Re: CUPS and network interfaces

From: Celejar <celejar(at)gmail.com>
Date: Sun Oct 07 2007 - 19:02:13 EDT


On Sun, 7 Oct 2007 14:00:16 -0600
Rob Sims <deb-lists-z@robsims.com> wrote:

> On Sun, Oct 07, 2007 at 09:18:27PM +0200, Markus Maria Miedaner wrote:
> > On Sun, Oct 07, 2007 at 02:47:32PM -0400, you (Celejar) wrote:
> > > Hi,
> > >
> > > I have a pretty standard (default) CUPS installation. cupsd.conf
> > > contains the lines:
> > >
> > > > # Only listen for connections from the local machine.
> > > > Listen localhost:631
> > > > Listen /var/run/cups/cups.sock
> > >
> > > Yet tiger complains:
> > >
> > > > --WARN-- [lin002i] The process `cupsd' is listening on socket 631 (UDP) on every interface.
>
> > depending on the level of security you'd like you may continue thinking about it.
> > If you receive this "complaint" on your desktop box and you don't have highly important
> > data on it that may be wanted by someone else.... I would not worry about it.
>
> I think the original poster is asking about the inconsistency between
> the cups config and the warning message, not complaining about the
> message.

Exactly.

> On to the real issue:
> Listen is poorly documented. It affects the port for print connections
> only. If you do netstat -anlp, you'll see that the tcp port 631 is
> listening only on the listed (local) interface.
>
> udp port 631 is for a nearly unrelated activity of browsing. Nothing
> stands out to me in the docs on limiting this port to certain
> interfaces, but there are several cupsd.conf Browse* directives to look
> at. You may need IPTables to address the problem (though that won't
> make the message go away).

Got it; fairly fine-grained control is apparently possible with the Browse* directives, including limiting the acceptance of browse packets to those arriving on certain interfaces; here's an excerpt from the on-line docs:

> BrowseAllow
> Examples
>
> BrowseAllow from all
> BrowseAllow from none
> BrowseAllow from 192.0.2
> BrowseAllow from 192.0.2.0/24
> BrowseAllow from 192.0.2.0/255.255.255.0
> BrowseAllow from *.domain.com
> BrowseAllow from @LOCAL
> BrowseAllow from @IF(name)
>
> Description
>
> The BrowseAllow directive specifies a system or network to accept browse packets from. The default is to accept browse packets from all hosts.
>
> Host and domain name matching require that you enable the HostNameLookups directive.
>
> IP address matching supports exact matches, partial addresses that match networks using netmasks of 255.0.0.0, 255.255.0.0, and 255.255.255.0, or network addresses using the specified netmask or bit count.
>
> The @LOCAL name will allow browse data from all local interfaces. The @IF(name) name will allow browse data from the named interface. In both cases, CUPS only allows data from the network that the interface(s) are configured for - data arriving on the interface from a foreign network will not be allowed.

I don't really need browsing, so I'm trying setting 'Browsing Off'.

> Rob


Thanks,
Celejar

--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
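A defender-side check that reconciles the two views Rob describes above (the Listen lines in cupsd.conf versus what `netstat -anlp` reports for TCP and UDP port 631), added here as an example; it is not part of this thread or of CUPS itself. The netstat lines and the cupsd.conf fragment are constructed samples, the function names are my own, and an absent Browsing directive is reported as "absent" rather than assuming a default:

```shell
#!/bin/sh
# Added example, not from the list thread: reconcile a cupsd.conf with the
# socket table so a warning like tiger's ("cupsd listening on 631 (UDP) on
# every interface") can be explained rather than just noticed.
# Assumed inputs: `netstat -anlp`-style lines and a cupsd.conf, both on stdin.

# Constructed sample of `netstat -anlp` output (not a real capture).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1234/cupsd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1234/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd'

# Constructed cupsd.conf fragment mirroring the Listen lines from the thread.
SAMPLE_CONF='# Only listen for connections from the local machine.
Listen localhost:631
Listen /var/run/cups/cups.sock
Browsing On
BrowseAllow from @LOCAL'

# Print the local endpoint of every cupsd socket of protocol $1 (tcp|udp)
# that is bound on all interfaces (0.0.0.0 or ::). Reads netstat output on stdin.
cupsd_wildcard_sockets() {
    awk -v proto="$1" '
        $1 == proto && $NF ~ /\/cupsd$/ {
            ep = $4; sub(/:[0-9]+$/, "", ep)   # strip the port
            if (ep == "0.0.0.0" || ep == "::") print $4
        }'
}

# Print the effective Browsing value from a cupsd.conf on stdin
# (last directive wins, lower-cased); prints "absent" when unset.
browsing_setting() {
    awk 'BEGIN { v = "absent" }
         /^[ \t]*[Bb]rowsing[ \t]+/ { v = tolower($2) }
         END { print v }'
}

# Count Listen directives on stdin that bind something other than loopback
# or a Unix socket path; a bare port ("Listen 631") binds every interface.
nonlocal_listen_count() {
    awk '/^[ \t]*Listen[ \t]+/ {
            if ($2 !~ /^(localhost|127\.|\[::1\]|\/)/) n++
         }
         END { print n + 0 }'
}

# Combine both views: the Listen lines only govern the TCP side, so warn when
# the UDP browse socket is wildcard-bound while Browsing is not Off.
# $1 = netstat output, $2 = cupsd.conf text. Returns 1 on a finding.
audit_cups() {
    udp=$(printf '%s\n' "$1" | cupsd_wildcard_sockets udp)
    browsing=$(printf '%s\n' "$2" | browsing_setting)
    nonlocal=$(printf '%s\n' "$2" | nonlocal_listen_count)
    if [ -n "$udp" ] && [ "$browsing" != "off" ]; then
        echo "WARN: cupsd browse socket on all interfaces ($udp); Browsing is '$browsing'" \
             "(Listen lines binding non-loopback addresses: $nonlocal)." \
             "Set 'Browsing Off' or restrict with BrowseAllow / BrowseAddress."
        return 1
    fi
    echo "OK: no wildcard-bound cupsd UDP socket, or Browsing is Off"
    return 0
}

# Demo on the constructed samples (wrapped in `if` so a finding does not
# abort a caller running under `set -e`).
if audit_cups "$SAMPLE_NETSTAT" "$SAMPLE_CONF"; then
    echo "audit passed"
else
    echo "audit reported a finding (exit status 1)"
fi
```

On a live system the same functions take `netstat -anlp` (or `ss -anlp`) output and `/etc/cups/cupsd.conf` on stdin; the WARN line is the case from the thread, where the TCP listener is correctly on 127.0.0.1 but the UDP browse socket is still bound to 0.0.0.0.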


-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Sun Oct 7 19:02:59 2007

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:09 EDT

