Hello:
I am noticing that when I install a printer on my local network, I get an entry added to iptables to the effect of: +++ -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT +++
It actually shows up multiple times, which makes it look like each time I reinstalled the printer to get things right it did an automatic entry without bothering to check if it was already there.
Everything I can find online makes it sound like this is "to be expected". However, I am seeing examples of manual additions of this rule adding a "-s 127.0.0.1". I take this to mean that it limits the request to "coming from my machine".
Is this a good idea or even necessary? My knowledge of iptables (very limited but getting better) thinks that the default rule allows any source addr or destin addr and the only limitation is that it is restricted to port 631. It would seem that if I wanted to really limit it, I would make the source addr myself/machine and the destin addr limited to my LAN (192.168.2.*) --- I'm still searching my notes from this list for the proper syntax as I know I have been emailed that before.
Am I understanding all this correctly?
Thanks in advance, Paul
On Fri, 2012-03-23 at 22:07 -0700, Paul Allen Newell wrote:
---- generally default policies would allow everything to/from localhost (127.0.0.1) so beyond the basic policies themselves regarding device lo, there should be no need for rules that source or destine it.
CUPS (port 631) does have options to allow automatic discovery of shared printers on the LAN and it is often quite useful to allow your LAN systems to access port 631.
Craig
Am 24.03.2012 14:29, schrieb Craig White:
but this is a stupid WORLDWIDE open port! normally a machine should not offer any network port worldwide
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
On 3/24/2012 6:30 AM, Reindl Harald wrote:
Craig and Reindl:
Thanks for both of your responses.
It makes sense that 127.0.0.1 would be covered to/fro by default policies. And it was clear to me from my initial Googling that CUPS / port 631 made sense and is a relatively old and stable standard.
But I am still wondering about the openness of the automatically added rule ... it does seem to say that udp from any sourceIP to any destinIP is legit when using dport 631 (yeah, a worldwide open port is a good way to phrase it).
If this were a "real hole", then I would have to believe someone would have flagged it a long time ago and I don't see evidence on the net for such (given that I assume this auto-rule is added to anyone and everyone's iptables when CUPS starts looking for printers?). This is more of a question to help better understand iptables.
If I try to reach a solution based on my limited knowledge, it would seem that one would want to change the udp to have a 127.0.0.1 sourceIP and a destinIP restricting to the LAN (I am assuming simple home user usage where there's a single LAN that has one connection through a router to the outside world). Such would say that any other udp would get rejected (or allowed by some other rule). Probably implies some means at start-up (rc.local perhaps) to check to see if iptables has changed from the last known settings (is there a way to get an email from root to say "hey, I just changed iptables and you might like to know it happened so you can see if this is what you want"?).
Once again, appreciate the information (and hopefully will be able to get a bit more to see if I am getting all this correctly).
Paul
On Sat, 2012-03-24 at 19:18 -0700, Paul Allen Newell wrote:
---- if port 631 is reachable from anyone on the Internet (i.e. you don't have a firewall/router blocking the Internet from your LAN traffic), then yes, I wouldn't want the port to be accessible by anything other than localhost. Otherwise, I want CUPS automatic discovery of shared printers.
Craig
On 3/24/2012 7:43 PM, Craig White wrote:
Craig:
Thanks, that confirms that I am at least understanding what the impact of the automatically added rule is and what would need to be changed.
If I am correct in my understanding, I think I should have bypassed the automatic discovery by making the printer a static IP in the LAN and overriding the automated discovery with a "use this IP". It seemed that different setup methods worked differently and that I had to give it the address to get hp-setup to find the printer.
I kinda like the override as, while I am still sorting out all the learning for iptables, firewalls, etc. on F16, any automatic processes led to a "what is that?".
To make sure I really get it, I am going to modify the rule and see if the printer still works. Then, on the next machine I bring up on F16 (thanks to Tim resurrecting my dead machine by suggesting it's a fading power supply and to "unplug stuff") I'll try to track whether it is being added regardless of whether I use automatic discovery or manual override.
Paul
On Sat, 2012-03-24 at 19:18 -0700, Paul Allen Newell wrote:
If I try to reach a solution based on my limited knowledge, it would seem that one would want to change the udp to have a 127.0.0.1 sourceIP and a destinIP restricting to the LAN (I am assuming simple home user usage where there's a single LAN that has one connection through a router to the outside world). Such would say that any other udp would get rejected (or allowed by some other rule).
127.x.y.z addresses are not LAN addresses, they're only for the machine itself (internal communication).
If one is being secure, particularly when you connect your computers to random networks, or directly to the internet with no intervening gadget that acts like a firewall, then you probably do not want to use the default firewall rules that Fedora uses (allow everything by default, have a few specific rules, then a final deny rule). You'd want to go the opposite way: Deny everything by default, poke holes through for the few things that you want to allow.
And, of course, configure all your services correctly. Do not rely on a firewall to stop access to a service to which you don't want public access. Configure *that* service to ignore unwanted connections.
It's particularly important if you're one of those people who are going to disable the firewall to try and work out some problem. Because it only takes mere moments for some hacker to do their business on a vulnerable system. And that moment might be when you've dropped your firewall.
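An added example, not from any of the posters, that audits an iptables-save dump the way Paul's question and Tim's default-deny advice suggest: it counts port-631 ACCEPT rules with no source restriction, finds the duplicated auto-added rule, reports the INPUT chain policy, prints the LAN-restricted replacement rule, and fingerprints the ruleset so a start-up script can tell whether it changed since the last known save. The dump, the 192.168.2.0/24 LAN and the function names are constructed for the example; run it against `iptables-save` output on a real machine.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (example data): the auto-added CUPS
# rule appears twice and accepts UDP 631 from any source.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Number of INPUT rules that ACCEPT port 631 without any "-s" source match,
# i.e. the "worldwide open port" Reindl objected to.
world_open_631() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /--dport 631/ && /-j ACCEPT/ && !/ -s / { n++ }
        END { print n + 0 }'
}

# Number of distinct rule lines that occur more than once (the reinstall symptom).
duplicate_rules() {
    printf '%s\n' "$1" | grep '^-A ' | sort | uniq -d | awk 'END { print NR }'
}

# Default policy of a chain (ACCEPT or DROP); Tim's advice is DROP on INPUT.
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2 }'
}

# The same CUPS rule limited to one LAN prefix, e.g. 192.168.2.0/24.
lan_only_631_rule() {
    printf '%s\n' "-A INPUT -s $1 -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
}

# Hash of the rules with comments and packet counters stripped, so only a
# real rule change (not traffic) alters the value between boots.
ruleset_fingerprint() {
    printf '%s\n' "$1" | grep -v '^#' | sed 's/ \[[0-9]*:[0-9]*\]$//' \
        | sha256sum | cut -d' ' -f1
}
```

On a live system feed it `iptables-save` output and keep the fingerprint in a file; a differing value at boot is the "hey, iptables changed" signal Paul asked about.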
On 3/25/2012 3:22 AM, Tim wrote:
Tim:
Thanks for the reply.
I appreciate the corrections on my language regarding 127.*
You have clearly detected that I am trying to understand "being secure". I've posted many times trying to get understanding on iptables and I know that once I sort that out, I have to deal with firewall issues. Let me digest your email (along with the other posts regarding exactly what port 3535 is) and get back.
Best, Paul