question on iptables, port 631 and CUPS

Paul Allen Newell pnewell at cs.cmu.edu
Sun Mar 25 02:53:34 UTC 2012


On 3/24/2012 7:43 PM, Craig White wrote:
> On Sat, 2012-03-24 at 19:18 -0700, Paul Allen Newell wrote:
>> On 3/24/2012 6:30 AM, Reindl Harald wrote:
>>> Am 24.03.2012 14:29, schrieb Craig White:
>>>> On Fri, 2012-03-23 at 22:07 -0700, Paul Allen Newell wrote:
>>>>> Hello:
>>>>>
>>>>> I am noticing that when I install a printer on my local network, I get
>>>>> an entry added to iptables to the effect of:
>>>>> +++
>>>>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>>>>> +++
>>>>>
>>>>>
>>>> ----
>>>> generally default policies would allow everything to/from localhost
>>>> (127.0.0.1) so beyond the basic policies themselves regarding device lo,
>>>> there should be no need for rules that source or destine it.
>>>>
>>>> CUPS (port 631) does have options to allow automatic discovery of shared
>>>> printers on the LAN and it is often quite useful to allow your LAN
>>>> systems to access port 631.
>>> but this is a stupid WORLDWIDE open port!
>>> normally a machine should not offer any network port worldwide
>>>
>>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>>>
>> Craig and Reindl:
>>
>> Thanks for both of your responses.
>>
>> It makes sense that 127.0.0.1 would be covered to/fro by default
>> policies. And it was clear to me from my initial Googling that CUPS /
>> port 631 made sense and is a relatively old and stable standard.
>>
>> But I am still wondering about the openness of the automatically added
>> rule ... it does seem to say that udp from any sourceIP to any destinIP
>> is legit when using dport 631 (yeah, a worldwide open port is a good way
>> to phrase it).
>>
>> If this were a "real hole", then I would have to believe someone would
>> have flagged it a long time ago and I don't see evidence on the net for
>> such (given that I assume this auto-rule is added to anyone and
>> everyone's iptables when CUPS starts looking for printers?). This is
>> more of a question to help better understand iptables.
>>
>> If I try to reach a solution based on my limited knowledge, it would
>> seem that one would want to change the udp to have a 127.0.0.1 sourceIP
>> and a destinIP restricting to the LAN (I am assuming simple home user
>> usage where there's a single LAN that has one connection through a
>> router to the outside world). Such would say that any other udp would
>> get rejected (or allowed by some other rule). Probably implies some
>> means at start-up (rc.local perhaps) to check to see if iptables has
>> changed from the last known settings (is there a way to get an email
>> from root to say "hey, I just changed iptables and you might like to
>> know it happened so you can see if this is what you want"?).
>>
>> Once again, appreciate the information (and hopefully will be able to
>> get a bit more to see if I am getting all this correctly).
> ----
> if port 631 is reachable from anyone on the Internet (i.e. you don't
> have a firewall/router blocking the Internet from your LAN traffic), then
> yes, I wouldn't want the port to be accessible by anything other than
> localhost. Otherwise, I want CUPS automatic discovery of shared
> printers.
>
> Craig
>
>

Craig:

Thanks, that confirms that I am at least understanding what the impact 
of the automatically added rule is and what would need to be changed.

If I am correct in my understanding, I think I should have bypassed the 
automatic discovery by making the printer a static IP in the LAN and 
overriding the automated discovery with a "use this IP". It seemed that 
different setup methods worked differently and that I had to give it the 
address to get hp-setup to find the printer.

I kinda like the override as, while I am still sorting out all the 
learning for iptables, firewalls, etc. on F16, any automatic processes 
led to a "what is that?".

To make sure I really get it, I am going to modify the rule and see if 
the printer still works. Then, on the next machine I bring up on F16 
(thanks to Tim resurrecting my dead machine by suggesting it's a fading 
power supply and to "unplug stuff") I'll try to track whether it is 
being added regardless of whether I use automatic discovery or manual 
override.

Paul
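Paul's two questions in this thread (how to tell that the ruleset has gained a world-open CUPS rule, and what the restricted rule should look like) can be answered with a small audit script. This is an added example, not code from the thread or from Fedora/CUPS; it works on iptables-save style text (a constructed sample is embedded so it runs offline; in real use feed it `iptables-save` output), and the LAN subnet 192.168.1.0/24 is an assumption.

```shell
#!/bin/sh
# Assumed home LAN; adjust to your own subnet.
LAN=192.168.1.0/24

# Constructed sample of iptables-save output. The 631 rule is the
# world-open one the thread discusses (no -s restriction at all).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m udp -p udp --dport 5353 -j ACCEPT
COMMIT'

# Print every INPUT ACCEPT rule for dport 631 that carries no -s (source)
# match, i.e. accepts the CUPS browse traffic from any address.
find_world_open_631() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT/ && /--dport 631/ && /-j ACCEPT/ && !/ -s / { print }'
}

# Rewrite only those rules so they accept from the given subnet. Localhost
# is already covered by the "-i lo" rule; if LAN discovery is not wanted
# either, the right fix is to drop the 631 rule rather than narrow it.
restrict_to_lan() {
    printf '%s\n' "$1" | awk -v lan="$2" '
        /^-A INPUT/ && /--dport 631/ && /-j ACCEPT/ && !/ -s / {
            sub(/^-A INPUT /, "-A INPUT -s " lan " ")
        }
        { print }'
}

# Demo on the constructed sample (from cron this output could be mailed to root).
echo "World-open CUPS rules:"
find_world_open_631 "$SAMPLE_RULES"
echo "Ruleset with those rules restricted to $LAN:"
restrict_to_lan "$SAMPLE_RULES" "$LAN"
```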

