question on iptables, port 631 and CUPS
Craig White
craigwhite at azapple.com
Sun Mar 25 02:43:50 UTC 2012
On Sat, 2012-03-24 at 19:18 -0700, Paul Allen Newell wrote:
> On 3/24/2012 6:30 AM, Reindl Harald wrote:
> >
> > Am 24.03.2012 14:29, schrieb Craig White:
> >> On Fri, 2012-03-23 at 22:07 -0700, Paul Allen Newell wrote:
> >>> Hello:
> >>>
> >>> I am noticing that when I install a printer on my local network, I get
> >>> an entry added to iptables to the effect of:
> >>> +++
> >>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> >>> +++
> >>>
> >>>
> >> ----
> >> generally default policies would allow everything to/from localhost
> >> (127.0.0.1) so beyond the basic policies themselves regarding device lo,
> >> there should be no need for rules that source or destine it.
> >>
> >> CUPS (port 631) does have options to allow automatic discover of shared
> >> printers on the LAN and it is often quite useful to allow your LAN
> >> systems to access port 631.
> > but this is a stupid WORLDWIDE open port!
> > normally a machine should not offer any network port worldwide
> >
> > -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> >
>
> Craig and Reindl:
>
> Thanks for both of your responses.
>
> It makes sense that 127.0.0.1 would be covered to/fro by default
> policies. And it was clear to me from my initial Googling that CUPS /
> port 631 made sense and is a relative old and stable standard.
>
> But I am still wondering about the openness of the automatically added
> rule ... it does seem to say that udp from any sourceIP to any destinIP
> is legit when using dport 631 (yeah, a worldwide open port is a good way
> to phrase it).
>
> If this were a "real hole", then I would have to believe someone would
> have flagged it a long time ago and I don't see evidence on the net for
> such (given that I assume this auto-rule is added to anyone and
> everyone's iptables when CUPS starts looking for printers?). This is
> more of a question to help better understand iptables.
>
> If I try to reach a solution based on my limited knowledge, it would
> seem that one would want to change the udp to have a 127.0.0.1 sourceIP
> and a destinIP restricting to the LAN (I am assuming simple home user
> usage where there's a single LAN that has one connection through a
> router to the outside world). Such would say that any other udp would
> get rejected (or allowed by some other rule). Probably implies some
> means at start-up (rc.local perhaps) to check to see if iptables has
> changed from the last known settings (is there a way to get an email
> from root to say "hey, I just changed iptables and you might like to
> know it happened so you can see if this is what you want"?).
>
> Once again, appreciate the information (and hopefully will be able to
> get a bit more to see if I am getting all this correctly).
----
if port 631 is reachable from anyone on the Internet (i.e. you don't
have a firewall/router blocking the Internet from your LAN traffic), then
yes, I wouldn't want the port to be accessible by anything other than
localhost. Otherwise, I want CUPS automatic discovery of shared
printers.
Craig
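The following script is an added example and not part of the thread or of anyone's reply. It works on a constructed iptables-save style rule set containing the same dport 631 line the original poster reported, flags ACCEPT rules for 631 that carry no source or interface restriction (the "worldwide open" case), rewrites them so only the LAN subnet is accepted, and sketches the start-up check the poster asked about (snapshot the rules, diff on later runs, mail root when they changed). The LAN subnet 192.168.1.0/24 and the baseline path /var/lib/iptables-baseline.rules are hypothetical placeholders. One caveat on the poster's idea of keying the rule to a 127.0.0.1 source: CUPS browse announcements arrive from other hosts on the LAN, so a rule that only accepts a localhost source would not admit them; localhost is already covered by the lo rule, and the LAN subnet is the right restriction for discovery.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an iptables-save rule set for the
# "--dport 631 from anywhere" rule discussed above, rewrites it to accept only
# from the LAN, and shows a change-detection check that can mail root.
# Hypothetical values, adjust for your host:
LAN_NET="${LAN_NET:-192.168.1.0/24}"                          # home LAN subnet
BASELINE="${BASELINE:-/var/lib/iptables-baseline.rules}"      # saved snapshot

# Constructed sample in iptables-save format; the 631 line is the one the
# original poster saw (iptables-save writes --dport, not --dprot).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# find_open_631: read rules on stdin, print INPUT ACCEPT rules for dport 631
# that have neither a source (-s) nor an interface (-i) match, i.e. world-open.
find_open_631() {
    grep -E -e '^-A INPUT .*--dport 631.* -j ACCEPT$' | grep -E -v -e ' -s | -i '
}

# harden_631: read rules on stdin, emit the same set with every world-open
# dport 631 ACCEPT rule restricted to $LAN_NET; rules that already carry -s
# are left untouched, so running it twice changes nothing.
harden_631() {
    sed -E -e '/ -s /!s#^(-A INPUT )(.*--dport 631.* -j ACCEPT)$#\1-s '"$LAN_NET"' \2#'
}

# rule_diff OLD NEW: print a unified diff of two rule sets. Returns 0 when they
# are identical and 1 when they differ (diff's convention), usable in an if.
rule_diff() {
    old=$(mktemp) && new=$(mktemp) || return 2
    printf '%s\n' "$1" > "$old"
    printf '%s\n' "$2" > "$new"
    diff -u "$old" "$new" && rc=0 || rc=$?
    rm -f "$old" "$new"
    return "$rc"
}

# check_live: what an rc.local or cron entry would run on a real host. The
# first run stores the live rules as the baseline; later runs mail root a diff
# whenever the live rules no longer match it. Not run by the demo below.
check_live() {
    current=$(iptables-save) || { echo "iptables-save failed" >&2; return 1; }
    if [ ! -f "$BASELINE" ]; then
        printf '%s\n' "$current" > "$BASELINE"
        return 0
    fi
    if changes=$(rule_diff "$(cat "$BASELINE")" "$current"); then
        return 0                                   # unchanged, stay quiet
    fi
    printf '%s\n' "$changes" | mail -s "iptables rules changed on $(hostname)" root
}

if [ "${1:-}" = "--live" ]; then
    check_live
else
    echo "== dport 631 ACCEPT rules reachable from any source =="
    printf '%s\n' "$SAMPLE_RULES" | find_open_631 || echo "(none)"
    echo "== same rule set with 631 restricted to $LAN_NET =="
    printf '%s\n' "$SAMPLE_RULES" | harden_631
fi
```

Run it without arguments to see the audit and the rewritten rule on the sample; run it as root with --live to snapshot and compare the host's real rules (install the hardened rule set with iptables-restore, then take the baseline, so the check starts from the state you actually want).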