PDA

View Full Version : [ubuntu] Prevent people from seeing shared printer



jcd29
September 4th, 2010, 04:04 PM
I know it's very easy to share printers in Ubuntu, just went to System, Administration, Printing, Server Settings, Publish Printers connected to this system. Voilá.

My question is: How can I create an access list so only certain IP addresses are allowed to see it?

bilkay
September 4th, 2010, 05:14 PM
I know it's very easy to share printers in Ubuntu, just went to System, Administration, Printing, Server Settings, Publish Printers connected to this system. Voilá.

My question is: How can I create an access list so only certain IP addresses are allowed to see it?
I'm guessing here, but this might work:

In server's /etc/hosts.allow add a line "printer:{allowed clients}

In server's /etc/hosts.deny add a line "printer: ALL"

Note: If there's a line in hosts.allow "ALL: ALL" this won't work since that will let everything through.

sikander3786
September 4th, 2010, 05:30 PM
I use the built-in firewall, ufw for that.



sudo ufw default deny

sudo ufw enable


And then allow specific IP addresses to print to the shared printer.



sudo ufw allow proto tcp to any port 631 from whatever-ip-address

sudo ufw allow proto udp to any port 631 from whatever-ip-address


There are a few downsides of using this method but it usually serves me well. Post back if you wanna adopt this one.

Regards.

bilkay
September 4th, 2010, 09:27 PM
I'm guessing here, but this might work:

In server's /etc/hosts.allow add a line "printer:{allowed clients}

In server's /etc/hosts.deny add a line "printer: ALL"

Note: If there's a line in hosts.allow "ALL: ALL" this won't work since that will let everything through.
On second thought, I wouldn't recommend this without a lot of research.

bilkay
September 4th, 2010, 09:52 PM
I use the built-in firewall, ufw for that.



sudo ufw default deny

sudo ufw enable
And then allow specific IP addresses to print to the shared printer.



sudo ufw allow proto tcp to any port 631 from whatever-ip-address

sudo ufw allow proto udp to any port 631 from whatever-ip-address
There are a few downsides of using this method but it usually serves me well. Post back if you wanna adopt this one.

Regards.
Wouldn't this block all other non-port 631 traffic?

sikander3786
September 4th, 2010, 10:36 PM
It surely will block all other traffic. Haven't you enabled ufw already? I am posting from cell. Will provide you details later.

jcd29
September 5th, 2010, 06:38 PM
Would you recommend enabling ufw?

sikander3786
September 6th, 2010, 10:16 AM
See this thread.

http://ubuntuforums.org/showthread.php?t=823741


I looked for a current how-to for UFW and when I did not see one I wanted to add one.

(important note: UFW is not the firewall. UFW just configures your iptables)

in most cases I recommend doing the following immediately:



sudo ufw default deny
sudo ufw enable
Then fine tuning can start:



All ports are closed by default on Ubuntu. No need of a firewall unless you open up a few ports. If the computer is on a network, acting as some sort of a server, sharing files, proxy server, ssh server, web server etc etc, I will recommend to enable the firewall immediately.

BkkBonanza
September 6th, 2010, 10:31 AM
The CUPS Admin panel allows controlling user access via Classes. I haven't explored what limitations it has but it seems like something to look at first since it's built in.

Also in cupsd.conf you can specify "Allow from x.x.x.x" and so on, or Deny, or BrowseAllow etc.

man cupsd.conf