Ubuntu Hardy and "Printer Sharing" -- securiry question
Ignoramus9437
I have a printer on the inside network with a 10.* address (HP 4050N).
I just set it up as a default printer on my Hardy server (which has a
static internet IP).
My question is, is that secure. Does the printer server limit itself to
local network only (based on interfaces and netmasks)?
Or can any internet user connect to my printer service? (undesirable)
i
Jacob Tranholm
If your server is connected directly (and without a firewall) to the
Internet, then it will be possible for users (from anywhere) to print.
You should install a firewall and configure it to only allow local
machines to print.
--
Best regards Jacob Tranholm <http://jtranholm.dk/>
Karl R. Popper: Observation statements and statements of experimental
results are always interpretations of the facts observed.
Ignoramus9437
> Ignoramus9437 skrev:
>> I have a server with Ubuntu Hardy (8.04).
>>
>> I have a printer on the inside network with a 10.* address (HP 4050N).
>>
>> I just set it up as a default printer on my Hardy server (which has a
>> static internet IP).
>>
>> My question is, is that secure. Does the printer server limit itself to
>> local network only (based on interfaces and netmasks)?
>>
>> Or can any internet user connect to my printer service? (undesirable)
>>
>> i
>
> If your server is connected directly (and without a firewall) to the
> Internet, then it will be possible for users (from anywhere) to print.
> You should install a firewall and configure it to only allow local
> machines to print.
>
Thanks. Just double checking, do you know this for a fact or just
guessing?
Some services are good about checking whether a connection comes from
a local address, and some allow all machines and defer this question
to the firewall.
i
Jacob Tranholm
> Thanks. Just double checking, do you know this for a fact or just
> guessing?
>
> Some services are good about checking whether a connection comes from
> a local address, and some allow all machines and defer this question
> to the firewall.
>
> i
I know for a fact that CUPS in some configurations are accessible from
the Internet. Whether this is true for the default Hardy config, or your
config, I am not sure... I have always configured my CUPS to only allow
local access and further configured a firewall to block internet access.
Jean-David Beyer
> Ignoramus9437 skrev:
>> I have a server with Ubuntu Hardy (8.04).
>>
>> I have a printer on the inside network with a 10.* address (HP 4050N).
>>
>> I just set it up as a default printer on my Hardy server (which has a
>> static internet IP).
>> My question is, is that secure. Does the printer server limit itself to
>> local network only (based on interfaces and netmasks)?
>> Or can any internet user connect to my printer service? (undesirable)
>>
>> i
>
> If your server is connected directly (and without a firewall) to the
> Internet, then it will be possible for users (from anywhere) to print.
> You should install a firewall and configure it to only allow local
> machines to print.
>
sharing printers. If you open the machine to anything other than itself, you
can list those other IP addresses that are allowed to use your printer. So
in my case, I allow only the other computer on my LAN to use it. But if I
really trusted you, I could allow your machine to print on my printer too.
--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ PGP-Key: 9A2FC99A Registered Machine 241939.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 13:40:01 up 24 days, 18:42, 5 users, load average: 4.07, 4.17, 4.14
Jacob Tranholm
>
> Thanks. Just double checking, do you know this for a fact or just
> guessing?
>
> Some services are good about checking whether a connection comes from
> a local address, and some allow all machines and defer this question
> to the firewall.
>
> i
You can check your /etc/cups/cupsd.conf and make sure you have either:
<Location /some.path>
Order allow,deny
Allow @LOCAL
</Location>
Or something similar (for instance Allow 10.*, Allow 127.* or Allow
@IF(eth1) (if your local network is at eth1 and internet at eth0)) defined.
But I would still also configure a firewall...
Ignoramus9437
localhost. So I was safe.
However, now I think that this printer sharing is pointless -- the
printer is available as a 10.* IP address to the whole home network,
anyway, so each computer can be configured to just print on it
directly.
This continues my efforts to reduce dependency of my home network on
my home "server". I already moved DHCP service from my server to the
cable modem. I did the same with network forwarding, now the modem
acts as a gateway as opposed to my home linux server.
This makes my network more reliable in the light of possibility that
my basement server crashes or breaks or becomes disconnected.
So, for now, about the only function that my basement server would do
for my home computers, is file serving.
There is only one exception as to why sharing a printer on localhost
may be useful: it would be useful to print from a laptop that is away
from home, if I want to print something on the home printer. (example,
I just bought something from a website and want to print the receipt
page).
I can do a ssh tunnel from my laptop to home, to make home printer
appear as a local printer on port 631 on the laptop.
The regular home computers, would print on their own.
i