Bug 1088447 - Firewall prevents DNS-SD/Bonjour/AirPrint
Status: RESOLVED INVALID
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: YaST2
Version: Current
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Assigned To: Johannes Meixner
QA Contact: Jiri Srain
Reported: 2018-04-06 10:18 UTC by Andreas Lauser
Modified: 2018-04-07 08:54 UTC
Description Andreas Lauser 2018-04-06 10:18:37 UTC
When I tried to set up my DNS-SD printer (i.e., a Canon Pixma MX920) via yast2 on a freshly updated openSUSE Tumbleweed system, nothing was found initially. I found this a bit surprising because everything worked fine with even older versions of Ubuntu.

After disabling the firewall via `systemctl stop firewalld.service`, the printer was properly discovered and works fine.

Comment 1 Steffen Winterfeldt 2018-04-06 11:23:11 UTC
Yes, that's basically the idea.

Johannes summarized the situation in

https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings

From what I understand the current situation is what it is.

Comment 3 Andreas Lauser 2018-04-06 11:51:30 UTC
I think this is quite a showstopper for openSUSE for most affected people. ("Ubuntu is much better than openSUSE, because there my printer works.") For advanced users like me, the problem with this was that there were no useful Google results for "Tumbleweed DNS-SD printer" et cetera.

I propose that YaST2 should at least show a dialog which tells the user that DNS-SD printers will not be usable with an active firewall before starting the printer discovery procedure.

Comment 4 Johannes Meixner 2018-04-06 11:52:01 UTC
Yes, things work as intended so that
there is no bug and the issue is invalid, cf.
https://bugzilla.suse.com/page.cgi?id=status_resolution_matrix.html

Andreas Lauser,
in particular see the section about
"It is crucial to not accept remote print queue information
 from untrusted hosts"
in that openSUSE SDB article in comment#1.

FYI
why
"everything worked fine with even older versions of Ubuntu"
see
https://fate.opensuse.org/316708
that reads (excerpt):
==============================================================
Regarding Ubuntu and firewall, see

https://help.ubuntu.com/13.10/serverguide/firewall.html
that reads:

---------------------------------------------- 
The default firewall configuration tool 
for Ubuntu is ufw. 
... 
ufw by default is initially disabled. 
-----------------------------------------------
==============================================================
versus
https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
that reads (excerpt):
==============================================================
The intended purpose of security measures is to make things
not "just work" which means security causes some kind of
annoyance for the user when things do not "just work"
out of the box. If everything would "just work" by default,
it would be totally insecure. 
==============================================================

Comment 5 Andreas Lauser 2018-04-06 12:01:44 UTC
> If everything would "just work" by default, it would be totally insecure.

Yes, on the other hand, a totally secure system is one where nothing works ;)

To be clear: I'm okay if I have to do something to make things work, but I would like to get some hints of what needs to be done.