network printer probs in fc3 vs fc2

Alexander Dalloz ad+lists at uni-x.org
Mon Dec 13 01:32:03 UTC 2004


On Mon, 13.12.2004 at 1:26, sola at doctor.com wrote:

> > > Fortunately my connection to the internet is thru a hardware router
> > > which does provide NAT, and allegedly a primative firewall.
> 
> So would terrible things happen to me if I marked eth0 as trusted in the gui?
> As this does stop the problem.

Depending on your whole environment setup, making device eth0 trusted
(which means a general accept rule for this device). As less is needed
to make your print server work again, I suggest not going that route.

> > I don't have the default FC2 iptables ruleset, so I can't say what
> > changed. Maybe its an iptables change in the kernel implementation?
> 
> I went back and compared fc2 to fc3 both default settings, using 
> cat /etc/sysconfig/iptables :
> they are exactly the same except for 3 lines found only in fc3:
> 
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --deport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

All 3 are accept rules and can't influence the iptables filtering badly.

> Now I'm only a newb but this reminds me of some things Matthew 
> Saltman said earlier in this thread:
> 
> "With only ipp:udp open, I could see the printers just fine on clients, but
> jobs would just queue without printing.  When I opened ipp:tcp, all the
> queued jobs flushed."

His bugzilla ticket #142015 is still in state new.

> So I attempted a little experiment -- I put the alleged offending 
> three troublemakers back into fc2:
> this generated an error message for line 2 above.

Certainly because line 2 has a misspelling error: "--deport" you write
there while it has to be "--dport". In the other 2 lines this is written
correctly.

> So I took it out and put the other two in and restarted with
>  /etc/init.d/iptables restart
> which ran OK and which caused no discernible problems and I could still print.
> So I conclude that there might be something about
> -A RH-Firewall-1-INPUT -p udp -m udp --deport 631 -j ACCEPT
> which could cause a problem in fc2.
> The next logical step would be to try removing the potential culprits in fc3:
> but neither removing -A RH-Firewall-1-INPUT -p udp -m udp --deport 631 -j ACCEPT alone, 
> nor all three together restored printing.
> So much for that theory.

If the 3 iptables rule lines are the only difference in iptables between
FC2 and FC3, then there must be something different causing trouble with
the print server. Or one could even say: with FC3 all works well - see
my investigations below - while on FC2 the firewalling was "too open".

> > See too another list mail where someone with the same print server
> > reports too a firewalling problem. But in this case the problem seemed
> > to be an incorrect destination port the print server tries to reach:
> >
> > https://www.redhat.com/archives/fedora-list/2004-November/msg08530.html
> >
> > Printing, I see the print server wants to send to port 1023, which is
> > not correct:
> >
> > Dec 12 02:02:50 bartleby kernel: BLOCKED IN=eth0 OUT=
> > MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.168.0.99
> > DST=192.168.0.3 LEN=41 TOS=0x00 PREC=0x00 TTL=30 ID=5722 PROTO=TCP
> > SPT=515 DPT=1023 WINDOW=1024 RES=0x00 ACK PSH URGP=0
> >
> > This is another problem. You will need to allow more traffic from the
> > Netgear print server. Following rule should be sufficient:
> >
> > -A RH-Firewall-1-INPUT -s 192.168.0.99 -p tcp -m tcp -j ACCEPT
> >
> > Here 192.168.0.99 is the IP for my device, yours might be different. It
> > seems the firmware of the Netgear PS110 is broken / non standard
> > conform.

> Doing this gives me a complete cure!
> printing is functional and I can browse to the printserver.

This _must_ work, as with words from top, the rule makes the Netgear
print server a "trusted device" (by its IP).

Btw. you could check your Netgear's serial number and maybe there is a
chance to upgrade its firmware. See

http://kbserver.netgear.com/support_details.asp?dnldID=809

For the PS11F series there is a good chance to fix things by flashing
with a newer firmware. I have a PS11D model and will right now see what's
my print server's firmware state.

> This is simply wonderful
> and it gives me a warm feeling that the members of this list
> Alexander in particular
> would help a newb like me

This is not a question of whether one is a Linux starter or has quite
some experience. Of course newcomers get help.

> Steve

Alexander


-- 
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp 
Serendipity 02:02:18 up 2 days, 20:43, load average: 0.19, 0.45, 0.96 
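An added example, not part of the thread: a small parser for kernel LOG lines in the format of the BLOCKED line quoted above. From each blocked LPD reply (source port 515, mid-stream, to a privileged client port) it derives an accept rule narrower than the one suggested in the thread, restricted to the print server's address, the single host it answers and its source port, on the assumption that those replies are the only traffic from the print server that needs opening. The second and third log lines are constructed.

```python
import re

# Constructed sample input: the BLOCKED line quoted in the thread plus two
# invented lines (a second LPD reply and an unrelated inbound SYN to port 22).
SAMPLE_LOG = """\
Dec 12 02:02:50 bartleby kernel: BLOCKED IN=eth0 OUT= MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.168.0.99 DST=192.168.0.3 LEN=41 TOS=0x00 PREC=0x00 TTL=30 ID=5722 PROTO=TCP SPT=515 DPT=1023 WINDOW=1024 RES=0x00 ACK PSH URGP=0
Dec 12 02:03:10 bartleby kernel: BLOCKED IN=eth0 OUT= MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.168.0.99 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=30 ID=5723 PROTO=TCP SPT=515 DPT=1022 WINDOW=1024 RES=0x00 ACK URGP=0
Dec 12 02:05:00 bartleby kernel: BLOCKED IN=eth0 OUT= MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.168.0.50 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LPD_PORT = 515                  # RFC 1179 LPD server port
CHAIN = "RH-Firewall-1-INPUT"   # Fedora's default chain, as in the thread

def parse_line(line):
    """Parse one netfilter LOG line into a dict; None if not a TCP log line."""
    m = re.search(r"kernel: \S+ (IN=.*)$", line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group(1).split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v        # e.g. SRC=192.168.0.99; OUT= has an empty value
        else:
            flags.add(tok)       # bare TCP flag names: SYN, ACK, PSH, ...
    if fields.get("PROTO") != "TCP":
        return None
    return {"src": fields["SRC"], "dst": fields["DST"], "flags": flags,
            "sport": int(fields["SPT"]), "dport": int(fields["DPT"])}

def is_lpd_reply(p):
    """Server->client data on an LPD session: from port 515, mid-stream (ACK but
    no SYN), to a privileged client port (LPR clients bind below 1024)."""
    return (p["sport"] == LPD_PORT and "ACK" in p["flags"]
            and "SYN" not in p["flags"] and p["dport"] < 1024)

def suggest_rules(log_text):
    """One ACCEPT rule per (print server, host) pair whose LPD replies were
    blocked; other blocked packets (like the SYN to port 22) get no rule."""
    rules = []
    for line in log_text.splitlines():
        p = parse_line(line)
        if p and is_lpd_reply(p):
            rule = (f"-A {CHAIN} -s {p['src']} -d {p['dst']} -p tcp -m tcp "
                    f"--sport {LPD_PORT} -j ACCEPT")
            if rule not in rules:
                rules.append(rule)
    return rules
```

In /etc/sysconfig/iptables the generated line has to sit before the chain's final REJECT rule, otherwise it is never reached.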