
Thread: OS 13.1 - Firewall prevent client to configure scanning via network using yast2

  1. #1

    OS 13.1 - Firewall prevent client to configure scanning via network using yast2

    Hello,
    Following SDB:CUPS and SANE Firewall settings - openSUSE I have added:
    Code:
    FW_TRUSTED_NETS="192.168.xxx.0/24,tcp,30000:30100"
    FW_SERVICES_ACCEPT_RELATED_EXT="192.168.xxx.0/24,tcp,30000:30100"
    directly in the firewall config file: /etc/sysconfig/SuSEfirewall2

    I am unable to configure a client on the network to use the scanner until I stop the firewall on the server the scanner is connected to.

    Any help is welcome
    Thanks for helping. JCD
    __________
    server leap 15.0 -- ASUS g75vw KDE leap 15.2 -- ASUS G731GV KDE leap 15.2 -- acer aspire s13 win 10 home -- HP Omen win 10 home - scan EPSON V500 - Brother HL2250DN - Samsung CLP-325W

  2. #2

    Re: OS 13.1 - Firewall prevent client to configure scanning via network using yast2

    Remove the 'xxx' bits and put in the real network address from your
    network. Perhaps you meant to hide something, but there's no point since
    you're on a private network anyway and most of us probably use the same IP
    ranges, and none of us could reach each other no matter which private
    networking is used.

    Also note that in that article you cited:

    Code:
    --------------------
    Note that FW_TRUSTED_NETS does not allow incoming UDP broadcast packages.
    To accept also UDP broadcast packages specify the matching UDP port(s)
    where UDP broadcast packages should be accepted via
    FW_ALLOW_FW_BROADCAST_EXT in the firewall configuration.
    --------------------

    Perhaps you need to add the FW_ALLOW_FW_BROADCAST_EXT parameter as mentioned.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  3. #3

    Re: OS 13.1 - Firewall prevent client to configure scanning via network using yast2

    Quote Originally Posted by ab View Post
    ...
    I have set the firewall to log all errors.
    I got this one:
    Code:
    nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
    So what am I supposed to do?
    Thanks for helping. JCD

  4. #4

    Re: OS 13.1 - Firewall prevent client to configure scanning via network using yast2

    Quote Originally Posted by ab View Post
    Remove the 'xxx' bits and put in the real network address from your
    network. Perhaps you meant to hide something, but there's no point since
    you're on a private network anyway and most of us probably use the same IP
    ranges, and none of us could reach each other no matter which private
    networking is used.

    Also note that in that article you cited:

    Code:
    --------------------
    Note that FW_TRUSTED_NETS does not allow incoming UDP broadcast packages.
    To accept also UDP broadcast packages specify the matching UDP port(s)
    where UDP broadcast packages should be accepted via
    FW_ALLOW_FW_BROADCAST_EXT in the firewall configuration.
    --------------------

    Perhaps you need to add the FW_ALLOW_FW_BROADCAST_EXT parameter as mentioned.


    Code:
    FW_ALLOW_FW_BROADCAST_EXT="6566"

    Here is the tcpdump output with the firewall off (scanner configuration possible; in the following, 192.168.130.104 is a Samsung colour laser printer which is offline):
    http://paste.opensuse.org/74504517

    Here is the tcpdump output with the firewall on (scanner configuration not possible; in the following, 192.168.130.104 is a Samsung colour laser printer which is offline):
    SUSE Paste

    Here is the SuSEfirewall2 config:
    SUSE Paste

    Log message when the firewall is off:
    SUSE Paste

    Log message when the firewall is on:
    SUSE Paste

    Any help is welcome
    Thanks for helping. JCD

  5. #5

    Re: OS 13.1 - Firewall prevent client to configure scanning via network using yast2

    Guessing that the ports needed are blocked based on your original post as
    well as this:

    Code:
    --------------------
    192.168.130.80.58636 > LINUX-TEST-123.hathor-nwk.sane-port: Flags
    [F.], cksum 0xf07b (correct), seq 26, ack 106, win 115, options
    [nop,nop,TS val 9280945 ecr 9273623], length 0

    LINUX-TEST-123.hathor-nwk.sane-port > 192.168.130.80.58636: Flags [.],
    cksum 0xf00b (correct), seq 106, ack 26, win 227, options [nop,nop,TS val
    9273624 ecr 9280945], length 0
    --------------------

    Notice that the source port from the unsolicited packet from
    192.168.130.80 (presumably the other system) is up in the 50k range, not
    the 30k range that you have allowed. Fix it.


  6. #6

    Re: OS 13.1 - Firewall prevent client to configure scanning via network using yast2

    Quote Originally Posted by ab View Post
    Guessing that the ports needed are blocked based on your original post as
    well as this:

    Code:
    --------------------
    192.168.130.80.58636 > LINUX-TEST-123.hathor-nwk.sane-port: Flags
    [F.], cksum 0xf07b (correct), seq 26, ack 106, win 115, options
    [nop,nop,TS val 9280945 ecr 9273623], length 0

    LINUX-TEST-123.hathor-nwk.sane-port > 192.168.130.80.58636: Flags [.],
    cksum 0xf00b (correct), seq 106, ack 26, win 227, options [nop,nop,TS val
    9273624 ecr 9280945], length 0
    --------------------

    Notice that the source port from the unsolicited packet from
    192.168.130.80 (presumably the other system) is up in the 50k range, not
    the 30k range that you have allowed. Fix it.


    I can't fix the port of the caller (192.168.130.80).
    It is always above 50000:
    Code:
    192.168.130.80.60045 > LINUX-TEST-123.hathor-nwk.sane-port:

    On the server side:

    The firewall is configured as:
    Code:
    FW_SERVICES_ACCEPT_RELATED_EXT="192.168.130.0/24,tcp,30000:30100 "
    FW_TRUSTED_NETS="192.168.130.0/24,tcp,30000:30100 "
    FW_ALLOW_FW_BROADCAST_EXT="yes"
    FW_SERVICES_EXT_TCP="14245" (for ssh)
    Should I add 30000:30100?

    What about: FW_SERVICES_ACCEPT_EXT=""

    The network scan stuff is configured as:
    1°) Server settings:
    Permitted client and port range is set (port 30000-30100; client IP address 192.168.130.0/24)
    2°) Client settings:
    connect_timeout=60,localhost

    On the client side (192.168.130.80):
    Options of yast2/scanner/scan_via_network
    1°) Client settings:
    192.168.130.100,connect_timeout=60,data_portrange=30000-30100,
    Thanks for helping. JCD

  7. #7

    Re: OS 13.1 - Firewall prevent client to configure scanning via network using yast2

    IMO the referenced SDB article might have been a bit misleading.
    By including excerpts in the article from the firewall config file, it suggests those are the settings that should be manually configured.

    But, if you <read> the article in its entirety, it does describe the steps that should be configured <using the YAST FW applet> and IMO should be followed accordingly. The fw configs should be referenced <only> if you want to verify but isn't likely necessary.

    The bottom line is that if you use the YAST FW applet, it's easy to visualize what you're doing in each of the fw zones. You might be able to do the same editing the config files manually, but could also make a serious error that would have been apparent using the applet.

    IMO,
    TSU

  8. #8

    Re: OS 13.1 - Firewall prevent client to configure scanning via network using yast2

    Quote Originally Posted by tsu2 View Post
    IMO the referenced SDB article might have been a bit misleading.
    By including excerpts in the article from the firewall config file, it suggests those are the settings that should be manually configured.

    But, if you <read> the article in its entirety, it does describe the steps that should be configured <using the YAST FW applet> and IMO should be followed accordingly. The fw configs should be referenced <only> if you want to verify but isn't likely necessary.

    The bottom line is that if you use the YAST FW applet, it's easy to visualize what you're doing in each of the fw zones. You might be able to do the same editing the config files manually, but could also make a serious error that would have been apparent using the applet.

    IMO,
    TSU
    OK, but there is still one problem.
    In the following:
    192.168.130.104 is a laser printer which is offline
    60:a4:4c:7d:b9:28 (192.168.130.80) is the client
    00:24:1d:c1:99:ba (192.168.130.100, LINUX-TEST-123) is the server the scanner is attached to.
    Code:
    14:15:46.378984 60:a4:4c:7d:b9:28 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.130.104 tell 192.168.130.80, length 46
    
    14:15:48.584805 60:a4:4c:7d:b9:28 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has LINUX-TEST-123.hathor-nwk tell 192.168.130.80, length 46
    
    14:15:48.584865 00:24:1d:c1:99:ba (oui Unknown) > 60:a4:4c:7d:b9:28 (oui Unknown), ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply LINUX-TEST-123.hathor-nwk is-at 00:24:1d:c1:99:ba (oui Unknown), length 28
    
    14:15:48.584939 60:a4:4c:7d:b9:28 (oui Unknown) > 00:24:1d:c1:99:ba (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 64208, offset 0, flags [DF], proto TCP (6), length 60)
    
        192.168.130.80.58579 > LINUX-TEST-123.hathor-nwk.sane-port: Flags [S], cksum 0x9fce (correct), seq 4013898379, win 14600, options [mss 1460,sackOK,TS val 8634459 ecr 0,nop,wscale 7], length 0
    As you can see, the client is calling the server with an unauthorized port (58579).
    On the server side, the authorized ports are 30000-31000.

    How to fix that?

    By the way, I must say that there is no firewall running on the clients.
    Thanks for helping. JCD

  9. #9

    Re: OS 13.1 - Firewall prevent client to configure scanning via network using yast2

    > As you can see, the client is calling the server with an unauthorized
    > port (58579).
    > On the server side, the authorized ports are 30000-31000.


    Authorized because you set them that way in the firewall configuration,
    right? If the ports in the documentation do not match your needs, fix it
    (as mentioned before).

    > How to fix that.


    The same steps you took to open ports 30000-31000, except change out the
    '30' for '50' and the '31' for '60', or whatever is right per these printers.


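A check for the question raised in posts #8 and #9, added here as an example that is neither code from the thread nor from openSUSE: it parses tcpdump lines (a constructed sample in numeric `-nn` form, modelled on the capture quoted above) and evaluates each inbound connection attempt to the scanner server against rules written in the `network,protocol,ports` form that SuSEfirewall2 uses for FW_TRUSTED_NETS. Those tuples are matched on the destination port, so the client's ephemeral source port (58579 and friends) is never what the rule tests; what has to be listed is saned's control port 6566 (the `sane-port` name tcpdump shows) and the data range 30000:30100. The third client 192.168.130.10 and its SSH attempt are assumptions added for contrast.

```python
import ipaddress
import re

# Constructed tcpdump -nn lines modelled on the thread's capture: the client
# 192.168.130.80 opens the saned control connection (port 6566) and then a
# data connection into the server's 30000-30100 range, from ephemeral ports.
SAMPLE_CAPTURE = """\
192.168.130.80.58579 > 192.168.130.100.6566: Flags [S], seq 4013898379, win 14600, length 0
192.168.130.100.6566 > 192.168.130.80.58579: Flags [S.], seq 1, ack 4013898380, win 28960, length 0
192.168.130.80.41022 > 192.168.130.100.30017: Flags [S], seq 7, win 29200, length 0
192.168.130.10.51000 > 192.168.130.100.22: Flags [S], seq 9, win 1024, length 0
"""

PKT_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")


def parse_rules(value):
    """Parse a SuSEfirewall2 'net,proto,ports' list (space separated) into tuples."""
    rules = []
    for entry in value.split():
        net, proto, ports = entry.split(",")
        lo, _, hi = ports.partition(":")          # "6566" or "30000:30100"
        rules.append((ipaddress.ip_network(net), proto, int(lo), int(hi or lo)))
    return rules


def inbound_syns(capture, server_ip):
    """Yield (src_ip, src_port, dst_port) for new connections toward the server."""
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if m and m.group(3) == server_ip and m.group(5) == "S":   # SYN, not SYN-ACK
            yield m.group(1), int(m.group(2)), int(m.group(4))


def check_capture(capture, server_ip, rules):
    """Return {(src, sport, dport): allowed}; the rule is tested on the destination port."""
    verdict = {}
    for src, sport, dport in inbound_syns(capture, server_ip):
        src_addr = ipaddress.ip_address(src)
        verdict[(src, sport, dport)] = any(
            src_addr in net and proto == "tcp" and lo <= dport <= hi
            for net, proto, lo, hi in rules)
    return verdict


if __name__ == "__main__":
    rules = parse_rules("192.168.130.0/24,tcp,30000:30100")   # the thread's FW_TRUSTED_NETS
    for (src, sport, dport), ok in check_capture(SAMPLE_CAPTURE, "192.168.130.100", rules).items():
        print(f"{src}:{sport} -> :{dport}  {'allowed' if ok else 'BLOCKED'}")
```

With only the 30000:30100 entry the control connection to 6566 is blocked while the data connection is allowed; adding `192.168.130.0/24,tcp,6566` to the same variable admits the control connection without opening anything for the client's source port.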