I know, I started a similar thread previously. I checked it and nothing helps. I reinstalled my system a few weeks ago. Now I must configure network scanning.
while true; do sleep 1; lsof -iUDP -nP | grep -i skanlite ; done
It shows skanlite requires 3702 UDP and 5353. Both were added. But it also showed a 38090 UDP port. Skanlite still does not work when the firewall is enabled.
Yes, I did this. I saw this page: firewalld-cmd Command in Linux: 24 Examples, so I enabled logs by: sudo firewall-cmd --set-log-denied=all, but there is no additional information inside /var/log/firewalld. Maybe it is related to a connection established from my machine, not from an incoming connection?
Denies are emitted by the kernel and go wherever kernel logs go (should be in the journal at least, or dmesg). /var/log/firewalld only contains (debug) messages from firewalld itself.
It seems the firewall prevents programs from sending MAC broadcast (Ethernet protocol, as I remember) messages. Or IP broadcast - I cannot read this information yet.
Sorry guys. I am stupid. I have a bachelor of IT degree, but did not understand zones. When I read from firewall-cmd, I got that my wireless network card is inside the public zone. It worked because I added similar rules to a zone other than public.
scanimage -L
device `LexmarkLegacy_1_0_0:libnet/002000AAC12A' is a Lexmark Pro200-S500 Series Scanner
Can somebody explain to me why? Can anybody explain to me how to clean up the system, and exactly which ports to open and on which zone? Thanks!
When I type firewall-cmd --list-all-zones, I get that public is the default and active, but private is also active. I think I got a conjunction of the public and private sets. But private does not have interfaces listed.
I am by no means an expert in these firewall rules, but what I have understood from the threads here over the years is that those names are just names. They could be "bob" and "alice", etc., but there are some preconfigured names to make configuration easier.
The only thing you do is tell which network devices on the system belong to which zone. Remember that a true firewall connects the outside world to the LAN (or WAN) and eventually to a demilitarised network. So it must be known which network devices connect to which "zone" (there can be more than one device connected to a zone). So why not name the zones after what they most probably represent? You can use those names or use others of your own design.
When that is done, one can decide which traffic to which zone is allowed or not.
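As an added illustration (not code from any poster in this thread), the following shell function walks constructed `firewall-cmd --list-all-zones` output, reports each active zone with its interfaces, services and ports, and flags an active zone that has no interface or source bound, which is the "private is active but lists no interfaces" situation described above. The sample text, the interface name wlp3s0 and the function name active_zone_report are assumptions.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --list-all-zones` output (not captured
# from any machine in the thread); only the fields the check reads are filled in.
SAMPLE_ZONES='public (default, active)
  target: default
  interfaces: wlp3s0
  sources:
  services: dhcpv6-client mdns ssh
  ports: 5353/udp 3702/udp
private (active)
  target: default
  interfaces:
  sources:
  services: mdns sane
  ports:
home
  target: default
  interfaces:
  sources:
  services: dhcpv6-client
  ports:
'

# One line per active zone; a zone that is active without any interface or
# source is flagged, since its rules apply yet nothing is visibly bound to it.
active_zone_report() {
  printf '%s' "$1" | awk '
    /^[^ ]/ {                               # zone header, e.g. "public (active)"
      if (zone != "" && active) emit()
      zone = $1; active = ($0 ~ /active/)
      ifs = ""; srcs = ""; svcs = ""; ports = ""
      next
    }
    /^  interfaces:/ { sub(/^  interfaces: */, ""); ifs = $0 }
    /^  sources:/    { sub(/^  sources: */, "");    srcs = $0 }
    /^  services:/   { sub(/^  services: */, "");   svcs = $0 }
    /^  ports:/      { sub(/^  ports: */, "");      ports = $0 }
    END { if (zone != "" && active) emit() }
    function emit(    line) {
      line = zone ": interfaces=[" ifs "] services=[" svcs "] ports=[" ports "]"
      if (ifs == "" && srcs == "")
        line = line " WARNING: active with no interface or source bound"
      print line
    }'
}

active_zone_report "$SAMPLE_ZONES"
# On a live system: active_zone_report "$(sudo firewall-cmd --list-all-zones)"
```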
I did some research. I removed the entire port list, but not UDP 5353. I have only mdns in services (and dhcpv6-client and kdeconnect, if somebody had problems). Even adding sane and removing 5353 did not work correctly. I found the sane service is for sharing scanners with other computers.
So everything seems to work with this minimal setup. This is the fate of people reading some advice on networking without understanding. If I had not added the private zone, I would not have lost my time (and yours too, sorry).
If you are only interested in discovery of a multi-functional device, it is usually sufficient to allow mdns (for DNS-SD) traffic only. As I mentioned already, the act of scanning generally only involves solicited traffic, so it should not be prevented by firewalld.