On 24.03.2012 14:29, Craig White wrote:
> On Fri, 2012-03-23 at 22:07 -0700, Paul Allen Newell wrote:
>> Hello:
>>
>> I am noticing that when I install a printer on my local network, I get 
>> an entry added to iptables to the effect of:
>> +++
>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>> +++
>>
>> It actually shows up multiple times, which makes it look like each time 
>> I reinstalled the printer to get things right it did an automatic entry 
>> without bothering to check if it already there.
>>
>> Everything I can find online makes it sound like this is "to be 
>> expected". However, I am seeing examples of manual additions of this 
>> rule adding a "-s 127.0.0.1". I take this to mean that it limits the 
>> request to "coming from my machine".
>>
>> Is this a good idea or even necessary? My knowledge of iptables (very 
>> limited but getting better) thinks that the default rule allows any 
>> source addr or destin addr and the only limitation is that it is 
>> restricted to port 631. It would seem that if I wanted to really limit 
>> it, I would make the source addr myself/machine and the destin addr 
>> limited to my LAN (192.168.2.*) --- I'm still searching my notes from 
>> this list for the proper syntax as I know I have been emailed that before.
>>
>> Am I understanding all this correctly?
> ----
> generally default policies would allow everything to/from localhost
> (127.0.0.1) so beyond the basic policies themselves regarding device lo,
> there should be no need for rules that source or destine it.
> 
> CUPS (port 631) does have options to allow automatic discovery of shared
> printers on the LAN and it is often quite useful to allow your LAN
> systems to access port 631.

but this is a stupid WORLDWIDE open port!
normally a machine should not offer any network port worldwide

-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT

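The two points raised in this thread, the duplicated rule and the source-unrestricted ACCEPT on udp/631, can be checked and corrected offline against an `iptables-save` dump before touching the live ruleset. The script below is an added example written for this page, not code from any poster or from Fedora's printer setup tooling. The dump it operates on is constructed to reproduce the three identical entries described in the question, and `LAN_NET` is an assumed value matching the 192.168.2.x LAN mentioned there.

```sh
#!/bin/sh
# Added example (not from the thread): inspect an iptables-save dump for
# duplicate rules and for udp/631 ACCEPTs with no source restriction, and
# rewrite them into a single LAN-only rule. LAN_NET is an assumed value
# matching the 192.168.2.x network in the original question.

LAN_NET="192.168.2.0/24"

# The rule the printer installer adds: any source may reach udp/631.
cups_rule_open() {
    printf '%s\n' "-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
}

# The same rule limited to one subnet; $1 is the CIDR to allow.
# (Adding -s 127.0.0.1 instead would be redundant with "-i lo -j ACCEPT".)
cups_rule_lan() {
    printf '%s\n' "-A INPUT -s $1 -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
}

# Constructed iptables-save excerpt (not a real capture) reproducing the
# repeated entries seen after reinstalling the printer several times.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Read a dump on stdin; print "<count> <rule>" for each rule seen more than once.
# Live use: iptables-save | find_duplicate_rules
find_duplicate_rules() {
    awk '/^-A / { seen[$0]++ }
         END { for (r in seen) if (seen[r] > 1) print seen[r] " " r }'
}

# Read a dump on stdin; count ACCEPT rules for dport 631 that carry no -s match.
count_open_cups_rules() {
    awk '/^-A / && /--dport 631/ && !/ -s / { n++ } END { print n + 0 }'
}

# Read a dump on stdin; collapse every unrestricted udp/631 rule into one
# rule limited to the subnet given as $1, leaving all other lines untouched.
# Live use: iptables-save | harden_cups_rules 192.168.2.0/24 | iptables-restore
harden_cups_rules() {
    awk -v net="$1" '
        /^-A / && /--dport 631/ && !/ -s / {
            if (!done) {
                sub(/^-A INPUT /, "-A INPUT -s " net " ")
                print
                done = 1
            }
            next
        }
        { print }'
}

# Demonstration on the constructed dump.
echo "duplicates:"
printf '%s\n' "$SAMPLE_DUMP" | find_duplicate_rules
echo "open udp/631 rules: $(printf '%s\n' "$SAMPLE_DUMP" | count_open_cups_rules)"
echo "hardened ruleset:"
printf '%s\n' "$SAMPLE_DUMP" | harden_cups_rules "$LAN_NET"
```

The `-s` restriction only narrows who can open new connections to the CUPS port; it does not change what CUPS itself listens on or browses for, so it belongs alongside, not instead of, the CUPS-side sharing settings. It also assumes the machine stays on that subnet: on a laptop that joins other networks, a rule keyed to 192.168.2.0/24 silently becomes either useless or, on another 192.168.2.x network, fully open again.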

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
