Wednesday, February 28, 2007

Scanner Darkley

Getting remote scanning to work seemed easy enough at first...
  1. Install the sane network daemon (and other stuff):
    # apt-get install sane-utils
  2. Follow the instructions outlined in the man page, namely:
    • add a line for saned in /etc/inetd.conf
      sane-port stream tcp nowait saned.saned /usr/sbin/saned /usr/sbin/saned
    • specify a list of allowed clients in /etc/sane.d/saned.conf
    • restart inetd with
      # /etc/init.d/openbsd-inetd restart
  3. Install SaneTwain on my wife's laptop and configure it to connect to my laptop
  4. Add a line to /etc/shorewall/rules to accept connections on the saned control port 6566, and restart the firewall with
    # /etc/init.d/shorewall restart

But it didn't work. Specifically, SaneTwain was able to query the type of the scanner and its parameters, but failed to acquire a preview.

It turns out that the scanned data isn't transferred thru the saned control port, but rather thru a different, dynamically set port. This is actually mentioned in the man page under the restrictions section, and their suggestion is
"If you must use a packet filter, make sure that all ports > 1024 are open on the server for connections from the client"
which seems like a bad idea.

The interim solution to the problem, until proper saned connection tracking is available, is outlined on the Gentoo-Wiki, and here is how I implemented it with shorewall:
  1. create an empty file /etc/shorewall/action.SaneConntrack
  2. create a file /etc/shorewall/SaneConntrack

    # track SANE control connections
    run_iptables -A $CHAIN -m recent --update --seconds 600 --name SANE
    # related traffic (ACK, FIN, DNS UDP responses etc.)
    run_iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SANE server uses a dynamic data port above 1024
    run_iptables -A $CHAIN -p tcp -m tcp --dport 6566 --syn -m recent --set --rsource --name SANE -j ACCEPT
    run_iptables -A $CHAIN -p tcp -m tcp --dport 1024: --syn -m recent --rcheck --rsource --seconds 3 --name SANE -j ACCEPT

  3. Add a line to /etc/shorewall/actions (create the file if it does not exist):
    SaneConntrack
  4. Add the following lines to /etc/shorewall/rules
    # saned
    SaneConntrack loc $FW tcp 6566
    SaneConntrack loc $FW tcp 1024:
  5. Restart shorewall.
Simple, right?

Hello World!

Welcome to my on-line system administration diary.

The system at hand consists of the following components:
  • My laptop: a Compaq Presario 900 (with a non-original 80GB hard disk) running Debian GNU/Linux "Etch"
  • My wife's laptop: an HP Pavilion dv6000 running Windows XP Home
  • an ethernet crossover cable connecting the two laptops
  • a Thomson DCM245 cable modem used to connect my laptop to the Internet
  • an HP OfficeJet 5510 printer/copier/scanner/fax machine connected to my laptop
  • a Gigapod III external HDD case containing a 60GB IDE hard disk, connected to my laptop via a PCMCIA USB 2.0 adapter.
My wife uses her laptop primarily for writing Word documents, and surfing the Web.

My laptop is meant to host our family's on-line photo gallery website and serve as gateway for the Internet and the multi-function printer. It also hosts a backup system (Bacula) and a firewall (shorewall). I also use it as my personal desktop (mostly for surfing the Web).

Hope you'll find some of the stuff here useful.