Scanner on MF Epson XP-241 only works with no firewall
Hi there,
On Ubuntu 18.04 it is possible to wirelessly scan a document on the Epson XP-241 only if the iptables rules are off.
With ufw rules in place, the Simple Scan app does not detect the network scanner.
How do I figure out which port needs to be open to successfully scan a document with ufw in place?
PS: There is another utility, epson-print-utility, that can show the ink levels and clean the printheads, that only detects the printer when ufw is not in place.
Thanks for pointing out the document.
I've tried with 1865, 3829, and 2958 (all listed in the above-mentioned document) and no luck!
However, this is not a surprise, since that document is for another printer: Epson WorkForce Pro WF-4640, as is stated in the title, and mine is XP-241.
That should not matter - it is the underlying Epson protocol (supported by the applicable SANE driver) that determines this. The epkowa backend supports a number of Epson devices. I assume that the epkowa backend is in use here? I note that in the /etc/sane.d/epkowa.conf file port 1865 is mentioned as default, but this can be changed if desired...
Quote:
# Network attached devices may be made to work by first installing the
# (non-free) iscan-network-nt package and then adding configuration lines
# as per information below.
#
# For each network attached device, you must add an entry as follows:
#
# net <IP-address|hostname> [port-number]
#
# Ask your network administrator for the device's IP address or check
# for yourself on the panel (if it has one). The port-number is very
# optional and defaults to 1865.
# Note that network attached devices are not queried unless configured
# in this file.
#
# Examples:
#
#net 192.16.136.2 1865
#net 10.0.0.1
#net scanner.mydomain.com
I think it is not.
My system does not have that file.
Also, all files on /etc/sane.d are dated on Feb 3.
The network scanner/printer didn't work at first. Only after I installed the Epson drivers from the Epson site did they start to work (with ufw disabled). And none of these were installed in /etc/sane.d.
Code:
ii epson-inkjet-printer-escpr 1.6.20-1lsb3.2 amd64 Epson Inkjet Printer Driver (ESC/P-R) for Linux
ii epson-printer-utility 1.0.2-1lsb3.2 amd64 Epson Printer Utility for Linux
ii imagescan 3.38.0-1epson4ubuntu17.10 amd64 next generation image acquisition utilities
ii imagescan-plugin-gt-s650 1.0.0-1epson4ubuntu17.10 amd64 Image Scan v3 GT-S650 Interpreter Plugin
ii imagescan-plugin-networkscan 1.1.1-1epson4ubuntu17.10 amd64 Network scan plugin
ii imagescan-plugin-ocr-engine 1.0.0-1epson4ubuntu17.10 amd64 Image Scan v3 OCR Engine Plugin
As far as I understand, the relevant package is called iscan-bundle (e.g. iscan-bundle-1.0.4.x64.deb.tar.gz), and that archive contains the iscan and iscan-network-nt DEB packages, as well as an installer (install.sh). The iscan package itself contains the epkowa driver and associated configuration file.
After a little bit more research, I now realise that an increasing number of Epson scanners are supported using Image Scan v3, with the utsushi driver as mentioned here. I guess that's what you're likely using.
Here are some archlinux comments regarding user experiences with firewall configuration. In particular...
Quote:
@iyanmv, when I first created this package, I also had a firewall problem, as you can see in the issue below. I actually solved it by changing my firewall program from ufw to firewalld as ufw was blocking the scanner's reply. About the ports, 1865 is the port used by the scanner, the networkscan plugin uses a dynamic high port to start the connection. So you shouldn't have to open any extra doors, at least if your firewall program isn't blocking the reply. https://github.com/utsushi/utsushi/issues/28
Quote:
So you shouldn't have to open any extra doors, at least if your firewall program isn't blocking the reply.
I think that is the case, since the ufw default policy for output is "allow", and the port 1865 (and all ports mentioned in the previous document) is on the destination, on the printer/scanner.
What I think is really happening is that ufw is blocking the replies. I don't know how to fix it.
Enabling the logging:
Code:
ufw logging on
didn't help; I didn't see any blocks from the printer/scanner IP:
Code:
tail -f /var/log/ufw.log
However, there are several blocks from multicast addresses (224.0.0.251 and 224.0.0.1) as soon as I started the simple scanner program, but I don't know if it is related or just a coincidence.
What I did, and I know it is not the perfect solution, was to allow all incoming packets from the scanner IP:
Code:
ufw allow from 192.168.1.47
and that worked both for the scanner and the printer utility thing. It is an internal IP so I think it is not a big deal.
However, I am still curious about this: how to allow the reply packets from any source.
Maybe I should change the default output policy to "deny" and explicitly open the desired port, i.e. DST=192.168.1.47 DSTP=1865, and ufw will allow the replies. If that is the case, it is too much trouble. I mean, manually creating rules for every output I may need.
Quote:
What I did, and I know it is not the perfect solution, was to allow all incoming packets from the scanner IP
Based on the page I linked to, this problem seems to be specific to UFW. As mentioned, one user switched to using firewalld instead. In general terms, the firewall is usually configured to allow ESTABLISHED and RELATED inbound traffic. That's how most external traffic is permitted, by way of having been solicited via initial requests in the first place. The underlying rules can be viewed using something like
Code:
sudo iptables -L -v
In particular the INPUT chain rules relevant here...
Code:
sudo iptables -S INPUT
Quote:
However, there are several blocks from multicast addresses (224.0.0.251 and 224.0.0.1) as soon as I started the simple scanner program, but I don't know if it is related or just a coincidence.
Is your scanner IP explicitly configured in /etc/utsushi/utsushi.conf?
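An added example, not part of the original thread: a shell function that groups the `[UFW BLOCK]` lines of /var/log/ufw.log by source, destination, protocol and destination port, which is one way to see what is being blocked while the scan application starts. The log lines and addresses are constructed sample data, and `sample_ufw_log`, `summarize_ufw_blocks` and `blocks_involving` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: group [UFW BLOCK] log entries so the blocked source,
# destination, protocol and destination port can be read at a glance.

# Constructed sample lines in the kernel log format ufw writes to
# /var/log/ufw.log (host name, interface, MACs and addresses are made up).
sample_ufw_log() {
cat <<'EOF'
Feb  3 10:15:01 host kernel: [  101.000001] [UFW BLOCK] IN=wlp2s0 OUT= MAC=01:00:5e:00:00:fb:aa:bb:cc:00:00:20:08:00 SRC=192.168.1.20 DST=224.0.0.251 LEN=93 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=73
Feb  3 10:15:02 host kernel: [  102.000002] [UFW BLOCK] IN=wlp2s0 OUT= MAC=01:00:5e:00:00:fb:aa:bb:cc:00:00:20:08:00 SRC=192.168.1.20 DST=224.0.0.251 LEN=93 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=73
Feb  3 10:15:05 host kernel: [  105.000003] [UFW BLOCK] IN=wlp2s0 OUT= MAC=01:00:5e:00:00:01:aa:bb:cc:00:00:01:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb  3 10:15:06 host kernel: [  106.000004] [UFW ALLOW] IN=wlp2s0 OUT= MAC=aa:bb:cc:00:00:10:aa:bb:cc:00:00:30:08:00 SRC=192.168.1.30 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
}

# Read ufw log lines on stdin and print "count src dst proto dpt",
# most frequent first. Entries without a port (e.g. IGMP) get "-".
summarize_ufw_blocks() {
    awk '
    /\[UFW BLOCK\]/ {
        src = dst = proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "SRC") src = val
            else if (key == "DST") dst = val
            else if (key == "PROTO") proto = val
            else if (key == "DPT") dpt = val
        }
        if (src != "") count[src " " dst " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Keep only the summary rows whose source or destination is the given IP.
blocks_involving() {
    summarize_ufw_blocks | awk -v ip="$1" '$2 == ip || $3 == ip'
}

# On a real system: summarize_ufw_blocks < /var/log/ufw.log
sample_ufw_log | summarize_ufw_blocks
```

A row that appears only while the scan application is starting gives the source, protocol and port for a rule narrower than allowing everything from one IP.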