Firewalled print server

Ian P. Thomas ipt at scraemon.org
Thu Feb 24 22:09:36 UTC 2005


On Thu, 2005-02-24 at 16:22 -0500, Louis Garcia wrote:
> On Thu, 2005-02-24 at 11:02 -0500, Ian P. Thomas wrote:
> > On Wed, 2005-02-23 at 20:35 -0500, Louis Garcia wrote:
> > > I was trying to fix a printing problem and found out I can't print from
> > > a fc3 workstation to a fc3 server using cups and ipp if the server is
> > > firewalled. The server is using the default rh iptables script and a
> > > quick cat through the file shows port 631 open. I would like to keep the
> > > server firewalled and still have remote printing. I believe a simple
> > > tweak of the iptables script will do the trick. Any suggestions?
> > > 
> > > -Louis
> > 
> > Try to do the following:
> > 
> > Connect to the print server using a web browser by using the IP address
> > of the print server followed by :631.  This should give you the CUPS
> > Admin Page.  
> > 
> > Print a test page while running Ethereal on the network interface of the
> > server.  This will give you information as to what exactly the firewall
> > is blocking.  This solved a print server problem I was having.
> > 
> > If you are trying to print using UNIX legacy commands, then you need to
> > open port 515 on the server as well.
> > 
> > If you still have not solved the issue, post your iptables script.
> > 
> > 
> > Ian
> 
> This is my /etc/sysconfig/iptables script:
> 
> # Firewall configuration written by system-config-securitylevel
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

This is for udp only.  Try adding this line:

	-A RH-Firewall-1-INPUT -p tcp --dport 631 -j ACCEPT

This may be removed by the graphical tool, 'Security Level'.  I've
written my own script by hand using the excellent book Red Hat Linux
Firewalls by Bill McCarty.  I can't stress how good this book is.  If
you have some extra cash, buy it.

<snip>

> I can't print nor can I get to the cups admin page while the firewall is running.
> This is the default script fedora uses. Port 631 is there but does not let anything
> in.

With the addition of that line, that should change.

> 
> Trying to install ethereal but net-snmp is a dependency. net-snmp is dependent on
> libnetsnmp.so.5 which I can't find. Which package is this?
> 

	rpm -q --whatprovides libnetsnmp.so.5

Or to find out what all the dependencies are

	rpm -q -R ethereal-gnome | xargs rpm -q --whatprovides | 
	sort --unique

all on one line.  The rpm command is worth learning.  Check out this

	http://www.rpm.org/max-rpm/

I installed ethereal, along with its graphical front end using 
	
	System Setting-> Add/Remove Application
	Look under the 'System' category under 'System Tools'.

Another way is to do 

	up2date --install ethereal-gnome

Good luck, and let us know how it turns out.


Ian
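
The udp-only rule for port 631 discussed above can be spotted mechanically. The following is an added example, not part of the original message or of any Fedora tool: a shell check that reads rules in the /etc/sysconfig/iptables format and reports which protocols have an ACCEPT rule for a destination port. The function names and the embedded sample (a constructed excerpt of the quoted ruleset) are assumptions; it only matches single-port `--dport` rules and does not evaluate rule order.

```shell
#!/bin/sh
# Constructed sample: excerpt of the ruleset quoted in the message above.
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
EOF
}

# accepted_protos PORT   (hypothetical helper; rules are read from stdin)
# Prints, space separated, every protocol that has an ACCEPT rule
# whose --dport is exactly PORT. Port ranges and multiport are ignored.
accepted_protos() {
  awk -v port="$1" '
    /^-A / {
      proto = ""; dport = ""; target = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-p")      proto  = $(i + 1)
        if ($i == "--dport") dport  = $(i + 1)
        if ($i == "-j")      target = $(i + 1)
      }
      if (target == "ACCEPT" && dport == port && proto != "")
        print proto
    }' | sort -u | paste -s -d ' ' -
}

# ipp_tcp_open   (hypothetical helper; rules are read from stdin)
# IPP printing and the CUPS admin page both use TCP 631, so a ruleset
# that only accepts udp/631 returns non-zero here.
ipp_tcp_open() {
  accepted_protos 631 | grep -qw tcp
}

# Demo on the constructed sample; prints: udp
sample_rules | accepted_protos 631
```

On a real server, feed it the live file instead of the sample, e.g. `accepted_protos 631 < /etc/sysconfig/iptables`.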