[Nix-dev] Enabling CUPS unconditionally allows UDP/631 on the firewall
Eelco Dolstra
eelco.dolstra at logicblox.com
Tue Nov 12 15:22:10 CET 2013
Hi,
On 12/11/13 12:24, Pablo Costa wrote:
> In nixpkgs/nixos/modules/services/printing/cupsd.nix there is this line:
>
> 226 # Allow CUPS to receive IPP printer announcements via UDP.
> 227 networking.firewall.allowedUDPPorts = [ 631 ];
>
> which results in this rule in the nixos-fw chain:
>
> nixos-fw-accept udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
>
> I would expect a way to disable this default behaviour, e.g. a boolean value
> such as:
> services.printing.{listen|accept}NetworkAnnouncements
> or
> services.printing.openFirewall
>
> How do you feel about this?
I agree. Given that CUPS works perfectly fine for many uses without that rule,
port 631 should not be opened by default.
--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/