Cannot use scanner with firewall enabled

kmph
Level 3
Posts: 118
Joined: Sun Oct 12, 2014 3:18 pm

Cannot use scanner with firewall enabled

Post by kmph » Thu Feb 08, 2018 9:30 am

I dunno, do I need firewall enabled for everyday work in my home?

Anyway, currently I have gufw set to Deny incoming, Allow outgoing. This causes no troubles for most part... except one thing.

I cannot use my scanner unless I connect it to my laptop with a USB cable.

Whenever gufw is enabled and the scanner is not connected to my laptop with a USB cable, SimpleScan gives me the error that "No scanners detected. Please check your scanner is connected and powered on.". However, whenever gufw is disabled, I can easily scan even if I don't connect the scanner to my laptop with a usb cable and Simple Scan gives me no errors.

As a result, whenever I need to scan something, I first open gufw, enter the administrator password, disable firewall, scan, enable firewall. This is tedious. Are all these steps really necessary?

Would it be a good idea to simply disable firewall at all and work without it enabled?

Would it be a better idea to add some rules to enable scanning without having to disable firewall each time? What rules should I add?

If this matters, the device is Epson L365 multi-function printer. I downloaded the necessary Linux drivers from here.

JoeFootball
Level 7
Posts: 1506
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Re: Cannot use scanner with firewall enabled

Post by JoeFootball » Thu Feb 08, 2018 9:43 am

kmph wrote: Would it be a better idea to add some rules to enable scanning without having to disable firewall each time?
Yes.

Joe

kc1di
Level 13
Posts: 4779
Joined: Mon Sep 08, 2008 8:44 pm
Location: Maine USA

Re: Cannot use scanner with firewall enabled

Post by kc1di » Thu Feb 08, 2018 9:53 am

Yes, you need to put a rule in allowing scanner access. You may need the IP address. I'm sort of surprised the printer works without a rule also.
Easy tips : https://sites.google.com/site/easylinuxtipsproject/
Linux Mint Installation Guide: http://linuxmint-installation-guide.rea ... en/latest/
Registered Linux User #462608

Arrababiski
Level 1
Posts: 39
Joined: Wed Aug 24, 2016 3:21 pm
Location: España

Re: Cannot use scanner with firewall enabled

Post by Arrababiski » Thu Feb 08, 2018 11:15 am

I had some similar problems with my Epson scanner some months ago. You can read the workaround at the end of the post.

viewtopic.php?f=51&t=228387

kmph
Level 3
Posts: 118
Joined: Sun Oct 12, 2014 3:18 pm

Re: Cannot use scanner with firewall enabled

Post by kmph » Thu Feb 08, 2018 11:29 am

And what rule should I put?

How do I know which port I should allow?

How do I know which IP address I should allow?

I made the printer print out its wireless network info. Let me post excerpts from what the printer spat out:


<TCP/IP IPv4>
IPV4                 Enable
Obtain IP Address    Auto(DHCP)
IP Address           192.168.blah.blah

<TCP/IP IPv6>
IPv6                 Enable
IP Address           blah:blah:blah:blah:blah:blah:blah:blah/64 (Stateless)
                     fe80::blah:blah:blah:blah (Link Local)

I don't understand all of this, but the way I get it (correct me if I'm wrong), this means that the router assigns IPv4 address to the printer dynamically (randomly?), and the printer asks the router to be assigned IPv6 address; but either way, I cannot trust that these addresses don't change in time and especially not in between nights, where both printer and router are being switched off.

Either address I configure ufw to allow is likely to soon become obsolete, is this correct?

So could I kindly ask, how should I configure my firewall?

PS. As strange as it may be, printing works fine, whether firewall is on or off.

kmph
Level 3
Posts: 118
Joined: Sun Oct 12, 2014 3:18 pm

Re: Cannot use scanner with firewall enabled

Post by kmph » Thu Feb 08, 2018 11:30 am

Oops, sorry arrababiski, you posted your answer while I was typing my reply, let me read what is under your link now.

all41
Level 13
Posts: 4987
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: Cannot use scanner with firewall enabled

Post by all41 » Thu Feb 08, 2018 11:36 am

These are the rules that work here:

sudo ufw allow to 192.168.xxx.x
sudo ufw allow from 192.168.xxx.x
Proud to be a supporter and monthly contributor to Mint.

Faust
Level 4
Posts: 440
Joined: Thu Jul 14, 2016 3:40 am

Re: Cannot use scanner with firewall enabled

Post by Faust » Thu Feb 08, 2018 12:08 pm

kc1di wrote:
Thu Feb 08, 2018 9:53 am
...... I'm sort of surprised the printer works without a rule also.
Really ?

Looks to me like UFW is working exactly the way the OP set it up -
" .... I have gufw set to Deny incoming, Allow outgoing .... "
" And so it goes " - Kurt Vonnegut
The modern reality and the satirical parody are rapidly converging .

kmph
Level 3
Posts: 118
Joined: Sun Oct 12, 2014 3:18 pm

Re: Cannot use scanner with firewall enabled

Post by kmph » Thu Feb 08, 2018 12:12 pm

Many thanks all41! I'll try your rules in a second.
all41 wrote:
Thu Feb 08, 2018 11:36 am
sudo ufw allow to 192.168.xxx.x
sudo ufw allow from 192.168.xxx.x
But, but... Does this mean that I'm essentially allowing everything on local network, so from now on I'll have to be very careful never to connect my laptop to any WiFi network other than the one of my home? In particular, it'll be a bad idea to connect to the WiFi network of my university?

Since arrababiski posted his link:
Arrababiski wrote:
Thu Feb 08, 2018 11:15 am
viewtopic.php?f=51&t=228387
May I have one more question? From the post arrababiski linked to:
chris2370 wrote:
Wed Jul 26, 2017 11:07 am
Step 1

sudo nano /etc/default/ufw

FIND:

IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"

REPLACE WITH:

IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns nf_conntrack_sane"

Save file

Step 2

sudo nano /etc/ufw/sysctl.conf

FIND:

net/ipv4/tcp_syncookies=0

REPLACE WITH:

net/ipv4/tcp_syncookies=1

Is this better or worse than simply allowing everything on local network? Not sure if this is relevant here, but from man 8 saned:
First and foremost: saned is not intended to be exposed to the internet or other non-trusted networks. Make sure that access is limited by tcpwrappers and/or a firewall setup. Don't depend only on saned's own authentication. Don't run saned as root if it's not necessary. And do not install saned as setuid root.
I'm sorry for these questions, as it is obvious I'm pretty oblivious when it comes to basic security practices, on account of me not being an evil hacker... And for obvious reasons, when it comes to security, I prefer to first ask rather than try things and see if they work.

all41
Level 13
Posts: 4987
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: Cannot use scanner with firewall enabled

Post by all41 » Thu Feb 08, 2018 12:20 pm

@kmph
But, but... Does this mean that I'm essentially allowing everything on local network, so from now on I'll have to be very careful never to connect my laptop to any WiFi network other than the one of my home? In particular, it'll be a bad idea to connect to the WiFi network of my university?
Substitute for the xxx.x using your printer's actual address.
Use the printer address listed on your router page for connected devices. Your router will have a unique address assigned to your printer, such as for example only 192.168.256.1
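
An added example, not part of any post in this thread: a POSIX shell model of how a ufw `allow from` rule compares source addresses, showing that a rule naming one address admits only that host while a CIDR rule admits the whole subnet. All addresses are constructed, the helper names `ip_to_int`, `rule_admits` and `scanner_rule` are hypothetical, and the comparison models the match rather than reproducing ufw's own code.

```shell
# Added example: which sources "ufw allow from ADDR[/PREFIX]" admits (constructed addresses).

# ip_to_int A.B.C.D (hypothetical helper): print the address as an integer; fail if malformed.
ip_to_int() {
    case $1 in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            0?* | ????*) return 1 ;;   # leading zero or more than three digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# rule_admits FROM SRC (hypothetical helper): succeed if SRC matches "allow from FROM"; bare address = /32; 2 = bad input.
rule_admits() {
    case $1 in
        */*) net=${1%/*}; prefix=${1#*/} ;;
        *)   net=$1; prefix=32 ;;
    esac
    case $prefix in [0-9] | [12][0-9] | 3[0-2]) ;; *) return 2 ;; esac
    net_int=$(ip_to_int "$net") || return 2
    src_int=$(ip_to_int "$2") || return 2
    host_bits=$(( 32 - prefix ))
    # Equal after dropping the host bits means SRC lies inside the rule's range.
    [ $(( net_int >> host_bits )) -eq $(( src_int >> host_bits )) ]
}

# scanner_rule ADDR (hypothetical helper): print a host-scoped rule; refuse a malformed address.
scanner_rule() {
    ip_to_int "$1" >/dev/null || { echo "not an IPv4 address: $1" >&2; return 1; }
    echo "sudo ufw allow from $1"
}

# Constructed demo: scanner at 192.168.1.50, another LAN host at 192.168.1.23.
for src in 192.168.1.50 192.168.1.23; do
    for from in 192.168.1.50 192.168.1.0/24; do
        rule_admits "$from" "$src" && verdict=admitted || verdict=dropped
        echo "allow from $from: packet from $src is $verdict"
    done
done
```

A rule written this way carries no interface or network condition, so it matches that source address on whichever network the laptop is joined to.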

kc1di
Level 13
Posts: 4779
Joined: Mon Sep 08, 2008 8:44 pm
Location: Maine USA

Re: Cannot use scanner with firewall enabled

Post by kc1di » Thu Feb 08, 2018 12:36 pm

One thing that you may also want to do is set a static IP address for your printer. Having a printer on DHCP is not good, because it may assign a new address any time you turn off or add a new piece of hardware to your network. This could be any other device. Set a static IP address outside the normal range, say xxx.x.x.50, where x represents the IP address # used on your system, such as 162.168.0.50 or as on mine it's 10.0.0.250. Then write the rule with the new address.
The static address will have to be set on the printer in question. Look at the printer documentation to see how it's done on yours.