zone because it is insecure." ); - write_firewall_settings_failed = true; - } - } - // Commit the new firewall settings: - // SuSEFirewall::Write shows a Progress. - // Save previous Progress state and disable showing Progress: - boolean progress_previous_state = Progress::set( false ); - if( ! SuSEFirewall::Write() ) - { y2milestone( "FirewallConfig: SuSEFirewall::Write failed to commit firewall settings." ); - write_firewall_settings_failed = true; - } - // Restore previous Progress state: - Progress::set( progress_previous_state ); - if( write_firewall_settings_failed ) - { Popup::Error( // Message of a Popup::Error. - // Only a simple message because this error does not happen on a normal system. - _("Failed to set up the firewall settings.\nUse the specific YaST Firewall module.") - ); - return false; - } - } - } - return true; -} - -/** * Get all printer settings from the first parameter * (For use by autoinstallation.) * @param settings The YCP structure to be imported. Modified: trunk/printer/src/helps.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/printer/src/helps.ycp?rev=55547&r1=55546&r2=55547&view=diff ============================================================================== --- trunk/printer/src/helps.ycp (original) +++ trunk/printer/src/helps.ycp Tue Feb 17 14:04:51 2009 @@ -463,7 +463,22 @@ In this case remote CUPS servers must publish their printers via network and accordingly on your host the CUPS daemon process (cupsd) must run which is listening for incomming information about published printers.<br> -CUPS Browsing information is recieved via UDP port 631. +CUPS Browsing information is recieved via UDP port 631.<br> +Regarding firewall:<br> +Check if a firewall is active for a network zone +in which printers are published via network. +By default the SuSEfirewall allows any incomming information +via a network interface which belongs to the 'internal zone' +because this zone is trusted by default. +If the remote CUPS servers and your system are in an internal network +and when you trust all what there is in your internal network, +your network interface must be set to be in the 'internal zone'. +It does not make sense to have a network setup in a trusted internal network +with a network interface which belongs to the untrusted 'external zone' +which is the default setting for network interfaces to be safe. +Do not disable firewall protection for CUPS +(i.e. for IPP which uses TCP port 631 and UDP port 631) +for the untrusted 'external zone'. </p>") + // PrintingViaNetworkDialog help 2/3: _("<p> @@ -481,7 +496,7 @@ </p>"), "sharing_dialog" : -// SharingDialog help 1/2: +// SharingDialog help 1/3: _("<p> <b><big>Sharing Print Queues and Publish Them Via Network</big></b><br> Usually CUPS (Common Unix Printing System) should be set up to use @@ -491,7 +506,7 @@ which is listening for incomming information about published printers.<br> CUPS Browsing information is recieved via UDP port 631. </p>") + -// SharingDialog help 2/2: +// SharingDialog help 2/3: _("<p> First of all CUPS client systems must be allowed to access the CUPS server. Then specify whether or not printers should be published to the clients. @@ -499,6 +514,24 @@ If you have only one single CUPS server, there is no need to use CUPS Browsing. Instead it is simpler to specify the CUPS server on the client systems (via 'Printing Via Network') so that the clients access the server directly. +</p>") + +// SharingDialog help 3/3: +_("<p> +Regarding firewall:<br> +Check if a firewall is active for a network zone in which printers +are made available via network to be used by trusted users +(nobody lets arbitrary users print on his printer). +By default the SuSEfirewall allows any access via a network interface +which belongs to the 'internal zone' because this zone is trusted by default. +If the CUPS server and the client systems are in an internal network +and when you trust all what there is in your internal network, +your network interface must be set to be in the 'internal zone'. +It does not make sense to have a network setup in a trusted internal network +with a network interface which belongs to the untrusted 'external zone' +which is the default setting for network interfaces to be safe. +Do not disable firewall protection for CUPS +(i.e. for IPP which uses TCP port 631 and UDP port 631) +for the untrusted 'external zone'. </p>"), "policies" : Modified: trunk/printer/src/printingvianetwork.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/printer/src/printingvianetwork.ycp?rev=55547&r1=55546&r2=55547&view=diff ============================================================================== --- trunk/printer/src/printingvianetwork.ycp (original) +++ trunk/printer/src/printingvianetwork.ycp Tue Feb 17 14:04:51 2009 @@ -55,9 +55,6 @@ // remote CUPS servers with specific addresses // where the specific addresses are specified in a TextEntry below: string browse_allow_specific_string = _("only specific addresses"); -// Firewall related widget types: -boolean firewall_first_browsing_widget_is_checkbox = false; -boolean firewall_second_browsing_widget_is_checkbox = false; term widgetNetworkPrinting = `VBox ( `VStretch(), @@ -119,32 +116,10 @@ ), `Left ( `Label - ( `id(`firewall_browsing_settings_label), - // A caption to make a Firewall settings - // to allow incomming printer information - // from remote CUPS servers: - _("Firewall Settings") - ) - ), - `HBox - ( `HSpacing( 2 ), - `VBox - ( `Left - ( `ReplacePoint - ( `id(`firewall_first_browsing_replace_point), - `Empty - ( `id(`firewall_first_browsing_widget) - ) - ) - ), - `Left - ( `ReplacePoint - ( `id(`firewall_second_browsing_replace_point), - `Empty - ( `id(`firewall_second_browsing_widget) - ) - ) - ) + ( `id(`firewall_label), + // A notification to make the user aware of possible Firewall restrictions + // regarding allow incomming printer information from remote CUPS servers: + _("If a firewall is used, check that incomming packages on UDP port 631 are allowed.") ) ) ) @@ -361,30 +336,6 @@ boolean ApplyNetworkPrintingSettings() { printing_via_network_has_changed = false; - // Do the Firewall stuff first of all: - boolean firewall_allow_browsing_from_int = true; - boolean firewall_deny_browsing_from_ext = true; - if( firewall_first_browsing_widget_is_checkbox ) - { firewall_allow_browsing_from_int = (boolean)UI::QueryWidget( `firewall_first_browsing_widget, `Value ); - y2milestone( "firewall_allow_browsing_from_int value: '%1'", firewall_allow_browsing_from_int ); - Printer::firewall_config["ui_browsing_from_int"] = firewall_allow_browsing_from_int; - } - if( firewall_second_browsing_widget_is_checkbox ) - { firewall_deny_browsing_from_ext = (boolean)UI::QueryWidget( `firewall_second_browsing_widget, `Value ); - y2milestone( "firewall_deny_browsing_from_ext value: '%1'", firewall_deny_browsing_from_ext ); - Printer::firewall_config["ui_deny_from_ext"] = firewall_deny_browsing_from_ext; - } - if( Printer::firewall_config["browsing_from_int"]:false != Printer::firewall_config["ui_browsing_from_int"]:true - || Printer::firewall_config["deny_from_ext"]:false != Printer::firewall_config["ui_deny_from_ext"]:true - ) - { // The user has changed a Firewall setting: - printing_via_network_has_changed = true; - if( ! Printer::FirewallConfig( "write" ) ) - { // No error message here because Printer::FirewallConfig shows already error messages: - return false; - } - } - // Do the CUPS stuff after the Firewall stuff. // Get the actual settings and values from the dialog: any current_radio_button = UI::QueryWidget( `id(`browsing_or_client_only_check_boxes), `CurrentButton ); any current_browse_allow = UI::QueryWidget( `id(`browse_allow_combo_box), `Value ); @@ -749,6 +700,7 @@ UI::ChangeWidget( `id(`browsing_on_radio_button), `Value, false ); UI::ChangeWidget( `id(`browse_allow_label), `Enabled, false ); UI::ChangeWidget( `id(`browse_allow_combo_box), `Enabled, false ); + UI::ChangeWidget( `id(`firewall_label), `Enabled, false ); // When by accident "all" and "@LOCAL" were set as BrowseAllow values, // the "@LOCAL" entry is preselected in browse_allow_combo_box // because this is the more secure setting: @@ -822,6 +774,7 @@ UI::ChangeWidget( `id(`browsing_on_radio_button), `Value, true ); UI::ChangeWidget( `id(`browse_allow_label), `Enabled, true ); UI::ChangeWidget( `id(`browse_allow_combo_box), `Enabled, true ); + UI::ChangeWidget( `id(`firewall_label), `Enabled, true ); // If browsing info is accepted from all hosts, // it is useless to additionally accept it from specific IPs or networks: if( ! contains( Printerlib::cupsd_conf_browse_allow, "all" ) ) @@ -833,100 +786,6 @@ UI::ChangeWidget( `id(`browsing_off_radio_button), `Value, true ); } } - // Determine the Firewall settings. - // Ignore errors because Printer::FirewallConfig results a firewall_config fallback map. - Printer::FirewallConfig( "read" ); - // Set the content and values for the firewall related widgets in the dialog: - if( ! Printer::firewall_config["suse_firewall_used"]:true ) - { // Not the Suse Firewall but another firewall is used: - UI::ReplaceWidget( `firewall_first_browsing_replace_point, - `Label - ( `id(`firewall_first_browsing_widget), - // Label when not the Suse Firewall but another firewall is used: - _("Not the Suse Firewall but another firewall is used") - ) - ); - UI::ReplaceWidget( `firewall_second_browsing_replace_point, - `Empty - ( `id(`firewall_second_browsing_widget) - ) - ); - } - else - { // The Suse Firewall is used: - if( ! Printer::firewall_config["firewall_active"]:true ) - { // The Suse Firewall is not running: - UI::ReplaceWidget( `firewall_first_browsing_replace_point, - `Label - ( `id(`firewall_first_browsing_widget), - // Label when the Suse Firewall is not running: - _("The Suse Firewall is not active") - ) - ); - UI::ReplaceWidget( `firewall_second_browsing_replace_point, - `Empty - ( `id(`firewall_second_browsing_widget) - ) - ); - } - else - { // The Suse Firewall is running: - if( ! Printer::firewall_config["no_firewall_for_int"]:true ) - { // The Suse Firewall does potect the INT zone: - // Let the user deny or allow CUPS Browsing from the INT zone here: - UI::ReplaceWidget( `firewall_first_browsing_replace_point, - `CheckBox - ( `id(`firewall_first_browsing_widget), - // CheckBox whether or not the Suse Firewall allows - // incomming printer information (CUPS Browsing packages) - // from the internal network zone (INT zone): - _("Allow printer information from the &internal network zone"), - Printer::firewall_config["browsing_from_int"]:true - ) - ); - firewall_first_browsing_widget_is_checkbox = true; - } - else - { // The Suse Firewall does not potect the INT zone: - UI::ReplaceWidget( `firewall_first_browsing_replace_point, - `Label - ( `id(`firewall_first_browsing_widget), - // Label when the Suse Firewall does not potect the internal network zone - // which means that incomming printer information from the INT zone is allowed: - _("Printer information from the internal network zone is allowed") - ) - ); - } - if( ! Printer::firewall_config["deny_from_ext"]:true ) - { // The Suse Firewall does not deny incomming printer information from the EXT zone. - // Let the user deny incomming printer information from the EXT zone here: - UI::ReplaceWidget( `firewall_second_browsing_replace_point, - `CheckBox - ( `id(`firewall_second_browsing_widget), - // CheckBox whether or not the Suse Firewall denies - // incomming printer information from the external network zone. - // This is done by denying any access from the EXT zone. - _("Deny access and printer information from the &external network zone"), - false - ) - ); - firewall_second_browsing_widget_is_checkbox = true; - } - else - { // The Suse Firewall denies incomming printer information from the EXT zone. - // Do not let the user allow incomming printer information from the EXT zone here: - UI::ReplaceWidget( `firewall_second_browsing_replace_point, - `Label - ( `id(`firewall_second_browsing_widget), - // Label when the Suse Firewall denies printer information - // from the external network zone. - // This is done by denying any access from the EXT zone. - _("Access and printer information from the external network zone is denied") - ) - ); - } - } - } y2milestone( "leaving initNetworkPrinting with\ninitial_radio_button = '%1'\ninitial_browse_allow = '%2'\ninitial_browse_allow_input_value = '%3'\ninitial_server_name_input_value = '%4'", initial_radio_button, initial_browse_allow, initial_browse_allow_input_value, initial_server_name_input_value ); } @@ -937,6 +796,7 @@ { UI::ChangeWidget( `id(`browse_allow_label), `Enabled, false ); UI::ChangeWidget( `id(`browse_allow_combo_box), `Enabled, false ); UI::ChangeWidget( `id(`browse_allow_input), `Enabled, false ); + UI::ChangeWidget( `id(`firewall_label), `Enabled, false ); UI::ChangeWidget( `id(`client_conf_server_name_input), `Enabled, false ); UI::ChangeWidget( `id(`test_client_conf_server), `Enabled, false ); if( ! Printerlib::client_only ) @@ -950,6 +810,7 @@ { UI::ChangeWidget( `id(`browse_allow_label), `Enabled, true ); UI::ChangeWidget( `id(`browse_allow_combo_box), `Enabled, true ); UI::ChangeWidget( `id(`browse_allow_input), `Enabled, true ); + UI::ChangeWidget( `id(`firewall_label), `Enabled, true ); UI::ChangeWidget( `id(`client_conf_server_name_input), `Enabled, false ); UI::ChangeWidget( `id(`test_client_conf_server), `Enabled, false ); if( ! Printerlib::client_only ) @@ -973,6 +834,7 @@ { UI::ChangeWidget( `id(`browse_allow_label), `Enabled, false ); UI::ChangeWidget( `id(`browse_allow_combo_box), `Enabled, false ); UI::ChangeWidget( `id(`browse_allow_input), `Enabled, false ); + UI::ChangeWidget( `id(`firewall_label), `Enabled, false ); UI::ChangeWidget( `id(`client_conf_server_name_input), `Enabled, true ); UI::ChangeWidget( `id(`test_client_conf_server), `Enabled, true ); UI::ChangeWidget( `id(`connection_wizard), `Enabled, false ); Modified: trunk/printer/src/sharing.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/printer/src/sharing.ycp?rev=55547&r1=55546&r2=55547&view=diff ============================================================================== --- trunk/printer/src/sharing.ycp (original) +++ trunk/printer/src/sharing.ycp Tue Feb 17 14:04:51 2009 @@ -49,8 +49,6 @@ list< term > initial_interface_table_items = []; string initial_allow_input_value = ""; string initial_browse_address_input_value = ""; -boolean firewall_first_sharing_widget_is_checkbox = false; -boolean firewall_second_sharing_widget_is_checkbox = false; term widgetSharing = `VBox ( `RadioButtonGroup @@ -181,33 +179,13 @@ ) ) ) - ) - ) - ), - `Left - ( `Label - ( `id(`firewall_sharing_settings_label), - // A caption to make Firewall settings to allow remote access to CUPS: - _("Firewall Settings") - ) - ), - `HBox - ( `HSpacing( 2 ), - `VBox - ( `Left - ( `ReplacePoint - ( `id(`firewall_first_sharing_replace_point), - `Empty - ( `id(`firewall_first_sharing_widget) - ) - ) ), `Left - ( `ReplacePoint - ( `id(`firewall_second_sharing_replace_point), - `Empty - ( `id(`firewall_second_sharing_widget) - ) + ( `Label + ( `id(`firewall_label), + // A notification to make the user aware of possible Firewall restrictions + // regarding remote access to CUPS via the IPP protocol (TCP/UDP port 631): + _("If a firewall is used, check that remote access to CUPS is allowed via IPP on port 631.") ) ) ) @@ -262,30 +240,6 @@ boolean ApplySharingSettings() { sharing_has_changed = false; - // Do the Firewall stuff first of all: - boolean firewall_allow_from_int = true; - boolean firewall_deny_from_ext = true; - if( firewall_first_sharing_widget_is_checkbox ) - { firewall_allow_from_int = (boolean)UI::QueryWidget( `firewall_first_sharing_widget, `Value ); - y2milestone( "firewall_allow_from_int value: '%1'", firewall_allow_from_int ); - Printer::firewall_config["ui_access_from_int"] = firewall_allow_from_int; - } - if( firewall_second_sharing_widget_is_checkbox ) - { firewall_deny_from_ext = (boolean)UI::QueryWidget( `firewall_second_sharing_widget, `Value ); - y2milestone( "firewall_deny_from_ext value: '%1'", firewall_deny_from_ext ); - Printer::firewall_config["ui_deny_from_ext"] = firewall_deny_from_ext; - } - if( Printer::firewall_config["access_from_int"]:false != Printer::firewall_config["ui_access_from_int"]:true - || Printer::firewall_config["deny_from_ext"]:false != Printer::firewall_config["ui_deny_from_ext"]:true - ) - { // The user has changed a Firewall setting: - sharing_has_changed = true; - if( ! Printer::FirewallConfig( "write" ) ) - { // No error message here because Printer::FirewallConfig shows already error messages: - return false; - } - } - // Do the CUPS sharing stuff after the Firewall stuff. // Get the actual settings and values from the dialog. // It does not work well to query the RadioButtonGroup with something like // UI::QueryWidget(`deny_or_allow_remote_access,`CurrentButton)) @@ -611,9 +565,7 @@ UI::ChangeWidget( `specific_addresses_label, `Enabled, false ); UI::ChangeWidget( `allow_input, `Enabled, false ); UI::ChangeWidget( `browse_address_input, `Enabled, false ); - UI::ChangeWidget( `firewall_sharing_settings_label, `Enabled, false ); - UI::ChangeWidget( `firewall_first_sharing_widget, `Enabled, false ); - UI::ChangeWidget( `firewall_second_sharing_widget, `Enabled, false ); + UI::ChangeWidget( `firewall_label, `Enabled, false ); } // Regardless whether or not the "Share Printers" dialog is useless, // fill in the values of the current settings in the system: @@ -831,94 +783,6 @@ y2milestone( "Initial initial_browse_address_input_value: %1", initial_browse_address_input_value ); UI::ChangeWidget( `id(`browse_address_input), `Value, initial_browse_address_input_value ); y2milestone( "Initial browse_address_values: %1", browse_address_values ); - // Determine the Firewall settings. - // Ignore errors because Printer::FirewallConfig results a firewall_config fallback map. - Printer::FirewallConfig( "read" ); - // Set the content and values for the firewall related widgets in the dialog: - if( ! Printer::firewall_config["suse_firewall_used"]:true ) - { // Not the Suse Firewall but another firewall is used: - UI::ReplaceWidget( `firewall_first_sharing_replace_point, - `Label - ( `id(`firewall_first_sharing_widget), - // Label when not the Suse Firewall but another firewall is used: - _("Not the Suse Firewall but another firewall is used") - ) - ); - UI::ReplaceWidget( `firewall_second_sharing_replace_point, - `Empty - ( `id(`firewall_second_sharing_widget) - ) - ); - } - else - { // The Suse Firewall is used: - if( ! Printer::firewall_config["firewall_active"]:true ) - { // The Suse Firewall is not running: - UI::ReplaceWidget( `firewall_first_sharing_replace_point, - `Label - ( `id(`firewall_first_sharing_widget), - // Label when the Suse Firewall is not running: - _("The Suse Firewall is not active") - ) - ); - UI::ReplaceWidget( `firewall_second_sharing_replace_point, - `Empty - ( `id(`firewall_second_sharing_widget) - ) - ); - } - else - { // The Suse Firewall is running: - if( ! Printer::firewall_config["no_firewall_for_int"]:true ) - { // The Suse Firewall does potect the INT zone: - // Let the user deny or allow CUPS access from the INT zone here: - UI::ReplaceWidget( `firewall_first_sharing_replace_point, - `CheckBox - ( `id(`firewall_first_sharing_widget), - // CheckBox whether or not the Suse Firewall allows CUPS access from the INT zone: - _("Allow access from the &internal network zone"), - Printer::firewall_config["access_from_int"]:true - ) - ); - firewall_first_sharing_widget_is_checkbox = true; - } - else - { // The Suse Firewall does not potect the INT zone: - UI::ReplaceWidget( `firewall_first_sharing_replace_point, - `Label - ( `id(`firewall_first_sharing_widget), - // Label when the Suse Firewall does not potect the internal network zone - // which means that CUPS access from the INT zone is allowed: - _("Access from the internal network zone is allowed") - ) - ); - } - if( ! Printer::firewall_config["deny_from_ext"]:true ) - { // The Suse Firewall does not deny CUPS access from the EXT zone. - // Let the user deny CUPS access from the EXT zone here: - UI::ReplaceWidget( `firewall_second_sharing_replace_point, - `CheckBox - ( `id(`firewall_second_sharing_widget), - // CheckBox whether or not the Suse Firewall denies CUPS access from the EXT zone: - _("Deny access from the &external network zone"), - false - ) - ); - firewall_second_sharing_widget_is_checkbox = true; - } - else - { // The Suse Firewall denies CUPS access from the EXT zone. - // Do not let the user allow CUPS access from the EXT zone here: - UI::ReplaceWidget( `firewall_second_sharing_replace_point, - `Label - ( `id(`firewall_second_sharing_widget), - // Label when the Suse Firewall denies CUPS access from the external network zone: - _("Access from the external network zone is denied") - ) - ); - } - } - } y2milestone( "leaving initSharing" ); } @@ -1080,21 +944,22 @@ // does not trigger any event even not with "`opt(`notify, `immediate)" // so that this special action is unnoticed. boolean remote_access = (boolean)UI::QueryWidget( `allow_remote_access_radio_button, `Value ); - UI::ChangeWidget(`allow_local_network_access_check_box, `Enabled, remote_access); - UI::ChangeWidget(`publish_to_local_network_check_box, `Enabled, remote_access); - UI::ChangeWidget(`interface_table_label, `Enabled, remote_access); - UI::ChangeWidget(`interface_table, `Enabled, remote_access); - UI::ChangeWidget(`add_interface, `Enabled, remote_access); - UI::ChangeWidget(`edit_interface, `Enabled, remote_access); - UI::ChangeWidget(`delete_interface, `Enabled, remote_access); - UI::ChangeWidget(`specific_addresses_label, `Enabled, remote_access); - UI::ChangeWidget(`allow_input, `Enabled, remote_access); - UI::ChangeWidget(`browse_address_input, `Enabled, remote_access); + UI::ChangeWidget( `allow_local_network_access_check_box, `Enabled, remote_access ); + UI::ChangeWidget( `publish_to_local_network_check_box, `Enabled, remote_access ); + UI::ChangeWidget( `interface_table_label, `Enabled, remote_access ); + UI::ChangeWidget( `interface_table, `Enabled, remote_access ); + UI::ChangeWidget( `add_interface, `Enabled, remote_access ); + UI::ChangeWidget( `edit_interface, `Enabled, remote_access ); + UI::ChangeWidget( `delete_interface, `Enabled, remote_access ); + UI::ChangeWidget( `specific_addresses_label, `Enabled, remote_access ); + UI::ChangeWidget( `allow_input, `Enabled, remote_access ); + UI::ChangeWidget( `browse_address_input, `Enabled, remote_access ); + UI::ChangeWidget( `firewall_label, `Enabled, remote_access ); if( remote_access ) { boolean interface_modify_buttons = true; if( 0 == size((list)UI::QueryWidget(`interface_table, `Items)) ) interface_modify_buttons = false; - UI::ChangeWidget(`edit_interface, `Enabled, interface_modify_buttons); - UI::ChangeWidget(`delete_interface, `Enabled, interface_modify_buttons); + UI::ChangeWidget( `edit_interface, `Enabled, interface_modify_buttons ); + UI::ChangeWidget( `delete_interface, `Enabled, interface_modify_buttons ); } } return nil; -- To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org For additional commands, e-mail: yast-commit+help@opensuse.org