[cups.bugs] CUPS and Shorewall firewall interfering with each

Erik Reuter cups at erikreuter.net
Mon Jan 3 06:50:27 PST 2005


I should clarify what I wrote in my email: the policy file of shorewall
will apply after all of the normal rules. So, when I say that I modified
the policy to accept fw<->loc, I mean that the firewall opened ALL the
ports, both ways, between the firewall machine and the local network.

So 721 and 732 will be open.

Even if they weren't open, and they were needed, I should see rejected
packets logged by iptables. But iptables is NOT logging any rejected
packets.

On Mon, Jan 03, 2005 at 08:36:52AM -0500, Helge Blischke wrote:

> I don't know how your firewall really works, but keep in mind that -
> with LPD printing - the port 515 is the DESTINATION port, whereas the
> source port lies between 721 and 732 (if "reserve=yes" is defined as an
> option in the device URL) or is even a port above 1024.
> 
> Helge
> 
> 
> Erik Reuter wrote:
> > 
> > I'm having a problem with CUPS and the Shorewall firewall interfering
> > with each other.
> > 
> >    Linux kernel 2.6.9
> >    CUPS 1.1.22-2
> >    Shorewall 2.0.13
> > 
> > CUPS was working fine to print to my Epson C84 (network connected via a
> > Netgear PS101 print server using lpd://PS101.IP.address/raw ) until I
> > installed the Shorewall firewall on the machine running CUPS.
> > 
> > When I installed Shorewall, I opened up port 515 for lpd printing from
> > the firewall to the local network
> > 
> >    ACCEPT          fw              loc             tcp     515  # LPD
> > 
> > so I didn't anticipate any problems with CUPS printing.
> > 
> > However, as soon as I started the Shorewall firewall, I found that I
> > could no longer print from the firewall machine using CUPS.
> > 
> > Okay, my first thought was that I had to open more ports in the
> > firewall. So I checked the Shorewall packet reject log to see which
> > ports I would need to open. Surprisingly, NO PACKETS RELATED TO PRINTING
> > HAD BEEN REJECTED. It was not a logging problem, because there were
> > packets occasionally being rejected, but not during the times when I was
> > trying to print.
> > 
> > Just to make sure, I put a couple lines in my Shorewall policy file to
> > open ALL ports between fw<->loc , and I still could not print.
> > 
> > So, with the exception of printing with CUPS, the Shorewall firewall
> > is working with all of my other programs. And with the exception of
> > Shorewall, the CUPS printing works with all of my other programs. But I
> > cannot use CUPS and Shorewall together, since they seem to interfere.
> > 
> > How can I find out the source of the interference? What is the best way
> > to troubleshoot this?
> > 
> > Here's some output from the end of the CUPS log from when I try a print
> > job:
> > 
> > D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT tossing right 0
> > I [28/Dec/2004:12:05:40 -0500] [Job 9] Finished page 1...
> > d [28/Dec/2004:12:05:40 -0500] PID 7522 exited with no errors.
> > D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_height 3915
> > D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_width 3060
> > D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_width 3060
> > D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_height 3915
> > D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_height 3915
> > D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_width 3060
> > I [28/Dec/2004:12:05:40 -0500] [Job 9] Ready to print.
> > I [28/Dec/2004:12:05:40 -0500] [Job 9] Attempting to connect to host 192.168.0.19 for printer raw
> > d [28/Dec/2004:12:05:40 -0500] PID 7523 exited with no errors.
> > d [28/Dec/2004:12:05:41 -0500] select_timeout: 11 seconds to process active jobs
> 
> -- 
> Helge Blischke
> Softwareentwicklung
> SRZ Berlin | Firmengruppe besscom
> http://www.srz.de
> tel: +49 30 75301-360

-- 
Erik Reuter   http://www.erikreuter.net/
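
An added example, not part of the original thread: a small filter that pulls LPD-related entries out of a firewall reject log and shows which side of the connection used port 515, following the port roles described in the quoted reply (destination 515, source 721-732 or above 1024). It assumes netfilter LOG output carrying a `Shorewall:<chain>:<action>:` prefix; the sample lines, addresses and function names are constructed for illustration.

```python
import re

LPD_PORT = 515
RESERVED = range(721, 733)  # 721-732, the source range named in the reply

# Constructed sample lines (assumed netfilter LOG format with Shorewall prefix).
SAMPLE_LOG = """\
Jan  3 09:01:12 fw kernel: Shorewall:fw2loc:REJECT:IN= OUT=eth0 SRC=192.168.0.2 DST=192.168.0.19 LEN=60 TTL=64 PROTO=TCP SPT=721 DPT=515 SYN
Jan  3 09:01:13 fw kernel: Shorewall:loc2fw:DROP:IN=eth0 OUT= SRC=192.168.0.19 DST=192.168.0.2 LEN=60 TTL=64 PROTO=TCP SPT=515 DPT=40112 ACK SYN
Jan  3 09:02:40 fw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.4 LEN=48 TTL=110 PROTO=TCP SPT=4431 DPT=445 SYN
Jan  3 09:03:02 fw kernel: Shorewall:loc2fw:DROP:IN=eth0 OUT= SRC=192.168.0.19 DST=192.168.0.2 LEN=78 TTL=64 PROTO=UDP SPT=137 DPT=137
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
PREFIX = re.compile(r"Shorewall:([^:]+):([^:]+):")


def classify_port(port):
    """Label the non-515 end of the connection using the ranges from the reply."""
    if port in RESERVED:
        return "reserved"
    if port > 1024:
        return "unprivileged"
    return "other"


def lpd_hits(log_text):
    """Return one dict per logged TCP packet that has port 515 on either end."""
    hits = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or "SPT" not in f or "DPT" not in f:
            continue
        spt, dpt = int(f["SPT"]), int(f["DPT"])
        if dpt == LPD_PORT:        # client -> print server
            direction, client_port = "to-printer", spt
        elif spt == LPD_PORT:      # print server -> client (replies)
            direction, client_port = "from-printer", dpt
        else:
            continue
        m = PREFIX.search(line)
        chain, action = m.groups() if m else ("?", "?")
        hits.append({"chain": chain, "action": action, "direction": direction,
                     "src": f.get("SRC"), "dst": f.get("DST"),
                     "client_port": client_port,
                     "client_port_class": classify_port(client_port)})
    return hits


if __name__ == "__main__":
    for hit in lpd_hits(SAMPLE_LOG):
        print(hit)
```

An empty result on a real log matches the situation described in the thread: the firewall logged no rejected LPD packets in either direction.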




