Problem seeing network scanner thru firewall

Sherman Grunewagen sugarwagon at zoho.com
Sat Jan 11 20:37:53 UTC 2014


On 01/11/2014 11:08 AM, Jorge Fábregas wrote:
> On 01/11/2014 02:45 PM, Sherman Grunewagen wrote:
>> [root at neuron ~]# firewall-cmd --list-all
>> public (default, active)
>>     interfaces: em1
>>     sources:
>>     services: mdns ssh
>>     ports:
>>     masquerade: no
>>     forward-ports:
>>     icmp-blocks:
>>     rich rules:
>
> All right.  This confirms that you're using the default zone called
> "public" and that indeed you have mdns enabled for that zone, so I'm not
> sure why it isn't working.    You could install tcpdump and try to capture
> a few seconds while you try to access the scanner.  This way you could
> see the traffic that is originating from your scanner (and that your
> firewall may be blocking).  You could do this by:
>
> yum install tcpdump
> tcpdump -i em1 src IP-OF-YOUR-PRINTER
>
> I recognize this is kind of advanced stuff if you're not familiar with
> networking protocols so perhaps an easier way would be to white-list the
> ip address of your printer/scanner so that, any traffic coming from it,
> your firewall would allow it.

I know almost nothing about network protocols, but I can follow instructions. :-)
I've posted the output of two invocations of tcpdump at:

  http://ur1.ca/ge1i9

In the 1st invocation I used the scanner IP number; in the 2nd the IP name.
(For some reason, the lines before C-c are different.) For each invocation,
I started tcpdump, then started vuescan (which failed to see the scanner),
then quit vuescan, then C-c-ed out of tcpdump.
I would enjoy learning what the output means.

>  If you trust your printer not to "hack" :) your computer you could do this:
>
> firewall-cmd --add-rich-rule 'rule family="ipv4" source address="IP-OF-YOUR-PRINTER" accept'
>
> Try it. If that works then make the above rule permanent with:
>
> firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="IP-OF-YOUR-PRINTER" accept'
>
> Please let us know if it works.

I tried the temporary change and it worked. If you have the time I would
appreciate learning how to make the more fine-tuned changes in the firewall.
O'wise I'll make the change permanent.

Question: In my original message, I mentioned that I was seeing lines like

ACCEPT     udp  --  anywhere             224.0.0.251             udp dpt:mdns ctstate NEW

in the output of `iptables -L'.
One of these was in the "Chain IN_public_allow (1 references)".
By goofing around in the firewall-config interface I was able
to change the 224.0.0.251 to "anywhere". But that didn't
let the scanner through. Would you please explain why?  Thanks.

Sherman
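A way to read the tcpdump output and derive the "more fine-tuned" firewalld rules from it, as an added example that is not part of the thread: the capture lines below are constructed (the linked paste is not reproduced), with 192.168.1.50 standing in for the scanner and 192.168.1.10 for the Fedora host. The summary shows which unicast ports the scanner actually uses beyond multicast mDNS, and the rich rules open only those ports for that source address instead of accepting everything from it.

```python
import re
from collections import Counter

# Constructed sample tcpdump output, not the capture linked in the thread.
# 192.168.1.50 stands in for the scanner, 192.168.1.10 for the Fedora host.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.50.5353 > 224.0.0.251.5353: 0 PTR (QM)? _scanner._tcp.local. (37)
12:00:02.100000 IP 192.168.1.50.5353 > 192.168.1.10.5353: 0*- [0q] 1/0/0 PTR scanner._scanner._tcp.local. (80)
12:00:03.200000 IP 192.168.1.50.8612 > 192.168.1.10.8612: UDP, length 32
12:00:03.200500 IP 192.168.1.50.8612 > 192.168.1.10.8612: UDP, length 32
12:00:04.300000 IP 192.168.1.50.35001 > 192.168.1.10.8610: Flags [S], seq 1, win 8192, length 0
"""

# tcpdump line shape: timestamp IP src.sport > dst.dport: rest
PKT_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")


def summarize(capture, scanner_ip):
    """Count packets sent by scanner_ip, keyed by (protocol, destination, port).
    Protocol is inferred heuristically: tcpdump prints 'Flags [..]' for TCP;
    everything else in this sample is UDP (mDNS itself is UDP/5353)."""
    counts = Counter()
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if not m or m.group(1) != scanner_ip:
            continue
        _, _, dst, dport, rest = m.groups()
        proto = "tcp" if "Flags [" in rest else "udp"
        counts[(proto, dst, int(dport))] += 1
    return counts


def rich_rules(counts, scanner_ip):
    """Build firewalld rich rules admitting only the observed unicast ports from
    the scanner, rather than accepting all of its traffic. Multicast mDNS to
    224.0.0.251 is skipped because the zone's mdns service already allows it."""
    rules = []
    for proto, dst, dport in sorted(counts):
        if dst.startswith("224."):
            continue
        rules.append(f'rule family="ipv4" source address="{scanner_ip}" '
                     f'port port="{dport}" protocol="{proto}" accept')
    return rules


if __name__ == "__main__":
    counts = summarize(SAMPLE_CAPTURE, "192.168.1.50")
    for (proto, dst, dport), n in sorted(counts.items()):
        print(f"{proto} -> {dst}:{dport}  {n} packet(s)")
    for rule in rich_rules(counts, "192.168.1.50"):
        print(f"firewall-cmd --add-rich-rule '{rule}'")
```

Run it against a real capture (`tcpdump -i em1 -n src IP-OF-YOUR-PRINTER > scanner.txt`) by reading that file instead of SAMPLE_CAPTURE; the printed firewall-cmd lines can then be tested one at a time and made permanent with `--permanent` once the scanner is found.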
