[opensuse-factory] CUPS external printers blocked by the firewall
Hi,
I noticed that the internal firewall blocks by default for CUPS printers in the network. Is this by the design or is it a bug? I would prefer that openSUSE by default had the CUPS port open.
Kind Regards
Birger
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org
Birger Kollstrand wrote:
I noticed that the internal firewall blocks by default for CUPS printers in the network.
Is this by the design or is it a bug?
The external zone by default has no ports open. That's intentional of course.
cu
Ludwig
--
Ludwig Nussel, http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
On Monday, 2008-10-27 at 09:23 +0100, Ludwig Nussel wrote:
Birger Kollstrand wrote:
I noticed that the internal firewall blocks by default for CUPS printers in the network.
Is this by the design or is it a bug?
The external zone by default has no ports open. That's intentional of course.
Printing to a printer needs opening ports? :-? I thought we needed opening the port only if other computers wanted to print to "my" cups. If it needs opening a port, shouldn't yast automatically open it, or at least, advise to open it, as soon as it knows I want to use a network printer? I couldn't finish configure the printer, yast only works in ncurses mode (known bug) and I couldn't figure out what was happening. It could be because of closed port, dunno.
-- Cheers, Carlos E. R.
On Monday 27 of October 2008 10:04:42 Carlos E. R. wrote:
On Monday, 2008-10-27 at 09:23 +0100, Ludwig Nussel wrote:
Birger Kollstrand wrote:
I noticed that the internal firewall blocks by default for CUPS printers in the network.
Is this by the design or is it a bug?
The external zone by default has no ports open. That's intentional of course.
Printing to a printer needs opening ports? :-?
No, it does not.
I thought we needed opening the port only if other computers wanted to print to "my" cups.
You need to open TCP port 631 to be able to accept printing jobs from remote hosts. You need to open UDP port 631 to accept IPP broadcasts announcing presence of printing servers and their queues. This is a comfortable way to have all available network queues available when roaming between multiple networks, but it is not necessary in order to print to a remote host at all.
If it needs opening a port, shouldn't yast automatically open it, or at least, advise to open it, as soon as it knows I want to use a network printer?
I couldn't finish configure the printer, yast only works in ncurses mode (known bug) and I couldn't figure out what was happening. It could be because of closed port, dunno.
Please, file a bugreport about this and attach the logs.
--
Regards, Jiri Srain
YaST Team Leader
SUSE LINUX, s.r.o., Lihovarska 1060/12, 190 00 Praha 9, Czech Republic
e-mail: jsrain@suse.cz, tel: +420 284 028 959, fax: +420 284 028 951, http://www.suse.cz
On Monday, 2008-10-27 at 10:23 +0100, Jiri Srain wrote:
Printing to a printer needs opening ports? :-?
No, it does not.
Ok.
I thought we needed opening the port only if other computers wanted to print to "my" cups.
You need to open TCP port 631 to be able to accept printing jobs from remote hosts.
You need to open UDP port 631 to accept IPP broadcasts announcing presence of printing servers and their queues. This is a comfortable way to have all available network queues available when roaming between multiple networks, but it is not necessary in order to print to a remote host at all.
That's what I thought, but I wasn't sure. Thanks for the clarification.
If it needs opening a port, shouldn't yast automatically open it, or at least, advise to open it, as soon as it knows I want to use a network printer?
I couldn't finish configure the printer, yast only works in ncurses mode (known bug) and I couldn't figure out what was happening. It could be because of closed port, dunno.
Please, file a bugreport about this and attach the logs.
About yast only working in ncurses mode? That's Bug 439074. And unless yast works in graphical mode, I'm not testing the add printer again. Too confusing.
-- Cheers, Carlos E. R.
Carlos E. R. wrote:
On Monday, 2008-10-27 at 09:23 +0100, Ludwig Nussel wrote:
Birger Kollstrand wrote:
I noticed that the internal firewall blocks by default for CUPS printers in the network.
Is this by the design or is it a bug?
The external zone by default has no ports open. That's intentional of course.
Printing to a printer needs opening ports? :-? I thought we needed opening the port only if other computers wanted to print to "my" cups.
Most of the time you do not need to manually configure a print server in cups. Cups instead listens for broadcasts to discover print servers automatically. For that purpose you need to open a port or otherwise unblock your LAN.
If it needs opening a port, shouldn't yast automatically open it, or at least, advise to open it, as soon as it knows I want to use a network printer?
There is a warning message in the printer proposal when installing without automatic mode IIRC. Opening the port in the external zone is not necessarily the correct thing to do anyways, better set your LAN interface to internal (ie unprotected). That will also make other discovery services work.
cu
Ludwig
On Monday, 2008-10-27 at 10:27 +0100, Ludwig Nussel wrote:
The external zone by default has no ports open. That's intentional of course.
Printing to a printer needs opening ports? :-? I thought we needed opening the port only if other computers wanted to print to "my" cups.
Most of the time you do not need to manually configure a print server in cups. Cups instead listens for broadcasts to discover print servers automatically. For that purpose you need to open a port or otherwise unblock your LAN.
Printer was not discovered. I had to enter the address, and press "test" - which did nothing, no report of either working or not working. This was yast in ncurses mode. Then it did not suggest the correct model, it gave the entire list in alphabetical order of all printers of all makers. Here I abandoned, till YaST in graphical mode works.
If it needs opening a port, shouldn't YaST automatically open it, or at least, advise to open it, as soon as it knows I want to use a network printer?
There is a warning message in the printer proposal when installing without automatic mode IIRC. Opening the port in the external zone is not necessarily the correct thing to do anyways, better set your LAN interface to internal (ie unprotected). That will also make other discovery services work.
I saw no warning. And... I don't trust the firewall in my router that much to switch to "internal". I prefer external and open exactly what is needed and from the exact IPs needed.
-- Cheers, Carlos E. R.
Hello, On Oct 27 10:41 Carlos E. R. wrote (shortened):
Printer was not discovered. I had to enter the address, and press "test" - which did nothing
I assume the "test" functionality is not yet implemented in the "Connection Wizard", compare https://bugzilla.novell.com/show_bug.cgi?id=421192
And... I don't trust the firewall in my router that much to switch to "internal". I prefer external and open exactly what is needed and from the exact IPs needed.
For special cases use the YaST firewall module. I wonder when you don't trust the firewall in your router but have open IPP ports on your computer, how much you can trust that no external user can access your printing system?
Kind Regards
Johannes Meixner
--
SUSE LINUX Products GmbH, Maxfeldstrasse 5, 90409 Nuernberg, Germany
AG Nuernberg, HRB 16746, GF: Markus Rex
On Tuesday, 2008-10-28 at 09:29 +0100, Johannes Meixner wrote:
On Oct 27 10:41 Carlos E. R. wrote (shortened):
Printer was not discovered. I had to enter the address, and press "test" - which did nothing
I assume the "test" functionality is not yet implemented in the "Connection Wizard", compare https://bugzilla.novell.com/show_bug.cgi?id=421192
Ah, I didn't know that the button was not supposed to work.
And... I don't trust the firewall in my router that much to switch to "internal". I prefer external and open exactly what is needed and from the exact IPs needed.
For special cases use the YaST firewall module.
I wonder when you don't trust the firewall in your router but have open IPP ports on your computer, how much you can trust that no external user can access your printing system?
I don't have it open :-P For example, if my digital TV top box wants to save the movie to my computer via samba, I do:

    FW_TRUSTED_NETS=" ... 192.168.1.2,tcp,microsoft-ds 192.168.1.2,tcp,netbios-ssn \
        192.168.1.2,udp,netbios-dgm 192.168.1.2,udp,netbios-ns \
        ...

so only that IP can use samba. That's a sample. About the printer, I have it on the network because the printer has a cute web page, showing things like toner levels, which the USB driver hasn't in Linux. I don't really like or need it there, otherwise. I might connect it via USB again. And in this case, I was just trying to test Yast functionality in the Beta 3 - and as yast in graphical mode does NOT work under gnome, which is known it seems since Beta 2, I can not test it further till that is repaired.
-- Cheers, Carlos E. R.
Hello, On Oct 27 10:27 Ludwig Nussel wrote (shortened):
On Monday, 2008-10-27 at 09:23 +0100, Ludwig Nussel wrote:
Birger Kollstrand wrote:
I noticed that the internal firewall blocks by default for CUPS printers in the network.
Is this by the design or is it a bug?
The external zone by default has no ports open. That's intentional of course.
Exactly. And it is intentional that the YaST printer module does not open ports in the external zone. And for the internal zone, all is open by default so that there is no need that the YaST printer module can open ports in the internal zone.
Opening the port in the external zone is not necessarily the correct thing to do anyways
In 99.99% of the cases it is plain wrong to have open IPP ports in the external zone (nobody lets arbitrary external users access his printing system).
better set your LAN interface to internal (ie unprotected).
Exactly. Read http://en.opensuse.org/SDB:CUPS_in_a_Nutshell

-----------------------------------------------------------------
Configuring CUPS in the Network
...
Regarding firewall: In particular note that port 631 TCP and UDP must be allowed in firewall settings, see the above section "The Spooler". In the YaST firewall module there are predefined "services" for IPP so that it should be easiest to use the YaST firewall module.

Check if a firewall is active for a network zone in which services should be used which require trusted users (nobody lets arbitrary users print on his printer). By default the Suse firewall allows any access via a network interface which belongs to the "internal zone" because this zone is trusted by default. If the CUPS server and the client systems are in an internal network and when you trust all what there is in your internal network, your network interface must be set to be in the "internal zone". It doesn't make sense to have a network setup in a trusted internal network with a network interface which belongs to the untrusted "external zone" (which is the default to be safe). In particular do not disable firewall protection for CUPS (i.e. for IPP which uses TCP port 631 and UDP port 631) for the untrusted "external zone".
-----------------------------------------------------------------

Kind Regards
Johannes Meixner
On Tuesday, 2008-10-28 at 09:22 +0100, Johannes Meixner wrote:
better set your LAN interface to internal (ie unprotected).
Exactly.
I make a point of closing the internal interface, too >:-) Only open what is needed, like IPP if required.
-- Cheers, Carlos E. R.
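
An added example, not part of any message in this thread and not SUSE code: a small Python check over a SuSEfirewall2 sysconfig file that separates IPP (port 631) opened to the whole external zone, which the SDB text quoted above advises against, from per-source FW_TRUSTED_NETS entries of the kind shown in the samba sample. The config text is constructed, the FW_* variable names are those of /etc/sysconfig/SuSEfirewall2, and the function names are hypothetical.

```python
import re

# Constructed sample in /etc/sysconfig/SuSEfirewall2 syntax (not a config from the thread).
SAMPLE = '''
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="ssh 631"
FW_SERVICES_EXT_UDP=""
FW_TRUSTED_NETS="192.168.1.2,tcp,microsoft-ds 192.168.1.20,tcp,631 \\
    192.168.1.0/24,udp,ipp"
'''

IPP_NAMES = {"631", "ipp"}  # IPP uses TCP and UDP port 631

def parse_sysconfig(text):
    """Return {NAME: [tokens]} for each FW_* assignment, joining backslash continuations."""
    cfg = {}
    for name, value in re.findall(r'^(FW_\w+)="([^"]*)"', text, re.M):
        cfg[name] = value.replace("\\\n", " ").split()
    return cfg

def covers_ipp(port):
    """True if a port token (service name, number or lo:hi range) includes 631."""
    if port in IPP_NAMES:
        return True
    lo, sep, hi = port.partition(":")
    return bool(sep) and lo.isdigit() and hi.isdigit() and int(lo) <= 631 <= int(hi)

def audit_ipp(text):
    """Split IPP openings into zone-wide (any external host) and per-source rules."""
    cfg = parse_sysconfig(text)
    world_open = [(var, tok)
                  for var in ("FW_SERVICES_EXT_TCP", "FW_SERVICES_EXT_UDP")
                  for tok in cfg.get(var, []) if covers_ipp(tok)]
    scoped = []
    for entry in cfg.get("FW_TRUSTED_NETS", []):
        # Entry format: network[,protocol[,port]]; a missing field means "any".
        net, proto, port = (entry.split(",") + ["any", "any"])[:3]
        if proto in ("any", "tcp", "udp") and (port == "any" or covers_ipp(port)):
            scoped.append((net, proto, port))
    return world_open, scoped

if __name__ == "__main__":
    world_open, scoped = audit_ipp(SAMPLE)
    for var, tok in world_open:
        print(f"WARNING: {var} opens IPP ({tok}) to every host in the external zone")
    for net, proto, port in scoped:
        print(f"ok: IPP reachable only from {net} ({proto}, port {port})")
```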
participants (5)
- Birger Kollstrand
- Carlos E. R.
- Jiri Srain
- Johannes Meixner
- Ludwig Nussel