OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: esurplusplus on March 31, 2018, 10:29:42 pm

Title: CUPS print server for Opnsense
Post by: esurplusplus on March 31, 2018, 10:29:42 pm
Hoping for an official CUPS package for Opnsense. Manually installing from FreeBSD mirror has proven a PITA, plus no idea what issues it may cause, will it continue to work after updates, etc.

Thank you
Title: Re: CUPS print server for Opnsense
Post by: Alphakilo on April 01, 2018, 02:35:58 pm
It is probably not the best idea to install cups on your firewall, given the attack surface it presents.
cups track record (https://www.cvedetails.com/vulnerability-list/vendor_id-3886/Cups.html) doesn't look pretty either.

Your firewall is very much the last thing that you want compromised. Please put cups on a different host.
Title: Re: CUPS print server for Opnsense
Post by: fabian on April 01, 2018, 05:38:45 pm
> Your firewall is very much the last thing that you want compromised. Please put cups on a different host.

Probably an RPI is well suited for that job (no performance required, small energy consumption).
Title: Re: CUPS print server for Opnsense
Post by: loredo on April 01, 2018, 07:12:32 pm
Wouldn't this be a typical case to use a Jail?
I'm currently playing with iocell on an OPNsense test machine and it looks quite promising.
Title: Re: CUPS print server for Opnsense
Post by: fabian on April 01, 2018, 07:56:20 pm
Not really. A jail is for isolating an application, but it still shares the kernel. Due to some hardware exploits like Spectre and Meltdown it would be possible to attack the firewall (for example, extract IPsec secrets) or break out of the jail using a kernel exploit.
Title: Re: CUPS print server for Opnsense
Post by: franco on April 04, 2018, 07:57:35 am
Which FreeBSD package are we talking about?
Title: Re: CUPS print server for Opnsense
Post by: Davesworld on April 04, 2018, 10:22:59 pm
I really wish people would only use a firewall appliance for their edge appliance and quit trying to make it into a Swiss Army knife do-it-all appliance. Don't get so caught up in whether you can that you ignore whether you should.

If this printer will need to be accessed from the internet, run something specifically for the printer server and make a dmz for it. Personally I just use cloud aware printers these days. I even travel with one that has wifi and cloud print.
Title: Re: CUPS print server for Opnsense
Post by: franco on April 05, 2018, 06:51:12 pm
To be fair, you can take an OPNsense, use a WAN-only setup, slap your risky plugins / packages on it and use it like a server in a LAN or DMZ, preferably protected by a capable firewall elsewhere. ;)


Cheers,
Franco
Title: Re: CUPS print server for Opnsense
Post by: RickNY on April 05, 2018, 08:05:56 pm
I have a Brother color laser printer that does not support iOS AirPrint.. I had looked into running a CUPS server on my OPNSense box.. I had also tried on an RPI3.. In the end, the RPI3 was not powerful enough to render the postscript necessary, and what I ended up doing was setting up a Debian VM on my Windows machine that is always powered on.  Takes up a tiny footprint, and worked great.
Title: Re: CUPS print server for Opnsense
Post by: fabian on April 05, 2018, 11:38:59 pm
> I have a Brother color laser printer that does not support iOS AirPrint.. I had looked into running a CUPS server on my OPNSense box..

We will very likely not provide that in the near future because it has absolutely nothing to do with a firewall and may introduce vulnerabilities.

> I had also tried on an RPI3.. In the end, the RPI3 was not powerful enough to render the postscript necessary, and what I ended up doing was setting up a Debian VM on my Windows machine that is always powered on.

Is the GUI enabled? The RPI 3 needs around 100 MB RAM, so around 800 MB are free for applications as far as I know. Also the CPU is not that bad. Should be enough for common printing stuff.
Title: Re: CUPS print server for Opnsense
Post by: Davesworld on April 06, 2018, 08:36:13 am
> I have a Brother color laser printer that does not support iOS AirPrint.. I had looked into running a CUPS server on my OPNSense box.. I had also tried on an RPI3.. In the end, the RPI3 was not powerful enough to render the postscript necessary, and what I ended up doing was setting up a Debian VM on my Windows machine that is always powered on.  Takes up a tiny footprint, and worked great.

Funny you should mention Brother. I got a printer, a Samsung C3060FW, to replace my rock solid reliable Brother MFC-9970cdw. The latter was great except it would not do any cloud printing and to print envelopes you had to open the rear and flip a few levers. It could stay up for months without becoming unresponsive. The Samsung (their printer division spun off to HP last summer) is good too but becomes unresponsive after a period of weeks. I just updated the firmware so I'll see how that holds. I do know the need for cloud printing once you know about it and use it. The newer Brother printers support all this. The envelope thing, if it's still a thing, would keep me away. It's a lot to suggest a new printer as we don't all sweat money from our pores, but if you can pull it off I would rather than all the sometimes risky workarounds.