question on iptables, port 631 and CUPS

Paul Allen Newell pnewell at cs.cmu.edu
Sun Mar 25 02:18:59 UTC 2012


On 3/24/2012 6:30 AM, Reindl Harald wrote:
>
> Am 24.03.2012 14:29, schrieb Craig White:
>> On Fri, 2012-03-23 at 22:07 -0700, Paul Allen Newell wrote:
>>> Hello:
>>>
>>> I am noticing that when I install a printer on my local network, I get
>>> an entry added to iptables to the effect of:
>>> +++
>>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>>> +++
>>>
>>>
>> ----
>> generally default policies would allow everything to/from localhost
>> (127.0.0.1) so beyond the basic policies themselves regarding device lo,
>> there should be no need for rules that source or destine it.
>>
>> CUPS (port 631) does have options to allow automatic discovery of shared
>> printers on the LAN and it is often quite useful to allow your LAN
>> systems to access port 631.
> but this is a stupid WORLDWIDE open port!
> normally a machine should not offer any network port worldwide
>
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>

Craig and Reindl:

Thanks for both of your responses.

It makes sense that 127.0.0.1 would be covered to/fro by default 
policies. And it was clear to me from my initial Googling that CUPS / 
port 631 made sense and is a relatively old and stable standard.

But I am still wondering about the openness of the automatically added 
rule ... it does seem to say that udp from any sourceIP to any destinIP 
is legit when using dport 631 (yeah, a worldwide open port is a good way 
to phrase it).

If this were a "real hole", then I would have to believe someone would 
have flagged it a long time ago and I don't see evidence on the net for 
such (given that I assume this auto-rule is added to anyone and 
everyone's iptables when CUPS starts looking for printers?). This is 
more of a question to help better understand iptables.

If I try to reach a solution based on my limited knowledge, it would 
seem that one would want to change the udp to have a 127.0.0.1 sourceIP 
and a destinIP restricting to the LAN (I am assuming simple home user 
usage where there's a single LAN that has one connection through a 
router to the outside world). Such would say that any other udp would 
get rejected (or allowed by some other rule). Probably implies some 
means at start-up (rc.local perhaps) to check to see if iptables has 
changed from the last known settings (is there a way to get an email 
from root to say "hey, I just changed iptables and you might like to 
know it happened so you can see if this is what you want"?).

Once again, appreciate the information (and hopefully will be able to 
get a bit more to see if I am getting all this correctly).

Paul
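The two things Paul sketches above (narrowing the auto-added CUPS rule to the LAN, and a start-up check that notices when the ruleset has drifted from a saved baseline and mails root) as a working script. This is an added example and not code from the thread or from Fedora/CUPS; the LAN subnet 192.168.1.0/24, the baseline path /var/lib/iptables-baseline.rules and the recipient address are assumptions set as overridable variables. The narrowing uses an iptables `-s <subnet>` source match rather than a 127.0.0.1 source, because packets arriving from LAN peers carry their own addresses and, as Craig notes, loopback traffic is already covered by the `lo` policy. The file-based comparison can be run offline; the live check needs root, `iptables-save` and `mail(1)`, and only runs when the script is invoked with `--run`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values, overridable from the environment:
LAN_NET="${LAN_NET:-192.168.1.0/24}"                      # assumption: single home LAN
BASELINE="${BASELINE:-/var/lib/iptables-baseline.rules}"  # assumption: last known-good ruleset
MAIL_TO="${MAIL_TO:-root}"                                # assumption: who is notified of changes

# The rule the printer setup added, exactly as quoted in the thread.
CUPS_RULE_OPEN="-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"

# Narrow an "-A INPUT ..." rule (iptables-save syntax) so it only matches packets
# whose source is in the given subnet, by inserting "-s <subnet>" after "-A INPUT".
# Uses "|" as the sed delimiter because the subnet contains "/".
narrow_to_lan() {
    printf '%s\n' "$1" | sed "s|^-A INPUT |-A INPUT -s $2 |"
}

# Drop iptables-save's "# Generated by ... on <date>" / "# Completed on <date>"
# lines so that a fresh dump with a new timestamp does not count as a change.
strip_comments() { grep -v '^#' "$1" || true; }

# Compare a saved baseline dump against a current dump (both given as files, so the
# check can be exercised without touching the live firewall). Exit status follows
# diff(1): 0 = rules identical, 1 = rules differ (unified diff printed), 2 = error.
ruleset_diff() {
    b=$(mktemp) && c=$(mktemp) || return 2
    strip_comments "$1" > "$b"
    strip_comments "$2" > "$c"
    diff -u "$b" "$c" && rc=0 || rc=$?   # AND-OR form keeps this safe under "set -e"
    rm -f "$b" "$c"
    return $rc
}

# Offline demonstration with constructed dumps: the "current" dump differs from the
# baseline only by the auto-added CUPS rule, so ruleset_diff reports a change (returns 1).
demo_offline() {
    base=$(mktemp) && cur=$(mktemp) || return 2
    printf '%s\n' "# Generated by iptables-save v1.4.12 on Sat Mar 24 2012" \
        "*filter" ":INPUT DROP [0:0]" "-A INPUT -i lo -j ACCEPT" \
        "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" "COMMIT" > "$base"
    printf '%s\n' "# Generated by iptables-save v1.4.12 on Sun Mar 25 2012" \
        "*filter" ":INPUT DROP [0:0]" "-A INPUT -i lo -j ACCEPT" \
        "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" \
        "$CUPS_RULE_OPEN" "COMMIT" > "$cur"
    ruleset_diff "$base" "$cur" && rc=0 || rc=$?
    rm -f "$base" "$cur"
    return $rc
}

# Live check for rc.local or cron: dump the running rules, compare with the baseline,
# and mail the diff so a change (such as the CUPS rule appearing) is noticed.
# On the very first run the current rules become the baseline.
check_live_rules() {
    cur=$(mktemp) || return 2
    iptables-save > "$cur"
    if [ ! -f "$BASELINE" ]; then
        cp "$cur" "$BASELINE"
        rm -f "$cur"
        return 0
    fi
    out=$(ruleset_diff "$BASELINE" "$cur") && rc=0 || rc=$?
    if [ "$rc" -eq 1 ]; then
        printf 'iptables rules on %s differ from %s:\n\n%s\n' "$(hostname)" "$BASELINE" "$out" \
            | mail -s "iptables changed on $(hostname)" "$MAIL_TO"
    fi
    rm -f "$cur"
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    check_live_rules
fi
```

To install the narrowed rule instead of the open one, replace the quoted line in the saved ruleset with the output of `narrow_to_lan "$CUPS_RULE_OPEN" "$LAN_NET"` and reload it; if the LAN uses a different subnet, set `LAN_NET` accordingly. Re-saving the baseline after a deliberate change keeps the notification meaningful.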



More information about the users mailing list