ACLs for CUPS Traffic

Marc Seery seery at csee.wvu.edu
Wed Nov 16 08:58:38 PST 2011


Hi Folks,

I'm working to clean up some access control lists between some of our networks. One of our CUPS servers lives on a separate network than the printers and requires some routing. The router has strict access control lists in place.

Is it common for a CUPS server to initiate traffic TO a printer on its own and for what reason? Monitoring status perhaps? Here is a snippet of traffic from our router:

Nov 16 10:23:31 est: %SEC-6-IPACCESSLOGP: list XXX-XXXX-XXXXX-in denied tcp XX.XX.XX.XX(33044) (VlanXX XXXX.XXXX.XXXX) -> XX.XX.XX.XX(9100), 1 packet
Nov 16 10:24:01 est: %SEC-6-IPACCESSLOGP: list XXX-XXXX-XXXXX-in denied tcp XX.XX.XX.XX(33045) (VlanXX XXXX.XXXX.XXXX) -> XX.XX.XX.XX(9100), 1 packet
Nov 16 10:24:31 est: %SEC-6-IPACCESSLOGP: list XXX-XXXX-XXXXX-in denied tcp XX.XX.XX.XX(33046) (VlanXX XXXX.XXXX.XXXX) -> XX.XX.XX.XX(9100), 1 packet
Nov 16 10:25:00 est: %SEC-6-IPACCESSLOGP: list XXX-XXXX-XXXXX-in denied tcp XX.XX.XX.XX(33047) (VlanXX XXXX.XXXX.XXXX) -> XX.XX.XX.XX(9100), 1 packet
Nov 16 10:25:30 est: %SEC-6-IPACCESSLOGP: list XXX-XXXX-XXXXX-in denied tcp XX.XX.XX.XX(33048) (VlanXX XXXX.XXXX.XXXX) -> XX.XX.XX.XX(9100), 1 packet

Unfortunately, my network admin gives me no other info than this and won't let the traffic through as it's considered a miscreant system.

The traffic obviously initiates on high ports on the CUPS server with a destination of the JetDirect port. In this case, each instance is to the same printer.

Any insight?

Thanks.
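
Added example, not part of the original post: one way to reduce a router snippet like the one above to a per-flow summary (attempt count, spacing between attempts, whether source ports increment by one) before deciding on a permit entry. The sample lines are constructed in the same `%SEC-6-IPACCESSLOGP` layout; the addresses, ACL name, MAC and the `year` default are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the layout shown in the post. Addresses come from the
# documentation ranges; the ACL name and MAC are placeholders.
SAMPLE = """\
Nov 16 10:23:31 est: %SEC-6-IPACCESSLOGP: list EXAMPLE-in denied tcp 192.0.2.10(33044) (Vlan10 0000.5e00.5301) -> 198.51.100.20(9100), 1 packet
Nov 16 10:24:01 est: %SEC-6-IPACCESSLOGP: list EXAMPLE-in denied tcp 192.0.2.10(33045) (Vlan10 0000.5e00.5301) -> 198.51.100.20(9100), 1 packet
Nov 16 10:24:10 est: %SEC-6-IPACCESSLOGP: list EXAMPLE-in denied tcp 192.0.2.10(40112) (Vlan10 0000.5e00.5301) -> 198.51.100.21(9100), 1 packet
Nov 16 10:24:31 est: %SEC-6-IPACCESSLOGP: list EXAMPLE-in denied tcp 192.0.2.10(33046) (Vlan10 0000.5e00.5301) -> 198.51.100.20(9100), 1 packet
Nov 16 10:25:00 est: %SEC-6-IPACCESSLOGP: list EXAMPLE-in denied tcp 192.0.2.10(33047) (Vlan10 0000.5e00.5301) -> 198.51.100.20(9100), 1 packet
Nov 16 10:25:30 est: %SEC-6-IPACCESSLOGP: list EXAMPLE-in denied tcp 192.0.2.10(33048) (Vlan10 0000.5e00.5301) -> 198.51.100.20(9100), 1 packet
"""

# The "(interface MAC)" group is optional; it only appears on some log lines.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s.*?%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"(?:\([^)]*\) )?-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packet"
)

def summarize(text, year=2011):
    """Group denied lines by (proto, src, dst, dport) and describe each flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["action"] != "denied":
            continue  # redacted, permitted or unrelated lines are skipped
        # The log has no year; 'year' is an assumption used only for deltas.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["proto"], m["src"], m["dst"], int(m["dport"]))
        flows[key].append((when, int(m["sport"])))
    report = {}
    for key, hits in flows.items():
        hits.sort()
        pairs = list(zip(hits, hits[1:]))
        gaps = [(b[0] - a[0]).total_seconds() for a, b in pairs]
        report[key] = {
            "attempts": len(hits),
            "median_gap_s": median(gaps) if gaps else None,
            # +1 source port per attempt: each attempt is a new connection
            "sport_sequential": all(b[1] - a[1] == 1 for a, b in pairs),
        }
    return report

if __name__ == "__main__":
    for flow, stats in summarize(SAMPLE).items():
        print(flow, stats)
```

A steady gap and sequential source ports toward a single destination describe one new connection attempt per interval to that printer, which is the pattern to match when scoping the ACL entry to source host, destination host and port.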
