Easily use your remote scanner on Linux (Qubes OS guide)

Written by Solène, on 11 July 2023.
Tags: #qubesos #scanner #networking


1. Introduction

Hi, this is a quick guide explaining how to use a network scanner on Qubes OS (or Linux/BSD in general).

I'll be using a Brother MFC-1910W network printer / scanner in the example.

2. Setup

2.1. Qubes OS specifics

For Qubes OS, the simplest way to proceed is to use the qube sys-net (which is UNTRUSTED) for the scanner operations. Scanning in it isn't less secure than using a dedicated qube, as the network traffic toward the scanner isn't encrypted, and it also makes the network setup a lot easier.

All the instructions below will be done in sys-net, with the root user.

Note that sys-net should be either an AppVM with a persistent /home or a fully disposable system, so you will have to run all the commands every time you need your scanner. If you need it really often (I use mine once in a while), you may want to automate this in the template used by sys-net.

2.2. Instructions

We need to install the program sane-airscan, used to discover network scanners, and also all the backends/drivers for devices. On Fedora, this can be done using the following command; the package list may differ for other systems.

# dnf install sane-airscan sane-backends sane-backends-drivers-cameras sane-backends-drivers-scanners

Make sure the service avahi-daemon is installed and running: the default Qubes OS templates ship it, but it is not running. It is required for network device discovery.

# systemctl start avahi-daemon

An extra step is required: avahi needs the port UDP/5353 to be open on the system to receive discovery replies. If you don't do that, you won't find your network scanner (this is also required for printers).

You need to figure out the name of your network interface: open a console and type ip -4 -br a | grep UP. The first column is the interface name, and the lines starting with vif can be discarded. Run the following command, making sure to replace INTERFACE_NAME with the real name you just found.

For Qubes OS 4.1:

# iptables -I INPUT 1 -i INTERFACE_NAME -p udp --dport 5353 -j ACCEPT

For Qubes OS 4.2:

# nft add rule qubes custom-input udp dport 5353 accept

Now, we should be able to discover the scanner. The following command should output a line with a device name and network address:

# airscan-discover

For me, the output looks like this:

  Brother MFC-1910W series =, WSD

If you have a similar output, this means it's working, and you can use the airscan-discover output to configure the detected scanner:

# airscan-discover | tee /etc/sane.d/home.conf

Now, your scanner should be usable!

3. Using the scanner

You can run the command scanimage as a regular user to use your remote scanner. By default, it selects the first device available, so if you have a single scanner, you don't need to specify its long and complicated name/address.

You can scan and save as a PDF file using this command:

$ scanimage --format pdf > my_document.pdf

On Qubes OS, you can open a file manager in sys-net and right-click on the file to move it to the qube where you want to keep the document.

4. Disabling avahi

If you are done with your scanner, you can remove the firewall rule allowing device discovery.

# iptables -D INPUT -i INTERFACE_NAME -p udp --dport 5353 -j ACCEPT
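
The command above matches the iptables rule from the Qubes OS 4.1 instructions. On Qubes OS 4.2 the rule was added with nft, which removes a rule by its handle, so here is an added example (not part of the original post) that finds and deletes it. The function names and the sample listing are assumptions made for the illustration, and the listing is assumed to show ports numerically.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are
# hypothetical and the sample listing is constructed; real handles differ.

# Print the handle of every "udp dport 5353 accept" rule found in the
# output of `nft -a list chain qubes custom-input`, read on stdin.
mdns_rule_handles() {
    awk '/udp dport 5353 accept/ && /# handle [0-9]+$/ { print $NF }'
}

# Delete those rules from the running ruleset (run as root in sys-net).
close_mdns() {
    nft -a list chain qubes custom-input | mdns_rule_handles |
    while read -r handle; do
        nft delete rule qubes custom-input handle "$handle"
    done
}

# Open UDP/5353, run the given command, then close the port again even
# if the command failed, so the rule does not stay behind.
with_mdns_open() {
    nft add rule qubes custom-input udp dport 5353 accept || return 1
    "$@"
    rc=$?
    close_mdns
    return "$rc"
}

# Constructed sample of `nft -a list chain qubes custom-input` output.
# The rule appears twice, as it would after running the add command twice.
SAMPLE_CHAIN='table ip qubes {
    chain custom-input { # handle 5
        tcp dport 22 accept # handle 17
        udp dport 5353 accept # handle 21
        udp dport 5353 accept # handle 24
    }
}'
```

Source the file as root in sys-net, then run close_mdns when you are done, or with_mdns_open airscan-discover to keep the port open only while discovery runs.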

5. Conclusion

Using a network scanner is quite easy when it's supported by SANE, but you need direct access to the network because of the avahi discovery requirement, which is not practical when you have a firewall or use virtual machines in subnetworks.