Re: CUPS and network interfaces
On Sun, 7 Oct 2007 14:00:16 -0600
Rob Sims <deb-lists-z@robsims.com> wrote:
> On Sun, Oct 07, 2007 at 09:18:27PM +0200, Markus Maria Miedaner wrote:
> > On Sun, Oct 07, 2007 at 02:47:32PM -0400, you (Celejar) wrote:
> > > Hi,
> > >
> > > I have a pretty standard (default) CUPS installation. cupsd.conf
> > > contains the lines:
> > >
> > > > # Only listen for connections from the local machine.
> > > > Listen localhost:631
> > > > Listen /var/run/cups/cups.sock
> > >
> > > Yet tiger complains:
> > >
> > > > --WARN-- [lin002i] The process `cupsd' is listening on socket 631 (UDP) on every interface.
>
> > Depending on the level of security you'd like, you may continue thinking about it.
> > If you receive this "complaint" on your desktop box and you don't have highly important
> > data on it that may be wanted by someone else... I would not worry about it.
>
> I think the original poster is asking about the inconsistency between
> the cups config and the warning message, not complaining about the
> message.
Exactly.
> On to the real issue:
> Listen is poorly documented. It affects the port for print connections
> only. If you do netstat -anlp, you'll see that the tcp port 631 is
> listening only on the listed (local) interface.
>
> udp port 631 is for a nearly unrelated activity of browsing. Nothing
> stands out to me in the docs on limiting this port to certain
> interfaces, but there are several cupsd.conf Browse* directives to look
> at. You may need IPTables to address the problem (though that won't
> make the message go away).
Got it; fairly fine-grained control is apparently possible with the
Browse* directives, including limiting the acceptance of browse packets
to those arriving on certain interfaces; here's an excerpt from the
on-line docs:
> BrowseAllow
> Examples
>
> BrowseAllow from all
> BrowseAllow from none
> BrowseAllow from 192.0.2
> BrowseAllow from 192.0.2.0/24
> BrowseAllow from 192.0.2.0/255.255.255.0
> BrowseAllow from *.domain.com
> BrowseAllow from @LOCAL
> BrowseAllow from @IF(name)
>
> Description
>
> The BrowseAllow directive specifies a system or network to accept browse packets from. The default is to accept browse packets from all hosts.
>
> Host and domain name matching require that you enable the HostNameLookups directive.
>
> IP address matching supports exact matches, partial addresses that match networks using netmasks of 255.0.0.0, 255.255.0.0, and 255.255.255.0, or network addresses using the specified netmask or bit count.
>
> The @LOCAL name will allow browse data from all local interfaces. The @IF(name) name will allow browse data from the named interface. In both cases, CUPS only allows data from the network that the interface(s) are configured for - data arriving on the interface from a foreign network will not be allowed.
I don't really need browsing, so I'm trying setting 'Browsing Off'.
> Rob
Thanks,
Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
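
The split discussed in this thread (TCP 631 following the Listen directive while UDP 631, the browsing port, stays bound to every interface) can be checked from `netstat -anlp` output. The following is an added example, not part of the original messages; the sample netstat lines are constructed, and the function names `sample_netstat`, `port_bindings` and `check_port` are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `netstat -anlp` output (not captured from a real host):
# TCP 631 honours "Listen localhost:631", UDP 631 (browsing) is on every interface.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2301/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1200/sshd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           2301/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           990/dhclient
EOF
}

# Read netstat output on stdin and print "proto local-address scope" for each
# socket on the given port (default 631). scope is "wildcard" when the socket
# is bound to every interface (0.0.0.0, :: or *), otherwise "restricted".
port_bindings() {
    awk -v port="${1:-631}" '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            n = split(addr, parts, ":")      # port is the last colon-separated field
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            scope = (host == "0.0.0.0" || host == "::" || host == "*") ? "wildcard" : "restricted"
            print $1, addr, scope
        }'
}

# Exit status 0 when no socket on the port is wildcard-bound, 1 otherwise.
check_port() {
    ! port_bindings "$1" | grep -q ' wildcard$'
}

# Demonstration on the constructed sample; on a live host use:
#   netstat -anlp | port_bindings 631
sample_netstat | port_bindings 631
```

After setting 'Browsing Off' or narrowing BrowseAllow and restarting cupsd, rerunning the check on live `netstat -anlp` output shows whether the UDP socket is still bound to every interface.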