What setting(s) do I have to put in my firewall to allow my printers to work?

Hi All,
I have been wrestling with the problem of getting my printers to work on OpenSuse Tumbleweed. I only installed it a couple of days ago so still finding my way around.
After a lot of searching in forums I finally tried turning my firewall off, and waddyaknow, I got them both working with a minimum of fuss. So my question now is: what do I have to set in my firewall config to allow the printers to work, and still have the firewall active?
When I open the firewall utility I see that in the “home” zone (which makes the most sense for me, I’m the only one using this computer) the allowed services are dhcpv6-client, mdns, samba-client, and ssh. None of these, apparently, will let my PC talk to my Brother hl-l2305w laser printer or my Epson Expression 442 printer. Both are using ipp I believe, but when I put ipp in the home zone services it still won’t print. These are the details.

All advice gratefully received.

Can you show the firewall configuration?

sudo firewall-cmd --zone=home --list-all

@deano_ferrari Thanks for the quick reply. Here’s the output.

ian@OpenSusian:~> sudo firewall-cmd --zone=home --list-all
home (active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: enp5s0
  sources: 
  services: dhcpv6-client ipp ipp-client
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
ian@OpenSusian:~>

The mdns service is not allowed. That will be needed in order to resolve the Avahi hostnames defined in your printer configuration.


Like this?

ian@OpenSusian:~> sudo firewall-cmd --zone=home --list-all
home (active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: enp5s0
  sources: 
  services: dhcpv6-client ipp ipp-client mdns
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
ian@OpenSusian:~> 


Well that seems to have done it! A print that was waiting printed as soon as I added mdns.

Thanks!
;-) Ian

@deano_ferrari Is there a way to mark the problem solved? And link to your post as the solution?

Glad to have been of guidance.

No, we don’t do that here, but those reading this thread will understand that it is resolved for you. :wink:

I thought I’d solved this problem with @deano_ferrari's help, but now it’s occurring again. I’ve had to completely reinstall OpenSuse since I posted this, so not sure if I’ve missed something else. Anyway, same problem, my printer won’t print unless I disable the firewall.

Not sure what I’ve done wrong. All advice gratefully received.

:-\

Did you reload the firewall after making changes?

I’m assuming that’s what the yast firewall gui does when I click “accept”. I’ve restarted since making the changes too so it should all be there. But when I print a test page the status is shown as “unable to locate printer”

But if I turn off the firewall it prints immediately.

<30 minutes later>

So I did a bit of RTFMing and I think, even though I changed the zone in the yast firewall app to “home”, I think it wasn’t actually using that zone, but the default zone, “public”. So I changed the zone to public in the yast app (to associate it with esp5s0(?)), which is the default zone, and added ipp, ipp-client, and mdns to the public zone, and it now seems to be working. No idea what the yast app is doing (and very confusing to use I have to say, for us mere mortals who are not experts on firewalls and how they work) but it seems I’ve stumbled on the/a solution.

Thanks, :slight_smile:

I don’t use the YaST app for firewall management, but in any case your firewall-cmd output showed the enp5s0 interface was assigned to the ‘home’ zone. Maybe that wasn’t the interface that is connected to your LAN? Always good to check the relevant zones and interfaces first.
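An added example, not part of any post in this thread: a read-only check of which zone an interface is really bound to and which printing-related services that zone lacks. The required set (mdns, ipp-client) is taken from the thread; the function names and the sample outputs marked as constructed are assumptions.

```shell
#!/bin/sh
# Added example: read-only parsing of firewall-cmd output; it changes nothing.

# zone_of_iface IFACE: stdin is `firewall-cmd --get-active-zones` output.
# Prints the zone IFACE is bound to, or nothing if no active zone lists it.
zone_of_iface() {
    awk -v want="$1" '
        /^[^ ]/ { zone = $1; next }   # unindented line starts a zone
        $1 == "interfaces:" {
            for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
        }'
}

# missing_services SVC...: stdin is `firewall-cmd --zone=Z --list-all` output.
# Prints the required services that are absent from its "services:" line.
missing_services() {
    awk -v req="$*" '
        $1 == "services:" { for (i = 2; i <= NF; i++) have[$i] = 1 }
        END {
            n = split(req, r, " ")
            for (i = 1; i <= n; i++)
                if (!(r[i] in have)) out = (out == "" ? "" : out " ") r[i]
            print out
        }'
}

# Constructed sample: the interface sits in "public", not "home".
SAMPLE_ACTIVE='public
  interfaces: enp5s0'
# Constructed sample: a public zone with only the default client service.
SAMPLE_PUBLIC_LIST='public (active)
  interfaces: enp5s0
  services: dhcpv6-client'
# Abridged from the first --list-all output posted in the thread.
SAMPLE_HOME_LIST='home (active)
  interfaces: enp5s0
  services: dhcpv6-client ipp ipp-client'

zone=$(printf '%s\n' "$SAMPLE_ACTIVE" | zone_of_iface enp5s0)
echo "enp5s0 is in zone: $zone"
echo "$zone lacks: $(printf '%s\n' "$SAMPLE_PUBLIC_LIST" | missing_services mdns ipp-client)"
echo "home lacks: $(printf '%s\n' "$SAMPLE_HOME_LIST" | missing_services mdns ipp-client)"

# On a live system, check both the runtime and the permanent configuration:
#   zone=$(firewall-cmd --get-active-zones | zone_of_iface enp5s0)
#   firewall-cmd --zone="$zone" --list-all | missing_services mdns ipp-client
#   firewall-cmd --permanent --zone="$zone" --list-all | missing_services mdns ipp-client
```

A service that is missing only from the `--permanent` listing will disappear at the next reload or reboot; one that is missing only from the runtime listing has not been loaded yet.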

If it can help, I struggled with the same kind of issue on TW for a long time, and ultimately gave up on relying on the Yast firewall module since changes done there don’t seem to be persisted as they should.

I run a script like this one whenever I need to reinstall my system:

sudo firewall-cmd --permanent --new-service=chromecast
sudo firewall-cmd --permanent --service=chromecast --set-description=Chromecast
sudo firewall-cmd --permanent --service=chromecast --set-short=chromecast
sudo firewall-cmd --permanent --service=chromecast --add-port=32768-61000/udp
sudo firewall-cmd --permanent --service=chromecast --add-port=8008-8009/tcp
sudo firewall-cmd --permanent --service=chromecast --add-source-port=32768-61000/udp

sudo firewall-cmd --permanent --new-service=chromecast-ssdp
sudo firewall-cmd --permanent --service=chromecast-ssdp --set-description=Chromecast\ SSDP
sudo firewall-cmd --permanent --service=chromecast-ssdp --set-short=chromecast-ssdp
sudo firewall-cmd --permanent --service=chromecast-ssdp --add-port=1900/udp
sudo firewall-cmd --permanent --service=chromecast-ssdp --set-destination=ipv4:239.255.255.250/32

sudo firewall-cmd --zone=home --add-service=chromecast-ssdp --permanent
sudo firewall-cmd --zone=home --add-service=chromecast --permanent
sudo firewall-cmd --zone=home --add-service=mdns --permanent
sudo firewall-cmd --zone=home --add-service=dhcpv6-client --permanent
sudo firewall-cmd --zone=home --add-service=ipp-client --permanent
sudo firewall-cmd --zone=home --add-service=samba-client --permanent
sudo firewall-cmd --zone=home --add-service=ssh --permanent
sudo firewall-cmd --reload

sudo firewall-cmd --set-default-zone=home

You probably won’t need all of it, skip the first two blocks if not interested in casting to Google Home/TV devices, and in the third block keep only mdns (ipp can also be useful for printing, IIRC).

And definitely keep the last command.

BTW I wonder if Chromecast service in the firewall settings could be shipped by default in new opensuse installs. I found those two blocks somewhere on the web, but would’ve been nice to find it pre-defined in the list of available fw services…

@malcolmlewis