
Re: network printer probs in fc3 vs fc2

Alexander Dalloz wrote:
> On Sat, 11.12.2004 at 3:26, sola doctor com wrote:
> > > Later on the day I will check with the default FC3 iptables rules what
> > > the cause for your trouble could be. I guess you didn't customize the
> > > iptables rules.
> >
> > Correct-- no customization.
> >
> > Fortunately my connection to the internet is thru a hardware router
> > which does provide NAT, and allegedly a primitive firewall.

So would terrible things happen to me if I marked eth0 as trusted in the GUI?
That does stop the problem.
> > Steve
> Ok, I found out what's happening.
> What the Netgear print server sends back when Fedora connects to it on port
> 515 for LPD is a TCP sequence which is not recognised as TCP state:
> Dec 12 01:27:24 bartleby kernel: BLOCKED IN=eth0 OUT=
> MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=
> DST= LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=4476 PROTO=TCP
> SPT=515 DPT=44069 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
> In the iptables log is my Netgear print server PS110,
> which sends back "ACK PSH SYN". So with the default FC3 iptables setting
> it gets rejected. "nmap -sT -P0 -p 515" shows it as closed:
> 515/tcp closed  printer
> So I added the following rule to accept this sequence from my print server
> IP with source port 515:
> -A RH-Firewall-1-INPUT -p tcp -m tcp --tcp-flags ACK,PSH,SYN ACK,PSH,SYN
> -s --sport 515 -j ACCEPT
> With that above nmap run reports
> 515/tcp open  printer
> That should work for you too, though it takes ages until the page is
> printed.
> I don't have the default FC2 iptables ruleset, so I can't say what
> changed. Maybe it's an iptables change in the kernel implementation?

I went back and compared the fc2 and fc3 default settings, using
cat /etc/sysconfig/iptables:
they are exactly the same except for three lines found only in fc3:

-A RH-Firewall-1-INPUT -p udp --dport 5353 -d -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --deport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

Now I'm only a newb, but this reminds me of something Matthew
Saltman said earlier in this thread:

"With only ipp:udp open, I could see the printers just fine on clients, but
jobs would just queue without printing.  When I opened ipp:tcp, all the
queued jobs flushed."

So I attempted a little experiment: I put the three alleged offending
troublemakers back into fc2.
This generated an error message for line 2 above.
So I took it out, put the other two in, and restarted with
 /etc/init.d/iptables restart
which ran OK, caused no discernible problems, and I could still print.
So I conclude that there might be something about
-A RH-Firewall-1-INPUT -p udp -m udp --deport 631 -j ACCEPT
which could cause a problem in fc2.
The next logical step was to try removing the potential culprits in fc3,
but neither removing -A RH-Firewall-1-INPUT -p udp -m udp --deport 631 -j ACCEPT alone
nor all three together restored printing.
So much for that theory.

> See also another list mail where someone with the same print server
> reports a firewalling problem too. But in that case the problem seemed
> to be an incorrect destination port the print server tries to reach:
> https://www.redhat.com/archives/fedora-list/2004-November/msg08530.html
> Printing, I see the print server wants to send to port 1023, which is
> not correct:
> Dec 12 02:02:50 bartleby kernel: BLOCKED IN=eth0 OUT=
> MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=
> DST= LEN=41 TOS=0x00 PREC=0x00 TTL=30 ID=5722 PROTO=TCP
> SPT=515 DPT=1023 WINDOW=1024 RES=0x00 ACK PSH URGP=0
> This is another problem. You will need to allow more traffic from the
> Netgear print server. The following rule should be sufficient:
> -A RH-Firewall-1-INPUT -s -p tcp -m tcp -j ACCEPT
> Here is the IP for my device; yours might be different. It
> seems the firmware of the Netgear PS110 is broken / not
> standard-conforming.
> Hope this will help you.
> Alexander

Doing this gives me a complete cure!
Printing is functional and I can browse to the print server.

This is simply wonderful,
and it gives me a warm feeling that the members of this list,
Alexander in particular,
would help a newb like me.
Thank you,
   sola doctor com
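The two blocked packets quoted above, and the difference between Alexander's two rules, can be checked offline. The script below is an added example written for this page, not code from the thread, from Fedora or from Netgear. It parses the fields of netfilter LOG lines, emulates the `--tcp-flags MASK COMP` match (packet flags masked by MASK must equal COMP), and lists which of the print server's packets the first, flag-specific rule would still leave to the default policy, which the second, per-host rule accepts. The sample log lines are constructed from the two packets quoted in the thread plus one assumed plain ACK data segment; the 192.0.2.x addresses are assumptions, since the archived message has SRC= and DST= stripped.

```python
"""Triage netfilter LOG lines for the blocked LPD replies discussed in the thread.

Added example, not from the thread. Sample lines below are constructed; the
addresses (192.0.2.0/24 documentation range) are assumptions.
"""
import re

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "ECE", "CWR"}

# Constructed sample: the two packet shapes quoted in the thread plus one
# assumed plain ACK data segment from the same print server (192.0.2.20).
SAMPLE_LOG = """\
Dec 12 01:27:24 bartleby kernel: BLOCKED IN=eth0 OUT= MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.0.2.20 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=4476 PROTO=TCP SPT=515 DPT=44069 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 12 02:02:50 bartleby kernel: BLOCKED IN=eth0 OUT= MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.0.2.20 DST=192.0.2.10 LEN=41 TOS=0x00 PREC=0x00 TTL=30 ID=5722 PROTO=TCP SPT=515 DPT=1023 WINDOW=1024 RES=0x00 ACK PSH URGP=0
Dec 12 02:02:51 bartleby kernel: BLOCKED IN=eth0 OUT= MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.0.2.20 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=30 ID=5723 PROTO=TCP SPT=515 DPT=1023 WINDOW=1024 RES=0x00 ACK URGP=0
"""


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict of KEY=VALUE fields plus a
    'FLAGS' set holding the bare TCP flag tokens. Returns None for other lines."""
    m = re.search(r"\bIN=", line)
    if m is None:
        return None
    pkt = {"FLAGS": set()}
    for tok in line[m.start():].split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            pkt[key] = val
        elif tok in TCP_FLAGS:
            pkt["FLAGS"].add(tok)
    return pkt


def tcp_flags_match(mask, comp, pkt_flags):
    """Emulate iptables `--tcp-flags MASK COMP`: of the flags named in MASK,
    exactly those named in COMP must be set, i.e. (flags & mask) == comp."""
    return {f for f in pkt_flags if f in mask} == set(comp)


def blocked_from_lpd(log_text, src, sport=515):
    """Blocked TCP packets from (src, sport) as a list of (DPT, frozenset(flags))."""
    seen = []
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if not pkt or pkt.get("PROTO") != "TCP":
            continue
        if pkt.get("SRC") == src and pkt.get("SPT") == str(sport):
            seen.append((int(pkt["DPT"]), frozenset(pkt["FLAGS"])))
    return seen


def narrow_rule(src, sport, flags):
    """The thread's first fix: accept only one exact flag combination."""
    f = ",".join(sorted(flags))
    return (f"-A RH-Firewall-1-INPUT -p tcp -m tcp --tcp-flags {f} {f} "
            f"-s {src} --sport {sport} -j ACCEPT")


def host_rule(src):
    """The thread's second fix: accept all TCP from the print server."""
    return f"-A RH-Firewall-1-INPUT -s {src} -p tcp -m tcp -j ACCEPT"


def not_covered_by(rule_flags, packets):
    """Packets that the narrow rule does not match, so they still fall through
    to the default policy (mask and comp are both the rule's flag list)."""
    return [p for p in packets if not tcp_flags_match(rule_flags, rule_flags, p[1])]


if __name__ == "__main__":
    src = "192.0.2.20"
    pkts = blocked_from_lpd(SAMPLE_LOG, src)
    for dpt, flags in pkts:
        print(f"blocked {src}:515 -> :{dpt} flags={' '.join(sorted(flags))}")
    first_fix = {"ACK", "PSH", "SYN"}
    print(narrow_rule(src, 515, first_fix))
    for dpt, flags in not_covered_by(first_fix, pkts):
        print(f"  still blocked: -> :{dpt} {' '.join(sorted(flags))}")
    print(host_rule(src))
```

Running it prints the first rule, then the ACK+PSH and plain-ACK packets to port 1023 that the rule's mask-and-compare cannot match, then the per-host rule. The per-host rule is broader than needed; if the print server's address is stable, restricting it with `--sport 515` keeps the hole limited to LPD replies.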

