CUPS and Firewall

Running Suse 12.2 with KDE 4.8.5, Epson Stylus SX400 (NOT a wifi printer)

Is there a way of allowing CUPS port 631 in the firewall settings? I’m trying to share my printer via the LAN so I can print from my tablet, and although the printer is visible in the tablet’s printer app, it is impossible to print from it. Most error messages seem to indicate, that it could be a firewall problem. (see tab’s screenshots)

For example, this is the error I get when I try to set up the printer this way:

ping: unknown host cellar
Testing share ‘Stylus-SX400’ on ‘Workgroup/cellar’:
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Share ‘Stylus-SX400’ on ‘Workgroup/cellar’ does not accept print jobs (share may not exist?)
Host ‘cellar’ unreachable (network issue or wrong host or firewall active?)

And if I try it that way (14.4), I get this message:

The server ‘’ is not accessible via port 631 (IPP/CUPS).
The server ‘’ does not respond to a ‘ping’ in the network.
The server name ‘’ is not known in the network.

If I got to (being my machine) port 631 manually, it says forbidden.

When I go to firewall settings for internal zone I can’t see CUPS. I can’t add it manually either because everything is greyed out.
To be honest I don’t know much about LANs etc and this is the first time I have tried to share a printer, also I’m not trying to share the printer with a windows machine, but I can’t seem to find any tuts on how to just share it with an Android.

Any help is greatly appreciated.

Normaly, when you configure something using YaST, YaST also organises for you that the firewal is configured. Thus when in the pronter server you use YaST > Hardware > Printers and then go to the Sharing Printers item and configure there, this should be sufficient. Isn’t that working?

And of course you must be able to ping that system on your LAN. Those messages you show are a bit messy. but can you do a

ping -c 1

And whenn the result is positive (when not you first haveto repair there):

telnet 631

What is the result

(and please do copy/paste this complete (including prompt. command, output, next prompt) in a post here between CODE ags by using th # button in the toolbar of the posy editor)

Als I see somewhere in your pictures things about Windows workgroups. Are we talking about SAMBA?
I am not very fluent in SAMBA, but I doubt that printing from one system to another using CUPS has anything to do with SAMBA.

So to see if it is a Firewall Problem, you could turn off the Firewall and see if it does work. If it does not work, the Firewall is not the immediate problem you are having. If it does work, then you can (from KDE) go to:

YaST / Security and Users / Firewall / Allowed Services (On Left) / Advanced button (Bottom Right) and enter a single port number or a range of numbers as in Starting_Number:Last_Number, inclusive.

Thank You,

Ok, due to a mad clicking session of mine, I had to re-install Opensuse and therefore it reset all my network and printer settings, etc, which I suppose is a good thing, because I did a heck of a lot of messing around.

samba and filesharing are currently not enabled.

Back to printer sharing: In Yast > Hardware > Printer > Share Printers I enabled “Allow Remote Access” and ticked the two boxes underneath. I get a YAST pop up, telling me that “A firewall may prevent remote access”. The internal settings for the firewall are still greyed out (and still no CUPS in sight) and I noticed that the firewall is disabled.

None of the android apps find the printer (printer is turned on and CUPS says it’s shared)

The output of the ping is as follows:

gila@linux-b52i:~> ping -c 1
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.026 ms

--- ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.026/0.026/0.026/0.000 ms

and for the telnet

gila@linux-b52i:~> telnet
telnet: connect to address Connection refused

About the Workgroups in the earlier screenshots, I had samba enabled for filesharing and the only way I could even see the printer on the network from the tablet was to pretend it’s a Windows network.

To be frank, I don’t really know how file and printer sharing work (as you can probably tell)

As you are a bit amiss in some of the terms and things used, I hope the following will help to sort out things a bit.

Samba is software to enable Windows type file sharing and printer sharing. The server side was originaly made to be able to create stable and thus non-Windows file/printer servers on Unix systems to serve Windows desktop clients. Later the client side was also implemented. I guess to enable Linux desktops to have access to Windows type file/printer sharing in a mixed environment.

Of course Unix/Linux have their own software for using remote file systems and software for using remote printers. Remark the different wording (there is no “sharing” here) and the fact that both have no relation to each other, other then that they fit in the general client/server model that TCP/IP offers.

Thus, when you want to use a printer from a Linux system on another Linux system, then Samba is not the thing to be used.

Back to ypur problem.

I hope ypou now know what you want. Can you please confirm that you have two Linux system (openSUSE?) and that you want one (that has apperently a printer attached) become printer server for the other system (usng CUPS as the client/server protocol)?

Or else that you want something different like using Samba.


The OP is using some unfortunate language causing confusion.

Since the protocol used is IPP (Intenet Printing Protocol), he is <not> “sharing” the printer but sending print jobs directly to the openSUSE functioning as a Printer Server.

If you have installed your Printer correctly (eg can you print a test page locally from your openSUSE Printer Server), you should be able to simply open the appropriate firewall ports using Yast. Verify those ports are correct and run the CUPs app (I even highly recommend installing hplip regardless whether your printer is HP or not) to configure and verify your printer is working properly on the Server before you try print jobs from remote clients.

Of course, use the IP address if you don’t have name resolution enabled on your LAN.


Thank you for explanation in your previous post. It is much appreciated.

There are two computers connected to one router, one with Windows 7 and one with Opensuse 12.2. Those two are otherwise not “connected”, ie no sharing of any kind going on between them.

The computer in question has OpenSuse installed with a printer attached. I want to be able to send print jobs from my Android tablet (client?) to the printer attached to my OpenSuse machine (server?).

Sorry for the language confusion. The printer is working perfectly (printed a testpage via cups) and hplip is installed. I don’t know how to open the port in the firewall, the internal zone being all greyed out.

Since SUSE firewall doesn’t have a pre-configured Service definition for IPP(the available service list is way too short) you’ll need to create a couple custom rules. There is no Internal zone unless you have more than one NIC, to openSUSE with only one NIC everything not on the box is considered “external.”

YAST2 > Security and Users > Firewall

IPP Inbound port 631 TCP
IPP Discovery Inbound port 631 UDP


I am still wondering if the firewall on your server is on.

Can you please check that in YaST > Security and Users > Firewall?

Dumb question, but where do I open these ports? ‘Allowed services’ and just clicking ‘add’ or under ‘Custom Rules’?

The firewall is on. Even if I turn the firewall off temporarily, I still get a pop-up saying, that the firewall still may reject printer announcements.

I’m assuming, that I am to setup the printer this way:

Procedure 14.4. Printing via a Single CUPS Server

  •    Start the YaST printer module with Hardware+Printer. 
  • From the left pane launch the Print via Network screen. —> this is where I get the pop-up
  •    Check Do All Your Printing Directly via One Single CUPS       Server and specify the name or IP address of the server. 
  •    Click Test Server to make sure you have chosen the       correct name or IP address.      ---&gt; the test fails with firewall on or off (Server is not accessible) 
  •    Click OK to return to the Printer Configurations       screen. All printers available via the CUPS server are now listed.

On 1/20/2013 6:46 AM, gilap wrote:
> Dumb question, but where do I open these ports? ‘Allowed services’ and
> just clicking ‘add’ or under ‘Custom Rules’?


YaST > Security and Users > Firewall > Allowed Services > Advanced. You can
enter any port ( or range of ports) to open.

“We’re all in this together, I’m pulling for you” Red Green

I found that I needed to add a custom rule to allow UDP from port 161 on my local network in for this to work. So for my network I allowed

Source IP =
Protocol = UDP
Source port = 161 (snmp)

Now you could tighten this further if you put your printers on a small range of IP addresses and alter the source IP and mask just to include that range.