http://bugzilla.novell.com/show_bug.cgi?id=610327
http://bugzilla.novell.com/show_bug.cgi?id=610327#c6
--- Comment #6 from Johannes Meixner 2010-06-01 09:58:08 UTC ---
According to comment #4 the issue should not happen
when the 'cups' service is not added to the SuSEfirewall2 configuration.
But as far as I know there is nothing like 'ipp|cups|631'
by default in /etc/sysconfig/SuSEfirewall2
so that I do not understand why it also happens in case of
a new 11.3 installation from scratch (see comment #2)?
Lukas, Ludwig,
do you know why it also happens in case of
a new 11.3 installation from scratch?
Regarding comment #5:
when /etc/sysconfig/SuSEfirewall2.d/services/cups exists,
almost all normal users who want to print in their
internal network just open the IPP port in the firewall
because by default any network interface is assigned
to the EXT zone so that printing via internal network
does not work and then almost all users find the "solution"
to just open the IPP port in the firewall.
Therefore the plain existence of
/etc/sysconfig/SuSEfirewall2.d/services/cups
leads to a security hole for almost all normal users
who want to print in their internal network.
For the exceptional case when the firewall protects even
the INT zone, the user had set this up manually and intentionally,
and then the user can also open the IPP port
for TCP and UDP manually and intentionally.
If I could specify in
/etc/sysconfig/SuSEfirewall2.d/services/cups
that this service is only available for the INT zone,
I would re-add it.
In this case I would even think about a
/etc/sysconfig/SuSEfirewall2.d/services/sane
because both CUPS and SANE are services which are only
intended for the INT zone but not for the EXT zone.
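A check for the situation described in this comment, as an added example that is not part of the original bug report or of SuSEfirewall2 itself: it reports whether a SuSEfirewall2 sysconfig file opens CUPS/IPP in the EXT zone via FW_CONFIGURATIONS_EXT, FW_SERVICES_EXT_TCP or FW_SERVICES_EXT_UDP. The function names and the two sample files are constructed for illustration; on a real system the argument would be /etc/sysconfig/SuSEfirewall2.

```shell
#!/bin/sh
# Added example: detect CUPS/IPP being opened in the SuSEfirewall2 EXT zone.

# Print every EXT-zone setting that names cups, ipp or 631 (or a port range
# covering 631). Returns 0 if at least one was found, 1 otherwise.
ipp_open_in_ext() {
    conf=$1; found=1
    for var in FW_CONFIGURATIONS_EXT FW_SERVICES_EXT_TCP FW_SERVICES_EXT_UDP; do
        # Last uncommented assignment wins, as it would when the file is sourced.
        val=$(sed -n "s/^[[:space:]]*$var=//p" "$conf" | tail -n 1 | tr -d "\"'")
        for tok in $val; do
            case $tok in
                cups|ipp|631) echo "$var: $tok"; found=0 ;;
                *:*)  # port range such as 600:700
                    lo=${tok%%:*}; hi=${tok##*:}
                    if [ "$lo" -le 631 ] 2>/dev/null && [ "$hi" -ge 631 ] 2>/dev/null; then
                        echo "$var: $tok"; found=0
                    fi ;;
            esac
        done
    done
    return $found
}

# Write two constructed sample files into directory $1.
write_samples() {
    cat > "$1/default" <<'EOF'
# FW_SERVICES_EXT_TCP="631"   (commented out, must be ignored)
FW_CONFIGURATIONS_EXT=""
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
EOF
    cat > "$1/opened" <<'EOF'
FW_CONFIGURATIONS_EXT="sshd cups"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP="600:700"
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp/default" "$tmp/opened"; do
    if ipp_open_in_ext "$f"; then echo "$f: IPP opened in EXT"; else echo "$f: IPP not opened in EXT"; fi
done
rm -rf "$tmp"
```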