The same old problem CUPS and the firewall now with 13.1

For many years, whatever the openSUSE version, I have had the same problem with local-network printing with CUPS. It is easy to configure printing in the local network with YaST; the problem is that over time the firewall automatically closes port 631 on the client machine. Of course I have always put TCP and UDP 631 as permitted services in the firewall, but that doesn't prevent the firewall from closing the port if printing is not in use for some time. Shutting down the firewall of the client machine automatically sends the printing task to the printer. That means that I have to shut down and afterwards switch on the firewall every time I need to print something in the local network. Any help for keeping port 631 open all the time will be quite welcome. Thanks

openSUSE 13.1 x64

I've never seen SuSEfirewall2 close down a port after some time, so that's interesting, though we may be configured differently for some reason. In general there isn't a need to open a firewall port to just print, though perhaps you are sharing a printer from your computer to others, which would require a change. Care to post the output of the following command before/after the problem occurs:

Code:

sudo /usr/sbin/iptables-save

You should get some output showing your firewall configuration at the time. Another option is the '/usr/sbin/iptables -nvL' command, which also gives you some nice statistics on things. Feel free to post the output here and we'll see what we can see.


Good luck.


Just a thought, but if you are using LibreOffice it starts the session to the CUPS server when it starts (it's debatable whether that's a bug or a feature) rather than when you try to print. As a result the remote CUPS server tends to time out if nothing interesting happens for a while. We set the timeout on the CUPS server to 2 hours (adjust to taste here).
M

Here is the output without remote CUPS printers available:

# Generated by iptables-save v1.4.19.1 on Wed Dec  4 23:55:45 2013
*raw
:PREROUTING ACCEPT [48436:47070975]
:OUTPUT ACCEPT [36391:4429547]
-A PREROUTING -i lo -j CT --notrack
-A OUTPUT -o lo -j CT --notrack
COMMIT
# Completed on Wed Dec  4 23:55:45 2013
# Generated by iptables-save v1.4.19.1 on Wed Dec  4 23:55:45 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [35520:4290126]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A input_ext -p udp -m pkttype --pkt-type broadcast -m udp --dport 137 -j ACCEPT
-A input_ext -p udp -m pkttype --pkt-type broadcast -m udp --dport 138 -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p udp -m udp --sport 137 -m conntrack --ctstate RELATED -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 139 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 139 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 445 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 445 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5900:5999 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5900:5999 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5801 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5801 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5901 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5901 -j ACCEPT
-A input_ext -p udp -m udp --dport 137 -j ACCEPT
-A input_ext -p udp -m udp --dport 138 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -m udp --dport 20048 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 20048 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m conntrack --ctstate NEW -m tcp --dport 20048 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 20048 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -m udp --dport 2049 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 2049 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m conntrack --ctstate NEW -m tcp --dport 2049 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 2049 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -m udp --dport 41318 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 41318 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m conntrack --ctstate NEW -m tcp --dport 35737 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 35737 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -m udp --dport 41318 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 41318 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m conntrack --ctstate NEW -m tcp --dport 35737 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 35737 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -m udp --dport 111 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 111 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m conntrack --ctstate NEW -m tcp --dport 111 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 111 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -m udp --dport 35050 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 35050 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m conntrack --ctstate NEW -m tcp --dport 57341 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 57341 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -m udp --dport 35050 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 35050 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m conntrack --ctstate NEW -m tcp --dport 57341 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 57341 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT

And now after shutting down and turning on the firewall again, which makes remote CUPS printers available:

# Generated by iptables-save v1.4.19.1 on Thu Dec  5 00:01:07 2013
*raw
:PREROUTING ACCEPT [93:16532]
:OUTPUT ACCEPT [64:13311]
COMMIT
# Completed on Thu Dec  5 00:01:07 2013
# Generated by iptables-save v1.4.19.1 on Thu Dec  5 00:01:07 2013
*filter
:INPUT ACCEPT [93:16532]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [64:13311]
COMMIT

Actually it happens all the time, regardless of whether LibreOffice is used or not, but if there is an option to set the timeout for printing I will try that one too. Please let me know how to adjust the time.

Hi,
I had the same problem. This is how I solved it.

  1. Upgrade CUPS from 1.5 to 1.7 from the obs:home:jsmeix repo, because there seems to be a great change in CUPS from 1.6 onwards: no more sharing of printers using CUPS, just mDNS/Avahi is used.
  2. Enable and start the 'cups-browsed' service in YaST2 > Services Manager.
  3. In SuSEfirewall2,
    allow the mDNS service (enough);
    allow broadcast replies for all TCP/UDP services within your LAN network.
  4. In YaST2 > Printing, allow printing through the network (of course, LAN) and allow printing from the LAN network too.
  5. In YaST2 > User and Group Management, add yourself to the avahi and lp groups.
    These have allowed me to share my printer and print to LAN systems.
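As an added example (not code from the thread or from SuSEfirewall2), here is a small Python checker that reads an iptables-save dump like the two posted above and reports whether a new inbound connection to the IPP and mDNS ports would be accepted, so a "permitted service" can be verified from the running ruleset rather than assumed. SAMPLE_DUMP is a constructed excerpt shaped like the first dump; mDNS on UDP 5353 is assumed as the port the last post's step 3 opens.

```python
# Added example, not from the thread. SAMPLE_DUMP is a constructed *filter excerpt.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:input_ext - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -j input_ext
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 5900:5999 -j ACCEPT
-A input_ext -j DROP
COMMIT
"""
# Match options that make a rule depend on more than protocol and destination port.
CONDITIONAL = {"-i", "-o", "-s", "-d", "--ctstate", "--pkt-type", "--sport",
               "--icmp-type", "--tcp-flags", "--limit"}

def parse_rules(dump):
    """Return ({chain: policy}, [rule dicts]) from the *filter table of a dump."""
    policies, rules, table = {}, [], None
    for line in dump.splitlines():
        tok = line.split()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            policies[tok[0][1:]] = tok[1]       # "-" marks a user-defined chain
        elif table == "filter" and line.startswith("-A "):
            opt = lambda f: tok[tok.index(f) + 1] if f in tok else None
            rules.append({"chain": tok[1], "proto": opt("-p"), "dport": opt("--dport"),
                          "target": opt("-j"), "conditional": bool(CONDITIONAL & set(tok))})
    return policies, rules

def verdict(policies, rules, proto, port, chain="INPUT"):
    """Walk a chain for a NEW packet: True=ACCEPT, False=DROP/REJECT, None=fell through."""
    for r in rules:
        lo, _, hi = (r["dport"] or "0:65535").partition(":")   # --dport N or lo:hi
        if (r["chain"] != chain or r["conditional"] or r["proto"] not in (None, proto)
                or not int(lo) <= port <= int(hi or lo)):
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"] == "ACCEPT"
        if r["target"] in policies:             # -j into a user chain; LOG etc. fall through
            v = verdict(policies, rules, proto, port, r["target"])
            if v is not None:
                return v
    policy = policies.get(chain, "-")
    return None if policy == "-" else policy == "ACCEPT"

def printing_ports_open(dump):
    """True only if IPP (tcp/udp 631) and mDNS (udp 5353) would all be accepted."""
    pol, rules = parse_rules(dump)
    return all(verdict(pol, rules, p, n) for p, n in (("tcp", 631), ("udp", 631), ("udp", 5353)))
```

Run it on `sudo /usr/sbin/iptables-save` output taken before and after the problem appears: a dump like the first one above returns False because no rule in `input_ext` accepts port 631 before the final DROP, while the second dump returns True only because the whole filter table is gone and the INPUT policy is ACCEPT.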