hp-setup can't discover HP printer unless firewall off

Hi,

I’m trying to get hp-setup to discover an HP printer on wifi on Leap 15.0. I’m quite sure it is a problem with the firewall, but I’m unable to track it down. The aim is to get Vuescan to work, which uses hp-setup to search for printers/scanners.

If I turn off the firewall, hp-setup is able to find the printer using mDNS/Bonjour only. SLP and Avahi return no results. If I turn on the firewall, it cannot discover the printer.

Wireshark gives the following which doesn’t show up when the firewall is off:
ICMP: Destination unreachable (Host administratively prohibited) from 192.168.1.10 (the desktop) to 192.168.1.129 (the printer)

But I’m not sure if this is related to the problem.

I’ve tried to enable/disable the following on the firewall:

  • mdns
  • slp
  • UDP ports 5353 and 427

Same result. So what can I do to find the problem?

In the hp-setup Device Discovery window, click the Network radio button, then the Show Advanced Options bar, then the Manual Discovery button. Put the printer’s IP address in the field and click Next. This works on my system, and hopefully will on yours.
Regards,

Yes, but my goal is to get Vuescan working, and this has no manual option, only on-the-fly detection.

The HP guide indicates only Avahi should be required for printer discovery, so not clear to me why it’s not working for you.
https://developers.hp.com/hp-linux-imaging-and-printing/KnowledgeBase/EnableServicesInFirewall.html

Can you confirm that the changes were applied? Correct interface/zone? Perhaps show us the current running config…

firewall-cmd --list-all
ojt@zappa:~> firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns slp
  ports: 5353/udp 427/udp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


Hmmm, you don’t have an interface assigned to that zone. I would expect something more like

ojt@zappa:~> firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client mdns slp

It seems that when the default zone is used, the interface is not visible. Anyway, eth0 is now set, but still the same problem. Tried both using the mdns and slp services and opening the ports:

ojt@zappa:~> firewall-cmd --list-all --zone=home
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh samba-client dhcpv6-client mdns slp
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

ojt@zappa:~> firewall-cmd --list-all --zone=home
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh samba-client dhcpv6-client
  ports: 5353/udp 427/udp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
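
The two checks made by eye above (is the zone actually bound to an interface, and are the discovery services or their ports allowed) can be applied mechanically to pasted firewall-cmd --list-all output. The script below is an added example, not code from this thread or from the firewalld project. It parses the zone dump layout as pasted above (two-space indented "key: values" fields, rich rules on their own indented lines; that layout is an assumption), takes the mdns/5353 and slp/427 requirements from the posts, and then builds the firewall-cmd sequence for a per-host accept rich rule (the rule form used later in this thread), a query to confirm it took effect, and --runtime-to-permanent. The interface name eth0 and the printer address 192.168.1.129 are taken from the posts; the sample dumps are copied from the two zone listings above.

```python
"""Audit firewall-cmd --list-all output for the traps in this thread.

Added example, not code from the thread or from firewalld. Assumes the
plain-text layout firewall-cmd --list-all prints (two-space indented
"key: values" fields, rich rules on their own tab-indented lines) and
takes the discovery services/ports (mdns/5353, slp/427) from the thread.
"""
import re

# Discovery traffic the poster tried to allow: firewalld service name -> the
# port/protocol that service opens (allowing either one is equivalent).
REQUIRED = {"mdns": "5353/udp", "slp": "427/udp"}

FIELD_RE = re.compile(r"^  ([a-z][a-z -]*?):\s?(.*)$")

# Constructed samples, copied from the two zone dumps in the thread.
PUBLIC_UNBOUND = """\
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns slp
  ports: 5353/udp 427/udp
  protocols: 
  masquerade: no
  rich rules: 
"""

HOME_PORTS_ONLY = """\
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh samba-client dhcpv6-client
  ports: 5353/udp 427/udp
  rich rules: 
"""


def parse_zone(text):
    """Parse one zone dump into {'name', 'active', 'fields': {key: [values]}}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    head = re.match(r"(\S+)(?:\s+\((active)\))?", lines[0])
    zone = {"name": head.group(1), "active": head.group(2) == "active", "fields": {}}
    key = None
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1)
            zone["fields"][key] = m.group(2).split()
        elif key is not None:
            # continuation line (a rich rule): keep it whole
            zone["fields"][key].append(line.strip())
    return zone


def audit(zone):
    """Return findings; an empty list means the zone can carry discovery traffic."""
    f = zone["fields"]
    findings = []
    if not (f.get("interfaces") or f.get("sources")):
        findings.append(
            f"zone {zone['name']} has no interface or source bound; its rules "
            "apply to nothing (the trap in the first dump above)"
        )
    services, ports = set(f.get("services", [])), set(f.get("ports", []))
    for svc, port in REQUIRED.items():
        if svc not in services and port not in ports:
            findings.append(f"neither service {svc} nor port {port} is allowed")
    return findings


def host_rule(ip):
    """Rich rule accepting everything from one host (all ports, all protocols)."""
    return f'rule family="ipv4" source address="{ip}" accept'


def remediation(zone, printer_ip, iface="eth0"):
    """Build the firewall-cmd sequence that would fix the findings and persist it.

    Commands are returned as strings, not executed; run them as root after
    reviewing them. The interface name is an assumption.
    """
    z = f"--zone={zone['name']}"
    f = zone["fields"]
    cmds = []
    if not (f.get("interfaces") or f.get("sources")):
        cmds.append(f"firewall-cmd {z} --change-interface={iface}")
    for svc, port in REQUIRED.items():
        if svc not in f.get("services", []) and port not in f.get("ports", []):
            cmds.append(f"firewall-cmd {z} --add-service={svc}")
    rule = host_rule(printer_ip)
    if rule not in f.get("rich rules", []):
        cmds.append(f"firewall-cmd {z} --add-rich-rule='{rule}'")
    # verify before persisting: exit status 0 means the runtime rule is present
    cmds.append(f"firewall-cmd {z} --query-rich-rule='{rule}'")
    cmds.append("firewall-cmd --runtime-to-permanent")
    return cmds


if __name__ == "__main__":
    for dump in (PUBLIC_UNBOUND, HOME_PORTS_ONLY):
        zone = parse_zone(dump)
        print(zone["name"], audit(zone) or "ok")
        print("\n".join(remediation(zone, "192.168.1.129")))
```

Paste your own zone dump in place of the samples to check it. Note that the per-host accept rule admits every port and protocol from that address, which is why the thread later asks whether it is a security problem; the audit only tells you whether the zone is bound and the discovery ports are reachable, not which ports the printer actually needs.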

Do you specifically prefer using Vuescan over other scanning apps such as hp-scan or simple-scan?

Yes, that is correct. Vuescan has a much cleaner interface and can for instance handle multipage scans.

That’s because you’re using the home zone, so no interface assigned to the default (public) zone. There’s nothing wrong with using a different zone though.

As an experiment, you could try allowing all traffic from the IP address assigned to the HP device. For example, let’s assume 192.168.2.8…

firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.8" accept'

then see if Vuescan can discover the network scanner.

That fixed the problem!

Does this open the firewall completely for all data from 192.168.2.8? Is that a security problem?

How do I make this permanent?

Glad to have been of assistance! :slight_smile:

To make permanent…

sudo firewall-cmd --runtime-to-permanent

Reference:

--runtime-to-permanent

    Save active runtime configuration and overwrite permanent configuration with it. The way this is supposed to work is that when configuring firewalld you do runtime changes only and once you're happy with the configuration and you tested that it works the way you want, you save the configuration to disk.

Yes.

Is that a security problem?

Within a LAN environment (and usually behind a firewall) it is acceptable IMHO. With more analysis (e.g. Wireshark), you could probably determine what ports are being used for communication, and then adjust the firewall appropriately, but life is short and I would consider this firewall rule a pragmatic option for a trusted host on the network.

If you want a more general solution that works without opening your firewall to all traffic from this hard-coded IP address, there is this thread.