by andreasvc 4894 days ago
In a home network you typically have a router that separates your LAN (local area network) from the internet and shares one public IP among the devices in your network; in that case you have little to worry about. You can tell by the kinds of IP addresses your devices have: if it starts with 192.168.x.y, 172.x.y.z, or 10.x.y.z, then it's not reachable from the internet. The problem with these printers is that on their network there's no such separation and they are listening on a publicly routed IP address, but they've been designed with the tacit assumption that they will be used on a secured network.
1 comments

Unless you have IPv6 turned on ... in which case many of these printers will automatically grab an IPv6 and be publicly accessible.
Depends. Some builds of Tomato (Toastman's for sure) put a firewall up on IPv6 by default. Asus's firmware does NOT firewall IPv6 at all. If you have shell access to your router, I suggest putting up a firewall on IPv6. The following should work (change br0 to the bridged LAN interface and eth0 to the WAN interface, sometimes it's a vlan):

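  ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT  # replies to connections already open
  ip6tables -A FORWARD -i eth0 -o br0 -p all -j DROP                   # new inbound traffic from WAN to LAN
  ip6tables -A FORWARD -i br0 -j ACCEPT                                # anything originating on the LAN
  ip6tables -A FORWARD -o br0 -j ACCEPT                                # to the LAN from non-WAN interfaces
  ip6tables -A FORWARD -j DROP                                         # everything else that is forwarded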
Of course, insert whatever open ports you want after the first line.
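An added example, not part of the thread: a Python check that sorts each device's addresses into non-routed and publicly routed, which is the test the first comment describes and the IPv6 case the reply raises. It goes a little further than the thread by using the exact reserved ranges (for instance 172.16.0.0/12 rather than all of 172.x) and by covering IPv6 scopes. The device names and addresses are constructed; documentation prefixes (203.0.113.0/24, 2001:db8::/32) stand in for provider-assigned public addresses.

```python
import ipaddress

# Ranges that are not routed on the public internet.
NON_ROUTED = [
    ("RFC 1918 private", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918 private", ipaddress.ip_network("172.16.0.0/12")),  # 172.16-172.31 only
    ("RFC 1918 private", ipaddress.ip_network("192.168.0.0/16")),
    ("CGNAT shared", ipaddress.ip_network("100.64.0.0/10")),
    ("IPv4 link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("loopback", ipaddress.ip_network("::1/128")),
    ("IPv6 link-local", ipaddress.ip_network("fe80::/10")),
    ("IPv6 unique local", ipaddress.ip_network("fc00::/7")),
]

def classify(addr):
    """Return (label, publicly_routed) for one address string."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop a zone id such as %br0
    for label, net in NON_ROUTED:
        if ip.version == net.version and ip in net:
            return label, False
    return "publicly routed", True

def exposed(inventory):
    """Map device name -> its addresses that are publicly routed."""
    result = {}
    for name, addrs in inventory.items():
        public = [a for a in addrs if classify(a)[1]]
        if public:
            result[name] = public
    return result

# Constructed inventory: device names and addresses are sample values.
SAMPLE = {
    "printer-lan": ["192.168.1.40", "fe80::21b:a9ff:fe12:3456%br0"],
    "printer-v6": ["192.168.1.41", "2001:db8:1:2:21b:a9ff:fe12:3457"],
    "printer-campus": ["203.0.113.10"],
    "nas": ["172.20.0.5", "fd12:3456:789a::5"],
    "odd-172": ["172.32.5.9"],  # outside 172.16.0.0/12, so not private
}

if __name__ == "__main__":
    for name, addrs in exposed(SAMPLE).items():
        print(name, "relies on a firewall for:", ", ".join(addrs))
```

A device listed here is only as protected as the forwarding rules in front of it, which is where a default-drop IPv6 FORWARD policy like the one above matters.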