On Sat, 2012-03-24 at 19:18 -0700, Paul Allen Newell wrote:
> On 3/24/2012 6:30 AM, Reindl Harald wrote:
> >
> > On 24.03.2012 14:29, Craig White wrote:
> >> On Fri, 2012-03-23 at 22:07 -0700, Paul Allen Newell wrote:
> >>> Hello:
> >>>
> >>> I am noticing that when I install a printer on my local network, I get
> >>> an entry added to iptables to the effect of:
> >>> +++
> >>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> >>> +++
> >>>
> >>>
> >> ----
> >> generally default policies would allow everything to/from localhost
> >> (127.0.0.1) so beyond the basic policies themselves regarding device lo,
> >> there should be no need for rules that source or destine it.
> >>
> >> CUPS (port 631) does have options to allow automatic discovery of shared
> >> printers on the LAN and it is often quite useful to allow your LAN
> >> systems to access port 631.
> > but this is a stupid WORLDWIDE open port!
> > normally a machine should not offer any network port worldwide
> >
> > -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> >
> Craig and Reindl:
>
> Thanks for both of your responses.
>
> It makes sense that 127.0.0.1 would be covered to/fro by default
> policies. And it was clear to me from my initial Googling that CUPS /
> port 631 made sense and is a relatively old and stable standard.
>
> But I am still wondering about the openness of the automatically added
> rule ... it does seem to say that udp from any sourceIP to any destinIP
> is legit when using dport 631 (yeah, a worldwide open port is a good way
> to phrase it).
>
> If this were a "real hole", then I would have to believe someone would
> have flagged it a long time ago and I don't see evidence on the net for
> such (given that I assume this auto-rule is added to anyone and
> everyone's iptables when CUPS starts looking for printers?). This is
> more of a question to help better understand iptables.
>
> If I try to reach a solution based on my limited knowledge, it would
> seem that one would want to change the udp to have a 127.0.0.1 sourceIP
> and a destinIP restricting to the LAN (I am assuming simple home user
> usage where there's a single LAN that has one connection through a
> router to the outside world). Such would say that any other udp would
> get rejected (or allowed by some other rule). Probably implies some
> means at start-up (rc.local perhaps) to check to see if iptables has
> changed from the last known settings (is there a way to get an email
> from root to say "hey, I just changed iptables and you might like to
> know it happened so you can see if this is what you want"?).
>
> Once again, appreciate the information (and hopefully will be able to
> get a bit more to see if I am getting all this correctly).
----
if port 631 is reachable from anyone on the Internet (ie - you don't have
a firewall/router blocking the Internet from your LAN traffic), then yes,
I wouldn't want the port to be accessible by anything other than
localhost. Otherwise, I want CUPS automatic discovery of shared printers.

Craig

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
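As an added example (not part of the thread, and not Fedora's or CUPS's own tooling): a small POSIX shell script that does the three things the exchange above circles around. It audits an iptables-save dump for INPUT rules that ACCEPT port 631 with no source match (the "worldwide open port" Reindl objects to), rewrites those rules so they only match the home LAN as source (the restriction Paul proposes; 192.168.1.0/24 is an assumed LAN range, override it with LAN_NET), and compares a saved baseline rule set against the current one so a cron job can mail root when the rules changed. The iptables-save excerpt it inspects is constructed for the example; on a real host you would feed it the output of iptables-save run as root, and the same audit applies to an ip6tables-save dump.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Audits an iptables-save
# dump for world-open port 631 rules and shows the LAN-restricted form.
# Assumption: the home LAN is 192.168.1.0/24 (override with LAN_NET).
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Constructed iptables-save excerpt (not a real capture): the auto-added
# UDP/631 rule with no source match, plus one that is already LAN-limited.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# open_631_rules: read a dump on stdin and print INPUT rules that ACCEPT
# port 631 without any -s/--source match, i.e. rules that admit the port
# from every address the host is reachable from.
# Exit status 0 if at least one such rule exists, 1 otherwise (grep semantics).
open_631_rules() {
    grep -E -- '^-A INPUT .*--dport 631 .*-j ACCEPT' | grep -E -v -- '(-s|--source) '
}

# restrict_to_lan: read a dump on stdin and rewrite those rules so they
# only match LAN_NET as source; every other line passes through unchanged.
restrict_to_lan() {
    awk -v lan="$LAN_NET" '
        /^-A INPUT / && /--dport 631 / && /-j ACCEPT/ && !/(-s|--source) / {
            sub(/^-A INPUT /, "-A INPUT -s " lan " ")
        }
        { print }'
}

# check_drift BASELINE CURRENT: diff a saved rule set against the current
# one. Exit status is nonzero when they differ, so a root cron job like
#   iptables-save > /var/tmp/ipt.cur
#   check_drift /var/tmp/ipt.base /var/tmp/ipt.cur > /var/tmp/ipt.diff \
#       || mail -s "iptables changed" root < /var/tmp/ipt.diff
# (paths and mail(1) availability are assumptions) answers the "tell me
# when iptables changed" question from the thread.
check_drift() {
    diff -u "$1" "$2"
}

echo "== rules accepting port 631 from any source =="
printf '%s\n' "$SAMPLE_DUMP" | open_631_rules || echo "(none)"
echo "== same dump with those rules limited to $LAN_NET =="
printf '%s\n' "$SAMPLE_DUMP" | restrict_to_lan
```

Matching on the source address is the knob that matters here: a rule without -s accepts the datagram from whatever can reach the interface, so as Craig says it is only harmless when a NAT router already keeps the Internet away from the LAN. The rewritten rule still lets LAN printers and hosts talk to port 631, which is all CUPS discovery needs on a single-LAN home network.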