Network Scanning [Sane/Lexmark]

I know I started a similar thread previously. I checked it and nothing helped. I reinstalled my system a few weeks ago. Now I must configure network scanning.

I looked at SANE - ArchWiki and SDB:CUPS and SANE Firewall settings - openSUSE Wiki. With the firewall disabled, scanimage -L detects my scanner. YaST does the same. The problem is when the firewall is activated.

My /etc/sane.d/saned.conf (comment markers restored, as the forum rendered the `#` lines as headings):

```
# saned.conf
# Configuration for the saned daemon

## Daemon options
# Port range for the data connection. Choose a range inside [1024 - 65535].
# Avoid specifying too large a range, for performance reasons.
#
# ONLY use this if your saned server is sitting behind a firewall. If your
# firewall is a Linux machine, we strongly recommend using the
# Netfilter nf_conntrack_sane connection tracking module instead.
#
data_portrange = 10000 - 10100

## Access list
# A list of host names, IP addresses or IP subnets (CIDR notation) that
# are permitted to use local SANE devices. IPv6 addresses must be enclosed
# in brackets, and should always be specified in their compressed form.
#
# The hostname matching is not case-sensitive.

#scan-client.somedomain.firm
#192.168.0.1
#192.168.0.1/29
#[2001:db8:185e::42:12]
#[2001:db8:185e::42:12]/64

# NOTE: /etc/inetd.conf (or /etc/xinetd.conf) and
# /etc/services must also be properly configured to start
# the saned daemon as documented in saned(8), services(4)
# and inetd.conf(4) (or xinetd.conf(5)).

127.0.0.0/8
192.168.0.109/24
```

I opened TCP and UDP ports 6566 and 10000-10100. What am I doing wrong?

Network configuration:

Services on network:

Please use the Preformatted text button </> and NOT the Quote button ".

Hi. Sorry, but I cannot edit my post now.

That is correct, but I hope you remember that in the future so that people can really read and easily interpret your computer texts.

What I am doing currently:

  1. Ran skanlite
  2. Ran

```
while true; do sleep 1; lsof -iUDP -nP | grep -i skanlite; done
```

It shows skanlite requires UDP 3702 and 5353. Both were added. But UDP port 38090 also showed up. Skanlite still does not work when the firewall is enabled.

RE:
It’s odd.

```
skanlite  59694 slawomir 35u  IPv4 234451      0t0  UDP 192.168.0.137:49196
skanlite  59694 slawomir 36u  IPv6 234452      0t0  UDP [fe80::c3ca:9c37:446:38f3]:59903
skanlite  59694 slawomir 33u  IPv4 240175      0t0  UDP *:3702
skanlite  59694 slawomir 34u  IPv6 240176      0t0  UDP *:3702
skanlite  59694 slawomir 35u  IPv4 234451      0t0  UDP 192.168.0.137:49196
skanlite  59694 slawomir 36u  IPv6 234452      0t0  UDP [fe80::c3ca:9c37:446:38f3]:59903
skanlite  59694 slawomir 33u  IPv4 240175      0t0  UDP *:3702
skanlite  59694 slawomir 34u  IPv6 240176      0t0  UDP *:3702
skanlite  59694 slawomir 35u  IPv4 234451      0t0  UDP 192.168.0.137:49196
skanlite  59694 slawomir 36u  IPv6 234452      0t0  UDP [fe80::c3ca:9c37:446:38f3]:59903
```

It looks like skanlite tries to open random ports, so maybe the firewall prevents this. I would not want to mess up my system by opening each port or disabling the firewall.

@Lachu: Are you using a saned server in the mix? Or just trying to use a network scanner device?

The firewall should not prevent solicited traffic. I would suggest allowing all traffic from the scanner IP address…

```
sudo firewall-cmd --zone=<zone_name> --add-source=<specific_ip>/32 --permanent
```

```
sudo firewall-cmd --zone=public --add-source=192.168.0.109/32 --permanent
```

Did not work.

You need to either restart firewalld or modify run-time configuration explicitly.

Yes, I did this. I saw this page: firewalld-cmd Command in Linux: 24 Examples, so I enabled logging with `sudo firewall-cmd --set-log-denied=all`, but there is no additional information inside /var/log/firewalld. Maybe it is related to connections established from my machine, not to incoming connections?

Denies are emitted by kernel and go wherever kernel logs go (should be in journal at least or dmesg). /var/log/firewalld only contains (debug) messages from firewalld itself.

Is this not the same? Only the zone was changed.

```
[   32.427864] [      C5] filter_IN_private_REJECT: IN=wlp2s0 OUT= MAC= SRC=192.168.0.137 DST=224.0.0.251 LEN=235 TOS=0x00 PREC=0x00 TTL=255 ID=62472 DF PROTO=UDP SPT=5353 DPT=5353 LEN=215
[   32.678290] [      C0] filter_IN_private_REJECT: IN=wlp2s0 OUT= MAC= SRC=192.168.0.137 DST=224.0.0.251 LEN=235 TOS=0x00 PREC=0x00 TTL=255 ID=62512 DF PROTO=UDP SPT=5353 DPT=5353 LEN=215
[   32.928968] [      C1] filter_IN_private_REJECT: IN=wlp2s0 OUT= MAC= SRC=192.168.0.137 DST=224.0.0.251 LEN=235 TOS=0x00 PREC=0x00 TTL=255 ID=62514 DF PROTO=UDP SPT=5353 DPT=5353 LEN=215
[   32.962602] [      C4] filter_IN_private_REJECT: IN=wlp2s0 OUT= MAC= SRC=192.168.0.137 DST=255.255.255.255 LEN=2158 TOS=0x00 PREC=0x00 TTL=64 ID=61683 PROTO=UDP SPT=1716 DPT=1716 LEN=2138
[   32.962953] [      C4] filter_IN_private_REJECT: IN=wlp2s0 OUT= MAC= SRC=192.168.0.137 DST=224.0.0.251 LEN=68 TOS=0x00 PREC=0x00 TTL=1 ID=62522 DF PROTO=UDP SPT=46450 DPT=5353 LEN=48
[   33.129681] [      C5] filter_IN_private_REJECT: IN=wlp2s0 OUT= MAC= SRC=192.168.0.137 DST=224.0.0.251 LEN=217 TOS=0x00 PREC=0x00 TTL=255 ID=62532 DF PROTO=UDP SPT=5353 DPT=5353 LEN=197
[   34.188951] [      C3] filter_IN_private_REJECT: IN=wlp2s0 OUT= MAC= SRC=192.168.0.137 DST=224.0.0.251 LEN=217 TOS=0x00 PREC=0x00 TTL=255 ID=62678 DF PROTO=UDP SPT=5353 DPT=5353 LEN=197
[   36.247579] [      C5] filter_IN_private_REJECT: IN=wlp2s0 OUT= MAC= SRC=192.168.0.137 DST=224.0.0.251 LEN=217 TOS=0x00 PREC=0x00 TTL=255 ID=62685 DF PROTO=UDP SPT=5353 DPT=5353 LEN=197
[  682.575272] [    T882] BTRFS info (device nvme0n1p4): qgroup scan completed (inconsistency flag cleared)
[ 2628.644702] [      C1] filter_IN_private_REJECT: IN=wlp2s0 OUT= MAC= SRC=192.168.0.137 DST=224.0.0.251 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=65320 DF PROTO=UDP SPT=5353 DPT=5353 LEN=53
```

It seems there were ports, such as 1716, which could be closed.
I wonder why 5353 was rejected?

```
[ 1694.318671] [      C6] filter_IN_private_REJECT: IN=wlp2s0 OUT= MAC= SRC=192.168.0.137 DST=255.255.255.255 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=42403 DF PROTO=UDP SPT=5353 DPT=5353 LEN=49
```

This seems to show that the firewall prevents programs from sending MAC broadcast (Ethernet protocol, as I remember) messages. Or IP broadcast; I cannot read this information yet.
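The kernel REJECT lines quoted above already say which zone dropped each packet: firewalld names its logging chains `filter_IN_<zone>_REJECT`, and the rest of the line gives the ingress interface, protocol, destination address and destination port (224.0.0.251 is the mDNS multicast group, 255.255.255.255 the limited broadcast address). As an added example, not code from any poster in this thread, here is a POSIX shell filter that reduces such a dmesg or journal capture to a hit count per zone, interface, protocol, port and destination, and labels the few port numbers this thread mentions with the service they normally carry. The sample lines are constructed after the ones quoted above (the `public`-zone 3702 line is invented for illustration); on a live system feed it `dmesg` or `journalctl -k` instead.

```shell
#!/bin/sh
# Added example (not from this thread): summarise firewalld REJECT log lines.
# firewalld logs via chains named filter_IN_<zone>_REJECT, so the zone that
# rejected a packet is recoverable from the chain name on each line.

# Constructed sample, modelled on the dmesg output quoted in the thread.
SAMPLE_LOG='[   32.427864] [      C5] filter_IN_private_REJECT: IN=wlp2s0 OUT= MAC= SRC=192.168.0.137 DST=224.0.0.251 LEN=235 TOS=0x00 PREC=0x00 TTL=255 ID=62472 DF PROTO=UDP SPT=5353 DPT=5353 LEN=215
[   32.962602] [      C4] filter_IN_private_REJECT: IN=wlp2s0 OUT= MAC= SRC=192.168.0.137 DST=255.255.255.255 LEN=2158 TOS=0x00 PREC=0x00 TTL=64 ID=61683 PROTO=UDP SPT=1716 DPT=1716 LEN=2138
[   32.962953] [      C4] filter_IN_private_REJECT: IN=wlp2s0 OUT= MAC= SRC=192.168.0.137 DST=224.0.0.251 LEN=68 TOS=0x00 PREC=0x00 TTL=1 ID=62522 DF PROTO=UDP SPT=46450 DPT=5353 LEN=48
[  682.575272] [    T882] BTRFS info (device nvme0n1p4): qgroup scan completed (inconsistency flag cleared)
[ 2628.644702] [      C1] filter_IN_public_REJECT: IN=wlp2s0 OUT= MAC= SRC=192.168.0.137 DST=239.255.255.250 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=65320 DF PROTO=UDP SPT=3702 DPT=3702 LEN=53'

# Label a (proto, dport) pair with the well-known service it usually means, so
# the table reads as "what was blocked" rather than raw numbers. Only the
# assignments the author is certain of are listed; anything else is "unknown".
label_port() {
  case "$1/$2" in
    UDP/5353)          echo mdns ;;          # DNS-SD / Avahi / Bonjour discovery
    UDP/3702)          echo ws-discovery ;;  # WSD printer/scanner discovery
    UDP/1716|TCP/1716) echo kdeconnect ;;
    *)                 echo unknown ;;
  esac
}

# Read kernel log lines on stdin; print one line per distinct
# zone/iface/proto/dport/dst with a hit count, most frequent first.
# Non-firewall lines (e.g. the BTRFS message) are dropped by the grep.
summarize_rejects() {
  grep -o 'filter_IN_[^ ]*_REJECT: .*' \
  | while IFS= read -r line; do
      chain=${line%%:*}
      zone=${chain#filter_IN_}; zone=${zone%_REJECT}
      iface=''; proto=''; dport=''; dst=''
      for kv in $line; do            # split the KEY=VALUE tokens
        case "$kv" in
          IN=*)    iface=${kv#IN=} ;;
          PROTO=*) proto=${kv#PROTO=} ;;
          DPT=*)   dport=${kv#DPT=} ;;
          DST=*)   dst=${kv#DST=} ;;
        esac
      done
      printf '%s %s %s %s %s %s\n' "$zone" "$iface" "$proto" "$dport" "$dst" \
        "$(label_port "$proto" "$dport")"
    done \
  | sort | uniq -c | sort -rn
}

# Stand-alone run over the constructed sample; on a real host use
#   dmesg | summarize_rejects      or      journalctl -k --no-pager | summarize_rejects
printf '%s\n' "$SAMPLE_LOG" | summarize_rejects
```

The count column makes it obvious which rejects are periodic discovery chatter (mDNS to 224.0.0.251 every second or so) versus one-off broadcasts, and the zone column tells you which zone's service list actually needs the `mdns` entry, which is the mistake the thread eventually finds.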

Sorry guys. I am stupid. I have a bachelor's degree in IT, but did not understand zones. When I read the output of firewall-cmd, I saw that my wireless network card is inside the public zone. It worked because I had added similar rules to a zone other than public.

```
scanimage -L
device `LexmarkLegacy_1_0_0:libnet/002000AAC12A' is a Lexmark Pro200-S500 Series Scanner
```

Can somebody explain to me why? Can anybody explain to me how to clean up the system, exactly which ports to open and in which zone? Thanks!

When I type `firewall-cmd --list-all-zones`, I get that public is the default and active, but private is also active. I think I got a conjunction of the public and private sets. But private does not have any interfaces listed.

I created the private zone due to some article on the web. I deleted it and everything is still working. I have these ports opened now:

  1. TCP: 6566, 10000-10100, 30000-30100, 38000-38100, 5353
  2. UDP: 5353, 8610, 8612, 6566, 10000-10100, 30000-30100, 3702, 38000-38100, 38840, 1716
  3. Services: dhcpv6-client, ipp, kdeconnect, mdns, sane, slp

What can I turn off? I added the slp, mdns, sane and ipp services. For ports, I only need those for sane and kdeconnect open.

I am by no means an expert in these firewall rules, but what I have understood from the threads here over the years is that those names are just names. They could be “bob” and “alice”, etc., but there are some preconfigured names to make configuration easier.
The only thing you do is tell which network devices on the system belong to which zone. Remember that a true firewall connects the outside world to the LAN (or WAN) and eventually to a de-militarised network. So it must be known which network devices connect to which “zone” (there can be more than one device connected to a zone). So why not name the zones for what they most probably represent? You can use those names or use others of your own design.

When that is done, one can decide which traffic to which zone is allowed or not.
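The zone model the post above describes is what tripped the thread up: a zone can be bound to interfaces, to source addresses, or both, and a zone with only a source binding is still "active" (which is why `private` showed as active with no interfaces listed). As an added example, not code from any poster here, the following POSIX shell script parses the text that `firewall-cmd --get-active-zones` prints (zone name, then indented `interfaces:` / `sources:` lines) and resolves which zone firewalld applies to a packet from a given IPv4 source arriving on a given interface, using firewalld's documented precedence: source bindings first, then the ingress interface's zone, then the default zone. The active-zones text and default zone name are constructed to mirror this thread (wlp2s0 in `public`, a `private` zone bound to 192.168.0.109/32); IPv6 sources are not handled.

```shell
#!/bin/sh
# Added example (not from this thread): which firewalld zone handles a packet?
# A zone bound only to sources is consulted before interface-bound zones, so a
# service added to the interface's zone does nothing for traffic whose source
# matches another zone, and vice versa.

# Constructed stand-in for `firewall-cmd --get-active-zones` output.
ACTIVE_ZONES='public
  interfaces: wlp2s0
private
  sources: 192.168.0.109/32 10.0.0.0/8'
DEFAULT_ZONE=public   # what `firewall-cmd --get-default-zone` would print (assumed)

# Flatten to one "zone kind value" triple per line for easy matching.
flatten_zones() {
  awk '/^[^ ]/ { zone = $1; next }
       /^ +(interfaces|sources):/ { kind = $1; sub(":", "", kind)
                                    for (i = 2; i <= NF; i++) print zone, kind, $i }'
}

# Dotted-quad IPv4 address -> integer (IPv6 is out of scope for this example).
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET[/BITS] -> success when ADDR lies inside NET (a bare address is /32).
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  case "$2" in */*) ;; *) bits=32 ;; esac
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# effective_zone IFACE SRC -> the zone whose rules firewalld applies to that packet.
effective_zone() {
  iface=$1; src=$2
  flat=$(printf '%s\n' "$ACTIVE_ZONES" | flatten_zones)
  # 1. source bindings take precedence over everything else
  hit=$(printf '%s\n' "$flat" | while read -r zone kind value; do
          if [ "$kind" = sources ] && in_cidr "$src" "$value"; then echo "$zone"; break; fi
        done)
  # 2. then the zone the ingress interface is bound to
  if [ -z "$hit" ]; then
    hit=$(printf '%s\n' "$flat" | while read -r zone kind value; do
            if [ "$kind" = interfaces ] && [ "$value" = "$iface" ]; then echo "$zone"; break; fi
          done)
  fi
  # 3. otherwise the default zone
  echo "${hit:-$DEFAULT_ZONE}"
}

# Stand-alone run: where do packets from a few sources on wlp2s0 land?
for s in 192.168.0.109 192.168.0.1 10.20.30.40; do
  printf '%-15s on wlp2s0 -> zone %s\n' "$s" "$(effective_zone wlp2s0 "$s")"
done
```

With these bindings the scanner's own packets (192.168.0.109) are judged by the `private` zone while everything else on the Wi-Fi card is judged by `public`, so `--add-service=mdns` has to go on whichever zone the script reports for the traffic that is being rejected; on a real host replace `ACTIVE_ZONES` with the live command output, or just ask `firewall-cmd --get-zone-of-interface=wlp2s0` for the interface part.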

OK. I tried to configure my scanner on another machine and this configuration works:



Sorry the windows are in Polish. If somebody need, I will do screenshots in English.

My mistake (posted in a hurry). It should have been a rich rule to allow traffic from a particular source IP address…

```
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.109/32" accept'
```

then make permanent once tested…
```
firewall-cmd --runtime-to-permanent
```


I did some research. I removed the entire port list except UDP 5353. I have only mdns in services (and dhcpv6-client and kdeconnect, in case somebody has problems). Even adding sane and removing 5353 did not work correctly. I found that the sane service is for sharing scanners with other computers.
So everything seems to work with this minimal setup. This is the fate of people reading advice on the network without understanding. If I had not added the private zone, I would not have lost my time (and yours too, sorry).

If you are only interested in discovery of a multi-function device, it is usually sufficient to allow mdns (for DNS-SD) traffic only. As I mentioned already, the act of scanning generally only involves solicited traffic, so it should not be prevented by firewalld.