[yast-commit] r60192 - in /trunk/scanner: VERSION package/yast2-scanner.changes src/Scanner.ycp src/dialogs.ycp src/helps.ycp
Author: jsmeix Date: Wed Dec 23 15:36:04 2009 New Revision: 60192 URL: http://svn.opensuse.org/viewcvs/yast?rev=60192&view=rev Log: New version 2.19.0 with this RPM changelog entry: - V 2.19.0 - Replaced overcomplicated but nevertheless mostly useless code for using the YaST SuSEFirewall module by simple generic code in a ShowFirewallPopup function in the same way as it works for yast2-printer (compare Novell/Suse Bugzilla bnc#549065) and enhanced the help text "Regarding Firewall", (see Novell/Suse Bugzilla bnc#551282). - Fixed duplicate button widget with ID `back by calling Wizard::HideBackButton() before calling Wizard::SetAbortButton(`back,Label::CancelButton()), see http://lists.opensuse.org/opensuse-factory/2009-10/msg00528.html - Added X-KDE-SubstituteUID=true to src/scanner.desktop (see Novell/Suse Bugzilla bnc#550073). Modified: trunk/scanner/VERSION trunk/scanner/package/yast2-scanner.changes trunk/scanner/src/Scanner.ycp trunk/scanner/src/dialogs.ycp trunk/scanner/src/helps.ycp Modified: trunk/scanner/VERSION URL: http://svn.opensuse.org/viewcvs/yast/trunk/scanner/VERSION?rev=60192&r1=6019... ============================================================================== --- trunk/scanner/VERSION (original) +++ trunk/scanner/VERSION Wed Dec 23 15:36:04 2009 @@ -1 +1 @@ -2.18.0 +2.19.0 Modified: trunk/scanner/package/yast2-scanner.changes URL: http://svn.opensuse.org/viewcvs/yast/trunk/scanner/package/yast2-scanner.cha... ============================================================================== --- trunk/scanner/package/yast2-scanner.changes (original) +++ trunk/scanner/package/yast2-scanner.changes Wed Dec 23 15:36:04 2009 
@@ -1,4 +1,21 @@ ------------------------------------------------------------------- +Wed Dec 23 15:21:13 CET 2009 - jsmeix@suse.de + +- V 2.19.0 +- Replaced overcomplicated but nevertheless mostly useless code + for using the YaST SuSEFirewall module by simple generic code + in a ShowFirewallPopup function in the same way as it works + for yast2-printer (compare Novell/Suse Bugzilla bnc#549065) + and enhanced the help text "Regarding Firewall", + (see Novell/Suse Bugzilla bnc#551282). +- Fixed duplicate button widget with ID `back by + calling Wizard::HideBackButton() before calling + Wizard::SetAbortButton(`back,Label::CancelButton()), see + http://lists.opensuse.org/opensuse-factory/2009-10/msg00528.html +- Added X-KDE-SubstituteUID=true to src/scanner.desktop + (see Novell/Suse Bugzilla bnc#550073). + +------------------------------------------------------------------- Wed Feb 11 16:04:35 CET 2009 - jsmeix@suse.de - V 2.18.0 Modified: trunk/scanner/src/Scanner.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/scanner/src/Scanner.ycp?rev=60192... ============================================================================== --- trunk/scanner/src/Scanner.ycp (original) +++ trunk/scanner/src/Scanner.ycp Wed Dec 23 15:36:04 2009 @@ -20,7 +20,6 @@ import "Package"; import "Label"; import "Service"; -import "SuSEFirewall"; import "Arch"; /** 
@@ -181,23 +180,6 @@ global map< string, string > network_scanning_config = $[]; /** - * Firewall network scanning configuration: - * Determined at runtime via Scanner::DetermineNetworkScanningConfig() - * which calls SuSEFirewall functions to fill the map @ref firewall_config - * except "ui_no_firewall_for_int" and "ui_deny_from_ext" which are the user settings in the dialog. - * The entries are such that "true" is the default, reasonable and intended setting. - * @struct firewall_config - * $[ "suse_firewall_used":"true if Suse Firewall and no other firewall is used", - * "firewall_active":"true if Suse Firewall is actually running", - * "no_firewall_for_int":"true if Suse Firewall does not potect the INT zone", - * "ui_no_firewall_for_int":"true if user has set in dialog no Suse Firewall protection for INT", - * "denied_from_ext":"true if saned access (sane-port 6566) is denied from EXT zone", - * "ui_deny_from_ext":"true if user has set in dialog to deny access from EXT" - * ] - */ -global map< string, boolean > firewall_config = $[]; - -/** * Environment values: * It is a map of @ref environment_values * @struct environment_values @@ -2428,8 +2410,6 @@ * which calls "grep ... /etc/sane.d/net.conf" and "grep ... /etc/sane.d/saned.conf" * and processes its output and stores the results as YCP map in a temporary file * and then read the temporary file (SCR::Read) to get the YCP map. - * Additionally call SuSEFirewall functions to determine the firewall settings - * regarding remote access to the saned (service "sane-port" 6566/tcp,6566/udp). * @return true on success */ global boolean DetermineNetworkScanningConfig() 
@@ -2469,77 +2449,6 @@ return false; } y2milestone( "Network scanning config: %1", network_scanning_config ); - // Determine the firewall settings regarding remote access to the saned: - // Return successfully regardless of the result of this steps - // because the mandatory network scanning config was successfully determined. - // SuSEFirewall::Read shows a Progress. - // Save previous Progress state and disable showing Progress: - boolean progress_previous_state = Progress::set( false ); - if( ! SuSEFirewall::Read() ) - { // If firewall_config is the empty map, the user - // cannot change a firewall setting and in SetupNetworkScanningConfig() - // noting will be committed. - y2milestone( "SuSEFirewall::Read failed." ); - firewall_config = $[]; - // Restore previous Progress state: - Progress::set( progress_previous_state ); - return true; - } - // Restore previous Progress state: - Progress::set( progress_previous_state ); - // Preset the firewall_config map with the - // defaults after a default system installation - // to have a reasonable fallback if the actual values regarding - // firewall access permissions for the saned cannot be determined: - firewall_config = $[ "suse_firewall_used":true, - "firewall_active":true, - "no_firewall_for_int":true, - "ui_no_firewall_for_int":true, - "denied_from_ext":true, - "ui_deny_from_ext":true - ]; - // Determine whether the Suse Firewall is used: - if( SuSEFirewall::IsOtherFirewallRunning() ) - { // If not the Suse Firewall is used, the dialogs will not show - // any firewall settings and therefore the user cannot change them. - firewall_config["suse_firewall_used"] = false; - y2milestone( "Not the Suse Firewall is used, i.e. another firewall is running." ); - return true; - } - // Determine whether the Suse Firewall is active: - if( ! SuSEFirewall::IsStarted() - || ! 
SuSEFirewall::GetStartService() - ) - { // If the Suse Firewall is not active, the dialogs will not show - // any firewall settings because it is useless and confusing - // to let the user change firewall settings regarding saned - // when the user had decided to have no firewall currently running - // or if the firewall would not be started in SuSEFirewall::Write() - firewall_config["firewall_active"] = false; - y2milestone( "The Suse Firewall is not active or would not be started in SuSEFirewall::Write." ); - return true; - } - // Determine the actual settings regarding firewall access permissions for saned - // and preset the user interface settings with the actual settings: - if( SuSEFirewall::GetProtectFromInternalZone() ) - { firewall_config["no_firewall_for_int"] = false; - firewall_config["ui_no_firewall_for_int"] = false; - } - else - { firewall_config["no_firewall_for_int"] = true; - firewall_config["ui_no_firewall_for_int"] = true; - } - if( SuSEFirewall::HaveService( "sane-port", "TCP", "EXT" ) - || SuSEFirewall::HaveService( "sane-port", "UDP", "EXT" ) - ) - { firewall_config["denied_from_ext"] = false; - firewall_config["ui_deny_from_ext"] = false; - } - else - { firewall_config["denied_from_ext"] = true; - firewall_config["ui_deny_from_ext"] = true; - } - y2milestone( "Firewall network scanning config: %1", firewall_config ); return true; } @@ -2548,8 +2457,6 @@ * activates or deactivates the "net" backend and which writes into * /etc/sane.d/net.conf, /etc/sane.d/saned.conf, and /etc/xinetd.d/sane-port * and reloads or starts the xinetd dependig on whether it is running or not. - * Additionally call SuSEFirewall functions to commit changed firewall settings - * regarding remote access to the saned (service "sane-port" 6566/tcp,6566/udp). * @return true on success */ global boolean SetupNetworkScanningConfig() 
@@ -2574,69 +2481,6 @@ ); return false; } - // If the Suse Firewall is used and - // if the Suse Firewall is active and - // if firewall settings have been changed by the user, - // then set and commit the new firewall settings. - // Use safe fallback values - i.e. in case of doubt don't do anything: - if( firewall_config["suse_firewall_used"]:false - && firewall_config["firewall_active"]:false - && ( firewall_config["ui_no_firewall_for_int"]:true != firewall_config["no_firewall_for_int"]:true - || firewall_config["ui_deny_from_ext"]:true != firewall_config["denied_from_ext"]:true - ) - ) - { // Set new firewall settings in SuSEFirewall: - y2milestone( "Set and commit new firewall network scanning config: %1", firewall_config ); - // Set new firewall settings regarding access allow from INT zone: - if( ! firewall_config["no_firewall_for_int"]:true - && firewall_config["ui_no_firewall_for_int"]:false ) - { // Firewall protects internal zone - // but user has set no protection for internal zone. - // The SuSEFirewall::SetProtectFromInternalZone returns void, - // therefore there is no test possible whether it had worked. - SuSEFirewall::SetProtectFromInternalZone(false); - y2milestone( "SuSEFirewall::SetProtectFromInternalZone(false)" ); - } - // Set new firewall settings regarding saned access deny from EXT zone: - if( ! firewall_config["denied_from_ext"]:true - && firewall_config["ui_deny_from_ext"]:false ) - { // Firewall allows saned access from the external zone - // but user has set in dialog to deny saned access from the external zone: - if( ! SuSEFirewall::RemoveService( "sane-port", "TCP", "EXT" ) - || ! SuSEFirewall::RemoveService( "sane-port", "UDP", "EXT" ) - ) - { y2milestone( "Error: SuSEFirewall::AddService(sane-port,TCP+UDP,EXT) failed." ); - Popup::Error( // Message of a Popup::Error. - // Only a simple message because this error does not happen on a normal system - // (i.e. a system which is not totally broken or totally messed up). 
- // Do not confuse this error with the case when no firewall stuff is to be set up. - // The latter results no error. - _("Failed to deny saned access from external zone in firewall.") - ); - return false; - } - y2milestone( "Success: SuSEFirewall::RemoveService(sane-port,TCP+UDP,EXT)" ); - } - // Commit the new firewall settings: - // SuSEFirewall::Write shows a Progress. - // Save previous Progress state and disable showing Progress: - boolean progress_previous_state = Progress::set( false ); - if( ! SuSEFirewall::Write() ) - { y2milestone( "Error: SuSEFirewall::Write failed to commit firewall settings regarding scanning via network." ); - Popup::Error( // Message of a Popup::Error. - // Only a simple message because this error does not happen on a normal system - // (i.e. a system which is not totally broken or totally messed up). - // Do not confuse this error with the case when no firewall stuff is to be set up. - // The latter results no error. - _("Failed to write firewall settings regarding scanning via network.") - ); - // Restore previous Progress state: - Progress::set( progress_previous_state ); - return false; - } - // Restore previous Progress state: - Progress::set( progress_previous_state ); - } // Determine active scanners and active backends anew. // Return successfully regardless of the result of this steps // because scanning via network was successfully set up. 
@@ -2649,6 +2493,39 @@ return true; } +/** + * Determine if any kind of firewall seems to be active by calling + * "iptables -n -L | egrep -q 'DROP|REJECT'" + * to find out if there are currently dropping or rejecting packet filter rules. + * One might use a more specific test via + * "iptables -n -L | grep -v '^LOG' | egrep -q '^DROP|^REJECT'" + * to match only for DROP and REJECT targets and exclude LOG targets + * but it does not cause real problems when there is a false positive result here + * because all what happens it that then a needless firewall info popup would be shown. + * If any kind of firewall seems to be active, show a popup message + * regarding scanning via network and firewall. + * @return true if any kind of firewall seems to be active + */ +global boolean ShowFirewallPopup() +{ // Note the '-n' (only numeric output) option to avoid long reverse DNS lookups: + if( ExecuteBashCommand( "iptables -n -L | egrep -q 'DROP|REJECT'" ) ) + { y2milestone("A firewall seems to be active."); + Popup::MessageDetails( // Popup::MessageDetails message: + _("Check that your firewall allows scanning via network."), + // Popup::MessageDetails information regarding details: + _("For details regarding firewall see the help text of this dialog.") + ); + return true; + } + // Return 'false' also as fallback value when the above command fails + // because of whatever reason because this fallback value is safe + // because it only results that no firewall info popup is shown + // the "Print via Network" and/or "Share Printers" dialogs + // but also the help text of those dialogs explains firewall stuff + // so that sufficient information is available in any case: + return false; +} + /* * Autoinstallation stuff: * Modified: trunk/scanner/src/dialogs.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/scanner/src/dialogs.ycp?rev=60192... 
============================================================================== --- trunk/scanner/src/dialogs.ycp (original) +++ trunk/scanner/src/dialogs.ycp Wed Dec 23 15:36:04 2009 @@ -633,15 +633,15 @@ Label::NextButton() ); // According to http://en.opensuse.org/YaST/Style_Guide#Configuration_Wizard + // the button with the "back" functionality must be disabled + // only when it is the first dialog of a wizard stlye dialog sequence. + Wizard::HideBackButton(); + // According to http://en.opensuse.org/YaST/Style_Guide#Configuration_Wizard // there is no longer a "abort" functionality which exits the whole module. // Instead this button is now named "Cancel" and its functionality is // to go back to the Overview dialog (i.e. what the "back" button would do) // because it reads "Cancel - Closes the window and returns to the overview." Wizard::SetAbortButton( `back, Label::CancelButton() ); - // According to http://en.opensuse.org/YaST/Style_Guide#Configuration_Wizard - // the button with the "back" functionality must be disabled - // when it is the first dialog of a wizard stlye dialog sequence. - Wizard::DisableBackButton(); any ret = nil; while(true) { ret = UI::UserInput(); 
@@ -850,122 +850,13 @@ * @return dialog result */ any ConfigureNetworkScanningDialog() -{ // Determine the network scanning config +{ boolean firewall_popup_was_shown = false; + // Determine the network scanning config // but don't care if this fails because then empty strings are used as secure fallback // and empty strings will disable scanning via network (i.e. the net backend and the saned): Scanner::DetermineNetworkScanningConfig(); string net_backend_hosts = Scanner::network_scanning_config["net_backend_hosts"]:""; string saned_hosts = Scanner::network_scanning_config["saned_hosts"]:""; - // Dialog contents regarding firewall settings: - // Predefine it for the case when not the Suse Firewall is used: - term firewall_contents = `Label( // User information when not the Suse Firewall is used. - _("No SUSE Firewall, but another kind of firewall is used") - ); - if( Scanner::firewall_config["suse_firewall_used"]:false ) - { // The Suse Firewall is used: - if( ! Scanner::firewall_config["firewall_active"]:true ) - { // The Suse Firewall is used but it is not active: - firewall_contents = `Label( // User information when the Suse Firewall is not active. - _("Firewall is not or should not be running") - ); - } - else - { // The Suse Firewall is used and it is active: - // Predefine the contents for the current Suse Firewall status - // according to what the usual defaults are (e.g. after the installation): - term firewall_active_content = `Label( // User information when the Suse Firewall is used and active. - _("Firewall is active") - ); - term no_firewall_for_int_content = `Label( // User information when the Suse Firewall does not potect the INT zone. - // Be careful when you change or translate "internal", and "zone" - // to keep the relationship to the matching term in the YaST firewall - // setup module where also "internal zone" is used. 
- _("No firewall protection for the internal network zone") - ); - term denied_from_ext_content = `Label( // User information when saned access is denied from the EXT zone. - // Do not change or translate "saned", it is a program (sane daemon) name. - // Be careful when you change or translate "external", and "zone" - // to keep the relationship to the matching term in the YaST firewall - // setup module where also "external zone" is used. - _("saned access denied from the external network zone") - ); - // Label of a CheckBox: - // Be careful when you change or translate "internal", and "zone" - // to keep the relationship to the matching term in the YaST firewall - // setup module where also "internal zone" is used. - string ui_no_firewall_for_int_checkbox_label = _("No Firewall Protection for the &Internal Network Zone"); - // Label of a CheckBox: - // Do not change or translate "saned", it is a program (sane daemon) name. - // Be careful when you change or translate "external", and "zone" - // to keep the relationship to the matching term in the YaST firewall - // setup module where also "external zone" is used. - string ui_deny_from_ext_checkbox_label = _("Deny saned Access from the &External Network Zone"); - // Predefine the CheckBoxes according to what the usual defaults are (e.g. after the installation). - // The defaults are: No protection for internal zone but protection from external zone. - // Those defaults are o.k. for scanning via internal network and should not be changed. - // Therefore the CheckBoxes are disabled: - term ui_no_firewall_for_int_checkbox_content = `CheckBox( `id(`ui_no_firewall_for_int_checkbox), - `opt(`disabled), - ui_no_firewall_for_int_checkbox_label, - true - ); - term ui_deny_from_ext_checkbox_content = `CheckBox( `id(`ui_deny_from_ext_checkbox), - `opt(`disabled), - ui_deny_from_ext_checkbox_label, - true - ); - // Determine and set the actual contents regarding firewall settings: - if( ! 
Scanner::firewall_config["no_firewall_for_int"]:true ) - { // There is protection for internal zone: - no_firewall_for_int_content = `Label( // User information when the Suse Firewall potects the INT zone. - // Be careful when you change or translate "internal", and "zone" - // to keep the relationship to the matching term in the YaST firewall - // setup module where also "internal zone" is used. - _("Firewall protection enabled for the internal network zone") - ); - // When firewall protection is enabled for internal network zone - // have an active CheckBox to disable it but don't have it checked by default - // to be on the safe side because the user must intentionally disable the - // firewall protection for internal zone: - ui_no_firewall_for_int_checkbox_content = `CheckBox( `id(`ui_no_firewall_for_int_checkbox), - ui_no_firewall_for_int_checkbox_label, - false - ); - } - if( ! Scanner::firewall_config["denied_from_ext"]:true ) - { // There is no protection from external zone: - denied_from_ext_content = `Label( // User information when saned access is allowed from the EXT zone. - // Do not change or translate "saned", it is a program (sane daemon) name. - // Be careful when you change or translate "external", and "zone" - // to keep the relationship to the matching term in the YaST firewall - // setup module where also "external zone" is used. - _("saned access allowed from the external network zone") - ); - // When firewall protection is disabled for external zone - // have an active CheckBox to enable it and have it checked by default - // to be on the safe side because saned access from external is insecure: - ui_deny_from_ext_checkbox_content = `CheckBox( `id(`ui_deny_from_ext_checkbox), - ui_deny_from_ext_checkbox_label, - true - ); - } - // Assemble the parts of the firewall_contents: - firewall_contents = `VBox( `Frame( // Label of a Frame for the current firewall status. 
- _("Current Firewall Status"), - `VBox( `Left( firewall_active_content ), - `Left( no_firewall_for_int_content ), - `Left( denied_from_ext_content ) - ) - ), - `Frame( // Label of a Frame for the firewall settings for scanning via network. - _("Firewall Settings"), - `VBox( `Left( ui_no_firewall_for_int_checkbox_content ), - `Left( ui_deny_from_ext_checkbox_content ) - ) - ) - ); - } - } // Caption of the ConfigureNetworkScanningDialog: string caption = _("Set Up Scanning via Network"); // Header of a TextEntry user input field. @@ -985,12 +876,10 @@ term contents = `VBox( `VStretch(), `Frame( // Label of a Frame for the server settings for scanning via network. _("Server Settings"), - `VBox( `TextEntry( `id(`saned_hosts_input), - saned_hosts_input_label, - saned_hosts - ), - firewall_contents - ) + `TextEntry( `id(`saned_hosts_input), + saned_hosts_input_label, + saned_hosts + ) ), `VStretch(), `Frame( // Label of a Frame for the client settings for scanning via network. @@ -1040,6 +929,23 @@ Label::OKButton() ); Wizard::HideAbortButton(); + if( ( "" != filterchars( net_backend_hosts, Scanner::alnum_chars ) + || "" != filterchars( saned_hosts, Scanner::alnum_chars ) + ) + && + ( net_backend_hosts_input_local_host_config_value != net_backend_hosts + || saned_hosts_input_local_host_config_value != saned_hosts + ) + ) + { // When the current net_backend_hosts value is effectively non-empty + // or when the current saned_hosts value is effectively non-empty + // and when at least one is not only those of a "Local Host Configuration" + // test whether or not a firewall seems to be active and + // if yes show a popup regarding firewall: + if( Scanner::ShowFirewallPopup() ) + { firewall_popup_was_shown = true; + } + } any ret = nil; while(true) { ret = UI::UserInput(); 
@@ -1070,71 +976,29 @@ /* set up the configuration */ if( ret == `next ) { // Get the mandatory vaules to set up scanning via network: - Scanner::network_scanning_config["net_backend_hosts"] = (string)UI::QueryWidget( `id(`net_backend_hosts_input), - `Value - ); - Scanner::network_scanning_config["saned_hosts"] = (string)UI::QueryWidget( `id(`saned_hosts_input), - `Value - ); - // Only when the Suse Firewall is used and when it is active - // the checkbox for the firewall settings exist: - if( Scanner::firewall_config["suse_firewall_used"]:false - && Scanner::firewall_config["firewall_active"]:false + net_backend_hosts = (string)UI::QueryWidget( `id(`net_backend_hosts_input), `Value ); + saned_hosts = (string)UI::QueryWidget( `id(`saned_hosts_input), `Value ); + if( ( "" != filterchars( net_backend_hosts, Scanner::alnum_chars ) + || "" != filterchars( saned_hosts, Scanner::alnum_chars ) + ) + && + ( net_backend_hosts_input_local_host_config_value != net_backend_hosts + || saned_hosts_input_local_host_config_value != saned_hosts + ) ) - { // Get the vaules of the checkboxes for the firewall settings: - Scanner::firewall_config["ui_no_firewall_for_int"] = (boolean)UI::QueryWidget( `id(`ui_no_firewall_for_int_checkbox), - `Value - ); - Scanner::firewall_config["ui_deny_from_ext"] = (boolean)UI::QueryWidget( `id(`ui_deny_from_ext_checkbox), - `Value - ); - // Test whether the vaules of the checkboxes for the firewall settings make sense: - if( ! Scanner::firewall_config["ui_deny_from_ext"]:true ) - { // User has set in dialog to allow saned access from the external zone. - // This is only possible when saned access from the external zone is allowed in firewall - // because otherwise the CheckBox is disabled: - if( Scanner::network_scanning_config["saned_hosts"]:"" != "" ) - { // There are clients which should be able to access saned, - // therefore saned will be started and then it must be protected from external zone: - Popup::Notify ( // Message of a Popup::Notify. 
- // The help text of the "Scanning via Network" dialog explains - // why it doesn't make sense and is insecure to allow saned access - // from the external network zone. - // Do not change or translate "saned", it is a program (sane daemon) name. - // Be careful when you change or translate "external", and "zone" - // to keep the relationship to the matching term in the YaST firewall - // setup module where also "external zone" is used. - _("saned access from the external zone cannot be allowed.") - ); - UI::ChangeWidget( `id(`ui_deny_from_ext_checkbox), - `Value, - true - ); - continue; - } - } - if( ! Scanner::firewall_config["ui_no_firewall_for_int"]:true ) - { // User has set in dialog to potect the internal zone. - // This is only possible when firewall protection is enabled for internal zone - // because otherwise the CheckBox is disabled: - if( Scanner::network_scanning_config["saned_hosts"]:"" != "" - && Scanner::network_scanning_config["saned_hosts"]:"" != saned_hosts_input_local_host_config_value ) - { // There are non-localnet clients which should be able to access saned: - if( ! Popup::ContinueCancel( // Message of a Popup::ContinueCancel. - // Be careful when you change or translate "local host configuration" - // because this term is used also in the help text and as a label - // of a PushButton for a predefined configuration. - // Be careful when you change or translate "internal", and "zone" - // to keep the relationship to the matching term in the YaST firewall - // setup module where also "internal zone" is used. 
- _("Only a local host configuration works with firewall protection for the internal zone.") - ) - ) - { continue; - } + { // When the current net_backend_hosts value is effectively non-empty + // or when the current saned_hosts value is effectively non-empty + // and when at least one is not only those of a "Local Host Configuration" + // test whether or not a firewall seems to be active and + // if yes show a popup regarding firewall if it was not yet shown: + if( ! firewall_popup_was_shown ) + { if( Scanner::ShowFirewallPopup() ) + { firewall_popup_was_shown = true; } } } + Scanner::network_scanning_config["net_backend_hosts"] = net_backend_hosts; + Scanner::network_scanning_config["saned_hosts"] = saned_hosts; Wizard::DisableBackButton(); Wizard::DisableNextButton(); if( ! Scanner::SetupNetworkScanningConfig() ) @@ -1149,7 +1013,7 @@ if( ret == `back ) { break; } - y2milestone( "Ignoring unexpected returncode in ConfigureBackendDialog: %1", ret ); + y2milestone( "Ignoring unexpected returncode in ConfigureNetworkScanningDialog: %1", ret ); continue; } return ret; Modified: trunk/scanner/src/helps.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/scanner/src/helps.ycp?rev=60192&r... ============================================================================== --- trunk/scanner/src/helps.ycp (original) +++ trunk/scanner/src/helps.ycp Wed Dec 23 15:36:04 2009 @@ -235,7 +235,7 @@ </p>"), "configure_network_scanning" : -// ConfigureNetworkScanning dialog help 1/4: +// ConfigureNetworkScanning dialog help 1/5: // Do not confuse "scanning via network" (i.e. use a remote scanner via another host in the network) // with "scanning the network" (i.e. scan the network for other hosts or services). _("<p> 
@@ -243,16 +243,11 @@ Enter the appropriate information and press <b>Next</b> to set up scanning via network. </p>") + -// ConfigureNetworkScanning dialog help 2/4: +// ConfigureNetworkScanning dialog help 2/5: // Do not change or translate "saned", it is a program (sane daemon) name. // Do not change or translate "CIDR", it is a (sub)-network notation name. // Do not change or translate "192.168.1.0/24", it is an intentionally selected actually working example. // Do not change or translate "xinetd", it is a program (daemon) name. -// Do not change or translate "sane-port", it is a port name (see /etc/services). -// Be careful when you change or translate "external", "internal", and "zone" -// to keep the relationship to the matching terms in the YaST firewall setup module -// where also "external zone", and "internal zone" is used. -// Keep the information that external access is useless and insecure (see "man saned"). _("<p> <b><big>Server Settings</big></b><br> If you have locally connected scanners and want to make them accessible via the network, 
@@ -262,19 +257,60 @@ or subnets (CIDR notation, such as 192.168.1.0/24). If no client hosts are permitted, saned is not activated. If saned is activated, xinetd is also activated and set up for saned. -Clients contact saned via the sane-port (TCP port 6566) +</p>") + +// ConfigureNetworkScanning dialog help 3/5: +// Do not change or translate "saned", it is a program (sane daemon) name. +// Do not change or translate "sane-port", it is a port name (see /etc/services). +// Be careful when you change or translate "external", "internal", and "zone" +// to keep the relationship to the matching terms in the YaST firewall setup module +// where also "external zone", and "internal zone" is used. +// Keep the information that external access is useless and insecure (see "man saned"). +_("<p> +<b><big>Regarding Firewall</big></b><br> +Clients contact the saned via the sane-port (TCP port 6566) but scanning data is transferred via an additional random port. -The default <b>Firewall Settings</b> during system installation -protect your host from external access. -This is not a problem when using scanners in an internal network -(when the network interface belongs to the internal network zone) +Therefore is is not sufficient for scanning via network +to open only port 6566 in the firewall.<br> +You can specify a port range for the data connection +in the saned config file /etc/sane.d/saned.conf +via an entry like 'data_portrange = 30000 - 30100' +and then open port 6566 and the port range 30000:30100 +in the firewall.<br> +The default firewall settings protect your host from external access. +Allowing access from the external network (i.e. for the external zone) +does not make sense because scanning documents requires +physical scanner access by trusted users.<br> +On the other hand the default firewall settings allow +any access from an internal (i.e. trusted) network unless you have firewall protection enabled for the internal zone. 
-Allowing access from an external network does not make sense -because scanning documents requires physical scanner access. -Therefore access from the external zone can only be denied -if it was accidentally allowed by insecure firewall settings. +But an active firewall for the internal zone (i.e. for the +trusted network zone) does usually also not make much sense +because this makes the internal zone effectively the same +as the external zone.<br> +The simplest and most secure way to do scanning via network +is when the trusted network has a well separated network interface +to have the trusted network well separated from the rest. +Then those network interface can be assigned to the internal zone +via the YaST Firewall setup module and scanning via network +will work without any further firewall setup.<br> +Anything else may result a problematic mix-up of trusted and +non-trusted network traffic in one same network environment. +For example when both the internal network and the connection +to the Internet happens via one same 'router-box' device. +In such a case the 'router-box' device is the crucial point +(in particular the crucial point of possible failure) +regarding network security.<br> +In any case a plain opening of a port for the external zone +is dangerous because it allows access from any foreign host +to those port but does not provide any protection for +the service which is accessed via this port (e.g. the saned). +Instead of plain opening of ports for arbitrary access +one should additionally specify in the firewall setup +from which hosts and networks the access is allowed. +The YaST Firewall setup module can also be used +for such kind of more sophisticated firewall setup. </p>") + -// ConfigureNetworkScanning dialog help 3/4: +// ConfigureNetworkScanning dialog help 4/5: // Do not change or translate "net", it is a metadriver name. // Do not simply use "driver" because net is no normal driver but a metadriver. 
// Do not change or translate "saned", it is a program (sane daemon) name. @@ -287,7 +323,7 @@ Enter a comma-separated list of servers (server names or IP addresses). If no servers are entered, net is not activated. </p>") + -// ConfigureNetworkScanning dialog help 4/4: +// ConfigureNetworkScanning dialog help 5/5: // Be careful when you change or translate "local host configuration" // because this term is used also in a message of a Popup::ContinueCancel // and as label of a PushButton for a predefined configuration. -- To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org For additional commands, e-mail: yast-commit+help@opensuse.org
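Review bot: The changelog entry added in package/yast2-scanner.changes (hunk @@ -1,4 +1,21 @@) lists "Added X-KDE-SubstituteUID=true to src/scanner.desktop", but src/scanner.desktop is not among the files modified in r60192. Confirm that the desktop file change is committed in another revision, or move that line to the changelog entry of the revision that carries it.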
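Review bot: With the block removed from SetupNetworkScanningConfig() in src/Scanner.ycp (hunk @@ -2574,69 +2481,6 @@), nothing in the module calls SuSEFirewall::RemoveService( "sane-port", ..., "EXT" ) any more, and the matching "saned access from the external zone cannot be allowed." check is dropped from src/dialogs.ycp. If sane-port was already opened for the external zone, the user now only gets the generic popup from ShowFirewallPopup(). The new "Regarding Firewall" help text should say explicitly that an existing opening of port 6566 for the external zone has to be checked and closed in the YaST Firewall setup module.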
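Review bot: In the new ShowFirewallPopup() in src/Scanner.ycp (hunk @@ -2649,6 +2493,39 @@), the test "iptables -n -L | egrep -q 'DROP|REJECT'" lists only the IPv4 filter table, so a host whose packet filter rules exist only in ip6tables gets no popup; consider running the same check against "ip6tables -n -L" as well. The fallback comment before "return false" still names the "Print via Network" and "Share Printers" dialogs, which belong to yast2-printer, and should name the scanning via network dialog instead. In the doc comment, "all what happens it that" should read "all that happens is that".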
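Review bot: In src/dialogs.ycp (hunk @@ -633,15 +633,15 @@), the moved comment still says the back button "must be disabled" while the call below it is now Wizard::HideBackButton(). Reword the comment to say the button is hidden so that the ID `back is free for Wizard::SetAbortButton( `back, Label::CancelButton() ), which is the reason given in the log message. The added word "only" changes what the sentence claims about the style guide, and "stlye" is carried over misspelled.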
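Review bot: The four-clause condition added on the `next path in src/dialogs.ycp (hunk @@ -1070,71 +976,29 @@) is a verbatim copy of the one added before the input loop in hunk @@ -1040,6 +929,23 @@, comment included. Move it into one local helper that takes net_backend_hosts and saned_hosts and returns a boolean, so the two call sites cannot drift apart. The nested "if( ! firewall_popup_was_shown ) { if( Scanner::ShowFirewallPopup() )" can then collapse into a single condition.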
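Review bot: The new translatable "Regarding Firewall" string in src/helps.ycp (hunk @@ -262,19 +257,60 @@) contains several errors that should be fixed before translators pick it up: "Therefore is is not sufficient" should be "Therefore it is not sufficient", "Then those network interface" should be "Then that network interface", "to those port" should be "to that port", and "may result a problematic mix-up" should be "may result in a problematic mix-up". The sentence starting "For example when both the internal network" has no main clause and reads better joined to the preceding one.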
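Review bot: In src/helps.ycp (hunk @@ -287,7 +323,7 @@), the translator comment under "help 5/5" still says "local host configuration" is used "in a message of a Popup::ContinueCancel", but the Popup::ContinueCancel with that wording is removed from src/dialogs.ycp in this same revision. Check whether any other Popup::ContinueCancel still uses the term and, if not, drop that clause from the comment so translators are not sent looking for a message that no longer exists.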