Bugzilla – Bug 549065
yast2-printer: add test if firewall is used and if yes popup info regarding CUPS+firewall
Last modified: 2009-10-30 10:59:53 UTC
Because of https://bugzilla.novell.com/show_bug.cgi?id=468426#c8 there is currently in yast2-printer only a static text regarding firewall in the dialogs as follows:

In the "Print via Network" dialog the static text directly in the dialog reads:
----------------------------------------------------------
If a firewall is used, check that incomming packages on UDP port 631 are allowed.
----------------------------------------------------------
and the help text reads:
----------------------------------------------------------
Regarding firewall: Check if a firewall is active for a network zone in which printers are published via network. By default the SuSEfirewall allows any incomming information via a network interface which belongs to the 'internal zone' because this zone is trusted by default. If the remote CUPS servers and your system are in an internal network and when you trust all what there is in your internal network, your network interface must be set to be in the 'internal zone'. It does not make sense to have a network setup in a trusted internal network with a network interface which belongs to the untrusted 'external zone' which is the default setting for network interfaces to be safe. Do not disable firewall protection for CUPS (i.e. for IPP which uses TCP port 631 and UDP port 631) for the untrusted 'external zone'.
----------------------------------------------------------

In the "Share Printers" dialog the static text directly in the dialog reads:
----------------------------------------------------------
If a firewall is used, check that remote access to CUPS is allowed via IPP on port 631.
----------------------------------------------------------
and the help text reads:
----------------------------------------------------------
Regarding firewall: Check if a firewall is active for a network zone in which printers are made available via network to be used by trusted users (nobody lets arbitrary users print on his printer). By default the SuSEfirewall allows any access via a network interface which belongs to the 'internal zone' because this zone is trusted by default. If the CUPS server and the client systems are in an internal network and when you trust all what there is in your internal network, your network interface must be set to be in the 'internal zone'. It does not make sense to have a network setup in a trusted internal network with a network interface which belongs to the untrusted 'external zone' which is the default setting for network interfaces to be safe. Do not disable firewall protection for CUPS (i.e. for IPP which uses TCP port 631 and UDP port 631) for the untrusted 'external zone'.
----------------------------------------------------------

From my point of view sufficient information is there BUT some/many/almost-all? users do not notice and/or read it.

Therefore I think about an enhancement to make the firewall issue more noticeable by the user. Basically the idea is that a popup hopefully gets better awareness than just static text or help text. But I do not want to show a popup in any case regardless if actually a firewall is used because popups without a reason are an annoyance.

Because of bug #468426 I do no longer like to call the yast firewall module only to find out if a firewall is used or not (I do not want to find out if and how exactly the yast firewall module could tell me if any kind of firewall is used - not only the SuSEfirewall but also whatever selfmade set of iptables rules).

Therefore I think about a simple command line test like

    test "$( iptables -n -L | wc -l )" -gt "10" && echo firewall active

or perhaps even better

    iptables -n -L | egrep -q 'DROP|REJECT' && echo firewall active

to find out if any kind of firewall is used.

Note that because of https://bugzilla.novell.com/show_bug.cgi?id=468426#c8 "firewall check would not make much sense" such a popup would be shown additionally to the static text in the dialog.
Martin, what do you think from the usability point of view about such an additional popup?
I think it would be fine. Especially if it has some kind of "intelligence" (e.g. appear only if firewall is enabled). The text in the module could be removed, which would reduce the amount of information processed by the user. This would make it more simple to deal with the module.
Meanwhile I also think that the static text in the dialog could be removed because: I will do the test whether or not a firewall runs initially when the "Print via Network" and/or "Share Printers" dialogs are launched and also show the firewall info popup initially when those dialogs are launched provided that the settings in those dialogs are such that the firewall info popup makes sense, i.e.: In the "Print via Network" dialog only when something regarding "Accept printer information ..." is set and in the "Share Printers" dialog only if something regarding "Allow remote access" is set. If a user did such settings without a running firewall (i.e. no firewall info popup would have been shown) but later he starts the firewall which causes that printing stuff does no longer work, the user may launch those dialogs in the printer module to find out what is wrong there and then the test would notice a running firewall and show the firewall info popup so that the user is informed that the firewall is the actual reason why his printing stuff does no longer work.
Sounds like a good idea to me :-)
Of course this _IS_(!) a good idea ;-)
Fixed in YaST SVN trunk (i.e. for openSUSE 11.3)
---------------------------------------------------------------------
- Added a generic test if a firewall is used to Printerlib.ycp
  and if yes show popup info to the user regarding CUPS+firewall
  for the "Print via Network" and "Share Printers" dialogs
  (see Novell/Suse Bugzilla bnc#549065).
- 2.19.0
---------------------------------------------------------------------
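
The two one-line tests proposed in the description can disagree with the actual rule set, so the following added example (not the Printerlib.ycp code and not from this report's participants) goes one step further and parses the target column of `iptables -n -L` output. The sample listings are constructed, and the chain name LOG_DROPPED is hypothetical.

```shell
#!/bin/sh
# Added example, not YaST code. Reads `iptables -n -L` text on stdin.
# Live use (needs root): iptables -n -L | firewall_in_use && echo firewall active
# Exit 0 only if a built-in chain has policy DROP or a rule's
# target column (first field) is exactly DROP or REJECT.
firewall_in_use() {
    awk '
        $1 == "Chain" && $3 == "(policy" { if ($4 ~ /^DROP/) found = 1; next }
        $1 == "Chain" || $1 == "target" || NF == 0 { next }
        $1 == "DROP" || $1 == "REJECT" { found = 1 }
        END { exit !found }
    '
}

# Constructed listing: filtering by policy in only 9 lines,
# so the "more than 10 lines" test would report no firewall.
sample_policy_drop() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# Constructed listing: nothing is blocked, yet it has more than 10 lines
# and the string "DROP" appears in a chain name, so both one-liners fire.
sample_accept_only() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:631
LOG_DROPPED  all  --  0.0.0.0/0          0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LOG_DROPPED (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
EOF
}
```

An empty listing (for example when iptables is run without root privileges) also yields "no firewall", so a caller should check the exit status of iptables itself before trusting a negative result.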