On 3/24/2012 7:43 PM, Craig White wrote:
On Sat, 2012-03-24 at 19:18 -0700, Paul Allen Newell wrote:
On 3/24/2012 6:30 AM, Reindl Harald wrote:
On 24.03.2012 14:29, Craig White wrote:
On Fri, 2012-03-23 at 22:07 -0700, Paul Allen Newell wrote:
Hello:
I am noticing that when I install a printer on my local network, I get
an entry added to iptables to the effect of:
+++
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
+++
----
generally default policies would allow everything to/from localhost
(127.0.0.1) so beyond the basic policies themselves regarding device lo,
there should be no need for rules that source or destine it.
CUPS (port 631) does have options to allow automatic discovery of shared
printers on the LAN and it is often quite useful to allow your LAN
systems to access port 631.
but this is a stupid WORLDWIDE open port!
normally a machine should not offer any network port worldwide
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
Craig and Reindl:
Thanks for both of your responses.
It makes sense that 127.0.0.1 would be covered to/fro by default
policies. And it was clear to me from my initial Googling that CUPS /
port 631 made sense and is a relatively old and stable standard.
But I am still wondering about the openness of the automatically added
rule ... it does seem to say that udp from any sourceIP to any destinIP
is legit when using dport 631 (yeah, a worldwide open port is a good way
to phrase it).
If this were a "real hole", then I would have to believe someone would
have flagged it a long time ago and I don't see evidence on the net for
such (given that I assume this auto-rule is added to anyone and
everyone's iptables when CUPS starts looking for printers?). This is
more of a question to help better understand iptables.
If I try to reach a solution based on my limited knowledge, it would
seem that one would want to change the udp to have a 127.0.0.1 sourceIP
and a destinIP restricting to the LAN (I am assuming simple home user
usage where there's a single LAN that has one connection through a
router to the outside world). Such would say that any other udp would
get rejected (or allowed by some other rule). Probably implies some
means at start-up (rc.local perhaps) to check to see if iptables has
changed from the last known settings (is there a way to get an email
from root to say "hey, I just changed iptables and you might like to
know it happened so you can see if this is what you want"?).
Once again, appreciate the information (and hopefully will be able to
get a bit more to see if I am getting all this correctly).
----
if port 631 is reachable from anyone on the Internet (i.e. you don't
have a firewall/router blocking the Internet from your LAN traffic), then
yes, I wouldn't want the port to be accessible by anything other than
localhost. Otherwise, I want CUPS automatic discovery of shared
printers.
Craig
Craig:
Thanks, that confirms that I am at least understanding what the impact
of the automatically added rule is and what would need to be changed.
If I am correct in my understanding, I think I should have bypassed the
automatic discovery by making the printer a static IP in the LAN and
overriding the automated discovery with a "use this IP". It seemed that
different setup methods worked differently and that I had to give it the
address to get hp-setup to find the printer.
I kinda like the override as, while I am still sorting out all the
learning for iptables, firewalls, etc. on F16, any automatic processes
led to a "what is that?".
To make sure I really get it, I am going to modify the rule and see if
the printer still works. Then, on the next machine I bring up on F16
(thanks to Tim resurrecting my dead machine by suggesting it's a fading
power supply and to "unplug stuff") I'll try to track whether it is
being added regardless of whether I use automatic discovery or manual
override.
Paul
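The following is an added example, not code from anyone in this thread. It
works on the text that iptables-save produces, so it runs offline against a
constructed sample resembling the ruleset discussed above (the default
Fedora policy plus the auto-added udp/631 rule); on a real host you would
pipe `iptables-save` into the same functions. It does three things the
thread asks about: lists INPUT ACCEPT rules that open a port to any source
(Reindl's "worldwide open port"), rewrites such rules for a given port so
they only accept a LAN prefix (the change Paul proposes), and diffs the
live ruleset against a saved baseline so a cron job can mail root when
iptables has changed. The LAN prefix 192.168.1.0/24, the baseline path and
the cron line in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Audits an iptables-save dump for
# world-open ports, restricts a port to a LAN prefix, and detects drift
# from a saved baseline. All functions read a dump on stdin or as args.

# Constructed sample: default Fedora 16 INPUT policy plus the udp/631 rule
# that the printer setup added. Not captured from a real machine.
SAMPLE_RULES='# Generated by iptables-save v1.4.12 on Sat Mar 24 19:00:00 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Mar 24 19:00:00 2012'

# Print "proto/port" for every INPUT ACCEPT rule that names a --dport but
# carries neither a source (-s) nor an input interface (-i): open to anyone.
world_open_ports() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            proto = ""; port = ""; restricted = 0; accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")      proto = $(i+1)
                if ($i == "--dport") port  = $(i+1)
                if ($i == "-s" || $i == "-i") restricted = 1
                if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
            }
            if (accept && port != "" && !restricted) print proto "/" port
        }'
}

# Rewrite every world-open INPUT rule for the given port so it only accepts
# the LAN prefix: "-A INPUT <rest>" becomes "-A INPUT -s <cidr> <rest>".
# Rules that already carry -s are left alone. Output is a complete dump
# that iptables-restore can load.
restrict_port_to_lan() {
    port="$1"; cidr="$2"
    awk -v port="$port" -v cidr="$cidr" '
        $1 == "-A" && $2 == "INPUT" && $0 ~ ("--dport " port "( |$)") && $0 !~ / -s / {
            sub(/^-A INPUT/, "-A INPUT -s " cidr)
        }
        { print }'
}

# Strip what legitimately changes between two dumps of the same ruleset:
# the timestamped comment lines and the per-chain packet/byte counters.
normalize_rules() {
    grep -v '^#' | sed 's/\[[0-9]*:[0-9]*\]/[0:0]/'
}

# Compare a baseline dump with the current one. Prints a unified diff and
# returns 1 if the rules differ, 0 if they are the same. Assumed cron use:
#   iptables-save > /var/lib/iptables.baseline            # once, when happy
#   check_drift "$(cat /var/lib/iptables.baseline)" "$(iptables-save)" \
#       | mail -s "iptables changed on $(hostname)" root  # daily
check_drift() {
    base_file=$(mktemp); cur_file=$(mktemp)
    printf '%s\n' "$1" | normalize_rules > "$base_file"
    printf '%s\n' "$2" | normalize_rules > "$cur_file"
    if diff -u "$base_file" "$cur_file"; then status=0; else status=1; fi
    rm -f "$base_file" "$cur_file"
    return "$status"
}

# Demo on the constructed sample.
echo "world-open ports before:"
printf '%s\n' "$SAMPLE_RULES" | world_open_ports
HARDENED=$(printf '%s\n' "$SAMPLE_RULES" | restrict_port_to_lan 631 192.168.1.0/24)
echo "world-open ports after restricting 631 to the LAN:"
printf '%s\n' "$HARDENED" | world_open_ports
echo "drift between original and hardened ruleset:"
if check_drift "$SAMPLE_RULES" "$HARDENED"; then echo "(none)"; fi
```

Note that on the sample, port 22 is reported as world-open as well: the
audit is not CUPS-specific, it flags any INPUT ACCEPT rule with a --dport
and no -s or -i. The loopback rule (-i lo) is what covers 127.0.0.1, which
is why the hardened CUPS rule only needs the LAN prefix and not a
127.0.0.1 source.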
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org