make hp-probe network discovery work with firewall

Bug #1776464 reported by Esokrates
Affects   Status      Importance   Assigned to   Milestone
HPLIP     New         Undecided    Unassigned
ufw       Won't Fix   Undecided    Unassigned

Bug Description

When running "hp-probe -bnet -mmdns" I do not get my network printer listed and I find the following in syslog:

Jun 12 12:55:32 debian kernel: [185040.988483] [UFW BLOCK] IN=wlp58s0 OUT= MAC=f4:96:34:83:44:42:c8:d3:ff:87:1f:cc:08:00 SRC=10.0.0.8 DST=10.0.0.11 LEN=604 TOS=0x00 PREC=0x00 TTL=64 ID=212 PROTO=UDP SPT=5353 DPT=59249 LEN=584
Jun 12 12:55:35 debian /hp-probe: hp-probe[6646]: warning: No devices found on the 'net' bus. If this isn't the result you are expecting,
Jun 12 12:55:35 debian /hp-probe: hp-probe[6646]: warning: check your network connections and make sure your internet
Jun 12 12:55:35 debian /hp-probe: hp-probe[6646]: warning: firewall software is disabled.

I think hp-probe should be able to detect network devices passively without having to allow "from 10.0.0.0/24 port 5353 proto udp".

Jamie Strandboge (jdstrand) wrote :

The way the traffic is coming into the system, ufw is doing the right thing. You should be able to make discovery work on your network with:

$ sudo ufw allow from 10.0.0.0/24 port 5353 proto udp

Changed in ufw:
status: New → Won't Fix
Esokrates (esokrarkose) wrote :

@Jamie, thanks very much for having a look.
Do you think there could be a way to do the discovery without weakening the firewall?
What are the security implications of allowing "from 10.0.0.0/24 port 5353 proto udp"?

Esokrates (esokrarkose)
summary: - hp-setup fails to detect network-printer due to ufw
+ hp-setup requires allowing incoming connections for network discovery
description: updated
Esokrates (esokrarkose) wrote : Re: hp-setup requires allowing incoming connections for network discovery

@Jamie, I stumbled upon https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/764933 where an exception was added to ufw.
Could you explain what has changed in the meantime and why this is not possible anymore?

Jamie Strandboge (jdstrand) wrote :

"Do you think there could be a way to do the discovery without weakening the firewall?"

I do not. The issue is that the destination port (the one to your machine) is random and the source port is the mDNS port (5353). We cannot add a rule in the default policy that says 'allow traffic from udp port 5353 to this machine' because that would allow an attacker to bypass the firewall by simply initiating connections from UDP port 5353. A connection tracking helper could make this work more easily but AFAICS one is only available when using conntrackd (http://patchwork.ozlabs.org/patch/665600/) which is non-standard and not currently supported by ufw.
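
A small model of the rule suggested in comment 1 and of the packet the kernel logged, added here as an illustration (it is not code from the bug report or from ufw). It assumes the rule matches only on source network, source port and protocol, which is what the "from ... port ... proto" syntax expresses; the extra packets are constructed.

```python
import ipaddress

# The [UFW BLOCK] line quoted in the bug description, used here as a constructed sample.
BLOCKED_LINE = (
    "Jun 12 12:55:32 debian kernel: [185040.988483] [UFW BLOCK] IN=wlp58s0 OUT= "
    "MAC=f4:96:34:83:44:42:c8:d3:ff:87:1f:cc:08:00 SRC=10.0.0.8 DST=10.0.0.11 "
    "LEN=604 TOS=0x00 PREC=0x00 TTL=64 ID=212 PROTO=UDP SPT=5353 DPT=59249 LEN=584"
)

def parse_ufw_block(line):
    """Split a kernel [UFW BLOCK] log line into its KEY=VALUE fields."""
    fields = {}
    for token in line.split("[UFW BLOCK]", 1)[1].split():
        key, _, value = token.partition("=")
        fields.setdefault(key, value)  # the first LEN is the IP length; keep that one
    return fields

def rule_matches(pkt, src_net="10.0.0.0/24", sport=5353, proto="UDP"):
    """Model 'ufw allow from <src_net> port <sport> proto <proto>'. The rule looks
    only at source network, source port and protocol; the destination port is not
    part of the match, which is why it lets the random-dport mDNS reply through."""
    return (pkt["PROTO"] == proto
            and int(pkt["SPT"]) == sport
            and ipaddress.ip_address(pkt["SRC"]) in ipaddress.ip_network(src_net))

def packet(src, dst, spt, dpt, proto="UDP"):
    """Constructed packet summary using the same field names as the log line."""
    return {"SRC": src, "DST": dst, "SPT": str(spt), "DPT": str(dpt), "PROTO": proto}

if __name__ == "__main__":
    printer_reply = parse_ufw_block(BLOCKED_LINE)
    print("printer reply allowed:", rule_matches(printer_reply))  # True
    # Any host inside 10.0.0.0/24 that sends from UDP 5353 reaches any UDP port on
    # this machine: the exposure described in the comment, bounded to the /24.
    print("LAN host, sport 5353, arbitrary dport:",
          rule_matches(packet("10.0.0.50", "10.0.0.11", 5353, 40000)))  # True
    print("same pattern from outside the /24:",
          rule_matches(packet("203.0.113.9", "10.0.0.11", 5353, 40000)))  # False
    print("printer, other source port:",
          rule_matches(packet("10.0.0.8", "10.0.0.11", 49152, 59249)))  # False
```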

Esokrates (esokrarkose) wrote :

avahi-browse finds the printer, even without firewall exceptions, so I do not understand why hp-setup simply fails to work?

Esokrates (esokrarkose) wrote :

@hplip devs: Setting up a printer should work without opening a port on the machine. avahi-browse provides enough information for generating the DeviceURI for cups.

For example "avahi-browse -a -t -r" finds:

+ wlp58s0 IPv6 HP OfficeJet Pro 8710 [871FCB] Internet Printer local
...
= wlp58s0 IPv4 HP OfficeJet Pro 8710 [871FCB] UNIX Printer local
   hostname = [HPC8D3FF871FCB.local]
   address = [10.0.0.8]
   port = [515]
   txt = ["Scan=T" "Duplex=T" "Color=T" "UUID=[REMOVED FROM OUTPUT]" "note=" "adminurl=http://HPC8D3FF871FCB.local." "mac=[REMOVED FROM OUTPUT]" "priority=52" "usb_MDL=OfficeJet Pro 8710" "usb_MFG=HP" "product=(HP OfficeJet Pro 8710)" "ty=HP OfficeJet Pro 8710" "kind=document,envelope,photo,postcard" "PaperMax=legal-A4" "pdl=application/vnd.hp-PCL,image/jpeg,application/PCLm,image/urf,image/pwg-raster" "rp=RAW" "qtotal=1" "txtvers=1"]

which contains all of the info needed for hp-makeuri:

user@debian:~$ hp-makeuri HPC8D3FF871FCB.local

HP Linux Imaging and Printing System (ver. 3.17.10)
Device URI Creation Utility ver. 5.0

Copyright (c) 2001-15 HP Development Company, LP
This software comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to distribute it
under certain conditions. See COPYING file for more details.

CUPS URI: hp:/net/HP_OfficeJet_Pro_8710?hostname=HPC8D3FF871FCB.local
SANE URI: hpaio:/net/HP_OfficeJet_Pro_8710?hostname=HPC8D3FF871FCB.local
HP Fax URI: hpfax:/net/HP_OfficeJet_Pro_8710?hostname=HPC8D3FF871FCB.local

Done.
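
As an added example (not HPLIP's code and not part of the comment above), parsing the resolved avahi-browse record shown and building the same hp:/net/... URIs that hp-makeuri printed. The hostname and the "ty" TXT field come from the record; the rule that the model part is "ty" with spaces replaced by underscores is an assumption chosen to reproduce the output shown, not taken from HPLIP's source.

```python
import re

# Constructed from the avahi-browse -a -t -r output quoted above (UUID and mac
# were already removed in the report; the TXT list is shortened).
AVAHI_OUTPUT = """\
+ wlp58s0 IPv6 HP OfficeJet Pro 8710 [871FCB] Internet Printer local
= wlp58s0 IPv4 HP OfficeJet Pro 8710 [871FCB] UNIX Printer local
   hostname = [HPC8D3FF871FCB.local]
   address = [10.0.0.8]
   port = [515]
   txt = ["Scan=T" "Duplex=T" "Color=T" "note=" "adminurl=http://HPC8D3FF871FCB.local." "priority=52" "usb_MDL=OfficeJet Pro 8710" "usb_MFG=HP" "product=(HP OfficeJet Pro 8710)" "ty=HP OfficeJet Pro 8710" "pdl=application/vnd.hp-PCL,image/urf" "rp=RAW" "qtotal=1" "txtvers=1"]
"""

def parse_avahi_records(text):
    """Return one dict per resolved ('=') record, built from the indented
    'key = [value]' lines that follow it. Unresolved ('+') lines are skipped.
    The txt record is split into its own key/value dict."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("="):
            current = {"family": line.split()[2]}   # IPv4 / IPv6
            records.append(current)
        elif current is not None and line.startswith(" ") and " = " in line:
            key, _, value = line.strip().partition(" = ")
            value = value.strip()[1:-1]              # drop the surrounding [ ]
            if key == "txt":
                txt = {}
                for item in re.findall(r'"([^"]*)"', value):
                    k, _, v = item.partition("=")
                    txt[k] = v
                current["txt"] = txt
            else:
                current[key] = value
    return records

def hplip_uris(record):
    """Build the hp:/, hpaio:/ and hpfax:/ URIs in the form hp-makeuri printed.
    Assumption: model = TXT 'ty' with spaces replaced by underscores."""
    model = record["txt"]["ty"].replace(" ", "_")
    host = record["hostname"]
    return {scheme: f"{scheme}:/net/{model}?hostname={host}"
            for scheme in ("hp", "hpaio", "hpfax")}

if __name__ == "__main__":
    for rec in parse_avahi_records(AVAHI_OUTPUT):
        print(rec["family"], rec["address"], rec["port"], rec["txt"]["usb_MFG"])
        for scheme, uri in hplip_uris(rec).items():
            print(f"  {scheme}: {uri}")
```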

summary: - hp-setup requires allowing incoming connections for network discovery
+ make hp-setup discovery work with firewall
summary: - make hp-setup discovery work with firewall
+ make hp-setup network discovery work with firewall
Esokrates (esokrarkose)
summary: - make hp-setup network discovery work with firewall
+ make hp-probe network discovery work with firewall
Esokrates (esokrarkose) wrote :

@hplip-dev's ping?
