question on iptables, port 631 and CUPS

Craig White craigwhite at azapple.com
Sun Mar 25 02:43:50 UTC 2012


On Sat, 2012-03-24 at 19:18 -0700, Paul Allen Newell wrote:
> On 3/24/2012 6:30 AM, Reindl Harald wrote:
> >
> > Am 24.03.2012 14:29, schrieb Craig White:
> >> On Fri, 2012-03-23 at 22:07 -0700, Paul Allen Newell wrote:
> >>> Hello:
> >>>
> >>> I am noticing that when I install a printer on my local network, I get
> >>> an entry added to iptables to the effect of:
> >>> +++
> >>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> >>> +++
> >>>
> >>>
> >> ----
> >> generally default policies would allow everything to/from localhost
> >> (127.0.0.1) so beyond the basic policies themselves regarding device lo,
> >> there should be no need for rules that source or destine it.
> >>
> >> CUPS (port 631) does have options to allow automatic discovery of shared
> >> printers on the LAN and it is often quite useful to allow your LAN
> >> systems to access port 631.
> > but this is a stupid WORLDWIDE open port!
> > normally a machine should not offer any network port worldwide
> >
> > -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> >
> 
> Craig and Reindl:
> 
> Thanks for both of your responses.
> 
> It makes sense that 127.0.0.1 would be covered to/fro by default 
> policies. And it was clear to me from my initial Googling that CUPS / 
> port 631 made sense and is a relatively old and stable standard.
> 
> But I am still wondering about the openness of the automatically added 
> rule ... it does seem to say that udp from any sourceIP to any destinIP 
> is legit when using dport 631 (yeah, a worldwide open port is a good way 
> to phrase it).
> 
> If this were a "real hole", then I would have to believe someone would 
> have flagged it a long time ago and I don't see evidence on the net for 
> such (given that I assume this auto-rule is added to anyone and 
> everyone's iptables when CUPS starts looking for printers?). This is 
> more of a question to help better understand iptables.
> 
> If I try to reach a solution based on my limited knowledge, it would 
> seem that one would want to change the udp to have a 127.0.0.1 sourceIP 
> and a destinIP restricting to the LAN (I am assuming simple home user 
> usage where there's a single LAN that has one connection through a 
> router to the outside world). Such would say that any other udp would 
> get rejected (or allowed by some other rule). Probably implies some 
> means at start-up (rc.local perhaps) to check to see if iptables has 
> changed from the last known settings (is there a way to get an email 
> from root to say "hey, I just changed iptables and you might like to 
> know it happened so you can see if this is what you want"?).
> 
> Once again, appreciate the information (and hopefully will be able to 
> get a bit more to see if I am getting all this correctly).
----
If port 631 is reachable from anyone on the Internet (i.e. you don't
have a firewall/router blocking the Internet from your LAN traffic), then
yes, I wouldn't want the port to be accessible by anything other than
localhost. Otherwise, I want CUPS automatic discovery of shared
printers.

Craig
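The LAN-restricted form of the rule that Paul proposes, plus the start-up "did iptables change?" check he asks about, as an added shell example that is not from the thread. The LAN range 192.168.1.0/24 and the file layout are assumptions; the rulesets below are constructed samples in iptables-save format, not real captures.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a single home LAN on
# 192.168.1.0/24 (hypothetical; substitute your own subnet) and rule files
# in iptables-save format (e.g. the output of `iptables-save`).
export LC_ALL=C
LAN_NET="192.168.1.0/24"   # assumed LAN range

# The discovery rule as quoted in the thread: accepts udp/631 from any source.
OPEN_RULE='-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT'

# Same rule limited to the LAN source range; anything else falls through to
# later rules or the chain policy.
lan_rule() {
    printf '%s\n' "-A INPUT -s $1 -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
}

# ACCEPT rules for udp/631 that carry no source (-s) restriction.
wide_open_631() {
    grep -- '--dport 631' "$1" | grep 'ACCEPT' | grep -v -- ' -s ' || :
}

# Rules present in the current ruleset but absent from the saved baseline
# (comments, counters and chain policies are ignored).
new_rules() {
    _b=$(mktemp); _c=$(mktemp)
    grep '^-A ' "$1" | sort -u > "$_b"
    grep '^-A ' "$2" | sort -u > "$_c"
    comm -13 "$_b" "$_c"
    rm -f "$_b" "$_c"
}

# Report for an rc.local or cron check; pipe into `mail -s 'iptables changed' root`.
report() {
    _new=$(new_rules "$1" "$2")
    _open=$(wide_open_631 "$2")
    if [ -n "$_new" ]; then printf 'Rules added since baseline:\n%s\n' "$_new"; fi
    if [ -n "$_open" ]; then printf 'udp/631 ACCEPT rules open to any source:\n%s\n' "$_open"; fi
}

# Constructed samples: a baseline, and the baseline plus the rule printer
# discovery added.
BASELINE=$(mktemp); CURRENT=$(mktemp)
cat > "$BASELINE" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
{ grep -v '^COMMIT$' "$BASELINE"; printf '%s\nCOMMIT\n' "$OPEN_RULE"; } > "$CURRENT"
report "$BASELINE" "$CURRENT"
```

Replacing the flagged rule with `lan_rule "$LAN_NET"` keeps discovery working for LAN hosts while leaving the port closed to any other source.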
