Re: question on iptables, port 631 and CUPS

On 3/24/2012 6:30 AM, Reindl Harald wrote:
> On 24.03.2012 14:29, Craig White wrote:
>> On Fri, 2012-03-23 at 22:07 -0700, Paul Allen Newell wrote:
>>> Hello:
>>>
>>> I am noticing that when I install a printer on my local network, I get
>>> an entry added to iptables to the effect of:
>>> +++
>>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>>> +++
>>
>> ----
>> generally default policies would allow everything to/from localhost
>> (127.0.0.1) so beyond the basic policies themselves regarding device lo,
>> there should be no need for rules that source or destine it.
>>
>> CUPS (port 631) does have options to allow automatic discovery of shared
>> printers on the LAN and it is often quite useful to allow your LAN
>> systems to access port 631.
> but this is a stupid WORLDWIDE open port!
> normally a machine should not offer any network port worldwide
>
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT


Craig and Reindl:

Thanks for both of your responses.

It makes sense that 127.0.0.1 would be covered to/fro by default policies. And it was clear to me from my initial Googling that CUPS / port 631 made sense and is a relatively old and stable standard.

But I am still wondering about the openness of the automatically added rule ... it does seem to say that udp from any sourceIP to any destinIP is legit when using dport 631 (yeah, a worldwide open port is a good way to phrase it).

If this were a "real hole", then I would have to believe someone would have flagged it a long time ago and I don't see evidence on the net for such (given that I assume this auto-rule is added to anyone and everyone's iptables when CUPS starts looking for printers?). This is more of a question to help better understand iptables.

If I try to reach a solution based on my limited knowledge, it would seem that one would want to change the udp to have a 127.0.0.1 sourceIP and a destinIP restricting to the LAN (I am assuming simple home user usage where there's a single LAN that has one connection through a router to the outside world). Such would say that any other udp would get rejected (or allowed by some other rule). Probably implies some means at start-up (rc.local perhaps) to check to see if iptables has changed from the last known settings (is there a way to get an email from root to say "hey, I just changed iptables and you might like to know it happened so you can see if this is what you want"?).

Once again, appreciate the information (and hopefully will be able to get a bit more to see if I am getting all this correctly).

Paul

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
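Paul's two ideas above (a LAN-only version of the auto-added rule, and a start-up check that the tables still match a known-good copy) worked through as an added shell example; this is not code from the thread, and the subnet 192.168.1.0/24 and the baseline path /var/lib/iptables.baseline are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the home LAN is 192.168.1.0/24;
# that is a placeholder, override with LAN_NET=... for your own subnet.
# Everything works on iptables-save style text, so it can be tried on a
# saved copy before anything is applied with iptables-restore.
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# The rule CUPS discovery adds, narrowed to the LAN: new UDP datagrams to
# port 631 are accepted only when their source is in LAN_NET; a datagram
# from anywhere else falls through to the later rules or the INPUT policy.
narrowed_cups_rule() {
    printf '%s\n' "-A INPUT -s $LAN_NET -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
}

# Count ACCEPT rules for UDP/631 that carry no -s restriction, i.e. the
# "worldwide open" shape from the thread. Reads iptables-save text on stdin
# and prints the count (0 when the ruleset is clean).
count_open_631() {
    grep -E '^-A INPUT .*-p udp .*--dport 631 .*-j ACCEPT' \
        | grep -v -E ' -s [0-9./]+ ' \
        | grep -c . || true
}

# Rewrite the auto-added rule into its LAN-only form. Intended use:
#   iptables-save | narrow_ruleset | iptables-restore
narrow_ruleset() {
    sed "s|^-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT\$|$(narrowed_cups_rule)|"
}

# Compare a saved baseline with the live ruleset, ignoring the '#' timestamp
# lines iptables-save emits. Exit status 0 means no drift, 1 means the
# tables changed; a boot-time caller (rc.local) can act on that, e.g.:
#   iptables-save | check_ruleset_drift /var/lib/iptables.baseline - \
#       || mail -s "iptables changed since baseline" root
check_ruleset_drift() {
    diff -I '^#' "$1" "$2"
}
```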

