Firewall

Tim Waugh twaugh at redhat.com
Tue Dec 7 09:50:22 UTC 2010


On Mon, 2010-12-06 at 21:50 +0000, Richard W.M. Jones wrote:
> Still not seeing how /etc/iptables.d wouldn't work ...

Here is how:

When I ask CUPS for a list of network printers, it runs the backends
in /usr/lib/cups/backend.  One of those is /usr/lib/cups/backend/snmp,
which:

a) binds to a local unprivileged UDP port
b) sends a broadcast SNMP request
c) listens for (unicast) responses to that request

We don't hear any of those responses because they are not recognised as
"related" by the kernel.  The iptables rules drop them.

If the CUPS snmp backend could say to "the firewall", "hey, please allow
responses on this port I've got for the next few seconds" -- which can
be controlled using PolicyKit -- then this network discovery would
finally work.

There's no way to know the local UDP port in advance
so /etc/iptables.d-like systems all fail here.

Tim.
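A model of the conntrack behaviour described above, added here as an illustration and not part of the original thread: the reverse-tuple check and the INPUT-chain verdict are simplified stand-ins for the kernel's logic, and the addresses and ports are constructed. It shows why the unicast answers to a broadcast SNMP query are not ESTABLISHED, and why only a port opened at runtime (the "please allow responses on this port" request) lets them through.

```python
import socket
from dataclasses import dataclass

SNMP_PORT = 161
BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class Flow:
    """One UDP datagram as a 4-tuple (src, sport, dst, dport)."""
    src: str
    sport: int
    dst: str
    dport: int


def ephemeral_port() -> int:
    """Bind a UDP socket to port 0 and return the port the kernel chose.
    The value only exists at runtime, which is why a static rules
    directory such as /etc/iptables.d cannot list it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", 0))
        return s.getsockname()[1]


def conntrack_expects_reply(original: Flow, reply: Flow) -> bool:
    """Simplified conntrack check (assumption, not the kernel's code): a
    packet belongs to an existing flow only if it is the exact reverse of
    the tuple that created it. A broadcast destination never shows up as
    a reply's source, so unicast answers to a broadcast query fail here."""
    expected = (original.dst, original.dport, original.src, original.sport)
    return (reply.src, reply.sport, reply.dst, reply.dport) == expected


def firewall_verdict(original: Flow, reply: Flow,
                     transient_ports: frozenset = frozenset()) -> str:
    """Model of the INPUT chain from the mail: accept ESTABLISHED replies,
    accept ports an application has asked to open for a few seconds,
    drop everything else."""
    if conntrack_expects_reply(original, reply):
        return "ACCEPT"
    if reply.dport in transient_ports:
        return "ACCEPT"
    return "DROP"


if __name__ == "__main__":
    port = ephemeral_port()  # constructed run: port differs every time
    query = Flow("192.168.1.5", port, BROADCAST, SNMP_PORT)
    answer = Flow("192.168.1.20", SNMP_PORT, "192.168.1.5", port)
    print(port, firewall_verdict(query, answer),
          firewall_verdict(query, answer, frozenset({port})))
```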