Hello,

On Aug 2 13:17 Ludwig Nussel wrote (excerpt):
> What are you trying to protect against by running a firewall anyways? We always had the policy not to run "unneeded" services by default. So cups and avahi are the only ones left. Both will hopefully be (local) socket activated in the future so they are only started if a local process actually requires their service, i.e. no ports open to the world by default at all anymore then.

By default cupsd is only accessible via the internal interface of the local host (lo) to accept print jobs via TCP port 631.

Additionally by default cupsd is accessible via UDP port 631 to get "CUPS browsing information" from any remote host.

If you like to receive "CUPS browsing information" you need a listening (i.e. running) cupsd on your local host which accepts "CUPS browsing information" from the remote host plus a firewall on your local host which permits incoming packages at UDP port 631.

With socket activation, you may not receive "CUPS browsing information" unless the cupsd would also be activated if a package arrives at UDP port 631.

But then I wonder if there is really better security because any malicious host could then send a package to UDP port 631 to get the cupsd activated there and afterwards send malicious "CUPS browsing information" to do "print job phishing".

Kind Regards
Johannes Meixner
--
SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany
HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer
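
The default exposure described in this message (TCP 631 on lo only, UDP 631 open for browsing), checked from a listener table; this is an added example, not part of the original e-mail. It assumes `ss -lntu` style output, the sample lines are constructed, and the verdict describes the bind address only, not what a firewall in front of it permits.

```python
import ipaddress

# Constructed sample of `ss -lntu` output for the default setup described above:
# cupsd accepts TCP 631 on loopback only, UDP 631 (CUPS browsing) on every interface.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:631        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128            [::1]:631           [::]:*
"""

def split_addr(local):
    """Split the 'addr:port' column; IPv6 is bracketed, '*' means any address."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and '%iface' scope
    return host, port

def is_loopback(host):
    if host == "*":
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: report as exposed so it gets reviewed

def audit_port(ss_output, port="631"):
    """Return (proto, local_address, scope) for every listener on the port."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        host, local_port = split_addr(local)
        if local_port != port:
            continue
        scope = "loopback-only" if is_loopback(host) else "reachable-from-network"
        findings.append((proto, local, scope))
    return findings

if __name__ == "__main__":
    for proto, local, scope in audit_port(SAMPLE_SS):
        print(f"{proto:4} {local:16} {scope}")
```
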