From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: iptables rules for cups printer discovery
Date: Thu, 14 Aug 2008 20:35:04 -0500
Message-ID: <48A4DD48.3080004@riverviewtech.net>
In-Reply-To: <19894-78618@sneakemail.com>
On 8/14/2008 1:51 PM, Stephen Isard wrote:
> I'm wondering whether there are iptables rules that will permit cups
> snmp printer discovery to operate without creating a serious security risk.
I wonder if you could not use the "recent" match extension to "remember"
when a cups broadcast has gone through. If there is a reply packet from
a unicast IP going back to a unicast host that has recently sent a
broadcast packet.
I suppose you would have to set / update a recent list every time a
unicast source sends a broadcast (high -> low port) to the service in
question. That way you could allow the reply (low -> high port) from a
unicast source to the unicast destination that recently sent a broadcast.
This type of rule should help by not having to allow all traffic from
the source port through.
Grant. . . .
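The two rules that the idea above boils down to, written out as an added example (not code from the thread or from netfilter itself). It assumes the discovery traffic is the SNMP broadcast query CUPS sends to UDP/161 and that the box is the CUPS host itself (OUTPUT sees the broadcast, INPUT sees the replies); on a router the same pair goes into FORWARD/FORWARD. The list name and the 30-second window are made up here. Connection tracking cannot pair these replies with the broadcast on its own, because each printer answers from its own unicast address rather than the broadcast address the query went to, which is why the reply side needs a separate allow rule.

```shell
#!/bin/sh
# Added example: generate the iptables rules for the "recent" list idea.
# Assumptions (not from the original message): discovery is the SNMP
# broadcast query on UDP/161, the firewall is the CUPS host (OUTPUT/INPUT),
# everything else inbound on UDP is dropped by the rest of the policy.

SNMP_PORT=161          # assumed: port the CUPS discovery query goes to
LIST_NAME=cups-snmp    # constructed: name of the recent list
REPLY_WINDOW=30        # constructed: seconds a reply stays allowed

# Print the rules instead of applying them, so they can be reviewed first
# and then piped to sh as root:  cups_snmp_rules | sh
cups_snmp_rules() {
    out_chain=${1:-OUTPUT}   # chain that sees the broadcast (FORWARD on a router)
    in_chain=${2:-INPUT}     # chain that sees the replies (FORWARD on a router)

    # 1. A unicast host sends a broadcast (high -> low port): record the
    #    unicast *source* address in the list (--rsource) and let it out.
    printf 'iptables -A %s -p udp -m addrtype --dst-type BROADCAST --dport %s -m recent --name %s --set --rsource -j ACCEPT\n' \
        "$out_chain" "$SNMP_PORT" "$LIST_NAME"

    # 2. A reply (low -> high port) from any unicast printer is accepted only
    #    if its *destination* address (--rdest) is in the list, i.e. that host
    #    sent a broadcast within the last REPLY_WINDOW seconds.  --rcheck is
    #    used rather than --update so replies do not keep the window open.
    printf 'iptables -A %s -p udp --sport %s --dport 1024:65535 -m recent --name %s --rcheck --rdest --seconds %s -j ACCEPT\n' \
        "$in_chain" "$SNMP_PORT" "$LIST_NAME" "$REPLY_WINDOW"
}

# Self-check helper: how many of the generated rules reference the list.
count_recent_rules() {
    cups_snmp_rules "$@" | grep -c -- "--name $LIST_NAME"
}
```

Applying the pair still leaves UDP/161 closed to anyone who has not just been asked, which is the point: the reply is keyed to the host that broadcast, not to the source port, so no standing hole from port 161 is needed. Check what landed in the list with `cat /proc/net/xt_recent/cups-snmp` after a discovery run.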