Re: question on iptables, port 631 and CUPS

On Sat, 2012-03-24 at 19:18 -0700, Paul Allen Newell wrote:
> On 3/24/2012 6:30 AM, Reindl Harald wrote:
> >
> > Am 24.03.2012 14:29, schrieb Craig White:
> >> On Fri, 2012-03-23 at 22:07 -0700, Paul Allen Newell wrote:
> >>> Hello:
> >>>
> >>> I am noticing that when I install a printer on my local network, I get
> >>> an entry added to iptables to the effect of:
> >>> +++
> >>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> >>> +++
> >>>
> >>>
> >> ----
> >> generally default policies would allow everything to/from localhost
> >> (127.0.0.1) so beyond the basic policies themselves regarding device lo,
> >> there should be no need for rules that source or destine it.
> >>
> >> CUPS (port 631) does have options to allow automatic discovery of shared
> >> printers on the LAN and it is often quite useful to allow your LAN
> >> systems to access port 631.
> > but this is a stupid WORLDWIDE open port!
> > normally a machine should not offer any network port worldwide
> >
> > -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> >
> 
> Craig and Reindl:
> 
> Thanks for both of your responses.
> 
> It makes sense that 127.0.0.1 would be covered to/fro by default 
> policies. And it was clear to me from my initial Googling that CUPS / 
> port 631 made sense and is a relative old and stable standard.
> 
> But I am still wondering about the openness of the automatically added 
> rule ... it does seem to say that udp from any sourceIP to any destinIP 
> is legit when using dport 631 (yeah, a worldwide open port is a good way 
> to phrase it).
> 
> If this were a "real hole", then I would have to believe someone would 
> have flagged it a long time ago and I don't see evidence on the net for 
> such (given that I assume this auto-rule is added to anyone and 
> everyone's iptables when CUPS starts looking for printers?). This is 
> more of a question to help better understand iptables.
> 
> If I try to reach a solution based on my limited knowledge, it would 
> seem that one would want to change the udp to have a 127.0.0.1 sourceIP 
> and a destinIP restricting to the LAN (I am assuming simple home user 
> usage where there's a single LAN that has one connection through a 
> router to the outside world). Such would say that any other udp would 
> get rejected (or allowed by some other rule). Probably implies some 
> means at start-up (rc.local perhaps) to check to see if iptables has 
> changed from the last known settings (is there a way to get an email 
> from root to say "hey, I just changed iptables and you might like to 
> know it happened so you can see if this is what you want"?).
> 
> Once again, appreciate the information (and hopefully will be able to 
> get a bit more to see if I am getting all this correctly).
----
if port 631 is reachable from anyone on the Internet (i.e. you don't
have a firewall/router blocking the Internet from your LAN traffic), then
yes, I wouldn't want the port to be accessible by anything other than
localhost. Otherwise, I want CUPS automatic discovery of shared
printers.

Craig




-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
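The two things the original poster asks for, a rule that only accepts port 631 from the LAN and a start-up check that notices when the ruleset has changed, as an added example that is not code from this thread or from Fedora's printer-setup tooling. It assumes the LAN is 192.168.1.0/24 (set LAN_NET otherwise), that the approved ruleset is kept in an assumed file /etc/iptables.baseline, and that rules are in iptables-save format; the two sample dumps are constructed here, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the thread. Two helpers for the situation
# described above:
#   1. find INPUT rules that ACCEPT port 631 from any source, and print the
#      LAN-restricted rule that should replace each one;
#   2. compare the live ruleset with a saved baseline so a change (such as a
#      rule a printer-setup tool added) can be reported, e.g. from rc.local.
# Assumptions: LAN is 192.168.1.0/24, dumps are in iptables-save format.
set -u

LAN_NET="${LAN_NET:-192.168.1.0/24}"            # assumed LAN prefix; adjust
BASELINE="${BASELINE:-/etc/iptables.baseline}"  # assumed path of approved copy

# Return 0 when a rule line accepts dport 631 with neither a source (-s)
# nor an input-interface (-i) restriction, i.e. it is open to the world.
is_world_open_631() {
    case "$1" in *"-j ACCEPT"*) ;; *) return 1 ;; esac
    case "$1" in *"--dport 631"*) ;; *) return 1 ;; esac
    case "$1" in *" -s "*|*" -i "*) return 1 ;; esac
    return 0
}

# Print every world-open port-631 rule found in an iptables-save dump.
find_open_631() {
    while IFS= read -r line; do
        is_world_open_631 "$line" && printf '%s\n' "$line"
    done < "$1"
    return 0
}

# Rewrite a world-open INPUT rule so it only matches packets from the LAN.
restrict_to_lan() {
    printf '%s\n' "$1" | sed "s|^-A INPUT |-A INPUT -s $LAN_NET |"
}

# Normalise a dump for comparison: drop comment lines (iptables-save stamps
# them with the date) and packet/byte counters, which change constantly.
normalise_rules() {
    sed -e '/^#/d' -e 's/^\[[0-9]*:[0-9]*\] //' -e 's/ \[[0-9]*:[0-9]*\]$//' "$1"
}

# Return 0 if the two dumps agree, non-zero (with a unified diff on stdout)
# if the rules differ.
ruleset_drift() {
    a=$(mktemp); b=$(mktemp)
    normalise_rules "$1" > "$a"
    normalise_rules "$2" > "$b"
    if diff -u "$a" "$b"; then rc=0; else rc=$?; fi
    rm -f "$a" "$b"
    return $rc
}

# Constructed sample dumps (not real captures): the ruleset before a printer
# was installed, and the same ruleset after the rule from the thread appeared.
SAMPLE_BASELINE='# Generated by iptables-save (constructed sample, before)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12:960]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT'
SAMPLE_CURRENT='# Generated by iptables-save (constructed sample, after)
*filter
:INPUT DROP [5:400]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [40:3200]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
COMMIT'

# Demo on the constructed samples. On a real box you would instead run
#   iptables-save > "$dir/current"
# keep "$BASELINE" from the last state you approved, and in rc.local pipe a
# non-empty diff to:  mail -s "iptables changed" root
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_BASELINE" > "$dir/baseline"
    printf '%s\n' "$SAMPLE_CURRENT"  > "$dir/current"
    echo "== world-open port 631 rules and LAN-restricted replacements =="
    find_open_631 "$dir/current" | while IFS= read -r r; do
        echo "open:       $r"
        echo "restricted: $(restrict_to_lan "$r")"
    done
    echo "== drift from baseline =="
    if ruleset_drift "$dir/baseline" "$dir/current"; then echo "no change"; fi
    rm -rf "$dir"
}
demo
```

The restricted rule still accepts port 631 from any LAN host, which is what automatic discovery needs; with a DROP policy on INPUT, UDP 631 from anywhere else simply falls through and is dropped. The baseline comparison ignores the timestamp comment and the counters so that only an actual rule change produces a diff.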
