According to my notes [1], IPP uses TCP/631 for printing and UDP/631 for browsing. This matches with a quick search in the CUPS docs, and other search results. One page that states this pretty explicitly is [2]:

  cupsd uses UDP port 631 for sending and receiving "IPP browsing" information.

Although a patch seems to be overkill for such a trivial change, it has been requested to send one. So, here you go -- patch against macro.IPP attached. :)

(Note that this covers the client to server part only. In case of a tight firewall that restricts outgoing connections from the server, the server itself still would not be able to browse other servers.)

  karsten

[1] http://lists.shorewall.net/~kb/action.AllowCUPS
[2] http://en.opensuse.org/SDB:CUPS_in_a_Nutshell

--
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
      http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
      http://www.chiark.greenend.org.uk/~sgtatham/bugs.html

Karsten Bräckelmann wrote:
> ==================================================================> --- Shorewall-common/macro.IPP (revision 5936) > +++ Shorewall-common/macro.IPP (working copy) > @@ -9,4 +9,5 @@ > #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ > # PORT PORT(S) DEST LIMIT GROUP > PARAM - - tcp 631 > +PARAM - - udp 631 > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Karsten,

Have you tested this? I thought that IPP used UDP 631 broadcasts; if so, you need to also include the (very insecure) rule:

  PARAM DEST SOURCE udp - 631

That allows any UDP traffic with source port 631 in the reverse direction.

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

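Review bot: the added `PARAM - - udp 631` row carries no comment, so the macro does not tell a user that UDP/631 is the browsing port or that only the invoking direction (SOURCE to DEST) is opened. A comment line above the row saying that it admits browse packets toward DEST only, and that nothing is opened in the reverse direction, would keep anyone applying the macro between a CUPS server and its clients from assuming it is sufficient by itself. The thread also leaves the change untested, so it should be confirmed against a running cupsd before it is committed.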
On Sun, 2007-04-15 at 14:17 -0700, Tom Eastep wrote:
> Karsten Bräckelmann wrote:
>
> > ==================================================================> > --- Shorewall-common/macro.IPP (revision 5936) > > +++ Shorewall-common/macro.IPP (working copy) > > @@ -9,4 +9,5 @@ > > #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ > > # PORT PORT(S) DEST LIMIT GROUP > > PARAM - - tcp 631 > > +PARAM - - udp 631 > > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> Karsten,
>
> Have you tested this? I thought that IPP used UDP 631 broadcasts; if so,
> you need to also include the (very insecure) rule:
>
> PARAM DEST SOURCE udp - 631
>
> That allows any UDP traffic with source port 631 in the reverse direction.

That would be the "note" in my previous post, no?

Anyway, why should one accept traffic from port 631 to a random destination port, if the CUPS server is listening on dest port 631 only?

Unfortunately I don't have the time to test this right now, but hopefully I'll get around to it soon.

  karsten

--
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
      http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
      http://www.chiark.greenend.org.uk/~sgtatham/bugs.html

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
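
An added illustration, not part of the thread and not Shorewall's own code: a simplified, stateless model of how the macro rows discussed above expand for an assumed invocation `IPP/ACCEPT loc fw`, comparing what the patched macro admits with what the reverse rule `PARAM DEST SOURCE udp - 631` admits. The zone names, the sample packets and every function name are constructed for the example, and connection tracking is not modelled.

```python
# Added example: simplified, stateless model of Shorewall macro expansion.
# Only the columns visible in the thread are modelled; conntrack is not.
from collections import namedtuple

Rule = namedtuple("Rule", "action src dst proto dport sport")
Packet = namedtuple("Packet", "src dst proto sport dport")

# macro.IPP rows after the patch, then with the reverse rule from the reply.
MACRO_PATCHED = "PARAM - - tcp 631\nPARAM - - udp 631\n"
MACRO_WITH_REVERSE = MACRO_PATCHED + "PARAM DEST SOURCE udp - 631\n"


def expand(macro_text, action, src, dst):
    """Expand macro rows for an invocation such as IPP/ACCEPT loc fw."""
    rules = []
    for line in macro_text.splitlines():
        cols = line.split()
        if not cols or cols[0].startswith("#"):
            continue
        cols += ["-"] * (6 - len(cols))      # omitted trailing columns mean "any"
        _, m_src, m_dst, proto, dport, sport = cols[:6]
        zone = {"SOURCE": src, "DEST": dst}  # keywords refer to the caller's zones
        rules.append(Rule(action,
                          zone.get(m_src, src),  # "-" keeps the caller's source
                          zone.get(m_dst, dst),  # "-" keeps the caller's dest
                          proto, dport, sport))
    return rules


def port_ok(rule_port, pkt_port):
    return rule_port == "-" or int(rule_port) == pkt_port


def verdict(rules, pkt, default="DROP"):
    """First matching rule wins; anything unmatched gets the default policy."""
    for r in rules:
        if ((r.src, r.dst, r.proto) == (pkt.src, pkt.dst, pkt.proto)
                and port_ok(r.dport, pkt.dport) and port_ok(r.sport, pkt.sport)):
            return r.action
    return default


# Constructed packets; "loc" (clients) and "fw" (CUPS server) are assumed zones.
CLIENT_BROWSE = Packet("loc", "fw", "udp", 631, 631)
SERVER_BROWSE = Packet("fw", "loc", "udp", 631, 631)
OTHER_SERVICE = Packet("fw", "loc", "udp", 631, 2049)  # sport 631, unrelated dport

if __name__ == "__main__":
    for name, text in (("patched", MACRO_PATCHED), ("reverse", MACRO_WITH_REVERSE)):
        rules = expand(text, "ACCEPT", "loc", "fw")
        for pkt in (CLIENT_BROWSE, SERVER_BROWSE, OTHER_SERVICE):
            print(name, pkt, verdict(rules, pkt))
```

In this model the patched macro drops both server-originated packets, while the macro with the reverse rule accepts the server's browse packet and also the packet to the unrelated destination port, because that row matches on source port alone.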