Problem opening port 515

I am new to this; the query is as follows.

I have to open port 515, I already installed cups and did

  • config set printer service status enabled TCPPort 515 access red,green
  • signal-event firewall-adjust
  • signal-event runlevel-adjust

I see nmap and:
Starting Nmap 6.40 ( http://nmap.org ) at 2020-11-12 14:01 -04
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000039s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
631/tcp open ipp
3128/tcp open squid-http
9090/tcp open zeus-admin

But still the port 515 is blocked, any ideas?

I have installed
System version
NethServer release 7.8.2003 (final)
Kernel release
3.10.0-1127.19.1.el7.x86_64

CUPS is in the 631, not in 515…

Can you explain what you are trying to do?

So we can give a better help.

515 is for LPD…

Sorry, don’t remember… so the CUPS is running on 515 so you need to install cups-lpd and check the service.

It is to use LPD on port 515.
I already installed cups-lpd,
but it does not work.

root] #  cat /etc/shorewall/rules | grep -5 515
#       Service: fail2ban Access: NONE
#
#       Service: printer Access: red,green
#
?COMMENT printer
ACCEPT  net     $FW     tcp     515
ACCEPT  loc     $FW     tcp     515
#
#       Service: httpd Access: green,red
#
?COMMENT httpd
ACCEPT  loc     $FW     tcp     80
[root@tja ~]#

I don’t know how cups-lpd needs to be configured with the ports, but for port 515 you can try creating a local firewall rule for the printer service (take care when opening ports to RED interface):

You may need to remove the service you created earlier:

config show printer
config delete printer

But if cups-lpd service needs to be associated with a port, you can recreate the service with the proper service name (I guess either printer or cups-lpd) and enable/activate the service (if it is a systemd service, if it uses xinetd or init the service might not show up on the server-manager).

I already made the change, it still does not open the port

You focused on the firewall but you didn’t show us that there’s a service listening on port 515.
What does fuser -vn tcp 515 report?

any result

[root@ta ~]# fuser -vn tcp 515
[root@ta ~]#

You need to discover why cups is not listening on port 515. This has nothing to do with the firewall or NethServer. I’m no expert; a quick search found this, but it may not be relevant for your system.

As a comment, I already did this same installation and it worked on or 2 servers, however with this version, it does not work, that puzzles me

Can you share the steps that worked?
By “this version” do you refer to NethServer release 7.8.2003 (final) or to something else like a specific package/kernel version?

Some security notes from cups-lpd manual

cups-lpd currently does not perform any access control based on the settings in cupsd.conf(5) or in the hosts.allow(5) or hosts.deny(5) files used by TCP wrappers. Therefore, running cups-lpd on your server will allow any computer on your network (and perhaps the entire Internet) to print to your server.

You should configure the firewall to limit TCP port 515 access to only those computers that should be able to print through your server.

Some configuration notes from cups-lpd manual

cups-lpd is not enabled by the standard CUPS distribution. Please consult with your operating system vendor to determine whether it is enabled on your system.

CUPS includes configuration files for systemd(8). Simply enable the cups-lpd socket using the corresponding control program.
systemctl enable cups-lpd.socket
systemctl start cups-lpd.socket

I did some tests just to help figure out the problem, but have no printer to test if it works:

# yum install cups-lpd
# systemctl list-unit-files cups-lpd\*
UNIT FILE         STATE   
cups-lpd@.service static  
cups-lpd.socket   disabled

# systemctl enable cups-lpd.socket
Created symlink from /etc/systemd/system/sockets.target.wants/cups-lpd.socket to /usr/lib/systemd/system/cups-lpd.socket.

# systemctl start cups-lpd.socket
# systemctl is-active cups-lpd.socket    # or `systemctl status cups-lpd.socket`
active
Port status
# fuser -vn tcp 515
                     USER        PID ACCESS COMMAND
515/tcp:             root          1 F.... systemd

# netstat -putan |grep 515
tcp6       0      0 :::515                  :::*                    LISTEN      1/systemd  

# nmap -p 515 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2020-11-13 22:11 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000057s latency).
PORT    STATE SERVICE
515/tcp open  printer

~$ nmap -p 515 192.168.0.11  # external scan to RED interface
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-13 22:11 CET
Nmap scan report for server.domain.tld (192.168.0.11)
Host is up (0.00037s latency).

PORT    STATE    SERVICE
515/tcp filtered printer

~$ nmap -p 515 10.0.0.1   # from LAN to GREEN interface

Starting Nmap 7.60 ( https://nmap.org ) at 2020-11-13 22:12 CET
Nmap scan report for homepage.home.intern (10.0.0.1)
Host is up (0.00043s latency).

PORT    STATE  SERVICE
515/tcp closed printer

Creating a custom service by your example:

config set printer service status enabled TCPPort 515 access red,green
signal-event firewall-adjust 


On the server-manager the service is shown, but from what I recall the running status is not represented correctly due to custom service not matching the corresponding systemd service name.

Port status
~$ nmap -p 515 10.0.0.1    # from LAN to GREEN interface

Starting Nmap 7.60 ( https://nmap.org ) at 2020-11-13 22:15 CET
Nmap scan report for homepage.home.intern (10.0.0.1)
Host is up (0.00050s latency).

PORT    STATE SERVICE
515/tcp open  printer

~$ nmap -p 515 192.168.0.11    # external scan to RED interface
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-13 22:15 CET
Nmap scan report for server.domain.tld (192.168.0.11)
Host is up (0.00028s latency).

PORT    STATE SERVICE
515/tcp open  printer

# netstat -tunap |grep 515
tcp6       0      0 :::515                  :::*                    LISTEN      1/systemd   
2 Likes
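
Added example (not part of the original thread or of NethServer): the two checks the replies walk through, a listener on port 515 and the Shorewall rule for it, combined into one shell function that also flags the case the cups-lpd manual warns about, port 515 accepted from the RED (`net`) zone. The function names and sample inputs are constructed for illustration; the input formats are the `netstat` and `/etc/shorewall/rules` lines quoted above.

```shell
#!/bin/sh
# Added example: is cups-lpd on TCP 515 listening, and from which zones is it reachable?
# All sample inputs are constructed, in the formats quoted in the thread.

# has_listener PORT NETSTAT_TEXT: succeeds if a TCP socket is in LISTEN on PORT.
has_listener() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")          # ":::515" or "0.0.0.0:515"
            if (a[n] == p) found = 1
        }
        END { exit !found }'
}

# zones_allowed PORT RULES_TEXT: prints Shorewall source zones ACCEPTed to $FW
# on tcp/PORT (single ports and comma lists; port ranges are not handled).
zones_allowed() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "ACCEPT" && $3 == "$FW" && $4 == "tcp" {
            n = split($5, ports, ",")
            for (i = 1; i <= n; i++)
                if (ports[i] == p) z = (z == "" ? "" : z " ") $2
        }
        END { print z }'
}

# classify PORT NETSTAT_TEXT RULES_TEXT: prints a one-word verdict.
classify() {
    has_listener "$1" "$2" || { echo no-listener; return 0; }
    zones=$(zones_allowed "$1" "$3")
    case " $zones " in
        "  ")      echo listening-firewalled ;;  # socket up, no ACCEPT rule
        *" net "*) echo exposed-to-red ;;        # any RED-side host can print
        *)         echo restricted ;;            # loc only, or net:<hosts>
    esac
}

SAMPLE_NETSTAT='tcp6  0  0 :::515  :::*  LISTEN  1/systemd'
SAMPLE_RULES_OPEN='?COMMENT printer
ACCEPT  net     $FW     tcp     515
ACCEPT  loc     $FW     tcp     515'
SAMPLE_RULES_GREEN='?COMMENT printer
ACCEPT  loc     $FW     tcp     515'

classify 515 ""                "$SAMPLE_RULES_OPEN"    # rule present, nothing listening
classify 515 "$SAMPLE_NETSTAT" "$SAMPLE_RULES_OPEN"    # what access red,green produces
classify 515 "$SAMPLE_NETSTAT" "$SAMPLE_RULES_GREEN"   # LAN-only rule
```

On a live server the same function can be fed `"$(netstat -tln)"` and `"$(cat /etc/shorewall/rules)"`. If the verdict is `exposed-to-red` and only LAN hosts should print, the custom service from the thread can be recreated with `access green` instead of `access red,green`.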

Hi Marc,

Very nice layout,

Michel-André

To make the post seem not too long, I used the Hide details option:

[details="Summary"]
This text will be hidden
[/details]
3 Likes

Hello @daromi, have you been able to make it work?