Bug 90946 - Printer browsing does not work...
Summary: Printer browsing does not work...
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Chris Lumens
QA Contact: Brock Organ
URL:
Whiteboard:
Keywords:
: 91162 115058 142549 145243 (view as bug list)
Depends On:
Blocks: 116998 FC5Target
TreeView+ depends on / blocked
 
Reported: 2003-05-15 18:04 UTC by Jim Gettys
Modified: 2007-11-30 22:10 UTC (History)
6 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2005-12-02 16:29:32 UTC


Attachments (Terms of Use)
patch to add IPP checkbox (1.48 KB, patch)
2005-03-12 19:14 UTC, keith adamson
no flags Details | Diff
gtk.FALSE is deprecated, use False instead patch (13.53 KB, patch)
2005-03-12 19:29 UTC, keith adamson
no flags Details | Diff
cleanup, add better descriptions and set https manually (3.15 KB, patch)
2005-03-13 01:37 UTC, keith adamson
no flags Details | Diff

Description Jim Gettys 2003-05-15 18:04:27 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030502
Debian/1.2.1-9woody3

Description of problem:
Can't see printers being offered from CUPS servers; browsing isn't
working.


Version-Release number of selected component (if applicable):
redhat-config-printer-0.6.53.1

How reproducible:
Always

Steps to Reproduce:
1. Install fresh redhat 9; enable firewall when requested
2. configure a printer and export it for public use.
3. Look for that printer from another machine.
    

Actual Results:  No printer is visible.

Expected Results:  Printer should be visible from another machine.

Additional info:

Best guess is that the firewall was inhibiting the browse
packets to/from cups, so no printers are seen.

I've since turned off the firewall "feature", and things work.

Services such as this need some way to enable the right ports.

Comment 1 Tim Waugh 2003-05-16 09:47:59 UTC
Perhaps anaconda ought to have a checkbox for that in the firewall screen.

It would be nice if there was some generic way for an app to (a) find out if the
firewall is blocking ports it might want to use, (b) prompt the user about it,
(c) optionally (at user control) punch a hole through.

Comment 2 Michael Fulbright 2003-05-16 16:11:54 UTC
This is problem that needs to be handled by the distribution post-install.  The
high level of firewall is intended to prevent any ports from being exposed. 
This is the default, intended behavior.

Perhaps lokkit needs to be modified to change the meaning of the 'medium'
setting if it does not let this transaction occur.

Comment 3 Tim Waugh 2003-05-19 17:33:12 UTC
*** Bug 91162 has been marked as a duplicate of this bug. ***

Comment 4 Tim Waugh 2004-02-06 10:15:15 UTC
*** Bug 115058 has been marked as a duplicate of this bug. ***

Comment 5 Aleksey Nogin 2004-02-06 10:26:46 UTC
In dup bug 115058 I suggested that r-c-p on "Activate" should ask user
whether the firewall rules should be updated.

Comment 6 Tim Waugh 2004-03-10 13:18:08 UTC
Bill: so what's the solution to this?

Comment 7 Bill Nottingham 2004-03-10 16:38:58 UTC
Ideally? Have the kernel understand that responses to such broadcast
requests fall into the 'RELATED' category so that the firewall will
let them through.

Comment 8 Tim Waugh 2004-03-10 16:41:28 UTC
Broadcast requests?  There are none.  cupsd just listens for IPP
browse broadcasts.

Comment 9 Bill Nottingham 2004-03-10 17:39:00 UTC
Ah, so it's unlike SMB in that respect; it does not actually send a query.

cups printers just occasionally broadcast their availability?


Comment 10 Tim Waugh 2004-03-10 17:42:51 UTC
Yes, as I understand it.

Comment 11 Tim Waugh 2004-03-25 15:27:02 UTC
So can we at the very least say something in the online anaconda help
about

 "put ipp:udp in this box if you want to print"

?

Comment 12 Bill Nottingham 2004-03-25 21:42:42 UTC
Well...

In FC2 lokkit now reads and acts on the current firewall config. So,
you can just run:

lokkit --port=ipp:udp

and it will modify the currently running firewall.


Comment 13 Tim Waugh 2004-03-25 21:45:47 UTC
Thanks, that ought to do it. :-)

Seriously, it shouldn't be something you can't do with the mouse at
install time.

Comment 14 Tim Waugh 2004-03-29 21:52:04 UTC
Hmm, so actually that means that system-config-printer can request a
hole in the firewall?

Is there a way for it to ask if there is already such a hole?  If so
it makes an easy pop-up dialog.

Comment 15 Bill Nottingham 2004-03-29 21:59:15 UTC
No, there's not a really *good* way to ask for the hole. It can read
through /etc/sysconfig/system-config-securitylevel. But that's sort of
a hack.

Comment 16 Bill Nottingham 2005-03-02 18:51:31 UTC
THis is currently in FC3.

Comment 17 Tim Waugh 2005-03-12 13:42:45 UTC
Doesn't fully work though.  See:

https://www.redhat.com/archives/fedora-test-list/2005-March/msg00156.html

Comment 18 keith adamson 2005-03-12 19:14:09 UTC
Created attachment 111922 [details]
patch to add IPP checkbox

Comment 19 keith adamson 2005-03-12 19:29:51 UTC
Created attachment 111923 [details]
gtk.FALSE is deprecated, use False instead patch

gtk.FALSE is deprecated, use False instead patch

Comment 20 keith adamson 2005-03-13 01:37:42 UTC
Created attachment 111929 [details]
cleanup, add better descriptions and set https manually

The last three patches go in sequence on:

system-config-securitylevel-1.5.1

Comment 21 keith adamson 2005-03-13 03:10:35 UTC
RFE ... 

1.  Change "Trusted services" to "Hosted Servers\nOpen Portal".

2.  Add a new section "Network Discovery\nOpen Portal" for
setting/unsetting ports for various udp listening services:

IPP (Printer discovery)
224.0.0.251:5353 (Apple Rendezvous)

3.  Move "Trusted devices" to a new tab at top labeled "Network
Interfaces".  

4.  Change "Trusted devices" to "Network Interfaces" and add a column
showing the IP address.

5.  Change "Trusted" to "Firewall" and invert the logic.

6.  Change "Masquerade" to "Internet"

If you agree with these I'll workup some patchs.  Iâm open for
comments or suggestions.


Comment 22 keith adamson 2005-03-13 03:34:44 UTC
One more thing.  Change the format for entering "Other ports" to allow
the specification of port ranges.  Example:

"23:25, 34/tcp, 44:48/udp"

Would open ports 23 to 25 for all protocols, port 34 for tcp and 44 to
48 for udp.

Comment 24 Chris Lumens 2005-03-29 16:55:04 UTC
*** Bug 142549 has been marked as a duplicate of this bug. ***

Comment 25 Chris Lumens 2005-03-29 16:59:36 UTC
*** Bug 145243 has been marked as a duplicate of this bug. ***

Comment 26 Chris Lumens 2005-11-04 21:39:10 UTC
Taking the easy fix and adding a hole for ipp:tcp as well.  I have bigger plans
for the firewalling in s-c-securitylevel along the lines of making it more
task-based and allowing programs to request ports opened temporarily/permanently
for post-FC5 so it's not worth doing a huge amount of work on this right now.

Comment 27 Chris Lumens 2005-11-07 15:29:40 UTC
Please test tomorrow's s-c-securitylevel package in Rawhide.


Note You need to log in before you can comment on or make changes to this bug.