CUPS access without being part of trusted networks: best practices

Imagine that I’d like to give access to my CUPS server to a few hosts of a different network, a subnet connected to NethServer or public IP addresses…

Which is the more proper and “less unsafe” way to do it?
I was thinking of some rules in the firewall section but…

For external networks I would say a VPN would be the safest. For subnets I’ve read you have to allow subnets in CUPS.

https://www.linuxquestions.org/questions/linux-networking-3/configuring-cups-to-print-across-subnets-329731/

1 Like

If you know the remote network (remote but linked to your local networks), you can add this remote network as a trusted network (a lot of NethServer applications work with it, for example nethserver-fail2ban).

1 Like

Yup, that’s obvious, but using a VPN also needs an OpenVPN account user-based firewall rule; also, IPP supports encryption on the connection (IPP over HTTPS), so… IMO, maybe there’s a “less access way to do it” using only CUPS and IPP.

Yes and no. If I add the remote network as a “trusted network” I also need some firewall rules to “disable” access from that remote network, so that’s not the goal.
I mean…
Consider the option of allowing printing from the hotspot interface.
Or…
A remote warehouse or facility, not LAN-connected to the headquarters, that has to generate written reports of activities without using email. I know that nowadays many MFPs integrate an IPsec client, so maybe it’s only necessary to drop the hardware there, network-connected and able to open an IPsec tunnel, but… does NethServer support “like roadwarrior” IPsec connections?

I know that I could realize a little subnet of 2 hosts plus gateway and broadcast to deliver an IPsec-connected device but… if I already have CUPS and user auth… why?

1 Like
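
As an added illustration of the CUPS-only approach raised in this thread (not a configuration posted by any participant), the `cupsd.conf` fragment below limits the printer queues to named hosts, requires a CUPS login and forces IPP over TLS. All addresses are constructed placeholders from documentation ranges, and the fragment assumes the stock `cupsd.conf` directives.

```conf
# cupsd.conf fragment (added example; every address is a constructed placeholder)

# Listen only on the interface that faces the remote hosts.
Listen 192.0.2.1:631

# Weak variant, shown for contrast only: access allowed by default,
# no authentication, no TLS.
#<Location /printers>
#  Order deny,allow
#  Allow from all
#</Location>

# Restricted variant: access denied by default, then opened to named
# sources only, with a valid CUPS user and an encrypted connection.
<Location /printers>
  Order allow,deny
  Allow from 198.51.100.23
  Allow from 203.0.113.0/28
  AuthType Basic
  Require valid-user
  Encryption Required
</Location>

# Keep the administration pages reachable from the server itself only.
<Location /admin>
  Order allow,deny
  Allow from localhost
  AuthType Default
  Require user @SYSTEM
  Encryption Required
</Location>
```

The firewall still has to permit TCP 631 from the same source addresses, so the list in `Allow from` and the firewall rule should be kept identical.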