OS 13.1 - Firewall prevent client to configure scanning via network using yast2

hello,
Following SDB:CUPS and SANE Firewall settings - openSUSE I have added:

FW_TRUSTED_NETS="192.168.xxx.0/24,tcp,30000:30100"
FW_SERVICES_ACCEPT_RELATED_EXT="192.168.xxx.0/24,tcp,30000:30100"

directly in the firewall config file: /etc/sysconfig/SuSEfirewall2

I am unable to configure a client on the network to use the scanner until I stop the firewall on the server the scanner is connected to.

Any help is welcome

Remove the ‘xxx’ bits and put in the real network address from your
network. Perhaps you meant to hide something, but there’s no point since
you’re on a private network anyway and most of us probably use the same IP
ranges, and none of us could reach each other no matter which private
networking is used.

Also note that in that article you cited:

Code:

Note that FW_TRUSTED_NETS does not allow incomming UDP broadcast packages.
To accept also UDP broadcast packages specify the matching UDP port(s)
where UDP broadcast packages should be accepted via
FW_ALLOW_FW_BROADCAST_EXT in the firewall configuration.

Perhaps you need to add the FW_ALLOW_FW_BROADCAST_EXT parameter as mentioned.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

I have set the firewall to log all errors.
I got this one:

nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. **Use the iptables CT target to attach helpers instead**.

So what am I supposed to do?

FW_ALLOW_FW_BROADCAST_EXT="6566"

Here is a TCPDUMP with the firewall off → scanner configuration possible (in the following, 192.168.130.104 is a Samsung laser color printer which is offline):
http://paste.opensuse.org/74504517

Here is a TCPDUMP with the firewall ON → scanner configuration not possible (in the following, 192.168.130.104 is a Samsung laser color printer which is offline):
SUSE Paste

Here is the SuSEfirewall config:
SUSE Paste

Log message when the firewall is OFF:
SUSE Paste

Log message when the firewall is ON:
SUSE Paste

Any help is welcome

Guessing that the ports needed are blocked based on your original post as
well as this:

Code:

192.168.130.80.58636 > LINUX-TEST-123.hathor-nwk.sane-port: Flags
[F.], cksum 0xf07b (correct), seq 26, ack 106, win 115, options
[nop,nop,TS val 9280945 ecr 9273623], length 0

LINUX-TEST-123.hathor-nwk.sane-port > 192.168.130.80.58636: Flags [.],
cksum 0xf00b (correct), seq 106, ack 26, win 227, options [nop,nop,TS val
9273624 ecr 9280945], length 0

Notice that the source port from the unsolicited packet from
192.168.130.80 (presumably the other system) is up in the 50k range, not
the 30k range that you have allowed. Fix it.


Good luck.


I can’t fix the port of the caller (192.168.130.80).
It is always above 50000:
192.168.130.80.60045 > LINUX-TEST-123.hathor-nwk.sane-port:

On the server side:

The firewall is configured as:
FW_SERVICES_ACCEPT_RELATED_EXT="192.168.130.0/24,tcp,30000:30100"
FW_TRUSTED_NETS="192.168.130.0/24,tcp,30000:30100"
FW_ALLOW_FW_BROADCAST_EXT="yes"
FW_SERVICES_EXT_TCP="14245" (for ssh)
**Should I add 30000:30100**?

What about: FW_SERVICES_ACCEPT_EXT=""

The network scan stuff is configured as:

1°) Server settings:
Permitted client and port range is set (port 30000-30100; client IP address 192.168.130.0/24)
2°) Client settings:
connect_timeout=60,localhost

On the client side (192.168.130.80):
Options of yast2/scanner/scan_via_network
1°) Client settings:
192.168.130.100,connect_timeout=60,data_portrange=30000-30100,

IMO the referenced SDB article might have been a bit misleading.
By including excerpts in the article from the firewall config file, it suggests those are the settings that should be manually configured.

But, if you <read> the article in its entirety, it does describe the steps that should be configured <using the YAST FW applet> and IMO should be followed accordingly. The fw configs should be referenced <only> if you want to verify but isn’t likely necessary.

The bottom line is that if you use the YAST FW applet, it’s easy to visualize what you’re doing in each of the fw zones. You might be able to do the same editing the config files manually, but could also make a serious error that would have been apparent using the applet.

IMO,
TSU

OK, but there is still one problem.
In the following:
192.168.130.104 is a laser printer which is offline
60:a4:4c:7d:b9:28 (192.168.130.80) is the client
00:24:1d:c1:99:ba (192.168.130.100 LINUX-TEST-123) is the server the scanner is attached to.

14:15:46.378984 60:a4:4c:7d:b9:28 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.130.104 tell 192.168.130.80, length 46

14:15:48.584805 60:a4:4c:7d:b9:28 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has LINUX-TEST-123.hathor-nwk tell 192.168.130.80, length 46

14:15:48.584865 00:24:1d:c1:99:ba (oui Unknown) > 60:a4:4c:7d:b9:28 (oui Unknown), ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply LINUX-TEST-123.hathor-nwk is-at 00:24:1d:c1:99:ba (oui Unknown), length 28

14:15:48.584939 60:a4:4c:7d:b9:28 (oui Unknown) > 00:24:1d:c1:99:ba (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 64208, offset 0, flags [DF], proto TCP (6), length 60)

    **192.168.130.80.58579** > LINUX-TEST-123.hathor-nwk.sane-port: Flags [S], cksum 0x9fce (correct), seq 4013898379, win 14600, options [mss 1460,sackOK,TS val 8634459 ecr 0,nop,wscale 7], length 0

As you can see, the client is calling the server with an unauthorized port (58579).
On the server side, the authorized ports are 30000-31000.

How to fix that?

By the way, I must say that there is no firewall running on the clients.
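As an added check (example code written for this edit, not from any poster in the thread), the following parses the tcpdump lines quoted above and, for every packet arriving at the saned host, separates the server-side destination port from the client-side source port. In a TCP connection the client's source port is chosen by its own TCP stack from the ephemeral range, so a server-side firewall rule is matched against the destination port; the mapping sane-port = 6566/tcp and the allowed range 30000-30100 are taken from the thread and /etc/services.

```python
import re

# Constructed sample: tcpdump lines copied from the thread (ARP lines are ignored by the parser).
SAMPLE = """\
14:15:48.584939 60:a4:4c:7d:b9:28 (oui Unknown) > 00:24:1d:c1:99:ba (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 64208, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.130.80.58579 > LINUX-TEST-123.hathor-nwk.sane-port: Flags [S], cksum 0x9fce (correct), seq 4013898379, win 14600, options [mss 1460,sackOK,TS val 8634459 ecr 0,nop,wscale 7], length 0
192.168.130.80.58636 > LINUX-TEST-123.hathor-nwk.sane-port: Flags [F.], cksum 0xf07b (correct), seq 26, ack 106, win 115, options [nop,nop,TS val 9280945 ecr 9273623], length 0
LINUX-TEST-123.hathor-nwk.sane-port > 192.168.130.80.58636: Flags [.], cksum 0xf00b (correct), seq 106, ack 26, win 227, options [nop,nop,TS val 9273624 ecr 9280945], length 0
"""

SERVER = "LINUX-TEST-123.hathor-nwk"          # the saned host, as tcpdump names it in the capture
SERVICES = {"sane-port": 6566}                # tcpdump prints names from /etc/services; sane-port is 6566/tcp
ALLOWED_SERVER_PORTS = set(range(30000, 30101))  # the data port range opened in the poster's firewall config

# "src.sport > dst.dport: Flags [..]" ; host names may themselves contain dots, so the split is on the last dot.
FLOW_RE = re.compile(r"^\s*(\S+)\.(\S+) > (\S+)\.(\S+): Flags \[([^\]]*)\]")


def to_port(name):
    """Numeric port, or the service name tcpdump substituted for it."""
    return int(name) if name.isdigit() else SERVICES[name]


def parse_flows(text):
    """Return one dict per TCP line: src, sport, dst, dport and the TCP flags string."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # ARP lines and IPv4 header lines carry no TCP port pair
        src, sport, dst, dport, flags = m.groups()
        flows.append({"src": src, "sport": to_port(sport), "dst": dst,
                      "dport": to_port(dport), "flags": flags})
    return flows


def server_ports_needed(flows, server=SERVER):
    """Map each destination port seen at the server to the client source ports that used it.
    Only the destination port is something the server-side rule has to accept."""
    needed = {}
    for f in flows:
        if f["dst"] == server:
            needed.setdefault(f["dport"], set()).add(f["sport"])
    return needed


def new_connections(flows, server=SERVER):
    """(client, server port) for every connection attempt, i.e. a bare SYN, aimed at the server."""
    return [(f["src"], f["dport"]) for f in flows if f["dst"] == server and f["flags"] == "S"]


def report(flows, allowed=ALLOWED_SERVER_PORTS):
    """One line per server port, saying whether the poster's allowed range covers it."""
    lines = []
    for dport, sports in sorted(server_ports_needed(flows).items()):
        status = "allowed" if dport in allowed else "NOT in allowed range"
        lines.append(f"server port {dport}: {status}; client source ports seen {sorted(sports)}")
    return lines
```

Running `report(parse_flows(SAMPLE))` on the capture shows that every packet reaching the server is aimed at port 6566, while 58579 and 58636 are only the client's source ports.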

>
> As you can see, the client is calling the server with an unauthorized
> port (58579).
> On the server side, the authorized ports are 30000-31000.

Authorized because you set them that way in the firewall configuration,
right? If the ports in the documentation do not match your needs, fix it
(as mentioned before).

> How to fix that?

The same steps you took to open ports 30000-31000, except change out the
‘30’ for ‘50’ and the ‘31’ for ‘60’, or whatever is right per these printers.


Good luck.
