
I'm having a dilemma about whether I should post this here or on Super User; finally I decided it's more security related, so I'm posting it here. If it's wrong, please move it.

The situation: There is an Epson all-in-one device in the home that is supposed to work over Wi-Fi. This is needed because there are two people, working in two rooms, who need to access it on a daily basis.

On Linux everything works fine...if and only if the firewall is disabled. While it is enabled, printing works fine, but scanning fails. The firewall is gufw set to the default settings, that is, Deny incoming, Allow outgoing. So I got into the habit of disabling the firewall to scan stuff and re-enabling it as soon as the scanning is over. This is tedious and, I suppose, questionable from the security POV. So I asked on the forums of this distro what I am supposed to do - and while everyone agreed that disabling the firewall altogether, or even just to scan, was not a good idea and that I should add some relevant rules instead, the exact rules to add raised my eyebrow...

The (conflicting) pieces of advice I got:

  • Allow everything on the local network – So I get it I should never connect my laptop to my academic WiFi from now on?
  • Allow only the printer/scanner's local IP – but printing out the network information showed that, if I understand it correctly, the printer's local address (both IPv4 and IPv6) is being assigned dynamically
  • Define some arcane rules, that is: in file /etc/default/ufw find IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns" and replace it with IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns nf_conntrack_sane"; also in file /etc/ufw/sysctl.conf find net/ipv4/tcp_syncookies=0 and replace it with net/ipv4/tcp_syncookies=1 – the fundamental problem is that I don't understand the meaning of these rules, and I don't like typing in firewall rules (or any commands in Linux, for that matter) which I don't understand; I presume that the intention of these rules is to allow saned unrestricted access to the internet, BUT...

This is my most fundamental objection to all of the above three rules, but especially to the third one. From man 8 saned:

First and foremost: saned is not intended to be exposed to the internet or other non-trusted networks. Make sure that access is limited by tcpwrappers and/or a firewall setup. Don't depend only on saned's own authentication. Don't run saned as root if it's not necessary. And do not install saned as setuid root.

Ah. Here is where, I think, I sense some inconsistency of thinking. First, everyone argues I need a firewall even though I'm behind a home router. Then I am advised to make rules that make saned exempt from this firewall; even though, as I'm reading, if I need a firewall for anything, it is for saned! If I'm understanding the third rule correctly it does this in the most direct manner, though the first two rules have essentially the same effect, since they allow the printer, and IP addresses are spoofable. (Allowing local network addresses can be argued to be safe, but again - what about the academic network - and more fundamentally, since I'm behind the ISP's router, it handles protection from the world, so if I supposedly still need a firewall, it is for local addresses? Or do I get this wrong?)

One final remark: On Windows, there is a program from Epson which handles scanning. Curiously, this program closes automatically after a period of inactivity. (This is tedious when I scan a document, work on it, and then proceed to scan another.) Am I to suppose that what it really does is allow the scanning through the Windows firewall in a manner similar to one of the three ways I was advised to do this on Linux; but since, hey, this is dangerous, it limits this to just the few minutes this is needed for? This would suggest that making such holes is inescapable. Still, this blows my mind; why do something dangerous for a limited period of time? Isn't there a way to do this safely for prolonged periods of time?

I suppose there must be some fundamental flaw in my understanding; sorry, but neither Internet security nor the details of networking have ever been among my top interests. What am I misunderstanding, and how should this be correctly done?

gaazkam
    I think you should look into exactly what is being dropped by the firewall; perhaps it will be possible to set up a rule to accept related connections if you are actively communicating with the scanner? – multithr3at3d Apr 22 '18 at 20:47
  • yeah, set rules that log what packets are being dropped, or run a traffic scanner (wireshark) while doing a scan (with the firewall disabled) and see what inbound connections the scanner is making. – Jasen Apr 22 '18 at 20:51
  • another option is to see if the vendor or maker have documented what firewall permissions are needed. – Jasen Apr 22 '18 at 20:57
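As an added example that is not part of the question or the comments, a small Python script that does what the comments suggest: it summarises ufw's `[UFW BLOCK]` log lines by source address, protocol and destination port, optionally restricted to the scanner's address, so that a rule can be narrowed to exactly the traffic the scanner sends instead of opening the whole local network. The log lines, addresses and port numbers are constructed, not taken from any real Epson device.

```python
import re
from collections import Counter

# Constructed sample of "[UFW BLOCK]" kernel log lines in the format ufw
# writes to /var/log/ufw.log; addresses, MACs and ports are made up.
SAMPLE_LOG = """\
Apr 22 20:40:01 laptop kernel: [UFW BLOCK] IN=wlp3s0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51011 DPT=1865 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 20:40:02 laptop kernel: [UFW BLOCK] IN=wlp3s0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51012 DPT=1865 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 20:40:05 laptop kernel: [UFW BLOCK] IN=wlp3s0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 22 20:40:06 laptop kernel: [UFW BLOCK] IN=wlp3s0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=3289 DPT=3289 LEN=58
"""

# Only the netfilter fields needed to write a narrow rule.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_block_line(line):
    """Return the SRC/DST/PROTO/SPT/DPT fields of one [UFW BLOCK] line, or None."""
    if "[UFW BLOCK]" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def summarize_blocks(log_text, scanner_ip=None):
    """Count dropped inbound packets by (source, protocol, destination port).

    With scanner_ip set, only drops from that address are counted: those are
    the ones scanning actually needs; the unrelated drop (here from
    203.0.113.7 to port 22) stays blocked and never turns into a rule."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_block_line(line)
        if fields is None or (scanner_ip and fields["SRC"] != scanner_ip):
            continue
        counts[(fields["SRC"], fields["PROTO"], fields.get("DPT", "-"))] += 1
    return counts


def suggest_rules(counts):
    """Turn the summary into ufw rules limited to one source, protocol and port."""
    rules = []
    for (src, proto, dpt), _ in sorted(counts.items()):
        if dpt != "-":  # skip protocols without a port (e.g. ICMP)
            rules.append(f"ufw allow in proto {proto.lower()} from {src} to any port {dpt}")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(summarize_blocks(SAMPLE_LOG, scanner_ip="192.168.1.50")):
        print(rule)
```

ufw only writes these lines when logging is enabled (`ufw logging on`), and since the question notes the scanner's address is assigned dynamically, a rule keyed on that address stays correct only as long as the router keeps handing the scanner the same lease.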
