[opensuse] Re: How to set up CUPS for shared printer?
I often find the CUPS web interface more friendly than YaST (as of printer setup). The main problem I have is that I do not yet understand the meaning of all the options for network setup, and the "search printer" never worked on suse (it works on mandriva!!)

My main printer is an HP 5m laserjet, one of the most common HW on the market! I finally got that it has to be set up as "socket" (whatever this may mean)

notice it's not better on windows

jdd
--
http://www.dodin.net
http://valerie.dodin.org
http://news.opensuse.org/2009/04/13/people-of-opensuse-jean-daniel-dodin/
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Tuesday, 2009-12-22 at 10:22 +0100, jdd-gmane wrote:
I often find the CUPS web interface more friendly than YaST (as of printer setup).
That is true. However, for setting a cups network server, you need also to reconfigure the server, which I think the web interface doesn't do, and also you need to open the firewall, which, if I recall correctly, YaST does.

And Johannes is right, YaST is easier now than it was.

--
Cheers,
Carlos E. R.
Hello, On Dec 22 12:53 Carlos E. R. wrote (shortened):
... for setting a cups network server, you need also to reconfigure the server, which I think the web interface doesn't do,
The CUPS web interface has a few predefined settings to configure the cupsd.
... open the firewall, which, if I recall correctly, YaST does.
The YaST printer module does not open ports in the firewall because whenever you need it for printing in the network, you are in a problematic network environment (nobody lets arbitrary users print on his printer).

Trusted networks should have well separated network interfaces so that those network interfaces can be assigned to the INT zone to have the trusted network well separated from the rest, see "Regarding firewall" at http://en.opensuse.org/SDB:CUPS_in_a_Nutshell

Anything else is a problematic mix-up of trusted and non-trusted stuff in one same network environment. E.g. when both the internal network and the connection to the Internet happens via one same "router-box" device. In such a case this device is the crucial point (in particular the point of possible failure) regarding network security.

Such kind of firewall setup to deal with such cases must be done via yast2-firewall which is THE tool for any more sophisticated firewall setup.

By the way:

An active firewall for the INT zone does not make sense because this makes the "INT" zone effectively "EXT".

Just opening ports in the EXT zone also does not make much sense because allowing any access from any host or network to particular ports does not provide any protection for these ports.

As far as I see the only reason for a firewall setup which is only based upon ports is when certain services are listening but access should be allowed only to some of them (e.g. allow access to the HTTP server but do not allow access to whatever other running server).

Instead of opening ports for arbitrary access one should first and foremost specify in the firewall setup which hosts and networks are trusted. Then the question which ports/services are allowed to be accessed from the trusted hosts and networks becomes of secondary importance.

The easiest, simplest and safest way to do this is when trusted networks have well separated network interfaces so that those network interfaces can be assigned to the INT zone. Of course this means to have at least two network interface cards to have the trusted (internal) network well separated from the rest (i.e. from the network interface card which provides the connection to the Internet).

Kind Regards
Johannes Meixner
--
SUSE LINUX Products GmbH, Maxfeldstrasse 5, 90409 Nuernberg, Germany
AG Nuernberg, HRB 16746, GF: Markus Rex
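An added example, not part of any message in this thread and not YaST or CUPS code: a small Python check that reads a cupsd.conf and reports listeners and Allow rules that reach beyond a stated list of trusted networks, following the "specify the trusted hosts and networks first" approach described above. The function name `audit_cupsd`, the sample configuration and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """\
Listen localhost:631
Listen 192.168.1.10:631
Port 631
<Location />
  Order allow,deny
  Allow from 192.168.1.0/24
  Allow from 10.0.0.0/8
  Allow from all
</Location>
"""

def audit_cupsd(conf_text, trusted_nets):
    """Return (line_no, message) findings for listeners and Allow rules."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()      # drop comments
        if not words:
            continue
        key, args = words[0].lower(), words[1:]
        # "Port N" and "Listen *:N" bind cupsd to every interface.
        if key == "port" or (key == "listen" and args and
                args[0].rsplit(":", 1)[0] in ("*", "0.0.0.0", "[::]")):
            findings.append((no, "listens on every interface"))
        elif key == "allow" and args:
            target = args[-1]     # covers "Allow from X" and "Allow X"
            if target.lower() == "all":
                findings.append((no, "allows any host"))
                continue
            try:
                net = ipaddress.ip_network(target, strict=False)
            except ValueError:    # names, wildcards, @LOCAL, @IF(name)
                findings.append((no, f"cannot check '{target}' against trusted networks"))
                continue
            if not any(net.version == t.version and net.subnet_of(t)
                       for t in trusted):
                findings.append((no, f"{net} is outside the trusted networks"))
    return findings

if __name__ == "__main__":
    for line_no, message in audit_cupsd(SAMPLE_CONF, ["192.168.1.0/24"]):
        print(f"line {line_no}: {message}")
```

A clean report only says the cupsd access rules match the trusted list; where internal and Internet traffic share one interface, the source addresses those rules rely on are still only as trustworthy as the router in front of them.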
On Tuesday, 2009-12-22 at 14:56 +0100, Johannes Meixner wrote:
... open the firewall, which, if I recall correctly, YaST does.
The YaST printer module does not open ports in the firewall because whenever you need it for printing in the network, you are in a problematic network environment (nobody lets arbitrary users print on his printer).
Trusted networks should have well separated network interfaces so that those network interfaces can be assigned to the INT zone to have the trusted network well separated from the rest, see "Regarding firewall" at http://en.opensuse.org/SDB:CUPS_in_a_Nutshell
Mmmm. However, I always set up the firewall for the internal network, too. Or, when the internal network is connected to internet via a not very good router (like those given by the ISP) I consider the internal network to be external, to be a bit on the paranoid side. Thus, if I need to share a printer, I have to open the firewall, at least, for a range of IPs. Otherwise, I would need two eths on each computer, or set up a good firewall to internet. All those solutions cost money.
Anything else is a problematic mix-up of trusted and non-trusted stuff in one same network environment. E.g. when both the internal network and the connection to the Internet happens via one same "router-box" device. In such a case this device is the crucial point (in particular the point of possible failure) regarding network security.
Such kind of firewall setup to deal with such cases must be done via yast2-firewall which is THE tool for any more sophisticated firewall setup.
At least, YaST cups setup tool can remind the user that perhaps the firewall needs to be opened at such port.

--
Cheers,
Carlos E. R.
Hello, On Dec 22 18:18 Carlos E. R. wrote (shortened):
On Tuesday, 2009-12-22 at 14:56 +0100, Johannes Meixner wrote: ...
Trusted networks should have well separated network interfaces so that those network interfaces can be assigned to the INT zone to have the trusted network well separated from the rest, ...

Or, when the internal network is connected to internet via a not very good router (like those given by the ISP) I consider the internal network to be external, to be a bit on the paranoid side.
Thus, if I need to share a printer, I have to open the firewall, at least, for a range of IPs.
Otherwise, I would need two eths on each computer, or set up a good firewall to internet. All those solutions cost money.
Choose what you prefer: Pay money to get the internal network separated by hardware or pay your time to maintain a sophisticated firewall setup.

If internal network traffic uses the same network hardware as the untrusted Internet-related traffic, you cannot be 100% sure that something may get somehow mixed up. For example depending on your internal IPs and what exactly your ISP does, it might be possible that someone from outside could send you packages with a source IP within the range of your internal IPs.

In contrast when you use different network interface cards, it is simple and reliable to distinguish internal network traffic from untrusted Internet-related traffic.
At least, YaST cups setup tool can remind the user that perhaps the firewall needs to be opened at such port.
I implemented this in the current up-to-date yast2-printer for openSUSE 11.2, see "Up to date packages for openSUSE 11.2" at http://en.opensuse.org/YaST/Development/Printer_Enhancement

The yast2-printer-2.19.2 RPM changelog reads:

-----------------------------------------------------------------
* Wed Dec 09 2009 jsmeix@suse.de
...
- Added BrowsePoll support for "Print via Network"
  (see Novell/Suse Bugzilla bnc#433047).
...
* Fri Oct 30 2009 jsmeix@suse.de
- Added a generic test if a firewall is used to Printerlib.ycp
  and if yes show popup info to the user regarding CUPS+firewall
  for the "Print via Network" and "Share Printers" dialogs
  (see Novell/Suse Bugzilla bnc#549065).
-----------------------------------------------------------------

and to the "Print via Network" help text this was added regarding BrowsePoll support:

-------------------------------------------------------------------------
If you can access remote CUPS servers for printing but those servers do not publish their printer information via network or when you cannot accept incomming information about published printers (e.g. because you must have firewall protection for the network zone in which printers are published), you can request printer information from CUPS servers (provided the CUPS servers allow your access).

For each CUPS server which is requested, a cups-polld process is launched by the CUPS daemon process (cupsd) on your host. By default each cups-polld polls a remote CUPS server every 30 seconds for printer information.
-------------------------------------------------------------------------

Kind Regards
Johannes Meixner