[Nix-dev] Enabling CUPS unconditionally allows UDP/631 on the firewall
Pablo Costa
modulistic at gmail.com
Tue Nov 12 12:37:24 CET 2013
On 12 November 2013 12:24, Pablo Costa <modulistic at gmail.com> wrote:
> on nixpkgs/nixos/modules/services/printing/cupsd.nix there is this line:
>
>     # Allow CUPS to receive IPP printer announcements via UDP.
>     networking.firewall.allowedUDPPorts = [ 631 ];
>
> which results in this rule in the nixos-fw chain:
>
> nixos-fw-accept udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
>
> I would expect a way to disable this default behaviour
> [...]
>

In fact this might be a bigger question to consider, as e.g.
services.bacula-fd does not take the firewall into consideration.

Do you consider that closing 631 would be "crippling" CUPS? Perhaps the
easiest approach would be to decouple firewall configuration from service
configuration. Although this would require changes on deployed systems that
rely on 631/UDP being open.

I would love it if you shared your thoughts on this.

Cheers,
pablo
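
The decoupling proposed in the message above, as an added sketch that is not part of the original post and not nixpkgs code: the port is opened only when the administrator opts in. The option name `openBrowsingPort` is hypothetical, and the module assumes the `lib` module argument is available.

```nix
# Added sketch, not nixpkgs code: gate UDP/631 on an explicit opt-in.
# `openBrowsingPort` is a hypothetical option name chosen for illustration.
{ config, lib, ... }:

let
  cfg = config.services.printing;
in
{
  options.services.printing.openBrowsingPort = lib.mkOption {
    type = lib.types.bool;
    # false keeps the firewall closed unless asked; a default of true
    # would instead preserve behaviour for deployed systems that rely
    # on 631/UDP being open.
    default = false;
    description = ''
      Whether to open UDP port 631 in the firewall so that CUPS can
      receive IPP printer announcements.
    '';
  };

  # Takes the place of the unconditional assignment quoted in the message:
  # the rule is only generated when printing is enabled AND the
  # administrator has asked for the port to be opened.
  config = lib.mkIf (cfg.enable && cfg.openBrowsingPort) {
    networking.firewall.allowedUDPPorts = [ 631 ];
  };
}
```

With this shape, `services.printing.enable = true;` alone adds no `udp dpt:631` rule to the nixos-fw chain; setting the opt-in option to `true` restores it.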