💾 Archived View for perso.pw › blog › articles › qubes-os-network-scanner.gmi captured on 2024-08-18 at 17:25:44. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-11-04)
-=-=-=-=-=-=-
Hi, this is a quick guide explaining how to use a network scanner on Qubes OS (or Linux/BSD in general).
I'll be using a network printer / scanner Brother MFC-1910W in the example.
For Qubes OS, the simplest way to proceed is to use the qube sys-net (which is UNTRUSTED) to proceed with the scanner operations. Scanning in it isn't less secure than having a dedicated qube as the network traffic isn't encrypted toward the scanner, this also ease a lot the network setup.
All the instructions below will be done in sys-net, with the root user.
Note that sys-net should be either an AppVM with persistent /home or a fully disposable system, so you will have to do all the commands every time you need your scanner. If you need it really often (I use mine once in a while), you may want to automate this in the template used by sys-net.
We need to install the program `sane-airscan` used to discover network scanners, and also all the backends/drivers for devices. On Fedora, this can be done using the following command, the package list may differ for other systems.
# dnf install sane-airscan sane-backends sane-backends-drivers-cameras sane-backends-drivers-scanners
Make sure the service `avahi-daemon` is installed and running, the default Qubes OS templates have it, but not running. It is required for network devices discovery.
# systemctl start avahi-daemon
An extra step is required, avahi requires the port UDP/5353 to be opened on the system to receive discovery replies, if you don't do that, you won't find your network scanner (this is also required for printers).
You need to figure the network interface name of your network, open a console and type `ip -4 -br a | grep UP`, the first column is the interface name, the lines starting by vif can be discarded. Run the following command, and make sure to replace INTERFACE_NAME by the real name you just found.
For Qubes OS 4.1:
# iptables -I INPUT 1 -i INTERFACE_NAME -p udp --dport 5353 -j ACCEPT
For Qubes OS 4.2:
# nft add rule qubes custom-input udp dport 5353 accept
Now, we should be able to discover the scanner, the following command should output a line with a device name and network address:
# airscan-discover
For me, the output looks like this:
[devices] Brother MFC-1910W series = http://10.42.42.133:80/WebServices/ScannerService, WSD
If you have a similar output, this mean it's working, then you can use airscan-discover output to configure the detected scanner:
# airscan-discover | tee /etc/sane.d/home.conf
Now, your scanner should be usable!
You can run the command `scanimage` as a regular user to use your remote scanner, by default, it selects the first device available, so if you have a single scanner, you don't need to specify its long and complicated name/address.
You can scan and save as a PDF file using this command:
$ scanimage --format pdf > my_document.pdf
On Qubes OS, you can open a file manager in sys-net and right-click on the file to move it to the qube where you want to keep the document.
If you are done with your scanner, you can remove the firewall rule allowing device discovery.
iptables -D INPUT -i INTERFACE_NAME -p udp --dport 5353 -j ACCEPT
Using a network scanner is quite easy when it's supported by SANE, but you need direct access to the network because of the avahi discovery requirement, which is not practical when you have a firewall or use virtual machines in sub networks.