Firewall is blocking Printing to remote printer

Printer is connected via USB to server PC running OpenSUSE 11.1
Client PCs are running 11.1, XP, Vista
No problem printing from the Windoze machines

Printing is trouble free with the 11.1 client’s firewall disabled, but no printer is available with firewall running.

In hopes of diagnosing the problem I figured I’d open everything I could think of until the printer remained available with the firewall running. Then I planned to start removing exceptions one at a time 'til removing one caused the printer to disappear.

I’ve gone to Yast>Security and Users>Firewall>Allowed Services>External Zone and tried adding
Samba Server
NetBIOS server
Samba Client
Samba Server
VNC
Cups

And to Yast>Security and Users>Firewall>Broadcast and tried adding
Samba Browsing
SLP browsing
UDP - all services
TCP - all services

Unfortunately I still have the same problem I started with, even with all those open ports and exceptions.

Here’s the result of # SuSEfirewall2 status

### iptables filter ###

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
0 0 input_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
1 201 input_ext all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- wmaster0 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
pkts bytes target prot opt in out source destination

Chain input_ext (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast udp dpt:137
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast udp dpt:138
1 201 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 udp spt:137 state RELATED
0 0 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 udp spt:427 state RELATED
0 0 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 state RELATED
0 0 ACCEPT all -- * * 192.168.0.0/24 0.0.0.0/0 state RELATED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 state RELATED
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:135 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:139 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:445 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:631 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:631 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:139 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:445 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpts:5900:5999 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:5900:5999
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject_func (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable

### iptables raw ###

Chain PREROUTING (policy ACCEPT 270K packets, 187M bytes)
pkts bytes target prot opt in out source destination
0 0 NOTRACK all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 238K packets, 37M bytes)
pkts bytes target prot opt in out source destination
0 0 NOTRACK all -- * lo 0.0.0.0/0 0.0.0.0/0

On Sun January 10 2010 07:36 pm, caprus wrote:

>
> Printer is connected via USB to server PC running OpenSUSE 11.1
> Client PCs are running 11.1, XP, Vista
> No problem printing from the Windoze machines
>
> Printing is trouble free with the 11.1 client’s firewall disabled, but
> no printer is available with firewall running.
>
> In hopes of diagnosing the problem I figured I’d open everything I
> could think of until the printer remained available with the firewall
> running. Then I planned to start removing exceptions one at a time 'til
> removing one caused the printer to disappear.
>
> I’ve gone to Yast>Security and Users>Firewall>Allowed Services>External
> Zone and tried adding
> Samba Server
> NetBIOS server
> Samba Client
> Samba Server
> VNC
> Cups
>
> And to Yast>Security and Users>Firewall>Broadcast and tried adding
> Samba Browsing
> SLP browsing
> UDP - all services
> TCP - all services
>
> Unfortunately I still have the same problem I started with,
> even with all those open ports and exceptions.
>
caprus;

If you have the CUPS port (631) open on both server and client, have allowed
outside connections to CUPS on the server, and have published the printers,
then CUPS on the 11.1 client should find the printers and automatically
connect to them. To allow outside connections to CUPS on the server, you will need to
edit /etc/cups/cupsd.conf. The config file is quite well documented
internally and it should be quite clear as to what is needed. Additional
documentation can be found here:
http://www.cups.org/

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

Perhaps you missed the following entry in my post.

> Printing is trouble free with the 11.1 client’s firewall disabled, but
> no printer is available with firewall running.

Note: The cupsd.conf is copied from an earlier 11.1 installation that worked flawlessly. (unfortunately I failed to backup the firewall setup as well)

On Mon January 11 2010 06:16 am, caprus wrote:

>
> Perhaps you missed the following entry in my post.
>
>> Printing is trouble free with the 11.1 client’s firewall disabled, but
>> no printer is available with firewall running.
>
> Note: The cupsd.conf is copied from an earlier 11.1 installation that
> worked flawlessly. (unfortunately I failed to backup the firewall setup
> as well)
>
>
caprus;

I’m suggesting that you use ipp printing directly through Cups, bypassing
Samba altogether. To do that you need to make sure the cups ports are open,
which it appears by your first post is true. However, you need to allow
remote access to cups in your server’s cupsd.conf. This HowTo might help.

http://opensuse.swerdna.org/suseprintipp.html

Although swerdna suggests using an external editor, it is possible to edit the
cupsd.conf directly in cups (http://localhost:631/). By default the Cups
server only allows “localhost”. If the client does not automatically find
the printers, just use cups (on the client) to set up ipp printing.

It appears from your first post that you have enabled smbd, nmbd and cups
properly on the client’s firewall; double check Broadcasts. You might try to
change the logging options to log all the dropped packets. This might give
you some idea what is wrong. The only thing I can see in your client
firewall is that udp broadcasts on port 631 are not accepted. This should
only mean that cups will not discover printers shared by other systems.


P. V.
“We’re all in this together, I’m pulling for you.” Red Green
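
The remark about UDP broadcasts on port 631 comes down to rule order in the input_ext chain, and that can be checked mechanically. The following is an added example, not part of any post in this thread: it parses a constructed excerpt of that listing and returns the first terminating rule a packet hits, modelling only protocol, PKTTYPE and destination port (source, state and interface matches are ignored; `parse_rules` and `first_match` are illustrative names).

```python
import re

# Constructed sample: rows excerpted from the input_ext chain in the first post
# (columns: pkts bytes target prot opt in out source destination match...).
INPUT_EXT = """\
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast udp dpt:137
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast udp dpt:138
1 201 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:631 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:5900:5999
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""

def parse_rules(text):
    """Turn listing rows into dicts; only proto, PKTTYPE and dpt(s) are modelled."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].isdigit():
            continue  # chain headers, column titles, blank lines
        match = " ".join(f[9:])
        ptype = re.search(r"PKTTYPE = (\w+)", match)
        dpt = re.search(r"dpts?:(\d+)(?::(\d+))?", match)
        rules.append({
            "target": f[2], "proto": f[3], "line": line,
            "pkttype": ptype.group(1) if ptype else None,
            "dports": (int(dpt.group(1)), int(dpt.group(2) or dpt.group(1))) if dpt else None,
        })
    return rules

def first_match(rules, proto, dport, pkttype="unicast"):
    """Return the first terminating rule a packet hits, as iptables would."""
    for r in rules:
        if r["target"] == "LOG":
            continue  # LOG records the packet and falls through
        if r["proto"] not in ("all", proto):
            continue
        if r["pkttype"] and r["pkttype"] != pkttype:
            continue
        if r["dports"] and not r["dports"][0] <= dport <= r["dports"][1]:
            continue
        return r
    return None

RULES = parse_rules(INPUT_EXT)

if __name__ == "__main__":
    for proto, port, ptype in [("udp", 631, "broadcast"), ("udp", 631, "unicast"), ("tcp", 631, "unicast")]:
        hit = first_match(RULES, proto, port, ptype)
        print(f"{ptype} {proto}/{port}: {hit['target']}  <- {hit['line']}")
```

A broadcast to UDP 631 stops at the `PKTTYPE = broadcast` DROP before it can reach the later `udp dpt:631` ACCEPT, while unicast traffic to TCP or UDP 631 is accepted.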

@ venkep

update: The problem may have been resolved, though not as expected. After reading your post, and before I’d had a chance to try your suggestions, I noticed that the printer is showing up in CUPS and is now available for use with the firewall enabled. The only possible explanation I can offer is that I’d updated the kernel last night to resolve an unrelated problem with a new NIC. I can’t imagine why that would have solved this issue, but I’ll leave things alone for now in keeping with “if it ain’t broke don’t fix it”.

I’ll repost here if the problem reoccurs. Thanks for your time and effort.

On Tue January 12 2010 07:26 am, caprus wrote:

>
> @ venkep
>
> update: The problem may have been resolved, though not as expected.
> After reading your post, and before I’d had a chance to try your
> suggestions, I noticed that the printer is showing up in CUPS and is now
> available for use with the firewall enabled. The only possible
> explanation I can offer is that I’d updated the kernel last night to
> resolve an unrelated problem with a new NIC. I can’t imagine why that
> would have solved this issue, but I’ll leave things alone for now in
> keeping with “if it ain’t broke don’t fix it”.
>
> I’ll repost here if the problem reoccurs. Thanks for your time and
> effort.
>
>
caprus;

Go figure. As long as it works that’s all that really counts. Good luck and
enjoy your printer.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green