Title: Easily use your remote scanner on Linux (Qubes OS guide)
       Author: Solène
       Date: 11 July 2023
       Tags: qubesos scanner networking
       Description: In this article, you will learn how to use your remote
       scanner on a Linux system (with specific Qubes OS instructions)
       
       # Introduction
       
       Hi, this is a quick guide explaining how to use a network scanner on
       Qubes OS (or Linux/BSD in general).
       
       I'll be using a network printer / scanner Brother MFC-1910W in the
       example.
       
       # Setup
       
       ## Specific Qubes OS
       
       For Qubes OS, the simplest way to proceed is to use the qube sys-net
       (which is UNTRUSTED) for the scanner operations.  Scanning in it isn't
       less secure than using a dedicated qube, because the network traffic
       to the scanner isn't encrypted, and it makes the network setup much
       easier.
       
       All the instructions below will be done in sys-net, with the root user.
       
       Note that sys-net should be either an AppVM with persistent /home or a
       fully disposable system, so you will have to run all the commands
       again every time you need your scanner.  If you need it really often
       (I use mine once in a while), you may want to automate this in the
       template used by sys-net.
       
       ## Instructions
       
       We need to install the program `sane-airscan`, which is used to
       discover network scanners, along with all the backends/drivers for
       devices.  On Fedora, this can be done with the following command; the
       package list may differ on other systems.
       
       ```
       # dnf install sane-airscan sane-backends sane-backends-drivers-cameras sane-backends-drivers-scanners
       ```
       
       Make sure the service `avahi-daemon` is installed and running: the
       default Qubes OS templates ship it, but it is not running.  It is
       required for network device discovery.
       
       ```
       # systemctl start avahi-daemon
       ```
       
       An extra step is required: avahi needs UDP port 5353 to be open on
       the system to receive discovery replies.  If you don't do that, you
       won't find your network scanner (this is also required for
       printers).
       
       You need to find the name of your network interface: open a console
       and type `ip -4 -br a | grep UP`.  The first column is the interface
       name; the lines starting with vif can be discarded.  Run the
       following command, and make sure to replace INTERFACE_NAME with the
       real name you just found.
       
       For Qubes OS 4.1:
       
       ```
       # iptables -I INPUT 1 -i INTERFACE_NAME -p udp --dport 5353 -j ACCEPT
       ```
       
       For Qubes OS 4.2:
       
       ```
       # nft add rule qubes custom-input udp dport 5353 accept
       ```
       
       Now, we should be able to discover the scanner.  The following command
       should output a line with a device name and network address:
       
       ```
       # airscan-discover
       ```
       
       For me, the output looks like this:
       
       ```
       [devices]
         Brother MFC-1910W series = http://10.42.42.133:80/WebServices/ScannerService, WSD
       ```
       
       If you have a similar output, it means it's working, and you can use
       the airscan-discover output to configure the detected scanner:
       
       ```
       # airscan-discover | tee /etc/sane.d/home.conf
       ```
       
       Now, your scanner should be usable!
       
       # Using the scanner
       
       You can run the command `scanimage` as a regular user to use your
       remote scanner.  By default, it selects the first device available, so
       if you have a single scanner, you don't need to specify its long and
       complicated name/address.
       
       You can scan and save as a PDF file using this command:
       
       ```
       $ scanimage --format pdf > my_document.pdf
       ```
       
       On Qubes OS, you can open a file manager in sys-net and right-click on
       the file to move it to the qube where you want to keep the document.
       
       # Disabling avahi
       
       If you are done with your scanner, you can remove the firewall rule
       allowing device discovery.  This is the rule added on Qubes OS 4.1:
       
       ```
       # iptables -D INPUT -i INTERFACE_NAME -p udp --dport 5353 -j ACCEPT
       ```
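
The script below is an added example, not part of the original article: it ties the "open UDP/5353" step from the setup to the cleanup in this section, so the port is only open while a command such as `airscan-discover` runs. The function names and the script name `mdns-window.sh` are made up for this example, and the 4.2 cleanup assumes `nft --echo --handle` prints the new rule followed by `# handle N`.

```shell
#!/bin/sh
# Added example, not from the original article. Helper names are made up here.

# stdin: `ip -4 -br a` output. Prints UP interfaces that are not Qubes
# vif backends (the same filter the guide applies by hand).
uplink_ifaces() {
    awk '$2 == "UP" && $1 !~ /^vif/ { sub(/@.*/, "", $1); print $1 }'
}

# stdin: output of `nft --echo --handle add rule ...`, assumed to end in
# "# handle N". Prints N so the rule can be deleted later.
rule_handle() {
    sed -n 's/.*# handle \([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1
}

# Prints the command that removes the rule again.
# $1 = Qubes release, $2 = interface name (4.1) or rule handle (4.2).
close_cmd() {
    case "$1" in
        4.1) echo "iptables -D INPUT -i $2 -p udp --dport 5353 -j ACCEPT" ;;
        4.2) echo "nft delete rule qubes custom-input handle $2" ;;
        *)   return 1 ;;
    esac
}

# Opens UDP/5353, runs the given command, and closes the port on exit,
# including on Ctrl-C. Run as root in sys-net.
# $1 = Qubes release (4.1 or 4.2), remaining arguments = command to run.
with_mdns_open() {
    rel=$1; shift
    if [ "$rel" = 4.1 ]; then
        ref=$(ip -4 -br a | uplink_ifaces | head -n 1)
        [ -n "$ref" ] || { echo "no uplink interface found" >&2; return 1; }
        iptables -I INPUT 1 -i "$ref" -p udp --dport 5353 -j ACCEPT || return 1
    else
        ref=$(nft --echo --handle add rule qubes custom-input \
              udp dport 5353 accept | rule_handle)
        [ -n "$ref" ] || { echo "could not read rule handle" >&2; return 1; }
    fi
    undo=$(close_cmd "$rel" "$ref") || return 1
    trap 'exit 130' INT TERM
    trap '$undo' EXIT
    systemctl start avahi-daemon && "$@"
}

# Example: sh mdns-window.sh 4.2 airscan-discover
case "${1:-}" in 4.1|4.2) with_mdns_open "$@" ;; esac
```

On Qubes OS 4.2 the rule is removed by its handle, because `nft delete rule` takes a handle rather than the rule text.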
       
       # Conclusion
       
       Using a network scanner is quite easy when it's supported by SANE, but
       you need direct access to the network because of the avahi discovery
       requirement, which is not practical when you have a firewall or use
       virtual machines in sub networks.