Bug 137259 - firewall and printing
Status: CLOSED DUPLICATE of bug 124161
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Paul Nasrat
Reported: 2004-10-27 00:07 UTC by Nathan Fredrickson
Modified: 2007-11-30 22:10 UTC (History)
Doc Type: Bug Fix
Last Closed: 2006-02-21 19:06:38 UTC

Description Nathan Fredrickson 2004-10-27 00:07:03 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7)
Gecko/20040808 Firefox/0.9.3

Description of problem:
When printer sharing is enabled in system-config-printer it adds the
following line to /etc/sysconfig/iptables:

-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

However, to actually print to a shared printer, tcp port 631 also needs
to be opened.  Should system-config-printer be opening the tcp port as
well as the udp port?


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. default install of FC3-test3
2. setup a local printer
3. share this printer
4. attempt to print from another system
    

Actual Results:  Only port udp:631 was opened in /etc/sysconfig/iptables

Expected Results:  Port tcp:631 should be opened in
/etc/sysconfig/iptables

Additional info:

Comment 1 Tim Waugh 2004-10-27 07:16:26 UTC
The system-config-printer tool does not alter iptables.

Comment 2 Paul Nasrat 2004-10-27 08:03:55 UTC
Does the related rule for tcp:631 not just work - it's browsing
that we can't use related with?

Comment 3 Nathan Fredrickson 2004-10-27 14:12:38 UTC
By "related rule", I assume you mean:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This related rule works on the printer client system which makes an
outgoing connection to tcp:631 on the print server.  However the
printer server system needs tcp:631 opened.  In a typical home or
small office, the "print server" is just the workstation that happens
to have the printer connected.

Ideally a rule to allow tcp:631 would be added when printer sharing is
enabled in s-c-printer.  At least, CUPS should be included in the list
of "Trusted services" in s-c-securitylevel.

As for browsing, yes that requires the udp:631 rule on the client:
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
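
Added example (not part of the original bug thread, and not code from system-config-securitylevel or system-config-printer): a first-match walk over /etc/sysconfig/iptables-style rules that shows the point made in Comment 3, namely that the ESTABLISHED,RELATED rule does not admit a new inbound tcp:631 connection on the print server. The final REJECT rule, the tcp rule and all function names are assumptions made for illustration; only -p, --dport and --state matches are modelled.

```python
import shlex

# Constructed sample in /etc/sysconfig/iptables style: the state rule and the
# udp:631 rule are quoted from the thread; the final REJECT is an assumption.
SAMPLE = """\
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# Constructed tcp counterpart of the udp rule (not quoted from the thread).
TCP_631 = "-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT"
MODELLED = {"-p", "-m", "--dport", "--state", "-j", "--reject-with"}

def parse_rule(line):
    """Return (chain, {option: value}) for an '-A' line, else None.
    Assumes every option takes exactly one value (no '!' negation)."""
    tok = shlex.split(line, comments=True)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    return tok[1], dict(zip(tok[2::2], tok[3::2]))

def port_in(spec, port):
    """Match iptables --dport syntax: a single port or a lo:hi range."""
    lo, sep, hi = spec.partition(":")
    return int(lo or 0) <= port <= int(hi or (65535 if sep else lo))

def verdict(rules, chain, proto, dport, state="NEW"):
    """First terminating target a packet with these properties hits in chain."""
    for line in rules.splitlines():
        parsed = parse_rule(line)
        if parsed is None or parsed[0] != chain:
            continue
        opts = parsed[1]
        if set(opts) - MODELLED:
            continue  # rule uses a match this sketch does not model; skipped
        if "-p" in opts and opts["-p"] != proto:
            continue
        if "--dport" in opts and not port_in(opts["--dport"], dport):
            continue
        if "--state" in opts and state not in opts["--state"].split(","):
            continue
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"]
    return "NO-MATCH"  # falls through to the calling chain or its policy

if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(proto, 631, verdict(SAMPLE, "RH-Firewall-1-INPUT", proto, 631))
```

Rule order matters in this walk: the tcp rule only takes effect when it sits above the terminating REJECT, so appending it to the end of the chain leaves tcp:631 closed.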

Comment 4 Paul Nasrat 2004-10-27 14:41:10 UTC
Screen freeze meant a better trusted service ui didn't make FC3, it's
high on my list when we unfreeze.

You can add tcp:631 through the gui currently for the print server as
an additional port, this should mean that clients should work out of
the box - server slight manual config.  Better UI for selection will
follow.  Closing as duplicate of generic improvement bug.

*** This bug has been marked as a duplicate of 124161 ***

Comment 5 Red Hat Bugzilla 2006-02-21 19:06:38 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

