Ignoramus9437 skrev:
> I have a server with Ubuntu Hardy (8.04).
>
> I have a printer on the inside network with a 10.* address (HP 4050N).
>
> I just set it up as a default printer on my Hardy server (which has a
> static internet IP).
>
> My question is, is that secure. Does the printer server limit itself to
> local network only (based on interfaces and netmasks)?
>
> Or can any internet user connect to my printer service? (undesirable)
>
> i

If your server is connected directly (and without a firewall) to the
Internet, then it will be possible for users (from anywhere) to print.
You should install a firewall and configure it to only allow local
machines to print.

--
Best regards Jacob Tranholm
Karl R. Popper: Observation statements and statements of experimental
results are always interpretations of the facts observed.

Ignoramus9437 wrote:
> I have a server with Ubuntu Hardy (8.04).
>
> I have a printer on the inside network with a 10.* address (HP 4050N).
>
> I just set it up as a default printer on my Hardy server (which has a
> static internet IP).
>
> My question is, is that secure. Does the printer server limit itself to
> local network only (based on interfaces and netmasks)?
>
> Or can any internet user connect to my printer service? (undesirable)

it is secure, because you are using an ip address that is defined as a
"Private ip address". by definition, private ip addresses are the
following ranges:

10.0.0.0 - 10.255.255.255
192.168.0.0 - 192.168.255.255
172.16.0.0 - 172.31.255.255

anything addessed with these ranges will not be accessible from the
internet, only from within your local area network.

On 2008-04-11, Jacob Tranholm wrote:
> Ignoramus9437 skrev:
>> I have a server with Ubuntu Hardy (8.04).
>>
>> I have a printer on the inside network with a 10.* address (HP 4050N).
>>
>> I just set it up as a default printer on my Hardy server (which has a
>> static internet IP).
>>
>> My question is, is that secure. Does the printer server limit itself to
>> local network only (based on interfaces and netmasks)?
>>
>> Or can any internet user connect to my printer service? (undesirable)
>>
>> i
>
> If your server is connected directly (and without a firewall) to the
> Internet, then it will be possible for users (from anywhere) to print.
> You should install a firewall and configure it to only allow local
> machines to print.
>

Thanks. Just double checking, do you know this for a fact or just
guessing?

Some services are good about checking whether a connection comes from
a local address, and some allow all machines and defer this question
to the firewall.

i

On 2008-04-11, Rodger Lee wrote:
> Ignoramus9437 wrote:
>> I have a server with Ubuntu Hardy (8.04).
>>
>> I have a printer on the inside network with a 10.* address (HP 4050N).
>>
>> I just set it up as a default printer on my Hardy server (which has a
>> static internet IP).
>>
>> My question is, is that secure. Does the printer server limit itself to
>> local network only (based on interfaces and netmasks)?
>>
>> Or can any internet user connect to my printer service? (undesirable)
>
> it is secure, because you are using an ip address that is defined as a
> "Private ip address". by definition, private ip addresses are the
> following ranges:
>
> 10.0.0.0 - 10.255.255.255
> 192.168.0.0 - 192.168.255.255
> 172.16.0.0 - 172.31.255.255
>
> anything addessed with these ranges will not be accessible from the
> internet, only from within your local area network.

No.

The printer has a private address 10.*.

The Linux server has two addresses, Internet address 75.* and private
address 10.*. That's how it both sees the printer and can act as a
Internet server for HTTP, SSH etc.

What I am concerned is that printing is possibly shared to all
internet users through 75.* IP address.

i

Ignoramus9437 wrote:
> On 2008-04-11, Rodger Lee wrote:

> What I am concerned is that printing is possibly shared to all
> internet users through 75.* IP address.

per /etc/services, if you are using cups with your printer, then block
port 631 at your firewall to prevent internet printing:


$ cat /etc/services | grep 631

ipp 631/tcp # Internet Printing Protocol
ipp 631/udp

Ignoramus9437 wrote:
> Thanks. Just double checking, do you know this for a fact or just
> guessing?
>
> Some services are good about checking whether a connection comes from
> a local address, and some allow all machines and defer this question
> to the firewall.
>
> i

I know for a fact that CUPS in some configurations are accessible from
the Internet. Whether this is true for the default Hardy config, or your
config, I am not sure... I have always configured my CUPS to only allow
local access and further configured a firewall to block internet access.

--
Best regards Jacob Tranholm
Karl R. Popper: Observation statements and statements of experimental
results are always interpretations of the facts observed.

Jacob Tranholm wrote:
> Ignoramus9437 skrev:
>> I have a server with Ubuntu Hardy (8.04).
>>
>> I have a printer on the inside network with a 10.* address (HP 4050N).
>>
>> I just set it up as a default printer on my Hardy server (which has a
>> static internet IP).
>> My question is, is that secure. Does the printer server limit itself to
>> local network only (based on interfaces and netmasks)?
>> Or can any internet user connect to my printer service? (undesirable)
>>
>> i
>
> If your server is connected directly (and without a firewall) to the
> Internet, then it will be possible for users (from anywhere) to print.
> You should install a firewall and configure it to only allow local
> machines to print.
>
I do not know about Ubuntu, but CentOS 4's CUPS system provides a screen for
sharing printers. If you open the machine to anything other than itself, you
can list those other IP addresses that are allowed to use your printer. So
in my case, I allow only the other computer on my LAN to use it. But if I
really trusted you, I could allow your machine to print on my printer too.

--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ PGP-Key: 9A2FC99A Registered Machine 241939.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 13:40:01 up 24 days, 18:42, 5 users, load average: 4.07, 4.17, 4.14

Ignoramus9437 wrote:
>
> Thanks. Just double checking, do you know this for a fact or just
> guessing?
>
> Some services are good about checking whether a connection comes from
> a local address, and some allow all machines and defer this question
> to the firewall.
>
> i

You can check your /etc/cups/cupsd.conf and make sure you have either:


Order allow,deny
Allow @LOCAL


Or something similar (for instance Allow 10.*, Allow 127.* or Allow
@IF(eth1) (if your local network is at eth1 and internet at eth0)) defined.

But I would still also configure a firewall...

--
Best regards Jacob Tranholm
Karl R. Popper: Observation statements and statements of experimental
results are always interpretations of the facts observed.

Thanks. I looked at cupsd.conf. By default, it only listens on
localhost. So I was safe.

However, now I think that this printer sharing is pointless -- the
printer is available as a 10.* IP address to the whole home network,
anyway, so each computer can be configured to just print on it
directly.

This continues my efforts to reduce dependency of my home network on
my home "server". I already moved DHCP service from my server to the
cable modem. I did the same with network forwarding, now the modem
acts as a gateway as opposed to my home linux server.

This makes my network more reliable in the light of possibility that
my basement server crashes or breaks or becomes disconnected.

So, for now, about the only function that my basement server would do
for my home computers, is file serving.

There is only one exception as to why sharing a printer on localhost
may be useful: it would be useful to print from a laptop that is away
from home, if I want to print something on the home printer. (example,
I just bought something from a website and want to print the receipt
page).

I can do a ssh tunnel from my laptop to home, to make home printer
appear as a local printer on port 631 on the laptop.

The regular home computers, would print on their own.

i