Bug 90946 - Printer browsing does not work...
Printer browsing does not work...
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Chris Lumens
Brock Organ
: 91162 115058 142549 145243 (view as bug list)
Depends On:
Blocks: 116998 FC5Target
  Show dependency treegraph
Reported: 2003-05-15 14:04 EDT by Jim Gettys
Modified: 2007-11-30 17:10 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-12-02 11:29:32 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch to add IPP checkbox (1.48 KB, patch)
2005-03-12 14:14 EST, keith adamson
no flags Details | Diff
gtk.FALSE is deprecated, use False instead patch (13.53 KB, patch)
2005-03-12 14:29 EST, keith adamson
no flags Details | Diff
cleanup, add better descriptions and set https manually (3.15 KB, patch)
2005-03-12 20:37 EST, keith adamson
no flags Details | Diff

  None (edit)
Description Jim Gettys 2003-05-15 14:04:27 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030502

Description of problem:
Can't see printers being offered from CUPS servers; browsing isn't

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install fresh redhat 9; enable firewall when requested
2. configure a printer and export it for public use.
3. Look for that printer from another machine.

Actual Results:  No printer is visible.

Expected Results:  Printer should be visible from another machine.

Additional info:

Best guess is that the firewall was inhibiting the browse
packets to/from cups, so no printers are seen.

I've since turned off the firewall "feature", and things work.

Services such as this need some way to enable the right ports.
Comment 1 Tim Waugh 2003-05-16 05:47:59 EDT
Perhaps anaconda ought to have a checkbox for that in the firewall screen.

It would be nice if there was some generic way for an app to (a) find out if the
firewall is blocking ports it might want to use, (b) prompt the user about it,
(c) optionally (at user control) punch a hole through.
Comment 2 Michael Fulbright 2003-05-16 12:11:54 EDT
This is problem that needs to be handled by the distribution post-install.  The
high level of firewall is intended to prevent any ports from being exposed. 
This is the default, intended behavior.

Perhaps lokkit needs to be modified to change the meaning of the 'medium'
setting if it does not let this transaction occur.
Comment 3 Tim Waugh 2003-05-19 13:33:12 EDT
*** Bug 91162 has been marked as a duplicate of this bug. ***
Comment 4 Tim Waugh 2004-02-06 05:15:15 EST
*** Bug 115058 has been marked as a duplicate of this bug. ***
Comment 5 Aleksey Nogin 2004-02-06 05:26:46 EST
In dup bug 115058 I suggested that r-c-p on "Activate" should ask user
whether the firewall rules should be updated.
Comment 6 Tim Waugh 2004-03-10 08:18:08 EST
Bill: so what's the solution to this?
Comment 7 Bill Nottingham 2004-03-10 11:38:58 EST
Ideally? Have the kernel understand that responses to such broadcast
requests fall into the 'RELATED' category so that the firewall will
let them through.
Comment 8 Tim Waugh 2004-03-10 11:41:28 EST
Broadcast requests?  There are none.  cupsd just listens for IPP
browse broadcasts.
Comment 9 Bill Nottingham 2004-03-10 12:39:00 EST
Ah, so it's unlike SMB in that respect; it does not actually send a query.

cups printers just occasionally broadcast their availability?
Comment 10 Tim Waugh 2004-03-10 12:42:51 EST
Yes, as I understand it.
Comment 11 Tim Waugh 2004-03-25 10:27:02 EST
So can we at the very least say something in the online anaconda help

 "put ipp:udp in this box if you want to print"

Comment 12 Bill Nottingham 2004-03-25 16:42:42 EST

In FC2 lokkit now reads and acts on the current firewall config. So,
you can just run:

lokkit --port=ipp:udp

and it will modify the currently running firewall.
Comment 13 Tim Waugh 2004-03-25 16:45:47 EST
Thanks, that ought to do it. :-)

Seriously, it shouldn't be something you can't do with the mouse at
install time.
Comment 14 Tim Waugh 2004-03-29 16:52:04 EST
Hmm, so actually that means that system-config-printer can request a
hole in the firewall?

Is there a way for it to ask if there is already such a hole?  If so
it makes an easy pop-up dialog.
Comment 15 Bill Nottingham 2004-03-29 16:59:15 EST
No, there's not a really *good* way to ask for the hole. It can read
through /etc/sysconfig/system-config-securitylevel. But that's sort of
a hack.
Comment 16 Bill Nottingham 2005-03-02 13:51:31 EST
THis is currently in FC3.
Comment 17 Tim Waugh 2005-03-12 08:42:45 EST
Doesn't fully work though.  See:

Comment 18 keith adamson 2005-03-12 14:14:09 EST
Created attachment 111922 [details]
patch to add IPP checkbox
Comment 19 keith adamson 2005-03-12 14:29:51 EST
Created attachment 111923 [details]
gtk.FALSE is deprecated, use False instead patch

gtk.FALSE is deprecated, use False instead patch
Comment 20 keith adamson 2005-03-12 20:37:42 EST
Created attachment 111929 [details]
cleanup, add better descriptions and set https manually

The last three patches go in sequence on:

Comment 21 keith adamson 2005-03-12 22:10:35 EST
RFE ... 

1.  Change "Trusted services" to "Hosted Servers\nOpen Portal".

2.  Add a new section "Network Discovery\nOpen Portal" for
setting/unsetting ports for various udp listening services:

IPP (Printer discovery) (Apple Rendezvous)

3.  Move "Trusted devices" to a new tab at top labeled "Network

4.  Change "Trusted devices" to "Network Interfaces" and add a column
showing the IP address.

5.  Change "Trusted" to "Firewall" and invert the logic.

6.  Change "Masquerade" to "Internet"

If you agree with these I'll workup some patchs.  I’m open for
comments or suggestions.
Comment 22 keith adamson 2005-03-12 22:34:44 EST
One more thing.  Change the format for entering "Other ports" to allow
the specification of port ranges.  Example:

"23:25, 34/tcp, 44:48/udp"

Would open ports 23 to 25 for all protocols, port 34 for tcp and 44 to
48 for udp.
Comment 24 Chris Lumens 2005-03-29 11:55:04 EST
*** Bug 142549 has been marked as a duplicate of this bug. ***
Comment 25 Chris Lumens 2005-03-29 11:59:36 EST
*** Bug 145243 has been marked as a duplicate of this bug. ***
Comment 26 Chris Lumens 2005-11-04 16:39:10 EST
Taking the easy fix and adding a hole for ipp:tcp as well.  I have bigger plans
for the firewalling in s-c-securitylevel along the lines of making it more
task-based and allowing programs to request ports opened temporarily/permanently
for post-FC5 so it's not worth doing a huge amount of work on this right now.
Comment 27 Chris Lumens 2005-11-07 10:29:40 EST
Please test tomorrow's s-c-securitylevel package in Rawhide.

Note You need to log in before you can comment on or make changes to this bug.