Firewall blocking network scanner - is there a way out

I recently acquired a Brother DCP9020 all-in-one printer/scanner.
I want to use the printer/scanner from various PCs in my home network.
Hence I want to use it in networked mode, not via USB.

The printer works nicely from various PCs.
For scanning I use Vuescan.

Vuescan cannot see the scanner when the Suse Firewall is active.
When I switch off the firewall, Vuescan can communicate with the Brother without problems.
I had the same issues with an HP All in One printer.

I suspect the issue is caused by the firewall blocking responses from the scanner.

This is what I see in dmesg when I fire up Vuescan a couple of times.
The firewall blocks responses from the scanner (ip=192.168.1.20) to the host (ip=192.168.1.13).
The port numbers being used by the scanner seem to be different each time (DPT=41592, DPT=58945).

Is there a way out - I would rather not switch off the firewall.


SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=6c:62:6d:c9:e0:4e:44:1c:a8:38:50:d0:08:00 SRC=192.168.1.20 DST=192.168.1.13 LEN=1260 TOS=0x00 PREC=0x00 TTL=0 ID=21 PROTO=UDP SPT=5353 DPT=41592 LEN=1240 
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=6c:62:6d:c9:e0:4e:44:1c:a8:38:50:d0:08:00 SRC=192.168.1.20 DST=192.168.1.13 LEN=1260 TOS=0x00 PREC=0x00 TTL=0 ID=22 PROTO=UDP SPT=5353 DPT=41592 LEN=1240 
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=6c:62:6d:c9:e0:4e:44:1c:a8:38:50:d0:08:00 SRC=192.168.1.20 DST=192.168.1.13 LEN=1260 TOS=0x00 PREC=0x00 TTL=0 ID=23 PROTO=UDP SPT=5353 DPT=41592 LEN=1240 
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=6c:62:6d:c9:e0:4e:44:1c:a8:38:50:d0:08:00 SRC=192.168.1.20 DST=192.168.1.13 LEN=1260 TOS=0x00 PREC=0x00 TTL=0 ID=25 PROTO=UDP SPT=5353 DPT=58945 LEN=1240 
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=6c:62:6d:c9:e0:4e:44:1c:a8:38:50:d0:08:00 SRC=192.168.1.20 DST=192.168.1.13 LEN=1260 TOS=0x00 PREC=0x00 TTL=0 ID=26 PROTO=UDP SPT=5353 DPT=58945 LEN=1240 
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=6c:62:6d:c9:e0:4e:44:1c:a8:38:50:d0:08:00 SRC=192.168.1.20 DST=192.168.1.13 LEN=1260 TOS=0x00 PREC=0x00 TTL=0 ID=27 PROTO=UDP SPT=5353 DPT=58945 LEN=1240

Thanks in advance for your observations

Suse Leap 42.1 Kernel~4.1.27-27-default x86_64

If you’re behind a router, and operating within your LAN, then the network interfaces really only need to be treated as internal interfaces, and thus behind the firewall. You must have yours configured as external. Port 5353 is used for Avahi (network discovery), and it is likely this port that needs to be opened to allow the discovery process. The response communication from the network scanner should not be impacted by the firewall, so don’t worry about that.

HPLIP has a page explaining what is required with respect to firewall configuration when needed:
http://hplipopensource.com/node/375
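An added example, not part of the original thread: a small Python parser for the SFW2 drop lines quoted in the question. It groups the drops per flow and reports which port side stays fixed, showing that the scanner always sends from UDP source port 5353 while the destination port on the host changes between runs, so a rule keyed on a fixed destination port cannot match these packets. The function names and the `KNOWN_PORTS` table are choices made for this example.

```python
import re
from collections import defaultdict

# Three of the dropped-packet lines from the dmesg output quoted in the question.
SAMPLE_LOG = """\
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=6c:62:6d:c9:e0:4e:44:1c:a8:38:50:d0:08:00 SRC=192.168.1.20 DST=192.168.1.13 LEN=1260 TOS=0x00 PREC=0x00 TTL=0 ID=21 PROTO=UDP SPT=5353 DPT=41592 LEN=1240
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=6c:62:6d:c9:e0:4e:44:1c:a8:38:50:d0:08:00 SRC=192.168.1.20 DST=192.168.1.13 LEN=1260 TOS=0x00 PREC=0x00 TTL=0 ID=22 PROTO=UDP SPT=5353 DPT=41592 LEN=1240
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=6c:62:6d:c9:e0:4e:44:1c:a8:38:50:d0:08:00 SRC=192.168.1.20 DST=192.168.1.13 LEN=1260 TOS=0x00 PREC=0x00 TTL=0 ID=25 PROTO=UDP SPT=5353 DPT=58945 LEN=1240
"""

FIELD = re.compile(r"(\w+)=(\S*)")
KNOWN_PORTS = {5353: "mDNS"}  # lookup table built for this example


def parse_drop(line):
    """Return the key=value fields of one SFW2 drop line, or None otherwise."""
    if "SFW2-" not in line or "-DROP" not in line:
        return None
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # LEN occurs twice; keep the IP-level one
    return fields


def stable_side(spt, dpt):
    """Say which port stays constant across all drops seen for one flow."""
    if len(spt) == 1 and len(dpt) == 1:
        return "both"
    if len(spt) == 1:
        return "source"
    return "destination" if len(dpt) == 1 else "neither"


def summarize(log_text):
    """Group drops by (SRC, DST, PROTO) and describe the ports of each flow."""
    flows = defaultdict(lambda: {"spt": set(), "dpt": set(), "count": 0})
    for line in log_text.splitlines():
        f = parse_drop(line)
        if not f or "SPT" not in f or "DPT" not in f:
            continue  # not a drop line, or a protocol without ports
        flow = flows[(f["SRC"], f["DST"], f["PROTO"])]
        flow["spt"].add(int(f["SPT"]))
        flow["dpt"].add(int(f["DPT"]))
        flow["count"] += 1
    return [{"src": src, "dst": dst, "proto": proto, "count": v["count"],
             "source_ports": sorted(v["spt"]), "dest_ports": sorted(v["dpt"]),
             "stable_side": stable_side(v["spt"], v["dpt"]),
             "service": next((KNOWN_PORTS[p] for p in sorted(v["spt"] | v["dpt"])
                              if p in KNOWN_PORTS), None)}
            for (src, dst, proto), v in flows.items()]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```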

Thanks so much for this link!!! I’ve been trying to figure it out for ages…have just been running with the firewall off, due to the scanner. This info fixed the problem and the scanner is now working with the firewall active.

Glad to have been of help.

And I saved the info as a text file…along with the many other wonderful tips I get here, so in the future, I don’t have to try to search for them again!

Excellent advice. I did have the 5353 port open, but not the other bits. Thanks a lot.

Thanks for the update. Pass the knowledge along!