So I got rid of firewalld and I think I have set up nftables directly to use the /etc/nftables.conf file. After this, sudo nft list table inet filter gives out
chain input {
type filter hook input priority filter; policy accept;
ct state { established, related } accept
ct state invalid drop
iifname "lo" accept
ip protocol icmp accept
meta l4proto ipv6-icmp accept
tcp dport 22 accept
reject
}
chain forward {
type filter hook forward priority filter; policy accept;
drop
}
chain output {
type filter hook output priority filter; policy accept;
}
}
Okay, so then I run
sudo nft add rule inet filter input tcp dport 8612 accept
sudo nft add rule inet filter input tcp dport 8610 accept
sudo nft add rule inet filter input udp dport 8612 accept
and I see the changes are reflected in sudo nft list table inet filter yet I am still receiving the 'ole
[22:11:27.690129] [bjnp] udp_command: ERROR - no data received (timeout = 10000)
[22:11:27.690192] [bjnp] bjnp_init_device_structure: Cannot read mac address, skipping this scanner
I'm still seeing those "Destination Unreachable (Port Unreachable)" packets over ICMP, port 8612. However, I think this port should be open because of the line that says "ip protocol icmp accept" in the above command output, and also I opened them (right?). Perhaps it's not my port that is unreachable, maybe it's the printer's port 56639... Windows users on my network have no problem with scanning.
Also, I'm seeing an ARP packet "Who has 192.168.0.44? Tell 192.168.0.50" (Printer's ip and my ip respectively). I think that this ARP packet might be being blocked? I don't think that is so, because the very next packet says "192.168.0.44 is at f4:a9:97:4f:e1:a1". I don't know, maybe I need to configure something (table or chain set to accept, maybe) with the ARP family.
Another concern I have is whether this firewall is somewhat secure, but it seems too simple to accomplish this. Perhaps I have a misconception that I need so many rules.
Also, is it possible for wireshark to capture ALL incoming and outgoing packets, or only ones permitted by the firewall? It is running locally on my machine.
Is there a command to make the changes permanent, or is it needed every time to follow https://wiki.archlinux.org/index.php/Nf … t_rule_set?
P.S. I have learned that when Simple Scan is open on my computer, the Windows computers on the network can't use the scanner; maybe that is an indicator of a connection that's been established.
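As an added example (not code from the thread or from the Arch wiki), the shell script below writes a persistent /etc/nftables.conf that keeps the chains listed above, adds the scanner ports the post opened (TCP 8610/8612, UDP 8612), and puts a `log ... counter` rule in front of the final `reject` so the kernel log shows exactly which port and protocol each rejected packet had. The default path, the `nft -c -f` syntax check, and the assumption that the Arch nftables.service unit loads /etc/nftables.conf on boot are the example's own; the chain layout and ports come from the post.

```shell
#!/bin/sh
# Added example: build and validate a persistent nftables ruleset.
# Run as root for check_ruleset/install_ruleset; write_ruleset only needs
# write access to the target path (defaults to /etc/nftables.conf, an assumption).

write_ruleset() {
    out="${1:-/etc/nftables.conf}"
    cat > "$out" <<'EOF'
#!/usr/bin/nft -f
# Declaring the table first makes "flush table" safe on a fresh boot,
# and flushing only this table keeps other tables (if any) untouched.
table inet filter
flush table inet filter

table inet filter {
    chain input {
        # policy drop is a safety net: if the trailing reject is ever removed,
        # unmatched traffic is still dropped rather than accepted.
        type filter hook input priority filter; policy drop;
        ct state { established, related } accept
        ct state invalid drop
        iifname "lo" accept
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        tcp dport 22 accept
        # Scanner/printer ports from the thread.
        tcp dport { 8610, 8612 } accept
        udp dport 8612 accept
        # Log (to the kernel log, see journalctl -k) what is about to be rejected,
        # so the real port/protocol of any "Port Unreachable" is visible.
        log prefix "nft-input-reject: " counter
        reject
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
# Note: the inet family only sees IPv4/IPv6; ARP is never matched by this
# table, so an "arp" family table would be needed to filter it.
EOF
}

# Syntax-check the file without loading it. Returns nft's exit code,
# or 2 if nft is not installed on this machine.
check_ruleset() {
    f="${1:-/etc/nftables.conf}"
    command -v nft >/dev/null 2>&1 || { echo "nft not found" >&2; return 2; }
    nft -c -f "$f"
}

# Load the file now and enable the unit that reloads it at boot
# (assumption: nftables.service runs "nft -f /etc/nftables.conf").
install_ruleset() {
    f="${1:-/etc/nftables.conf}"
    check_ruleset "$f" && nft -f "$f" && systemctl enable --now nftables
}

# Count explicit "accept" rules in a ruleset file (useful for a quick sanity check).
count_accept_rules() {
    grep -c ' accept$' "${1:-/etc/nftables.conf}"
}

# Usage when run directly:  sudo sh thisfile.sh
# write_ruleset && install_ruleset
```

Two points the rules themselves cannot show: Wireshark/libpcap taps inbound frames at the interface before the netfilter input hook runs, so a local capture still shows inbound packets that the firewall later rejects, while outbound packets dropped in the output chain never reach the interface and are not captured; and once the file is in place, `sudo nft list ruleset > /etc/nftables.conf` is the usual way to persist further ad-hoc `nft add rule` changes (re-run `nft -c -f` afterwards).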
I thought ufw had switched to nftables, but seems that's not the case. Their last release was in 2018, which is not a good sign.
Several of the questions you ask are beyond my skill level and this thread has changed from a printer support issue to a highly technical network/firewall issue.
As both printing & scanning work, I think it is time to start a new topic in Networking, Server, and Protection.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
(A works at time B) && (time C > time B ) ≠ (A works at time C)
Ok, as you suggest I will create a new post there. Thank you so much for your help in figuring this out, I wouldn't have gotten even my printer working without it. I will edit this comment with a link to the new post after it's made.
Here's the post: https://bbs.archlinux.org/viewtopic.php … 8#p1903358
Last edited by kinru (2020-05-07 13:59:56)