topic Re: Which ports need to be open through firewall?? in Operating System - Linux

Which ports need to be open through firewall??

Eddy Chan_1 — Sun, 02 Jun 2002 17:40:48 GMT

I have a external hosts which located in Data Centre protected by Checkpoint firewall, I am examine this external host can print to my printer inside my company firewall (use iptables) , I open port 515 of Checkpoint can print to my HP jetdirect with real IP address ,but can't print when the printer is inside my firewall, I do with post-route and preroute rule and open port 515 as well, but still can't print, Do you know any echo port or others port need to be open when external host printing through firwall (iptables)??

Thanks in advance

Re: Which ports need to be open through firewall??

Kodjo Agbenu — Sun, 02 Jun 2002 18:43:26 GMT

Hello,

HP Jetdirect adapters use the following ports to communicate with hosts :

-> 515 when emulating LPD/LPR printing system

-> 9100 for native HP Network Printing (HPNP) protocol

In some circumstances, you may need to open also 9101 and 9102 ports (for example if you have a multi-port Jetdirect box).

Good luck.

Kodjo

Re: Which ports need to be open through firewall??

Eddy Chan_1 — Sun, 02 Jun 2002 20:27:19 GMT

I opened port 515 and 9100 , but stil can't print, maybe my rules have some problem,
202.X.Y.Z is external host ip
printer ip is 192.168.3.198, pls give comment

Re: Which ports need to be open through firewall??

Kodjo Agbenu — Mon, 03 Jun 2002 08:58:31 GMT

Hello,

If I were you, I would accept also the traffic from 192.168.3.198:9100/515 to 202.X.Y.Z.

I think that the JetDirect box tries to communicate with the host (for example : True End-Of-Job and Job Recovery features).

If you still have problems, try open all the traffic to and from 515/9100 ports, and log the traffic using iptables. After that, you can have a good idea of what packets go to where.

Good luck.

Re: Which ports need to be open through firewall??

Eddy Chan_1 — Mon, 03 Jun 2002 09:31:08 GMT

In my firewall rule ,all output chain is set to allow from internal, I tried to log the ip of external host and printer , but nothing can be caputured or maybe I can't found the log file, is it in /var/log/ ?? By the way, I am weak in reading tcp/udp dump log file, anyone can help me examine which ports must be open come in and out firewall??

Re: Which ports need to be open through firewall??

D. Jackson_1 — Mon, 03 Jun 2002 14:05:44 GMT

Can you telnet to the HP printer port:

telnet ip_addy_of_printer 9100

echo port = 7

HTH

Re: Which ports need to be open through firewall??

Kodjo Agbenu — Mon, 03 Jun 2002 15:04:20 GMT

Hello,

To log packets with iptables, insert the following rules at the beginning of your script, just after the line "iptables -P FORWARD DROP" :

iptables -N log_packets
iptables -A log_packets -j LOG --log-prefix FIREWALL

iptables -A INPUT -s 202.X.Y.Z/32 --dport 515 -j log_packets

iptables -A INPUT -s 202.X.Y.Z/32 --dport 9100 -j log_packets

iptables -A INPUT -s 192.168.3.198/32 --sport 515 -j log_packets

iptables -A INPUT -s 192.168.3.198/32 --sport 9100 -j log_packets

Have a look in /var/log/messages, and try to analyse what happens.

Good luck.

Kodjo

Re: Which ports need to be open through firewall??

Eddy Chan_1 — Mon, 03 Jun 2002 17:36:56 GMT

I can telnet from external host to my printer thr' firewall , so I think the pre-routing nad post-routing rules for NAT is no problem, but still can't print thr' firewall, I need to log the messsage to see what happen but I am weekless in reading TCP/UDP packet, I need more help...Thanks

Re: Which ports need to be open through firewall??

Eddy Chan_1 — Tue, 04 Jun 2002 08:24:20 GMT

Sorry for previous wrong post,
I can telnet IP only to my printer through firewall,
but cannot telnet ip with port 9100 to my printer.
Here is my firewall with NAT
"External_Host_Real_ip" is the real ip of external host .
"Printer_Real_ip" is my assign to my JetDirect 's real ip.
After NAT of printer's ip is "Virtual_Printer_ip".

Re: Which ports need to be open through firewall??

shpshftr — Sun, 21 Mar 2004 22:42:50 GMT

I have the same problem.
Destination port is 9100. This works as a charm if I telnet from the router-box, but not from the outside.
I am forwarding port 9100 9101 and 9102 into the printer.

I am using "Arno's iptables" script on the routerbox to administer the iptables rules.

I am also "weak" with iptables, therefore I use this script to ease the administration.

Any input on this issue would be greatly appreciated. The branch office I am setting this up for needs this to work for a new economy system that needs print-access.