Closing port 631 from other computers

Jarmo Hurri jarmo.hurri at iki.fi
Fri Oct 31 09:34:14 UTC 2014


Greetings.

After the recent security incidents I am trying to increase the security
of my computer by closing unnecessary ports from the outside world.

The only listening port in my system right now is port 631 (ipp), as
"lsof -i | grep -i listen" reports:

************************************************************************
cupsd     2349   root   10u  IPv4  37790      0t0  TCP *:ipp (LISTEN)
cupsd     2349   root   11u  IPv6  37791      0t0  TCP *:ipp (LISTEN)
************************************************************************

I tried disabling cups services, but then printing stopped working.

So ok, I need a connection from my computer to port 631 for
printing. But that port should be closed from all other computers. At
the moment it is open to the outside world (10.13.3.247 is the address
of my computer in LAN):

************************************************************************
[jarmo at localhost ~]$ nmap -sT 10.13.3.247
Nmap scan report for 10.13.3.247
Not shown: 999 closed ports
PORT    STATE SERVICE
631/tcp open  ipp
************************************************************************

I tried to close the port using firewalld. But the port does not seem to
be open, and the firewall cannot close it. I can freely take a telnet
connection to the port. The first commands show that firewalld is
running and iptables is not.

************************************************************************
[jarmo at localhost ~]$ systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Fri 2014-10-31 07:27:45 EET; 3h 58min ago

[jarmo at localhost ~]$ systemctl status iptables.service
iptables.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

[jarmo at localhost ~]$ firewall-cmd --state
running

[jarmo at localhost ~]$ firewall-cmd --get-active-zones
public
  interfaces: em1

[jarmo at localhost ~]$ firewall-cmd --zone=public --list-ports

[jarmo at localhost ~]$ firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: em1
  sources: 
  services: dhcpv6-client mdns
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

[jarmo at localhost ~]$ firewall-cmd --zone=public --remove-port=631/tcp
Warning: NOT_ENABLED: '631:tcp' not in 'public'

[jarmo at localhost ~]$ nmap -sT 10.13.3.247
Nmap scan report for 10.13.3.247
Not shown: 999 closed ports
PORT    STATE SERVICE
631/tcp open  ipp

[jarmo at localhost ~]$ telnet 10.13.3.247 631
Trying 10.13.3.247...
Connected to 10.13.3.247.
Escape character is '^]'.
************************************************************************

So I must be doing something wrong. My questions are:

1. Have I diagnosed the situation correctly? Is port 631 really open to
   the outside world?

2. If port 631 is open, why can I not close it using firewalld?

3. What is the best way to deny connections to the port from any other
   computer than my own? Is it the approach I have taken now?

Thank you for all your help in advance.

Jarmo
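An added example, not part of Jarmo's post or of the CUPS or firewalld projects, that checks the two things the questions turn on: which listening sockets are bound to every interface (the `*:ipp` lines above) and whether a cupsd.conf restricts cupsd to loopback. It takes the two cupsd lines from the post plus one constructed localhost-only line as sample `lsof` output; the `Listen localhost:631`, `Listen /var/run/cups/cups.sock` and `Port 631` directives are real cupsd.conf syntax, and the helper names are my own.

```shell
#!/bin/sh
# Sample "lsof -i | grep -i listen" output: the two cupsd lines from the
# post plus one constructed localhost-only listener for contrast.
SAMPLE_LSOF='cupsd     2349   root   10u  IPv4  37790      0t0  TCP *:ipp (LISTEN)
cupsd     2349   root   11u  IPv6  37791      0t0  TCP *:ipp (LISTEN)
sshd      1020   root    3u  IPv4  20011      0t0  TCP localhost:ssh (LISTEN)'

# Print "command address" for every listener whose local address is a
# wildcard (*:port), i.e. reachable on every interface, not just loopback.
# Column 9 of lsof -i output is the local address, column 1 the command.
wildcard_listeners() {
    printf '%s\n' "$SAMPLE_LSOF" | awk '$9 ~ /^\*:/ { print $1, $9 }'
}

# Number of wildcard listeners; a hardened workstation wants this to be 0.
count_wildcard_listeners() {
    wildcard_listeners | awk 'END { print NR + 0 }'
}

# Read a cupsd.conf on stdin and classify its listening configuration.
# "Port N" and "Listen *:N" / "Listen 0.0.0.0:N" / "Listen [::]:N" bind to
# all interfaces; "Listen localhost:N" or a unix socket path stay local.
# Prints "wide-open" or "local-only".
check_cupsd_conf() {
    awk '
        BEGIN { open = 0 }
        /^[[:space:]]*#/ { next }                      # skip comments
        $1 == "Port" { open = 1 }
        $1 == "Listen" && ($2 ~ /^\*:/ || $2 ~ /^0\.0\.0\.0:/ || $2 ~ /^\[::\]:/) { open = 1 }
        END { print (open ? "wide-open" : "local-only") }
    '
}

# Stand-alone demo: list the wildcard listeners and check a local-only config.
wildcard_listeners
printf 'Listen localhost:631\nListen /var/run/cups/cups.sock\n' | check_cupsd_conf
```

Replacing `Port 631` with `Listen localhost:631` in cupsd.conf (and leaving the unix socket `Listen` line in place) keeps local printing working while taking cupsd off the LAN interface entirely, which is a smaller attack surface than filtering the port. Note also that firewalld accepts loopback traffic before any zone rule applies, so an nmap or telnet against the machine's own address from the machine itself never exercises the `public` zone on `em1`; the meaningful check is a scan from a second host on the LAN.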
