UFW and saned... not working together...

Bug #1595046 reported by Roberto
This bug affects 3 people

Affects: ufw | Status: Invalid | Importance: Undecided | Assigned to: Unassigned

Bug Description

Hi,
I am using ufw version 0.35 on Kubuntu 16.04.

My scanner is an Epson network scanner with printer.

When I run this command with ufw disabled, I get:

>scanimage -L
>
>device `epkowa:net:192.168.0.8' is a Epson XP-950 Series flatbed scanner

When I activate ufw I get:

>scanimage -L
>
>No scanners were identified. If you were expecting something different,
>check that the scanner is plugged in, turned on and detected by the
>sane-find-scanner tool (if appropriate). Please read the documentation
>which came with this software (README, FAQ, manpages).

I have done some searching on Google, and I tried to put these rules in ufw:

2233 ALLOW Anywhere
6566/tcp ALLOW Anywhere
Anywhere ALLOW 192.168.0.8
6566/udp ALLOW Anywhere
6566 ALLOW 192.168.0.8
Anywhere ALLOW 192.168.0.0/24
6566 ALLOW Anywhere
6566 ALLOW 192.168.0.0/24
2233 (v6) ALLOW Anywhere (v6)
6566/tcp (v6) ALLOW Anywhere (v6)
6566/udp (v6) ALLOW Anywhere (v6)
6566 (v6) ALLOW Anywhere (v6)

The saned port is correct.
I can ping 192.168.0.8 (fixed IP address of the scanner/printer).
I can see the web page at that IP address in the web browser.

I also tried to edit the ufw config file /etc/default/ufw, adding this line:

IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns nf_conntrack_sane"

and commented out the previous one:

#IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"

Rebooted... and still not running.

I don't have any idea how to solve it...

Can someone help me?

Sorry for my bad English.

Please,
thanks

Revision history for this message
Roberto (roby-programmer) wrote :

Hi, I also tried:

editing saned.conf:

data_portrange = 40000 - 40100

and adding more ufw rules:

To                         Action      From
--                         ------      ----
6566/tcp ALLOW 192.168.0.0/24
40000:40100/tcp ALLOW 192.168.0.0/24
6566/tcp ALLOW Anywhere
Anywhere ALLOW 192.168.0.8
6566 ALLOW Anywhere
6566/udp ALLOW Anywhere
6566 ALLOW 192.168.0.0/24
6566/udp ALLOW 192.168.0.0/24
40000:40100/udp ALLOW 192.168.0.0/24
40000:40100/udp ALLOW 192.168.0.8
6566/udp ALLOW 192.168.0.8
6566/tcp ALLOW 192.168.0.8
40000:40100/tcp ALLOW 192.168.0.8
Anywhere ALLOW 192.168.0.255
Anywhere ALLOW 192.168.0.255/udp
Anywhere ALLOW 192.168.0.255/tcp
6566/tcp (v6) ALLOW Anywhere (v6)
6566 (v6) ALLOW Anywhere (v6)
6566/udp (v6) ALLOW Anywhere (v6)

but nothing...

I have to disable ufw and reboot to see it working (see the network printer/scanner).

Revision history for this message
silverspr (silverspr) wrote :

Hi, I was also using ufw 0.35 on Xubuntu 16.04.1 and ran into the same problem as Roberto. I tried opening all the same ports and troubleshooting steps as the user listed above and was not able to run the scanner, no access errors. And as above, the only way to get a working scanner was to turn off ufw and reboot. I finally uninstalled ufw and replaced it with firewalld. It's a bit more challenging to work with initially, but I have a working firewall and can use the scanner (Epson DS-560).

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

@Roberto-- what messages do you see in /var/log/syslog (or /var/log/ufw.log if you've configured ufw to log there) when you use 'scanimage -L'?

Changed in ufw:
status: New → Incomplete
Revision history for this message
Roberto (roby-programmer) wrote :

Hi,
please see attachments.

The text file is filled with the information that you asked me for.
The picture is about the rules.

Tell me if I can help more.

thank you

Revision history for this message
Roberto (roby-programmer) wrote :

Sorry, here is the attachment with the rules.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Based on your jpeg, it appears you have egress filtering in effect (ie, outgoing rules are deny). If that is the case, I suspect if you turn that off, scanimage will work (I was able to confirm that here). Otherwise, you are going to need to look at your logs for outgoing denials. Looking at scanimage -L tcpdump output, it seems these are the ports: 8612, 8610. Alternatively, you can allow egress rules to your firewall. Based on your jpeg, you might just use:

$ sudo ufw allow out to 192.168.0.0/24

Revision history for this message
Roberto (roby-programmer) wrote :

Tried:

sudo ufw allow out to 192.168.0.0/24
reboot

scanimage -L

No scanners were identified. If you were expecting something different,
check that the scanner is plugged in, turned on and detected by the
sane-find-scanner tool (if appropriate). Please read the documentation
which came with this software (README, FAQ, manpages).

scanimage -L tcpdump output

No scanners were identified. If you were expecting something different,
check that the scanner is plugged in, turned on and detected by the
sane-find-scanner tool (if appropriate). Please read the documentation
which came with this software (README, FAQ, manpages).

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Can you paste the UFW denials from /var/log/syslog right after you ran scanimage -L?

Revision history for this message
Roberto (roby-programmer) wrote :

I did:

scanimage -L

when it finished

sudo grep UFW /var/log/syslog > UFW.txt

Is it correct?

Sorry if I misunderstood... I am not a pro Linux hacker, but I would like to be, to help...

bye

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

scanimage tries a lot of different ports. Locally I see:
57621
15600
8612
8610
5353
3289
1124

Your logs also have '[UFW AUDIT]' and no '[UFW BLOCK]' entries for these ports so ufw doesn't seem to be blocking the traffic.

I did some googling and it seems you need to use the 'nf_conntrack_sane' connection tracking module. Try adjusting /etc/default/ufw to have:

IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns nf_conntrack_sane"

(ie, just add nf_conntrack_sane to the end of the list of whatever you have). Then do:

$ sudo ufw reload

You might want to reboot just to flush everything from the connection tracking tables.

Revision history for this message
Roberto (roby-programmer) wrote :

Hello,
before opening the bug I had already tried the Google way.

I have already edited the ufw conf file (see my first post) with that line.

However, as you asked, I re-did it.

edited the ufw file
rebooted

scanimage -L
device `epkowa:net:192.168.0.8' is a Epson XP-950 Series flatbed scanner

now I turn on ufw (now I am under 16.10 distro)

tried:
scanimage -L

No scanners were identified. If you were expecting something different,
check that the scanner is plugged in, turned on and detected by the
sane-find-scanner tool (if appropriate). Please read the documentation
which came with this software (README, FAQ, manpages).

I will try with UFW on and reboot, and post the result and ufw conf file in the next comment.

Revision history for this message
Roberto (roby-programmer) wrote :

Rebooted (UFW on from startup):
scanimage -L

No scanners were identified. If you were expecting something different,
check that the scanner is plugged in, turned on and detected by the
sane-find-scanner tool (if appropriate). Please read the documentation
which came with this software (README, FAQ, manpages).

Here is my ufw conf (also tried, from Google,
FW_TRUSTED_NETS="192.168.0.0/24,tcp,6566,192.168.0.0/24,tcp,40000:40100"
FW_SERVICES_ACCEPT_RELATED_EXT="192.168.0.0/24,tcp,,40000:40100""):

# /etc/default/ufw
#

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="ACCEPT"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="DROP"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# Extra connection tracking modules to load. Complete list can be found in
# net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)

#OLD
#IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"

#WORKAROUND FROM GOOGLE, BUT NO SUCCESS
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns nf_conntrack_sane"
FW_TRUSTED_NETS="192.168.0.0/24,tcp,6566,192.168.0.0/24,tcp,40000:40100"
FW_SERVICES_ACCEPT_RELATED_EXT="192.168.0.0/24,tcp,,40000:40100""

Revision history for this message
Roberto (roby-programmer) wrote :

I am very sorry, there was an error in the last line of the ufw file.

wrong
FW_SERVICES_ACCEPT_RELATED_EXT="192.168.0.0/24,tcp,,40000:40100""

correct
FW_SERVICES_ACCEPT_RELATED_EXT="192.168.0.0/24,tcp,40000:40100"

rebooted with also /etc/ufw/ufw.conf with ENABLED=yes

systemctl status ufw
● ufw.service - Uncomplicated firewall
   Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
   Active: active (exited) since mer 2016-10-26 11:45:19 CEST; 2min 35s ago
 Main PID: 331 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/ufw.service

ott 26 11:45:19 LinuxBoxRoby systemd[1]: Started Uncomplicated firewall.
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

scanimage -L

No scanners were identified. If you were expecting something different,
check that the scanner is plugged in, turned on and detected by the
sane-find-scanner tool (if appropriate). Please read the documentation
which came with this software (README, FAQ, manpages).

I have to change it to no in the ufw.conf file and turn it off... Google didn't help.

Maybe it can be useful to "print" the rules that UFW creates for iptables and post them here, but I have no idea how to do it; I am not a pro Linux user and I am not good with the iptables command.

Any help?

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Ok, locally I tested this and found a ruleset that doesn't log any blocked packets with scanimage:

Adjust /etc/default/ufw to have:
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns nf_conntrack_sane"

$ sudo ufw reload # to load nf_conntrack_sane
$ sudo ufw logging low
$ sudo ufw default deny outgoing
$ sudo ufw allow out to 192.168.0.0/16
$ sudo ufw allow out to 224.0.0.251 port 5353
$ sudo ufw allow out 1124,1900,3289,5353,8610,8612/udp
$ sudo ufw allow to ff02::1 port 8610,8612 proto udp

(note, this ruleset may not be appropriate for your site)

As such, this is not a bug in ufw but rather an incomplete ruleset for your site. I will add to /etc/default/ufw a note about nf_conntrack_sane, but keep in mind that egress filtering takes effort and a lot of fine-tuning. The basic procedure is:

Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0

Then tail /var/log/kern.log (or /var/log/ufw.log if configured to log there):
$ sudo tail -f /var/log/kern.log

Then run programs and see what is logged as blocked. Eg, with scanimage I saw:

kernel: [169710.804877] [UFW BLOCK] IN= OUT=wlp58s0 SRC=192.168.2.110 DST=255.255.255.255 LEN=43 TOS=0x00 PREC=0x00 TTL=64 ID=12830 DF PROTO=UDP SPT=47684 DPT=3289 LEN=23

At this point you would need to investigate port 3289 and decide if you want to allow and decide the destination you want to use. Google shows 3289 is for Epson printers, so this would allow it:

$ sudo ufw allow out to any port 3289

or this if your site requirements dictate a more fine-grained policy:
$ sudo ufw allow out to 255.255.255.255 port 3289
$ sudo ufw allow out to 192.168.0.8 port 3289

Because many programs run concurrently, you may have unrelated blocked packets showing up in your logs when you are exercising your policy, so keep that in mind. Also, I found that if the logs weren't logging and I expected them to, 'sudo ufw reload' would get things logging again. I suspect this had something to do with kernel rate limiting (something outside of ufw's control) so if you are using the sysctl above, hopefully that isn't needed.

Changed in ufw:
status: Incomplete → Invalid
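The log-to-rules step of the procedure above, as an added shell example that is not part of this thread or of ufw itself: it reads [UFW BLOCK] lines in the format of the kernel log line quoted above, keeps only egress denials (OUT= set, IN= empty), and prints one candidate `ufw allow out` rule per distinct destination/protocol/port, flagging broadcast and multicast destinations so the reviewer can decide between `any`, the broadcast address and the device address as discussed. The sample log embedded in the script is constructed: its first entry is the one quoted in this thread, the rest use ports listed above (5353, 8612) plus one inbound block that must be ignored, and the timestamps, hostname, MAC and source addresses are made up.

```sh
#!/bin/sh
# Added example, not from this thread or the ufw project: turn the
# "[UFW BLOCK]" egress denials ufw writes to /var/log/kern.log into
# candidate "ufw allow out" rules (after kernel.printk_ratelimit=0,
# tailing the log and running the program, as described above).
#
# Usage after sourcing this file:
#   sudo grep 'UFW BLOCK' /var/log/kern.log | ufw_egress_rules
# or, to see it on the constructed sample below:
#   sh this_script.sh --demo

ufw_egress_rules() {
    # Reads log lines on stdin. Keeps only egress blocks (OUT= set, IN=
    # empty), splits the KEY=VALUE fields, and prints one rule per distinct
    # (destination, protocol, destination port) tuple, in first-seen order.
    awk '
    /\[UFW BLOCK\]/ {
        split("", f)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0) f[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        if (f["OUT"] == "" || f["IN"] != "") next   # inbound or forwarded: not egress
        if (f["PROTO"] == "" || f["DPT"] == "") next # e.g. ICMP carries no port
        proto = tolower(f["PROTO"])
        key = f["DST"] " " proto " " f["DPT"]
        if (key in seen) next
        seen[key] = 1
        # A rule to a broadcast/multicast address (discovery traffic) is a
        # different decision from a rule to one device, so say which it is.
        if (f["DST"] == "255.255.255.255" || f["DST"] ~ /^2(2[4-9]|3[0-9])\./)
            printf "# %s is broadcast/multicast (discovery); consider the device address too\n", f["DST"]
        printf "sudo ufw allow out to %s port %s proto %s\n", f["DST"], f["DPT"], proto
    }'
}

# Constructed sample input: the first entry is the real line quoted in the
# thread (with a made-up syslog prefix); the others are made up using ports
# listed above, plus one inbound block that must be ignored.
SAMPLE_LOG='Oct 26 11:47:01 LinuxBoxRoby kernel: [169710.804877] [UFW BLOCK] IN= OUT=wlp58s0 SRC=192.168.2.110 DST=255.255.255.255 LEN=43 TOS=0x00 PREC=0x00 TTL=64 ID=12830 DF PROTO=UDP SPT=47684 DPT=3289 LEN=23
Oct 26 11:47:01 LinuxBoxRoby kernel: [169710.805011] [UFW BLOCK] IN= OUT=wlp58s0 SRC=192.168.2.110 DST=224.0.0.251 LEN=71 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=51
Oct 26 11:47:02 LinuxBoxRoby kernel: [169710.901234] [UFW BLOCK] IN= OUT=wlp58s0 SRC=192.168.2.110 DST=255.255.255.255 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=12831 DF PROTO=UDP SPT=47685 DPT=8612 LEN=28
Oct 26 11:47:02 LinuxBoxRoby kernel: [169710.901300] [UFW BLOCK] IN= OUT=wlp58s0 SRC=192.168.2.110 DST=255.255.255.255 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=12832 DF PROTO=UDP SPT=47685 DPT=8612 LEN=28
Oct 26 11:47:03 LinuxBoxRoby kernel: [169711.100000] [UFW BLOCK] IN=wlp58s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.2.110 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# demo_rules: the rule lines only (no comment lines) for the sample above.
demo_rules() {
    printf '%s\n' "$SAMPLE_LOG" | ufw_egress_rules | grep '^sudo'
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | ufw_egress_rules
fi
```

The output is a starting point for the review described above, not a ruleset to apply blindly: for each port decide whether `any`, the broadcast address or the device address is right for your site. Repeated blocks of the same tuple collapse into one line, so a scanimage run that retries a port many times still yields a single rule, and unrelated programs' blocks will show up alongside the ones you are hunting.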
Revision history for this message
perdigueiro (alves-lcc) wrote :

I'm using Ubuntu 16.10 'Gnome'. The only way my scanner gets recognized while ufw is enabled is to enable TCP SYN flood protection.
$ sudo sysctl -w net.ipv4.tcp_syncookies=1

You can check its status with:
$ sudo sysctl -n net.ipv4.tcp_syncookies

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

perdigueiro, I checked and ufw is overriding the value for syncookies in its sysctl file. I've updated that just now in trunk to use the system default. Thanks for this info!

Revision history for this message
Roberto (roby-programmer) wrote :

Hello, thank you to perdigueiro and Jamie. I didn't try anything till now, I had some urgent problems to solve. When I can, I will try perdigueiro's workaround; if it works, I will keep you updated too, else I will follow Jamie's instructions to log all firewall activity and understand what port/s I need to open.

So to try this workaround, I have to:
1) enable UFW
2) sudo sysctl -w net.ipv4.tcp_syncookies=1
3) scanimage -L

???? correct ???

Sorry for my late response and bad/worst English.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Roberto,

When ufw is enabled, do:
1) adjust /etc/ufw/systctl.conf to change this:
net/ipv4/tcp_syncookies=0

to:
#net/ipv4/tcp_syncookies=0

2. run: sudo sysctl -w net.ipv4.tcp_syncookies=1

3. try to use your scanner. You might want to try after a reboot.

Revision history for this message
Roberto (roby-programmer) wrote :

Thank you Jamie,
I solved it! and also thanks to perdigueiro!

If I can say just one thing about your instructions:

"
1) adjust /etc/ufw/systctl.conf to change this:

net/ipv4/tcp_syncookies=0

to:
#net/ipv4/tcp_syncookies=0
"

The correct file to adjust is /etc/ufw/sysctl.conf; maybe a typing error with the "t"... just for other noobs like me ;-) that may have the same problem and find this page.

Again, thank you a thousand times, guys!

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Yes, Roberto, that was a typo. Sorry.

FYI, I updated ufw trunk:

revno: 972
committer: Jamie Strandboge <email address hidden>
branch nick: trunk
timestamp: Sun 2017-01-08 10:50:19 -0600
message:
  don't disable syncookies and instead use the system defined value by default

This will be in Ubuntu 17.04 and Debian unstable soon.
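The reason the `sysctl -w` alone was not enough: ufw applies /etc/ufw/sysctl.conf (the file named by IPT_SYSCTL in the /etc/default/ufw shown above) when it is enabled or reloaded, so any key pinned there is reset to ufw's value, which is why the line had to be commented out. This added shell example, not part of this thread or of ufw, lists the keys that file pins and compares them with the running kernel, or offline with a supplied "key value" list, so a hardening setting that ufw will silently flip shows up as DIFFERS. The sample files it builds are constructed excerpts in the shape of that file, not copies of the real one.

```sh
#!/bin/sh
# Added example, not from this thread or the ufw project: find the sysctl
# keys that /etc/ufw/sysctl.conf pins, so you can see which of your own
# settings (here net.ipv4.tcp_syncookies) ufw will reset on enable/reload.
# The file uses slash-separated keys (net/ipv4/tcp_syncookies=0); sysctl(8)
# uses dots, so keys are normalised before comparing.
#
# Usage:
#   ufw_sysctl_diff /etc/ufw/sysctl.conf            # compare with the running kernel
#   ufw_sysctl_diff some.conf running.txt           # offline: "key value" lines in running.txt
#   sh this_script.sh --demo                        # run on the constructed sample

ufw_sysctl_overrides() {
    # Print "key value" for every setting in a ufw-style sysctl file:
    # drop comments and blank lines, strip spaces, convert / in keys to .
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" \
    | tr -d '[:blank:]' \
    | awk -F= 'NF == 2 { gsub("/", ".", $1); print $1, $2 }'
}

ufw_sysctl_diff() {
    # For each pinned key print: key ufw=<file value> running=<current> same|DIFFERS
    # The current value comes from sysctl -n, or from the optional "key value"
    # file in $2 when working offline.
    file=$1
    values=${2:-}
    ufw_sysctl_overrides "$file" | while read -r key want; do
        if [ -n "$values" ]; then
            have=$(awk -v k="$key" '$1 == k { print $2 }' "$values")
        else
            have=$(sysctl -n "$key" 2>/dev/null || true)
        fi
        if [ -z "$have" ]; then have='?'; fi
        if [ "$have" = "$want" ]; then state=same; else state=DIFFERS; fi
        printf '%s ufw=%s running=%s %s\n' "$key" "$want" "$have" "$state"
    done
}

# Constructed sample: a short excerpt in the shape of /etc/ufw/sysctl.conf
# (the syncookies line is the one this thread is about) and a "running" list
# in which syncookies was set to 1 by hand, as suggested above.
make_sample_files() {
    d=$(mktemp -d)
    cat > "$d/sysctl.conf" <<'EOF'
# constructed excerpt in the style of /etc/ufw/sysctl.conf
net/ipv4/conf/all/accept_redirects=0
net/ipv4/tcp_syncookies=0
#net/ipv4/ip_forward=1
net/ipv6/conf/default/accept_ra = 0
EOF
    cat > "$d/running.txt" <<'EOF'
net.ipv4.conf.all.accept_redirects 0
net.ipv4.tcp_syncookies 1
net.ipv6.conf.default.accept_ra 0
EOF
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_files)
    ufw_sysctl_diff "$d/sysctl.conf" "$d/running.txt"
    rm -r "$d"
fi
```

On the sample the syncookies key is reported as DIFFERS (ufw=0, running=1), which is exactly the clobbering this thread hit. Run it against the real file on a 16.04/16.10 box before and after `ufw reload` to confirm which keys ufw owns; on releases with the trunk change above, the syncookies line is no longer pinned.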
