.TH LP-GW 8 "August 2007" "OpenFWTK"
.SH NAME
lp-gw \- line printer protocol proxy
.SH SYNOPSIS
.B lp-gw
.BI "[-daemon " port ]
.BI "[-fastdaemon " port ]
.BI "[-as " tag ]
.sp
.SH DESCRIPTION
.IX "lp-gw" "" "\(em line printer protocol proxy"
The Firewall Toolkit lp proxy is an application level proxy that provides
configurable access control, authentication and logging mechanisms.
The lp proxy, which runs on the firewall, passes print jobs and control
requests through the firewall (at the application level), using rules you
supply.
You can configure the proxy to allow connections based on:
.IP "\(bu" 4m
source IP address
.IP "\(bu" 4m
source host name
.IP "\(bu" 4m
print queue name
.IP "\(bu" 4m
source port (protocol conformance)
.IP "\(bu" 4m
lpd command (for example, print or remove)
.IP "\(bu" 4m
user name
.PP
All packets, and therefore all application requests, go to the firewall.
On the firewall, the lp proxy relays information from one side of the
firewall to the other.
The proxy prevents applications on outside networks from talking directly
with applications on your inside network, and vice versa.
No IP packets pass from one side of the firewall to the other; all data
are passed at the application level.
.PP
To use the proxy in non-transparent mode, configure a client to server
queue mapping (see the
.B printer
attribute below) and give clients the firewall's IP address or host name
as their print server, together with the client queue name.
.PP
The line printer proxy
.RB "(" lp-gw ")"
generally runs as a daemon (invoked from a system startup script, e.g.
.IR /etc/rc.local )
and listens for requests on the specified port (tcp/515, as listed in
.IR /etc/services ,
is the usual default).
Whenever the system receives an lpd request on this port, the lp proxy
checks its configuration information (in the
.IR netperm-table )
and determines whether the initiating host has permission to use the
spooler.
If the host does not have permission, the proxy logs the connection attempt
and displays an error message.
.PP
The proxy may also be invoked from the TCP/IP "superserver" (inetd or
xinetd); the
.I -daemon
option must be omitted in that case.
.PP
If the host has permission, the proxy authenticates the user (if required),
logs the transaction and passes the request to the destination host.
.SH OPTIONS
.SS Command Line Options
The line printer proxy recognizes the following command line options
(whether started from the command line or from within
.IR /etc/rc.local ):
.TP
.BI "-daemon " port
Indicates that the line printer proxy runs as a daemon, and the port (name
or number) on which it listens.
With
.IR -daemon ,
the configuration is re-read from the
.I netperm-table
for every new connection the proxy accepts, so a rule change takes effect
immediately.
.IP
.I port
Specifies either a numeric id or a symbolic name from the
.I /etc/services
file.
.TP
.BI "-fastdaemon " port
Like
.IR -daemon ,
but the configuration is read from the
.I netperm-table
once when the daemon starts, and again only when it receives
.IR SIGHUP .
.TP
.BI "-as " tag
Changes the application tag looked up in the
.I netperm-table
from the default "lp-gw" to the given string.
.SS Configuration Options
The line printer proxy reads configuration rules from
.IR /usr/local/etc/netperm-table .
It reads all rules using the
.B lp-gw
and
.B *
(wildcard) keywords.
The line printer proxy reads the
.I netperm-table
from top to bottom.
If there are multiple rules in the table that could apply to a particular
attribute, the line printer proxy uses the first one that it finds.
See
.BR netperm-table (5)
for a more complete explanation of
.I netperm-table
syntax and precedence.
.PP
The line printer proxy recognizes the following attributes:
.TP
.BI "hosts " "host-pattern [host-pattern...] [options]"
.B hosts
rules specify host and access permissions.
Typically, a hosts rule will be in the form of:
.na
.sp 1
lp-gw: deny-hosts unknown
.sp
lp-gw: hosts 192.33.112.* 192.94.214.* -queue laserjet4
.ad
.sp 1
There may be several host patterns following the "hosts" keyword, ending
with the first optional parameter beginning with '-'.
Optional parameters permit the selective enabling or disabling of logging
information, etc.
Sub-options are:
.RS
.IP
.B \-transparent
specifies that the proxy runs in transparent mode; see the OS-specific
details on how to set up transparent redirection.
The destination host is not extracted from the user name part of the
request but taken from the properties of the redirected connection
instead.
This makes the proxy "transparent", so no special client setup is
required.
.IP
.B \-plug-to
.I server-address
specifies that the proxy is "hardwired" to the given server.
.IP
.B \-log
.I operation
.br
.B \-log {
.I "operation [operation..]"
.B }
.br
specifies that a log entry should be written to the system log whenever
the listed operations are performed through the proxy.
Known operations are
.RS
.IP \(bu 4n
null
.IP \(bu 4n
restart
.IP \(bu 4n
print
.IP \(bu 4n
qstate_s
.IP \(bu 4n
qstate_l
.IP \(bu 4n
remove
.IP \(bu 4n
* (any of the above)
.RE
.PP
.B \-queue
.I queue
.br
.B \-queue {
.I "queue [queue..]"
.B }
.br
specifies a list of allowed client queues.
If no list is specified, all destinations are considered valid.
The \-queue list is processed in the order in which it appears on the
options line, and the first entry that matches decides.
Entries preceded by a '!' character are treated as negation entries.
Therefore the rule:
.sp
.nf
.na
-queue { !declaser * }
.fi
.ad
.sp
will permit access to any queue except "declaser".
Because the first match decides, the negation must come before the
wildcard; written the other way round, the wildcard would match first and
"declaser" would be permitted as well.
.PP
.B \-deny
.I operation
.br
.B \-deny {
.I "operation [operation..]"
.B }
.br
specifies that the listed operation(s) are denied.
The list has the same form as for the \-log option.
.PP
.B \-user
.I username
.br
.B \-user {
.I "username [username..]"
.B }
specifies a list of users allowed to communicate with the remote print
server.
By default, all users are permitted.
The user name compared here is the one the client places in the lpd
request, so this list restricts who may print but does not by itself
verify the user's identity; see
.B \-authuser
and
.B \-extnd
below.
.PP
.B \-authuser
.I username
specifies the user name used for extended authorization.
.PP
.B \-extnd
specifies that the proxy should request per-operation permissions from
.BR authsrv (8).
.PP
.B \-lprng
enforces strict RFC 1179 conformance for the originating port number
(usually needed for LPRng clients).
.PP
.B \-anyport
disables originator port checks completely (useful for NATed clients and
Windows spoolers).
.PP
.B \-force-user
forces the client user identification to the one specified by
.BR \-authuser .
.PP
.B \-client-dscp
.I dscp-tag-name
.br
.B \-client-dscp
.I dscp-hex-value
specifies the diffserv codepoint (QoS/ToS mark) for the client to proxy
connection.
.PP
.B \-server-dscp
.I dscp-tag-name
.br
.B \-server-dscp
.I dscp-hex-value
specifies the diffserv codepoint (QoS/ToS mark) for the proxy to server
connection.
.RE
.TP
.BI "printer " queue " [-printer " server-queue "] [-host " server ]
Defines the client to server queue mapping.
.RS
.TP
.I queue
Specifies the queue name visible on the firewall.
If `*', any allowed queue is mapped to the given server.
.TP
.I server-queue
Specifies the server queue name to map to.
.TP
.I server
specifies the lpd server name or address.
.RE
.TP
.BI "directory " directory
Specifies the directory that the line printer proxy makes its root
directory (chroot) before providing service.
.TP
.BI "groupid " group
Specifies the name of the group the line printer proxy uses when running.
.RS
.TP
.I group
Specifies either a name or numeric id from the
.I /etc/group
file.
.RE
.TP
.BI "timeout " seconds
Specifies the number of seconds the line printer proxy may be idle (with
no network activity) before it disconnects.
.TP
.BI "userid " user
Specifies the user ID the proxy uses when running.
.RS
.TP
.I user
Specifies either a name or numeric id from the
.I /etc/passwd
file.
This option is equivalent to the
.B -user
command in previous versions.
.RE
.SH EXAMPLES
The following example defines a simple lpd access policy.
.sp
.nf
.na
.RS
# permit workstations on the LAN to access the printer in the DMZ
lp-gw: permit-hosts 10.0.0.* -queue officelj
lp-gw: printer officelj -printer laserjet -host pserv1
.RE
.ad
.fi
.SH FILES
.IP /etc/rc.local
Command script that controls automatic reboot, and includes startup
information for the printer proxy.
.IP /usr/local/etc/netperm-table
The network permissions file; contains configuration information for the
Firewall Toolkit, including the line printer proxy.
.SH BUGS
Printer queue operation names differ from those used by Gauntlet.
.sp
Only the LPD protocol is supported; there is no CUPS or "raw" printing.
.sp
Report bugs to arkenoi@gmail.com or to the fwtk-users@buoy.com mailing
list.
Include a complete example, explaining what you expected to happen and
what actually happened.
Be sure to indicate the type of system (operating system, hardware, etc.)
you are using, as well as the version of the line printer proxy.
.SH AUTHOR
ArkanoiD.
.SH SEE ALSO
.BR netperm-table (5),
.BR rc (8),
.BR authsrv (8),
.BR netacl (8)
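.SH RULE EVALUATION EXAMPLE
The following Python program is an added illustration for this page; it is
not part of OpenFWTK and does not reproduce the proxy's own parser.
It models the access-control semantics described under Configuration
Options: rules are read top to bottom and the first
.B hosts
rule whose pattern matches the client decides, a
.B \-queue
or
.B \-user
list is scanned in order with a leading `!' negating an entry, listed
.B \-deny
operations are refused, operations listed under
.B \-log
are flagged for logging, and
.B printer
rules map a client queue to a server queue and host.
The netperm-table fragment inside it is constructed for the demonstration.
Assumptions made here that the real proxy may not share: host patterns are
matched with shell-style wildcards against the client address or name, the
pattern "unknown" stands for a client with no reverse-DNS name, a
sub-option followed by a token not starting with `-' is taken to have a
value, and a
.B printer
rule without
.B \-printer
keeps the client's queue name.
.sp

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed policy for this demonstration (not a real site's table).
NETPERM_TABLE = """
lp-gw: deny-hosts unknown
lp-gw: permit-hosts 10.0.0.* -queue { !declaser * } -deny remove -log { print remove }
lp-gw: permit-hosts 10.0.1.* -queue officelj -user { alice bob }
*:     deny-hosts *
lp-gw: printer officelj -printer laserjet -host pserv1
lp-gw: printer * -host pserv2
""".strip()


@dataclass
class HostRule:
    lineno: int
    permit: bool        # hosts/permit-hosts -> True, deny-hosts -> False
    patterns: list
    opts: dict          # sub-option name -> list of values ([] for a bare flag)


@dataclass
class Decision:
    allowed: bool
    reason: str
    log: bool = False   # True when the operation is listed under -log


def _parse_opts(tokens):
    # ["-queue", "{", "a", "!b", "}", "-anyport"] -> {"queue": ["a", "!b"], "anyport": []}
    # Assumption: a sub-option followed by "{" or by a token not starting with "-" takes a value.
    opts, i = {}, 0
    while i < len(tokens):
        name, i = tokens[i].lstrip("-"), i + 1
        if i < len(tokens) and tokens[i] == "{":
            end = tokens.index("}", i)          # ValueError if the list is unterminated
            opts[name], i = tokens[i + 1:end], end + 1
        elif i < len(tokens) and not tokens[i].startswith("-"):
            opts[name], i = [tokens[i]], i + 1
        else:
            opts[name] = []                     # bare flag such as -transparent
    return opts


def parse_table(text, tag="lp-gw"):
    # Keep rules tagged `tag` (the default, changed with -as) or "*", in file order.
    hosts, printers = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        app, _, rest = line.partition(":")
        if not line or app.strip() not in (tag, "*"):
            continue
        keyword, *args = rest.split()
        if keyword in ("hosts", "permit-hosts", "deny-hosts"):
            # host patterns run up to the first token that starts with "-"
            n = next((k for k, t in enumerate(args) if t.startswith("-")), len(args))
            hosts.append(HostRule(lineno, keyword != "deny-hosts", args[:n], _parse_opts(args[n:])))
        elif keyword == "printer":
            o = _parse_opts(args[1:])
            printers.append((args[0], o.get("printer", [None])[0], o.get("host", [None])[0]))
    return hosts, printers      # userid, timeout, directory, ... are not modelled here


def _host_matches(pattern, ip, name):
    if pattern == "unknown":                    # client without a reverse-DNS name
        return name is None
    return fnmatchcase(ip, pattern) or (name is not None and fnmatchcase(name, pattern))


def _list_allows(entries, value):
    # -queue/-user list: absent means anything; the first matching entry decides, "!" negates
    if entries is None:
        return True
    for entry in entries:
        if fnmatchcase(value, entry.lstrip("!")):
            return not entry.startswith("!")
    return False


def decide(hosts, ip, name, queue, operation, user):
    # The first hosts rule whose pattern matches the client decides; later rules are never read.
    for r in hosts:
        if not any(_host_matches(p, ip, name) for p in r.patterns):
            continue
        if not r.permit:
            return Decision(False, "host denied by line %d" % r.lineno)
        if not _list_allows(r.opts.get("queue"), queue):
            return Decision(False, "queue %s not allowed by line %d" % (queue, r.lineno))
        if operation in r.opts.get("deny", []) or "*" in r.opts.get("deny", []):
            return Decision(False, "operation %s denied by line %d" % (operation, r.lineno))
        if not _list_allows(r.opts.get("user"), user):
            return Decision(False, "user %s not allowed by line %d" % (user, r.lineno))
        logged = r.opts.get("log", [])
        return Decision(True, "permitted by line %d" % r.lineno, operation in logged or "*" in logged)
    return Decision(False, "no hosts rule matched")


def map_queue(printers, queue):
    # Client queue -> (server queue, host); "*" maps any queue. Assumption: no -printer keeps the name.
    for q, server_queue, host in printers:
        if q in (queue, "*"):
            return (server_queue or queue, host)
    return None


HOSTS, PRINTERS = parse_table(NETPERM_TABLE)
```

Importing the file builds
.B HOSTS
and
.B PRINTERS
from the fragment; decide(HOSTS, "10.0.0.5", "ws5.lan", "declaser", "print",
"carol") is refused by the negation entry, the same client printing to
officelj is permitted and flagged for logging, a client with no reverse-DNS
name is stopped by the first line before any permit rule is consulted, and
an address such as 192.0.2.9 that matches no earlier rule falls through to
the wildcard-tagged deny-hosts line.
Swapping the first two table lines would let a nameless client on
10.0.0.0/24 print, which is why the order of rules, not only their
content, has to be reviewed when the table changes.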