Alexander Dalloz wrote:

> On Sat, 11.12.2004 at 3:26, sola@xxxxxxxxxx wrote:
>
> > > Later on the day I will check with the default FC3 iptables rules what
> > > the cause for your trouble could be. I guess you didn't customize the
> > > iptables rules.
> >
> > Correct -- no customization.
> >
> > Fortunately my connection to the internet is thru a hardware router
> > which does provide NAT, and allegedly a primitive firewall.

So would terrible things happen to me if I marked eth0 as trusted in the GUI? As this does stop the problem.

> > Steve
>
> Ok, I found out what's happening.
>
> What the Netgear print server sends back when Fedora connects to it on port
> 515 for LPD is a TCP sequence which is not recognised as TCP state
> RELATED.
>
> Dec 12 01:27:24 bartleby kernel: BLOCKED IN=eth0 OUT=
> MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.168.0.99
> DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=4476 PROTO=TCP
> SPT=515 DPT=44069 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
>
> In the iptables logging 192.168.0.99 is my Netgear print server PS110,
> which sends back "ACK PSH SYN". So with the default FC3 iptables setting
> it gets rejected. "nmap -sT -P0 -p 515 192.168.0.99" shows it as closed:
>
> PORT    STATE  SERVICE
> 515/tcp closed printer
>
> So I added the following rule to accept this sequence from my print server
> IP with source port 515:
>
> -A RH-Firewall-1-INPUT -p tcp -m tcp --tcp-flags ACK,PSH,SYN ACK,PSH,SYN
> -s 192.168.0.99 --sport 515 -j ACCEPT
>
> With that the above nmap run reports
>
> PORT    STATE SERVICE
> 515/tcp open  printer
>
> That should work for you too. Though it takes ages until the page is
> printed.
>
> I don't have the default FC2 iptables ruleset, so I can't say what
> changed. Maybe it's an iptables change in the kernel implementation?

I went back and compared fc2 to fc3, both default settings, using
cat /etc/sysconfig/iptables: they are exactly the same except for 3 lines
found only in fc3:

-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

Now I'm only a newb, but this reminds me of some things Matthew Saltman said
earlier in this thread:

"With only ipp:udp open, I could see the printers just fine on clients, but
jobs would just queue without printing. When I opened ipp:tcp, all the
queued jobs flushed."

So I attempted a little experiment -- I put the alleged offending three
troublemakers back into fc2: this generated an error message for line 2
above. So I took it out and put the other two in and restarted with
/etc/init.d/iptables restart, which ran OK and caused no discernible
problems, and I could still print. So I conclude that there might be
something about

-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

which could cause a problem in fc2. The next logical step would be to try
removing the potential culprits in fc3: but neither removing

-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

alone, nor all three together, restored printing. So much for that theory.

> See too another list mail where someone with the same print server
> also reports a firewalling problem. But in this case the problem seemed
> to be an incorrect destination port the print server tries to reach:
>
> https://www.redhat.com/archives/fedora-list/2004-November/msg08530.html
>
> Printing, I see the print server wants to send to port 1023, which is
> not correct:
>
> Dec 12 02:02:50 bartleby kernel: BLOCKED IN=eth0 OUT=
> MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.168.0.99
> DST=192.168.0.3 LEN=41 TOS=0x00 PREC=0x00 TTL=30 ID=5722 PROTO=TCP
> SPT=515 DPT=1023 WINDOW=1024 RES=0x00 ACK PSH URGP=0
>
> This is another problem. You will need to allow more traffic from the
> Netgear print server. The following rule should be sufficient:
>
> -A RH-Firewall-1-INPUT -s 192.168.0.99 -p tcp -m tcp -j ACCEPT
>
> Here 192.168.0.99 is the IP for my device, yours might be different. It
> seems the firmware of the Netgear PS110 is broken / not standard
> conformant.
>
> Hope this will help you.
>
> Alexander

Doing this gives me a complete cure! Printing is functional and I can browse
to the print server. This is simply wonderful, and it gives me a warm
feeling that the members of this list, Alexander in particular, would help
a newb like me.

Thank You

Steve
sola doctor com
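As an added example (not code from the thread), the two BLOCKED log lines quoted above are run through a small Python parser that applies a simplified model of Alexander's two rules: the flag-specific rule accepts only the ACK/PSH/SYN reply to port 44069, while the per-host rule also covers the later ACK/PSH packet to port 1023, which is why the broader rule was the cure. The rule matching is an assumption for illustration (protocol, source, source port and --tcp-flags only; chain order and conntrack state are ignored).

```python
# Added example: parse netfilter LOG lines and test which proposed rule
# would accept each packet. Simplified iptables model, see lead-in.
# Constructed from the two log lines quoted in the thread, reflowed.
LOG_LINES = [
    "Dec 12 01:27:24 bartleby kernel: BLOCKED IN=eth0 OUT= "
    "MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.168.0.99 "
    "DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=4476 PROTO=TCP "
    "SPT=515 DPT=44069 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)",
    "Dec 12 02:02:50 bartleby kernel: BLOCKED IN=eth0 OUT= "
    "MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.168.0.99 "
    "DST=192.168.0.3 LEN=41 TOS=0x00 PREC=0x00 TTL=30 ID=5722 PROTO=TCP "
    "SPT=515 DPT=1023 WINDOW=1024 RES=0x00 ACK PSH URGP=0",
]
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
PRINT_SERVER = "192.168.0.99"  # the print server's IP from the thread

def parse_log(line):
    """Split a netfilter LOG line into KEY=VALUE fields; bare TCP flag
    tokens (ACK PSH SYN ...) are collected into the 'FLAGS' set."""
    pkt = {"FLAGS": set()}
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            pkt[key] = val
        elif tok in TCP_FLAGS:
            pkt["FLAGS"].add(tok)
    return pkt

def tcp_flags_match(pkt, mask, comp):
    """iptables --tcp-flags MASK COMP: among the MASK flags, exactly the
    COMP flags must be set and the remaining MASK flags must be clear."""
    return pkt["FLAGS"] & mask == comp

def narrow_rule(pkt):
    """-p tcp -m tcp --tcp-flags ACK,PSH,SYN ACK,PSH,SYN -s 192.168.0.99 --sport 515"""
    return (pkt.get("PROTO") == "TCP" and pkt.get("SRC") == PRINT_SERVER
            and pkt.get("SPT") == "515"
            and tcp_flags_match(pkt, {"ACK", "PSH", "SYN"}, {"ACK", "PSH", "SYN"}))

def broad_rule(pkt):
    """-s 192.168.0.99 -p tcp -m tcp -j ACCEPT: any TCP from that one host."""
    return pkt.get("PROTO") == "TCP" and pkt.get("SRC") == PRINT_SERVER

def evaluate(lines):
    """Return (DPT, flags, narrow_accepts, broad_accepts) per logged packet."""
    results = []
    for pkt in map(parse_log, lines):
        flags = ",".join(sorted(pkt["FLAGS"]))
        results.append((pkt["DPT"], flags, narrow_rule(pkt), broad_rule(pkt)))
    return results
```

Running `evaluate(LOG_LINES)` shows the first packet accepted by both rules and the second only by the per-host rule; note that the broad rule admits every TCP segment from that address, so restricting it to the single print server IP, as the thread does, is what keeps it narrow.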