Re: question on iptables, port 631 and CUPS

On Fri, 2012-03-23 at 22:07 -0700, Paul Allen Newell wrote:
> Hello:
> 
> I am noticing that when I install a printer on my local network, I get 
> an entry added to iptables to the effect of:
> +++
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> +++
> 
> It actually shows up multiple times, which makes it look like each time 
> I reinstalled the printer to get things right it did an automatic entry 
> without bothering to check if it is already there.
> 
> Everything I can find online makes it sound like this is "to be 
> expected". However, I am seeing examples of manual additions of this 
> rule adding a "-s 127.0.0.1". I take this to mean that it limits the 
> request to "coming from my machine".
> 
> Is this a good idea or even necessary? My knowledge of iptables (very 
> limited but getting better) thinks that the default rule allows any 
> source addr or destin addr and the only limitation is that it is 
> restricted to port 631. It would seem that if I wanted to really limit 
> it, I would make the source addr myself/machine and the destin addr 
> limited to my LAN (192.168.2.*) --- I'm still searching my notes from 
> this list for the proper syntax as I know I have been emailed that before.
> 
> Am I understanding all this correctly?
----
Generally, default policies would allow everything to/from localhost
(127.0.0.1) so beyond the basic policies themselves regarding device lo,
there should be no need for rules that source or destine it.

CUPS (port 631) does have options to allow automatic discovery of shared
printers on the LAN and it is often quite useful to allow your LAN
systems to access port 631.

Craig
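
An added example, not part of the original messages: the duplicate UDP 631 rules from the question collapsed into one rule limited to the LAN, working on an iptables-save style ruleset as text. The names scope_cups_rules and sample_rules are hypothetical, the sample ruleset is constructed, and 192.168.2.0/24 is assumed to be the CIDR form of the 192.168.2.* LAN mentioned in the question.

```shell
#!/bin/sh
# Added example: collapse duplicate CUPS (UDP 631) ACCEPT rules in an
# iptables-save style ruleset and restrict them to a LAN source.
# scope_cups_rules and sample_rules are hypothetical names; the sample
# ruleset below is constructed for illustration.

# Usage: scope_cups_rules LAN_CIDR < ruleset > new-ruleset
scope_cups_rules() {
    awk -v lan="$1" '
        # INPUT rules that accept UDP traffic to destination port 631
        /^-A INPUT / && /-p udp/ && /--dport 631( |$)/ && /-j ACCEPT/ {
            # Add a source match only when the rule has none yet
            if ($0 !~ / -s /) sub(/^-A INPUT /, "-A INPUT -s " lan " ")
            # Drop repeats of a rule that was already emitted
            if (seen[$0]++) next
        }
        { print }
    '
}

# Constructed ruleset: the 631 rule appears three times, as in the question
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Show the cleaned ruleset for the LAN from the question (192.168.2.*)
sample_rules | scope_cups_rules 192.168.2.0/24
```

The output is meant to be reviewed before it is loaded with iptables-restore.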


