Configuring the firewall so that hp-setup can find network printers

Hi,

I’m new to OpenSUSE (coming from Ubuntu where everything was automagical) and have a problem connecting my laptop to HP printers over the network. The printer here is an HP OfficeJet Pro 8715.

I’ve read the previous thread about related issues where they brute forced the problem by hard-coding a firewall rule that opens everything for the IP address of the printer. However I would prefer to avoid that, because I’m traveling a lot and would prefer to avoid clobbering my firewall with site-specific IP exceptions.

When I try to autodiscover printers over the network with hp-setup, I get the following error message:

$ hp-setup

HP Linux Imaging and Printing System (ver. 3.19.12)
Printer/Fax Setup Utility ver. 9.0


Copyright (c) 2001-18 HP Development Company, LP
This software comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to distribute it
under certain conditions. See COPYING file for more details.


Searching... (bus=net, timeout=5, ttl=4, search=(None) desc=0, method=slp)
error: No devices found on bus: net
error:  HPLIP cannot detect printers in your network.  This may be due to existing firewall settings blocking the required ports.
When you are in a trusted network environment, you may open the ports for network services like mdns and slp in the firewall. For detailed steps follow the link.
http://hplipopensource.com/node/374  


Done.

When I disable the firewall with sudo systemctl stop firewalld.service, the printer is detected, so the problem is definitely the firewall.

The firewall is configured as follows, as you can see mdns and slp are both enabled:

$ sudo firewall-cmd --get-active-zones
home
  interfaces: wlan0

$ sudo firewall-cmd --zone=home --list-all
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlan0
  sources: 
  services: dhcpv6-client mdns samba-client slp ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

What changes do I need to make to the firewall’s home zone configuration to allow the necessary services?

Addendum: here’s an analogous discussion in the German OpenSUSE forum, so far with no results; if a solution should come up there, I will double it here.

HP uses mDNS (Bonjour) for printer discovery so open 5353/UDP for traffic.


sudo firewall-cmd --permanent --zone=home --add-port=5353/udp
sudo firewall-cmd --reload

That might do the trick. Might consider opening it for public as well.

I have found it easiest to leave the firewall alone, and use manual discovery. Our printer has a static network address. In the hp-setup window, click the network connection, then Show Advanced Options. In the new area, click Manual Discovery, then type the printer’s IP address in the box. This has always immediately found the printer for me.

Configuring my network printer at home:

Step 1: disable the firewall
Step 2: configure the printer
Step 3: re-enable the firewall.

But I don’t try to do this when travelling with a laptop.

Thank you. For some reason, the default method in hp-setup appears to be not mDNS, but SLP (see the error message in the first post).

I got it to work now by allowing port 5353 through the firewall (--add-service=mdns) and then, in hp-setup, selecting Avahi under Advanced Configuration. It has to be Avahi; if I select mDNS, it doesn’t work…

I’m curious why the default SLP doesn’t work even if I enable SLP on the firewall, either by --add-service=slp or by opening port 427 manually. Any idea what could be the issue with SLP? Maybe a multicast problem?

That would be my approach as well.

I don’t use SLP for printer discovery, but are you sure that the printer is using this mechanism anyway? Is it enabled in the printer?

It works with SLP when I disable the firewall, so I’m pretty sure that SLP would work if I only had the right firewall rule to let it through.

Try adding the following direct rule for IPv4 multicast packets…

sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT
sudo firewall-cmd --reload

FWIW, a similar thread I recall…
https://forums.opensuse.org/showthread.php/536373-hp-setup-can-t-discover-HP-printer-unless-firewall-off?p=2905543#post2905543

Thank you. Yes, I saw that other thread (I linked to it in my initial post). There the solution was to open a hard firewall exception for a single IP address, in a home setting that’s probably fine, but I’m moving from network to network (and from printer to printer) and I would prefer to get it working as intended :slight_smile:

I was also thinking that maybe multicast (which I know almost nothing about) is the issue, however that doesn’t seem to work - hp-setup still does not see the printer not using mDNS or SLP, only using “avahi”:

# hp-setup

HP Linux Imaging and Printing System (ver. 3.19.12)
Printer/Fax Setup Utility ver. 9.0

Copyright (c) 2001-18 HP Development Company, LP
This software comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to distribute it
under certain conditions. See COPYING file for more details.

QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Searching... (bus=net, timeout=5, ttl=4, search=(None) desc=0, method=slp)
error: No devices found on bus: net
error:  HPLIP cannot detect printers in your network.  This may be due to existing firewall settings blocking the required ports.
When you are in a trusted network environment, you may open the ports for network services like mdns and slp in the firewall. For detailed steps follow the link.
http://hplipopensource.com/node/374
Searching... (bus=net, timeout=5, ttl=4, search=(None) desc=0, method=mdns)
error: No devices found on bus: net
error:  HPLIP cannot detect printers in your network.  This may be due to existing firewall settings blocking the required ports.
When you are in a trusted network environment, you may open the ports for network services like mdns and slp in the firewall. For detailed steps follow the link.
http://hplipopensource.com/node/374
Searching... (bus=net, timeout=5, ttl=4, search=(None) desc=0, method=avahi)

Done.

Here is my firewall configuration:

# firewall-cmd --list-all
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlan0
  sources:  
  services: dhcpv6-client mdns samba-client slp ssh
  ports: 5353/udp
  protocols: igmp
  masquerade: no
  forward-ports:  
  source-ports:  
  icmp-blocks:  
  rich rules: 
# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT
ipv6 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT

Interesting that mDNS in hp-setup doesn’t work, but Avahi does:

# avahi-browse -at
+  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                _uscans._tcp         local
+  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                _uscans._tcp         local
+  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                _privet._tcp         local
+  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                _privet._tcp         local
+  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                Secure Internet Printer local
+  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                Secure Internet Printer local
+  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                _uscan._tcp          local
+  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                _uscan._tcp          local
+  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                _http-alt._tcp       local
+  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                _http-alt._tcp       local
+  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                _scanner._tcp        local
+  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                _scanner._tcp        local
+  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                Web Site             local
+  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                Web Site             local
+  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                Internet Printer     local
+  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                Internet Printer     local
+  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                PDL Printer          local
+  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                PDL Printer          local
+  wlan0 IPv6 HP OfficeJet Pro 8710 [AD5ECE]                UNIX Printer         local
+  wlan0 IPv4 HP OfficeJet Pro 8710 [AD5ECE]                UNIX Printer         local
(some other devices omitted)

I wonder whether there is some more SLP-specific multicast configuration I need to do, or am I missing something in my firewall config?

DNS-SD (same port as mDNS) is used by many printers to advertise their presence in a network. All part of the Avahi implementation. The ‘avahi-browse’ output shows that it is working, so not a firewall issue at all. You don’t need to include port 5353 explicitly, as the ‘mdns’ firewalld service provides that configuration, and is all that should be needed. (SLP should not really be required at all.)

It would be interesting to see if the network printer is enumerated using DNS-SD via these two commands…

sudo lpinfo -l -v
sudo hp-check -t

> It would be interesting to see if the network printer is enumerated using DNS-SD via these two commands…
>
> sudo lpinfo -l -v

Here it is enumerated, but that may be because hp-setup has set up a print queue for it?

$ sudo lpinfo -l -v
Gerät: URI = beh
       Klasse = network
       Info = Backend Error Handler
       Hersteller-und-Modell = Unknown
       Geräte-ID =  
       Standort =  
Gerät: URI = beh.pl
       Klasse = network
       Info = Backend Error Handler
       Hersteller-und-Modell = Unknown
       Geräte-ID =  
       Standort =  
Gerät: URI = pipe
       Klasse = direct
       Info = Forward print job data like a pipe to another command
       Hersteller-und-Modell = Unknown
       Geräte-ID =  
       Standort =  
Gerät: URI = ipp
       Klasse = network
       Info = Internet Printing Protocol (ipp)
       Hersteller-und-Modell = Unknown
       Geräte-ID =  
       Standort =  
Gerät: URI = hp
       Klasse = direct
       Info = HP Printer (HPLIP)
       Hersteller-und-Modell = Unknown
       Geräte-ID =  
       Standort =  
Gerät: URI = smb
       Klasse = network
       Info = Windows Printer via SAMBA
       Hersteller-und-Modell = Unknown
       Geräte-ID =  
       Standort =  
Gerät: URI = lpd
       Klasse = network
       Info = LPD/LPR-Host oder -Drucker
       Hersteller-und-Modell = Unknown
       Geräte-ID =  
       Standort =  
Gerät: URI = https
       Klasse = network
       Info = Internet Printing Protocol (https)
       Hersteller-und-Modell = Unknown
       Geräte-ID =  
       Standort =  
Gerät: URI = http
       Klasse = network
       Info = Internet Printing Protocol (http)
       Hersteller-und-Modell = Unknown
       Geräte-ID =  
       Standort =  
Gerät: URI = ipps
       Klasse = network
       Info = Internet Printing Protocol (ipps)
       Hersteller-und-Modell = Unknown
       Geräte-ID =  
       Standort =  
Gerät: URI = socket
       Klasse = network
       Info = AppSocket/HP JetDirect
       Hersteller-und-Modell = Unknown
       Geräte-ID =  
       Standort =  
Gerät: URI = hpfax
       Klasse = direct
       Info = HP Fax (HPLIP)
       Hersteller-und-Modell = Unknown
       Geräte-ID =  
       Standort =  
Gerät: URI = dnssd://HP%20OfficeJet%20Pro%208710%20%5BAD5ECE%5D._ipp._tcp.local/?uuid=1c852a4d-b800-1f08-abcd-b4b686ad5ece
       Klasse = network
       Info = HP OfficeJet Pro 8710 [AD5ECE]
       Hersteller-und-Modell = HP OfficeJet Pro 8710
       Geräte-ID = MFG:HP;MDL:OfficeJet Pro 8710;CMD:PCL,JPEG,URF,PWG;
       Standort =  
Gerät: URI = ipp://HP%20OfficeJet%20Pro%208710%20%5BAD5ECE%5D._ipp._tcp.local/
       Klasse = network
       Info = HP OfficeJet Pro 8710 (driverless)
       Hersteller-und-Modell = HP OfficeJet Pro 8710
       Geräte-ID = MFG:HP;MDL:OfficeJet Pro 8710;CMD:PCLM,PCL,PWGRaster,AppleRaster,JPEG,URF,PWG;
       Standort =  

Should I remove the two CUPS print queues for it (for printing and fax) and try again?

Here I get a bunch of error messages related to missing libraries:

$ sudo hp-check -t
/usr/bin/hp-check:685: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if 'getfacl' not in g and '' is not g and 'file' not in g:
Saving output in log file: /home/reichmuth/hp-check.log

HP Linux Imaging and Printing System (ver. 3.19.12)
Dependency/Version Check Utility ver. 15.1

Copyright (c) 2001-18 HP Development Company, LP
This software comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to distribute it
under certain conditions. See COPYING file for more details.

Note: hp-check can be run in three modes:
1. Compile-time check mode (-c or --compile): Use this mode before compiling the HPLIP supplied tarball (.tar.gz or .run) to  
determine if the proper dependencies are installed to successfully compile HPLIP.                                             
2. Run-time check mode (-r or --run): Use this mode to determine if a distro supplied package (.deb, .rpm, etc) or an already
built HPLIP supplied tarball has the proper dependencies installed to successfully run.                                       
3. Both compile- and run-time check mode (-b or --both) (Default): This mode will check both of the above cases (both         
compile- and run-time dependencies).                                                                                          

Check types:                                                                                                                  
a. EXTERNALDEP - External Dependencies                                                                                        
b. GENERALDEP - General Dependencies (required both at compile and run time)                                                  
c. COMPILEDEP - Compile time Dependencies                                                                                     
d. [All are run-time checks]                                                                                                  
PYEXT SCANCONF QUEUES PERMISSION                                                                                              

Status Types:
    OK
    MISSING       - Missing Dependency or Permission or Plug-in
    INCOMPAT      - Incompatible dependency-version or Plugin-version

warning: 3-20200621 version is not supported. Using 3-15.1 versions dependencies to verify and install...

---------------
| SYSTEM INFO |
---------------

 Kernel: 5.7.1-1-default #1 SMP Wed Jun 10 11:53:46 UTC 2020 (6a549f6) GNU/Linux
 Host: calypso
 Proc: 5.7.1-1-default #1 SMP Wed Jun 10 11:53:46 UTC 2020 (6a549f6) GNU/Linux
 Distribution: 3 20200621
 Bitness: 64 bit


-----------------------
| HPLIP CONFIGURATION |
-----------------------

HPLIP-Version: HPLIP 3.19.12
HPLIP-Home: /usr/share/hplip
warning: HPLIP-Installation: Auto installation is not supported for 3 distro  20200621 version  

Current contents of '/etc/hp/hplip.conf' file:
# hplip.conf.  Generated from hplip.conf.in by configure.

[hplip]
version=3.19.12

[dirs]
home=/usr/share/hplip
run=/var/run
ppd=/usr/share/cups/model/manufacturer-PPDs/hplip
ppdbase=/usr/share/cups/model/manufacturer-PPDs
doc=/usr/share/doc/packages/hplip
html=/usr/share/doc/packages/hplip
icon=/usr/share/applications
cupsbackend=/usr/lib/cups/backend
cupsfilter=/usr/lib/cups/filter
drv=/usr/lib/cups/driver
bin=/usr/bin
apparmor=/etc/apparmor.d
# Following values are determined at configure time and cannot be changed.
[configure]
network-build=yes
libusb01-build=no
pp-build=no
gui-build=yes
scanner-build=yes
fax-build=yes
dbus-build=yes
cups11-build=no
doc-build=yes
shadow-build=no
hpijs-install=yes
foomatic-drv-install=no
foomatic-ppd-install=yes
foomatic-rip-hplip-install=no
hpcups-install=yes
cups-drv-install=no
cups-ppd-install=yes
internal-tag=3.19.12
restricted-build=no
ui-toolkit=qt5
qt3=no
qt4=no
qt5=yes
policy-kit=no
lite-build=no
udev_sysfs_rules=no
hpcups-only-build=no
hpijs-only-build=no
apparmor_build=no
class-driver=no


Current contents of '/var/lib/hp/hplip.state' file:
Plugins are not installed. Could not access file: No such file or directory

Current contents of '~/.hplip/hplip.conf' file:
warning: Could not access file: No such file or directory
 <Package-name>        <Package-Desc>      <Required/Optional> <Min-Version> <Installed-Version> <Status>   <Comment>

-------------------------
| External Dependencies |
-------------------------

 cups                 CUPS - Common Unix Printing System                           REQUIRED        1.1             2.3             OK         'CUPS Scheduler is running'
 gs                   GhostScript - PostScript and PDF language interpreter and previewer REQUIRED        7.05            9.52            OK         -
 error: xsane         xsane - Graphical scanner frontend for SANE                  OPTIONAL        0.9             -               MISSING    'xsane needs to be installed'
 scanimage            scanimage - Shell scanning program                           OPTIONAL        1.0             1.0.29          OK         -
 error: dbus          DBus - Message bus system                                    REQUIRED        -               1.12.16         MISSING    'DBUS may not be installed or not running'
 policykit            PolicyKit - Administrative policy framework                  OPTIONAL        -               0.116           OK         -
 network              network -wget                                                OPTIONAL        -               1.20.3          OK         -
 avahi-utils          avahi-utils                                                  OPTIONAL        -               0.7             OK         -

------------------------
| General Dependencies |
------------------------

 error: libjpeg       libjpeg - JPEG library                                       REQUIRED        -               -               MISSING    'libjpeg needs to be installed'
 error: cups-devel    CUPS devel- Common Unix Printing System development files    REQUIRED        -               2.3             MISSING    'cups-devel needs to be installed'
 error: cups-image    CUPS image - CUPS image development files                    REQUIRED        -               2.3             MISSING    'cups-image needs to be installed'
 libpthread           libpthread - POSIX threads library                           REQUIRED        -               b'2.31'         OK         -
 error: libusb        libusb - USB library                                         REQUIRED        -               1.0             MISSING    'libusb needs to be installed'
 sane                 SANE - Scanning library                                      REQUIRED        -               -               OK         -
 error: sane-devel    SANE - Scanning library development files                    REQUIRED        -               -               MISSING    'sane-devel needs to be installed'
 error: libnetsnmp-devel libnetsnmp-devel - SNMP networking library development files REQUIRED        5.0.9           5.8             MISSING    'libnetsnmp-devel needs to be installed'
 error: libcrypto     libcrypto - OpenSSL cryptographic library                    REQUIRED        -               1.1.1           MISSING    'libcrypto needs to be installed'
 python3X             Python 2.2 or greater - Python programming language          REQUIRED        2.2             3.8.3           OK         -
 error: python3-notify2 Python libnotify - Python bindings for the libnotify Desktop notifications OPTIONAL        -               -               MISSING    'python3-notify2 needs to be installed'
Traceback (most recent call last):
  File "/usr/bin/hp-check", line 862, in <module>
    num_errors, num_warns = dep.validate(time_flag, is_quiet_mode)
  File "/usr/bin/hp-check", line 367, in validate
    self.__update_deps_info(supported_distro_vrs, dep,
  File "/usr/bin/hp-check", line 210, in __update_deps_info
    installed_ver = self.core.version_func[deps_info[6]]()
  File "/usr/share/hplip/installer/dcheck.py", line 303, in get_pyQt4_version
    from PyQt4 import QtCore
ImportError: cannot import name 'QtCore' from 'PyQt4' (unknown location)

Ok, so the CUPS backends have picked up the printer, including the dnssd backend.

Should I remove the two CUPS print queues for it (for printing and fax) and try again?

I doubt that would change anything.

Does hp-probe find the printer?

hp-probe -m mdns

No:

$ hp-probe -m mdns

HP Linux Imaging and Printing System (ver. 3.19.12)
Printer Discovery Utility ver. 4.1

Copyright (c) 2001-18 HP Development Company, LP
This software comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to distribute it
under certain conditions. See COPYING file for more details.


--------------------
| DEVICE DISCOVERY |
--------------------

Probing network for printers. Please wait, this will take approx. 10 seconds...

warning: No devices found on the 'net' bus. If this isn't the result you are expecting,
warning: check your network connections and make sure your internet
warning: firewall software is disabled.

Done.

Hi
Shouldn’t it be -bnet?


hp-probe -bnet

HP Linux Imaging and Printing System (ver. 3.19.12)
Printer Discovery Utility ver. 4.1

Copyright (c) 2001-18 HP Development Company, LP
This software comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to distribute it
under certain conditions. See COPYING file for more details.


--------------------
| DEVICE DISCOVERY |
--------------------

Probing network for printers. Please wait, this will take approx. 10 seconds...

  Device URI                                                Model                             Name         
  --------------------------------------------------------  --------------------------------  -------------
  hp:/net/HP_LaserJet_Professional_P_1102w?ip=xxx.xxx.xxx.xxx  HP_LaserJet_Professional_P_1102w  printer-name

Found 1 printer(s) on the 'net' bus.


Done.

No firewall running though…

This should provide the information on ports to open…
https://support.hp.com/us-en/document/c02480766

It’s also described here
https://developers.hp.com/hp-linux-imaging-and-printing/KnowledgeBase/EnableServicesInFirewall.html

However, OP has done this (re their firewall output earlier in this thread).

Hi
I would turn the firewall off, add the printer and re-enable…
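
The thread leaves open why SLP and hp-setup's own mDNS probe still fail with the `mdns` and `slp` services enabled and a multicast ACCEPT direct rule in place. The sketch below is an added example, not part of the original thread: it evaluates the zone and direct rules posted above against constructed inbound packets. It assumes (the thread does not confirm this) that the printer answers a multicast query with a unicast datagram from port 427 or 5353 to the client's ephemeral port, which connection tracking cannot match to the outgoing multicast query; the host address, packet set and function names are illustrative.

```python
import ipaddress
import re

# Destination ports of firewalld's stock services (only those in the thread).
SERVICE_PORTS = {"mdns": {"5353/udp"}, "slp": {"427/udp", "427/tcp"}, "ssh": {"22/tcp"}}
# The stock mdns service also restricts the destination to the mDNS groups.
MDNS_GROUPS = {"224.0.0.251", "ff02::fb"}

# Abridged from the `firewall-cmd --list-all` output posted in the thread.
THREAD_ZONE = """home (active)
  interfaces: wlan0
  services: dhcpv6-client mdns samba-client slp ssh
  ports: 5353/udp
  protocols: igmp
  source-ports:
  rich rules:
"""
# From the `firewall-cmd --direct --get-all-rules` output in the thread.
THREAD_DIRECT = [
    "ipv4 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT",
    "ipv6 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT",
]

HOST = "192.0.2.10"  # constructed laptop address (documentation range)
# Constructed inbound packets: (proto, src_port, dst_ip, dst_port). The two
# unicast replies encode the assumption stated in the lead-in.
PACKETS = {
    "mdns announcement (multicast)": ("udp", 5353, "224.0.0.251", 5353),
    "slp reply (unicast)": ("udp", 427, HOST, 40000),
    "mdns reply (unicast)": ("udp", 5353, HOST, 40000),
}


def parse_zone(text):
    """Parse `firewall-cmd --list-all` output into {key: [tokens]}."""
    zone = {}
    for line in text.splitlines():
        m = re.match(r"\s+([\w-]+( [\w-]+)?):\s*(.*)$", line)
        if m:
            zone[m.group(1)] = m.group(3).split()
    return zone


def admits(zone, direct_rules, packet):
    """Return the rule that admits packet as NEW inbound traffic, else None."""
    proto, src_port, dst_ip, dst_port = packet
    addr = ipaddress.ip_address(dst_ip)
    family = f"ipv{addr.version}"
    # Direct rules are evaluated before the zone's own rules.
    for rule in direct_rules:
        if (rule.startswith(family) and "--pkt-type multicast" in rule
                and rule.endswith("-j ACCEPT") and addr.is_multicast):
            return "direct rule: pkttype multicast"
    dst, src = f"{dst_port}/{proto}", f"{src_port}/{proto}"
    for svc in zone.get("services", []):
        if dst in SERVICE_PORTS.get(svc, ()) and (svc != "mdns" or dst_ip in MDNS_GROUPS):
            return f"service: {svc}"
    if dst in zone.get("ports", []):
        return f"port: {dst}"
    if src in zone.get("source-ports", []):
        return f"source-port: {src}"
    return None  # not admitted as NEW traffic; the zone's default target applies


def evaluate(zone_text, direct_rules):
    """Evaluate every constructed packet against the parsed zone."""
    zone = parse_zone(zone_text)
    return {name: admits(zone, direct_rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate(THREAD_ZONE, THREAD_DIRECT).items():
        print(f"{name:32} -> {verdict or 'not admitted'}")
```

In this model only a `source-ports` entry such as `427/udp` matches the unicast SLP reply. Such an entry admits any sender that uses that source port, to any local port, so it is broader than a destination-port rule.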