Hello,

On Sun, Apr 13, 2025 at 11:38:01AM -0400, Stefan Monnier wrote:
> Why do you need cups ports open to print?

You presumably do not, in the general sense. On this machine, I have this:

tcp        0      0 127.0.0.1:631    0.0.0.0:*    LISTEN    10711/cupsd
tcp6       0      0 ::1:631          :::*         LISTEN    10711/cupsd

Which indirectly implies that you can only attack it from localhost.

> I understand you need the cups port to be open on the side of the
> printer (or print-server), but not on the side of the machine that sends
> the print job.

Yes. Previous releases of cupsd had a broadcast UDP port open to the world, but that might be old. It was by the cups-browsed process on port 631. If it was open and not firewalled, then you would have been attackable by https://nvd.nist.gov/vuln/detail/cve-2024-47176

On this machine, the package cups-browsed is installed, but it is disabled and thus not started by systemd. Don't know if this is a default setting?

cups-browsed is only required if you want to see the Bonjour available printers on your network, or if you want to make your local printers available through Bonjour (a broadcast discovery protocol).

It might be that cups-browsed IS installed by default and open to the world on Debian installations?
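
Added example, not part of the original message: a check over netstat-style output like the lines quoted above, reporting whether any socket on port 631 is bound to a non-loopback address. The sample input is constructed (the UDP cups-browsed line and the sshd line are made up) and the function names are hypothetical.

```python
import ipaddress

CUPS_PORT = 631  # port used by cupsd and cups-browsed, as in the message

# Constructed sample in `netstat -tulpn` layout; the first two lines mirror the
# output quoted in the message, the UDP and sshd lines are made up.
SAMPLE = """\
tcp        0      0 127.0.0.1:631   0.0.0.0:*   LISTEN   10711/cupsd
tcp6       0      0 ::1:631         :::*        LISTEN   10711/cupsd
udp        0      0 0.0.0.0:631     0.0.0.0:*            2045/cups-browsed
tcp        0      0 0.0.0.0:22      0.0.0.0:*   LISTEN   812/sshd
"""

def split_local(addr):
    """Split 'host:port' on the last colon so IPv6 forms like ':::631' work."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]").split("%")[0], port

def is_loopback(host):
    if host in ("*", ""):
        return False  # wildcard bind
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable: treat as exposed so it gets reviewed

def cups_sockets(netstat_text, port=CUPS_PORT):
    """Return (proto, local_addr, program, loopback_only) for each socket on port."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        host, p = split_local(fields[3])
        if not p.isdigit() or int(p) != port:
            continue
        if fields[0].startswith("tcp") and "LISTEN" not in fields:
            continue  # established connection, not a listener
        program = fields[-1] if "/" in fields[-1] else "?"
        found.append((fields[0], fields[3], program, is_loopback(host)))
    return found

def exposed(netstat_text, port=CUPS_PORT):
    """Sockets on the port reachable from other hosts unless a firewall blocks them."""
    return [s for s in cups_sockets(netstat_text, port) if not s[3]]

if __name__ == "__main__":
    for proto, local, prog, lo in cups_sockets(SAMPLE):
        print(f"{proto:5} {local:16} {prog:20} {'loopback only' if lo else 'EXPOSED'}")
```

A wildcard bind reported here still needs to be checked against the host firewall, since a listening socket that is firewalled is not reachable from the network.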