lpd

Edward Glowacki glowack2@msu.edu
Fri, 24 Aug 2001 10:01:00 -0400


Quoted from Paul_Melson@keykertusa.com on Fri, Aug 24, 2001 at 09:18:44AM -0400:
> >the answer is: 
> >
> >add the following line to /etc/lpd.conf: 
> >forcelocalhost@
> 
> I think that this still leaves the socket open, it just denies the 
> queueing of any jobs.  If security is the main concern (eg. buffer 
> overflows, DoS attacks), it's probably best to just use something like 
> `ipchains -A input -p tcp -s 0.0.0.0/0 -d [external ip]/32 515 -j REJECT 
> -l` in combination with 'forcelocalhost@' to prevent abuse.

When you run it like this, there's no need to even start LPD.
Here's how things look on my FreeBSD box right now (with some
irrelevant stuff from sockstat removed):

#sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd     38201    3 tcp4   *:22                  *:*
root     XFree86  68908    1 tcp4   *:6000                *:*
root     arlad    59241    4 udp4   *:4711                *:*

# ps ax |grep lpd
39750  pg  S+     0:00.00 grep lpd
# lpr /etc/rc.conf
# (a piece of paper came out of the printer with /etc/rc.conf on it...)

This is for a networked printer that has a printserver, so my
/etc/printcap has a host to connect to:

# more /etc/printcap

lp|printerX:\
        :lp=:rp=printerX:rm=printerX.foo.bar.com:\
        :sh:mx#0:
        :sd=/var/spool/printerX:

(rp= is the printer name, rm= is the remote machine, in this case
the printer itself)

So you don't have to worry about sockets at all... =)

-- 
Edward Glowacki			glowack2@msu.edu
Michigan State University	
"...a partial solution to the right problem is better than a complete
solution to the wrong one." (http://uiweb.com/issues/issue14.htm)
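
The check described in the message above, as an added example that is not part of the original post: it confirms from `sockstat -4` output that nothing listens on TCP 515 and that the printcap entry names a remote host. The function names, the `lpd` row with PID 411, and the rule that indented lines continue a printcap entry are assumptions made for this example.

```sh
# Added example, not from the original post. Assumes the FreeBSD
# `sockstat -4` column layout shown in the message.

# stdin: sockstat -4 output. Prints COMMAND PID LOCAL per TCP listener on 515.
lpd_listeners() {
    awk '$5 ~ /^tcp/ && $6 ~ /:515$/ && $7 == "*:*" { print $2, $3, $6 }'
}

# stdin: printcap. Prints the rm= host of the printer named $1.
# Assumption: a line starting with whitespace or ":" continues the current
# entry, with or without a trailing backslash (the post's entry mixes both).
printcap_rm() {
    awk -v want="$1" '
        function emit(   n, f, i, m, names, hit) {
            if (entry == "") return
            n = split(entry, f, ":"); m = split(f[1], names, "|"); hit = 0
            for (i = 1; i <= m; i++) if (names[i] == want) hit = 1
            if (hit) for (i = 2; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (f[i] ~ /^rm=/) print substr(f[i], 4)
            }
            entry = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { sub(/\\[ \t]*$/, "") }
        /^[ \t:]/ { entry = entry $0; next }
        { emit(); entry = $0 }
        END { emit() }
    '
}

# $1: sockstat text, $2: printcap text, $3: printer name (all hypothetical
# parameters). Returns 0 only if 515 is closed and the printer has an rm= host.
audit_lpr_only() {
    listeners=$(printf '%s\n' "$1" | lpd_listeners)
    rm_host=$(printf '%s\n' "$2" | printcap_rm "$3")
    [ -z "$listeners" ] || { echo "FAIL: port 515 open: $listeners"; return 1; }
    [ -n "$rm_host" ] || { echo "FAIL: no rm= host for $3"; return 1; }
    echo "OK: no lpd listener; $3 sends to $rm_host"
}

# Constructed sample input: the lpd row is invented to show a failing host.
SAMPLE_SOCKSTAT='root     sshd     38201    3 tcp4   *:22                  *:*
root     lpd        411    6 tcp4   *:515                 *:*'
SAMPLE_PRINTCAP='lp|printerX:\
        :lp=:rp=printerX:rm=printerX.foo.bar.com:\
        :sh:mx#0:
        :sd=/var/spool/printerX:'
audit_lpr_only "$SAMPLE_SOCKSTAT" "$SAMPLE_PRINTCAP" lp || true
```

On a live host the first two arguments would be "$(sockstat -4)" and "$(cat /etc/printcap)".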