Printing to a network print server

Sasa Stupar sasa at stupar.homelinux.net
Tue Apr 26 18:13:05 UTC 2005



--On 26 April 2005 18:49 +0200 Alexander Dalloz <ad+lists at uni-x.org> wrote:

> On Tue, 26.04.2005, Sasa Stupar wrote at 18:22:
>
>> Finally it is working. I have set up a firewall with Shorewall and now I
>> can print to the printserver.
>>
>> Sasa
>
> Would you please be so kind and inform us about what now is different
> with your filtering? It may help others in future with a similar
> question.
>
> Alexander

Before, I tried to set up the firewall with Firestarter and with
RH-firewall-config. In either case I couldn't print from the firewalled
machine to the printserver.
Then I set up Shorewall 2.2.3 and set up the firewall with it (via Webmin) and
now I can print from every firewalled machine (with Shorewall installed
and configured).
The only thing I found is an option in shorewall.conf called DROPINVALID
which has to be set to No, otherwise I can't print. From the shorewall.conf:
------------
# DROP INVALID PACKETS
#
# Netfilter classifies packets relative to its connection tracking table into
# four states:
#
#	NEW - the packet initiates a new connection
#	ESTABLISHED - the packet is part of an established connection
#	RELATED - the packet is related to an established connection; it may
#	          establish a new connection
#	INVALID - the packet does not relate to the table in any sensible way.
#
# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
# Window analysis. This can cause packets that were previously classified as
# NEW or ESTABLISHED to be classified as INVALID.
#
# The new kernel code can be disabled by including this command in your
# /etc/shorewall/init file:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
#
# Additional kernel logging about INVALID TCP packets may be obtained by
# adding this command to /etc/shorewall/init:
#
#  echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
#
# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
# option allows INVALID packets to be passed through the normal rules chains by
# setting DROPINVALID=No.
#
# If not specified or if specified as empty (e.g., DROPINVALID="") then
# DROPINVALID=Yes is assumed.

DROPINVALID=No
-----------------------

Regards,
Sasa
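
Added example (not part of the original message and not Shorewall's own code): a shell audit that reports the effective DROPINVALID value from a shorewall.conf, applying the default stated in the quoted comment, together with the two conntrack knobs the excerpt names. The function names, the optional path arguments and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and path arguments are hypothetical.

# Print the effective DROPINVALID (Yes/No) for a shorewall.conf.
# Per the quoted comment, unset or empty means Yes. Taking the last
# uncommented assignment and matching Yes/No case-insensitively are
# assumptions of this sketch.
effective_dropinvalid() {
    conf=${1:-/etc/shorewall/shorewall.conf}
    [ -r "$conf" ] || { echo unreadable; return 2; }
    val=$(sed -n 's/^[[:space:]]*DROPINVALID=//p' "$conf" | tail -n 1 |
          sed 's/[[:space:]]*#.*$//' | tr -d "\"'[:space:]")
    case $val in
        [Nn][Oo]) echo No ;;
        ""|[Yy][Ee][Ss]) echo Yes ;;
        *) echo "unrecognized:$val" ;;
    esac
}

# Print one of the conntrack knobs named in the excerpt, or "absent"
# when the kernel (or the sample tree) does not expose it.
conntrack_knob() {
    f="${2:-/proc}/sys/net/ipv4/netfilter/$1"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# One-line summary, plus a note when INVALID packets are neither
# dropped early nor logged by conntrack.
audit() {
    di=$(effective_dropinvalid "$1") || true
    lib=$(conntrack_knob ip_conntrack_tcp_be_liberal "$2")
    log=$(conntrack_knob ip_conntrack_log_invalid "$2")
    echo "DROPINVALID=$di be_liberal=$lib log_invalid=$log"
    if [ "$di" = No ] && { [ "$log" = 0 ] || [ "$log" = absent ]; }; then
        echo "note: INVALID packets pass to the normal rules chains; conntrack logging of them is off"
    fi
}

# Constructed sample: a config like the one in the message and a fake
# proc tree with both knobs at 0, built in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/proc/sys/net/ipv4/netfilter"
    printf '# setting DROPINVALID=No.\nDROPINVALID=No\n' > "$d/shorewall.conf"
    echo 0 > "$d/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal"
    echo 0 > "$d/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid"
    audit "$d/shorewall.conf" "$d/proc"
    rm -rf "$d"
}
demo
```

On a real host, `audit /etc/shorewall/shorewall.conf` reads the live values under /proc.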
