I’m trying to use hp-setup from package hplip. I noticed that discovering network printers doesn’t work if the systemd firewall.service is running. Upstream mentions here that ports 161, 162 & 9100 should be open for both TCP and UDP, but that doesn’t work. Is there a way to inspect a log buffer, such as journalctl --follow or dmesg, to see which connections are blocked by the firewall?
While trying to investigate this myself, I was wondering whether the experience of debugging this would be different depending on whether I use nftables or iptables… Getting an answer that would fit either case would be superb!
Thanks for a quick reply, I also tried that option, and opened journalctl --unit nftables.service, but I don’t see anything there. Besides, the default value for networking.firewall.logRefusedConnections is true.
Thanks @markuskowa ! That helped, for my case I did the following:
Run hp-setup in 1 terminal
While the above is open, I ran sudo netstat -ln --program --continuous | grep $(pgrep setup.py) in another terminal.
Where the pgrep setup.py is of course relevant only for this particular program. To complete the report, I got:
udp 0 0 0.0.0.0:60928 0.0.0.0:* 789754/python
Printed multiple times, and every time I launch hp-setup, I get a different port used there. According to a Wikipedia article, ports 49152–65535 are dynamic ports without a specific purpose, and indeed in my case these were chosen randomly by the hp-setup program.
In any case, I’m surprised that NixOS’ default firewall rules block these… Because I am capable of downloading torrents. Although I observed once hp-setup using a port lower than 42000, I ended up setting this:
networking.firewall.allowedUDPPortRanges = [
{ from = 49152; to = 65535; }
];
And since I only need it to work for 1 time, but in a more reproducible manner, this is good enough for me. I wonder what is the real range upstream allows itself to use.
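A way to answer the original question (which connections the firewall is refusing) directly from the kernel log, as an added example that is not part of any post in this thread. The NixOS firewall module emits kernel log lines prefixed "refused connection: " for refused TCP SYNs (networking.firewall.logRefusedConnections, on by default) and "refused packet: " for other refused packets such as UDP, which is only logged when networking.firewall.logRefusedPackets is set; that is why a UDP-based printer discovery can be blocked without anything showing up under the default settings. Either way the lines land in the kernel ring buffer, so `journalctl -k --grep refused` or `dmesg` shows them regardless of whether the iptables or nftables backend is in use. The script below parses such lines, counts refusals per protocol and destination port, and reports the UDP ports that fall outside a given allowedUDPPortRanges entry. The log lines are constructed here to mimic the kernel LOG format and use documentation addresses; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example: summarise NixOS firewall refusals from kernel log lines.
# In real use, feed it with:  journalctl -k --no-pager | refused_ports
# The sample below is constructed, not captured from a real machine.
SAMPLE_LOG='Jan 01 12:00:01 host kernel: refused packet: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=161 DPT=60928 LEN=40
Jan 01 12:00:01 host kernel: refused packet: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.11 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=161 DPT=60928 LEN=40
Jan 01 12:00:02 host kernel: refused connection: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 01 12:00:03 host kernel: refused packet: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=224.0.0.251 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Jan 01 12:00:05 host kernel: eth0: link up'

# Read kernel log lines on stdin, keep only firewall refusals and print
# "PROTO DPT count", sorted, so the offending ports stand out at a glance.
refused_ports() {
  grep -E 'refused (connection|packet): ' \
  | awk '{
      proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (proto != "" && dpt != "") count[proto " " dpt]++
    }
    END { for (k in count) print k, count[k] }' \
  | sort
}

# Succeed when port $1 lies inside the inclusive range $2..$3
# (the from/to pair of a networking.firewall.allowedUDPPortRanges entry).
in_range() {
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Read kernel log lines on stdin and print the refused UDP destination ports
# that a range $1..$2 would NOT cover, i.e. what would still be blocked
# after adding that allowedUDPPortRanges entry.
uncovered_udp() {
  refused_ports \
  | awk -v lo="$1" -v hi="$2" '$1 == "UDP" && ($2 + 0 < lo + 0 || $2 + 0 > hi + 0) { print $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | refused_ports
printf 'UDP ports still blocked with 49152-65535 allowed:\n'
printf '%s\n' "$SAMPLE_LOG" | uncovered_udp 49152 65535
```

Note that the firewall's conntrack rule lets replies to the host's own outgoing requests through; what typically gets refused during printer discovery are replies to broadcast or multicast probes, which arrive from a different address than the probe was sent to and therefore do not match as an established flow. The per-port summary above makes that visible without guessing at port ranges.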