question on iptables, port 631 and CUPS

Reindl Harald h.reindl at thelounge.net
Sat Mar 24 13:30:58 UTC 2012



Am 24.03.2012 14:29, schrieb Craig White:
> On Fri, 2012-03-23 at 22:07 -0700, Paul Allen Newell wrote:
>> Hello:
>>
>> I am noticing that when I install a printer on my local network, I get 
>> an entry added to iptables to the effect of:
>> +++
>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>> +++
>>
>> It actually shows up multiple times, which makes it look like each time 
>> I reinstalled the printer to get things right it did an automatic entry 
>> without bothering to check if it was already there.
>>
>> Everything I can find online makes it sound like this is "to be 
>> expected". However, I am seeing examples of manual additions of this 
>> rule adding a "-s 127.0.0.1". I take this to mean that it limits the 
>> request to "coming from my machine".
>>
>> Is this a good idea or even necessary? My knowledge of iptables (very 
>> limited but getting better) thinks that the default rule allows any 
>> source addr or destination addr and the only limitation is that it is 
>> restricted to port 631. It would seem that if I wanted to really limit 
>> it, I would make the source addr myself/machine and the destination addr 
>> limited to my LAN (192.168.2.*) --- I'm still searching my notes from 
>> this list for the proper syntax as I know I have been emailed that before.
>>
>> Am I understanding all this correctly?
> ----
> generally default policies would allow everything to/from localhost
> (127.0.0.1) so beyond the basic policies themselves regarding device lo,
> there should be no need for rules that use it as source or destination.
> 
> CUPS (port 631) does have options to allow automatic discovery of shared
> printers on the LAN and it is often quite useful to allow your LAN
> systems to access port 631.

but this is a stupid WORLDWIDE open port!
normally a machine should not offer any network port worldwide

-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
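As an added example, not code from this thread or from Fedora/CUPS, here is a small Python checker run over constructed `iptables-save` output. It finds the two things raised above: the same rule appended once per printer reinstall, and an ACCEPT for port 631 that carries no `-s` source restriction, so it is reachable from anywhere the box is. It also rewrites such a rule so that it matches only the LAN. The LAN range 192.168.2.0/24 is taken from the original question; the sample rule set is constructed for the example and is not a real capture.

```python
"""Audit iptables-save output for world-open CUPS (port 631) ACCEPT rules
and for rules that were appended more than once.

Added example; the rule text below is constructed, not captured from a
real machine.
"""
from collections import Counter

# Constructed sample of `iptables-save` output (hypothetical, not real data).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.2.0/24 --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Assumption: the LAN from the original question; change it for your network.
LAN = "192.168.2.0/24"


def parse_rules(text):
    """Return every '-A <chain> ...' line of an iptables-save dump as a token list."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-A "):
            rules.append(line.split())
    return rules


def option(tokens, *names):
    """Value following the first of the given option names in a rule, else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def world_open_accepts(text, port):
    """Rules that ACCEPT traffic to `port` without any source-address match.

    A rule with no -s/--source matches packets from every address that can
    reach the interface, which is the 'worldwide open port' complaint above.
    """
    hits = []
    for tokens in parse_rules(text):
        if option(tokens, "-j", "--jump") != "ACCEPT":
            continue
        if option(tokens, "--dport", "--destination-port") != str(port):
            continue
        if option(tokens, "-s", "--source") is None:
            hits.append(" ".join(tokens))
    return hits


def duplicate_rules(text):
    """Rule lines present more than once (one copy per printer reinstall)."""
    counts = Counter(" ".join(tokens) for tokens in parse_rules(text))
    return [rule for rule, n in counts.items() if n > 1]


def restricted_rule(rule, lan=LAN):
    """Return `rule` limited to sources in `lan`; rules already carrying -s are unchanged."""
    tokens = rule.split()
    if option(tokens, "-s", "--source") is not None:
        return rule
    # Insert the source match directly after '-A <chain>'.
    return " ".join(tokens[:2] + ["-s", lan] + tokens[2:])


if __name__ == "__main__":
    for rule in duplicate_rules(SAMPLE_RULES):
        print("duplicate:", rule)
    for rule in world_open_accepts(SAMPLE_RULES, 631):
        print("world-open:", rule)
        print("  suggest :", restricted_rule(rule))
```

Before appending a rule by hand, `iptables -C INPUT <rule spec>` reports (by exit status) whether an identical rule already exists in the chain, which avoids the pile-up of duplicates the original poster saw.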
