Page 3 of 5 FirstFirst 12345 LastLast
Results 21 to 30 of 49

Thread: Configuring the firewall so that hp-setup can find network printers

  1. #21
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    21,584
    Blog Entries
    1

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Quote Originally Posted by malcolmlewis View Post
    Hi
    I would turn the firewall off, add the printer and re-enable.....
    Well, that was mentioned by both Neil and myself earlier in the thread.
    (However, the OP is trying to drill down into why discovery doesn't work as expected with the firewall enabled.)
    openSUSE Leap 15.2; KDE Plasma 5

  2. #22
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    21,584
    Blog Entries
    1

    Default Re: Configuring the firewall so that hp-setup can find network printers

    It's apparent that DNS-SD process is failing for hplip somehow. A multicast query presumably is sent and a printer device responds to the host that sent the muticast query but as the firewall can't match the response to the initial query (as printer responds with it's own address), it blocks it, unless port 5353 traffic is allowed . However, since avahi-daemon listens on this port I'm not sure if this might impact here. I guess that is why avahi is another 'hp-setup' discovery option (so that the hp utility can use that mechanism explicitly.)

    Printer discovery example...
    Code:
    dig @224.0.0.251 -p 5353 -t ptr +short _printer._tcp.local
    openSUSE Leap 15.2; KDE Plasma 5

  3. #23
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    28,833
    Blog Entries
    15

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Quote Originally Posted by deano_ferrari View Post
    Well, that was mentioned by both Neil and myself earlier in the thread.
    (However, the OP is trying to drill down into why discovery doesn't work as expected with the firewall enabled.)
    Hi
    I suspect the printers have been setup with lpadmin (ipp and ddns) and not the HP tool set.... On my laptops I just disable firewall, ensure cups is running, run the HP tools to add printer, re-enable firewall and done... Print traffic is local to the cups server, then outbound from there to the printer....
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  4. #24
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    21,584
    Blog Entries
    1

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Quote Originally Posted by malcolmlewis View Post
    Hi
    I suspect the printers have been setup with lpadmin (ipp and ddns) and not the HP tool set.... On my laptops I just disable firewall, ensure cups is running, run the HP tools to add printer, re-enable firewall and done... Print traffic is local to the cups server, then outbound from there to the printer....
    Yeah, but none of that explains why SLP and DNS-SD discovery not working as expected.
    openSUSE Leap 15.2; KDE Plasma 5

  5. #25
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    28,833
    Blog Entries
    15

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Quote Originally Posted by deano_ferrari View Post
    Yeah, but none of that explains why SLP and DNS-SD discovery not working as expected.
    Hi
    Because that's not a function of the HP tools.... that's purely cups admin and tools (ippfind, ipadmin, cupsctl etc).
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  6. #26
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    21,584
    Blog Entries
    1

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Not correct. The 'hp-setup' utility has that discovery capability inbuilt (refer to the 'Show Advanced Options'), and that is what the OP is referring to. Contemporary CUPS can use DNS-SD and SNMP...
    https://www.cups.org/doc/network.html
    openSUSE Leap 15.2; KDE Plasma 5

  7. #27
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    21,584
    Blog Entries
    1

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Quote Originally Posted by malcolmlewis View Post
    Hi
    Shouldn't it be -bnet?
    Not necessarily. The -b option can be used to explicitly set the connectivity type
    Code:
    [OPTIONS]
      Bus to probe:                                                   -b<bus> or --bus=<bus>                                                                                                                      
                                                                      <bus>: cups, usb*, net, bt, fw, par (*default) (Note: bt and fw not supported in this release.)
    but when -m option is set to mdns (as I suggested), that automatically assumes network connectivity.

    Also, the 'hp-probe' output you posted proved discovery was working for you
    openSUSE Leap 15.2; KDE Plasma 5

  8. #28
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    28,833
    Blog Entries
    15

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Quote Originally Posted by deano_ferrari View Post
    Not correct. The 'hp-setup' utility has that discovery capability inbuilt (refer to the 'Show Advanced Options'), and that is what the OP is referring to. Contemporary CUPS can use DNS-SD and SNMP...
    https://www.cups.org/doc/network.html
    Hi
    Ahh I see from the GUI....

    Likely a bug with hplip... I see outbound and inbound SLP traffic, with and without the firewall running.... it doesn't like the firewall.... even adding 427/udp 0.0.0.0/0 makes no difference.

    Code:
    firewall-cmd --zone=public --add-port 427/udp
    firewall-cmd --zone=public --add-source=0.0.0.0/0
     firewall-cmd --list-all
    
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0
      sources: 0.0.0.0/0
      services: ssh dhcpv6-client
      ports: 427/udp
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    
    tcpdump -i eth0 -nn -s0 -v port 427
    
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    22:11:45.552993 IP (tos 0x0, ttl 4, id 38846, offset 0, flags [DF], proto UDP (17), length 72)
        192.168.10.52.51879 > 224.0.1.60.427: UDP, length 44
    22:11:45.887231 IP (tos 0x0, ttl 64, id 59, offset 0, flags [none], proto UDP (17), length 369)
        192.168.10.5.427 > 192.168.10.52.51879: UDP, length 341
    
    hp-probe -bnet -m slp -ldebug
    
    HP Linux Imaging and Printing System (ver. 3.18.6) Printer Discovery Utility ver. 4.1  Copyright (c) 2001-15 HP Development Company, LP This software comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to distribute it under certain conditions. See COPYING file for more details.   -------------------- | DEVICE DISCOVERY | --------------------  Probing network for printers. Please wait, this will take approx. 10 seconds...  hp-probe[4905]: debug: {} warning: No devices found on the 'net' bus. If this isn't the result you are expecting, warning: check your network connections and make sure your internet warning: firewall software is disabled.  Done.
    It does say "Make sure your internet firewall software is disabled".....
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  9. #29
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    21,584
    Blog Entries
    1

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Quote Originally Posted by malcolmlewis View Post
    Hi
    Ahh I see from the GUI....

    Likely a bug with hplip... I see outbound and inbound SLP traffic, with and without the firewall running.... it doesn't like the firewall.... even adding 427/udp 0.0.0.0/0 makes no difference.
    Exactly (consistent with the OP's finding).
    openSUSE Leap 15.2; KDE Plasma 5

  10. #30
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    21,584
    Blog Entries
    1

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Quote Originally Posted by malcolmlewis View Post
    Code:
    tcpdump -i eth0 -nn -s0 -v port 427
    
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    22:11:45.552993 IP (tos 0x0, ttl 4, id 38846, offset 0, flags [DF], proto UDP (17), length 72)
        192.168.10.52.51879 > 224.0.1.60.427: UDP, length 44
    22:11:45.887231 IP (tos 0x0, ttl 64, id 59, offset 0, flags [none], proto UDP (17), length 369)
        192.168.10.5.427 > 192.168.10.52.51879: UDP, length 341
    The packet capture is the crux of it. Ephemeral ports are in use by the hp-setup/hp-probe utility, so an iptables rule (for SLP) like this will fail
    Code:
    -A IN_public_allow -p udp -m udp --dport 427 -m conntrack --ctstate NEW -j ACCEPT
    It would need to look more like this
    Code:
    -A IN_public_allow -p udp -m udp --sport 427 -m conntrack --ctstate NEW -j ACCEPT
    The same likely applies with how it is doing mDNS/Bonjour discovery. (The Avahi discovery option will work as the OP describes.)

    The firewalld services for 'mdns' and 'slp' are built around the respective welll-known ports, and in the case of mdns provisioned for incoming multicast (specifically 224.0.0.251/32) traffic.

    So, yes the simplest (pragmatic) approach is just to drop the firewall while configuring printers when using 'hp-setup'.
    Last edited by deano_ferrari; 23-Jun-2020 at 22:48.
    openSUSE Leap 15.2; KDE Plasma 5

Page 3 of 5 FirstFirst 12345 LastLast

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •