Opening firewall for local network scanner

Opening firewall for local network scanner

Postby kirmonkey » Jan 21st, '18, 19:05

Hi all,

I have a scanner on my local network that I need to access. At the moment access it blocked by the 'personal firewall'. With the firewall enabled I get the following output when attempting to contact the scanner with
Code: Select all
sudo scanimage -L


No scanners were identified. If you were expecting something different,
check that the scanner is plugged in, turned on and detected by the
sane-find-scanner tool (if appropriate). Please read the documentation
which came with this software (README, FAQ, manpages).


And this output from dmesg/Shorewall:

Shorewall:net-fw:DROP:IN=enp2s0 OUT= MAC=78:e3:b5:c5:71:bc:ac:18:26:39:e1:e9:08:00 SRC=192.168.0.20 DST=192.168.0.19 LEN=104 TOS=0x00 PREC=0x00 TTL=30 ID=25938 PROTO=UDP SPT=3289 DPT=39377 LEN=84


I'm familiar with opening access with ufw for this scanner (Debian runs my laptop), where I use the ip address of the scanner as so:

sudo ufw allow from 192.168.0.20


I can't interpret the output in dmesg to set the appropriate ports as open in the 'personal firewall' advanced settings. It looks like, from the Shorewall output, I need to open udp port 3289. The following part foxes me though:
DPT=39377


I'm assuming this is the tcp port? It changes with every attempt to scanimage -L the scanner.

With the 'personal firewall' turned off, I can access the scanner without issue.

device `epson2:net:192.168.0.20' is a Epson PID 08B9 flatbed scanner


I'm running Mageia 6 with updates installed. I'm recovering my system from a hardware failure and can't remember how I got it to work in Mageia 5 (my last install on this machine).

Thanks in advance.
kirmonkey
 
Posts: 22
Joined: Sep 26th, '11, 14:17
Location: United Kingdom

Re: Opening firewall for local network scanner

Postby xboxboy » Jan 22nd, '18, 00:05

I have a networked printer/scanner, which when I scan (from the display panel on the printer) it saves the image back on my mageia box through a samba server. I assume this is what you're trying to achieve?

How I opened the firewall, is using the mageia tools.

Open MCC, mageia control centre.
Select security tab on the left.
Select set up your personal firewall
Tick Windows File Sharing (SMB)
Then ok, and I find the following defaults to be ok for my situation.
xboxboy
 
Posts: 391
Joined: Jun 2nd, '13, 06:41

Re: Opening firewall for local network scanner

Postby doktor5000 » Jan 22nd, '18, 00:35

kirmonkey wrote:I can't interpret the output in dmesg to set the appropriate ports as open in the 'personal firewall' advanced settings. It looks like, from the Shorewall output, I need to open udp port 3289. The following part foxes me though:
DPT=39377


I'm assuming this is the tcp port? It changes with every attempt to scanimage -L the scanner.

Client ports are usually always dynamically allocated, it will suffice if you simply allow udp port 3289 as you mentioned - did you try that yet?
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 17629
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Opening firewall for local network scanner

Postby jiml8 » Jan 22nd, '18, 03:17

DPT is "destination port". It is the port your machine will listen on for responses from the server (the scanner). SPT is "source port" - the port the client must connect with on the server.

From your perspective, typing on the client box, "source" and "destination" seem backward, but it is easy enough to keep track of when you realize that the port naming conventions are taken from the perspective of the server, not the client.

Your DPT will always be defined dynamically, and will likely change on every connection. So ignore it; the firewall will allow traffic through to that port from the server once a request to the server specifying that DPT is sent.

So all you need to do is open SPT on the firewall and it should work.
jiml8
 
Posts: 1253
Joined: Jul 7th, '13, 18:09

Re: Opening firewall for local network scanner

Postby kirmonkey » Jan 22nd, '18, 10:18

Hi all,

Thanks for the replies, it's really good to see 3 thoughtful responses so quickly!

xboxboy: I have no option in 'personal firewall' for Windows filesharing. Though... Navigating in Dolphin, I can find the scanner under smb - I've learned something there! I use Simple Scan to control the scanner, as it allows me to control settings such as photo/text/resolution more easily than using the tiny screen on the scanner.

Doktor5000: I have tried opening port 3289, both udp and tcp. I've restarted the firewall to ensure this was applied. Still no connection though. I also tried port 35578 - the 'epson-backend' (cbtd) port taken from /etc/services (written at the bottom of the file).

jiml8: I understand your ideas, it's useful for me to understand the client/server relationship here, I wasn't clear in my head about which is which. If the port that needs to be open is 3289 on the server (the scanner in this case) then should I be looking there? (Rick gazes at ceiling). No, I've not had to do that to connect my laptop to the scanner, I've just had to update the ufw rule with the ip address to 'allow'.


Just some final bits of information: Switching off the personal firewall does allow me to access and use the scanner. The scanner is an Epson Workforce WF-7610

Thanks for the suggestions so far.
kirmonkey
 
Posts: 22
Joined: Sep 26th, '11, 14:17
Location: United Kingdom

Re: Opening firewall for local network scanner

Postby doktor5000 » Jan 22nd, '18, 22:48

kirmonkey wrote:Doktor5000: I have tried opening port 3289, both udp and tcp. I've restarted the firewall to ensure this was applied. Still no connection though.

After adjusting the firewall, best post the output as root of
Code: Select all
iptables -L
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 17629
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Opening firewall for local network scanner

Postby kirmonkey » Jan 22nd, '18, 23:14

Here we are:

Just a bit more information too:
enp2s0 is my wired network connection
wlp5s0 is my wireless connection (not usually enabled).
Looking in /var/log/shorewall-init.log, I see no mention of port 3289 being "Conntrack rule compiled - for example:

Code: Select all
Jan 22 20:56:10    Conntrack rule "CT:helper:ftp:PO - - tcp 21" Compiled


Code: Select all
sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
Ifw        all  --  anywhere             anywhere           
wlp5s0_in  all  --  anywhere             anywhere           
enp2s0_in  all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
Reject     all  --  anywhere             anywhere           
LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:INPUT:REJECT:"
reject     all  --  anywhere             anywhere            [goto]

Chain FORWARD (policy DROP)
target     prot opt source               destination         
wlp5s0_fwd  all  --  anywhere             anywhere           
enp2s0_fwd  all  --  anywhere             anywhere           
Reject     all  --  anywhere             anywhere           
LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:FORWARD:REJECT:"
reject     all  --  anywhere             anywhere            [goto]

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
wlp5s0_out  all  --  anywhere             anywhere           
enp2s0_out  all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
Reject     all  --  anywhere             anywhere           
LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:OUTPUT:REJECT:"
reject     all  --  anywhere             anywhere            [goto]

Chain Broadcast (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST

Chain Drop (1 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed /* Needed ICMP types */
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded /* Needed ICMP types */
Broadcast  all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere             ctstate INVALID
DROP       udp  --  anywhere             anywhere             multiport dports epmap,microsoft-ds /* SMB */
DROP       udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn /* SMB */
DROP       udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535 /* SMB */
DROP       tcp  --  anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds /* SMB */
DROP       udp  --  anywhere             anywhere             udp dpt:ssdp /* UPnP */
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain /* Late DNS Replies */

Chain Ifw (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             match-set ifw_wl src
DROP       all  --  anywhere             anywhere             match-set ifw_bl src
IFWLOG     all  --  anywhere             anywhere             ctstate INVALID,NEWpsd weight-threshold: 10 delay-threshold: 10000 lo-ports-weight: 2 hi-ports-weight: 1 IFWLOG prefix 'SCAN'
IFWLOG     udp  --  anywhere             anywhere             ctstate NEW multiport dports sesi-lm:cft-3IFWLOG prefix 'NEW'
IFWLOG     udp  --  anywhere             anywhere             ctstate NEW udp dpt:enpcIFWLOG prefix 'NEW'
IFWLOG     tcp  --  anywhere             anywhere             ctstate NEW multiport dports sesi-lm:cft-3IFWLOG prefix 'NEW'
IFWLOG     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:enpcIFWLOG prefix 'NEW'

Chain Reject (3 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed /* Needed ICMP types */
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded /* Needed ICMP types */
Broadcast  all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere             ctstate INVALID
reject     udp  --  anywhere             anywhere            [goto]  multiport dports epmap,microsoft-ds /* SMB */
reject     udp  --  anywhere             anywhere            [goto]  udp dpts:netbios-ns:netbios-ssn /* SMB */
reject     udp  --  anywhere             anywhere            [goto]  udp spt:netbios-ns dpts:1024:65535 /* SMB */
reject     tcp  --  anywhere             anywhere            [goto]  multiport dports epmap,netbios-ssn,microsoft-ds /* SMB */
DROP       udp  --  anywhere             anywhere             udp dpt:ssdp /* UPnP */
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain /* Late DNS Replies */

Chain dynamic (4 references)
target     prot opt source               destination         

Chain enp2s0_fwd (1 references)
target     prot opt source               destination         
sfilter    all  --  anywhere             anywhere            [goto]
dynamic    all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED
tcpflags   tcp  --  anywhere             anywhere           
net_frwd   all  --  anywhere             anywhere           

Chain enp2s0_in (1 references)
target     prot opt source               destination         
dynamic    all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED
tcpflags   tcp  --  anywhere             anywhere           
net-fw     all  --  anywhere             anywhere           

Chain enp2s0_out (1 references)
target     prot opt source               destination         
fw-net     all  --  anywhere             anywhere           

Chain fw-net (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           

Chain logdrop (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           

Chain logflags (7 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             LOG level info ip-options prefix "Shorewall:logflags:DROP:"
DROP       all  --  anywhere             anywhere           

Chain logreject (0 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere           

Chain net-fw (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             multiport dports sesi-lm:cft-3,enpc
ACCEPT     udp  --  anywhere             anywhere             multiport dports sesi-lm:cft-3,enpc
Drop       all  --  anywhere             anywhere           
LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:net-fw:DROP:"
DROP       all  --  anywhere             anywhere           

Chain net_frwd (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           

Chain reject (8 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ADDRTYPE match src-type BROADCAST
DROP       all  --  base-address.mcast.net/4  anywhere           
DROP       igmp --  anywhere             anywhere           
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain sfilter (2 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:sfilter:DROP:"
DROP       all  --  anywhere             anywhere           

Chain sha-lh-cb21761f4022ff6c7780 (0 references)
target     prot opt source               destination         

Chain sha-rh-3e2c9992d2839d135675 (0 references)
target     prot opt source               destination         

Chain shorewall (0 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere             recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255

Chain tcpflags (4 references)
target     prot opt source               destination         
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:SYN,RST/SYN,RST
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,RST/FIN,RST
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN/FIN,SYN
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,PSH,ACK/FIN,PSH
logflags   tcp  --  anywhere             anywhere            [goto]  tcp spt:0 flags:FIN,SYN,RST,ACK/SYN

Chain wlp5s0_fwd (1 references)
target     prot opt source               destination         
sfilter    all  --  anywhere             anywhere            [goto]
dynamic    all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED
tcpflags   tcp  --  anywhere             anywhere           
net_frwd   all  --  anywhere             anywhere           

Chain wlp5s0_in (1 references)
target     prot opt source               destination         
dynamic    all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED
tcpflags   tcp  --  anywhere             anywhere           
net-fw     all  --  anywhere             anywhere           

Chain wlp5s0_out (1 references)
target     prot opt source               destination         
fw-net     all  --  anywhere             anywhere           
Last edited by isadora on Jan 23rd, '18, 12:09, edited 1 time in total.
Reason: Placed command-output in between [CODE]-tags for better readability ;)
kirmonkey
 
Posts: 22
Joined: Sep 26th, '11, 14:17
Location: United Kingdom

Re: Opening firewall for local network scanner

Postby xboxboy » Jan 23rd, '18, 00:06

Regarding window filesharing option in the firewall section, IIRC that gets added as an option only after creating a Samba share, so that probably explains why you don't have it as an option: So disregard my advice :-/
xboxboy
 
Posts: 391
Joined: Jun 2nd, '13, 06:41


Return to Networking

Who is online

Users browsing this forum: No registered users and 1 guest

cron