Koozali.org: home of the SME Server

Airprint under SME 9?

DanB35
Airprint under SME 9?
« on: June 25, 2015, 05:36:29 PM »
I've played around with using a Raspberry Pi to act as an Airprint server (Google Cloud Print as well) for my LAN, and it's worked reasonably well, but it's slow.  SME is supposed to act as a print server (though I've never used it in that application), and all the relevant software runs under Linux.  Has anyone worked on getting Airprint to work on SME 9?  The only thing I find on the forums dates back to SME 7 (http://forums.contribs.org/index.php?topic=47255.0), and I question how relevant it is any more.  If not, I can take a crack at it.

Stefano
Re: Airprint under SME 9?
« Reply #1 on: June 25, 2015, 06:15:27 PM »
I'd start searching the web for "airprint centos6", find how it works/is done and try to apply it to SME.

DanB35
Re: Airprint under SME 9?
« Reply #2 on: June 25, 2015, 06:19:39 PM »
Yep, that's what I'm working on.  Just wanted to see if someone had already done it on SME first.  Doesn't look like it should be too tough though.

Isn't CUPS installed by default?  I'd thought it was, and that it was used for the print server functions, but 'rpm -qa | grep cups' only shows cups-libs installed, not cups.

Stefano
Re: Airprint under SME 9?
« Reply #3 on: June 25, 2015, 06:35:46 PM »
no, cups is not a default package

search the wiki

DanB35
Re: Airprint under SME 9?
« Reply #4 on: June 25, 2015, 08:32:10 PM »
Surprise, surprise, it isn't quite as simple as I'd thought.  Installing cups is easy enough--just "yum install cups"; don't even need to enable any other repos.  A few edits to the config file and it's up and running, and I can configure my printer and print a test page.  Need to manually create the symlinks to start and stop the service, but that's easy enough.

Then it comes to trying to set up Airprint.  On the Raspberry Pi (using a Debian-based OS), "apt-get install avahi-discover" was all that was necessary, no further configuration was needed.  CentOS doesn't seem to have an avahi-discover package.  According to http://rpm.pbone.net/index.php3/stat/3/limit/3/srodzaj/1/dl/40/search/avahi-discover/field[]/1/field[]/2, avahi-discover can be found in avahi-ui-tools.  Installing that brings in a number of dependencies, which install without error, but with the services all started, neither my iPad nor my iPhone find an Airprint printer.

Next option, then, is to use a script to generate the Avahi service file for the printer; a script can be found at https://github.com/tjfontaine/airprint-generate.  That creates the file I'm supposed to need, but the devices still don't see the printer.

Stopped here for the moment, but I'll work on it further as I have time.

mmccarn
Re: Airprint under SME 9?
« Reply #5 on: June 26, 2015, 12:56:12 PM »
You'll probably need to open some ports in the firewall to make the avahi stuff accessible from the network:
http://wiki.contribs.org/Firewall#Additional_information_on_customizing_iptables

A quick search for avahi firewall ports produced this:
https://wiki.archlinux.org/index.php/Avahi

So maybe this will get your airprint working:
Code:
config set avahi service UDPPort 5353 status enabled access public
signal-event remoteaccess-update

If this works, you probably want to add an appropriate value for 'AllowHosts' to restrict access to your local network.

DanB35
Re: Airprint under SME 9?
« Reply #6 on: June 26, 2015, 03:31:03 PM »
Thanks for the pointer--I'd forgotten about the firewall configuration.  However, I'm still not able to get it to work.  The avahi daemon is listening on 5353, but when I scan that port with my phone, it isn't open.  The VM I'm using to test is running in server-only mode; not sure if that's relevant.  Here's the netstat and iptables output:

Code:
[root@sme-test ~]# netstat -nap | grep avahi
udp        0      0 0.0.0.0:52791               0.0.0.0:*                               2472/avahi-daemon   
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               2472/avahi-daemon   
unix  2      [ ACC ]     STREAM     LISTENING     17610  2472/avahi-daemon   /var/run/avahi-daemon/socket
unix  3      [ ]         STREAM     CONNECTED     17612  2472/avahi-daemon   
unix  3      [ ]         STREAM     CONNECTED     17607  2473/avahi-daemon   
unix  3      [ ]         STREAM     CONNECTED     17606  2472/avahi-daemon   
unix  2      [ ]         DGRAM                    17604  2472/avahi-daemon   
[root@sme-test ~]# config set avahi service UDPPort 5353 status enabled access public
[root@sme-test ~]# signal-event remoteaccess-update
[root@sme-test ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
state_chk  all  --  anywhere             anywhere           
local_chk  all  --  anywhere             anywhere           
PPPconn    all  --  anywhere             anywhere           
denylog    all  --  base-address.mcast.net/4  anywhere           
denylog    all  --  anywhere             base-address.mcast.net/4
InboundICMP  icmp --  anywhere             anywhere           
denylog    icmp --  anywhere             anywhere           
InboundTCP  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
denylog    tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
InboundUDP  udp  --  anywhere             anywhere           
denylog    udp  --  anywhere             anywhere           
gre-in     gre  --  anywhere             anywhere           
denylog    gre  --  anywhere             anywhere           
denylog    all  --  anywhere             anywhere           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
state_chk  all  --  anywhere             anywhere           
SMTPProxy  tcp  --  anywhere             anywhere            tcp dpt:smtp
local_chk  all  --  anywhere             anywhere           
ForwardedTCP  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
ForwardedUDP  udp  --  anywhere             anywhere           
denylog    all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
PPPconn    all  --  anywhere             anywhere           
denylog    all  --  base-address.mcast.net/4  anywhere           
denylog    all  --  anywhere             base-address.mcast.net/4
ACCEPT     all  --  anywhere             anywhere           

Chain ForwardedTCP (1 references)
target     prot opt source               destination         
ForwardedTCP_2505  all  --  anywhere             anywhere           
denylog    tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN

Chain ForwardedTCP_2505 (1 references)
target     prot opt source               destination         

Chain ForwardedUDP (1 references)
target     prot opt source               destination         
ForwardedUDP_2505  all  --  anywhere             anywhere           
denylog    udp  --  anywhere             anywhere           

Chain ForwardedUDP_2505 (1 references)
target     prot opt source               destination         

Chain InboundICMP (1 references)
target     prot opt source               destination         
InboundICMP_2505  all  --  anywhere             anywhere           
denylog    icmp --  anywhere             anywhere           

Chain InboundICMP_2505 (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
denylog    all  --  anywhere             anywhere           

Chain InboundTCP (1 references)
target     prot opt source               destination         
InboundTCP_2505  all  --  anywhere             anywhere           
denylog    tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN

Chain InboundTCP_2505 (1 references)
target     prot opt source               destination         
denylog    all  --  anywhere            !sme-test.familybrown.org
REJECT     tcp  --  anywhere             sme-test.familybrown.org tcp dpt:auth reject-with tcp-reset
SSH_Autoblock  tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
ACCEPT     tcp  --  anywhere             sme-test.familybrown.org tcp dpt:http
ACCEPT     tcp  --  anywhere             sme-test.familybrown.org tcp dpt:https
ACCEPT     tcp  --  anywhere             sme-test.familybrown.org tcp dpt:smtp
ACCEPT     tcp  --  anywhere             sme-test.familybrown.org tcp dpt:ssh
ACCEPT     tcp  --  anywhere             sme-test.familybrown.org tcp dpt:smtps

Chain InboundUDP (1 references)
target     prot opt source               destination         
InboundUDP_2505  all  --  anywhere             anywhere           
denylog    udp  --  anywhere             anywhere           

Chain InboundUDP_2505 (1 references)
target     prot opt source               destination         
denylog    all  --  anywhere            !sme-test.familybrown.org
ACCEPT     udp  --  anywhere             sme-test.familybrown.org udp dpt:5353

Chain PPPconn (2 references)
target     prot opt source               destination         
PPPconn_1  all  --  anywhere             anywhere           

Chain PPPconn_1 (1 references)
target     prot opt source               destination         

Chain SMTPProxy (1 references)
target     prot opt source               destination         
denylog    tcp  --  anywhere             anywhere            tcp dpt:smtp

Chain SSH_Autoblock (1 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere            recent: SET name: SSH side: source
denylog    all  --  anywhere             anywhere            recent: CHECK seconds: 900 hit_count: 4 TTL-Match name: SSH side: source

Chain denylog (22 references)
target     prot opt source               destination         
DROP       udp  --  anywhere             anywhere            udp dpt:router
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       tcp  --  anywhere             anywhere            tcp dpts:netbios-ns:netbios-ssn
ULOG       all  --  anywhere             anywhere            ULOG copy_range 0 nlgroup 1 prefix `denylog:' queue_threshold 1
DROP       all  --  anywhere             anywhere           

Chain gre-in (1 references)
target     prot opt source               destination         
denylog    all  --  anywhere            !sme-test.familybrown.org
denylog    all  --  anywhere             anywhere           

Chain local_chk (2 references)
target     prot opt source               destination         
local_chk_2505  all  --  anywhere             anywhere           

Chain local_chk_2505 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  192.168.1.0/24       anywhere           

Chain state_chk (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

mmccarn
Re: Airprint under SME 9?
« Reply #7 on: June 26, 2015, 04:23:03 PM »
You'll need to open firewall ports for CUPS, too.

DanB35
Re: Airprint under SME 9?
« Reply #8 on: June 26, 2015, 04:27:02 PM »
Makes sense, but CUPS is responding without a problem--I can browse to http://serverip:631 and it comes up without any firewall changes, and the port scan from my phone shows that port as open.  Not so for 5353, though.

DanB35
Re: Airprint under SME 9?
« Reply #9 on: June 26, 2015, 04:48:14 PM »
/var/log/iptables/current has some entries for port 5353, but they look to me like they're attempted outbound traffic to port 5353 on a remote host:
Code:
@40000000558d6462259909c4 Jun 26 10:40:24 sme-test denylog: IN= OUT=eth0 MAC= SRC=192.168.1.25 DST=224.0.0.251 LEN=118 TOS=00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=98
@40000000558d64622d35e01c Jun 26 10:40:24 sme-test denylog: IN= OUT=eth0 MAC= SRC=192.168.1.25 DST=224.0.0.22 LEN=40 TOS=00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
@40000000558d6463256883e4 Jun 26 10:40:25 sme-test denylog: IN= OUT=eth0 MAC= SRC=192.168.1.25 DST=224.0.0.251 LEN=276 TOS=00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=256
@40000000558d6464342338ac Jun 26 10:40:26 sme-test denylog: IN= OUT=eth0 MAC= SRC=192.168.1.25 DST=224.0.0.251 LEN=134 TOS=00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=114
@40000000558d646533e73d34 Jun 26 10:40:27 sme-test denylog: IN= OUT=eth0 MAC= SRC=192.168.1.25 DST=224.0.0.251 LEN=276 TOS=00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=256

DanB35
Re: Airprint under SME 9?
« Reply #10 on: June 26, 2015, 05:16:01 PM »
I must be doing something wrong with the firewall setup.  Even when I also try to open TCP port 5353:
Code:
[root@sme-test ~]# config show avahi
avahi=service
    TCPPort=5353
    UDPPort=5353
    access=public
    status=enabled
...and post-upgrade and reboot, it doesn't seem to open.  Nmap from another machine shows:
Code:
[root@e-smith ~]# nmap -p 5353 192.168.1.25

Starting Nmap 6.25 ( http://nmap.org ) at 2015-06-26 11:13 EDT
Nmap scan report for pc-00025.familybrown.org (192.168.1.25)
Host is up (0.095s latency).
PORT     STATE  SERVICE
5353/tcp closed mdns
MAC Address: 60:33:4B:1F:47:1E (Apple)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

Edit: Well, I may have jumped the gun on that conclusion:
Code:
[root@e-smith ~]# nmap -sU 192.168.1.25

Starting Nmap 6.25 ( http://nmap.org ) at 2015-06-26 11:17 EDT
Nmap scan report for pc-00025.familybrown.org (192.168.1.25)
Host is up (0.039s latency).
Not shown: 992 closed ports
PORT     STATE         SERVICE
53/udp   open|filtered domain
123/udp  open          ntp
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
631/udp  open|filtered ipp
1812/udp open|filtered radius
1813/udp open|filtered radacct
5353/udp open          zeroconf
MAC Address: 60:33:4B:1F:47:1E (Apple)

Nmap done: 1 IP address (1 host up) scanned in 1082.60 seconds
So, 5353/udp is open.  Still not sure why 5353/tcp isn't, with the TCPPort setting above, but it's progress.
« Last Edit: June 26, 2015, 05:40:16 PM by DanB35 »

DanB35
Re: Airprint under SME 9?
« Reply #11 on: June 26, 2015, 06:27:45 PM »
It's amazing what you can find on Google...  The excerpt from my iptables logs above appears to show traffic from my server's IP to 224.0.0.251, which I believed to be a remote host.  Turns out I was mistaken; that's the multicast address reserved for the mDNS service.  It's also looking like that traffic was blocked, which could well be causing the failure of my devices to see the printer.
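
Added example (not part of the thread and not SME Server code): a small Python reader for `denylog:` lines like those in Reply #9, which reports packet direction from the `IN=`/`OUT=` fields and flags multicast destinations such as the mDNS group 224.0.0.251. The first two sample lines are copied from that post, the third is constructed for contrast, and the function names are illustrative.

```python
import ipaddress
import re

# Well-known link-local multicast groups (IANA assignments).
KNOWN_GROUPS = {"224.0.0.251": "mDNS", "224.0.0.22": "IGMPv3"}
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def classify(line):
    """Describe one iptables 'denylog:' line, or return None if it is not one."""
    if "denylog:" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line.split("denylog:", 1)[1]):
        fields.setdefault(key, value)  # first LEN is the IP length; skip the UDP one
    if "DST" not in fields:
        return None
    dst = ipaddress.ip_address(fields["DST"])
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    # Locally generated packets log an empty IN= and a populated OUT=.
    if has_out and not has_in:
        direction = "outbound"
    elif has_in and not has_out:
        direction = "inbound"
    else:
        direction = "forwarded"
    return {
        "direction": direction,
        "dst": str(dst),
        "multicast": dst.is_multicast,  # true for anything in 224.0.0.0/4
        "group": KNOWN_GROUPS.get(str(dst)),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }

def blocked_mdns_announcements(lines):
    """Dropped packets this host tried to send to the mDNS group on UDP 5353."""
    hits = [classify(entry) for entry in lines]
    return [h for h in hits if h and h["direction"] == "outbound"
            and h["group"] == "mDNS" and h["proto"] == "UDP" and h["dport"] == 5353]

SAMPLE = [  # lines 1-2 from Reply #9; line 3 is constructed
    "@40000000558d6462259909c4 Jun 26 10:40:24 sme-test denylog: IN= OUT=eth0 MAC= SRC=192.168.1.25 DST=224.0.0.251 LEN=118 TOS=00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=98",
    "@40000000558d64622d35e01c Jun 26 10:40:24 sme-test denylog: IN= OUT=eth0 MAC= SRC=192.168.1.25 DST=224.0.0.22 LEN=40 TOS=00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2",
    "@4000000000000000 Jun 26 10:41:00 sme-test denylog: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.168.1.50 DST=192.168.1.25 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=23",
]

if __name__ == "__main__":
    for entry in map(classify, SAMPLE):
        print(entry)
    print("blocked mDNS announcements:", len(blocked_mdns_announcements(SAMPLE)))
```
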

Stefano
Re: Airprint under SME 9?
« Reply #12 on: June 26, 2015, 06:35:10 PM »
I'm sorry I can't help you (no Apple devices here)

Quote
It's amazing what you can find on Google...

Google knows almost everything... you just need the right keywords and (sometimes) a good deal of patience ;-)