Electrical-Forenics Home ray@RayFranco.com                       601.529.7473
   © Dr. Ray Franco, PhD, PE  -  208 Fairways Dr., Vicksburg, MS 39183

Raspberry Pi - Printers

The current version of the Raspberry Pi OS (1/14/2022) comes with cups and hplip installed. The default user, pi, is a member of the lpadmin group, and there is a graphical user interface (gui) for installing printers.

If you have a modern printer, use the gui (under Preferences / Print Settings) to add your printer. Click on the Network Printers drop down arrow and be patient. Your network printer will eventually show up. Click on your printer, and then the forward button until it is installed.

The web interface is the IP_address:631, where 631 is the port number.

Whenever Windows 10 says the printer needs attention, you have to login to the web interface and resume the printer. I do not know what causes this problem.

Firewalld Blocking CUPS

By default, Firewalld will block CUPS, and prevent it from finding your network printer. To enable CUPS to find your printer and install a Linux driver, enter the following two commands:
 
sudo firewall-cmd --zone=internal --add-source=192.168.0.1/24 --permanent
sudo firewall-cmd --zone=internal --add-service=ipp --permanent
 
Reboot your computer.

Printing from your Mobile Phone

Apple's AirPrint
 
Apple's AirPrint is a driverless printing protocol. It was introduced in 2010. It is an extension of the Internet Printing Protocol. It was developed for Apple's IOS and MAC OS. In most Linux distributions, Airport support should be automatic with the default printing subsystem since version 1.4.6 CUPS servers.

Wi-Fi Direct Printing
 
Wi-Fi Direct printing allows your Wi-Fi cable device i.e. smart phone, tablets or computer to make a Wireless connection directly to a printer without using a wireless router or access point.

Google's Cloud Printing
 
Built into Android devices is Google Cloud Printing. It allows you to print files from any device anywhere - whether you are on the same Wi-Fi network as the printer or not.

ePrint
 
ePrint is a secure cloud-based service that lets you print from anywhere using an email account and active internet connection. Setting this up varies from manufacturer to manufacturer. It works by assigning an email address to the printer. HP's ePrint work by installing HP Smart on you phone via Apple App Store or Google Play or on your computer via Microsoft or Mac App Store. For Linux there is EPrints which is free from https://www.eprints.org/uk/.

Updated on 8/3/2025

CUPS

CUPS is both a server and a client. Apple was actively involved in the development of CUPS from 2002 to 2020 [1,2]. In 2021, OpenPrinting became the official upstream home for CUPS [2].

In 2024, a critical vulnerability involving remote code execution in CUPS was found impacting all GNU/Linux systems [3,4].

I have two older laserJet printers: an HP1320nw and a Dell1760nw. Both have USB type B ports and can be directly connected to a computer. Both are Ethernet and wireless network printers. However, wireless is limited to Wi-Fi b and g.

My original goal was to use two Raspberry Pi 2W's to convert these printers to Driverless printer (IPP Everywhere, AirPrint, Mopria). However, this requires automatic discover of the printers, which assumes a trusted network. The US National Security Agency (NAS) Security Guide [1] uses a Zero Trust security model. That is, it assumes that threats may come from inside the network.

This tutorial describes how to set up a driverless printer using static printer ip addresses and no auto-detection.

  1. NSA - Network Infrastructure Security Guide - October 2023

Server Setup

The following procedure assumes that the cups server has been assigned a static IP addresses. If this is not case, assign the server a static IP address before proceeding.

The easiest way to set up the cups server is via cups' built-in web-interface. To do this remotely you will first have to use the command line to enable remote setup:

For Debian and its derivatives, before you can enable remote set up, you need to be a member of the lpadmin group:

sudo gpasswd -a users_name lpadmin
sudo reboot

Now enable cups remote administration with the command:

cupsctl --remote-admin --remote-any
sudo reboot

The cups server set up can now be done from any computer on the same network through a web browser.

  1. In the address bar of a web browser, type: 
     
http://Static_IP_Address_of_CUPS_Embedded_Server:631
    (CUPS is based on the Internet Printer Protocol (IPP), which uses tcp port 631.)
  2. When the CUPS embedded web server appears, click on the Administration tab, then click on the Add Printer button.
  3. This wil bring up a security warning page. Click on the Advance...button, then click on the Accept the Risk and Continue button.
  4. This wil bring you back to the Adminstration Page. Click the Add Printer button again.
  5. This time, a pop up dialog box will appear. Enter the user_name and password of the host.
  6. The attached printer should appear as one of the Local Printer radio buttons. Select the radio button that matches your printer.
  7. Select, your printer's manufacturer.
  8. Select the CUPS driver for your printer.
  9. You will get a message that the printer is installed and a warning; "Print drivers and raw queues are depreciated and will stop working on a future version of cups."
     
    Click the Set Defaults button, and Select the Default Paper Size.
  10. Select Maintenance and Print Test Page.

If the page prints, you have successfully set up your cups server.

However, you will need to know the full address of this printer to set up the client. Click on the Printers Tab and select your printer. The address bar will change and show the full address of the cups network printer.

The address will be in the form: 

 
http://Static_IP_Address_of_CUPS_Embedded_Server:631/printers/your_priner_name

Write down or save the full address.

Linux Client Setup

If cups works the way that it should, you may not have to set up the client, or at the very least just select the "Discovered Network" printer. However, in practice, this does not work well. After using it for a while, I would get one of the two following errors:

To set up the client so it does not depend on auto-discovery:

On the client machine, type the following into the address bar of a web browser: 


localhost:631

Even if you see your printer listed under Discovered Network printers, do not select it. Instead under "Other Network Printers" select the radio button ipp, and then the continue button.

You will be prompted to manually enter the full address of the cups server. Enter the address you saved earlier and hit continue.

You will see a list of printer manufacturers. Do not select your manufacturer. Instead, select RAW then select raw queue.

The reason for selecting RAW instead of the manufacturer is that the printer driver for this printer is already installed at the server. cups refers to these as print filters. Selecting the manufacture and driver at client would result in double filtering (drivers at both the client and server).

Next select default options and make sure the correct paper size is selected.

Select "Administrator", "Maintenance" and "Print Test Page". If the page prints, you have successfully set up the CUPS driver for the client.

Microsoft Client Setup

To access the cups printer server from a Microsoft Windows machine:

Security

You should not allow any host on the network to manage cups. To disable remote cups management:

cupsctl --no-remote-admin

For extra security, you might want to also remove the remote computer from the lpadmin group:

sudo gpasswd -d user_name lpadmin

Remove unused packages

This method does not use cups-browsed or avahi (Apple's Zeroconf/Bonjour framework). They can be removed along with their dependencies.

To remove cups:

sudo apt remove --purge cups
sudo apt autoremove --purge

The last command will remove the package libavahi-glib1.

To remove avahi:

sudo apt remove --purge avahi-daemeon

This will remove both avahi-daemon and ipp-usb.

sudo apt autoremove --purge

This will remove avahi-daemon's dependencies: libavahi-core7, libdaemon0, and libnss-mdns.

CUPS 3.0

CUPS 3.0 will eliminate print driver and raw queques

.

I'm sure there will be anouncements, but to be on the safe side, I have decided to hold cups updates:

sudo apt-mark hold cups

After I have established that this is not version 3.0, I release the hold:

sudo apt-mark unhold cups

Install the update and reinstall the hold.

How to Remove and Reinstall CUPS

If you get frustrated and want to start over, you can remove and reinstall cups.

When you install cups, the following 21 packages are installed: 


$ sudo apt install cups
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  bc cups-browsed cups-client cups-common cups-core-drivers cups-daemon
  cups-filters cups-filters-core-drivers cups-ipp-utils cups-ppdc
  cups-server-common libfontembed1 liblouis-data liblouis20 liblouisutdml-bin
  liblouisutdml-data liblouisutdml9 libpoppler-cpp0v5 libqpdf29 ssl-cert
Suggested packages:
  cups-bsd cups-pdf foomatic-db-compressed-ppds | foomatic-db smbclient
  antiword docx2txt imagemagick ooo2dbk rtf2xml
The following NEW packages will be installed:
  bc cups cups-browsed cups-client cups-common cups-core-drivers cups-daemon
  cups-filters cups-filters-core-drivers cups-ipp-utils cups-ppdc
  cups-server-common libfontembed1 liblouis-data liblouis20 liblouisutdml-bin
  liblouisutdml-data liblouisutdml9 libpoppler-cpp0v5 libqpdf29 ssl-cert
0 upgraded, 21 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,861 kB/5,900 kB of archives.
After this operation, 33.1 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Unfortunately, when you remove cups all of the packages that were installed are not removed!

To remove cups:

sudo apt remove --purge cups
sudo apt remove --purge cups-common
sudo apt autoremove --purge

Check if "cusp-server-common" is removed.

To re-install cups:

sudo apt update
sudo apt install cups
sudo apt hplip

References

Cups-browsed listens on UDP Port 631 [4].

  1. Wikipedia - Cups
  2. Debian Wiki - The Debian Printing Portal
  3. That doomsday critical Linux bug: It's CUPS. May lead to remote hijacking of devices
  4. 2024 - Understanding the New Vulnerabilities on Linux’s CUPS: What You Should Know
  5. Red Hat Documentation - Configuring and using a CUPS printing server
  6. Debian Wiki - CUPSDriverlessPrinting
  7. Debian Wiki - CUPSPrinterQueues
  8. Debian Wiki - CUPSPrinterQueues#cupsbrowsed
  9. Debian Wiki - CUPSPrinterQueues#cupsbrowsed
  10. Using a Driverless Printer on Debian (Without Avahi)
  11. LinuxQuestions.org - HeadsUp: Current64: cups: printer drivers and raw queues deprecated
  12. Debian Wiki - CUPSNewArchitecture
  13. OpenPrinting CUPS 3.0

nftable

My nftable for the Pi Zero Print Server is: 


           #!/usr/bin/nft -f

# Pi Zero 2W - CUPS Print Server - lockdown updated on 2025-08-04

flush ruleset
table ip zero31 {

# ----------------------------------------------------------------
# Customized the sets below for your network

define This_Host = 192.168.0.31

set ssh_allow_in {
	typeof ip saddr
	elements = { 192.168.0.40, 192.168.37.41 }
}

set ping_allow_in {
	typeof ip saddr
	elements = { 192.168.0.40, 192.168.37.42 }
}

set allow_printing_from {
	typeof ip saddr
	elements = { 192.168.37.40, 192.168.37.43 }
}

# Customize the sets below for your OS
set update_debian_bookworm {
	typeof ip daddr
	elements = { 151.101.2.132, 151.101.66.132, 151.101.130.132,
                     151.101.194.132, 146.75.94.132, 199.232.66.132,
                     151.101.46.132, 146.75.126.132, 199.232.90.132,
                     151.101.18.132, 146.75.106.132, 151.101.22.132,
                     151.101.114.132, 199.232.98.132, 199.232.38.132,
                     146.75.42.132, 151.101.162.132, 151.101.202.132,
                     146.75.78.132, 151.101.134.132, 151.101.14.132,
                     151.101.74.132, 151.101.50.132, 151.101.250.132,
                     146.75.122.132
                   }
}

set update_pi_bookworm {
	typeof ip daddr
	elements = { 176.126.240.167, 176.126.243.6, 46.235.231.151,
                     46.235.231.111, 93.93.135.118, 93.93.135.141,
                     93.93.135.117, 176.126.240.86, 176.126.240.84,
                     46.235.231.145, 176.126.243.5, 176.126.243.3
                    }
}
#--------------------- End Customization ---------------------------

   chain INPUT  {
       type filter hook input priority filter; policy drop;

       ct state established,related counter accept
       iif lo ip daddr 127.0.0.1/8 counter accept

       # allow only certain ip addresses to ping and limit rate
       ip saddr @ping_allow_in icmp type echo-request limit rate 5/second accept;

       # allow only certain ip addresses to SSH into this machine
       ip saddr @ssh_allow_in tcp dport ssh accept

      # allow only certain ip addresses to print
      ip saddr @allow_printing_from ip daddr $This_Host tcp dport 631 accept

      drop # everyting else
   }

   chain OUTPUT {
      type filter hook output  priority filter; policy drop;

      # allow established and existing traffic
      ct state established,related counter accept

      # allow DNS out - need for OS updates
      udp dport 53 ct state new counter accept
      tcp dport 53 ct state new counter accept

      # Debian Updates
      tcp dport 80 ip daddr @update_debian_bookworm counter accept
      # Raspberry Pi Updates
      tcp dport 80 ip daddr @update_pi_bookworm counter accept

      # Network Time Protocol
      udp dport 123 counter accept

      drop # everything else
   }

}

© Copyright Dr. Ray Franco, PhD, PE | 2006-2022. All rights reserved.

tracking cookies finger printing Valid HTML 4.01 Transitional Valid CSS!