Title: Easily use your remote scanner on Linux (Qubes OS guide)

	Title: Easily use your remote scanner on Linux (Qubes OS guide)
	Author: Solène
	Date: 11 July 2023
	Tags: qubesos scanner networking
	Description: In this article, you will learn how to use your remote
	scanner on a Linux system (with specific Qubes OS instructions)

	# Introduction

	Hi, this is a quick guide explaining how to use a network scanner on
	Qubes OS (or Linux/BSD in general).

	I'll be using a network printer / scanner Brother MFC-1910W in the
	example.

	# Setup

	## Specific Qubes OS

	For Qubes OS, the simplest way to proceed is to use the qube sys-net
	(which is UNTRUSTED) to proceed with the scanner operations. Scanning
	in it isn't less secure than having a dedicated qube as the network
	traffic isn't encrypted toward the scanner, this also ease a lot the
	network setup.

	All the instructions below will be done in sys-net, with the root user.

	Note that sys-net should be either an AppVM with persistent /home or a
	fully disposable system, so you will have to do all the commands every
	time you need your scanner. If you need it really often (I use mine
	once in a while), you may want to automate this in the template used by
	sys-net.

	## Instructions

	We need to install the program `sane-airscan` used to discover network
	scanners, and also all the backends/drivers for devices. On Fedora,
	this can be done using the following command, the package list may
	differ for other systems.

	```
	# dnf install sane-airscan sane-backends sane-backends-drivers-cameras sane-bac…
	```

	Make sure the service `avahi-daemon` is installed and running, the
	default Qubes OS templates have it, but not running. It is required
	for network devices discovery.

	```
	# systemctl start avahi-daemon
	```

	An extra step is required, avahi requires the port UDP/5353 to be
	opened on the system to receive discovery replies, if you don't do
	that, you won't find your network scanner (this is also required for
	printers).

	You need to figure the network interface name of your network, open a
	console and type `ip -4 -br a \| grep UP`, the first column is the
	interface name, the lines starting by vif can be discarded. Run the
	following command, and make sure to replace INTERFACE_NAME by the real
	name you just found.

	For Qubes OS 4.1:

	```
	# iptables -I INPUT 1 -i INTERFACE_NAME -p udp --dport 5353 -j ACCEPT
	```

	For Qubes OS 4.2:

	```
	# nft add rule qubes custom-input udp dport 5353 accept
	```

	Now, we should be able to discover the scanner, the following command
	should output a line with a device name and network address:

	```
	# airscan-discover
	```

	For me, the output looks like this:

	```
	[devices]
	Brother MFC-1910W series = http://10.42.42.133:80/WebServices/ScannerService,…
	```

	If you have a similar output, this mean it's working, then you can use
	airscan-discover output to configure the detected scanner:

	```
	# airscan-discover \| tee /etc/sane.d/home.conf
	```

	Now, your scanner should be usable!

	# Using the scanner

	You can run the command `scanimage` as a regular user to use your
	remote scanner, by default, it selects the first device available, so
	if you have a single scanner, you don't need to specify its long and
	complicated name/address.

	You can scan and save as a PDF file using this command:

	```
	$ scanimage --format pdf > my_document.pdf
	```

	On Qubes OS, you can open a file manager in sys-net and right-click on
	the file to move it to the qube where you want to keep the document.

	# Disabling avahi

	If you are done with your scanner, you can remove the firewall rule
	allowing device discovery.

	```
	iptables -D INPUT -i INTERFACE_NAME -p udp --dport 5353 -j ACCEPT
	```

	# Conclusion

	Using a network scanner is quite easy when it's supported by SANE, but
	you need direct access to the network because of the avahi discovery
	requirement, which is not practical when you have a firewall or use
	virtual machines in sub networks.