Re: [opensuse-factory] suggested work around for zypper/libzypp
Stanislav Visnovsky wrote:
On Thursday 04 October 2007 16:24:43 Carlos E. R. wrote:
The Thursday 2007-10-04 at 10:00 -0300, Gabriel . wrote:

I agree that on a running system, this is not the most effective approach. What needs to be determined is to figure out how much space you can spare to download the packages and this is not very easy to do. Just imagine a package that will need to create a big new file in its post-install script (think initrd for a new kernel). You can hardly predict, only to use heuristics.

I agree, but it could be an option (where the user configures the repos) to choose what method will be used.

Remember that till suse 10.0 that was what was done. Yast first downloaded all, then installed all, then removed or kept (user option) all files. The point is to reinstate the old behaviour.

Are you sure about this?

He is right, but only in YOU mode. In YOU mode first all packages were downloaded, then all deltas applied, finally all packages got installed. This way you could go offline after download was finished (unless you used the nvidia, fonts etc. pseudo update). Normal installation and distro upgrade always downloaded and installed one package at a time.

cu
Ludwig

--
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Re: [opensuse-factory] build vs. lbuild
Peter Czanik wrote:

I tried to compile a package using current factory sources, and ran into the following problem using lbuild:

  expanding package dependencies...
  expansion error
  nothing provides /lib/libreadline.so.5.2 needed by bash
  nothing provides /lib/libhistory.so.5.2 needed by bash

and it is actually right:

  pegasos0917:/data/10.3/suse/ppc # rpm -qp --provides libreadline5-5.2-16.ppc.rpm
  bash:/lib/libreadline.so.5
  readline = 5.2
  libhistory.so.5
  libreadline.so.5
  libreadline5 = 5.2-16

On the other hand 'build' can build the package from the same spec file. It's just a lot more slow to start up, and inconvenient to use... Which one is right?

And a bonus question: is it worth reporting this dependency bug, now that only critical bugs are fixed? Or belongs this to the critical category? Even if it's not in factory, It certainly makes lbuild useless, which is also used by the PackMan team... (actually, I ran into the problem by trying to recompile a packman package for 10.3 on PPC).

Please file a bug and assign it to me. Please include more details how to reproduce.

cu
Ludwig
Re: [opensuse-factory] Linux and HiDef TV
Donn Washburn wrote:

I may be saying goodbye to my old Hauppauge Model 401 pci bus TV/FM perfectly good card due to the FCC forcing HiDef down our throats. To that is there a good Linux PCI HiDef TV/FM card out there? As I remember at the first of 2009 this switch will take effect. The local FREE TV station will drop analog and go to the forced on the broadcaster and us HD TV. My guess is the US government is looking for fees, and taxes as income. Most people are happy with their old analog TVs Shades of Quad HiFi!!

Digital TV is great and does not necessarily mean pay-TV, HDTV or even a conspiracy. Have a look at http://www.linuxtv.org/wiki

Unfortunately DVB uses MPEG and many cards require firmware so you won't be able to watch TV out of the openSUSE box anymore even though the hardware is supported in principle.

cu
Ludwig
Re: [opensuse-factory] Linux and HiDef TV
Sid Boyce wrote:
Ludwig Nussel wrote:
Donn Washburn wrote:

I may be saying goodbye to my old Hauppauge Model 401 pci bus TV/FM perfectly good card due to the FCC forcing HiDef down our throats. To that is there a good Linux PCI HiDef TV/FM card out there? As I remember at the first of 2009 this switch will take effect. The local FREE TV station will drop analog and go to the forced on the broadcaster and us HD TV. My guess is the US government is looking for fees, and taxes as income. Most people are happy with their old analog TVs Shades of Quad HiFi!!

Digital TV is great and does not necessarily mean pay-TV, HDTV or even a conspiracy. Have a look at http://www.linuxtv.org/wiki

Unfortunately DVB uses MPEG and many cards require firmware so you won't be able to watch TV out of the openSUSE box anymore even though the hardware is supported in principle.

Hm I've been using DVB cards for a few years now, just replacing xine-lib from the distro. Should that read won't be able to watch TV with openSUSE out of the box?

Sure. It's not rocket science but you still need to know where and what to look for.

cu
Ludwig
Re: [opensuse-factory] Factory update breaks the system (resmgr problem)
Silviu Marin-Caea wrote:

I have just performed an update to latest factory, and there must be something broken with resmgr. /dev/null is not accessible by my user, I get /dev/null permission denied when I log in the console, and KDE does not start at all. I have stopped the resmgr service and then chmod a+rw /dev/null, to be able to use KDE.

resmgr is completely unrelated here, it's syslog-ng.

cu
Ludwig
Re: [opensuse-factory] util-linux-crypto
Doctor Nemo wrote:

I have OpenSuSE 10.3 Alpha6. I have an encrypted partition. Where is util-linux-crypto? I need it to decrypt the partition. The DVD does not contain it.

Renamed to cryptsetup.

cu
Ludwig
Re: [opensuse-factory] Re: no sound for $USER in 10.3Alpha5
Clayton wrote:

If it's me, I'd like to know what it is I am doing to cause the system to assign wrong permissions during a clean install. If it's not me, then why is it still happening? What is causing me to run into this annoyance on almost every install I do? (I say almost because when I installed from the 10.3A5 KDE iso instead of the 10.3A5 GNOME iso on the same hardware in a clean partition it worked correctly without needing to fix permissions on /dev).

The gnome 1CD version simply lacks hal-resmgr which is responsible for setting device permissions. I've just filed #285057 for that.

cu
Ludwig
Re: [opensuse-factory] Making Basic Utilities work under normal user
Jonathan Arsenault wrote:
On Sat, 2007-05-26 at 02:35 +0300, Alexey Eremenko wrote:

Anyways, I'm not satisfied. I want to have access to my ifconfig from normal user.

Yes, lets change the UNIX way for the unsatisfied kid ... Snip from the FHS.

/sbin : System binaries
Purpose
Utilities used for system administration (and other root-only commands) are stored in /sbin, /usr/sbin, and /usr/local/sbin.
http://www.pathname.com/fhs/pub/fhs-2.3.html#SBINSYSTEMBINARIES

So what? That doesn't tell anything about whether it makes sense to have sbin in $PATH. I'd vote for appending sbin to regular users' $PATH by default. There are many tools in sbin that can be called as user to display at least some status information (or even just the help text). The clueless don't use the shell anyways and therefore don't care.

cu
Ludwig

--
Ludwig Nussel
SUSE Labs
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Re: [opensuse-factory] Making Basic Utilities work under normal user
Jonathan Arsenault wrote:
On Tue, 2007-05-29 at 09:08 +0200, Ludwig Nussel wrote:

I'd vote for appending sbin to regular users' $PATH by default. There are many tools in sbin that can be called as user to display at least some status information (or even just the help text). The clueless don't use the shell anyways and therefore don't care.

Many tool usable by user in there, like what ? ifconfig and iwlist are the exception and not the rule, ip that a user should use instead of deprecated ifconfig is symlinked to /bin already.

route, traceroute, nfsstat, alsactl, lpc, mkfs ... I'm sure you'll find dozens more.

Look at the 270'or so binary in /sbin and the 330'or so in /usr/sbin (/opt/gnome/sbin and /opt/kde3/sbin even) and tell me that they belong into a user path, if you think about answering yes to that then explain to me why they needed to be separated in the first place from normal bin. Lets just stuff them all in a giant directory and be done with it ...

The question was not whether the file system layout as we know it still makes sense but whether non-root users would benefit from quick access to sbin binaries by default. Changing the default[1] PATH is probably the most simple way to achieve that if you don't want to touch individual packages and add extra symlinks.

cu
Ludwig

[1] which means you'd be free to change it back
Re: [opensuse-factory] cryptsetup, some old, big and fat disks with encryption=twofish256, ...
Jochen Hayek wrote:

I have a few disks with fstab entries like this one:

  noauto,nocheck,acl,user_xattr,loop=/dev/loop0,encryption=twofish256,phash=sha512,itercountk=100

I would like to mount them under 10.3Alpha3 resp. SUSE Factory. cryptsetup's manual page says

  COMPATABILITY WITH OLD SUSE TWOFISH PARTITIONS
  To read images created with SuSE Linux 9.2's loop_fish2 use --cipher twofish-cbc-null -s 256 -h sha512, for images created with even older SuSE Linux use --cipher twofish-cbc-null -s 192 -h ripemd160:20

but if twofish-cbc-null is not listed in /proc/crypto , there is no way getting this working, right?

That's not the problem. The fstab line means you use losetup to set up an encrypted loop device. When migrating util-linux to util-linux-ng the loop-AES patch got dropped. The itercountk option was part of that patch. As a quick workaround to be able to access your data you can install util-linux (or just mount/losetup) from 10.2. The plan is to not reintroduce the loop-AES patch (yast never offered to use any of its options right?) and also to get rid of the loop_fish2 kernel module for 10.3 though.

Shall I just forget twofish256 and migrate all my encrypted disks?

If that's an option for you it certainly makes sense to use a more secure on-disk format. 10.3 should still be able to read old images though. Therefore cryptsetup/dm-crypt do support the loop_fish2 format (twofish-cbc-null) in factory already. What's missing atm is the ability to generate keys compatible with the loop-AES patch. Please file a bug and assign it to me, I'll consider implementing replacements for itercountk and pseed options in cryptsetup.

cu
Ludwig
Re: [opensuse-factory] /etc/init.d/boot.crypto , LUKS extension, unattached devices
Volker Kuhlmann wrote:
On Sun 29 Apr 2007 09:11:12 NZST +1200, Jochen Hayek wrote:

May I suggest a change to /etc/init.d/boot.crypto ?

Thanks for that, I second your suggestions. A few days ago I had a play with an encrypted removable disk. My comments:

1) The only way to create such a disk, on a removable memory gimmick which are of plentiful supply and very popular, is to go into yast disk partitioner and to click a few dire warnings this is only for advanced... out of the way, and going all the way with custom. Actually same issue with non-encrypted removable storage. Something more user-friendly would be a good idea for 10.4.

2) The only functional fstab entry I found is:

  /dev/disk/by-id/usb-HTS54104_MPB2LAX2xx_B26A82xx-part1 /media/portable2 ext3 loop,encryption=twofish256,acl,user_xattr,user,nosuid,nodev,noexec,noauto 0 0

For the reasons Jochen explained, reference by sdXN is useless. The yast fstab editor (disk partitioner) is unable to create such an entry, because as soon as encrypt filesystem is clicked, the button to enter the 4 advanced options disappears from the screen. Of those 4 options (of referencing the partition), only by-ID can work. So the other 3 (but UUID, etc) should be greyed out or disappear, but by-ID must stay, in fact it should be default.

That's unrelated to boot.crypto. Please consider filing a bug for YaST.

3) The system (tested 10.2) fails to load the cryptoloop module. This must be loaded manually by root first, or the filesystem can never be mounted. One could add it to MODULES_LOADED_ON_BOOT. boot.crypto loads it but *only* if a fixed disk with encrypted fs is also in the system.

10.3 boot.crypto will not use cryptoloop so that problem should be obsolete.

4) Optical problem only: If /etc/cryptotab exists, boot.crypto switches to text console, finds it doesn't have to do anything because I commented out the lines but don't want to delete them as it has the info I need for fstab, or because the disk is currently not plugged in, then switches back to graphics boot screen.

Please file a bug and assign it to me.

5) The removable disk must be mountable by $user, as the other movable storage things.

6) There's no desktop auto-popup asking for the fs crypto password.

hal supports both for LUKS volumes at the backend side of things. KDE/GNOME need to implement the UI. On the command line you can mount such volumes with the halmount script (in a still slightly inconvenient way though).

cu
Ludwig
Re: [opensuse-factory] Minutes from 2007-03-23 dist meeting
Andreas Jaeger wrote:

Let's look what can be done for ntp - and later look at other services.

Note the ntp service is also useful for machines without network (serial DCF77 clock).

Right now the dispatcher script sends a signal to ntp if the IP address changes but during boot ntp starts even if network is not running. Suggestion: ntp start script should figure out if NetworkManager is running and if it is only start if network is up - otherwise the dispatcher script will start it.

At home my ntpd starts up with no servers defined and the ip-up script adds time servers via ntpdc IIRC. Requires that the local clock is sufficiently exact though. I'm not sure if there is a way to remove time servers from a running ntpd again though.

Dial-in support for NetworkManager to support ISDN, Modem, UMTS, 3G cards is being worked on and should be ready for openSUSE 10.3.

Whatever that means. Does it use existing config files as created by yast?

cu
Ludwig
Re: [opensuse-factory] Minutes from 2007-03-23 dist meeting
JP Rosevear wrote:
On Fri, 2007-03-23 at 14:44 +0100, Ludwig Nussel wrote:
Andreas Jaeger wrote:

Dial-in support for NetworkManager to support ISDN, Modem, UMTS, 3G cards is being worked on and should be ready for openSUSE 10.3.

Whatever that means. Does it use existing config files as created by yast?

Potentially, just as we can use yast info for wireless and wired configs now, however the upstream implementation will not do this by default of course, it will have its own PPP config UI. How much knowledge we can extract from yast to implement the upstream config is an open question.

Which distro serves as model for the upstream config?

cu
Ludwig
Re: [opensuse-factory] Linux audio foks
Sid Boyce wrote:

I and several others have had similar permissions problems with gizmo which actually said there was no audio device. I did strace and submitted it to the forum, but the mystery continued. Then I had a brainwave, tried it as root and it was AOK. So I added the user to audio in /etc/group, also did the same for video a while back when kaffeine complained about no video, though OK with audio.

Sound and DVB devices are supposed to be detected by hal. hal-resmgr will take care of device permissions when you log in then. There is no need to put users in the audio or video group. If permission handling doesn't work for some reason please file a bug report, assign it to me and attach the output of lshal, /usr/sbin/hal-resmgr --list-all and /sbin/resmgr sessions.

cu
Ludwig
Re: [opensuse-factory] Printing in openSUSE 10.3
JP Rosevear wrote:
On Thu, 2007-03-01 at 11:29 +0100, Ludwig Nussel wrote:
JP Rosevear wrote:

One good use case we've seen with customers is that they don't want to give out the root password because that would enable users to do anything they want like update packages.

What specific part of printer configuration should a user be able to do without authentication? Demanding that users must be able to configure printers without knowing the root password is too coarse grained. AFAICS the YaST2 printer module for example offers to reconfigure the firewall and to install additional packages when needed also as part of printer configuration.

Adding printers. You can get large setups with dozens or hundreds of printers.

Are you talking about setups where you plug in your shiny new USB printer and want it to just work or are you talking about network printers? I was assuming you were talking about the former but I somehow doubt that hundreds of printers need to be configured in that scenario ;-)

cu
Ludwig
Re: [opensuse-factory] Making the basesystem smaller
Klaus Kaempf wrote:
* [EMAIL PROTECTED] [EMAIL PROTECTED] [Jan 18. 2007 09:52]:

I think it would be enough to have a login and a !!small!! yast for installing more packages.

If we are talking about a _really_ small base system, it should include RPM at most but not YaST. YaST is a convenience application for systems management and should be optional.

Well, since yast asks for the root password in 2nd stage a system without yast would be somewhat useless as you couldn't even log in after installation.

cu
Ludwig

--
Ludwig Nussel
SUSE LINUX Products GmbH, Development
http://www.suse.de/
Re: [opensuse-factory] Massive Feature Request of new Yast Modules for 10.3
Lukas Ocilka wrote:
Pascal Bleser wrote:
Lukas Ocilka wrote:
Pascal Bleser wrote:

What do you think ?

I'd rather vote for enhancing the firewall module ;) FTP server isn't a bad idea though, help about that is asked now and then on #suse (IRC).

I have plans (and features) to enhance the firewall module in 10.3 but it would be nice to hear what exactly users need. Could you, please, give me more information? You can also send me a patch then :)

;) http://lists.opensuse.org/opensuse-factory/2006-06/msg00262.html

I see, this one :) It's a planned feature for 10.3 (if possible).

http://lists.opensuse.org/opensuse-factory/2006-06/msg00278.html
http://lists.opensuse.org/opensuse-factory/2006-06/msg00265.html

See also /usr/share/SuSEfirewall2/services/

cu
Ludwig
Re: [opensuse-factory] Massive Feature Request of new Yast Modules for 10.3
Lukas Ocilka wrote:
Hans Witvliet wrote:
On Mon, 2006-11-27 at 18:04 +0100, Lukas Ocilka wrote:
Pascal Bleser wrote:

What do you think ?

I'd rather vote for enhancing the firewall module ;) FTP server isn't a bad idea though, help about that is asked now and then on #suse (IRC).

I have plans (and features) to enhance the firewall module in 10.3 but it would be nice to hear what exactly users need.

IPv6

We have these features available for IPv6 in /etc/sysconfig/SuSEfirewall2:

  FW_IPv6 (no,drop,reject) # What to do with IPv6 Packets?
  FW_IPv6_REJECT_OUTGOING (yes,no) # Reject outgoing IPv6 Packets?

I don't think those options should be exposed in the UI. They are just workarounds for kernels that lack v6 connection tracking

These rules should also work for IPv6 if state matching is available:

  FW_SERVICES_*_TCP
  FW_SERVICES_*_UDP
  FW_SERVICES_*_IP
  FW_SERVICES_*_RPC

But SuSEfirewall2 on my 10.2 says:

  Warning: ip6tables does not support state matching. Extended IPv6 support disabled.

Whence it follows that there are two issues:

1.) Enable state matching in ip6tables (maybe simple)

The new and AFAIK still experimental connection tracking code has to be enabled in the kernel. SuSEfirewall2 itself supports most of its features also with IPv6. It's untested since SLES9 though due to lack of kernel support.

cu
Ludwig
Re: [opensuse-factory] permissions for sound, dvd, etc
On Monday 21 August 2006 21:05, Andreas wrote:

I would like to change the default permissions for the sound devices and the removable media. Right now (10.2 Alpha 3) the first user wins, meaning whoever logs on first gets the exclusive rights on the devices. Not very user friendly, except when you're the first one.

That's not the case. All users logged in via console or xdm have access to sound devices thanks to resmgr (provided that the kernel supports ACLs on /dev). Mounting of removable media is likely broken due to PolicyKit not being properly integrated yet, that's a problem unrelated to device permissions.

cu
Ludwig
Re: [opensuse-factory] SPAM: Warning! SuseFirewall2 by default allow any port for INCOMING!
houghi wrote:

[...] Is it traffic generated by the server then it is outbound. If it is traffic for the server, then it is inbound. If the server IS the firewall, then a connection from WAN to LAN will be both inbound and outbound. Client asks the server access on port 80 - Inbound. Server passes it on to the correct place - Outbound.

From iptables' point of view it's neither. Packets not destined for the host itself travel through the FORWARD chain and don't show up in INPUT nor OUTPUT.

cu
Ludwig
Re: [opensuse-factory] SPAM: Warning! SuseFirewall2 by default allow any port for INCOMING!
jdd wrote:

[...] I already noted that the documentation of SuSEfirewall2 is extremely ambiguous on this respect.

Where? Send patches to me.

cu
Ludwig
Re: [opensuse-factory] Idea for SuSEfirewall2
On Friday 30 June 2006 08:41, Pascal Bleser wrote:

Just a little idea I stumbled upon... How about having a directory that allows dropping in files as part of packages (e.g. /etc/sysconfig/SuSEfirewall2.d/). Those files could include stuff like
- a detailed description of the ports that are relevant to the package
- parsable data for SuSEfirewall2, to be able to open (or close) ports based on that information

---8<---
<susefirewall2-service id="xmpp">
  <summary>XMPP/Jabber</summary>
  <description>
    Open these ports to allow communication with an XMPP/Jabber
    server hosted in your network.
  </description>
  <ports>
    <port proto="udp" port="5222" />
    <port-range proto="tcp" range="5222-5223"/>
  </ports>
</susefirewall2-service>
---8<---

(of course, it should be capable of being localized)

I'd like to have that too :-) It's nothing SuSEfirewall2 should deal with though. The YaST firewall module can make use of that information instead. Currently the information about ports is hardcoded in /usr/share/YaST2/modules/SuSEFirewallServices.ycp

cu
Ludwig
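
The service-definition format sketched in the message above, parsed and validated before anything would be allowed to open a port. This is an added example, not code from the thread, SuSEfirewall2 or YaST; element and attribute names follow the sketch, while the tcp/udp allow-list, the alphanumeric id rule and the rejection of DTDs are assumptions.

```python
import xml.etree.ElementTree as ET

ALLOWED_PROTOS = {"tcp", "udp"}  # assumption: only these two are accepted

# Constructed sample in the format sketched in the message above.
SAMPLE = """<susefirewall2-service id="xmpp">
  <summary>XMPP/Jabber</summary>
  <description>Open these ports to allow communication with an
  XMPP/Jabber server hosted in your network.</description>
  <ports>
    <port proto="udp" port="5222"/>
    <port-range proto="tcp" range="5222-5223"/>
  </ports>
</susefirewall2-service>"""


class ServiceFileError(ValueError):
    """Raised when a drop-in file is malformed or requests something odd."""


def _port(text):
    # Ports must be plain ASCII decimal numbers in 1..65535.
    if not text or not (text.isascii() and text.isdigit()):
        raise ServiceFileError(f"bad port {text!r}")
    number = int(text)
    if not 1 <= number <= 65535:
        raise ServiceFileError(f"port out of range: {number}")
    return number


def parse_service(xml_text):
    """Return (id, summary, [(proto, low, high), ...]) or raise ServiceFileError."""
    # A package-supplied file has no reason to carry a DTD or entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ServiceFileError("DTDs and entities are not accepted")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ServiceFileError(f"not well-formed: {exc}") from exc
    if root.tag != "susefirewall2-service":
        raise ServiceFileError(f"unexpected root element {root.tag!r}")
    service_id = root.get("id", "")
    if not service_id.isalnum():
        raise ServiceFileError(f"bad service id {service_id!r}")
    summary = (root.findtext("summary") or "").strip()
    ports_el = root.find("ports")
    if ports_el is None or len(ports_el) == 0:
        raise ServiceFileError("no ports declared")
    rules = []
    for el in ports_el:
        proto = el.get("proto")
        if proto not in ALLOWED_PROTOS:
            raise ServiceFileError(f"unsupported proto {proto!r}")
        if el.tag == "port":
            low = high = _port(el.get("port"))
        elif el.tag == "port-range":
            lo_s, sep, hi_s = (el.get("range") or "").partition("-")
            if not sep:
                raise ServiceFileError("range must be LOW-HIGH")
            low, high = _port(lo_s), _port(hi_s)
            if low > high:
                raise ServiceFileError(f"inverted range {low}-{high}")
        else:
            raise ServiceFileError(f"unknown element {el.tag!r}")
        rules.append((proto, low, high))
    return service_id, summary, rules


if __name__ == "__main__":
    print(parse_service(SAMPLE))
```

Rejecting the whole file on the first unknown element or out-of-range port keeps a broken or over-broad package drop-in from silently widening the rule set.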