SuSe 11.4 firewall blocking CUPS network printers

Since upgrading from 11.2 to 11.4 I am now unable to see any network printers in either applications such as Libre, Okular etc, or in Cups admin page. I can now only see my local USB printer.
Disabling the firewall does allow the network printers to get listed in CUPS - and of course then in Libre, Okular etc. The 11.4 Firewall options do not include CUPS as a service that can be allowed - very helpful!! Accordingly I have added port 631 to TCP/IP under the advanced tab. Still no joy - as soon as the firewall is running all network printers disappear again from CUPS, turn off firewall and they all appear again. I further tried adding ports 9100 and 9300 - seem to recall they have something to do with printing - but still no joy. Anyone have an idea of exactly what I need to allow in the firewall to allow network printers???


port 631 to TCP/IP

IPP (Internet Printing Protocol) listens on UDP port 631

Thanks - I had already also tried adding to UDP but still it failed with the firewall on. I eventually found the answer when I went into Yast printer setup. When selecting print by network option a warning window opens advising that “firewall configuration may block internet printing” and to please read the help displayed at the bottom of the setup page. Within this help it specifies that the network interface must be assigned to the internal zone. It also states that contrary to all the advice I found on the net that port 631 should never be opened on the external zone. It would appear that as my network printing worked fine before upgrading from 11.2 to 11.4 that somehow the upgrade messed up my firewall settings. I do not recall ever having manually to set the interface to ‘internal’ before to get CUPS to work so I can only assume that 11.2 used to assign it to internal by default whereas 11.4 assigns it to external by default… Anyways - as soon as I set it to internal and closed up 631 all the available network printers immediately showed up in Yast printer setup. CUPS now also lists all printers and they are also available to select in Libre etc. Hopefully this will help quite a few others who are also posting about 11.4 breaking CUPS.

I had (apparently mistakenly) assumed that you had read the warnings in YaST and gone through the printer configuration settings, applying them appropriately.

If you had you would have realised that making an interface “internal” turns the firewall off for that interface by default.

The upgrade probably did not “messed up my firewall settings”. The change is that an undefined interface is treated as if it were external, which is a good position to take now that wireless connections are so common. Permitting any machine on your network to connect (via e.g. an IPP, or avahi/bonjour/zero-config broadcast) may be “user-friendly” but is not safe (part of why Apple and MS networks are insecure by design/default).

You seem to be confusing connecting to a network printer (a physical printer with its own network connection, usually via TCP port 9001) and connecting to a remote printer server (e.g. a CUPS server running on another workstation). YaST makes it easy to permit any connect to or allow connections from any defined machines without removing the firewall. This has not changed for several years (certainly before SuSE-9.1)

Hi, Thanks for the extra info.
I don’t have any confusion about network printers connected directly to the network or shared printers on another machine running CUPS.
The issue was/is that before upgrading, and indeed for the last 7/8 years I have always used CUPS administration to find/add/manage network printers.
It used to be in 11.2 and previous versions that CUPS was a listed service that could be allowed through the firewall - however it appears that this is now not the case - why, why why??
Similarly manually adding port 631 as many people suggest to UDP didn’t allow CUPS to see any network printers with the firewall turned on - although it may well have been the case that I could have manually defined them. However with over 20 on my network that is a bit of a pain…
I now appreciate that swapping my interface to the internal zone means that it is now not protected by the firewall so that is not really a fix - maybe not too bad for me as I am behind a corporate firewall anyway, but certainly not good for the ‘normal’ user out in the big wide world :wink:
However I now see that the solution is that I had mistakenly added port 9100 to TCP instead of port 9001 as you state. With that corrected printer browsing is now available in CUPS again - even with the interface now more safely assigned to the external zone - so many thanks for that!!
I’m guessing that in 11.2 and previous versions allowing the listed CUPS service through the firewall added both these ports which is why I have never had a problem before.

I guess the moral here is that I really should have followed my usual practice of doing a ‘fresh’ install, rather than trying the ‘upgrade’ method and expecting everything to still work!

Thanks again

Thanks for this info, the networking printing info in OpenSUSE is pretty awful (too many screens and too many options for a simple printing task across a local network) but I came to the conclusion that the firewall was killing the connection I was trying to make too. Thanks for the pointer about local zone and network interface. Changing this status in the Yast/Firewall app sorted things out nicely.
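
A check for the two settings this thread turns on (which zone an interface is in, and whether port 631 is open on the external zone), as an added example that is not part of any post above. It reads a SuSEfirewall2-style sysconfig file; the function names and the sample file contents are constructed for illustration.

```shell
# Added example: variable names follow /etc/sysconfig/SuSEfirewall2; sample values are constructed.

# zone_of FILE IFACE -> prints internal, external or unassigned
zone_of() (
    FW_DEV_INT= FW_DEV_EXT=
    . "$1"
    for i in $FW_DEV_INT; do
        if [ "$i" = "$2" ]; then echo internal; exit 0; fi
    done
    for i in $FW_DEV_EXT; do
        if [ "$i" = "$2" ]; then echo external; exit 0; fi
    done
    echo unassigned
)

# port_open_ext FILE TOKEN... -> exit 0 if any token (port number or
# service name) is listed in the external-zone TCP or UDP services
port_open_ext() (
    FW_SERVICES_EXT_TCP= FW_SERVICES_EXT_UDP=
    f=$1; shift
    . "$f"
    for p in $FW_SERVICES_EXT_TCP $FW_SERVICES_EXT_UDP; do
        case " $* " in *" $p "*) exit 0 ;; esac
    done
    exit 1
)

# audit FILE IFACE -> prints one finding per line
audit() {
    zone=$(zone_of "$1" "$2")
    # Assumption: an unset FW_PROTECT_FROM_INT is treated as "no" here.
    protect=$(FW_PROTECT_FROM_INT=no; . "$1"; echo "$FW_PROTECT_FROM_INT")
    if [ "$zone" = internal ] && [ "$protect" != yes ]; then
        echo "WARN: $2 is in the internal zone and not filtered"
    elif [ "$zone" = unassigned ]; then
        echo "INFO: $2 has no zone assigned"
    fi
    if port_open_ext "$1" 631 ipp; then
        echo "WARN: port 631 is open on the external zone"
    fi
}

SAMPLE=$(mktemp)                 # constructed sample configuration
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
FW_DEV_EXT="wlan0"
FW_DEV_INT="eth0"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="631"
EOF
audit "$SAMPLE" eth0
```

To check a real system, point `audit` at the machine's own sysconfig file and interface name instead of the constructed sample.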