Help with rules to allow network printer in UFW

artifice
Level 1
Posts: 6
Joined: Sun Mar 03, 2013 1:31 pm

Help with rules to allow network printer in UFW

Post by artifice » Thu May 01, 2014 1:04 pm

I've got a Canon networked printer connected to my router and it uses port 9100 which is standard, but I'm having trouble adding the rule to my firewall. I was reading this post: http://forums.linuxmint.com/viewtopic.p ... 71#p840471 where it says to add the following rule to UFW:

sudo ufw allow out proto tcp from port 9100 to 192.168.1.0/24

So I'm trying to modify that for my own scenario as follows:
sudo ufw allow out proto tcp from port 9100 to 192.168.100.15
which is the actual address of the printer, but it's giving an error as "ERROR: Wrong number of arguments", so I'm not sure what I'm doing wrong, and also I don't quite understand the syntax. Isn't the connection "from any port" on my machine "to port 9100" on the printer? The syntax seems counterintuitive to me... Can anyone help?

JeremyB
Level 20
Posts: 11134
Joined: Fri Feb 21, 2014 8:17 am

Re: Help with rules to allow network printer in UFW

Post by JeremyB » Thu May 01, 2014 1:10 pm

Download gufw and see if that is easier

martywd
Level 3
Posts: 146
Joined: Sun May 08, 2011 10:35 am
Location: TX

Re: Help with rules to allow network printer in UFW

Post by martywd » Thu May 01, 2014 3:18 pm

artifice wrote: I've got a Canon networked printer connected to my router and it uses port 9100 which is standard, but I'm having trouble adding the rule to my firewall.
By default, UFW _allows_all_ outgoing traffic so you should not have to do any configuring of UFW in order to print to your router connected printer?

Did you change something to restrict 'outgoing' in UFW? Doubtful since that would create more problems than just printing to networked printer?

In a Terminal window do the following at the commandline:

sudo ufw status verbose
and show us the output.

Reorx
Level 11
Posts: 3934
Joined: Tue Jul 07, 2009 7:14 pm
Location: SE Florida, USA

Re: Help with rules to allow network printer in UFW

Post by Reorx » Thu May 01, 2014 4:04 pm

Since you are behind a router (that, presumably has a firewall running) you are pretty safe from attacks from the internet (and I hope you are not worried about attacks from other computers on your LAN)... Try turning off your firewall (temporarily) and setting up the printer...once you are up and running (or printing in this case), turn the firewall back on and see what happens...
Full time Linux Mint user since 2011 - Currently running LM19 Cinnamon.


KirbySmith
Level 4
Posts: 281
Joined: Sun Feb 03, 2013 10:25 pm

Re: Help with rules to allow network printer in UFW

Post by KirbySmith » Fri May 02, 2014 9:00 pm

Normally, the Linux firewall called IP_TABLES (and its IPv6 counterpart) are always on. They allow outgoing messages but restrict incoming messages that are not part of the states (sessions) of the outgoing messages. So normally one should be able to print without inconvenience to any other device on the same LAN (connected by unmanaged switches, say). Once a router is involved, then a few other issues arise.

If the printer and the client PC are not on the same LAN subnet as determined by the router, then the router may need a firewall rule or rules allowing messages between the relevant subnets, or tightened to relevant IP addresses, as such communications would normally be blocked by default.

GUFW (which Mint supplies as "Firewall Configuration" in the Administration menu for me) will allow you to tailor IP_TABLES to do your bidding in a somewhat more granular way, including blocking outgoing also. Essentially, rules set by GUFW become added rules in IP_TABLES.

When started, Firewall Configuration looks like it is off and has lost all its rules. You have to click 'unlock' and put in your sudo password to make its interface functional. But even though it otherwise looks dead, the rules that you established on top of the internal rules of IP_TABLES are always functional until you deliberately change them.

Although sending a print file out to a printer can be done by default on a fresh installation, allowing incoming messages from printers may be useful to let them pass useful information back to the client printserver function, such as out of paper, or such.

kirby
Desktop 1: DFI Lanparty UT nF4 SLI-D/AMD Athlon 64 San Diego/BFG GeForce 7800 GT/Mint 17.3 MATE
Desktop 2: Gigabyte 770T-USB3/AMD Phenom II X4 965/EVGA GeForce 9800 GT/Mint 17.3 MATE
HTPC: Asus C6H/AMD Ryzen 7 1800X, Asus Geforce 1080 Ti/Mint 18.1 MATE

patrice4419
Level 1
Posts: 23
Joined: Wed Feb 05, 2014 10:12 am

Re: Help with rules to allow network printer in UFW

Post by patrice4419 » Sat May 03, 2014 4:38 pm

It depends what IP address the router gives out. The 192 range is common but NOT alone. There are others used.
When setting up ufw you need to be specific, allow out everything just negates the whole issue of a firewall. Or for that matter allow in items unless you need them.
sudo allow out proto tcp from port 9100 to 192.168.1.0/24 works well on my machine, because when I entered the actual address given for the printer by the router 192.168.1.9 it did not work, so I gave it a range to work with.
If you use CUPS, it might help to allow that out - sudo allow out CUPS.
Bear in mind that order of rules is rather important. Check them - sudo ufw status numbered, it will then be easier to delete or insert rules.
Also you need to switch off IPv6 - /etc/default/ufw - set IPv6 to No. (The reason of failure might be that when the rules were set up the program will make rules for IPv4 and IPv6 at the same time. I am not sure why but when I switched it off it all seemed to come alive.)
Best of luck.
(Penguin PocketWee running Mint 17.1 Cinnamon, Intel Dual Core i5-4250U 1.3Ghz (2.6 Turbo), 8Gb DDR3, mSATA SSD 250Gb, wireless dual band.
The router (D-Link DS3580L) with USB slot.

patrice4419
Level 1
Posts: 23
Joined: Wed Feb 05, 2014 10:12 am

Re: Help with rules to allow network printer in UFW

Post by patrice4419 » Sun May 04, 2014 11:32 am

Sorry, I did a bit more testing on another machine, it seems that at least there, allow out CUPS and allow out 9100 suffice.
Perhaps it depends on the printer and operating system. I had a lot of trouble with Mint 16 and Samsung colour printer but Lubuntu was easy to set up and found the printer driver for the network within seconds and left out the proto tcp line. Also it seems IPv6 is not needed at present. That will be the next problem to sort out. All over though I am happy with UFW although I am now getting on with iptables properly.
One proviso here, if you are a newbie you ought to dismiss those that say 'You don't need anything, Linux is safe'. Well, yes Linux is SAFER but not safe! It is true that virus problems are minimal but not unknown, so perhaps Comodo or ClamAV will be of help. I think that 'man in the middle' and DDOS is or can be more of a problem. As time goes by, these problems can only increase. A warned man counts for two, as the Eskimos say. Cheers

patrice4419
Level 1
Posts: 23
Joined: Wed Feb 05, 2014 10:12 am

Re: Help with rules to allow network printer in UFW

Post by patrice4419 » Sat May 10, 2014 7:29 am

Just for the fun of it I re-installed Mint 16 - and as expected after formatting UFW firewall the network printer had gone on holiday. Now, you can set up the rules in UFW in a number of different ways pending machine, software and printer and of course the router.
The first post referred to 'unable to connect' - I noticed that the 'arguments' had something missing. It should read sudo ufw allow from etc etc. to any port 9100 etc etc.
However, I have now modified the UFW firewall as follows:
First of all:
ufw default deny #set policy
next allow out various ports such as 53,123,137,138/udp; 80,443,465 etc (all pending what you will or want doing - google port uses).
allow out 9100/tcp # the port used for network printing (Sometimes software seems to expect - allow out from any port 9100)
The next two lines will allow printing using CUPS (port 631) to the IP address given out by the router. Check with ifconfig or ping <printername> (disable UFW first though). Or DHCP settings will show the IP address.
so, the next two lines before closing off:
ufw allow in from 192.168.x.x to any port 631 #the ip address of the printer and port 631 for CUPS allowing traffic into computer
ufw allow out from 192.168.x.x to any port 631 # allowing return traffic via the router.
Lastly close off everything else:
ufw deny out to any
And restart the firewall - ufw enable
This will work (it does on my home built machine) using CUPS and my Samsung Laserjet CLP325
You should also consider limiting SSH in - ufw limit ssh # this will be more secure against multiple connection attempts
I have assumed of course that CUPS is installed (with Mint 16 it comes with the package). If not, it will be in the Software Manager for downloading.

My next attempt will be to connect the scanner via the network and reinstall XAMPP or LAMPP (just wondering what is best).
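
Added example, not part of any post in this thread: the ufw rule grammar is `[from ADDRESS [port PORT]] [to ADDRESS [port PORT]]`, so in the rule from the first post `from` is followed by `port` where an address is expected. The sketch below lints those clauses and prints a rule scoped to one printer address and one port; the function names are hypothetical, and it assumes IPv4 and a single numeric port.

```shell
#!/bin/sh
# Added example (not from the thread): lint the from/to clauses of a ufw rule.
# Assumptions: IPv4 only, single numeric ports, address shape check only.

# is_addr: succeed for "any", a dotted-quad address, or a dotted-quad CIDR.
is_addr() {
    [ "$1" = any ] && return 0
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# lint_rule: print "ok", or the first from/to mistake found in the arguments.
lint_rule() {
    while [ $# -gt 0 ]; do
        case "$1" in
            from|to)
                kw=$1
                if ! is_addr "${2:-}"; then
                    echo "error: '$kw' needs an address or 'any', got '${2:-nothing}'"
                    return 1
                fi
                shift 2
                if [ "${1:-}" = port ]; then
                    case "${2:-}" in
                        ''|*[!0-9]*)
                            echo "error: 'port' after '$kw' needs a number"
                            return 1 ;;
                    esac
                    if [ "$2" -lt 1 ] || [ "$2" -gt 65535 ]; then
                        echo "error: port $2 is out of range"
                        return 1
                    fi
                    shift 2
                fi ;;
            *) shift ;;
        esac
    done
    echo ok
}

# printer_rule ADDR [PORT]: print the outbound rule for a raw-print printer.
printer_rule() {
    is_addr "$1" || { echo "error: bad address '$1'"; return 1; }
    echo "ufw allow out proto tcp to $1 port ${2:-9100}"
}

# The rule from the first post, then the generated replacement.
lint_rule allow out proto tcp from port 9100 to 192.168.100.15 || true
printer_rule 192.168.100.15
```

To preview what ufw would write without changing the firewall, run the emitted rule as `sudo ufw --dry-run allow out proto tcp to 192.168.100.15 port 9100`.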

Mute Ant
Level 14
Posts: 5135
Joined: Tue Sep 03, 2013 7:45 pm
Location: Norfolk UK

Re: Help with rules to allow network printer in UFW

Post by Mute Ant » Sat May 10, 2014 7:52 am

Please stick to easy to-the-point questions that you feel people can answer fast.
While you're waiting, read the free novel we sent you. It's a Spanish story about a guy named "manual".
