[Pkg-samba-maint] Samba CUPS connection to localhost:631 timeout causes momentary interrupt in data stream from Samba server to clients

Jonathan Polom jon at spkr.net
Tue Jan 3 16:03:54 UTC 2012


On Tue, Jan 3, 2012 at 8:34 AM, Jonathan Polom <jon at spkr.net> wrote:
> On Tue, Dec 27, 2011 at 2:15 PM, Steve Langasek <vorlon at debian.org> wrote:
>> Hi Jonathan,
>>
>> On Thu, Dec 22, 2011 at 04:07:30PM -0500, Jonathan Polom wrote:
>>> >> I guess if this is something that people have just learned and come to
>>> >> accept, it should just be documented somewhere that Samba on Debian, by
>>> >> default, wants to talk to CUPS at localhost:631 which may cause problems
>>> >> if CUPS is not present or traffic is not allowed on that port.
>>
>>> > It does not cause problems if CUPS is not present.  It only causes problems
>>> > if traffic is not allowed on the port.  It is not the place of the Samba
>>> > package documentation to instruct users in proper configuration of a
>>> > firewall.
>>
>>> Thanks for the reply. I understand where you're coming from in terms
>>> of not fragmenting responsibilities all over the place.
>>
>>> What work-around do you propose? Currently my firewall is set to drop
>>> all incoming packets unless I have a rule to allow a certain packet. I
>>> have no rule allowing incoming connections on port 631 since I don't
>>> have CUPS installed (`netstat -tl` shows that nothing is listening on
>>> 631) and therefore shouldn't need to allow connections on that port. A
>>> modified firewall rule to allow the connection or reject rather than
>>> drop the packets seems natural, but only if I know that Samba's going
>>> to want to talk on localhost:631 in the first place. I still think
>>> this comes back to a default configuration that's going to cause
>>> strange issues with the edge case of Samba with a firewall. I wouldn't
>>> call my configuration wrong, given that I have no practical need to
>>> allow connections on port 631 other than to make Samba quit
>>> complaining and waiting. Thoughts?
>>
>> The two workarounds would be either:
>>
>>  - use REJECT instead of DROP as the default target for your firewall.  This
>>   is the sensible default in any case; unless you are dropping ALL traffic
>>   from a given host, the DROP target is actually an information leak,
>>   telling that the firewall is present.  It's much better to use REJECT,
>>   both because it respects the intended semantics of TCP/IP and because it
>>   avoids giving a prospective attacker information about the shape of your
>>   firewall.
>>
>> or,
>>
>>  - turn off printing in samba, as you have done.
>>
>> Either is sufficient; but the former is more correct per se, which is why I
>> don't believe the samba defaults should be changed here.
>>
>> --
>> Steve Langasek                   Give me a lever long enough and a Free OS
>> Debian Developer                   to set it on, and I can move the world.
>> Ubuntu Developer                                    http://www.debian.org/
>> slangasek at ubuntu.com                                     vorlon at debian.org
>
> Thanks Steve. I had an idea that changing the default target to REJECT
> would solve the issue. I will note this for the future.

I forgot to mention that I still think this should be documented
somewhere. Is it possible to contribute something to a man page or the
Debian manual/FAQ?
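
The difference between the DROP and REJECT targets discussed in this thread is visible from the connecting side. The following is an added example, not part of the original messages or of the Samba package; the function names `probe` and `explain` and the 3-second timeout are assumptions. It times a single TCP connect to localhost:631 and classifies the result.

```python
"""Time one TCP connect to see how a firewall answers (added example)."""
import errno
import socket
import time

# Port from the thread: Samba's default printing setup contacts CUPS here.
CUPS_ADDR = ("127.0.0.1", 631)


def probe(host=CUPS_ADDR[0], port=CUPS_ADDR[1], timeout=3.0):
    """Return (verdict, seconds) for a single connect attempt."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect((host, port))
        verdict = "open"             # something is listening
    except ConnectionRefusedError:
        verdict = "refused"          # Linux: RST or ICMP port-unreachable came back
    except socket.timeout:
        verdict = "dropped"          # no answer within the timeout
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            verdict = "unreachable"  # ICMP host/net-unreachable came back
        else:
            raise
    finally:
        sock.close()
    return verdict, time.monotonic() - start


def explain(verdict):
    """Map a verdict to the behaviour described in the thread."""
    return {
        "open": "a service accepted the connection",
        "refused": "closed port or REJECT rule: the caller fails immediately",
        "unreachable": "REJECT rule with an ICMP unreachable code: fast failure",
        "dropped": "DROP rule: the caller blocks until its own timeout expires",
    }[verdict]


if __name__ == "__main__":
    verdict, seconds = probe()
    print(f"{CUPS_ADDR[0]}:{CUPS_ADDR[1]} {verdict} after {seconds:.2f}s: "
          f"{explain(verdict)}")
```

With nothing listening on 631, a "dropped" verdict that takes the full timeout corresponds to the stall described in the subject line, while "refused" returns in well under a second.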


