Bug 379149

Summary: firewall enabled by default: modify network settings in 1st stage
Product: [openSUSE] openSUSE 11.0 Reporter: Jiří Suchomel <jsuchome>
Component: YaST2Assignee: Michal Zugec <mzugec>
Status: RESOLVED FEATURE QA Contact: Jiri Srain <jsrain>
Severity: Enhancement    
Priority: P5 - None CC: coolo, locilka, security-team
Version: Alpha 3plus   
Target Milestone: ---   
Hardware: Other   
OS: Other   
See Also: https://fate.suse.com/303859
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Jiří Suchomel 2008-04-11 13:41:44 UTC 
The feature of "Automatic Configuration" has a nice effect of not asking users for accepting all the default settings. However, there's (at least) one setting that is default but still not widely accepted (I think so - at least I change it always): it's the firewall that is automatically running.

Wouldn't it be good to have some simple client, only opened from installation proposal upon user's request (so not by default) where could be this option configured?
Comment 1 Stephan Kulow 2008-04-13 17:54:01 UTC 
it's not a big problem, but I'm afraid of your "at least", because I think it would open a never ending flood of second stage features coming in. So I would like to wait for beta1 feedback, before I give green light.

I wonder how hard it is though, the users in first stage caused quite some effort, no?
Comment 2 Jiří Suchomel 2008-04-14 05:39:59 UTC 
(In reply to comment #1 from Stephan Kulow)

> I wonder how hard it is though, the users in first stage caused quite some
> effort, no?

Yes, but saving one boolean value would be a different thing. But it is true that than someone might want full network setup in the 1st stage...
Comment 3 Stephan Kulow 2008-04-16 07:29:33 UTC 
I know that it was actually the security teams's biggest concern that people will hate the default firewall even more if they are unable to disable it easily. Would this be ok to PM?
Comment 4 Marcus Meissner 2008-04-18 18:58:16 UTC 
from a security point of view, its fine to have a "firewall: yes/no" question in 1st stage.

there have not been that many complaints about the default firewall yet however.
Comment 5 Stephan Kulow 2008-04-19 07:23:16 UTC 
I don't have any objections either for this to go in if Michal's time allows. But please make sure that we don't pull the whole firewall/network stack into first stage. It really has to be a minimal client
Comment 6 Michal Zugec 2008-04-21 08:34:43 UTC 
Minimal network client - can we re-use that dropped one (used for set up network for additional repos in 1.st stage)?
Comment 7 Lukas Ocilka 2008-04-21 10:18:33 UTC 
It's not a 'dropped one', we still have and use it.
inst_network_check.ycp + inst_network_setup.ycp

And of course, the network setup is very different to anything used in second stage. Also writing a firewall isn't prepared for such a feature (write only?).
Comment 8 Jiří Suchomel 2008-04-21 10:25:33 UTC 
IMHO the implementation of this feature could be very simple: just writing somewhere (Directory::vardir) the information if firewall should be enabled or disabled. During the second stage, such information is read anyway by network configuration ("enable_firewall" in control.xml), the only added part here would be that if there exist some saved value from first stage, it would serve as a new default instead of the one found in control file.
Comment 10 Michal Zugec 2008-05-09 14:00:26 UTC 
Sorry, I don't have time for that now
Comment 11 Stephan Kulow 2008-06-25 09:11:22 UTC 
mass reopening of later+remind bugs of 11.0
Comment 13 Michal Zugec 2008-07-06 17:02:20 UTC 
Closed, it's feature in FaTE