On Mon, 13.12.2004 at 1:26, sola@xxxxxxxxxx wrote:

> > > Fortunately my connection to the internet is thru a hardware router
> > > which does provide NAT, and allegedly a primitive firewall.
>
> So would terrible things happen to me if I marked eth0 as trusted in the gui?
> As this does stop the problem.

That depends on your whole environment setup; making device eth0 trusted means a general accept rule for this device. As less is needed to make your print server work again, I suggest not going that route.

> > I don't have the default FC2 iptables ruleset, so I can't say what
> > changed. Maybe it's an iptables change in the kernel implementation?
>
> I went back and compared fc2 to fc3 both default settings, using
> cat /etc/sysconfig/iptables :
> they are exactly the same except for 3 lines found only in fc3:
>
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --deport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

All 3 are accept rules and can't influence the iptables filtering badly.

> Now I'm only a newb but this reminds me of some things Matthew
> Saltman said earlier in this thread:
>
> "With only ipp:udp open, I could see the printers just fine on clients, but
> jobs would just queue without printing. When I opened ipp:tcp, all the
> queued jobs flushed."

His bugzilla ticket #142015 is still in state NEW.

> So I attempted a little experiment -- I put the alleged offending
> three troublemakers back into fc2:
> this generated an error message for line 2 above.

Certainly because line 2 has a misspelling: you wrote "--deport" there while it has to be "--dport". In the other 2 lines this is written correctly.

> So I took it out and put the other two in and restarted with
> /etc/init.d/iptables restart
> which ran OK and which caused no discernible problems and I could still print.
> So I conclude that there might be something about
> -A RH-Firewall-1-INPUT -p udp -m udp --deport 631 -j ACCEPT
> which could cause a problem in fc2.
> The next logical step would be to try removing the potential culprits in fc3:
> but neither removing -A RH-Firewall-1-INPUT -p udp -m udp --deport 631 -j ACCEPT alone,
> nor all three together restored printing.
> So much for that theory.

If the 3 iptables rule lines are the only difference in iptables between FC2 and FC3, then there must be something different causing trouble with the print server. Or one could even say: with FC3 all works well - see my investigations below - while on FC2 the firewalling was "too open".

> > See too another list mail where someone with the same print server
> > reports too a firewalling problem. But in this case the problem seemed
> > to be an incorrect destination port the print server tries to reach:
> >
> > https://www.redhat.com/archives/fedora-list/2004-November/msg08530.html
> >
> > Printing, I see the print server wants to send to port 1023, which is
> > not correct:
> >
> > Dec 12 02:02:50 bartleby kernel: BLOCKED IN=eth0 OUT=
> > MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.168.0.99
> > DST=192.168.0.3 LEN=41 TOS=0x00 PREC=0x00 TTL=30 ID=5722 PROTO=TCP
> > SPT=515 DPT=1023 WINDOW=1024 RES=0x00 ACK PSH URGP=0
> >
> > This is another problem. You will need to allow more traffic from the
> > Netgear print server. The following rule should be sufficient:
> >
> > -A RH-Firewall-1-INPUT -s 192.168.0.99 -p tcp -m tcp -j ACCEPT
> >
> > Here 192.168.0.99 is the IP for my device, yours might be different. It
> > seems the firmware of the Netgear PS110 is broken / non standard
> > conform.
>
> Doing this gives me a complete cure!
> Printing is functional and I can browse to the printserver.

This _must_ work, as in the words from the top, the rule makes the Netgear print server a "trusted device" (by its IP).

Btw. you could check your Netgear's serial number and maybe there is a chance to upgrade its firmware. See http://kbserver.netgear.com/support_details.asp?dnldID=809
For the PS11F series there is a good chance to fix things by flashing with a newer firmware. I have a PS11D model and will right now see what my print server's firmware state is.

> This is simply wonderful
> and it gives me a warm feeling that the members of this list
> Alexander in particular
> would help a newb like me

This is all no question of whether you are a Linux starter or have quite some experience. Of course newcomers get help.

> Steve

Alexander

-- 
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp
Serendipity 02:02:18 up 2 days, 20:43, load average: 0.19, 0.45, 0.96
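As an added example (not code from this thread or from either poster), a small Python check that catches the "--deport" typo in the quoted FC3 rules and replays the logged BLOCKED packet against the rule lines, showing that the three FC3 rules never match it and that the suggested rule for 192.168.0.99 is the one that accepts it. It is a simplified model: KNOWN_OPTIONS and FIELD_MAP are assumed subsets of what iptables really understands, and connection tracking (-m state) is not modelled.

```python
import re

# Option tokens accepted by the modules in the quoted rules (assumption: a small
# subset of iptables' real option set, enough to catch a typo in these lines).
KNOWN_OPTIONS = {"-A", "-p", "-m", "-s", "-d", "-j", "--dport", "--sport", "--state"}
# Rule option -> field name the LOG target prints (SRC=, DST=, PROTO=, SPT=, DPT=).
FIELD_MAP = {"-s": "src", "-d": "dst", "-p": "proto", "--sport": "spt", "--dport": "dpt"}

# Rule lines and the kernel log line copied from the thread above.
FC3_RULES = [
    "-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -p udp -m udp --deport 631 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT",
]
PRINTSERVER_RULE = "-A RH-Firewall-1-INPUT -s 192.168.0.99 -p tcp -m tcp -j ACCEPT"
BLOCKED_LINE = ("Dec 12 02:02:50 bartleby kernel: BLOCKED IN=eth0 OUT= "
                "MAC=00:0c:29:ca:32:88:00:c0:02:57:90:77:08:00 SRC=192.168.0.99 "
                "DST=192.168.0.3 LEN=41 TOS=0x00 PREC=0x00 TTL=30 ID=5722 PROTO=TCP "
                "SPT=515 DPT=1023 WINDOW=1024 RES=0x00 ACK PSH URGP=0")

def unknown_options(rule):
    """Option tokens in one rule line that iptables would reject (e.g. '--deport')."""
    return [t for t in rule.split() if t.startswith("-") and t not in KNOWN_OPTIONS]

def parse_log(line):
    """Turn the KEY=VALUE pairs of a netfilter LOG line into a dict with lower-case keys."""
    return {k.lower(): v for k, v in re.findall(r"\b([A-Z]+)=(\S*)", line)}

def parse_rule(rule):
    """Extract the address/protocol/port matches and the -j target of one rule line."""
    toks = rule.split()
    fields, target = {}, None
    for i, tok in enumerate(toks[:-1]):
        if tok in FIELD_MAP:
            fields[FIELD_MAP[tok]] = toks[i + 1]
        elif tok == "-j":
            target = toks[i + 1]
    return fields, target  # '-m state --state NEW' is not modelled: no conntrack here

def rule_matches(rule, pkt):
    """Return the rule's target if every match field agrees with the packet, else None."""
    fields, target = parse_rule(rule)
    hit = all(pkt.get(k, "").lower() == v.lower() for k, v in fields.items())
    return target if hit else None

def first_decision(rules, pkt):
    """Walk the chain top to bottom, as the kernel does; None means no rule matched."""
    verdicts = (rule_matches(rule, pkt) for rule in rules)
    return next((v for v in verdicts if v), None)
```

Running `unknown_options` over each line of /etc/sysconfig/iptables before a restart is a cheap way to spot the kind of typo that made the FC2 experiment fail.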