
#1 2020-05-07 13:56:55

kinru
Member
From: East Coast USA
Registered: 2019-03-23
Posts: 99

[Solved] Firewall Continually Preventing Scanner Detection and Usage

I created a post in Applications and Desktop Environments some days ago, but the discussion there has evolved and Lone_Wolf suggested creating a topic here.

What we have determined is that the firewall (nftables) is preventing the scanner from being used and detected. When it was disabled, the scanner had 3 protocols available for just the one scanner (Canon PIXMA TS6120 All-in-One).

I really suggest reading through the post I linked since it has a lot of context about what is going wrong and what has been tried. The main thing is that xsane returns

[10:34:11.947104] [bjnp] udp_command: ERROR - no data received (timeout = 10000)
[10:34:11.947222] [bjnp] bjnp_init_device_structure: Cannot read mac address, skipping this scanner

The output of sudo nft list table inet filter is

table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		ct state { established, related } accept
		ct state invalid drop
		iifname "lo" accept
		ip protocol icmp accept
		meta l4proto ipv6-icmp accept
		tcp dport 22 accept
		reject
		tcp dport 8610 accept
		tcp dport 8612 accept
		udp dport 8612 accept
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		drop
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}

The 3 ports that are opened manually are supposed to allow access to the scanner, but I think it's insufficient. I can post Wireshark captures, but I need to know the best way to send a .pcapng file, as I don't think a pastebin works for this.

Last edited by kinru (2020-05-09 17:26:59)


#2 2020-05-07 14:13:29

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

		reject
		tcp dport 8610 accept
		tcp dport 8612 accept
		udp dport 8612 accept

Would the reject entry not prevent the following entries from being reached?


#3 2020-05-07 14:50:06

Zod
Member
From: Hoosiertucky
Registered: 2019-03-10
Posts: 629

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

I think you're right, loqs, the firewall will process rules from top to bottom.

The first rule that it reaches that fills the bill, it will act and stop processing rules.

It's important that firewall rules be in the correct order.


#4 2020-05-07 15:04:49

kinru
Member
From: East Coast USA
Registered: 2019-03-23
Posts: 99

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

Ok, so I did

sudo nft delete rule inet filter input handle 11

sudo nft add rule inet filter input reject

so now the output of sudo nft list table inet filter is

table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		ct state { established, related } accept
		ct state invalid drop
		iifname "lo" accept
		ip protocol icmp accept
		meta l4proto ipv6-icmp accept
		tcp dport 22 accept
		tcp dport 8610 accept
		tcp dport 8612 accept
		udp dport 8612 accept
		reject
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		drop
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}

I believe that's the correct order then. Is it necessary to do this every time I want to add a rule, or is there a way to insert the rule above 'reject'?
Still, when I run xsane the return is

[11:00:47.556355] [bjnp] udp_command: ERROR - no data received (timeout = 10000)
[11:00:47.556424] [bjnp] bjnp_init_device_structure: Cannot read mac address, skipping this scanner


#5 2020-05-07 20:58:08

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

kinru wrote:

I believe that's the correct order then. Is it necessary to do this every time I want to add a rule, or is there a way to insert the rule above 'reject'?

See Simple_rule_management#Adding_a_rule_at_a_given_position.

kinru wrote:

Still, when I run xsane the return is

[11:00:47.556355] [bjnp] udp_command: ERROR - no data received (timeout = 10000)
[11:00:47.556424] [bjnp] bjnp_init_device_structure: Cannot read mac address, skipping this scanner

I think you could change the drop line to

log drop


#6 2020-05-08 00:31:00

kinru
Member
From: East Coast USA
Registered: 2019-03-23
Posts: 99

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

Ok, I changed "drop" to be "log drop". Now sudo nft list table inet filter outputs

table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		ct state { established, related } accept
		ct state invalid drop
		iifname "lo" accept
		ip protocol icmp accept
		meta l4proto ipv6-icmp accept
		tcp dport 22 accept
		tcp dport 8610 accept
		tcp dport 8612 accept
		udp dport 8612 accept
		reject
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		log drop
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}

Where are the logs for this located?


#7 2020-05-08 12:57:20

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

Kernel ring buffer, so check dmesg / journalctl.


#8 2020-05-09 14:09:23

kinru
Member
From: East Coast USA
Registered: 2019-03-23
Posts: 99

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

Ok, checked dmesg and journalctl directly after running xsane, there were no changes since taking the machine out of suspend. I guess that shows no packets are dropped at the forward chain?

Last edited by kinru (2020-05-09 15:07:31)


#9 2020-05-09 14:55:23

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

My mistake, I wanted you to change the terminal command in the input chain, so I should have specified:

log reject


#10 2020-05-09 15:34:07

kinru
Member
From: East Coast USA
Registered: 2019-03-23
Posts: 99

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

Here is the journalctl output https://hastebin.com/decanigore and the dmesg output https://hastebin.com/yuyoxofosi from around the time of running xsane. Let me know if the full logs are needed.
EDIT: Yes, I added the log reject line.

Last edited by kinru (2020-05-09 16:05:50)


#11 2020-05-09 15:56:28

Zod
Member
From: Hoosiertucky
Registered: 2019-03-10
Posts: 629

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

IN     incoming interface
OUT    outgoing interface
MAC    hardware address
SRC    IP address in the source field in the IP header
DST    IP address in the destination field of the IP header
LEN    Length of the IP packet
TOS    originally called Type of service, these days it is the Differentiated Services Code Point
TTL    Time to live
PROTO  name of protocol tcp/udp are most common
SPT    Source port from tcp/udp header
DPT    Destination port from tcp/udp header
DF     TCP don't fragment flag
SYN    TCP Syn Flag
ACK    TCP Ack flag
WINDOW TCP Window
SEQ    Sequence number

I don't see anything being dropped and I don't see anything that looks tied to your scanner.

What version of sane are you using?


#12 2020-05-09 16:04:24

kinru
Member
From: East Coast USA
Registered: 2019-03-23
Posts: 99

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

pacman -Qi sane

Name            : sane
Version         : 1.0.29-1
Description     : Scanner Access Now Easy
Architecture    : x86_64
URL             : http://www.sane-project.org/
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : libtiff>=4.0.0  libgphoto2  libjpeg>=8  libusbx  libieee1284  v4l-utils  avahi  bash  net-snmp
Optional Deps   : None
Required By     : colord-sane  masterpdfeditor  python-sane  python2-sane  sane-airscan  simple-scan  xsane
Optional For    : libreoffice-fresh  wine
Conflicts With  : None
Replaces        : None
Installed Size  : 19.11 MiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Mon 03 Feb 2020 04:14:56 PM EST
Install Date    : Fri 14 Feb 2020 09:30:54 AM EST
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

So, that would be Version 1.0.29-1.
Shouldn't this only be logging rejected packets, since the log is only on lines with "reject" or "drop"? To clarify, here is the latest sudo nft --handle --numeric list table inet filter

table inet filter { # handle 9
	chain input { # handle 1
		type filter hook input priority 0; policy accept;
		ct state { 0x2, 0x4 } accept # handle 5
		ct state 0x1 drop # handle 6
		iifname "lo" accept # handle 7
		ip protocol 1 accept # handle 8
		meta l4proto 58 accept # handle 9
		tcp dport 22 accept # handle 10
		tcp dport 8610 accept # handle 18
		tcp dport 8612 accept # handle 19
		udp dport 8612 accept # handle 20
		log reject # handle 25
	}

	chain forward { # handle 2
		type filter hook forward priority 0; policy accept;
		log drop # handle 24
	}

	chain output { # handle 3
		type filter hook output priority 0; policy accept;
	}
}

Also, my scanner's IP is 192.168.0.44 and that IP is found in the logs.

Last edited by kinru (2020-05-09 16:09:50)


#13 2020-05-09 16:33:02

Zod
Member
From: Hoosiertucky
Registered: 2019-03-10
Posts: 629

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

I'm not inclined to go back over that other post, but I have to ask.

Have you considered ditching the firewall (and by ditching, I mean disabling/uninstalling) until you get the scanner working?


#14 2020-05-09 16:38:19

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

[122048.509996] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:f4:a9:97:4f:e1:a1:08:00 SRC=192.168.0.44 DST=224.0.0.251 LEN=902 TOS=0x00 PREC=0x00 TTL=255 ID=50924 PROTO=UDP SPT=5353 DPT=5353 LEN=882

224.0.0.251 and 5353 appear to be related to mDNS / Bonjour.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)


#15 2020-05-09 16:46:13

kinru
Member
From: East Coast USA
Registered: 2019-03-23
Posts: 99

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

If you're asking if I tried it without the firewall, yes, I did. It worked very well, but I want to avoid disabling the firewall as much as I can because the admin is not really concerned with security. I would prefer to get the issue hammered out; I think it would help forum-searchers in the future to resolve their issues.


#16 2020-05-09 16:52:06

Zod
Member
From: Hoosiertucky
Registered: 2019-03-10
Posts: 629

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

In that case, I would probably try to poke a hole in the firewall for 192.168.0.44/All Traffic.

See that it still works and then begin to tighten it down further. The problem I see, now that I understand your logs a bit more, is the traffic that is being blocked that is not on the 3 or so ports that you have opened up.


#17 2020-05-09 17:01:00

kinru
Member
From: East Coast USA
Registered: 2019-03-23
Posts: 99

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

Ok, so I added a rule ip daddr 192.168.0.44 accept. Is this sufficient to allow that IP?
Here is the new sudo nft --handle --numeric list table inet filter

table inet filter { # handle 9
	chain input { # handle 1
		type filter hook input priority 0; policy accept;
		ct state { 0x2, 0x4 } accept # handle 5
		ct state 0x1 drop # handle 6
		iifname "lo" accept # handle 7
		ip protocol 1 accept # handle 8
		meta l4proto 58 accept # handle 9
		tcp dport 22 accept # handle 10
		tcp dport 8610 accept # handle 18
		tcp dport 8612 accept # handle 19
		udp dport 8612 accept # handle 20
		ip daddr 192.168.0.44 accept # handle 26
		log reject # handle 25
	}

	chain forward { # handle 2
		type filter hook forward priority 0; policy accept;
		log drop # handle 24
	}

	chain output { # handle 3
		type filter hook output priority 0; policy accept;
	}
}

Sadly still getting the same xsane output.

[12:59:21.198195] [bjnp] udp_command: ERROR - no data received (timeout = 10000)
[12:59:21.198282] [bjnp] bjnp_init_device_structure: Cannot read mac address, skipping this scanner

Maybe there's some other ip (broadcast??) that is required for the communication.

I'm going to look into port 5353.

Last edited by kinru (2020-05-09 17:03:09)


#18 2020-05-09 17:12:33

Zod
Member
From: Hoosiertucky
Registered: 2019-03-10
Posts: 629

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

That should work when the destination IP is 192.168.0.44 but what about when the source is 192.168.0.44?

Edit: actually, if the firewall is stateful and the conversation is started by the workstation, all responding traffic should be allowed.

Edit1: Also, something to keep in mind, it looks as though your firewall isn't really considering the direction of the traffic. It just looks at fields in the packet header, compares that to the rules, and makes its decision.

Last edited by Zod (2020-05-09 17:27:16)


#19 2020-05-09 17:25:59

kinru
Member
From: East Coast USA
Registered: 2019-03-23
Posts: 99

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

Opened UDP port 5353 (as it said in https://wiki.archlinux.org/index.php/Avahi#Firewall) and now the scanner is detected in 3 ways:
ESCL     Canon TS6100 ser flatbed scanner     [escl:https://192.168.0.44:443]
ESCL     Canon TS6100 ser flatbed scanner     [escl:https://192.168.0.44:80]
AirScan     Canon TS6100 ser eSCL network scanne [airscan:Canon TS6100 series]

My current sudo nft --handle --numeric list table inet filter is this:

table inet filter { # handle 9
	chain input { # handle 1
		type filter hook input priority 0; policy accept;
		ct state { 0x2, 0x4 } accept # handle 5
		ct state 0x1 drop # handle 6
		iifname "lo" accept # handle 7
		ip protocol 1 accept # handle 8
		meta l4proto 58 accept # handle 9
		tcp dport 22 accept # handle 10
		tcp dport 8610 accept # handle 18
		tcp dport 8612 accept # handle 19
		udp dport 8612 accept # handle 20
		udp dport 5353 accept # handle 27
		log reject # handle 25
	}

	chain forward { # handle 2
		type filter hook forward priority 0; policy accept;
		log drop # handle 24
	}

	chain output { # handle 3
		type filter hook output priority 0; policy accept;
	}
}

How do I make the nftables changes persistent? If I'm right, I need to sudo nft -s list ruleset | tee myfirewall.conf but how do I ensure that file is loaded automatically every boot?


#20 2020-05-09 17:31:38

Zod
Member
From: Hoosiertucky
Registered: 2019-03-10
Posts: 629

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

I am not running a firewall so I don't have any input in that regard.

BUT

The rules, as they now stand, will allow any traffic from...
        tcp dport 22 accept # handle 10
        tcp dport 8610 accept # handle 18
        tcp dport 8612 accept # handle 19
        udp dport 8612 accept # handle 20
        udp dport 5353 accept # handle 27

...any source through. You should consider tying the port #'s to the IP address.
Or better yet, a MAC address.

Last edited by Zod (2020-05-09 17:43:14)


#21 2020-05-09 18:12:47

kinru
Member
From: East Coast USA
Registered: 2019-03-23
Posts: 99

Re: [Solved] Firewall Continually Preventing Scanner Detection and Usage

I changed the rules to look like this

table inet filter { # handle 9
	chain input { # handle 1
		type filter hook input priority 0; policy accept;
		ct state { 0x2, 0x4 } accept # handle 5
		ct state 0x1 drop # handle 6
		iifname "lo" accept # handle 7
		ip protocol 1 accept # handle 8
		meta l4proto 58 accept # handle 9
		ip saddr 192.168.0.44 udp dport 5353 accept # handle 29
		ip saddr 192.168.0.44 tcp dport 8612 accept # handle 31
		ip saddr 192.168.0.44 udp dport 8612 accept # handle 30
		ip saddr 192.168.0.44 tcp dport 22 accept # handle 32
		reject # handle 25
	}

	chain forward { # handle 2
		type filter hook forward priority 0; policy accept;
		drop # handle 24
	}

	chain output { # handle 3
		type filter hook output priority 0; policy accept;
	}
}

It works great. Not sure how to tie to a MAC, though. I also learned that TCP port 22 is needed to use AirScan.
Thank you all so much, now I can turn my work in.

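The three rulesets from this thread side by side, as an added example that is not code from the thread, from nftables or from the Arch wiki: a small first-match simulator in Python that evaluates nft log lines (the KEY=VALUE form that `log reject` writes to the kernel ring buffer, as loqs and Zod describe) against the rule order from post #1 (reject above the scanner ports), the reordered chain with UDP 5353 opened from post #19, and the source-tied chain from post #21. It models only the nft expressions the thread uses (`ip saddr`, `tcp`/`udp dport`, `ip protocol icmp`, bare verdicts); conntrack state and the `lo`/ICMPv6 rules are left out. The first log line is the one Lone_Wolf quoted in post #14; the other three packets, their MAC values, and the addresses 192.168.0.10 (assumed workstation) and 192.168.0.99 (assumed other host on the LAN) are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example for this thread: not code from the thread, nftables or the
# Arch wiki. Only the nft expressions the thread's rulesets use are modelled.

SCANNER = "192.168.0.44"             # scanner address given in post #12
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_nft_log(line: str) -> Dict[str, str]:
    """Split one nftables 'log' line, as seen in dmesg/journalctl, into its
    KEY=VALUE fields. 'OUT=' with no value yields an empty string; a repeated
    key such as LEN keeps its last value (the UDP length, not the IP length)."""
    return dict(FIELD_RE.findall(line))


@dataclass(frozen=True)
class Rule:
    """One input-chain rule: optional matches on protocol, destination port and
    source address, plus the verdict taken when every given part matches."""
    verdict: str                     # "accept", "reject" or "drop"
    proto: Optional[str] = None      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    saddr: Optional[str] = None

    def matches(self, pkt: Dict[str, str]) -> bool:
        if self.proto is not None and pkt.get("PROTO", "").lower() != self.proto:
            return False
        if self.dport is not None and pkt.get("DPT") != str(self.dport):
            return False
        if self.saddr is not None and pkt.get("SRC") != self.saddr:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Dict[str, str],
             policy: str = "accept") -> Tuple[str, Optional[int]]:
    """First-match evaluation as nft performs it: the first rule whose expression
    matches decides, so rules below a bare 'reject' are never reached.
    Returns the verdict and the index of the deciding rule (None = chain policy)."""
    for index, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.verdict, index
    return policy, None


# Post #1: 'reject' sits above the scanner ports, so they are unreachable.
ORIGINAL = [Rule("accept", "icmp"), Rule("accept", "tcp", 22), Rule("reject"),
            Rule("accept", "tcp", 8610), Rule("accept", "tcp", 8612),
            Rule("accept", "udp", 8612)]
# Post #19: reject moved to the bottom and UDP 5353 (mDNS) opened to any source.
OPENED = [Rule("accept", "icmp"), Rule("accept", "tcp", 22), Rule("accept", "tcp", 8610),
          Rule("accept", "tcp", 8612), Rule("accept", "udp", 8612),
          Rule("accept", "udp", 5353), Rule("reject")]
# Post #21: the same services, but only from the scanner's address.
TIGHTENED = [Rule("accept", "icmp"), Rule("accept", "udp", 5353, SCANNER),
             Rule("accept", "tcp", 8612, SCANNER), Rule("accept", "udp", 8612, SCANNER),
             Rule("accept", "tcp", 22, SCANNER), Rule("reject")]

# Constructed log lines. The first is the mDNS announcement quoted in post #14;
# the others are made up in the same shape (MACs and the .10/.99 hosts are assumed).
SAMPLE_LOGS = {
    "mdns_from_scanner": "[122048.509996] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:f4:a9:97:4f:e1:a1:08:00 "
                         "SRC=192.168.0.44 DST=224.0.0.251 LEN=902 TOS=0x00 PREC=0x00 TTL=255 ID=50924 "
                         "PROTO=UDP SPT=5353 DPT=5353 LEN=882",
    "bjnp_from_scanner": "[122049.000001] IN=enp2s0 OUT= MAC=00:11:22:33:44:55:f4:a9:97:4f:e1:a1:08:00 "
                         "SRC=192.168.0.44 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=1 "
                         "PROTO=UDP SPT=8612 DPT=8612 LEN=40",
    "bjnp_from_stranger": "[122050.000002] IN=enp2s0 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 "
                          "SRC=192.168.0.99 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 "
                          "PROTO=UDP SPT=40000 DPT=8612 LEN=40",
    "mdns_from_stranger": "[122051.000003] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:aa:bb:cc:dd:ee:ff:08:00 "
                          "SRC=192.168.0.99 DST=224.0.0.251 LEN=120 TOS=0x00 PREC=0x00 TTL=255 ID=3 "
                          "PROTO=UDP SPT=5353 DPT=5353 LEN=100",
}


def audit(chain: List[Rule]) -> Dict[str, str]:
    """Verdict each sample packet would receive from the given input chain."""
    return {name: evaluate(chain, parse_nft_log(line))[0]
            for name, line in SAMPLE_LOGS.items()}


if __name__ == "__main__":
    for label, chain in (("post #1", ORIGINAL), ("post #19", OPENED), ("post #21", TIGHTENED)):
        print(label)
        for name, verdict in audit(chain).items():
            print(f"  {name:<20} {verdict}")
```

Run it to see the verdict each ruleset gives each packet. The scanner's own packets are rejected by the post #1 order and accepted once `reject` moves to the bottom and UDP 5353 is opened; the stranger's BJNP packet is the case Zod raises in post #20, accepted by the post #19 chain from any source and rejected once the ports are tied to 192.168.0.44.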
