Help with rules to allow network printer in UFW


Post by artifice »

I've got a Canon networked printer connected to my router and it uses port 9100 which is standard, but I'm having trouble adding the rule to my firewall. I was reading this post: http://forums.linuxmint.com/viewtopic.p ... 71#p840471 where it says to add the following rule to UFW:

sudo ufw allow out proto tcp from port 9100 to 192.168.1.0/24

So I'm trying to modify that for my own scenario as follows:
sudo ufw allow out proto tcp from port 9100 to 192.168.100.15
which is the actual address of the printer, but it's giving an error as "ERROR: Wrong number of arguments", so I'm not sure what I'm doing wrong, and also I don't quite understand the syntax. Isn't the connection "from any port" on my machine "to port 9100" on the printer? The syntax seems counterintuitive to me... Can anyone help?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Post by JeremyB »

Download gufw and see if that is easier
Post by martywd »

artifice wrote: I've got a Canon networked printer connected to my router and it uses port 9100 which is standard, but I'm having trouble adding the rule to my firewall.
By default, UFW _allows_all_ outgoing traffic so you should not have to do any configuring of UFW in order to print to your router connected printer?

Did you change something to restrict 'outgoing' in UFW? Doubtful since that would create more problems than just printing to networked printer?

In a Terminal window do the following at the commandline:

sudo ufw status verbose
and show us the output.
Post by Reorx »

Since you are behind a router (that, presumably, has a firewall running) you are pretty safe from attacks from the internet (and I hope you are not worried about attacks from other computers on your LAN)... Try turning off your firewall (temporarily) and setting up the printer... once you are up and running (or printing in this case), turn the firewall back on and see what happens...
Post by KirbySmith »

Normally, the Linux firewall called IP_TABLES (and its IPv6 counterpart) are always on. They allow outgoing messages but restrict incoming messages that are not part of the states (sessions) of the outgoing messages. So normally one should be able to print without inconvenience to any other device on the same LAN (connected by unmanaged switches, say). Once a router is involved, then a few other issues arise.

If the printer and the client PC are not on the same LAN subnet as determined by the router, then the router may need a firewall rule or rules allowing messages between the relevant subnets, or tightened to relevant IP addresses, as such communications would normally be blocked by default.

GUFW (which Mint supplies as "Firewall Configuration" in the Administration menu for me) will allow you to tailor IP_TABLES to do your bidding in a somewhat more granular way, including blocking outgoing also. Essentially, rules set by GUFW become added rules in IP_TABLES.

When started, Firewall Configuration looks like it is off and has lost all its rules. You have to click 'unlock' and put in your sudo password to make its interface functional. But even though it otherwise looks dead, the rules that you established on top of the internal rules of IP_TABLES are always functional until you deliberately change them.

Although sending a print file out to a printer can be done by default on a fresh installation, allowing incoming messages from printers may be useful to let them pass useful information back to the client printserver function, such as out of paper, or such.

kirby
Post by patrice4419 »

It depends what IP address the router gives out. The 192 range is common but NOT alone. There are others used.
When setting up ufw you need to be specific, allow out everything just negates the whole issue of a firewall. Or for that matter allow in items unless you need them.
sudo ufw allow out proto tcp from port 9100 to 192.168.1.0/24 works well on my machine, because when I entered the actual address given for the printer by the router 192.168.1.9 it did not work, so I gave it a range to work with.
If you use CUPS, it might help to allow that out - sudo ufw allow out CUPS.
Bear in mind that order of rules is rather important. Check them - sudo ufw status numbered, it will then be easier to delete or insert rules.
Also you need to switch off IPv6 - /etc/default/ufw - set IPV6 to No. (The reason of failure might be that when the rules were set up the program will make rules for IPv4 and IPv6 at the same time. I am not sure why but when I switched it off it all seemed to come alive.)
Best of luck.
Post by patrice4419 »

Sorry, I did a bit more testing on another machine, it seems that at least there, allow out CUPS and allow out 9100 suffice.
Perhaps it depends on the printer and operating system. I had a lot of trouble with Mint 16 and Samsung colour printer but Lubuntu was easy to set up and found the printer driver for the network within seconds and left out the proto tcp line. Also it seems IPv6 is not needed at present. That will be the next problem to sort out. All over though I am happy with UFW although I am now getting on with iptables properly.
One proviso here, if you are a newbie you ought to dismiss those that say 'You don't need anything, Linux is safe'. Well, yes Linux is SAFER but not safe! It is true that virus problems are minimal but not unknown, so perhaps Comodo or ClamAV will be of help. I think that 'man in the middle' and DDOS is or can be more of a problem. As time goes by, these problems can only increase. A warned man counts for two, as the Eskimos say. Cheers
Post by patrice4419 »

Just for the fun of it I re-installed Mint 16 - and as expected after formatting UFW firewall the network printer had gone on holiday. Now, you can set up the rules in UFW in a number of different ways pending machine, software and printer and of course the router.
The first post referred to 'unable to connect' - I noticed that the 'arguments' had something missing. It should read sudo ufw allow from etc etc. to any port 9100 etc etc.
However, I have now modified the UFW firewall as follows:
First of all:
ufw default deny #set policy
next allow out various ports such as 53,123,137,138/udp; 80,443,465 etc (all pending what you will or want doing - google port uses).
allow out 9100/tcp # the port used for network printing (Sometimes software seems to expect - allow out from any port 9100)
The next two lines will allow printing using CUPS (port 631) to the IP address given out by the router. Check with ifconfig or ping <printername> (disable UFW first though). Or DHCP settings will show the IP address.
so, the next two lines before closing off:
ufw allow in from 192.168.x.x to any port 631 #the ip address of the printer and port 631 for CUPS allowing traffic into computer
ufw allow out from 192.168.x.x to any port 631 # allowing return traffic via the router.
Lastly close off everything else:
ufw deny out to any
And restart the firewall - ufw enable
This will work (it does on my home built machine) using CUPS and my Samsung Laserjet CLP325
You should also consider limiting SSH in - ufw limit ssh # this will be more secure against multiple connection attempts
I have assumed of course that CUPS is installed (with Mint 16 it comes with the package). If not, it will be in the Software Manager for downloading.

My next attempt will be to connect the scanner via the network and reinstall XAMPP or LAMPP (just wondering what is best).
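
An added example, not part of any post in this thread: a POSIX shell helper that prints UFW rules for outbound printing to a single printer, using the "to ADDRESS port PORT" form so that the destination address and the destination port stay together, as the first post's question suggests they should. The function names and the default port list (9100 and 631, the two ports discussed above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: print (not execute) UFW rules that allow outbound TCP
# from this host to one printer. Names and defaults are assumptions.

valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# printer_rules PRINTER_IP [PORT...]
# With no ports given: 9100 (raw printing) and 631 (IPP, used by CUPS).
printer_rules() {
    printer_ip=${1:-}
    [ $# -gt 0 ] && shift
    valid_ipv4 "$printer_ip" || {
        echo "invalid printer address: '$printer_ip'" >&2
        return 1
    }
    [ $# -gt 0 ] || set -- 9100 631
    # Validate every port before printing anything, so a bad argument
    # never leaves a half-written rule list.
    for port in "$@"; do
        valid_port "$port" || { echo "invalid port: '$port'" >&2; return 1; }
    done
    for port in "$@"; do
        # No "from" clause: UFW then matches any local address and any
        # (ephemeral) source port. Only the destination is restricted.
        echo "ufw allow out proto tcp to $printer_ip port $port"
    done
}
```

Review the printed lines, then run each with sudo; sudo ufw --dry-run followed by the same rule shows what would be added without changing the firewall.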
Post by Mute Ant »

Please stick to easy to-the-point questions that you feel people can answer fast.