Beartooth wrote:
> On Thu, 30 Oct 2008 22:44:19 +0100, Björn Persson wrote:
> > 1: Check that Cups is actually listening on the network. Run this
> > command as root on the machine where the printer is:
> >
> > netstat --inet --inet6 --listen --program --numeric | grep cupsd
> >
> > Does it say "192.168.x.y:631" or "127.0.0.1:631"?
>
> No, neither.
>
> [root Hbsk2 ~]# netstat --inet --inet6 --listen --program --numeric | grep cupsd
> tcp        0      0 0.0.0.0:631      0.0.0.0:*      LISTEN      2526/cupsd
> tcp        0      0 :::631           :::*           LISTEN      2526/cupsd
> udp        0      0 0.0.0.0:631      0.0.0.0:*                  2526/cupsd
> [root Hbsk2 ~]#

OK, "0.0.0.0" means "all addresses" in this case, so that's good. Cups is
listening on the network.

> > 2: Do you have a packet filter ("firewall") on the machine where the
> > printer is? Have you opened the IPP ports in the packet filter?
>
> How do I tell?

Run system-config-firewall and on the page "Trusted Services" check the box
"Network Printing Server (IPP)".

> Lacking the skills to be sure whether I've been cracked, let
> alone those to recover, I try to be paranoid; I install denyhosts, for
> instance, and likely other defenses that don't spring to mind.

I don't think Denyhosts affects IPP, but if you have installed some product
that's called a firewall, then it has probably replaced Fedora's packet
filter. In that case you should allow IPP in that product instead of in
system-config-firewall.

> Also, the router that my ISP supplies (Netgear MBR 814) supplies
> several kinds of defenses, which I have tried to set with caution. When I
> want to do bittorrent, for instance, I have to go change the router
> settings for a while. (I try to leave them changed long enough to give
> back more than I take, before I change them back; but I haven't actually
> used the torrent in months, so they are probably tight.)

Yes, it's important that the Netgear router block IPP traffic if you're
going to allow printing and administration over the network. Otherwise, as
you said, some script kiddie might think it fun to print gibberish or mess
with your printer configuration. It's also a safeguard against any security
holes in Cups that could otherwise be exploited to crack your computer.
Because of the way this kind of router works, it most likely blocks
anything that you haven't explicitly allowed.

You should also be aware that if your wireless network is open, then anyone
who happens to be in the neighbourhood will also be able to access your
printer.

Björn Persson
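The netstat check from step 1 of the message above, as an added example that is not part of the original messages: a shell filter that classifies each cupsd socket on port 631 as loopback-only or reachable from the network. The function names and the loopback sample are made up for illustration; the first sample is the output quoted in the thread.

```shell
#!/bin/sh
# Read `netstat --inet --inet6 --listen --program --numeric` output on stdin
# and print "<proto> <address> <scope>" for every cupsd socket on port 631.
classify_cups_listeners() {
    awk '
    $NF ~ /\/cupsd$/ {
        laddr = $4
        # Split at the last colon: IPv6 addresses contain colons themselves.
        pos = match(laddr, /:[0-9]+$/)
        if (pos == 0) next
        addr = substr(laddr, 1, pos - 1)
        port = substr(laddr, pos + 1)
        if (port != "631") next
        if (addr == "0.0.0.0" || addr == "::")      scope = "all-interfaces"
        else if (addr ~ /^127\./ || addr == "::1")  scope = "loopback"
        else                                         scope = "specific-address"
        print $1, addr, scope
    }'
}

# Summarise: "network" if any socket is reachable from other hosts,
# "local-only" if cupsd listens on loopback only, "not-listening" otherwise.
cups_exposure() {
    classify_cups_listeners | awk '
        { seen = 1 }
        $3 != "loopback" { net = 1 }
        END {
            if (!seen)    print "not-listening"
            else if (net) print "network"
            else          print "local-only"
        }'
}

# Sample 1: the output quoted in the thread.
SAMPLE_FROM_THREAD='tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 2526/cupsd
tcp 0 0 :::631 :::* LISTEN 2526/cupsd
udp 0 0 0.0.0.0:631 0.0.0.0:* 2526/cupsd'

# Sample 2: constructed for this example, a cupsd bound to loopback only.
SAMPLE_LOOPBACK='tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2526/cupsd
tcp 0 0 ::1:631 :::* LISTEN 2526/cupsd'

printf '%s\n' "$SAMPLE_FROM_THREAD" | classify_cups_listeners
printf '%s\n' "$SAMPLE_FROM_THREAD" | cups_exposure
```

On a live machine, pipe the real netstat command (run as root) into `cups_exposure` instead of the samples. A result of "network" means the packet filter and the router are the only things deciding who can reach the printer.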