Bug 26912 - Network scanner not recognized by simple-scan and when firewall (shorewall4/6) activated
Summary: Network scanner not recognized by simple-scan and when firewall (shorewall4/6...
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: Normal major
Target Milestone: Mageia 8
Assignee: Mageia tools maintainers
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-07 14:02 CEST by Aurelien Oudelet
Modified: 2020-11-22 21:31 CET (History)
2 users (show)

See Also:
Source RPM: simple-scan-3.37.2-1.mga8.src.rpm, shorewall-5.2.3.4-3.mga8.src.rpm
CVE:
Status comment:


Attachments

Description Aurelien Oudelet 2020-07-07 14:02:50 CEST
Description of problem:
Default installation of shorewall (ipv4 and ipv6) drops all network communications between network scanner like mine Canon MG7751 and Simple-scan resulting simple-scan reports there is no scanner available.

Non technical user will incorrectly reports disfunction in simple-scan program.
Tech-savvy user will see in logs:

juil. 06 22:42:01 mageia.localdomain kernel: net-fw DROP IN=enp0s31f6 OUT= MAC=1c:1b:0d:66:1d:12:84:ba:3b:10:a1:7c:08:00 SRC=192.168.1.49 DST=192.168.1.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34944 PROTO=UDP SPT=8612 DPT=8612 LEN=40 

My scanner is 192.168.1.49 and computer is 192.168.1.8.
UDP packet is drop from server port 8612.

So, to restore functionality, workaround is to open 8612/UDP in firewall, both in ipv4 and ipv6.

How reproducible: Always.

Steps to Reproduce:
1. Default installation (Classic ISO mga8a1)
2. Install and run simple-scan
3. No network scanner available even if DNSSD (avahi) is running.

Workaround:
Look for dropped network packets related to network scanner IP.
Open related ports in shorewall configuration.

So, is upstream always use 8162/UDP ? If so, could be there a check box in shorewall MCC-GUI to configure it for final user?
Regards,
Comment 1 Lewis Smith 2020-07-26 11:03:43 CEST
Apologies for leaving this so long. Thank you for the report. I am unsure where to place it, so CC'ing Dave Hodgins for his view about what should happen.
Clearly this problem is larger than Simplescan.

Perhaps you know already, that to probe for scanners one can try (possibly more effective as root, but does not have to be):
 $ scanimage -L
 $ sane-find-scanner
both in package 'sane-backends'. Doubtless Dave will add to that.

CC: (none) => davidwhodgins, lewyssmith

Comment 2 Aurelien Oudelet 2020-07-26 11:16:21 CEST
@Lewis,
In facts, I can configure networked scanner if shorewall is off.
If shorewall is On and even if dnssd is checked as authorized service, networked scanner are unavailable.
But if I look at log files, andc corrobored by this web page specifically for my network multi functions Canon printer, 
https://support.usa.canon.com/kb/index?page=content&id=ART109227
I see udp packets dropped by shorewallat port 8612.

How Shorewall could be configured to not drop packets from my local network (with IP address 192.168.1.1/254)?
Comment 3 Dave Hodgins 2020-07-26 11:49:01 CEST
To accept connections from any possible local network address, manually add the
following lines to the top of ...
# head -n 4 /etc/shorewall/rules.drakx
ACCEPT  net:10.0.0.0/8 fw
ACCEPT  net:169.254.0.0/16 fw
ACCEPT  net:172.16.0.0/12 fw
ACCEPT  net:192.168.0.0/16 fw

Don't use drakfirewall after that to modify anything in shorewall's rules.
Make sure you have drakfirewall set up the way you want before making the
change. Keep the lines documented somewhere just in case you forget and
use drakfirewall to modify the file again.
Aurelien Oudelet 2020-07-29 21:56:53 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=26695

Comment 4 Aurelien Oudelet 2020-07-29 22:08:19 CEST
@ Dave,
I added proposed lines to /etc/shorewall/rules.drakx
It is now OK to communicate with my local network scanner without needing opening special tcp or udp ports.

Therefore, security point of view, could be there a "home" profile for shorewall be added in GUI in order to avoid this confusing misbehavior?

I also think that manafirewall will use firewalld which supports this functionality. Should we wait for it?
Comment 5 Lewis Smith 2020-08-01 20:52:23 CEST
If either Dave or Aurelien could clarify:
Where is the problem? Can & should either fix[#] be included in some Mageia pkg? Can this be assigned to the packagers to change something?
Or does it warrant an item in forthcoming 'Release Notes'?
Or is it that if you use Shorewall, it is up to you to open any necessary ports?
Does it apply just to networked scanners? Webcams?

[#]
1. workaround is to open 8612/UDP in firewall, both in ipv4 and ipv6.
2. /etc/shorewall/rules.drakx as per comment 3
Comment 6 Aurelien Oudelet 2020-08-01 21:13:09 CEST
@Lewis, you have pinpointed the problem.

If somebody uses a networked scanner (even a Multifonctions Printer) with Shorewall (default firewall setuped by Drakfirewall), default policy in Shorewall result of drop all network Packers coming from thé scanner.

I think the best fix should be a setting in Drakfirewall allowing incoming traffic from local network address, even more in home networks. Shorewall is capable of drop packets from Internet but if should not drop packets from local home networks.

Therefore, near future, ManaTools use firewalld which is default firewall il Fedora.
Comment 7 Dave Hodgins 2020-08-01 23:13:13 CEST
Two enhancements, but for the same products, so keeping on one report for now.

An enhancement for drak and mana firewall to add an option for network printing
and scanning devices.

An enhancement for drak and mana firewall to add an option for allowing all
local network traffic. Somewhat risky depending on the environment being used
(internet cafe for example), but safer than allowing everything from everywhere.

Assigning to mageiatools group.

Severity: major => enhancement
Assignee: bugsquad => mageiatools

Comment 8 Aurelien Oudelet 2020-08-01 23:35:15 CEST
Dave is right.

I must pinpoint that the 8612/udp port fix proposés above works only for Canon Multifonctions printers. Other networked Multifonction printers could use other port.

Also, I propose adding a ckeckbox to allow local network traffic with a Warning for user that it should be disabled on WiFi Hotspot or if computer is not on home or office network.
Comment 9 Aurelien Oudelet 2020-08-24 20:52:37 CEST
This affects other users with other Multi-Functions-Printers (HP, Canon,...)

Could I raise severity of this bug as it prevent these printers to functioning?
We really need a check box somewhere in firewall to accept local network traffic as it is impossible to know which particular UDP or TCP port to open specifically.

This could be accompanied by a warning: "Only on home network", for example.

Severity: enhancement => major
Target Milestone: --- => Mageia 8

Lewis Smith 2020-08-24 21:16:16 CEST

CC: lewyssmith => (none)

Comment 10 Martin Whitaker 2020-09-18 00:39:01 CEST
From reading

  https://wiki.debian.org/SaneOverNetwork#Network_Scanner_Configurations

it seems to me that this only affects Canon scanners and opening ports 8610/udp and 8612/udp is enough. I guess this could be added as an additional category in drakfirewall, but given that users are still going to need to be told to do that, wouldn't a Wiki page giving instructions on how to use the existing functionality be enough?

I don't like the idea of adding a "local network" option - it seems too risky to me.

CC: (none) => mageia

Comment 11 Dave Hodgins 2020-09-18 03:27:20 CEST
(In reply to Martin Whitaker from comment #10)
> I don't like the idea of adding a "local network" option - it seems too
> risky to me.

I mainly suggested opening up the firewall to all devices on the lan to
confirm it was the firewall blocking the printer/scanner and was going
to suggest using wireshark to find out which ports actually needed to be
opened.

I actually do like the idea of adding the option to open the lan to
drakfirewall, provided their is a warning that it should only be done
if all devices allowed to connect to that lan are trusted.

I.E. never to be done if using a lan shared with unknown people such
as public wifi spots.

Regards, Dave Hodgins
Comment 12 Martin Whitaker 2020-09-18 10:15:43 CEST
(In reply to Dave Hodgins from comment #11)
> I actually do like the idea of adding the option to open the lan to
> drakfirewall, provided their is a warning that it should only be done
> if all devices allowed to connect to that lan are trusted.

The problem I have with that is that a user may do that on a laptop connected to their home network and then forget about it, so they are not protected if they subsequently connect to a public wifi spot.

If someone else thinks this is a good idea and wants to add it, then OK, but I won't.
Comment 13 Aurelien Oudelet 2020-09-18 11:23:57 CEST
I think best way to catch this bug is make Drakfirewall to have a check box letting open 8160/udp and 8162/udp port. Also adding a release note about it for M8.

Opening all Lan traffic for home users could be Pandora box for security.
Comment 14 Martin Whitaker 2020-09-18 12:23:06 CEST
OK, I have added a new check box labelled "Network printer/scanner autodiscovery". Currently this just opens UDP port 8612 ('man sane-pixma' tells me port 8160 is only used for outgoing messages), but I've chosen a generic label so that we can easily add other ports if we find they are needed.

I'll wait for translations before releasing an update.
Comment 15 Aurelien Oudelet 2020-11-22 16:03:20 CET
This has been translated in French, German, Spanish and other languages in Drakx-net on Transifex. Youri has already pushed that.

Can we release this piece of code to Cauldron?
Comment 16 Martin Whitaker 2020-11-22 21:31:58 CET
The change described in comment 14 has been released in drakx-net 2.52.

Leaving this bug open in case anyone wants to implement Dave's other suggestion.

Note You need to log in before you can comment on or make changes to this bug.