Firewall - OUTPUT rule

Roberto Ragusa mail at robertoragusa.it
Sat Sep 25 09:33:47 UTC 2010


JD wrote:
> 
> On 09/23/2010 08:20 PM, Kevin J. Cummings wrote:
>> On 09/23/2010 10:34 PM, JD wrote:
>>>    The firewall is belching these messages:
>>>
>>> Sep 23 19:22:39 vger kernel: Dropped by firewall: IN=wlan0 OUT= MAC=
>>> SRC=192.168.0.8 DST=192.168.0.255 LEN=223 TOS=0x00 PREC=0x00 TTL=64 ID=0
>>> DF PROTO=UDP SPT=631 DPT=631 LEN=203
>>>
>>> Thing is, 192.168.0.8 is my wlan0 ip address.
>>>
>>> Since port 631 is the internet printing protocol, the packet must be
>>> getting sent by the cups daemon
>>> because I configured to print on a network wireless printer.
>> 192.168.0.255 looks like a BROADCAST address.  The packet in question is
>> being sent to every machine on the 192.168.0/24 network.
>>
>> Port 631 is indeed the CUPS port.  It looks like CUPS to CUPS communication.
>>
>> CUPS is probably looking to "discover" other printers on your network.
>>
>>> What should an OUTPUT rule look like to allow these packets to be sent?
>>> Or is it a problem with my INPUT filters?
>> Probably a problem with your INPUT filters.
> I have this input rule:
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -s 192.168.0.0/24 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -s 192.168.0.0/24 -j ACCEPT

These rules say "accept any new connection from anyone on port 631".
The rejected packets are your packets, which you are sending to everyone,
including yourself. Maybe they are not considered NEW but ESTABLISHED.
In this case, you should try adding rules like these and see if something
changes:
   -A INPUT -m tcp -p tcp --dport 631 -s 192.168.0.0/24 -j ACCEPT
   -A INPUT -m udp -p udp --dport 631 -s 192.168.0.0/24 -j ACCEPT

-- 
   Roberto Ragusa    mail at robertoragusa.it
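Added example, not part of the thread: a small Python triage script that parses the netfilter LOG line quoted above, flags it as a self-originated broadcast to the CUPS port on the local /24, and checks whether the stateless rule suggested in the reply (no `-m state`) would match it. The local subnet (192.168.0.0/24) and the rule parameters are taken from the thread; conntrack's NEW/ESTABLISHED classification is the open question and is deliberately not emulated.

```python
import ipaddress
import re

# Constructed sample: the kernel log line quoted in the thread, same field values.
SAMPLE_LOG = (
    "Sep 23 19:22:39 vger kernel: Dropped by firewall: IN=wlan0 OUT= MAC= "
    "SRC=192.168.0.8 DST=192.168.0.255 LEN=223 TOS=0x00 PREC=0x00 TTL=64 ID=0 "
    "DF PROTO=UDP SPT=631 DPT=631 LEN=203"
)

# KEY=VALUE tokens of the netfilter LOG target; bare flags such as DF carry no '='.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_netfilter_log(line):
    """Return the KEY=VALUE fields of a LOG line as a dict.

    Empty values (OUT=, MAC=) become ''. LEN appears twice (IP header, then
    UDP header); the first occurrence, the IP length, is kept.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return fields


def is_local_broadcast(fields, local_net):
    """True if SRC lies in local_net and DST is that network's directed broadcast."""
    net = ipaddress.ip_network(local_net)
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    return src in net and dst == net.broadcast_address


def stateless_rule_matches(fields, proto, dport, source_net):
    """Emulate '-p PROTO --dport DPORT -s SOURCE_NET -j ACCEPT' without a state match."""
    src = ipaddress.ip_address(fields["SRC"])
    return (fields.get("PROTO", "").lower() == proto.lower()
            and fields.get("DPT") == str(dport)
            and src in ipaddress.ip_network(source_net))


def classify(line, local_net="192.168.0.0/24"):
    """Label a dropped packet so CUPS browse broadcasts stand out in the log."""
    f = parse_netfilter_log(line)
    if f.get("PROTO") == "UDP" and f.get("DPT") == "631" and is_local_broadcast(f, local_net):
        return "cups-browse-broadcast"
    return "other"
```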