Re: question on iptables, port 631 and CUPS


 




On 24.03.2012 14:29, Craig White wrote:
> On Fri, 2012-03-23 at 22:07 -0700, Paul Allen Newell wrote:
>> Hello:
>>
>> I am noticing that when I install a printer on my local network, I get 
>> an entry added to iptables to the effect of:
>> +++
>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>> +++
>>
>> It actually shows up multiple times, which makes it look like each time 
>> I reinstalled the printer to get things right it did an automatic entry 
>> without bothering to check if it is already there.
>>
>> Everything I can find online makes it sound like this is "to be 
>> expected". However, I am seeing examples of manual additions of this 
>> rule adding a "-s 127.0.0.1". I take this to mean that it limits the 
>> request to "coming from my machine".
>>
>> Is this a good idea or even necessary? My knowledge of iptables (very 
>> limited but getting better) thinks that the default rule allows any 
>> source addr or destin addr and the only limitation is that it is 
>> restricted to port 631. It would seem that if I wanted to really limit 
>> it, I would make the source addr myself/machine and the destin addr 
>> limited to my LAN (192.168.2.*) --- I'm still searching my notes from 
>> this list for the proper syntax as I know I have been emailed that before.
>>
>> Am I understanding all this correctly?
> ----
> generally default policies would allow everything to/from localhost
> (127.0.0.1) so beyond the basic policies themselves regarding device lo,
> there should be no need for rules that source or destine it.
> 
> CUPS (port 631) does have options to allow automatic discovery of shared
> printers on the LAN and it is often quite useful to allow your LAN
> systems to access port 631.

but this is a stupid WORLDWIDE open port!
normally a machine should not offer any network port worldwide

-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
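An added example, not part of the thread or of any Fedora or CUPS tool: a small audit of rules in iptables-save format that reports the repeated entries and the port 631 ACCEPT rules with no source limit discussed above, and rewrites such a rule with a source restriction. The function names and the sample ruleset are constructed, and 192.168.2.0/24 is assumed as the CIDR form of the LAN written as 192.168.2.* in the question.

```python
import ipaddress
import shlex
from collections import Counter

# Constructed sample in iptables-save format (not from the poster's machine):
# the thread's rule three times, plus a LAN-restricted TCP variant.
SAMPLE = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""


def option_value(tokens, flags):
    """Return the value following the first of `flags` in the rule, else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in flags:
            return tokens[i + 1]
    return None


def audit(text, port="631"):
    """Return (duplicates, open_rules); exact --dport only, no ranges or multiport."""
    rules = [tuple(shlex.split(l)) for l in text.splitlines() if l.startswith("-A ")]
    counts = Counter(rules)
    duplicates = {" ".join(r): n for r, n in counts.items() if n > 1}
    open_rules = []
    for tokens in counts:  # each distinct rule once
        if (tokens[1] == "INPUT"
                and option_value(tokens, ("-j", "--jump")) == "ACCEPT"
                and option_value(tokens, ("--dport", "--destination-port")) == port
                and option_value(tokens, ("-s", "--source", "--src")) in (None, "0.0.0.0/0")):
            open_rules.append(" ".join(tokens))
    return duplicates, open_rules


def restrict(rule, cidr):
    """Return the same rule limited to source addresses inside `cidr`."""
    ipaddress.ip_network(cidr)  # raises ValueError on a malformed network
    tokens = shlex.split(rule)
    return " ".join(tokens[:2] + ["-s", cidr] + tokens[2:])


if __name__ == "__main__":
    dups, exposed = audit(SAMPLE)
    print(dups, [restrict(r, "192.168.2.0/24") for r in exposed], sep="\n")
```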