
Re: CUPS and network interfaces



On Sun, 7 Oct 2007 14:00:16 -0600
Rob Sims <deb-lists-z@robsims.com> wrote:

> On Sun, Oct 07, 2007 at 09:18:27PM +0200, Markus Maria Miedaner wrote:
> > On Sun, Oct 07, 2007 at 02:47:32PM -0400, you (Celejar) wrote:
> > > Hi,
> > > 
> > > I have a pretty standard (default) CUPS installation.  cupsd.conf
> > > contains the lines:
> > > 
> > > > # Only listen for connections from the local machine.
> > > > Listen localhost:631
> > > > Listen /var/run/cups/cups.sock
> > > 
> > > Yet tiger complains:
> > > 
> > > > --WARN-- [lin002i] The process `cupsd' is listening on socket 631 (UDP) on every interface.
> 
> > depending on the level of security you'd like, you may continue thinking about it.
> > If you receive this "complaint" on your desktop box and you don't have highly important
> > data on it that may be wanted by someone else.... I would not worry about it. 
> 
> I think the original poster is asking about the inconsistency between
> the cups config and the warning message, not complaining about the
> message.

Exactly.

> On to the real issue:
> Listen is poorly documented.  It affects the port for print connections
> only.  If you do netstat -anlp, you'll see that the tcp port 631 is
> listening only on the listed (local) interface.
> 
> udp port 631 is for a nearly unrelated activity of browsing.  Nothing
> stands out to me in the docs on limiting this port to certain
> interfaces, but there are several cupsd.conf Browse* directives to look
> at.  You may need IPTables to address the problem (though that won't
> make the message go away).

Got it; fairly fine-grained control is apparently possible with the
Browse* directives, including limiting the acceptance of browse packets
to those arriving on certain interfaces; here's an excerpt from the
on-line docs:

> BrowseAllow
> Examples
> 
> BrowseAllow from all
> BrowseAllow from none
> BrowseAllow from 192.0.2
> BrowseAllow from 192.0.2.0/24
> BrowseAllow from 192.0.2.0/255.255.255.0
> BrowseAllow from *.domain.com
> BrowseAllow from @LOCAL
> BrowseAllow from @IF(name)
> 
> Description
> 
> The BrowseAllow directive specifies a system or network to accept browse packets from. The default is to accept browse packets from all hosts.
> 
> Host and domain name matching require that you enable the HostNameLookups directive.
> 
> IP address matching supports exact matches, partial addresses that match networks using netmasks of 255.0.0.0, 255.255.0.0, and 255.255.255.0, or network addresses using the specified netmask or bit count.
> 
> The @LOCAL name will allow browse data from all local interfaces. The @IF(name) name will allow browse data from the named interface. In both cases, CUPS only allows data from the network that the interface(s) are configured for - data arriving on the interface from a foreign network will not be allowed.

I don't really need browsing, so I'm trying setting 'Browsing Off'.

> Rob

Thanks,
Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
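The two checks discussed in this thread (does cupsd have a socket bound to every interface, and has browsing actually been turned off in cupsd.conf) as a small POSIX shell script. This is an added example, not code from the thread or from the CUPS project; the netstat output, PIDs and config fragments below are constructed to mirror the situation described above (TCP 631 on localhost only, UDP 631 on 0.0.0.0), and the script only reports an explicit `Browsing Off`/`No` line, making no claim about what the compiled-in default is.

```shell
#!/bin/sh
# Added example (not from the thread): find cupsd sockets bound to every
# interface in netstat-style output, and check whether cupsd.conf turns
# browsing off explicitly.

# Constructed sample of `netstat -anlp` output.  TCP 631 (print connections)
# is bound to localhost as the Listen lines request; UDP 631 (browsing) is
# bound to 0.0.0.0, which is what tiger's lin002i warning is about.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1234/cupsd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1234/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1000/sshd'

# Constructed cupsd.conf fragments: the Listen-only one from the original
# post, and the same with the "Browsing Off" line Celejar is trying.
CONF_DEFAULT='# Only listen for connections from the local machine.
Listen localhost:631
Listen /var/run/cups/cups.sock'

CONF_HARDENED='Listen localhost:631
Listen /var/run/cups/cups.sock
Browsing Off'

# Read netstat-style lines on stdin; print "proto local-address" for every
# cupsd socket whose local address is a wildcard (0.0.0.0, ::, [::] or *).
# The local address is always field 4 and the program name is the last
# field, so UDP lines (which have no State column) parse like TCP lines.
cupsd_wildcard_sockets() {
    awk '$NF ~ /\/cupsd$/ && $4 ~ /^(0\.0\.0\.0|::|\[::\]|\*):/ { print $1, $4 }'
}

# Read a cupsd.conf on stdin; exit 0 if an uncommented "Browsing Off" (or
# "Browsing No") directive is present, 1 otherwise.  Absence of the line is
# reported as "not explicitly off", not as a guess at the default.
browsing_explicitly_off() {
    awk 'BEGIN { off = 0 }
         /^[[:space:]]*#/ { next }
         tolower($1) == "browsing" && (tolower($2) == "off" || tolower($2) == "no") { off = 1 }
         END { exit off ? 0 : 1 }'
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_NETSTAT" | cupsd_wildcard_sockets | while read -r proto addr; do
    echo "cupsd is bound on every interface: $proto $addr"
done
for name in CONF_DEFAULT CONF_HARDENED; do
    eval "conf=\$$name"
    if printf '%s\n' "$conf" | browsing_explicitly_off; then
        echo "$name: Browsing explicitly Off"
    else
        echo "$name: Browsing not explicitly Off (UDP 631 browse packets may still be accepted)"
    fi
done
```

On a real system the same functions can be fed with `netstat -anlp 2>/dev/null | cupsd_wildcard_sockets` and `browsing_explicitly_off < /etc/cups/cupsd.conf`; as Rob notes, a Listen line on localhost says nothing about the UDP browse socket, which is why the first check looks at every cupsd socket rather than only TCP 631.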


