How to detect what firewall ports I need to open for a certain service?

I’m trying to use hp-setup from package hplip. I noticed that discovering network printers doesn’t work if the systemd firewall.service is running. Upstream mentions here that ports 161, 162 & 9100 should be open for both TCP and UDP, but that doesn’t work. Is there a way to inspect a log buffer, such as journalctl --follow or dmesg, to see which connections are blocked by the firewall?

While trying to investigate this myself, I was wondering whether the experience of debugging this would be different depending on whether I use nftables or iptables… Getting an answer that would fit either case would be superb!


I believe that is the intention of the networking.firewall.logRefusedConnections option but I’d also be interested in a better method.


Thanks for the quick reply. I also tried that option, and opened journalctl --unit nftables.service, but I don’t see anything there. Besides, the default value for networking.firewall.logRefusedConnections is true.

My quick and easy solution to identify which ports are relevant is netstat -lnp. This shows me which processes listen on which port.


Weirdly, these messages get dumped into the kernel logs. You can inspect them using dmesg or journalctl -k.
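To show what the kernel-log approach above looks like in practice, here is an added example (not code from the thread or from NixOS) that summarizes refused connections from a few constructed `journalctl -k` lines. The `refused connection: ` log prefix is assumed to be what the NixOS firewall's LOG rule emits when logRefusedConnections is on; the `IN= ... PROTO= SPT= DPT=` field layout after it is the standard netfilter LOG format, so the same parser works whether the backend is iptables or nftables.

```shell
#!/usr/bin/env sh
# Constructed sample of kernel log lines, as printed by `journalctl -k` or
# `dmesg`. The "refused connection: " prefix is an assumption about the
# NixOS LOG rule; the remaining fields follow the netfilter LOG format.
# The last line is an unrelated kernel message that must be ignored.
SAMPLE_LOG='kernel: refused connection: IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=9100 WINDOW=64240 RES=0x00 SYN URGP=0
kernel: refused connection: IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12346 PROTO=UDP SPT=161 DPT=60928 LEN=32
kernel: refused connection: IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12347 PROTO=UDP SPT=161 DPT=60928 LEN=32
kernel: refused connection: IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=10.0.0.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12348 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
kernel: audit: type=1130 audit(1700000000.000:42): pid=1 uid=0 msg=unrelated kernel line'

# Read log lines from stdin and print one row per distinct refused
# (PROTO, DPT, SRC) triple, as "PROTO DPT SRC count", most frequent first.
# On a live machine feed it with: journalctl -k --no-pager | summarize_refused
summarize_refused() {
  grep 'refused connection: ' |
  awk '{
    proto = ""; dpt = ""; src = "";
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^PROTO=/) proto = substr($i, 7);
      else if ($i ~ /^DPT=/) dpt = substr($i, 5);
      else if ($i ~ /^SRC=/) src = substr($i, 5);
    }
    if (proto != "" && dpt != "") print proto, dpt, src;
  }' |
  sort | uniq -c | sort -rn |
  awk '{ print $2, $3, $4, $1 }'
}

# Keep only the summary rows whose destination port lies in [from, to].
# Useful to check whether a proposed allowedUDPPortRanges / allowedTCPPortRanges
# entry (for example the dynamic range 49152-65535) would actually cover the
# refused traffic, or whether something outside that range is also being dropped.
refused_in_range() {
  from=$1; to=$2
  awk -v from="$from" -v to="$to" '$2 >= from && $2 <= to'
}

# Stand-alone usage with the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | summarize_refused
printf '%s\n' "$SAMPLE_LOG" | summarize_refused | refused_in_range 49152 65535
```

With the sample above the first command prints three rows; the UDP replies to port 60928 (two of them, coming back from the printer's SNMP port 161) top the list, which is the kind of evidence the question asks for: the log names the protocol, the source, and the exact destination port the firewall dropped, so you can open that port rather than guessing from upstream documentation. The second command keeps only the rows inside the dynamic port range, so a stray hit outside it (like the TCP 22 and 9100 rows here) stands out.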

Thanks @markuskowa ! That helped, for my case I did the following:

  1. Run hp-setup in one terminal.
  2. While the above is open, run sudo netstat -ln --program --continuous | grep $(pgrep setup.py) in another terminal.

Where the pgrep setup.py of course is relevant only for this particular program. To complete the report, I got:

udp        0      0 0.0.0.0:60928           0.0.0.0:*                           789754/python

Printed multiple times, and every time I launch hp-setup, I get a different port used there. According to a Wikipedia article, ports 49152–65535 are dynamic ports without a specific purpose, and indeed in my case these were chosen randomly by the hp-setup program.

In any case, I’m surprised that NixOS’ default firewall rules block these… because I am capable of downloading torrents. Although I observed hp-setup using a port lower than 42000 once, I ended up setting this:

networking.firewall.allowedUDPPortRanges = [
  { from = 49152; to = 65535; }
];

And since I only need it to work one time, but in a more reproducible manner, this is good enough for me. I wonder what the real range is that upstream allows itself to use.
