Problem seeing network scanner thru firewall
Sherman Grunewagen
sugarwagon at zoho.com
Sat Jan 11 20:37:53 UTC 2014
On 01/11/2014 11:08 AM, Jorge Fábregas wrote:
> On 01/11/2014 02:45 PM, Sherman Grunewagen wrote:
>> [root at neuron ~]# firewall-cmd --list-all
>> public (default, active)
>> interfaces: em1
>> sources:
>> services: mdns ssh
>> ports:
>> masquerade: no
>> forward-ports:
>> icmp-blocks:
>> rich rules:
>
> All right. This confirms that you're using the default zone called
> "public" and that indeed you have mdns enabled for that zone so I'm not
> sure why it isn't working. You could install tcpdump and try to capture
> a few seconds while you try to access the scanner. This way you could
> see the traffic that is originating from your scanner (and that your
> firewall may be blocking). You could do this by:
>
> yum install tcpdump
> tcpdump -i em1 src IP-OF-YOUR-PRINTER
>
> I recognize this is kind of advanced stuff if you're not familiar with
> networking protocols so perhaps an easier way would be to white-list the
> ip address of your printer/scanner so that, any traffic coming from it,
> your firewall would allow it.
I know almost nothing about network protocols, but I can follow instructions. :-)
I've posted the output of two invocations of tcpdump at:
http://ur1.ca/ge1i9
In the 1st invocation I used the scanner IP number; in the 2nd the IP name.
(For some reason, the lines before C-c are different.) For each invocation,
I started tcpdump, then started vuescan (which failed to see the scanner),
then quit vuescan, then C-c-ed out of tcpdump.
I would enjoy learning what the output means.
> If you trust your printer not to "hack" :) your computer you could do this:
>
> firewall-cmd --add-rich-rule 'rule family="ipv4" source address="IP-OF-YOUR-PRINTER" accept'
>
> Try it. If that works then make the above rule permanent with:
>
> firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="IP-OF-YOUR-PRINTER" accept'
>
> Please let us know if it works.
I tried the temporary change and it worked. If you have the time I would
appreciate learning how to make the more fine-tuned changes in the firewall.
Otherwise I'll make the change permanent.
Question: In my original message, I mentioned that I was seeing lines like
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns ctstate NEW
in the output of `iptables -L'.
One of these was in the "Chain IN_public_allow (1 references)"
By goofing around in the firewall-config interface I was able
to change the 224.0.0.251 to "anywhere". But that didn't
let the scanner through. Would you please explain why? Thanks.
Sherman
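The "fine-tuned" alternative to accepting everything from the scanner's address is to allow only the ports it actually sends to, which is what the tcpdump capture suggested above is for. The firewalld "mdns" service only opens UDP 5353 towards 224.0.0.251 (the iptables line quoted in the question); any other port the scanner uses needs its own rule. The script below is an added example for this page, not code posted by either participant in the thread. It parses `tcpdump -n` output (constructed sample lines; the scanner at 192.168.1.50 and the CentOS box at 192.168.1.10 are assumptions) and prints, without running them, one per-port firewalld rich rule per destination port seen.

```shell
#!/bin/sh
# Added example for this thread, not code posted by either participant.
# Turns tcpdump output captured from the scanner into per-port firewalld rich
# rules, so the scanner is allowed only on the ports it actually uses instead
# of "accept everything from this address".  Addresses and port numbers below
# are assumptions chosen for the example.

# Constructed sample of `tcpdump -n -i em1 src 192.168.1.50` (scanner assumed at
# 192.168.1.50, the CentOS box at 192.168.1.10).  The first line is the banner
# tcpdump writes to stderr; it is included to show that non-packet lines are
# skipped by the parser.
SAMPLE_CAPTURE='listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:00:01.000000 IP 192.168.1.50.5353 > 224.0.0.251.5353: UDP, length 120
12:00:01.100000 IP 192.168.1.50.49152 > 192.168.1.10.8612: UDP, length 52
12:00:01.200000 IP 192.168.1.50.49153 > 192.168.1.10.8612: UDP, length 52
12:00:02.000000 IP 192.168.1.50.36000 > 192.168.1.10.22: Flags [S], seq 0, win 65535, length 0'

# Read tcpdump -n output on stdin; print one "proto port" pair per distinct
# destination port, sorted.  Only IPv4 "IP" lines are parsed; tcpdump prints
# UDP datagrams as "UDP, length N" and TCP segments as "Flags [...]".
scanner_dst_ports() {
    awk '
        $2 != "IP" { next }
        {
            dst = $5; sub(/:$/, "", dst)          # "192.168.1.10.8612:" -> "192.168.1.10.8612"
            n = split(dst, parts, ".")            # last component is the port
            port = parts[n]
            proto = ($6 == "UDP,") ? "udp" : "tcp"
            key = proto " " port
            if (!(key in seen)) { seen[key] = 1; print key }
        }' | sort
}

# $1 = scanner address; reads "proto port" pairs on stdin and prints the
# matching firewall-cmd rich rules.  They are printed, not run: review them,
# then run the ones you want (add --permanent to keep them across reloads).
rich_rules_for() {
    ip=$1
    while read -r proto port; do
        printf "firewall-cmd --add-rich-rule 'rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"%s\" accept'\n" \
            "$ip" "$port" "$proto"
    done
}

# Usage on the constructed capture:
printf '%s\n' "$SAMPLE_CAPTURE" | scanner_dst_ports | rich_rules_for 192.168.1.50
```

Run the real capture with `-n` so addresses and ports print numerically (the parser relies on tcpdump's field positions), and feed it to `scanner_dst_ports` in place of the sample. Each printed rule admits the scanner on exactly one port and protocol; the blanket `source address=... accept` rule from the thread is what you fall back to if the scanner's traffic turns out to use unpredictable ports.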