Bug 137259 - firewall and printing
firewall and printing
Status: CLOSED DUPLICATE of bug 124161
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Paul Nasrat
Depends On:
  Show dependency treegraph
Reported: 2004-10-26 20:07 EDT by Nathan Fredrickson
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-02-21 14:06:38 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Nathan Fredrickson 2004-10-26 20:07:03 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7)
Gecko/20040808 Firefox/0.9.3

Description of problem:
When printer sharing is enabled in system-config-printer it adds the
following line to /etc/sysconfig/iptables:

-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

However to actually print to a shared printer, tcp port 631 also needs
to be opened.  Should system-config-printer be opening the tcp port as
well as the udp port?

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. default install of FC3-test3
2. setup a local printer
3. share this printer
4. attempt to print from another system

Actual Results:  Only port udp:631 was opened in /etc/sysconfig/iptables

Expected Results:  Port tcp:631 should be opened in

Additional info:
Comment 1 Tim Waugh 2004-10-27 03:16:26 EDT
The system-config-printer tool does not alter iptables.
Comment 2 Paul Nasrat 2004-10-27 04:03:55 EDT
Does not the related rule for tcp:631 not just work - it's browsing
that we can't use related with?
Comment 3 Nathan Fredrickson 2004-10-27 10:12:38 EDT
By "related rule", I assume you mean:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This related rule works on the printer client system which makes an
outgoing connection to tcp:631 on the print server.  However the
printer server system needs tcp:631 opened.  In a typical home or
small office, the "print server" is just the workstation that happens
to have the printer connected.

Ideally a rule to allow tcp:631 would be added when printer sharing is
enabled in s-c-printer.  At least, CUPS should be included in the list
of "Trusted services" in s-c-securitylevel.

As for browsing, yes that requires the udp:631 rule on the client:
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
Comment 4 Paul Nasrat 2004-10-27 10:41:10 EDT
Screen freeze meant a better trusted service ui didn't make FC3, it's
high on my list when we unfreeze.

You can add tcp:631 through the gui currently for the print server as
an additional port, this should mean that clients should work out of
the box - server slight manual config.  Better UI for selection will
follow.  Closing as duplicate of generic improvement bug.

*** This bug has been marked as a duplicate of 124161 ***
Comment 5 Red Hat Bugzilla 2006-02-21 14:06:38 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.