There have been multiple accounts created with the sole purpose of posting advertisement posts or replies containing unsolicited advertising.

Accounts which solely post advertisements, or persistently post them may be terminated.

Firewall preventing Printing/Scanning on OpenSUSE Tumbleweed

Hello, I’m trying to use my Epson XP-200 printer/scanner with OpenSUSE Tumblweed.

  • /etc/sane.d/dll.conf has the “epson2” line uncommented.
  • /etc/sane.d/epson2.conf has “net autodiscovery” as its last line
  • My user is part of the “lp” group, which seems to be required for finding printers/scanners

If I disable the firewall completely (using YaST2 firewall program), it works – the Skanlite software detects my scanner and connects to it. With the firewall enabled, however, Skanlite says SANE cannot find any scanners. I have tried allowing TCP and UDP ports 8610, 8612 (based on suggestions from wiki.debian.org/SaneOverNetwork), and 631 (for CUPS) in the “public” zone, and added the “sane” service to “Allowed” services (didn’t see a “cups” service option), but Skanlite still says SANE cannot find the scanner.

Is there a way for “net autodiscovery” to work without completely disabling my firewall? What ports/services should I allow? It seems the alternative is to manually specify the printer’s IP address in /etc/sane.d/epson2.conf instead of “net autodiscovery”, but I would prefer to not hardcode this.

Thank you in advance for any suggestions!

EDIT: Based on suggestions below, I turned on firewall logging with the instructions cyberciti.biz/…/enable-firewalld-logging-for-deni…):

  • sudo vi /etc/firewalld/firewalld.conf
  • Set LogDenied=all
  • sudo firewall-cmd --reload

To find lines related to my printer (known to be at 192.168.1.57):

  • dmseg | grep 192.168.1.57

Here is a sample of the output (192.168.1.105 is my OpenSUSE computer):

[30974.673679] filter_IN_public_REJECT: IN=wlp0s20f0u3 OUT= MAC= SRC=192.168.1.57 DST=192.168.1.105 LEN=104 TOS=0x00 PREC=0x00 TTL=30 ID=37923 PROTO=UDP SPT=3289 DPT=48375 LEN=84 MARK=0x3214

[30976.299712] filter_IN_public_REJECT: IN=wlp0s20f0u3 OUT= MAC= SRC=192.168.1.57 DST=192.168.1.105 LEN=104 TOS=0x00 PREC=0x00 TTL=30 ID=37924 PROTO=UDP SPT=3289 DPT=52415 LEN=84 MARK=0x3214

[31139.093164] filter_IN_public_REJECT: IN=wlp0s20f0u3 OUT= MAC= SRC=192.168.1.57 DST=192.168.1.105 LEN=104 TOS=0x00 PREC=0x00 TTL=30 ID=38084 PROTO=UDP SPT=3289 DPT=46833 LEN=84 MARK=0x3214

Looks like 3289 UDP is the port of interest, and it shows up on an EPSON website (epson.com/faq/SPT_C11CG18201~faq-0000525-shared?f…). I tried adding it to “public” and “home” zones and it still doesn’t work. Is there a different zone I should be using?

lemmyvore ,

Are you using Avahi for the auto discovery? If so you need to open port 5353 UDP.

iggames OP ,

No change with allowing 5353 UDP through the firewall, unfortunately. But thank you for the suggestion!

lemmyvore ,

You may also need to allow multicast. Look into it a bit more.

You can also enable debugging on the firewall and see what exactly gets blocked.

iggames OP ,

Added some info to the post. Firewall is blocking 3289 UDP from my printer, so I added 3289 UDP to open ports for “home”, “public”, and “internal” zones. However, I’m still seeing filter_IN_public_REJECT entries in dmesg, so it seems the firewall is still blocking these. Is there a different way I should be telling it to allow requests on this port?

Firewall also allows mdns service (again, in “home”, “public”, and “internal” zones), but I also see entries like this:

[41951.119486] filter_IN_public_REJECT: IN=wlp0s20f0u3 OUT= MAC= SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=10725 DF PROTO=2 MARK=0x3214

It sounds like 224.0.0.1 is related to mdns broadcasts, so it seems firewall is also still blocking these (despite mdns being allowed service).

Am I specifying these in the wrong place? (Per Connections - System Settings, my wifi is in Firewall zone “home”).

MyNameIsRichard ,
@MyNameIsRichard@lemmy.ml avatar

Is mdns allowed?

iggames OP ,

Added “mdns” service to allowed list for public zone, still get the SANE error. (Previously added 5353 UDP per another suggestion – sounds like this is the port for mDNS)

MyNameIsRichard ,
@MyNameIsRichard@lemmy.ml avatar

A quick scan through the services in Yast firewall revealed that there is a sane service too. Is that enabled?

iggames OP ,

Yes, “sane” service is already in the “Allowed” list.

Petter1 ,

As I understand this article ( linuxconfig.org/how-to-monitor-network-activity-o… ), you can disable firewall and run “sudo netstat -tulpen” to get a list of all connections and find which ports need to be forwarded.

SheeEttin ,

Surely your firewall has an audit log for denied traffic.

Or, turn off the firewall and run Wireshark while you print something.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • [email protected]
  • random
  • lifeLocal
  • goranko
  • All magazines
    •