Firewall and network printer services

Hi,
I have a network of 7 comps loaded with Open SuSE 12.2 x64 or Open SuSE 11.4 x32. They share common printers. The printers are managed by one comp with openSuse 12.2 x64 which acts as a server for printing services. I have noticed that over time the firewalls of all comps close down the 631 port, which had been opened to all machines in order to allow them to print. Shutting down and switching on again the firewalls of the server comp and client comp reopens the port and the printing is available again. Is there a firewall configuration that will prevent the closing of a port if it is not in use for a while?
Thanks

OpenSuSE 12.2 x64, NVidia 304.xx , KDE 4.10 x64 , Gnome 3.6 x64 and so on.

Do you mean that the firewall “spontaneously” (from your point of view) closes port 631?
It seems that you are thinking that this happens when such a port is not connected to for some amount of time. This is not the case. We have to search in another direction to find a cause for this phenomenon.

BTW it is: openSUSE. You can stop bothering yourself in trying to spell it in as many different ways as you can imagine.

On 03/02/2013 11:26 AM, hcvv wrote:
>
> Do you mean that the firewall “spontaneously” (from your point of view)
> closes port 631?
> It seems that you are thinking that this happens when such a port is
> not connected to for some amount of time. This is not the case. We have
> to search in another direction to find a cause for this phenomenon.

An open connection is tracked, but this can not be the case… :-?

Maybe the port is not explicitly opened in the firewall.


Cheers/Saludos
Carlos E. R. (12.3 Dartmouth test at Minas-Anor)

I have opened the 631 port on all of the comps in the network using system setting section of Yast2 - Network- Firewall - SuSEfirewall2 - FW_SERVICES_EXT_TCP and same for UDP. Then in Yast2 - Firewall section the port appeared in the summary as opened.

If I were to guess, the FW isn’t closing the port, the service (printing service) behind the port has gone unresponsive.

More than likely the machine has gone to sleep due to inactivity.

Recommend
Disable ACPI
Modify power settings in the Desktop to disable all power saving settings.

TSU

I did as you suggested but with no success. The client computer needs closing down and starting up its firewall in order to send a query for printing. Is there a way to make the cups daemon not go to sleep over time?

Are you saying both 11.4 and 12.2 clients are closing their own firewall ports? That would be a serious bug IMHO, but me too thinks this is not the case. Please post output of


su -c 'cat /var/log/firewall | grep 631'
lpstat -t

Here is the asked output :


4 ID=30969 DF PROTO=TCP SPT=56897 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A00612EE70000000001030307) 
Mar  8 17:56:44 black kernel: [12073.181744] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32689 DF PROTO=TCP SPT=56980 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A006253E40000000001030307) 
Mar  8 18:01:44 black kernel: [12373.213607] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31625 DF PROTO=TCP SPT=57073 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A006378E00000000001030307) 
Mar  8 18:06:44 black kernel: [12673.244483] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6635 DF PROTO=TCP SPT=57150 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A00649DDB0000000001030307) 
Mar  8 18:11:44 black kernel: [12973.275987] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34020 DF PROTO=TCP SPT=57237 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A0065C2D60000000001030307) 
Mar  8 18:16:44 black kernel: [13273.302096] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40609 DF PROTO=TCP SPT=57310 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A0066E7D00000000001030307) 
Mar  8 18:21:44 black kernel: [13573.332567] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=42584 DF PROTO=TCP SPT=57388 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A00680CCB0000000001030307) 
Mar  8 18:26:44 black kernel: [13873.362647] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38636 DF PROTO=TCP SPT=57462 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A006931C60000000001030307) 
Mar  8 18:31:44 black kernel: [14173.393285] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60060 DF PROTO=TCP SPT=57548 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A006A56C10000000001030307) 
Mar  8 18:36:44 black kernel: [14473.424415] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63948 DF PROTO=TCP SPT=57621 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A006B7BBC0000000001030307) 
Mar  8 18:41:44 black kernel: [14773.455596] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44790 DF PROTO=TCP SPT=57703 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A006CA0B70000000001030307) 
Mar  8 18:45:45 black kernel: [15015.066313] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:b0:85:a7:14:08:00 SRC=114.26.16.185 DST=192.168.0.100 LEN=293 TOS=0x00 PREC=0x00 TTL=114 ID=28227 PROTO=UDP SPT=11442 DPT=7881 LEN=273 
Mar  8 18:46:44 black kernel: [15073.489937] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46902 DF PROTO=TCP SPT=57789 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A006DC5B30000000001030307) 
Mar  8 18:51:44 black kernel: [15373.522546] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23164 DF PROTO=TCP SPT=57873 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A006EEAAF0000000001030307) 
Mar  8 18:56:44 black kernel: [15673.554263] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29805 DF PROTO=TCP SPT=57956 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A00700FAA0000000001030307) 
Mar  8 19:01:44 black kernel: [15973.585664] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6681 DF PROTO=TCP SPT=58051 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A007134A50000000001030307) 
Mar  8 19:06:44 black kernel: [16273.616394] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15112 DF PROTO=TCP SPT=58132 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A007259A10000000001030307) 
Mar  8 19:11:44 black kernel: [16573.647952] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24422 DF PROTO=TCP SPT=58210 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A00737E9C0000000001030307) 
Mar  8 19:16:44 black kernel: [16873.680055] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48946 DF PROTO=TCP SPT=58292 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A0074A3970000000001030307) 
Mar  8 19:21:44 black kernel: [17173.706806] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27357 DF PROTO=TCP SPT=58376 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A0075C8910000000001030307) 
Mar  8 19:26:44 black kernel: [17473.738386] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17251 DF PROTO=TCP SPT=58458 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A0076ED8D0000000001030307) 
Mar  8 19:31:44 black kernel: [17773.770798] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5136 DF PROTO=TCP SPT=58541 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A007812880000000001030307) 
Mar  8 19:36:44 black kernel: [18073.801737] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23918 DF PROTO=TCP SPT=58625 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A007937830000000001030307) 
Mar  8 19:41:44 black kernel: [18373.832268] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1902 DF PROTO=TCP SPT=58706 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A007A5C7E0000000001030307) 
Mar  8 19:46:44 black kernel: [18673.864309] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53979 DF PROTO=TCP SPT=58787 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A007B817A0000000001030307) 
Mar  8 19:51:44 black kernel: [18973.896229] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46428 DF PROTO=TCP SPT=58878 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A007CA6750000000001030307) 
Mar  8 19:56:44 black kernel: [19273.930604] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39594 DF PROTO=TCP SPT=58952 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A007DCB710000000001030307) 
Mar  8 20:01:44 black kernel: [19573.961877] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33830 DF PROTO=TCP SPT=59047 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A007EF06C0000000001030307) 
Mar  8 20:06:44 black kernel: [19873.993001] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44208 DF PROTO=TCP SPT=59128 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A008015670000000001030307) 
Mar  8 20:11:44 black kernel: [20174.021214] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21243 DF PROTO=TCP SPT=59199 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A00813A620000000001030307) 
Mar  8 20:16:44 black kernel: [20474.050964] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=28:45:a7:f3:18:00:00:22:15:67:6a:25:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6429 DF PROTO=TCP SPT=59282 DPT=631 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A00825F5D0000000001030307)

Hello olegue,

What about using CODE tags around such output, to make it readable? (The # button in the toolbar above the post editor).

On 2013-03-09 15:26, olegue wrote:
> Here is the asked output :

Unreadable. You did not use code tags.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

On 03/09/2013 09:44 PM, Carlos E. R. pecked at the keyboard and wrote:
> On 2013-03-09 15:26, olegue wrote:
>> Here is the asked output :
> Unreadable. You did not use code tags.
>
I can’t believe you are that ignorant that the use of “code” tags make a
difference.

Grow up!

Also, when posting info/data you need to specify the computer it came from.

The client FWs themselves should not be relevant, only the server FW might block. You may need to describe exactly what you’re doing on the client machines when you’re stop/restarting your FWs.

You can also install hplip even if you’re not using HP printers (and definitely should if an HP printer) to visually detect active printer connections. You may be able to verify as I originally speculated that the problem may not be a FW issue.

TSU

On 2013-03-10 14:36, tsu2 wrote:
>
> Also, when posting info/data you need to specify the computer it came
> from.
>
> The client FWs themselves should not be relevant, only the server FW
> might block. You may need to describe exactly what you’re doing on the
> client machines when you’re stop/restarting your FWs.

I had a second look at the firewall log he posted, which is quite
difficult to read here, and he is getting packets rejected on port 631.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

On 2013-03-10 21:38, Ken Schneider wrote:
> On 03/09/2013 09:44 PM, Carlos E. R. pecked at the keyboard and wrote:
>> On 2013-03-09 15:26, olegue wrote:
>>> Here is the asked output :
>> Unreadable. You did not use code tags.
>>
> Aww. Didn’t like my opinion so you just delete it.
>
> -----------------------
>
> grow up when it comes to using “code” tags. And where are the “RULES”
> posted on using them?
>
> --------------------------

I have no idea what you are talking about :-? :-o


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

Hi folks

Same problem here (OpenSuSE 12.2 x64)!!!
1: Opening TCP-Services for a specific machine (in YAST/firewall: CustomRules)
2: Works for an hour or so
3: Begins to drop all TCP-Packages for specific machine (SFW2-INext-DROP-DEFLT)
4: Stopping and starting firewall
5: GoTo 2:

How is this possible?
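
An added example, not part of any post in this thread: a small parser for SuSEfirewall2 kernel-log lines that tallies verdicts per protocol and destination port, and reports the uptime stamp at which the verdict for one port changes (the "works for an hour, then SFW2-INext-DROP-DEFLT" symptom described above). The sample lines are constructed in the format of the log posted earlier; the function names are hypothetical, and taking the third dash-separated part of the rule prefix as the verdict is an assumption based on the two prefixes seen here.

```python
import re
from collections import Counter

# Constructed sample in the SuSEfirewall2 kernel-log format seen in this thread;
# addresses, timings and the ACC-to-DROP flip are made up for the example.
SAMPLE = """\
Mar  8 18:41:44 black kernel: [14773.455596] SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=192.168.0.101 DST=192.168.0.100 LEN=60 DF PROTO=TCP SPT=57703 DPT=631 SYN URGP=0
Mar  8 18:45:45 black kernel: [15015.066313] SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.100 LEN=293 PROTO=UDP SPT=11442 DPT=7881 LEN=273
Mar  8 18:46:44 black kernel: [15073.489937] SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=192.168.0.101 DST=192.168.0.100 LEN=60 DF PROTO=TCP SPT=57789 DPT=631 SYN URGP=0
Mar  8 18:51:44 black kernel: [15373.522546] SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=192.168.0.101 DST=192.168.0.100 LEN=60 DF PROTO=TCP SPT=57873 DPT=631 SYN URGP=0
Mar  8 18:56:44 black kernel: [15673.554263] SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.0.101 DST=192.168.0.100 LEN=60 DF PROTO=TCP SPT=57956 DPT=631 SYN URGP=0
Mar  8 19:01:44 black kernel: [15973.585664] SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.0.101 DST=192.168.0.100 LEN=60 DF PROTO=TCP SPT=58051 DPT=631 SYN URGP=0
"""

LINE_RE = re.compile(r"\[\s*(?P<uptime>\d+\.\d+)\]\s+(?P<rule>SFW2-\S+)\s+(?P<rest>.*)")

def parse(line):
    """Return uptime, action, proto, dpt and src for one SFW2 log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    parts = m["rule"].split("-")  # SFW2-INext-ACC-TCP -> "ACC" (assumed layout)
    # Bare flags such as DF or SYN carry no "=" and are skipped.
    fields = dict(t.split("=", 1) for t in m["rest"].split() if "=" in t)
    dpt = fields.get("DPT")
    return {"uptime": float(m["uptime"]),
            "action": parts[2] if len(parts) > 2 else "?",
            "proto": fields.get("PROTO"), "src": fields.get("SRC"),
            "dpt": int(dpt) if dpt and dpt.isdigit() else None}

def summarize(lines):
    """Count log lines per (action, protocol, destination port)."""
    events = filter(None, map(parse, lines))
    return Counter((e["action"], e["proto"], e["dpt"]) for e in events)

def verdict_changes(lines, dpt, proto="TCP"):
    """List (uptime, old_action, new_action) each time the verdict for a port flips."""
    changes, prev = [], None
    for e in filter(None, map(parse, lines)):
        if e["dpt"] != dpt or e["proto"] != proto:
            continue
        if prev is not None and e["action"] != prev:
            changes.append((e["uptime"], prev, e["action"]))
        prev = e["action"]
    return changes

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE.splitlines()).items(), key=str):
        print(n, *key)
    print(verdict_changes(SAMPLE.splitlines(), 631))
```

Run against the server's /var/log/firewall, the flip time can be compared with other events on that host (interface changes, firewall reloads) around the same uptime stamp.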