[Pkg-samba-maint] Samba CUPS connection to localhost:631 timeout causes momentary interrupt in data stream from Samba server to clients

Steve Langasek vorlon at debian.org
Tue Dec 27 19:15:31 UTC 2011


Hi Jonathan,

On Thu, Dec 22, 2011 at 04:07:30PM -0500, Jonathan Polom wrote:
> >> I guess if this is something that people have just learned and come to
> >> accept, it should just be documented somewhere that Samba on Debian, by
> >> default, wants to talk to CUPS at localhost:631 which may cause problems
> >> if CUPS is not present or traffic is not allowed on that port.

> > It does not cause problems if CUPS is not present.  It only causes problems
> > if traffic is not allowed on the port.  It is not the place of the Samba
> > package documentation to instruct users in proper configuration of a
> > firewall.

> Thanks for the reply. I understand where you're coming from in terms
> of not fragmenting responsibilities all over the place.

> What work-around do you propose? Currently my firewall is set to drop
> all incoming packets unless I have a rule to allow a certain packet. I
> have no rule allowing incoming connections on port 631 since I don't
> have CUPS installed (`netstat -tl` shows that nothing is listening on
> 631) and therefore shouldn't need to allow connections on that port. A
> modified firewall rule to allow the connection or reject rather than
> drop the packets seems natural, but only if I know that Samba's going
> to want to talk on localhost:631 in the first place. I still think
> this comes back to a default configuration that's going to cause
> strange issues with the edge case of Samba with a firewall. I wouldn't
> call my configuration wrong, given that I have no practical need to
> allow connections on port 631 other than to make Samba quit
> complaining and waiting. Thoughts?

The two workarounds would be either:

 - use REJECT instead of DROP as the default target for your firewall.  This
   is the sensible default in any case; unless you are dropping ALL traffic
   from a given host, the DROP target is actually an information leak,
   telling that the firewall is present.  It's much better to use REJECT,
   both because it respects the intended semantics of TCP/IP and because it
   avoids giving a prospective attacker information about the shape of your
   firewall.

or,

 - turn off printing in samba, as you have done.

Either is sufficient; but the former is more correct per se, which is why I
don't believe the samba defaults should be changed here.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
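
The difference between DROP and REJECT as a local client sees it, as an added example (not part of the original message or of the Samba package): the function makes one TCP connect to 127.0.0.1:631 and reports whether it was accepted, refused at once, or left to time out. The names classify_port and MEANING and the 3-second timeout are assumptions chosen for illustration.

```python
import errno
import socket
import time

# Verdicts mapped to what they mean for a local client such as smbd.
MEANING = {
    "listening": "a service accepted the connection",
    "refused": "closed port or REJECT rule: the client gets an error at once",
    "dropped": "no reply before the timeout: a DROP rule is likely on this path",
}

# ICMP errors a REJECT rule can send besides the default port-unreachable.
_UNREACHABLE = {errno.EHOSTUNREACH, errno.ENETUNREACH}


def classify_port(host="127.0.0.1", port=631, timeout=3.0):
    """Try one TCP connect and return (verdict, seconds_elapsed)."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "listening"
    except ConnectionRefusedError:
        verdict = "refused"  # RST or ICMP port-unreachable came back
    except socket.timeout:
        verdict = "dropped"  # the SYN went unanswered
    except OSError as exc:
        if exc.errno not in _UNREACHABLE:
            raise
        verdict = "refused"  # REJECT with a different ICMP error type
    finally:
        sock.close()
    return verdict, time.monotonic() - start


if __name__ == "__main__":
    verdict, elapsed = classify_port()
    print(f"127.0.0.1:631 {verdict} after {elapsed:.2f}s: {MEANING[verdict]}")
```

A "dropped" verdict on a host with no CUPS installed corresponds to the stall described in this thread; "refused" is what either workaround's firewall change should produce.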