Problem seeing network scanner thru firewall

Jorge Fábregas jorge.fabregas at gmail.com
Sat Jan 11 21:21:56 UTC 2014


On 01/11/2014 04:37 PM, Sherman Grunewagen wrote:

> I know almost nothing about network protocols, but I can follow instructions. :-)
> I've posted the output of two invocations of tcpdump at:
> 
>   http://ur1.ca/ge1i9
> 
> In the 1st invocation I used the scanner IP number; in the 2nd the IP name.

It really doesn't matter if you use the IP or the name.  Tcpdump will
resolve the name to its IP.

> (For some reason, the lines before C-c are different.) For each invocation,

I see traffic from the printer coming from its mDNS port (5353, if I
remember) and the traffic is destined to your machine at some random
port (which is an ephemeral port, a random port above 1,024).  I guess
this is the VueScan software originating the transaction from port
36,247 on your first try and on port 41,354 on the next try.  The
default firewall rule should allow any response from traffic initiated
from your machine so I'm not sure what's going on.  But then, I really
don't know how mDNS works...

You could try it again without limiting the capture to source address.
Try it with:

tcpdump -i em1 -n net 192.168.1.0/24

...so we can see the whole transaction.


> I started tcpdump, then started vuescan (which failed to see the scanner),
> then quit vuescan, then C-c-ed out of tcpdump.
> I would enjoy learning what the output means.

Try some tcpdump tutorial or better yet, learn how to use Wireshark (a
graphical tool).  However, you should first learn networking principles
in order to use these tools so you can make sense out of them.  You could
learn the tool by itself but it will do you no good if you don't know
what's going on.


> I tried the temporary change and it worked. If you have the time I would
> appreciate learning how to make the more fine-tuned changes in the firewall.
> O'wise I'll make the change permanent.

Well let's try another tcpdump capture and see if I can come up with
something.  If not we'll have to see if there's anyone out there who
knows better.


> Question: In my original message, I mentioned that I was seeing lines like
> 
> ACCEPT     udp  --  anywhere             224.0.0.251             udp dpt:mdns ctstate NEW
> 
> in the output of `iptables -L'.
> One of these was in the "Chain IN_public_allow (1 references)"
> By goofing around in the firewall-config interface I was able
> to change the 224.0.0.251 to "anywhere". But that didn't
> let the scanner through. Would you please explain why?  Thanks.

The 224.0.0.251 is a multicast address and it makes sense in the mDNS
context, so you don't need to change it.  You can read more about it here:

http://en.wikipedia.org/wiki/Multicast_DNS

I personally haven't worked with it so I know nothing about it.

-- 
Jorge
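As an added example (not part of this thread), a small Python script that parses tcpdump-style `-n` output and checks each packet against the match fields of the `ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns` rule quoted above, so one can see which of the packets a capture shows would actually hit that rule. The capture lines, addresses and ports are constructed samples, not the poster's paste.

```python
import re
from dataclasses import dataclass

# Constructed sample in tcpdump -n format (assumed layout; not the thread's capture):
# a host query to the mDNS group, a unicast reply from the printer to the host's
# ephemeral port, a multicast reply, and an unrelated TCP SYN.
SAMPLE_CAPTURE = """\
21:30:01.100 IP 192.168.1.10.36247 > 224.0.0.251.5353: 0 PTR (QM)? _uscan._tcp.local. (35)
21:30:01.102 IP 192.168.1.50.5353 > 192.168.1.10.36247: 0*- [0q] 1/0/0 PTR printer._uscan._tcp.local. (70)
21:30:01.105 IP 192.168.1.50.5353 > 224.0.0.251.5353: 0*- [0q] 1/0/0 PTR printer._uscan._tcp.local. (70)
21:30:05.000 IP 192.168.1.10.41354 > 192.168.1.50.80: Flags [S], seq 1, win 64240, length 0
"""

MDNS_GROUP = "224.0.0.251"   # multicast group from the quoted rule
MDNS_PORT = 5353             # "dpt:mdns" in the quoted rule

LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_capture(text):
    """Extract addresses, ports and a rough protocol guess from tcpdump -n lines."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not 'IP src.port > dst.port:' summaries
        proto = "tcp" if "Flags [" in line else "udp"  # tcpdump prints TCP flags, not UDP
        packets.append(Packet(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), proto))
    return packets


def matches_mdns_allow_rule(pkt):
    """Mirror the quoted rule's match fields: udp, any source, dst 224.0.0.251, dpt 5353."""
    return pkt.proto == "udp" and pkt.dst == MDNS_GROUP and pkt.dport == MDNS_PORT


def classify(pkt):
    """Label a packet as the thread describes it: multicast mDNS, or a reply to an ephemeral port."""
    if pkt.sport != MDNS_PORT and pkt.dport != MDNS_PORT:
        return "not mDNS"
    if matches_mdns_allow_rule(pkt):
        return "mDNS to multicast group (matches the 224.0.0.251 rule)"
    if pkt.sport == MDNS_PORT and pkt.dport > 1024:
        return "mDNS reply to ephemeral port %d (does not match the 224.0.0.251 rule)" % pkt.dport
    return "other mDNS traffic"
```

Running `classify()` over `parse_capture(SAMPLE_CAPTURE)` shows that only packets addressed to 224.0.0.251:5353 satisfy the rule's destination match; a unicast reply from port 5353 to an ephemeral port does not.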

