Re: cups problem on 3.9
- From: jKILLSPAM.schipper@xxxxxxxxxx
- Date: 13 Jun 2006 17:01:56 GMT
jch <cnx@xxxxxxxxxxx> wrote:
> jKILLSPAM.schipper@xxxxxxxxxx wrote:
>> Not to be snarky, and I apologize for not having the faintest clue how
>> to answer your question.
>> But don't you think that the problem is that you're running a printing
>> daemon - and a rather bulky one like CUPS at that - on a firewall?
>
> Forgot to mention that i also executed /usr/local/sbin/cups-enable as
> per instructions that appear on screen after pkg_add of cups, and that i
> added a line to start cupsd in /etc/rc.local.
> No, running a print server on a firewall is not really an issue at all.
> There is lots of spare power (with a 233 MHz i586 CPU and 128Mb RAM).
> In fact, downloads via ftp went from a typical 60 - 70 kb/sec to about
> 400 kb/sec due to faster CPU, and good quality 3Com brand NICs (2 x ISA
> 3C509B, rev A for LAN/DMZ, and PCI 3C905B 10/100 for cable modem to
> Internet)
> A year ago i had a hardware router with a print server built in, and i
> liked it. Unfortunately, it failed after 29 days! It is actually very
> convenient for me to have the firewall act as a print server because of
> my network topology. Because the firewall runs 24/7, all the other
> computers (W2000, Win NT4, OS/2, Linux, OBSD, iMac PPC) on the LAN can
> print (once i get it working with cups). My (Linux) workstation
> currently acts as the print server for the LAN. There are times when
> that machine comes down, thus stopping the print function. I will be
> replacing the Linux OS shortly with OBSD v3.9 (already built and in test
> mode running the FVWM window manager).

Again, sorry for not having the faintest clue, but...
Cups is a *huge* pile of code. Most of it is internet-attached, and a
much too large part of it speaks HTTP (which always arouses my
suspicion). It was not written with security as a priority.
In short, it doesn't belong on the firewall. Sure, it may be convenient,
but it's not a good idea.
Of course, many people use a combined firewall/home server. There are
many things wrong with this architecture, but there are also very real
benefits. Don't call it a firewall, though - it's not, it's just a
server with a slightly 'harder' OS that also does packet filtering.

> So far, file /var/log/messages shows nothing at all. Will set cupsd
> debug output in /etc/cups/cupsd.conf to level 2, and restart it. File
> /etc/cups/cupsd.conf will have:
> .....
> #LogLevel info
> LogLevel debug2
> # MaxLogSize: controls the maximum size of each log file .....
> #MaxLogSize 0
> MaxLogSize 5
> .....
> /var/log/lpd-errs as yet is empty. Directory /var/spool/cups/ shows test
> page dumps as below:
> $ ls -al /var/spool/cups/
> total 44
> drwx--x--- 3 root _cups 512 Jun 10 11:34 .
> drwxr-xr-x 10 root wheel 512 Jun 9 11:09 ..
> .....
> -rw------- 1 root _cups 577 Jun 10 11:24 c00008
> -rw------- 1 root _cups 577 Jun 10 11:27 c00009
> -rw------- 1 root _cups 577 Jun 10 11:34 c00010
> drwxrwx--T 2 root _cups 512 Jun 10 11:33 tmp

What's in them?

> I wonder if there are some incorrect permissions or if there is an entry
> missing in the /etc/group file. Will compare with the Linux system to
> see if anything obvious shows up.
> A final comment; X is _not_ installed for obvious reasons. However, i
> will need to put samba on the firewall too in order to accommodate
> Windows machines, or does cups understand SMB as well?

ISTR that SAMBA was, indeed, necessary if Windows wants to print
natively.
The above warning also applies to SAMBA, but it has a far worse history
of vulnerabilities. It does not belong on an edge device, and if it is
there, at least firewall it *very* well.
Joachim
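
The "firewall it *very* well" advice above, sketched as a pf.conf filter fragment for OpenBSD 3.9. This is an added example, not part of the original post or of anyone's actual ruleset. The interface names are assumptions derived from the NICs mentioned in the thread (the 3C905B attaches as xl(4), the 3C509B as ep(4)), and which ep card faces the LAN is a guess.

```pf
# Added example, not from the thread. Assumed interface layout:
#   xl0 = PCI 3C905B towards the cable modem (Internet)
#   ep0 = ISA 3C509B towards the LAN
#   ep1 = ISA 3C509B towards the DMZ (gets no access to these services)
int_if  = "ep0"

# Services the thread wants on the box: CUPS/IPP (631) and Samba
# (NetBIOS name/datagram 137-138 udp, session 139 tcp, SMB 445 tcp).
svc_tcp = "{ 631, 139, 445 }"
svc_udp = "{ 631, 137, 138 }"

# Allow only LAN hosts, arriving on the LAN interface, to reach the
# services on the firewall's own LAN address. pf on 3.9 does not keep
# state by default, so it is requested explicitly.
pass in quick on $int_if inet proto tcp \
    from $int_if:network to ($int_if) port $svc_tcp flags S/SA keep state
pass in quick on $int_if inet proto udp \
    from $int_if:network to ($int_if) port $svc_udp keep state

# Everything else aimed at those ports is dropped and logged, whichever
# interface it arrives on (Internet, DMZ, or a spoofed source on the LAN).
# Because the destination is "any", this also stops the box forwarding
# these protocols between networks.
block in log quick proto tcp from any to any port $svc_tcp
block in log quick proto udp from any to any port $svc_udp
```

`pfctl -nf /etc/pf.conf` parses the file without loading it; `tcpdump -n -e -ttt -i pflog0` shows what the logged block rules are catching.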