diff --git a/README.md b/README.md index b4775ff..0e4e98a 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,65 @@ -# VueScan-Mint-Firewall-Fix +✅ Fixed: VueScan Can't Detect Brother Network Scanners on Linux Mint 22.1 — "ICMP admin prohibited filter" Solved -How I solved VueScan not detecting Brother network scanners behind firewalld (Linux Mint 22.1) \ No newline at end of file +Body: + +# Solved: VueScan Cannot Detect Brother Network Scanners on Linux Mint 22.1 / Ubuntu 24.04 + +## ✅ TL;DR +If VueScan doesn’t detect your Brother network scanners unless your firewall is disabled, the issue is likely caused by firewalld zone policies silently rejecting traffic. + +**Fix:** Move your network interface into the `trusted` zone. + +--- + +## 🔧 Background + +- **OS:** Linux Mint 22.1 “Xia” (Ubuntu 24.04 base) +- **Scanner:** Brother MFC and similar network models +- **Software:** VueScan +- **Firewall:** firewalld (nftables backend) + +--- + +## 🐛 The Problem + +Even with the correct ports open and Brother drivers installed, VueScan couldn’t see the scanner. + +Running `tcpdump` showed: + +ICMP host unreachable - admin prohibited filter + + +Despite: +- Opening all documented Brother ports (UDP 54925, TCP 54926) +- Adding direct rules, rich rules, and nftables manual rules + +VueScan still couldn’t discover any scanners. + +--- + +## 🧠 Root Cause + +Firewalld’s zone chain system (e.g., `filter_OUTPUT_POLICIES`, `filter_OUT_home`) overrides direct rules unless placed in the exact right spot. Traffic was still being rejected in a deep subchain. + +--- + +## ✅ The Fix + +Move your interface to the trusted zone to allow discovery without disabling the firewall. + +```bash +sudo firewall-cmd --zone=trusted --change-interface=eno1 --permanent +sudo firewall-cmd --reload + + Replace eno1 with your actual network interface (use ip a to check) + +Then verify: + +sudo firewall-cmd --get-active-zones + +🎉 Result + +VueScan now detects all Brother scanners on the network — no reboots required. 
+🔐 Security Note + +This is safe if you're on a trusted home network behind a router. If you need more fine-grained access, you can create a custom firewalld zone to only allow specific IPs and ports. \ No newline at end of file
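Review bot: In "The Fix", `--zone=trusted --change-interface=eno1 --permanent` makes firewalld accept all inbound traffic on that interface and keeps doing so across reloads, yet the only caveat is in the closing Security Note, which mentions a custom zone without showing how to build one. Suggest moving the caveat next to the command and documenting the narrower variant the note alludes to, for example trusting only the scanner's address with `sudo firewall-cmd --permanent --zone=trusted --add-source=<scanner-ip>` (placeholder address). Please also state whether that variant was tested, since the README says opening UDP 54925 and TCP 54926 alone did not restore discovery. Three formatting points in the same hunk: the `bash` fence opened before the `firewall-cmd` lines is never closed, so the "Replace eno1" hint, "Then verify:" and the `--get-active-zones` command all render inside one block. "🎉 Result" and "🔐 Security Note" are missing the `##` that the earlier section headings use. The leading "✅ Fixed: ..." line and the stray "Body:" label replace the original H1 and read like pasted form text, so the file now starts without a heading.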