On Sun, 7 Oct 2007 14:00:16 -0600 Rob Sims <[EMAIL PROTECTED]> wrote:
> On Sun, Oct 07, 2007 at 09:18:27PM +0200, Markus Maria Miedaner wrote:
> > On Sun, Oct 07, 2007 at 02:47:32PM -0400, you (Celejar) wrote:
> > > Hi,
> > >
> > > I have a pretty standard (default) CUPS installation. cupsd.conf
> > > contains the lines:
> > >
> > > > # Only listen for connections from the local machine.
> > > > Listen localhost:631
> > > > Listen /var/run/cups/cups.sock
> > >
> > > Yet tiger complains:
> > >
> > > > --WARN-- [lin002i] The process `cupsd' is listening on socket 631 (UDP)
> > > > on every interface.
> >
> > Depending on the level of security you'd like, you may continue thinking
> > about it.
> > If you receive this "complaint" on your desktop box and you don't have
> > highly important
> > data on it that may be wanted by someone else.... I would not worry about
> > it.
>
> I think the original poster is asking about the inconsistency between
> the cups config and the warning message, not complaining about the
> message.

Exactly.

> On to the real issue:
> Listen is poorly documented. It affects the port for print connections
> only. If you do netstat -anlp, you'll see that the tcp port 631 is
> listening only on the listed (local) interface.
>
> udp port 631 is for a nearly unrelated activity of browsing. Nothing
> stands out to me in the docs on limiting this port to certain
> interfaces, but there are several cupsd.conf Browse* directives to look
> at. You may need IPTables to address the problem (though that won't
> make the message go away).

Got it; fairly fine-grained control is apparently possible with the
Browse* directives, including limiting the acceptance of browse packets
to those arriving on certain interfaces; here's an excerpt from the
on-line docs:

> BrowseAllow
> Examples
>
> BrowseAllow from all
> BrowseAllow from none
> BrowseAllow from 192.0.2
> BrowseAllow from 192.0.2.0/24
> BrowseAllow from 192.0.2.0/255.255.255.0
> BrowseAllow from *.domain.com
> BrowseAllow from @LOCAL
> BrowseAllow from @IF(name)
>
> Description
>
> The BrowseAllow directive specifies a system or network to accept browse
> packets from. The default is to accept browse packets from all hosts.
>
> Host and domain name matching require that you enable the HostNameLookups
> directive.
>
> IP address matching supports exact matches, partial addresses that match
> networks using netmasks of 255.0.0.0, 255.255.0.0, and 255.255.255.0, or
> network addresses using the specified netmask or bit count.
>
> The @LOCAL name will allow browse data from all local interfaces. The
> @IF(name) name will allow browse data from the named interface. In both
> cases, CUPS only allows data from the network that the interface(s) are
> configured for - data arriving on the interface from a foreign network will
> not be allowed.

I don't really need browsing, so I'm trying setting 'Browsing Off'.

> Rob

Thanks,
Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
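
Added example, not part of the original thread: a Python check that reads `netstat -anlp`-style output next to cupsd.conf and separates the TCP socket that Listen governs from the UDP browse socket that tiger flagged. The netstat lines and config excerpt are constructed samples, and the function names are hypothetical.

```python
# Constructed sample of `netstat -anlp` output (not from the thread).
SAMPLE_NETSTAT = """\
tcp   0  0 127.0.0.1:631  0.0.0.0:*  LISTEN  2301/cupsd
udp   0  0 0.0.0.0:631    0.0.0.0:*          2301/cupsd
udp   0  0 0.0.0.0:68     0.0.0.0:*          1990/dhclient
"""
# Constructed cupsd.conf excerpt using the directives quoted in the thread.
SAMPLE_CONF = """\
# Only listen for connections from the local machine.
Listen localhost:631
Listen /var/run/cups/cups.sock
Browsing On
"""
WILDCARDS = {"0.0.0.0", "::", "*"}

def parse_conf(text):
    """Return (Listen targets, Browsing setting or None if unset)."""
    listens, browsing = [], None
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        key = parts[0].lower() if len(parts) > 1 else ""
        if key == "listen":
            listens.append(parts[1])
        elif key == "browsing":
            browsing = parts[1].lower() not in ("off", "no", "false")
    return listens, browsing

def wildcard_sockets(netstat_text, port=631):
    """Return (proto, local_addr) for sockets bound to every interface."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] in ("tcp", "tcp6", "udp", "udp6"):
            host, _, p = f[3].rpartition(":")
            if p == str(port) and host in WILDCARDS:
                found.append((f[0].rstrip("6"), f[3]))
    return found

def explain(netstat_text, conf_text):
    """Say which directive family governs each wildcard socket on 631."""
    listens, browsing = parse_conf(conf_text)
    out = []
    for proto, addr in wildcard_sockets(netstat_text):
        if proto == "tcp":
            out.append(f"{addr}/tcp: wildcard bind, review Listen {listens}")
        elif browsing is False:
            out.append(f"{addr}/udp: still open although Browsing is off")
        else:
            out.append(f"{addr}/udp: browse socket, not set by Listen; see Browsing / BrowseAllow")
    return out
```

Calling `explain(SAMPLE_NETSTAT, SAMPLE_CONF)` reports only the UDP socket, since the TCP socket is bound to 127.0.0.1 as the Listen line requests.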

