[cups.bugs] CUPS and Shorewall firewall interfering with each

Helge Blischke h.blischke at srz.de
Tue Jan 4 07:51:43 PST 2005


What shows up if you use a network tracer (I don't know what it is
called under Linux; the Solaris utility is snoop)?

Helge

Erik Reuter wrote:
> 
> I should clarify what I wrote in my email: the policy file of shorewall
> will apply after all of the normal rules. So, when I say that I modified
> the policy to accept fw<->loc, I mean that the firewall opened ALL the
> ports, both ways, between the firewall machine and the local network.
> 
> So 721 and 732 will be open.
> 
> Even if they weren't open, and they were needed, I should see rejected
> packets logged by iptables. But iptables is NOT logging any rejected
> packets.
> 
> On Mon, Jan 03, 2005 at 08:36:52AM -0500, Helge Blischke wrote:
> 
> > I don't know how your firewall really works, but keep in mind that -
> > with LPD printing - the port 515 is the DESTINATION port, whereas the
> > source port lies between 721 and 732 (if "reserve=yes" is defined as
> > an option in the device URL) or is even a port above 1024.
> >
> > Helge
> >
> >
> > Erik Reuter wrote:
> > >
> > > I'm having a problem with CUPS and the Shorewall firewall interfering
> > > with each other.
> > >
> > >    Linux kernel 2.6.9
> > >    CUPS 1.1.22-2
> > >    Shorewall 2.0.13
> > >
> > > CUPS was working fine to print to my Epson C84 (network connected via a
> > > Netgear PS101 print server using lpd://PS101.IP.address/raw ) until I
> > > installed the Shorewall firewall on the machine running CUPS.
> > >
> > > When I installed Shorewall, I opened up port 515 for lpd printing from
> > > the firewall to the local network
> > >
> > >    ACCEPT          fw              loc             tcp     515  # LPD
> > >
> > > so I didn't anticipate any problems with CUPS printing.
> > >
> > > However, as soon as I started the Shorewall firewall, I found that I
> > > could no longer print from the firewall machine using CUPS.
> > >
> > > Okay, my first thought was that I had to open more ports in the
> > > firewall. So I checked the Shorewall packet reject log to see which
> > > ports I would need to open. Surprisingly, NO PACKETS RELATED TO PRINTING
> > > HAD BEEN REJECTED. It was not a logging problem, because there were
> > > packets occasionally being rejected, but not during the times when I was
> > > trying to print.
> > >
> > > Just to make sure, I put a couple lines in my Shorewall policy file to
> > > open ALL ports between fw<->loc , and I still could not print.
> > >
> > > So, with the exception of printing with CUPS, the Shorewall firewall
> > > is working with all of my other programs. And with the exception of
> > > Shorewall, the CUPS printing works with all of my other programs. But I
> > > cannot use CUPS and Shorewall together, since they seem to interfere.
> > >
> > > How can I find out the source of the interference? What is the best way
> > > to troubleshoot this?
> > >
> > > Here's some output from the end of the CUPS log from when I try a print
> > > job:
> > >
> > > D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT tossing right 0
> > > I [28/Dec/2004:12:05:40 -0500] [Job 9] Finished page 1...
> > > d [28/Dec/2004:12:05:40 -0500] PID 7522 exited with no errors.
> > > D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_height 3915
> > > D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_width 3060
> > > D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_width 3060
> > > D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_height 3915
> > > D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_height 3915
> > > D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_width 3060
> > > I [28/Dec/2004:12:05:40 -0500] [Job 9] Ready to print.
> > > I [28/Dec/2004:12:05:40 -0500] [Job 9] Attempting to connect to host
> > > 192.168.0.1
> > > 9 for printer raw
> > > d [28/Dec/2004:12:05:40 -0500] PID 7523 exited with no errors.
> > > d [28/Dec/2004:12:05:41 -0500] select_timeout: 11 seconds to process
> > > active jobs
> >
> > --

> --
> Erik Reuter   http://www.erikreuter.net/

-- 
Helge Blischke
Softwareentwicklung
SRZ Berlin | Firmengruppe besscom
http://www.srz.de
tel: +49 30 75301-360
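
Added example, not part of the original thread and not code from CUPS or Shorewall: a small Python probe that connects to the print server's port 515 from each source port in the range mentioned above and reports whether each attempt connected, was refused, or timed out. The function name `probe` and its parameters are assumptions made for this illustration; binding to source ports below 1024 requires root.

```python
import errno
import socket

LPD_PORT = 515                  # destination port named in the thread
RESERVED_SRC = range(721, 733)  # source ports 721-732, as stated in the thread


def probe(host, dst_port=LPD_PORT, src_ports=RESERVED_SRC, timeout=3.0):
    """Try one TCP connect per source port; return {src_port: outcome}."""
    results = {}
    for src in src_ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.settimeout(timeout)
        try:
            s.bind(("", src))            # force the source port
            s.connect((host, dst_port))  # completes the TCP handshake only
            results[src] = "connected"
        except PermissionError:
            results[src] = "bind denied (root needed for ports < 1024)"
        except ConnectionRefusedError:
            # An answer came back: the peer or a firewall actively rejected.
            results[src] = "refused"
        except socket.timeout:
            # No answer at all: packets dropped somewhere, or host down.
            results[src] = "timeout"
        except OSError as e:
            results[src] = "error: " + errno.errorcode.get(e.errno, str(e.errno))
        finally:
            s.close()
    return results


if __name__ == "__main__":
    import sys
    # Default target is a constructed placeholder; pass the print server's IP.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for src, outcome in probe(host).items():
        print(f"{src} -> {host}:{LPD_PORT}: {outcome}")
```

Running it once with the firewall stopped and once with it started shows which source ports change outcome; a "timeout" that appears only with the firewall up, with nothing in the reject log, is the case a packet trace can narrow down further.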



