
Thread: Configuring the firewall so that hp-setup can find network printers

  1. #41
    Join Date
    Jun 2020
    Posts
    25

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Quote Originally Posted by arvidjaar View Post
    nfct tells kernel to use user mode helper with name "slp". You also need user mode process that will accept kernel request for "slp" helper and return suitable decision. This is conntrackd. You also need to tell conntrackd which helpers to serve. This is by default /etc/conntrackd/conntrackd.conf. Uncomment Helper section and slp helper.

    This is default content with comments removed. Start conntrackd (systemctl start conntrackd.service). Note that conntrackd needs to be started after "nfct add helper".
    Got it, thank you! I had run conntrackd, but without uncommenting the helpers in the config file... By the way, do I need to re-run "nfct add helper" after every boot, or is this persistent? What would be the best way to set it at boot to make sure it comes up before the conntrackd service does?

    Now with the SLP and mDNS helpers enabled, SLP discovery works. However, mDNS discovery still doesn't:

    Code:
    calypso:~ # systemctl start conntrackd.service
    calypso:~ # nfct list helper
    {
            .name = mdns,
            .queuenum = 6,
            .l3protonum = 2,
            .l4protonum = 17,
            .priv_data_len = 0,
            .status = enabled,
    };
    {
            .name = slp,
            .queuenum = 7,
            .l3protonum = 2,
            .l4protonum = 17,
            .priv_data_len = 0,
            .status = enabled,
    };
    calypso:~ # firewall-cmd --direct --get-all-rules
    ipv4 raw OUTPUT 0 -m addrtype --dst-type MULTICAST -p udp --dport 427 -j CT --helper slp
    ipv4 raw OUTPUT 0 -m addrtype --dst-type BROADCAST -p udp --dport 427 -j CT --helper slp
    ipv4 raw OUTPUT 0 -m addrtype --dst-type MULTICAST -p udp --dport 5353 -j CT --helper mdns
    ipv4 raw OUTPUT 0 -m addrtype --dst-type BROADCAST -p udp --dport 5353 -j CT --helper mdns
    ipv4 filter INPUT 0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    ipv4 filter INPUT 0 -m conntrack --ctstate RELATED -j ACCEPT
    calypso:~ # hp-setup
    
    HP Linux Imaging and Printing System (ver. 3.19.12)
    Printer/Fax Setup Utility ver. 9.0
    
    Copyright (c) 2001-18 HP Development Company, LP
    This software comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to distribute it
    under certain conditions. See COPYING file for more details.
    
    QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
    Searching... (bus=net, timeout=5, ttl=4, search=(None) desc=0, method=slp)
    Searching... (bus=net, timeout=5, ttl=4, search=(None) desc=0, method=mdns)
    error: No devices found on bus: net
    error:  HPLIP cannot detect printers in your network.  This may be due to existing firewall settings blocking the required ports.
                    When you are in a trusted network environment, you may open the ports for network services like mdns and slp in the firewall. For detailed steps follow the link.
                     http://hplipopensource.com/node/374  
    
    Done.
    Here is the `tcpdump` and `conntrack -E expect` output during the mDNS search. Note how the same expectation is created and destroyed again, over and over again:

    Code:
    $ sudo tcpdump -i wlan0 -nn -s0 port 5353
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
    21:44:52.753118 IP 192.168.1.37.44980 > 224.0.0.251.5353: 0 PTR (QM)? _pdl-datastream._tcp.local. (44)
    21:44:52.757331 IP 192.168.1.36.5353 > 192.168.1.37.44980: 0*- 1/0/5 PTR HP OfficeJet Pro 8710 [AD5ECE]._pdl-datastream._tcp.local. (625)
    21:44:53.760334 IP 192.168.1.37.44980 > 224.0.0.251.5353: 0 [1a] PTR (QM)? _pdl-datastream._tcp.local. (89)
    21:44:55.763763 IP 192.168.1.37.44980 > 224.0.0.251.5353: 0 [1a] PTR (QM)? _pdl-datastream._tcp.local. (89)
    
    # conntrack -E expect
        [NEW] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
    [DESTROY] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
        [NEW] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
    [DESTROY] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
        [NEW] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
    [DESTROY] 28 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
        [NEW] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
    [DESTROY] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
        [NEW] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
    [DESTROY] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
        [NEW] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
    [DESTROY] 27 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
        [NEW] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
    [DESTROY] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
        [NEW] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
    [DESTROY] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
        [NEW] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
    ^Cconntrack v1.4.6 (conntrack-tools): 17 expectation events have been shown.
    Anyway unless this is a super easy fix, I think we can leave it at that - getting the default SLP to work and understanding the principle was already worth a lot.
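The create/destroy loop in the `conntrack -E expect` output above is easy to see on a dozen lines but tedious to confirm on a long capture. The script below is an added example, not code from the thread or from conntrack-tools: it reads `conntrack -E expect` text on stdin, strips the event name and the counting-down timeout, and reports how many times the identical expectation was (re)created for a given helper, which is what the post observes for mdns. The sample input is constructed from the output above; the slp line (port 41234) is made up for contrast, and the function names are mine.

```shell
#!/bin/sh
# Constructed sample in the text format of `conntrack -E expect`: three identical
# mdns expectations, two of them destroyed, plus one (made-up) slp expectation.
EXPECT_SAMPLE='    [NEW] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
[DESTROY] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
    [NEW] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
[DESTROY] 28 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
    [NEW] 30 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=5353 dport=44980 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=224.0.0.251 sport=44980 dport=5353 PERMANENT class=0 helper=mdns
    [NEW] 16 proto=17 src=0.0.0.0 dst=192.168.1.37 sport=427 dport=41234 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535 master-src=192.168.1.37 master-dst=239.255.255.253 sport=41234 dport=427 PERMANENT class=0 helper=slp'

# expect_churn HELPER: read `conntrack -E expect` lines on stdin and print
# "<NEW events> <DESTROY events> <max NEW events for one identical expectation>"
# for the named helper. The leading "[EVENT] <timeout>" is stripped before lines
# are compared, because the timeout counts down and would otherwise hide repeats.
expect_churn() {
    awk -v want="helper=$1" '
        index($0, want) == 0 { next }              # other helpers are ignored
        {
            ev = ""
            if ($0 ~ /\[NEW\]/)     ev = "NEW"
            if ($0 ~ /\[DESTROY\]/) ev = "DESTROY"
            key = $0
            sub(/^ *\[[A-Z]+\] +[0-9]+ +/, "", key)   # drop event name and timeout
            if (ev == "NEW")     { created++; seen[key]++ }
            if (ev == "DESTROY") { destroyed++ }
        }
        END {
            max = 0
            for (k in seen) if (seen[k] > max) max = seen[k]
            printf "%d %d %d\n", created + 0, destroyed + 0, max
        }'
}

# expect_flapping HELPER LIMIT: succeed (exit 0) when one identical expectation
# for HELPER was created more than LIMIT times, i.e. the helper keeps opening the
# same exception and nothing ever consumes it.
expect_flapping() {
    counts=$(expect_churn "$1")
    [ "${counts##* }" -gt "$2" ]
}

# Stand-alone demo on the constructed sample: prints "3 2 3".
printf '%s\n' "$EXPECT_SAMPLE" | expect_churn mdns
if printf '%s\n' "$EXPECT_SAMPLE" | expect_flapping mdns 2; then
    echo "mdns: the same expectation keeps being re-created; replies are not matching it"
fi
```

On a live system feed it with `conntrack -E expect | expect_churn mdns` for a few seconds while hp-setup searches; a high third number together with replies visible in tcpdump is the signature from this post (the expected reply arrives, but conntrack never classifies it as RELATED).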

  2. #42
    Join Date
    Sep 2012
    Posts
    5,854

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Quote Originally Posted by rxmd View Post
    By the way, do I need to re-run "nfct add helper" after every boot?
    Yes
    What would be the best way to set it at boot to make sure it comes up before the conntrackd service does?
    There is no infrastructure for it. Brute force is to add drop-in to conntrackd.service with something like
    Code:
    [Service]
    ExecStartPre=/usr/sbin/nfct add helper slp inet udp
    ...
    I have feeling that the whole helpers part never went beyond mere proof of concept. In particular I do not see any technical reason why conntrackd cannot register helpers itself - it has exactly the same information as nfct.

    mDNS discovery still doesn't ... unless this is a super easy fix
    Stopping avahi service is. The problem is, avahi daemon joins multicast group 224.0.0.251 and apparently kernel connection tracking does not like it. In the meantime I can reproduce it without avahi daemon running by just joining 224.0.0.251 on an interface.

  3. #43
    Join Date
    Jun 2020
    Posts
    25

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Quote Originally Posted by arvidjaar View Post
    There is no infrastructure for it. Brute force is to add drop-in to conntrackd.service with something like
    Code:
    [Service]
    ExecStartPre=/usr/sbin/nfct add helper slp inet udp
    Thank you, I got it to work now by adding the following:

    Code:
    # cat /etc/systemd/system/conntrackd.service.d/nfct.conf  
    [Service]
    ExecStartPre=-/usr/sbin/nfct add helper slp inet udp
    # ExecStartPre=-/usr/sbin/nfct add helper mdns inet udp
    ExecStartPost=/usr/bin/firewall-cmd --reload
    The ExecStartPost line is so that the firewall rules for the SLP helper are brought up properly - by default the firewall is brought up before conntrackd is loaded, so the rules will initially fail to restore and need to be reloaded again after conntrackd is up. The dash before the ExecStartPre line helps with stopping/reloading the service later, because the SLP helper can be added only once; with the dash, failing to add it again later won't stop the service from loading.

    I have feeling that the whole helpers part never went beyond mere proof of concept. In particular I do not see any technical reason why conntrackd cannot register helpers itself - it has exactly the same information as nfct.
    That's true. Also I've tried to look at a few distros how they package it, and none seem to include much in the way of configuring this. Nevertheless, new helpers continue to appear.

    Stopping avahi service is. The problem is, avahi daemon joins multicast group 224.0.0.251 and apparently kernel connection tracking does not like it. In the mean time I can reproduce it without avahi daemon running by just joining 224.0.0.251 on an interface.
    Yes, this is now more proof of concept anyway - if you're going to use mDNS, you might just as well use avahi directly, unless you're debugging HPLIP or something.

    Thank you and @deano_ferrari, you've helped me a lot. I'll add a compact writeup of the result for posterity in another post.

  4. #44
    Join Date
    Jun 2020
    Posts
    25

    Default Re: Configuring the firewall so that hp-setup can find network printers

    OK, so here's the writeup of the solution:

    Problem:
    Automatic discovery of network printers, scanners etc. does not work with the firewall enabled. In particular, the HP printer configuration tool hp-setup is not able to discover a printer, unless you disable the firewall.

    Diagnosis:
    hp-setup has three different ways of discovering a printer: the Service Location Protocol (SLP, port 427), its own implementation of the Multicast DNS protocol (mDNS aka Zeroconf/Bonjour, port 5353), and using mDNS through the standard avahi service. The default is SLP.

    All of them use multicast TCP/IP and ports that may not be open on your firewall, depending on what zone you're in.

    In addition, hp-setup uses a non-standard UDP port for SLP and mDNS, in order to avoid conflicts with other programs that may use these ports on users' systems. As a result, when the device responds to hp-setup's requests, its UDP response packets go to this non-standard port and get blocked by the firewall, even if you open the standard ports 427 and 5353. As a result, no communication is possible.

    Workarounds:
    If you know the device's IP address, you can avoid autodiscovery altogether and add it in hp-setup by hand.

    If you know the device's IP address, but need to use autodiscovery (e.g. for VueScan), you can open a firewall exception that allows inbound traffic from the printer's IP address (as in this thread). Note that this can be dangerous if you leave your home network.

    Solution:
    The solution has two steps. The first to get autodiscovery working at all. For most users that will be enough.
    The second step is to get it to work with the default SLP protocol; this is useful in those cases where you can't use hp-setup's GUI, for example if another program makes use of the HPLIP libraries to discover devices.

    Step 1. Autodiscovery using Avahi / mDNS

    Linux supports autodiscovery of printers using the Avahi daemon. Avahi uses a protocol known as mDNS, Zeroconf or Bonjour. However, on many systems the firewall is configured to block the UDP port 5353 that mDNS is using. OpenSUSE uses firewalld, which has the necessary exception for the mDNS service built-in.

    Find whatever firewall zone you're in - often this will be "public" or "home", and enable the mDNS service in this firewall zone.
    You can use YAST for this, or you can use the command line, so if you are in the "home" zone, it would look like this:

    Code:
    calypso:~ # firewall-cmd --zone=home --add-service=mdns

    This should be enough to get it working. If the mdns service is enabled, the firewall configuration should look like this:

    Code:
    calypso:~ # firewall-cmd --list-all
    home (active)
      target: default
      icmp-block-inversion: no
      interfaces: wlan0
      sources:  
      services: dhcpv6-client mdns ssh
      ports:  
      protocols:  
      masquerade: no
      forward-ports:  
      source-ports:  
      icmp-blocks:  
      rich rules: 
    To check whether avahi is working, you can use avahi-browse (from the avahi-utils package) to show a list of all devices that are discoverable on your network:

    Code:
    calypso:~ # avahi-browse -at
    +  wlan0 IPv4 calypso                                       SSH Remote Terminal  local
    +  wlan0 IPv4 calypso                                       SFTP File Transfer   local
    +  wlan0 IPv6 calypso                                       SSH Remote Terminal  local
    +  wlan0 IPv6 calypso                                       SFTP File Transfer   local
    +  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                _privet._tcp         local
    +  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                _privet._tcp         local
    +  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                UNIX Printer         local
    +  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                PDL Printer          local
    +  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                Internet Printer     local
    +  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                Web Site             local
    +  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                _scanner._tcp        local
    +  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                _http-alt._tcp       local
    +  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                _uscan._tcp          local
    +  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                Secure Internet Printer local
    +  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                _uscans._tcp         local
    +  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                UNIX Printer         local
    +  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                PDL Printer          local
    +  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                Internet Printer     local
    +  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                Web Site             local
    +  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                _scanner._tcp        local
    +  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                _http-alt._tcp       local
    +  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                _uscan._tcp          local
    +  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                Secure Internet Printer local
    +  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                _uscans._tcp         local
    
    Now, when using hp-setup to set up the printer, choose "Network" under "Connection type", then click on "Show Advanced Options", and under "Network Discovery Method" select "Avahi". Be careful not to choose "mDNS/Bonjour", even though they use the same protocol. Your printer should appear.

    If this is enough for you to start printing, you can stop here. Otherwise if for some reason you need to use HPLIP's default discovery method, continue.

    Step 2. Autodiscovery using the default SLP

    If you need/want to use SLP as the discovery method for some reason, it gets a little more complicated. The problem is that hp-setup uses non-standard ports for SLP, so we need to identify this traffic on the fly and open exceptions for it.

    Step 2.1 Enabling SLP through the firewall

    First, enable the exception for SLP service on your firewall, so that the computer and device can communicate at all. Again you can use YAST for this, or you can use the command line, so if you are in the "home" zone, it would look like this:

    Code:
    calypso:~ # firewall-cmd --zone=home --add-service=slp


    This should be enough to get it working. The firewall configuration should look somewhat like this:

    Code:
    calypso:~ # firewall-cmd --list-all 
    home (active) 
     target: default 
     icmp-block-inversion: no 
     interfaces: wlan0 
     sources:  
     services: dhcpv6-client mdns slp ssh 
     ports:  
     protocols:  
     masquerade: no 
     forward-ports:  
     source-ports:  
     icmp-blocks:  
     rich rules: 
    Step 2.2 Getting SLP to work on non-standard ports

    The next problem is that hp-setup uses SLP on a non-standard port. So we need to teach our firewall to recognize outgoing SLP packets from these ports and open exceptions on the fly. For this, we can use the Netfilter connection tracking daemon conntrackd, which comes with userspace helpers that can recognize common protocol traffic and open firewall exceptions for it.

    First, install the conntrackd and conntrack-tools packages.

    Next, enable SLP tracking in conntrack. Edit the conntrackd configuration file (/etc/conntrackd/conntrackd.conf). It has a helpers section that is commented by default. Uncomment the section header, opening and closing braces, and the slp helper section within it:

    Code:
    Helper {
            # Before this, you have to make sure you have registered the `ftp'
            # user-space helper stub via:
            #
            # nfct add helper ftp inet tcp
            #
    #       Type ftp inet tcp {
    #               #
    ...
    #       Type mdns inet udp {
    #               QueueNum 6
    #               QueueLen 10240
    #               Policy mdns {
    #                       ExpectMax 8
    #                       ExpectTimeout 30
    #               }
    #       }
            Type slp inet udp {
                    QueueNum 7
                    QueueLen 10240
                    Policy slp {
                            ExpectMax 8
                            ExpectTimeout 16
                    }
            }
    }
    Enable the SLP helper for conntrackd, and then start conntrackd (in this order):
    Code:
    calypso:~ # nfct add helper slp inet udp
    calypso:~ # systemctl start conntrackd.service
    Now you need to add firewall rules so that outgoing SLP packets trigger an exception that will allow related return packets back in through the firewall:

    Code:
    calypso:~ # firewall-cmd --direct --add-rule ipv4 raw OUTPUT 0\
     -m addrtype --dst-type MULTICAST -p udp --dport 427 -j CT --helper slp 
    success
    calypso:~ # firewall-cmd --direct --add-rule ipv4 raw OUTPUT 0\
     -m addrtype --dst-type BROADCAST -p udp --dport 427 -j CT --helper slp 
    success
    calypso:~ # firewall-cmd --direct --add-rule ipv4 filter INPUT 0\
     -m conntrack --ctstate ESTABLISHED -j ACCEPT
    success
    calypso:~ # firewall-cmd --direct --add-rule ipv4 filter INPUT 0\
     -m conntrack --ctstate RELATED -j ACCEPT
    success
    calypso:~ # firewall-cmd --direct --get-all-rules
    ipv4 raw OUTPUT 0 -m addrtype --dst-type MULTICAST -p udp --dport 427 -j CT --helper slp
    ipv4 raw OUTPUT 0 -m addrtype --dst-type BROADCAST -p udp --dport 427 -j CT --helper slp
    ipv4 filter INPUT 0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    ipv4 filter INPUT 0 -m conntrack --ctstate RELATED -j ACCEPT
    
    At this moment, hp-setup should be able to find your printer using SLP.

    Step 2.3 Making the changes permanent

    To get these changes to persist after boot, you'll need to make sure to add the SLP helper before loading conntrackd, and to reload the firewall rules after conntrackd is up. Firstly make the firewall rules permanent:

    Code:
    calypso:~ # firewall-cmd --direct --permanent --add-rule ipv4 raw OUTPUT 0\
     -m addrtype --dst-type MULTICAST -p udp --dport 427 -j CT --helper slp 
    success
    calypso:~ # firewall-cmd --direct --permanent --add-rule ipv4 raw OUTPUT 0\
     -m addrtype --dst-type BROADCAST -p udp --dport 427 -j CT --helper slp 
    success
    calypso:~ # firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0\
     -m conntrack --ctstate ESTABLISHED -j ACCEPT
    success
    calypso:~ # firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0\
     -m conntrack --ctstate RELATED -j ACCEPT
    success
    calypso:~ # firewall-cmd --reload 
    success
    calypso:~ # firewall-cmd --direct --get-all-rules
    ipv4 raw OUTPUT 0 -m addrtype --dst-type MULTICAST -p udp --dport 427 -j CT --helper slp
    ipv4 raw OUTPUT 0 -m addrtype --dst-type BROADCAST -p udp --dport 427 -j CT --helper slp
    ipv4 filter INPUT 0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    ipv4 filter INPUT 0 -m conntrack --ctstate RELATED -j ACCEPT
    
    The easiest way to do this is to create a drop-in for the conntrackd service that does this. Create a file in /etc/systemd/system/conntrackd.service.d (by hand or using systemctl --edit conntrackd.service) that could look like this:

    Code:
    calypso:~ # cat /etc/systemd/system/conntrackd.service.d/nfct.conf 
    [Service]
    ExecStartPre=-/usr/sbin/nfct add helper slp inet udp
    ExecStartPost=/usr/bin/firewall-cmd --reload


    Reload the changes to the systemd configuration, and enable conntrackd.service at boot using systemctl. After a reboot, you should be able to see the SLP helper and firewall rules:

    Code:
    calypso:~ # nfct list helper
    {
            .name = slp,
            .queuenum = 7,
            .l3protonum = 2,
            .l4protonum = 17,
            .priv_data_len = 0,
            .status = enabled,
    };
    calypso:~ # firewall-cmd --direct --get-all-rules
    ipv4 raw OUTPUT 0 -m addrtype --dst-type MULTICAST -p udp --dport 427 -j CT --helper slp
    ipv4 raw OUTPUT 0 -m addrtype --dst-type BROADCAST -p udp --dport 427 -j CT --helper slp
    ipv4 filter INPUT 0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    ipv4 filter INPUT 0 -m conntrack --ctstate RELATED -j ACCEPT
    
    This should be enough to get SLP autodiscovery to work permanently, no matter what network you are in.
    Thanks to everyone who helped with this.
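Steps 2.2 and 2.3 as one idempotent script, an added example that is not the poster's own code. It generates the direct rules and the systemd drop-in exactly as given in the writeup, checks `nfct list helper` and `firewall-cmd --direct --get-all-rules` output for what it expects, and touches the system only when run as `apply` by root. Following the correction later in the thread, it adds only the two raw OUTPUT CT rules and leaves the INPUT ESTABLISHED/RELATED rules to firewalld's defaults. The file paths are the ones from the thread; the function names and the conntrackd.conf check are mine, and the script assumes the Helper block has already been uncommented by hand as described in step 2.2.

```shell
#!/bin/sh
# Added example (not from the thread): conntrack SLP helper setup for firewalld.
# Pure functions generate or check configuration and run anywhere; slp_apply is the
# only function that changes the system.

HELPER=slp
HELPER_PORT=427
DROPIN_DIR=/etc/systemd/system/conntrackd.service.d   # path used in the thread
CONNTRACKD_CONF=/etc/conntrackd/conntrackd.conf        # path used in the thread

# slp_direct_rule TYPE: one raw OUTPUT rule in the word form that
# `firewall-cmd --direct --add-rule` takes and `--get-all-rules` prints.
slp_direct_rule() {
    printf 'ipv4 raw OUTPUT 0 -m addrtype --dst-type %s -p udp --dport %s -j CT --helper %s\n' \
        "$1" "$HELPER_PORT" "$HELPER"
}

# slp_direct_rules: both rules (multicast and broadcast SLP requests). The INPUT
# ESTABLISHED/RELATED rules are deliberately omitted: firewalld accepts those by default.
slp_direct_rules() {
    for t in MULTICAST BROADCAST; do slp_direct_rule "$t"; done
}

# slp_dropin: the drop-in from the thread. "-" lets the unit start even when the
# helper is already registered (nfct refuses to add it twice); the reload restores
# the CT rules, which fail to load while the helper does not exist yet.
slp_dropin() {
    printf '[Service]\nExecStartPre=-/usr/sbin/nfct add helper %s inet udp\nExecStartPost=/usr/bin/firewall-cmd --reload\n' \
        "$HELPER"
}

# helper_enabled NAME: read `nfct list helper` output on stdin; succeed when a
# "{ ... }" block has .name = NAME and .status = enabled.
helper_enabled() {
    awk -v want="$1" '
        /^ *[{]/         { name = ""; status = "" }
        /\.name = /      { sub(/,$/, "", $NF); name = $NF }
        /\.status = /    { sub(/,$/, "", $NF); status = $NF }
        /^ *[}];/        { if (name == want && status == "enabled") ok = 1 }
        END              { exit ok ? 0 : 1 }'
}

# rules_missing: read `firewall-cmd --direct --get-all-rules` output on stdin,
# print every required CT rule that is absent; succeed only when none is missing.
rules_missing() {
    have=$(cat)
    rc=0
    for t in MULTICAST BROADCAST; do
        rule=$(slp_direct_rule "$t")
        case "$have" in
            *"$rule"*) ;;
            *) printf '%s\n' "$rule"; rc=1 ;;
        esac
    done
    return $rc
}

# slp_apply: register the helper, start conntrackd (in that order), persist the
# rules and the drop-in, then verify. Requires root, conntrack-tools and firewalld.
slp_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    command -v nfct >/dev/null && command -v firewall-cmd >/dev/null ||
        { echo "conntrack-tools and firewalld are required" >&2; return 1; }
    # The slp Type block must be uncommented; commented lines start with '#'.
    grep -q "^ *Type $HELPER inet udp" "$CONNTRACKD_CONF" ||
        { echo "uncomment the Helper block and 'Type $HELPER inet udp' in $CONNTRACKD_CONF" >&2; return 1; }
    nfct list helper | helper_enabled "$HELPER" || nfct add helper "$HELPER" inet udp
    systemctl start conntrackd.service
    for t in MULTICAST BROADCAST; do
        # shellcheck disable=SC2046  # the rule is a list of words by construction
        firewall-cmd --direct --permanent --add-rule $(slp_direct_rule "$t")
    done
    mkdir -p "$DROPIN_DIR"
    slp_dropin > "$DROPIN_DIR/nfct.conf"
    systemctl daemon-reload
    systemctl enable conntrackd.service
    firewall-cmd --reload
    firewall-cmd --direct --get-all-rules | rules_missing
}

case "${1:-}" in
    apply) slp_apply ;;
    *)     slp_direct_rules; slp_dropin ;;   # dry run: show what would be configured
esac
```

Run it without arguments to see the rules and drop-in it would install, and with `apply` as root to install them; `slp_apply` ends with the same `--get-all-rules` check the writeup uses, so a non-zero exit after a reboot tells you which CT rule did not come back.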

  5. #45
    Join Date
    Sep 2012
    Posts
    5,854

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Quote Originally Posted by rxmd View Post
    Code:
    calypso:~ # firewall-cmd --direct --add-rule ipv4 filter INPUT 0\
     -m conntrack --ctstate ESTABLISHED -j ACCEPT
    success
    calypso:~ # firewall-cmd --direct --add-rule ipv4 filter INPUT 0\
     -m conntrack --ctstate RELATED -j ACCEPT
    success
    calypso:~ #
    This is default in firewalld anyway. Actually I guess in any firewall implementation, as otherwise no outbound connection were possible.

  6. #46
    Join Date
    Jun 2020
    Posts
    25

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Quote Originally Posted by arvidjaar View Post
    This is default in firewalld anyway. Actually I guess in any firewall implementation, as otherwise no outbound connection were possible.
    I took this from the example in the helper source code, but you're right, it works without these two rules, too.

    Actually it's also redundant to open port 427 on the firewall explicitly with firewall-cmd --add-service, if later we're going to also add helpers for SLP. So step 2.1 is also not necessary.

    Unfortunately I can't edit the post, but it should be clear.

  7. #47
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    21,933
    Blog Entries
    1

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Quote Originally Posted by rxmd View Post
    I took this from the example in the helper source code, but you're right, it works without these two rules, too,

    Actually it's also redundant to open port 427 on the firewall explicitly with firewall-cmd --add-service, if later we're going to also add helpers for SLP. So step 2.1 is also not necessary

    Unfortunately I can't edit the post, but it should be clear.
    That's ok, you can copy your post to the "how to" forum, along with the desired edit(s). This forum is really only for helping with technical issues anyway.

    Just some clarification/minor corrections to some of your notes so far...

    1)
    Problem:
    Automatic discovery of network printers, scanners etc. does not work with the firewall enabled. In particular, the HP printer configuration tool hp-setup is not able to discover a printer, unless you disable the firewall.
    It should be clarified that allowing incoming traffic on port 5353, UDP (defined as mDNS service in the firewalld definition) is sufficient to have most local network printers discovered via Avahi when configuring CUPS, or any application using Avahi. The problem specifically relates to how the HP utilities implement the discovery for themselves.

    BTW, network scanners are a different beast altogether, and probably best not mentioned in your "how to". Perhaps even consider restricting the scope of your findings to HPLIP-supported devices. With respect to scanners, there are many different user-land backends that discover their respective supported hardware using their own custom ports. For example, from 'man sane-pixma' (some Canon hardware)...
    FIREWALLING FOR NETWORKED SCANNERS
    The sane pixma backend communicates with port 8610 for MFNP or port 8612 for BJNP on the scanner. So you will have to allow outgoing
    traffic TO port 8610 or 8612 on the common subnet for scanning.

    Scanner detection is slightly more complicated. The pixma backend sends a broadcast on all direct connected subnets it can find (provided your OS allows for enumeration of all network interfaces). The broadcast is sent FROM port 8612 TO port 8610 or 8612 on the broadcast address of each interface. The outgoing packets will be allowed by the rule described above.

    Responses from the scanner are sent back to the computer TO port 8612. Connection tracking however does not see a match as the
    response does not come from the broadcast address but from the scanners own address. For automatic detection of your scanner, you
    will therefore have to allow incoming packets TO port 8612 on your computer. This applies to both MFNP and BJNP.

    So in short: open the firewall for all traffic from your computer to port 8610 (for MFNP) or 8612 (for BJNP) AND to port 8612 (for
    both BJNP and MFNP) to your computer.

    With the firewall rules above there is no need to add the scanner to the pixma.conf file, unless the scanner is on a network that is
    not directly connected to your computer.
    Sorry for such a convoluted discussion, but just wanted you to be clear on this.

    2)
    Diagnosis:
    hp-setup has three different ways of discovering a printer: the Service Location Protocol (SLP, port 427), its own implementation of the Multicast DNS protocol (mDNS aka Zeroconf/Bonjour, port 5353), and using mDNS through the standard avahi service.
    The mDNS (multicast DNS) protocol is only a part of Avahi functionality. Port 5353 is used by Avahi as standard, and Avahi is a free Linux implementation of Zeroconf, including mDNS (for hostname resolution) and DNS-SD (for service discovery) functions.

    3)
    Diagnosis:
    hp-setup has three different ways of discovering a printer: the Service Location Protocol (SLP, port 427), its own implementation of the Multicast DNS protocol (mDNS aka Zeroconf/Bonjour, port 5353),
    Probably best said as "its own implementation of mDNS/Bonjour discovery, which includes the use of non-standard (ephemeral ports) and so incoming traffic is blocked by firewalld (by default)."

    4)
    In addition, hp-setup uses a non-standard UDP port for SLP and mDNS, in order to avoid conflicts with other programs that may use these ports on users' systems.
    These non-standard UDP ports are known as ephemeral ports.

    5)
    Step 1. Autodiscovery using Avahi / mDNS

    Linux supports autodiscovery of printers using the Avahi daemon. Avahi uses a protocol known as mDNS, Zeroconf or Bonjour.
    Avahi (a free Zeroconf/Bonjour implementation) facilitates service discovery and hostname resolution on a local network via the mDNS/DNS-SD protocol suite.
    Last edited by deano_ferrari; 27-Jun-2020 at 17:45.
    openSUSE Leap 15.2; KDE Plasma 5

  8. #48
    Join Date
    Jun 2020
    Posts
    25

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Quote Originally Posted by deano_ferrari View Post
    That's ok, you can copy your post to the "how to" forum, along with the desired edit(s). This forum is really only for helping with technical issues anyway.
    Done, here's the "How to" thread.

  9. #49
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    21,933
    Blog Entries
    1

    Default Re: Configuring the firewall so that hp-setup can find network printers

    Quote Originally Posted by rxmd View Post
    Done, here's the "How to" thread.
    Ok, I'll take a look.
    openSUSE Leap 15.2; KDE Plasma 5
