network printer probs in fc3 vs fc2
Alexander Dalloz
ad+lists at uni-x.org
Sun Dec 12 01:26:11 UTC 2004
On Sat, 11.12.2004, sola at doctor.com wrote at 3:26:
> > Later on the day I will check with the default FC3 iptables rules what
> > the cause for your trouble could be. I guess you didn't customize the
> > iptables rules.
>
> Correct-- no customization.
>
> Fortunately my connection to the internet is thru a hardware router
> which does provide NAT, and allegedly a primitive firewall.
> Steve
Ok, I found out what's happening.
What the Netgear print server sends back when Fedora connects to it on
port 515 for LPD is a TCP sequence which is not recognised as TCP state
RELATED.
Dec 12 01:27:24 bartleby kernel: BLOCKED IN=eth0 OUT=
MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.168.0.99
DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=4476 PROTO=TCP
SPT=515 DPT=44069 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
In the iptables log, 192.168.0.99 is my Netgear print server PS110,
which sends back "ACK PSH SYN". So with the default FC3 iptables setting
it gets rejected. "nmap -sT -P0 -p 515 192.168.0.99" shows it as closed:
PORT STATE SERVICE
515/tcp closed printer
So I added the following rule to accept this sequence from my printer
server IP with source port 515:
-A RH-Firewall-1-INPUT -p tcp -m tcp --tcp-flags ACK,PSH,SYN ACK,PSH,SYN -s 192.168.0.99 --sport 515 -j ACCEPT
With that, the above nmap run reports
PORT STATE SERVICE
515/tcp open printer
That should work for you too. Though it takes ages until the page is
printed.
I don't have the default FC2 iptables ruleset, so I can't say what
changed. Maybe it's an iptables change in the kernel implementation?
See also another list mail where someone with the same print server
also reports a firewalling problem. But in this case the problem seemed
to be an incorrect destination port the print server tries to reach:
https://www.redhat.com/archives/fedora-list/2004-November/msg08530.html
Printing, I see the print server wants to send to port 1023, which is
not correct:
Dec 12 02:02:50 bartleby kernel: BLOCKED IN=eth0 OUT=
MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.168.0.99
DST=192.168.0.3 LEN=41 TOS=0x00 PREC=0x00 TTL=30 ID=5722 PROTO=TCP
SPT=515 DPT=1023 WINDOW=1024 RES=0x00 ACK PSH URGP=0
This is another problem. You will need to allow more traffic from the
Netgear print server. The following rule should be sufficient:
-A RH-Firewall-1-INPUT -s 192.168.0.99 -p tcp -m tcp -j ACCEPT
Here 192.168.0.99 is the IP for my device, yours might be different. It
seems the firmware of the Netgear PS110 is broken / not
standards-conformant.
Hope this will help you.
Alexander
--
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp
Serendipity 02:26:03 up 1 day, 21:06, load average: 0.59, 0.66, 0.71
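Added example, not part of the original message: a small Python parser for the two "BLOCKED" kernel log entries quoted above. It labels each dropped segment by its TCP flags and derives one ACCEPT rule per (source IP, source port) seen, which is narrower than accepting all TCP from the device. The function names and labels are hypothetical, and whether the narrower rule is enough for the PS110 is an assumption based only on these two logged packets.

```python
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# The two kernel log entries from the message, each re-joined onto one line.
SAMPLE_LOG = (
    "Dec 12 01:27:24 bartleby kernel: BLOCKED IN=eth0 OUT= "
    "MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.168.0.99 "
    "DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=4476 PROTO=TCP "
    "SPT=515 DPT=44069 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)\n"
    "Dec 12 02:02:50 bartleby kernel: BLOCKED IN=eth0 OUT= "
    "MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.168.0.99 "
    "DST=192.168.0.3 LEN=41 TOS=0x00 PREC=0x00 TTL=30 ID=5722 PROTO=TCP "
    "SPT=515 DPT=1023 WINDOW=1024 RES=0x00 ACK PSH URGP=0\n"
)

def parse_line(line):
    """Split one netfilter LOG line into KEY=VALUE fields plus a set of TCP flags."""
    tokens = line.split("kernel:", 1)[-1].split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    # Flags are logged as bare tokens (no '=') between RES= and URGP=.
    fields["flags"] = frozenset(t for t in tokens if t in TCP_FLAGS)
    return fields

def classify(entry):
    """Label the segment by its flag combination (labels are hypothetical)."""
    flags = entry["flags"]
    extra = flags - {"SYN", "ACK"}
    if {"SYN", "ACK"} <= flags:
        suffix = f" with extra {'+'.join(sorted(extra))}" if extra else ""
        return "handshake reply" + suffix
    if "SYN" in flags:
        return "connection attempt"
    return "mid-connection segment"

def scoped_rules(entries, chain="RH-Firewall-1-INPUT"):
    """One ACCEPT rule per distinct (source IP, source port) among dropped TCP packets."""
    pairs = sorted({(e["SRC"], e["SPT"]) for e in entries if e.get("PROTO") == "TCP"})
    return [f"-A {chain} -s {ip} -p tcp -m tcp --sport {port} -j ACCEPT"
            for ip, port in pairs]

if __name__ == "__main__":
    entries = [parse_line(l) for l in SAMPLE_LOG.splitlines()]
    for e in entries:
        print(e["SRC"], e["SPT"], "->", e["DPT"], classify(e))
    print(*scoped_rules(entries), sep="\n")
```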