In my opinion, requiring the user to deactivate the firewall to add a wireless printer is very poor in terms of security. It seems it’s the only way to connect a printer (setting the zone to “internal” wasn’t enough for me). I’m no security expert, but a firewall allowing printers seems more secure to me than no firewall at all.
It’s especially strange considering no other distro does that. I love Tumbleweed but this issue, in addition to being super infuriating, seems really easy to fix. I don’t know how this hasn’t been addressed yet.
It doesn’t require that (although it’s often easier for new Linux users to do so on a temporary basis). In general, opening the IPP and mDNS/SD ports is sufficient for dynamic network printer discovery.
Well that’s the thing, setting the zone to internal and adding both ipp and ipp-client to the list of open ports didn’t do it. I restarted the firewall twice, rebooted twice, still nothing. Deactivating the firewall was the only way.
Couldn’t agree more. I realize openSUSE has strong ties to the enterprise SUSE…but openSUSE is not an enterprise distro. Therefore, in areas like this, the defaults should be more sane for the desktop user openSUSE is aimed at.
Not being able to easily set up a printer is what drove Linus Torvalds to switch to Fedora. That says everything about whether this is a sane default for desktop users.
The Originator doesn’t mention which Desktop is being used …
Here with KDE Plasma and Leap 15.5 –
Printer configuration has plagued me for years – YaST was never really discovering network printers.
Then, due to another issue, I checked Zeroconf – the package “kdnssd” was missing –
This package adds Zeroconf support to KIO, allowing the use of this protocol in all applications that are using KIO.
I used to believe that YaST was Desktop independent but, suddenly, after installing the support for network service discovery to KIO (KDE Input/Output), YaST suddenly “found” (discovered) the network printers – currently connected to the printer via “dnssd:” and a UUID …
“lpinfo -v” also now finds the “ipp:” services as well as the “socket:” services via the fixed IPv4 addresses assigned to the printers by the DHCP server …
Nvm I found it, I chose my wifi connection from KDE’s network menu, and from there I can choose a firewall interface. Okay so it’s much clearer now, but I maintain it does be convoluted just to add a printer.
Not really. One (as the administrator of their system) just needs to be conscious of making sure that the firewall configuration is suitable for their needs. In this case the internal and home zones provide the necessary configuration for printer discovery via mDNS. Of course, the zones are just preset configurations that can be further configured as required for particular use cases.
Having used both openSUSE and Fedora extensively, there is a big difference. Fedora detects printers out-of-the-box, much like Ubuntu and Debian-based distros…openSUSE does not.
Fedora may use firewalld, but they have it pre-configured to allow printing, while openSUSE has it locked down and requires the user to set it up.
You didn’t need to do that. As a watcher, I see the reply anyway.
Yes, perhaps openSUSE is stricter, but that reduces security risk, and as the administrator of the openSUSE distro it is expected that users can cope with reading documentation as required and adjusting firewalls to suit their own needs. Not hard to change the zone (even via NetworkManager when configuring the network).
I don’t disagree that it makes it more secure, that’s one of the things I like about openSUSE. Nonetheless, when Linus Torvalds can’t even get printers working, it can be argued that it’s not just a matter of “reading documentation as required.”
openSUSE is literally the only mainstream distro that cannot print OOTB, without mucking around with the firewall. At some point, it doesn’t matter what the rationale is. When this keeps coming up over and over again, with many saying “just disable the firewall to print,” there’s an opportunity to do something better.
Perhaps a simple toggle on the welcome screen for newer users, a button that asks if they want printing enabled, that automatically sets the correct zone.
The problem here is not that openSUSE defaults to the safer public zone and other distros do not. It’s expecting the end-user to know about firewalls and zones in the first place.
The documentation shows a deprecated GUI utility to switch firewall zones.
The simplest solution would be to ask the user when they’re connecting to a new network whether to trust it or not. For example, this is what Windows does. You can always go into the network properties and make it public/private after the fact too.
On that note, does anyone here using firewalld change their zones before connecting to a different network? What do you use to do that, a bash alias, some toggling widget that executes the firewall-cmd command?
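Added example, not part of any post in this thread: a small shell audit that reports which zone an interface is bound to and which printer-discovery services that zone lacks, then prints the narrow `firewall-cmd` rules to add instead of turning the firewall off. The `REQUIRED` list, the interface name `wlan0` and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed samples standing in for real firewall-cmd output.
SAMPLE_ACTIVE='internal
  interfaces: eth0
public (default)
  interfaces: wlan0'
SAMPLE_PUBLIC='dhcpv6-client'

# Assumption: firewalld service names for the "IPP and mDNS" ports named in the thread.
REQUIRED="mdns ipp-client"

# zone_of_iface IFACE: reads `firewall-cmd --get-active-zones` output on stdin.
zone_of_iface() {
    awk -v want="$1" '
        /^[^ \t]/ { zone = $1 }          # unindented line is a zone header
        /^[ \t]+interfaces:/ {
            for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
        }'
}

# missing_services "LIST": LIST is the output of `firewall-cmd --zone=Z --list-services`.
missing_services() {
    out=""
    for need in $REQUIRED; do
        case " $1 " in
            *" $need "*) ;;                       # already allowed in the zone
            *) out="$out${out:+ }$need" ;;
        esac
    done
    printf '%s\n' "$out"
}

# fix_commands ZONE "LIST": prints (does not run) the rules to add as root.
fix_commands() {
    for svc in $(missing_services "$2"); do
        printf 'firewall-cmd --permanent --zone=%s --add-service=%s\n' "$1" "$svc"
    done
}

# Demo on the constructed samples. On a live system, feed real output instead:
#   firewall-cmd --get-active-zones | zone_of_iface wlan0
#   missing_services "$(firewall-cmd --zone=public --list-services)"
zone=$(printf '%s\n' "$SAMPLE_ACTIVE" | zone_of_iface wlan0)
echo "wlan0 is in zone: $zone"
echo "missing for printer discovery: $(missing_services "$SAMPLE_PUBLIC")"
fix_commands "$zone" "$SAMPLE_PUBLIC"
```

Moving the connection to a preset zone is the alternative to adding rules: `nmcli connection modify <connection-name> connection.zone home` binds that one network to `home` and leaves other networks in the default zone.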