[Pkg-samba-maint] Samba CUPS connection to localhost:631 timeout causes momentary interrupt in data stream from Samba server to clients
Jonathan Polom
jon at spkr.net
Tue Jan 3 13:34:49 UTC 2012
On Tue, Dec 27, 2011 at 2:15 PM, Steve Langasek <vorlon at debian.org> wrote:
> Hi Jonathan,
>
> On Thu, Dec 22, 2011 at 04:07:30PM -0500, Jonathan Polom wrote:
>> >> I guess if this is something that people have just learned and come to
>> >> accept, it should just be documented somewhere that Samba on Debian, by
>> >> default, wants to talk to CUPS at localhost:631 which may cause problems
>> >> if CUPS is not present or traffic is not allowed on that port.
>
>> > It does not cause problems if CUPS is not present. It only causes problems
>> > if traffic is not allowed on the port. It is not the place of the Samba
>> > package documentation to instruct users in proper configuration of a
>> > firewall.
>
>> Thanks for the reply. I understand where you're coming from in terms
>> of not fragmenting responsibilities all over the place.
>
>> What work-around do you propose? Currently my firewall is set to drop
>> all incoming packets unless I have a rule to allow a certain packet. I
>> have no rule allowing incoming connections on port 631 since I don't
>> have CUPS installed (`netstat -tl` shows that nothing is listening on
>> 631) and therefore shouldn't need to allow connections on that port. A
>> modified firewall rule to allow the connection or reject rather than
>> drop the packets seems natural, but only if I know that Samba's going
>> to want to talk on localhost:631 in the first place. I still think
>> this comes back to a default configuration that's going to cause
>> strange issues with the edge case of Samba with a firewall. I wouldn't
>> call my configuration wrong, given that I have no practical need to
>> allow connections on port 631 other than to make Samba quit
>> complaining and waiting. Thoughts?
>
> The two workarounds would be either:
>
> - use REJECT instead of DROP as the default target for your firewall. This
> is the sensible default in any case; unless you are dropping ALL traffic
> from a given host, the DROP target is actually an information leak,
> telling that the firewall is present. It's much better to use REJECT,
> both because it respects the intended semantics of TCP/IP and because it
> avoids giving a prospective attacker information about the shape of your
> firewall.
>
> or,
>
> - turn off printing in samba, as you have done.
>
> Either is sufficient; but the former is more correct per se, which is why I
> don't believe the samba defaults should be changed here.
>
> --
> Steve Langasek Give me a lever long enough and a Free OS
> Debian Developer to set it on, and I can move the world.
> Ubuntu Developer http://www.debian.org/
> slangasek at ubuntu.com vorlon at debian.org
Thanks Steve. I had an idea that changing the default target to REJECT
would solve the issue. I will note this for the future.
More information about the Pkg-samba-maint
mailing list