Re: CUPS and network interfaces

To: debian-security@lists.debian.org
Subject: Re: CUPS and network interfaces
From: Celejar <celejar@gmail.com>
Date: Sun, 7 Oct 2007 19:02:13 -0400
Message-id: <[🔎] 20071007190213.68b6851d.celejar@gmail.com>
In-reply-to: <[🔎] 20071007200016.GH30438@robsims.com>
References: <[🔎] 20071007144732.77c71e5f.celejar@gmail.com> <[🔎] 20071007191827.GA3805@montreal> <[🔎] 20071007200016.GH30438@robsims.com>

On Sun, 7 Oct 2007 14:00:16 -0600
Rob Sims <deb-lists-z@robsims.com> wrote:

> On Sun, Oct 07, 2007 at 09:18:27PM +0200, Markus Maria Miedaner wrote:
> > On Sun, Oct 07, 2007 at 02:47:32PM -0400, you (Celejar) wrote:
> > > Hi,
> > > 
> > > I have a pretty standard (default) CUPS installation.  cupsd.conf
> > > contains the lines:
> > > 
> > > > # Only listen for connections from the local machine.
> > > > Listen localhost:631
> > > > Listen /var/run/cups/cups.sock
> > > 
> > > Yet tiger complains:
> > > 
> > > > --WARN-- [lin002i] The process `cupsd' is listening on socket 631 (UDP) on every interface.
> 
> > depending on the level of security you'd like you may be continue thinking about it.
> > If you receive this "complain" on your desktop box and you don't have highly important
> > data on it that may be wanted by someone else.... I would not worry about it. 
> 
> I think the original poster is asking about the inconsistency between
> the cups config and the warning message, not complaining about the
> message.

Exactly.

> On to the real issue:
> Listen is poorly documented.  It affects the port for print connections
> only.  If you do netstat -anlp, you'll see that the tcp port 631 is
> listening only on the listed (local) interface.
> 
> udp port 631 is for a nearly unrelated activity of browsing.  Nothing
> stands out to me in the docs on limiting this port to certain
> interfaces, but there are several cupsd.conf Browse* directives to look
> at.  You may need IPTables to address the problem (though that won't
> make the message go away).

Got it; fairly fine-grained control is apparently possible with the
Browse* directives, including limiting the acceptance of browse packets
to those arriving on certain interfaces; here's an excerpt from the
on-line docs:

> BrowseAllow
> Examples
> 
> BrowseAllow from all
> BrowseAllow from none
> BrowseAllow from 192.0.2
> BrowseAllow from 192.0.2.0/24
> BrowseAllow from 192.0.2.0/255.255.255.0
> BrowseAllow from *.domain.com
> BrowseAllow from @LOCAL
> BrowseAllow from @IF(name)
> 
> Description
> 
> The BrowseAllow directive specifies a system or network to accept browse packets from. The default is to accept browse packets from all hosts.
> 
> Host and domain name matching require that you enable the HostNameLookups directive.
> 
> IP address matching supports exact matches, partial addresses that match networks using netmasks of 255.0.0.0, 255.255.0.0, and 255.255.255.0, or network addresses using the specified netmask or bit count.
> 
> The @LOCAL name will allow browse data from all local interfaces. The @IF(name) name will allow browse data from the named interface. In both cases, CUPS only allows data from the network that the interface(s) are configured for - data arriving on the interface from a foreign network will not be allowed.

I don't really need browsing, so I'm trying setting 'Browsing Off'.

> Rob

Thanks,
Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

Reply to:

References:
- CUPS and network interfaces
  - From: Celejar <celejar@gmail.com>
- Re: CUPS and network interfaces
  - From: Markus Maria Miedaner <Markus-Miedaner@web.de>
- Re: CUPS and network interfaces
  - From: Rob Sims <deb-lists-z@robsims.com>

Prev by Date: Re: CUPS and network interfaces
Next by Date: debsums: no md5sums for a lot of important packages on sarge
Previous by thread: Re: CUPS and network interfaces
Next by thread: debsums: no md5sums for a lot of important packages on sarge
Index(es):
- Date
- Thread