some issue with cups and firewall

nevegsuse · August 31, 2009, 3:04pm

As in object, I’ve some problem to configure cups in my desktop <opensuse 11.0>. The most big problem I think it is with firewall. I’ve noticed I can’t see my server cups if firewall is on, also if I configure ‘service ipp’ in my external zone eth0.
For say all, I don’t trust to much firewall, due to strange behavior, from yast if it’s running and I try to stop it, I can’t… it is unable do it, I must deactivate it from boot and restart it… hmmh
Now I’ve disable it, and my cups work fine in local and from client as well. But this is not of course the solution I want !

thx for any advice you could give me…

ab · August 31, 2009, 4:36pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Assuming you have configured the required ports in the firewall to be open
(631 I presume) and the service is listening on all IP addresses (and not
just localhost, which I believe is the default) I do not know why you
would have problems otherwise. Stopping the firewall is fairly reliable
using Yast but if not the following has always worked for me:

rcSuSEfirewall2 stop

Good luck.

nevegsuse wrote:
> As in object, I’ve some problem to configure cups in my desktop
> <opensuse 11.0>. The most big problem I think it is with firewall. I’ve
> noticed I can’t see my server cups if firewall is on, also if I
> configure ‘service ipp’ in my external zone eth0.
> For say all, I don’t trust to much firewall, due to strange behavior,
> from yast if it’s running and I try to stop it, I can’t… it is unable
> do it, I must deactivate it from boot and restart it… hmmh
> Now I’ve disable it, and my cups work fine in local and from client as
> well. But this is not of course the solution I want !
>
> thx for any advice you could give me…
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJKm9/ZAAoJEF+XTK08PnB5CgAP/15vjuVggpEmviq6/isj7IcM
WjcCgcj4huiYKqzJuNwPTLVVxRlx9+i13ameJ9gVQ668+nCm5/Pf29uaeA7RSlHm
82/E1nIcjAoNzl5jQMqlZSbaqjtiRsgd+9olan5nbIhxLVcM+94zlNBJB5/aWrH1
KTN9PyDUBUj5iezsdd84IMefBleAk1MLXecjd+RjYF/kUsFM+9IjrOHdDU2HWhQk
OZwLt5IlnHbVFlrgXp2ly+IZO+LwXyHzjF3gbvqxhz6nHSQp3EKsYpTSrm9sPqR8
ocG4vC/AdmhUrB/o5R8cPN0AH0iVUf41+2HGU9OcJPedy4rufSP5EjTwn201FQ61
lzJ0Qpxpk5HBMp2/cyFXR5fEZgxK9WW0cgy7yuUdhx3IEgjb7Gob7vZfOk/ti8iH
uUv7Y4TnAmZWCK/aa3ufDvptius/q4hXgWIdUHlMH6jHqQGtsJLaXWmnttJLYCjw
64/8uJbPAH3nCHNKuRTiGrJNTLzzjCjpMPi/g887V/LnYJrXhaPMF4eiRMDF3jDI
fY/qcSRcR51x9CLFCmu7GxiXlz/swhZwDNiWeo+sGZAblfLhqv+EuxIRPfIiXJu8
vIjwEA80OIBAIJJTtgu7fR0XRhUk+JP8El8tWjbPmnbIx3M+wVoe/l7eKrAM8cKJ
crG3QOskSWNl99MX1LPZ
=8xdT
-----END PGP SIGNATURE-----

vodoo · August 31, 2009, 5:47pm

Can you tell us a little bit more about your setup?

My print server (which is part of the LAN and has a printer attached) uses the following firewall rule:

FW_SERVICES_EXT_TCP=“515 631 domain ipp smtp ssh”

This works for me. Likely there is something wrong with your firewall configuration. You should be able to start and stop it with the following commands (as root):

rcSuSEfirewall2 stop
rcSuSEfirewall2 start

If that doesn’t work something is terribly wrong. You may want to show the output of:

cat /etc/sysconfig/SuSEfirewall2 | sed -e "/^#/d" -e "/^$/d"

nevegsuse · August 31, 2009, 5:52pm

hi ab

thx for your answer… yes you are on the way

it seem probably more a problem of firewall then yast…

after boot if I check status of firewall with command “SuSEfirewall status” I don’t see port 613 enabled, notice service cups is in the list yast>firewall

…and if I type SuSEfirewall stop I get this output:

pulsarx:/home/myhome # SuSEfirewall2 stop
SuSEfirewall2: /var/lock/SuSEfirewall2.booting exists which means system boot in progress, exit.

googling, this has remaind me to this link [Bug 387075] New: rcSuSEfirewall2 stop silently fails (/var/lock/ SuSEfi](http://lists.opensuse.org/opensuse-bugs/2008-05/msg02434.html)
as u advice me if I type “rcSuSEfirewall2 start” everything go fine… it seem firewall doesn’t boot fine for some reason.

So now If I restart firewall from command line after boot I get firewall on and cups server “visible” from client I can print ! …so ok, “firewall boot” is another problem I need check…

But I don’t understand why from a client I’m unable to see printers with browser http://192.168.52.57:631/printers/ ?!?

it gives me “Access denied”

but I think I must access it with this /etc/cups/cupsd.conf


LogLevel info
SystemGroup sys root
# Allow remote access
#Port 631
Listen localhost:631
Listen 192.168.52.57:631
Listen /var/run/cups/cups.sock
# Enable printer sharing and shared printers.
Browsing On
BrowseOrder allow,deny
BrowseAllow @LOCAL
BrowseAddress @LOCAL
<Location />
AuthType None
Allow From all
  # Allow shared printing and remote administration...
Order Allow,Deny
Allow From all
</Location>
<Location /admin>
Allow From all
  # Allow remote administration...
Order allow,deny
Allow From all
</Location>
<Location /admin/conf>
Allow From all
  # Allow remote access to the configuration files...
Order allow,deny
Allow From all
</Location>
<Policy default>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit> 
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit> 
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit> 
<Limit CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit> 
<Limit All>
Order deny,allow
</Limit> 
</Policy> 
BrowseAddress @LOCAL
<Location /classes>
Allow From all
Order Allow,Deny
</Location>
<Location /printers>
Allow From all
Order Allow,Deny
</Location>

thx in advance

nevegsuse · September 1, 2009, 10:49am

thx vodoo

here the output:


pulsarx:/home/myhome# cat /etc/sysconfig/SuSEfirewall2 | sed -e "/^#/d" -e "/^$/d"
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP="631"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT="cups"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT=""
FW_ALLOW_FW_BROADCAST_INT=""
FW_ALLOW_FW_BROADCAST_DMZ=""
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT="yes"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""

btw I can confirm this status:

I boot… and my server cups is not visible from client… if I check with “SuSEfirewall2 status” I get this output <notice no port 631 is open (but in yast service cups is allowed) > :


pulsarx:/home/myhome# SuSEfirewall2 status
### iptables filter ###
Chain INPUT (policy DROP 99 packets, 11473 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   28  2122 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  188 50194 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 279 packets, 54985 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   28  2122 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           

Chain reject_func (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-proto-unreachable 

### iptables mangle ###
Chain PREROUTING (policy ACCEPT 318 packets, 64682 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 315 packets, 63789 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 307 packets, 57107 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 355 packets, 63047 bytes)
 pkts bytes target     prot opt in     out     source               destination         

### iptables nat ###
Chain PREROUTING (policy ACCEPT 53 packets, 5909 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 101 packets, 20889 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 101 packets, 20889 bytes)
 pkts bytes target     prot opt in     out     source               destination

So if after this check I type :

pulsarx:/home/myhome# rcSuSEfirewall2 force-reload
Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning: no default firewall zone defined, assuming ‘ext’
pulsarx:/home/myhome#

And now if I check the firewall status It seem port 631 be open… or better client see server cups, here the output after:


pulsarx:/home/myhome# SuSEfirewall2 status
### iptables filter ###
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1880  915K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 1162  868K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED 
  493 57069 input_ext  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 input_ext  all  --  vboxnet0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 input_ext  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING ' 

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1880  915K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 1237  182K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR ' 

Chain forward_ext (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_ext (3 references)
 pkts bytes target     prot opt in     out     source               destination         
  460 55041 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4 
    2   120 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    1    60 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:631 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631 
    4   264 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
    4   264 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast 
   15   720 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
    6   540 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV ' 
   26  1584 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain reject_func (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-proto-unreachable 

### iptables mangle ###
Chain PREROUTING (policy ACCEPT 3946 packets, 1914K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 3937 packets, 1912K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3429 packets, 1154K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 3504 packets, 1164K bytes)
 pkts bytes target     prot opt in     out     source               destination         

### iptables nat ###
Chain PREROUTING (policy ACCEPT 609 packets, 67683 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 191 packets, 30177 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 191 packets, 30177 bytes)
 pkts bytes target     prot opt in     out     source               destination

mah ?!? :sarcastic:

thx

vodoo · September 1, 2009, 7:47pm

Hi nevegsuse

In the firewall configuration script ipp=631, they are equivalent. Use one or the other. Open that port for both, TCP and UDP. FW_CONFIGURATIONS_EXT=“cups” should do the same, so it’s double.

They changed the syntax for FW_DEV_EXT between some of the releases, but I don’t know when. On some systems it’s: FW_DEV_EXT=“any eth-id-00:30:1b:b9:4b:8c”. Please check the comments in /etc/sysconfig/SuSEfirewall2. It could be: FW_DEV_EXT=“any eth0”. You must be able to cleanly start and stop your firewall.

As for cups.conf: probably to have to check it again. But here I now almost nothing, sorry.

nevegsuse · September 2, 2009, 10:12am

Hi vodoo, here I’m again…

…
In the firewall configuration script ipp=631, they are equivalent. Use one or the other. Open that port for both, TCP and UDP. FW_CONFIGURATIONS_EXT=“cups” should do the same, so it’s double.

…yes I think so, I’ve noticed btw, if I select the checkbox “open port firewall” in yast>hardware>printers it inserts in the firewall services allowed list “SERVER IPP” and not “cups” … little bit funny ?!? btw I think it doesn’t matter, probably “SERVER IPP” and “cups” are double voice in the list ?! or we need insert both ?!?

They changed the syntax for FW_DEV_EXT between some of the releases, but I don’t know when. On some systems it’s: FW_DEV_EXT=“any eth-id-00:30:1b:b9:4b:8c”. Please check the comments in /etc/sysconfig/SuSEfirewall2. It could be: FW_DEV_EXT=“any eth0”. You must be able to cleanly start and stop your firewall.

So I insert the string “any eth0” but firewall behaviour is the same… Just booted my server cups is not visible and checkin’ its status no port 631 are visible and from client.
If I type “SuSEfirewall2 status” I get this… and no port 631 are visible…


### iptables filter ###
Chain INPUT (policy DROP 739 packets, 110K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 8243 3297K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
17018   11M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 8301 packets, 811K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 8243 3297K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           

Chain reject_func (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-proto-unreachable 

### iptables mangle ###
Chain PREROUTING (policy ACCEPT 26002 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 26000 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 16544 packets, 4107K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 16626 packets, 4119K bytes)
 pkts bytes target     prot opt in     out     source               destination         

### iptables nat ###
Chain PREROUTING (policy ACCEPT 651 packets, 95273 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 236 packets, 33158 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 236 packets, 33158 bytes)
 pkts bytes target     prot opt in     out     source               destination

note also (I booted about 20 min. ago) if I type “cat /var/log/messages | grep firewall | tail -10” I get


Sep  2 09:11:33 pulsarx SuSEfirewall2: /var/lock/SuSEfirewall2.booting exists which means system boot in progress, exit.
Sep  2 09:11:33 pulsarx SuSEfirewall2: /var/lock/SuSEfirewall2.booting exists which means system boot in progress, exit.
Sep  2 09:12:11 pulsarx SuSEfirewall2: /var/lock/SuSEfirewall2.booting exists which means system boot in progress, exit.
Sep  2 09:12:24 pulsarx SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Sep  2 09:12:25 pulsarx SuSEfirewall2: using default zone 'ext' for interface vboxnet0
Sep  2 09:12:25 pulsarx SuSEfirewall2: batch committing...
Sep  2 09:12:25 pulsarx SuSEfirewall2: Firewall rules successfully set
Sep  2 09:33:42 pulsarx SuSEfirewall2: batch committing...
Sep  2 09:33:43 pulsarx SuSEfirewall2: Firewall rules set to CLOSE.
Sep  2 09:33:52 pulsarx SuSEfirewall2: /var/lock/SuSEfirewall2.booting exists which means system boot in progress, exit.

I note the last line (after boot), it seems something keep in hang firewall…

If after I type rcSuSEfirewall2 force-reload o start… I can force and load “fine” firewall and now I get port 631 visible and client are able to catch my server cups…

bah really strange behaviour…

As for cups.conf: probably to have to check it again. But here I now almost nothing, sorry.

I think my cups.conf is somewhat fine… 'cause if I disable firewall or restart it, cups service are ok…

thx

vodoo · September 2, 2009, 11:11am

I suggest that you start a new thread in the networking forum regarding this firewall issue. And: please check if this stale lockfile /var/lock/SuSEfirewall2.booting is still present. Delete it and see what happens.

nevegsuse · September 2, 2009, 11:23am

Yes… I do, thx again for your support

user · October 12, 2009, 8:29am

I also had problems with firewall + CUPS, but CUPS itself must be configured to get it working for outside connections.

You can do that at the server using http://localhost:631 or by changing cups.conf like described above.

Than it should work. It least it solved my problem.

some issue with cups and firewall

…and if I type SuSEfirewall stop I get this output:

pulsarx:/home/myhome # SuSEfirewall2 stop SuSEfirewall2: /var/lock/SuSEfirewall2.booting exists which means system boot in progress, exit.

So if after this check I type :

pulsarx:/home/myhome# rcSuSEfirewall2 force-reload Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning: no default firewall zone defined, assuming ‘ext’ pulsarx:/home/myhome#

pulsarx:/home/myhome # SuSEfirewall2 stop
SuSEfirewall2: /var/lock/SuSEfirewall2.booting exists which means system boot in progress, exit.

pulsarx:/home/myhome# rcSuSEfirewall2 force-reload
Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning: no default firewall zone defined, assuming ‘ext’
pulsarx:/home/myhome#