Bug 90946

Summary: Printer browsing does not work...
Product: [Fedora] Fedora
Component: system-config-securitylevel
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Jim Gettys <jim.gettys>
Assignee: Chris Lumens <clumens>
QA Contact: Brock Organ <borgan>
CC: aleksey, clumens, kyrsjo, mjs, nobody+pnasrat, twaugh
Doc Type: Bug Fix
Last Closed: 2005-12-02 16:29:32 UTC
Bug Blocks: 116998, 150221
Attachments:
- patch to add IPP checkbox
- gtk.FALSE is deprecated, use False instead patch
- cleanup, add better descriptions and set https manually

Description Jim Gettys 2003-05-15 18:04:27 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030502
Debian/1.2.1-9woody3

Description of problem:
Can't see printers being offered from CUPS servers; browsing isn't
working.


Version-Release number of selected component (if applicable):
redhat-config-printer-0.6.53.1

How reproducible:
Always

Steps to Reproduce:
1. Install fresh redhat 9; enable firewall when requested
2. configure a printer and export it for public use.
3. Look for that printer from another machine.
    

Actual Results:  No printer is visible.

Expected Results:  Printer should be visible from another machine.

Additional info:

Best guess is that the firewall was inhibiting the browse
packets to/from cups, so no printers are seen.

I've since turned off the firewall "feature", and things work.

Services such as this need some way to enable the right ports.

Comment 1 Tim Waugh 2003-05-16 09:47:59 UTC
Perhaps anaconda ought to have a checkbox for that in the firewall screen.

It would be nice if there was some generic way for an app to (a) find out if the
firewall is blocking ports it might want to use, (b) prompt the user about it,
(c) optionally (at user control) punch a hole through.

Comment 2 Michael Fulbright 2003-05-16 16:11:54 UTC
This is a problem that needs to be handled by the distribution post-install.  The
high level of firewall is intended to prevent any ports from being exposed. 
This is the default, intended behavior.

Perhaps lokkit needs to be modified to change the meaning of the 'medium'
setting if it does not let this transaction occur.

Comment 3 Tim Waugh 2003-05-19 17:33:12 UTC
*** Bug 91162 has been marked as a duplicate of this bug. ***

Comment 4 Tim Waugh 2004-02-06 10:15:15 UTC
*** Bug 115058 has been marked as a duplicate of this bug. ***

Comment 5 Aleksey Nogin 2004-02-06 10:26:46 UTC
In dup bug 115058 I suggested that r-c-p on "Activate" should ask user
whether the firewall rules should be updated.

Comment 6 Tim Waugh 2004-03-10 13:18:08 UTC
Bill: so what's the solution to this?

Comment 7 Bill Nottingham 2004-03-10 16:38:58 UTC
Ideally? Have the kernel understand that responses to such broadcast
requests fall into the 'RELATED' category so that the firewall will
let them through.

Comment 8 Tim Waugh 2004-03-10 16:41:28 UTC
Broadcast requests?  There are none.  cupsd just listens for IPP
browse broadcasts.

Comment 9 Bill Nottingham 2004-03-10 17:39:00 UTC
Ah, so it's unlike SMB in that respect; it does not actually send a query.

cups printers just occasionally broadcast their availability?


Comment 10 Tim Waugh 2004-03-10 17:42:51 UTC
Yes, as I understand it.

Comment 11 Tim Waugh 2004-03-25 15:27:02 UTC
So can we at the very least say something in the online anaconda help
about

 "put ipp:udp in this box if you want to print"

?

Comment 12 Bill Nottingham 2004-03-25 21:42:42 UTC
Well...

In FC2 lokkit now reads and acts on the current firewall config. So,
you can just run:

lokkit --port=ipp:udp

and it will modify the currently running firewall.


Comment 13 Tim Waugh 2004-03-25 21:45:47 UTC
Thanks, that ought to do it. :-)

Seriously, it shouldn't be something you can't do with the mouse at
install time.

Comment 14 Tim Waugh 2004-03-29 21:52:04 UTC
Hmm, so actually that means that system-config-printer can request a
hole in the firewall?

Is there a way for it to ask if there is already such a hole?  If so
it makes an easy pop-up dialog.

Comment 15 Bill Nottingham 2004-03-29 21:59:15 UTC
No, there's not a really *good* way to ask for the hole. It can read
through /etc/sysconfig/system-config-securitylevel. But that's sort of
a hack.

Comment 16 Bill Nottingham 2005-03-02 18:51:31 UTC
This is currently in FC3.

Comment 17 Tim Waugh 2005-03-12 13:42:45 UTC
Doesn't fully work though.  See:

https://www.redhat.com/archives/fedora-test-list/2005-March/msg00156.html

Comment 18 keith adamson 2005-03-12 19:14:09 UTC
Created attachment 111922
patch to add IPP checkbox

Comment 19 keith adamson 2005-03-12 19:29:51 UTC
Created attachment 111923
gtk.FALSE is deprecated, use False instead patch

gtk.FALSE is deprecated, use False instead patch

Comment 20 keith adamson 2005-03-13 01:37:42 UTC
Created attachment 111929
cleanup, add better descriptions and set https manually

The last three patches go in sequence on:

system-config-securitylevel-1.5.1

Comment 21 keith adamson 2005-03-13 03:10:35 UTC
RFE ... 

1.  Change "Trusted services" to "Hosted Servers\nOpen Portal".

2.  Add a new section "Network Discovery\nOpen Portal" for
setting/unsetting ports for various udp listening services:

IPP (Printer discovery)
224.0.0.251:5353 (Apple Rendezvous)

3.  Move "Trusted devices" to a new tab at top labeled "Network
Interfaces".  

4.  Change "Trusted devices" to "Network Interfaces" and add a column
showing the IP address.

5.  Change "Trusted" to "Firewall" and invert the logic.

6.  Change "Masquerade" to "Internet"

If you agree with these I'll work up some patches.  I'm open for
comments or suggestions.


Comment 22 keith adamson 2005-03-13 03:34:44 UTC
One more thing.  Change the format for entering "Other ports" to allow
the specification of port ranges.  Example:

"23:25, 34/tcp, 44:48/udp"

Would open ports 23 to 25 for all protocols, port 34 for tcp and 44 to
48 for udp.
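
Added example, not part of the comment above or of the system-config-securitylevel code: a strict parser for the "Other ports" range format proposed in comment 22, written so that a typo is rejected instead of silently widening the firewall. The function names are hypothetical, and treating "all protocols" as tcp plus udp is an assumption.

```python
import re

# Assumption: "all protocols" in the proposal means both tcp and udp.
ALL_PROTOCOLS = ("tcp", "udp")
# One entry: PORT, optional :PORT for a range, optional /PROTOCOL.
_ENTRY = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?(?:/([a-z]+))?$")


def parse_other_ports(spec):
    """Parse a spec such as "23:25, 34/tcp, 44:48/udp".

    Returns a sorted list of (protocol, low, high) tuples. Raises ValueError
    on anything malformed, so bad input never becomes an open port.
    """
    rules = set()
    for raw in spec.split(","):
        entry = raw.strip().lower()
        if not entry:
            raise ValueError("empty entry in %r" % spec)
        m = _ENTRY.match(entry)
        if m is None:
            raise ValueError("malformed entry %r" % entry)
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        # Reject port 0, ports above 65535 and reversed ranges.
        if not 1 <= low <= high <= 65535:
            raise ValueError("bad port range in %r" % entry)
        proto = m.group(3)
        if proto is None:
            protos = ALL_PROTOCOLS
        elif proto in ALL_PROTOCOLS:
            protos = (proto,)
        else:
            raise ValueError("unknown protocol in %r" % entry)
        for p in protos:
            rules.add((p, low, high))
    return sorted(rules)


def is_open(rules, protocol, port):
    """True if some parsed rule covers protocol/port."""
    return any(p == protocol and lo <= port <= hi for p, lo, hi in rules)


if __name__ == "__main__":
    rules = parse_other_ports("23:25, 34/tcp, 44:48/udp")  # spec from comment 22
    for proto, low, high in rules:
        print(proto, low, high)
    print("udp/631 open:", is_open(rules, "udp", 631))
```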

Comment 24 Chris Lumens 2005-03-29 16:55:04 UTC
*** Bug 142549 has been marked as a duplicate of this bug. ***

Comment 25 Chris Lumens 2005-03-29 16:59:36 UTC
*** Bug 145243 has been marked as a duplicate of this bug. ***

Comment 26 Chris Lumens 2005-11-04 21:39:10 UTC
Taking the easy fix and adding a hole for ipp:tcp as well.  I have bigger plans
for the firewalling in s-c-securitylevel along the lines of making it more
task-based and allowing programs to request ports opened temporarily/permanently
for post-FC5 so it's not worth doing a huge amount of work on this right now.

Comment 27 Chris Lumens 2005-11-07 15:29:40 UTC
Please test tomorrow's s-c-securitylevel package in Rawhide.