On Thu, Jan 17, 2008 at 12:07:52AM +0000, Bastien Nocera wrote: Definitely. Also mdns enabled on desktop doesn't make sence for me. I think only ssh will be enabled on both server and desktop. Adam -- Adam Tkac, Red Hat, Inc.

On Thu, 2008-01-17 at 17:13 +0100, Tim Niemueller wrote: Does the "sharee" also need the IPP ports open? So a user would need to explicitly set "show printers shared by other systems" in s-c-printers--it couldn't be the default. ISTR some discussion in the past of why it was a bad idea for s-c-printers to open and close the ipp and lpr ports. (Don't have a link handy, but I think there was a BZ about this issue). -- Matthew Saltzman Clemson University Math Sciences mjs AT clemson DOT edu http://www.math.clemson.edu/~mjs

I just realized that my previous email was rather short. The current setup for printing and mDNS is perfect for our desktop machines. Let me give you a few impressions of the scenario why it fits so well: We have a central Fedora-based print-server. This uses cups broadcast messages to announce printers. A freshly installed desktop or laptop with udp:631 open will catch these messages and have the printer available, no configuration needed at all! So this port has to be open on the clients to get these auto-configure messages! On our network we make use of mDNS. For example our robots announce there services on the network. So in the control application you can just choose any of the currently available robots and start working, no typing of a robot name needed. For servicing it is also good to see VNC hosts in vinagre. No typing, it just works. About IPSec I'm not completely sure. But we are using a Cisco VPN Concentrator with vpnc. I don't know for sure atm if that is tunneled via UDP or if this needs AH/ESP at all. This should be investigated as this is a service provided by default via NetworkManager-vpnc! So I think having these ports open on a freshly installed desktop in fact makes a lot of sense, because it complements the "just works" ambitions the desktop has. For the IPSec more investigation would be needed if the protocols actually need to be open to establish a client connection. Tim -- Tim Niemueller <tim(a)niemueller.de&gt; www.niemueller.de ================================================================= Imagination is more important than knowledge. (Albert Einstein)

On Thu, Jan 17, 2008 at 12:48:27PM -0500, Jon Stanley wrote: I think you don't need open ports for VPN clients. State firewall should take care about such situation, doesn't? Adam -- Adam Tkac, Red Hat, Inc.

On Wed, 2008-01-16 at 18:52 +0100, Thomas Woerner wrote: I don't think it's a good default to have IPP disabled. The cupsd process already binds to localhost by default, and only binds to '*' when a printer is explicitly shared by the user. As for RPC services binding to the IPP port instead -- well, this is a bug that needs to be fixed regardless. Whether it's done with SELinux policy, or with a port reservation daemon, or with portmap/glibc hacks, I don't mind. It would be differnet if there were a mechanism that system-config-printer could use to request that the IPP port be opened (with user approval), perhaps based on PolicyKit. The truth is that there is no such mechanism, even though I have repeatedly asked for it. (No, lokkit is not sufficient: it needs to be something that a non-root user application can request, as system-config-printer will not run as root in the future.) Until that mechanism is provided, blocking the IPP port will make the user experience of sharing printers quite a lot worse, and will probably lead to people disabling the firewall altogether in the same way they have previously disabled SELinux. Just my humble opinion, Tim. */