Chapter 15. Managing Print Services

Printing continues to be a widely used feature of most computer networks. In some circumstances, users need to print information using printers connected to other systems on other networks. Users behind a firewall might want to print to printers on systems on the outside, or behind other firewalls. Others might want to be able to print from a remote system, for example from a mobile PC to a printer behind a firewall. The Gauntlet Firewall includes an lp proxy that securely handles the transfer of print requests.

This chapter discusses the concepts behind the lp proxy and explains how lp works, how to configure the proxy, and how to use lp services. The chapter consists of these sections:

Understanding the lp Proxy

The lp proxy is an application-level gateway that provides configurable access control and logging mechanisms. The lp proxy, which runs on the firewall, passes lp requests through the firewall using rules you supply. You can configure the lp proxy to allow file transfer activity based on:

  • source IP address

  • source hostname

  • destination IP address

  • destination hostname

  • lp commands (for example, number and priority)

  • printer queue

Using these options, you can configure your firewall to allow specific hosts on the inside network to print files on outside hosts. Employees working behind the firewall can send print jobs to printers at customer sites. Similarly, traveling employees can send print jobs to printers at corporate headquarters inside the defense perimeter. You can deny access to some lp commands, allowing users to print, but not allowing them to restart or remove print jobs.

The lp proxy logs all successful and unsuccessful file transfer attempts and the number of bytes transferred. These access controls give you much more control over the files entering and leaving your system than the standard IRIX lp program provides. The logging capabilities are also much more extensive.

How the lp Proxy Works

The firewall runs the lp proxy (lp-gw) as a daemon listening for requests on the standard printer port (TCP port 515). When the firewall receives requests for services on this port, the lp proxy checks its configuration information and determines whether the initiating host has permission to use lp. If the host has permission, the proxy logs the transaction and passes the request to the printer server. The lp-gw proxy remains active until either side closes the connection.

The default configuration allows inside hosts to use lp. Users on inside hosts can continue to print to outside hosts as they did before the firewall was put into place. The default configuration does not allow outside hosts to connect to inside hosts for printing.

This configuration prohibits running an lp server on the firewall itself. Because the lp proxy is running on the standard lp port on the firewall, there is no way to start the lp daemon needed to service lp requests. Thus, you cannot print from the firewall itself.

However, a common configuration is to allow outside hosts to print to inside printers. Consider Yoyodyne's network, as shown in Figure 15-1. The Web server is on the outside network. When working on the web, the Webmaster needs to print files. It is possible to print files to the printer inside the firewall if the system outside the firewall, the firewall, and the system controlling the printer inside the firewall are all properly configured.

To configure this service, the administrator at Yoyodyne creates a remote print queue (called inside_fw) on the Web server. This queue specifies that files for the inside print queue are sent to the outside address of the firewall (204.255.154.1). On dimension, the system inside the firewall that controls the printer, the administrator creates a print queue (called from_fw) that sends requests to the printer (10.0.1.40). The administrator also configures dimension to accept requests from the inside address of the firewall (10.0.1.100). On the firewall, the administrator configures the lp proxy to take requests sent to the queue inside_fw and to send the requests to the queue from_fw on dimension.

Now, the Webmaster sends print jobs to the print queue inside_fw. The firewall acts as a relay and passes the print job to the print queue from_fw on dimension. The print queue from_fw sends the file on to the printer, which prints the job.

Figure 15-1. Example Firewall lp Configuration
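
The request handling described above, as an added example that is not part of the original chapter and is not Gauntlet's own code: it assumes the RFC 1179 line printer daemon framing used on TCP port 515 (one command byte, the queue name, optional operands, a line feed) and models the access check and the inside_fw to from_fw queue mapping. The POLICY layout, the function names and the 192.0.2.0/24 source network are assumptions for illustration.

```python
import ipaddress

# RFC 1179 request codes: the first byte of every request on TCP port 515.
LPD_COMMANDS = {1: "restart", 2: "print", 3: "status", 4: "status-long", 5: "remove"}

# Constructed policy modelled on the Yoyodyne example; this is not Gauntlet's
# configuration syntax. The source network is an assumed placeholder.
POLICY = {
    "permit_sources": [ipaddress.ip_network("192.0.2.0/24")],
    "permit_commands": {"print", "status", "status-long"},
    # client queue -> (print server, server queue)
    "queues": {"inside_fw": ("dimension", "from_fw")},
}

def parse_request(line: bytes):
    """Split '<code><queue>[ <operands>]\\n' into (command, queue, operands)."""
    if len(line) < 3 or not line.endswith(b"\n"):
        raise ValueError("truncated request line")
    command = LPD_COMMANDS.get(line[0])
    if command is None:
        raise ValueError(f"unknown command code {line[0]}")
    queue, _, operands = line[1:-1].partition(b" ")
    return command, queue.decode("ascii"), operands

def decide(source_ip: str, line: bytes, policy=POLICY):
    """Return (allowed, reason, forward); forward is (server, rewritten line)."""
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in policy["permit_sources"]):
        return False, "source not permitted", None
    try:
        command, queue, operands = parse_request(line)
    except ValueError as exc:  # also covers non-ASCII queue names
        return False, f"malformed request: {exc}", None
    if command not in policy["permit_commands"]:
        return False, f"command '{command}' denied", None
    if queue not in policy["queues"]:
        return False, f"unknown client queue '{queue}'", None
    server, server_queue = policy["queues"][queue]
    # Rewrite only the queue name; command byte and operands pass through.
    rewritten = bytes([line[0]]) + server_queue.encode("ascii")
    if operands:
        rewritten += b" " + operands
    return True, f"{command} {queue} -> {server}:{server_queue}", (server, rewritten + b"\n")
```

The reason string returned for every decision, permitted or denied, is the kind of record the proxy's logging would capture for each request.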


Configuring the Print Client

Configuring the print client involves creating a remote print queue to send print jobs to the firewall. You create a print queue using Print Manager.


Note: Consult your IRIX system documentation for additional information.

To create a remote print queue using Print Manager, follow these steps:

  1. Define the remote print queue using the Printer Manager in the Toolchest.

    • If you are not using transparency (as when printing from outside the firewall to inside the firewall), specify the host name of the firewall as the remote host.

    • If you are using transparency (the default configuration when printing from inside the firewall to outside the firewall), specify as the remote host the hostname of the system where the printer is connected.

  2. Instruct users to send jobs to the client queue (inside_fw) in order to print to the remote printer queue.

Configuring the Print Server

Configuring the print server involves instructing the host running the print server to accept jobs from the firewall.

To configure the print server, follow these steps:

  1. On the host running the print server, use lpadmin to add the firewall to the list of hosts that can print to the desired printer.

    • If the print server is inside the firewall, specify the IP address of the inside interface of the firewall:

      10.0.1.100
      

    • If the print server is outside the firewall, specify the IP address of the outside interface of the firewall:

      204.255.154.100
      

  2. Create a print queue to send requests to the printer. You can create a separate print queue to handle requests from the firewall, or you can continue to use one of your standard print queues. Be sure that the print queue name matches the name you specified as the remote printer name on the client (from_fw).

  3. Consult your IRIX system documentation for other standard steps in creating and starting print servers. Ensure that you create a print queue that will actually send print jobs to the printer.

Accessing lp Proxy Configuration

To access the lp proxy configuration:

  1. From within the Gauntlet Firewall Manager, select Services.

  2. Click the Lp tab.

    The Lp window displays.

    Figure 15-2. Lp Window


Configuring the Firewall for lp Services

Configuring the Gauntlet Firewall involves planning, configuring the lp proxy to enforce your security policy, and enabling the proxy.

Planning lp Proxy Settings

When planning lp proxy settings:

  1. Determine which internal users and hosts can use these services.

  2. Determine which external users and hosts can use these services.

Configuring lp Proxy Settings

Configure the lp proxy to enforce your security policies.

To configure lp proxy settings:

  1. In the Lp window, select the lp-gw configuration to modify the default settings.

  2. Click Modify.

    The Modify Printer Services window displays.

    Figure 15-3. Modify Printer Services Window


  3. Provide information about the printer queue to which the lp proxy sends requests.

    Client Queue

    Name of the remote print queue that you defined on the print client. For example, Yoyodyne enters inside_fw.

    Print Server

    System running the lp daemon that will handle the print request. Specify by IP address or host name. If you are using transparency, this value is optional. For example, Yoyodyne enters “dimension.”

    Server Queue

    Name of the print queue on the print server. For example, Yoyodyne enters “from_fw.”


  4. Click Add to add this printer information.

  5. Click OK.

Enabling the lp Proxy

To enable the proxy:

  1. In the Lp window, click Enable.

  2. Add the lp proxy configuration to the service groups that you want to use the lp proxy.

  3. Before exiting the Gauntlet Firewall Manager, Save and Apply your changes.

    The firewall enables the lp proxy.

Using lp Services

The firewall and the lp proxy are transparent to users. Ask them to print to the desired print queue as before.