[opensuse] Why I'm not absolutely using CUPS
On 09/10/17 11:48 AM, Carlos E. R. wrote:
On 2017-10-09 17:45, Anton Aylward wrote:
It can also simplify ACLs. Personally I hate the idea of early binding ACLs but sometimes it is very useful.
I can tell my printer to refuse any device on the network that isn't my PC, my phone, my laptop or my tablet. It is a simple security hack.
This could be interesting to force anybody in a network going to print to do it via the cups server instead of directly to the printer.
How do you do that?
Maybe on a different thread.
Well, CUPS has its own ACL.

I did try installing CUPS for Android on my devices but either I couldn't get it configured or it was broken, so tablet -> cups server -> printer is a No-Go.

However the tablet and the phone, when on the same network (as opposed to off on yet another NAT) can print to an IP address. For some reason a return address that being behind another NAT won't permit kills that. I have a vague idea why; perhaps James can say it more definitively.

But I don't want outsiders, even if they somehow get past the firewall or penetrate my wifi password, accessing devices like the router or the printer. So they have IP-based ACLs. So 'known' devices have static IPs to make life more manageable.

OK, so it's not earth-moving insurmountable security, but it is enough to discourage a lot of the 'casual' and 'drive-past'.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 10/09/2017 09:35 AM, Anton Aylward wrote:
But I don't want outsiders, even if they somehow get past the firewall or penetrate my wifi password, accessing devices like the router or the printer. So they have IP-based ACLs. So 'known' devices have static IPs to make life more manageable.
I use IP reservations (in the router, or whatever is doing DHCP) for this purpose. Especially useful if your DHCP server does a local dynamic DNS that does not rely on Windows name resolution or a WINS server etc. You still have the single-subnet issue of course.

There are 5 or 8 Android print programs that find local printers just fine if they are on the same subnet. I've gravitated to PrintHand Premium of late, but it's far from the only one.

--
After all is said and done, more is said than done.
On 2017-10-09 18:35, Anton Aylward wrote:
On 09/10/17 11:48 AM, Carlos E. R. wrote:
On 2017-10-09 17:45, Anton Aylward wrote:
It can also simplify ACLs. Personally I hate the idea of early binding ACLs but sometimes it is very useful.
I can tell my printer to refuse any device on the network that isn't my PC, my phone, my laptop or my tablet. It is a simple security hack.
This could be interesting to force anybody in a network going to print to do it via the cups server instead of directly to the printer.
How do you do that?
Maybe on a different thread.
Well, CUPS has its own ACL.
I did try installing CUPS for Android on my devices but either I couldn't get it configured or it was broken, so tablet -> cups server -> printer is a No-Go.
However the tablet and the phone, when on the same network (as opposed to off on yet another NAT) can print to an IP address. For some reason a return address that being behind another NAT won't permit kills that. I have a vague idea why; perhaps James can say it more definitively.
But I don't want outsiders, even if they somehow get past the firewall or penetrate my wifi password, accessing devices like the router or the printer. So they have IP-based ACLs. So 'known' devices have static IPs to make life more manageable.
OK, so it's not earth-moving insurmountable security, but it is enough to discourage a lot of the 'casual' and 'drive-past'.
I must say I'm baffled, I don't understand it. Do you have a link to a quick read on this? ACLs on a network?

--
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 10/10/17 09:01 PM, Carlos E. R. wrote:
I must say I'm baffled, I don't understand it. Do you have a link to a quick read on this? ACLs on a network?
I'm sorry, I don't see your problem. As far as the DHCP goes, it ONLY hands out addresses to known MAC addresses. As far as the switch goes, it only lets through known MAC addresses. If the device isn't on that list then it can't use the network. As I said:
OK, so it's not earth-moving insurmountable security, but it is enough to discourage a lot of the 'casual' and 'drive-past'.
I realize this is only applicable for my home network or a small business, but for larger networks Wellfleet and Cisco and others have their own security/access control packages. Ask them.
On 10/10/2017 09:39 PM, Anton Aylward wrote:
As far as the DHCP goes, it ONLY hands out addresses to known MAC addresses. As far as the switch goes, it only lets through known MAC addresses. If the device isn't on that list then it can't use the network.
???? A switch learns MAC addresses from the frames it passes. The only thing I know of in switches that blocks or passes based on MAC addresses is a security feature, where only 1 or 2 MACs are allowed through a port on a managed switch. This is something that must be specifically configured.

Beyond that, switches pass all valid Ethernet frames, usually via the port where the destination device can be found. Otherwise, the frames are broadcast out all ports, as with broadcasts or for devices that it hasn't yet learned about. As soon as a switch receives a frame from a device, it knows the MAC for that device and which port it's connected to.
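The learning-table and port-security behaviour James describes, as an added Python simulation that is not part of the thread or of any switch vendor's code. The MAC addresses are constructed, the "1 or 2 MACs per port" feature is modelled as a configurable per-port limit, and the model ignores VLANs and entry ageing. The second demo also shows the caveat a MAC allow list leaves open: a forged source address that matches an allowed MAC passes the filter, so this is access control on a claimed identity, not authentication.

```python
"""Learning-switch simulation with optional per-port MAC limit (port security).

Added illustration; not from the thread. MAC addresses are constructed
(locally administered 02:... prefix) and the switch model is simplified:
no VLANs, no ageing of learned entries.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str            # source MAC
    dst: str            # destination MAC
    note: str = ""      # free-form label for the demo


@dataclass
class LearningSwitch:
    ports: int
    # None = ordinary switch (learns any MAC on any port).
    # An integer = port security: at most that many source MACs per port;
    # later ones are dropped and logged as violations.
    max_macs_per_port: Optional[int] = None
    mac_table: Dict[str, int] = field(default_factory=dict)         # MAC -> port
    secure_macs: Dict[int, Set[str]] = field(default_factory=dict)  # port -> allowed MACs
    violations: List[Tuple[int, str]] = field(default_factory=list)

    def receive(self, in_port: int, frame: Frame) -> List[int]:
        """Handle a frame arriving on in_port; return the ports it is forwarded out of."""
        if not 0 <= in_port < self.ports:
            raise ValueError(f"no such port: {in_port}")

        # Port security (only if configured): a port whose MAC set is full refuses new sources.
        if self.max_macs_per_port is not None:
            allowed = self.secure_macs.setdefault(in_port, set())
            if frame.src not in allowed:
                if len(allowed) >= self.max_macs_per_port:
                    self.violations.append((in_port, frame.src))
                    return []                      # frame dropped
                allowed.add(frame.src)             # first-come MACs become "sticky"

        # Learning: the source MAC is now known to be reachable via in_port.
        self.mac_table[frame.src] = in_port

        # Forwarding: unknown or broadcast destinations are flooded out every other port.
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            return [p for p in range(self.ports) if p != in_port]
        out_port = self.mac_table[frame.dst]
        return [] if out_port == in_port else [out_port]


# Constructed addresses for the demo (not real devices).
PC, PRINTER, TABLET, INTRUDER = ("02:00:00:00:00:01", "02:00:00:00:00:02",
                                 "02:00:00:00:00:03", "02:00:00:00:00:99")


def demo_plain_switch() -> Dict[str, List[int]]:
    """An unconfigured switch learns and forwards for any MAC that shows up."""
    sw = LearningSwitch(ports=4)
    first = sw.receive(0, Frame(PC, PRINTER))        # printer unknown yet -> flood 1,2,3
    sw.receive(2, Frame(PRINTER, PC))                # printer learned on port 2
    second = sw.receive(0, Frame(PC, PRINTER))       # now delivered only to port 2
    third = sw.receive(3, Frame(INTRUDER, PRINTER))  # unknown device: also forwarded
    return {"first": first, "second": second, "third": third}


def demo_port_security() -> dict:
    """With a 1-MAC limit a second source on a port is dropped, but a spoofed
    copy of the allowed MAC still passes: MAC filtering is not authentication."""
    sw = LearningSwitch(ports=4, max_macs_per_port=1)
    sw.receive(0, Frame(PC, PRINTER))
    sw.receive(2, Frame(PRINTER, PC))
    sw.receive(3, Frame(TABLET, PRINTER))                     # tablet becomes port 3's MAC
    blocked = sw.receive(3, Frame(INTRUDER, PRINTER))         # -> [] plus a violation
    spoofed = sw.receive(3, Frame(TABLET, PRINTER, "spoof"))  # forged src -> delivered
    return {"blocked": blocked, "spoofed": spoofed, "violations": list(sw.violations)}


if __name__ == "__main__":
    print(demo_plain_switch())
    print(demo_port_security())
```

Run it directly to see both demos; the plain switch forwards the unknown device's frame to the printer just like anyone else's, while the port-security variant drops the extra MAC on port 3 and records the violation, yet still delivers the frame whose source has been forged to the tablet's address.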
On 10/10/17 10:07 PM, James Knott wrote:
This is something that must be specifically configured.
Yes, that's what I'm saying. And yes, it's not scalable.
On 10/10/17 10:29 PM, Anton Aylward wrote:
On 10/10/17 10:07 PM, James Knott wrote:
This is something that must be specifically configured.
Yes that's what I'm saying.
And yes it's not scalable.
I should qualify: my switch is part of my Thompson modem/router. That may not make sense but it's what the docco says and I have the MAC-level control therein. Heck, when I think about it, I had that capability in my Netgear switch as well, and that was not a modem.
On 2017-10-11 03:39, Anton Aylward wrote:
On 10/10/17 09:01 PM, Carlos E. R. wrote:
I must say I'm baffled, I don't understand it. Do you have a link to a quick read on this? ACLs on a network?
I'm sorry I don't see your problem.
As far as the DHCP goes, it ONLY hands out addresses to known MAC addresses. As far as the switch goes, it only lets through known MAC addresses. If the device isn't on that list then it can't use the network.
Now I understand. Yes, I know that feature, I just did not know it was called "ACLs" on a network.

--
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
participants (4)
- Anton Aylward
- Carlos E. R.
- James Knott
- John Andersen