Title: Easily use your remote scanner on Linux (Qubes OS guide)
Author: Solène
Date: 11 July 2023
Tags: qubesos scanner networking
Description: In this article, you will learn how to use your remote
scanner on a Linux system (with specific Qubes OS instructions)
# Introduction
Hi, this is a quick guide explaining how to use a network scanner on
Qubes OS (or Linux/BSD in general).
I'll be using a network printer / scanner Brother MFC-1910W in the
example.
# Setup
## Qubes OS specifics
For Qubes OS, the simplest way to proceed is to use the qube sys-net
(which is UNTRUSTED) for the scanner operations. Scanning in it isn't
less secure than having a dedicated qube, as the network traffic toward
the scanner isn't encrypted anyway; it also makes the network setup a
lot easier.
All the instructions below are done in sys-net, as the root user.
Note that sys-net should be either an AppVM with persistent /home or a
fully disposable system, so you will have to run all the commands every
time you need your scanner. If you need it really often (I use mine
once in a while), you may want to automate this in the template used by
sys-net.
## Instructions
We need to install the program `sane-airscan`, used to discover network
scanners, and also all the backends/drivers for the devices. On Fedora,
this can be done using the following command; the package list may
differ on other systems.
```
# dnf install sane-airscan sane-backends sane-backends-drivers-cameras sane-bac…
```
Make sure the service `avahi-daemon` is installed and running: the
default Qubes OS templates have it installed, but not running. It is
required for network device discovery.
```
# systemctl start avahi-daemon
```
An extra step is required: avahi needs the port UDP/5353 to be opened
on the system to receive discovery replies. If you don't do that, you
won't find your network scanner (this is also required for printers).
You need to figure out the name of the network interface connected to
your network: open a console and type `ip -4 -br a | grep UP`. The first
column is the interface name; the lines starting with vif can be
discarded. Run the following command, and make sure to replace
INTERFACE_NAME with the real name you just found.
For Qubes OS 4.1:
```
# iptables -I INPUT 1 -i INTERFACE_NAME -p udp --dport 5353 -j ACCEPT
```
For Qubes OS 4.2:
```
# nft add rule qubes custom-input udp dport 5353 accept
```
Now, we should be able to discover the scanner; the following command
should output a line with a device name and network address:
```
# airscan-discover
```
For me, the output looks like this:
```
[devices]
Brother MFC-1910W series = http://10.42.42.133:80/WebServices/ScannerService,…
```
If you have a similar output, this means it's working, and you can use
the airscan-discover output to configure the detected scanner:
```
# airscan-discover | tee /etc/sane.d/home.conf
```
Now, your scanner should be usable!
# Using the scanner
You can run the command `scanimage` as a regular user to use your
remote scanner. By default, it selects the first device available, so
if you have a single scanner, you don't need to specify its long and
complicated name/address.
You can scan and save as a PDF file using this command:
```
$ scanimage --format pdf > my_document.pdf
```
On Qubes OS, you can open a file manager in sys-net and right-click on
the file to move it to the qube where you want to keep the document.
# Disabling avahi
If you are done with your scanner, you can remove the firewall rule
allowing device discovery (this matches the iptables rule added above
for Qubes OS 4.1; the nft rule added for 4.2 has to be removed
separately).
```
# iptables -D INPUT -i INTERFACE_NAME -p udp --dport 5353 -j ACCEPT
```
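As an added example that is not part of the original post, here are the setup steps and the rule removal above combined into one script, the kind of automation suggested for the sys-net template. It assumes root in sys-net, the `ip`, `systemctl` and `airscan-discover` commands, and nft with the `ip qubes` table on Qubes OS 4.2 (iptables otherwise); unlike the `tee` step, it only writes home.conf when discovery actually lists a device, and its two parsing helpers read stdin so they can be checked against sample output.

```shell
#!/bin/sh
# Added example (not from the original post): the setup and teardown steps
# above as one script. Assumes root in sys-net, the ip/systemctl/airscan-discover
# commands, and nft with table "ip qubes" (Qubes OS 4.2) or else iptables (4.1).
set -eu
CONF=/etc/sane.d/home.conf
# First interface that is UP, skipping loopback and the Qubes vif* links.
# Reads `ip -4 -br a` output from stdin so it can be checked on sample text.
pick_interface() {
    awk '$2 == "UP" && $1 != "lo" && $1 !~ /^vif/ { print $1; exit }'
}
uplink() {  # interface name toward the scanner; fails if none is found
    i=$(ip -4 -br a | pick_interface); [ -n "$i" ] && echo "$i"
}

# Succeeds only if airscan-discover output on stdin has at least one device
# line ("Name = url, protocol"), so an empty result never overwrites $CONF.
has_device() {
    grep -qE '^[^#[].* = [a-z]+://'
}
# Open (add) or close (del) UDP/5353 so avahi receives mDNS discovery replies.
mdns_rule() {  # mdns_rule add|del IFACE
    if command -v nft >/dev/null 2>&1 && nft list table ip qubes >/dev/null 2>&1; then
        if [ "$1" = add ]; then
            nft add rule ip qubes custom-input iifname "$2" udp dport 5353 accept
        else  # nft deletes by handle: look up the handle(s) of the rule added above
            nft -a list chain ip qubes custom-input \
              | awk -v i="$2" 'index($0, "iifname \"" i "\" udp dport 5353 accept") { print $NF }' \
              | while read -r h; do nft delete rule ip qubes custom-input handle "$h"; done
        fi
    elif [ "$1" = add ]; then
        iptables -I INPUT 1 -i "$2" -p udp --dport 5353 -j ACCEPT
    else
        iptables -D INPUT -i "$2" -p udp --dport 5353 -j ACCEPT
    fi
}
setup() {
    iface=$(uplink)
    systemctl start avahi-daemon
    mdns_rule add "$iface"
    found=$(airscan-discover)
    if printf '%s\n' "$found" | has_device; then
        printf '%s\n' "$found" > "$CONF" && echo "scanner configured in $CONF"
    else
        echo "no scanner discovered; $CONF left untouched" >&2; return 1
    fi
}
teardown() { iface=$(uplink); mdns_rule del "$iface"; }
case "${1:-}" in setup|teardown) "$1" ;; esac  # usage: scanner.sh setup|teardown
```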
# Conclusion
Using a network scanner is quite easy when it's supported by SANE, but
you need direct access to the network because of the avahi discovery
requirement, which is not practical when you have a firewall or use
virtual machines in sub-networks.