Printing to a network print server
Sasa Stupar
sasa at stupar.homelinux.net
Tue Apr 26 18:13:05 UTC 2005
--On 26 April 2005 18:49 +0200 Alexander Dalloz <ad+lists at uni-x.org> wrote:
> On Tue, 26.04.2005 at 18:22, Sasa Stupar wrote:
>
>> Finally it is working. I have set up the firewall with Shorewall and now I
>> can print to the printserver.
>>
>> Sasa
>
> Would you please be so kind and inform us about what now is different
> with your filtering? It may help others in future with a similar
> question.
>
> Alexander
Before, I tried to set up the firewall with Firestarter and with
RH-firewall-config. In either case I couldn't print from the firewalled
machine to the printserver.
Then I set up Shorewall 2.2.3 and set up the firewall with it (via Webmin) and
now I can print from every firewalled machine (with Shorewall installed
and configured).
The only thing I found is an option in shorewall.conf called DROPINVALID
which has to be set to No, otherwise I can't print. From the shorewall.conf:
------------
# DROP INVALID PACKETS
#
# Netfilter classifies packets relative to its connection tracking table into
# four states:
#
# NEW - the packet initiates a new connection
# ESTABLISHED - the packet is part of an established connection
# RELATED - the packet is related to an established connection; it may
# establish a new connection
# INVALID - the packet does not relate to the table in any sensible way.
#
# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
# Window analysis. This can cause packets that were previously classified as
# NEW or ESTABLISHED to be classified as INVALID.
#
# The new kernel code can be disabled by including this command in your
# /etc/shorewall/init file:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
#
# Additional kernel logging about INVALID TCP packets may be obtained by
# adding this command to /etc/shorewall/init:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
#
# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
# option allows INVALID packets to be passed through the normal rules chains by
# setting DROPINVALID=No.
#
# If not specified or if specified as empty (e.g., DROPINVALID="") then
# DROPINVALID=Yes is assumed.
DROPINVALID=No
-----------------------
Regards,
Sasa
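
The shorewall.conf excerpt above mentions the extra kernel logging enabled through ip_conntrack_log_invalid. As an added example (not part of the original post and not Shorewall code), this Python script tallies such log entries per flow, to show whether the print-server traffic is what conntrack marks INVALID. The log lines, addresses, port 9100 and the `ip_ct_tcp:` message prefix are constructed assumptions; adjust the pattern to what your kernel actually logs.

```python
import re
from collections import Counter

# Assumed format: conntrack message text followed by the netfilter packet dump.
# The exact prefix depends on the kernel version (assumption, not from the post).
PREFIX = re.compile(r"(?:ip|nf)_ct_tcp: (?P<reason>.*?)\s*IN=")
FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# Constructed sample log: print-server replies, one unrelated host, one ordinary
# Shorewall DROP line and one truncated entry.
SAMPLE_LOG = """\
Apr 26 18:01:02 fw kernel: ip_ct_tcp: invalid packet ignored IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=40 TTL=64 PROTO=TCP SPT=9100 DPT=32801 WINDOW=0 ACK URGP=0
Apr 26 18:01:03 fw kernel: ip_ct_tcp: invalid packet ignored IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=40 TTL=64 PROTO=TCP SPT=9100 DPT=32801 WINDOW=0 ACK URGP=0
Apr 26 18:01:09 fw kernel: ip_ct_tcp: invalid packet ignored IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=40 TTL=64 PROTO=TCP SPT=9100 DPT=32805 WINDOW=0 ACK URGP=0
Apr 26 18:02:00 fw kernel: ip_ct_tcp: invalid state IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 SYN URGP=0
Apr 26 18:02:05 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=40113 DPT=23 WINDOW=5840 SYN URGP=0
Apr 26 18:02:09 fw kernel: ip_ct_tcp: invalid packet ignored IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=40
"""

def summarize_invalid(log_text):
    """Count conntrack INVALID entries per (src, dst, service port, reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue  # ordinary firewall log line, not a conntrack message
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or not f.keys() >= {"SRC", "DST", "SPT", "DPT"}:
            continue  # truncated or non-TCP packet dump
        if not (f["SPT"].isdigit() and f["DPT"].isdigit()):
            continue  # malformed port field
        # Heuristic: treat the lower-numbered port as the service port so that
        # replies from different client ports fold into one flow.
        port = min(int(f["SPT"]), int(f["DPT"]))
        counts[(f["SRC"], f["DST"], port, m["reason"])] += 1
    return counts

if __name__ == "__main__":
    for (src, dst, port, reason), n in summarize_invalid(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src} -> {dst}  port {port}  {reason}")
```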