
Christoph Höger 11-14-2008 06:41 PM

fedora 10 avahi & firewall weirdness
 
Hi,

I hope someone can clarify this for me.

I have avahi activated on my desktop and wanted to discover services
from my notebook (e.g. conduit). Both avahi servers use the default
configuration (local domain).
Running avahi-discover from my notebook worked with activated firewall
on the host.
On the host itself _no_ services were discovered while the fw was
activated - deactivating fixed it.
Why that? A normal fw configuration (my fw runs fedora default config)
should not deny any packets from the inside, that are accepted from the
outside. But obviously it does.

any thoughts?

Christoph
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

"Peter Robinson" 11-14-2008 07:19 PM

fedora 10 avahi & firewall weirdness
 
> I hope someone can clarify this for me.
>
> I have avahi activated on my desktop and wanted to discover services
> from my notebook (e.g. conduit). Both avahi servers use the default
> configuration (local domain).
> Running avahi-discover from my notebook worked with activated firewall
> on the host.
> On the host itself _no_ services were discovered while the fw was
> activated - deactivating fixed it.
> Why that? A normal fw configuration (my fw runs fedora default config)
> should not deny any packets from the inside, that are accepted from the
> outside. But obviously it does.
>
> any thoughts?

I think Fedora 9 firewall would allow avahi discovery packets through
by default, Fedora 10 doesn't. You'd need to add the appropriate rules
back to allow the avahi traffic through.

Peter


Christoph Höger 11-14-2008 08:49 PM

fedora 10 avahi & firewall weirdness
 
> I think Fedora 9 firewall would allow avahi discovery packets through
> by default, Fedora 10 doesn't. You'd need to add the appropriate rules
> back to allow the avahi traffic through.

That would be totally sane, and I would understand that, but why are
packets from the outside allowed and not from the inside? Looks pretty
useless from a security point of view to me.


Ignacio Vazquez-Abrams 11-14-2008 10:18 PM

fedora 10 avahi & firewall weirdness
 
On Fri, 2008-11-14 at 22:49 +0100, Christoph Höger wrote:
> > I think Fedora 9 firewall would allow avahi discovery packets through
> > by default, Fedora 10 doesn't. You'd need to add the appropriate rules
> > back to allow the avahi traffic through.
>
> That would be totally sane, and I would understand that, but why are
> packets from the outside allowed and not from the inside? Looks pretty
> useless from a security point of view to me.

mDNS uses a "push" architecture, not a "pull" architecture. Systems
broadcast service availability instead of being polled for it. So when
you query your local mDNS resolver, it checks to see if any services
have been pushed for a given host/service. A non-firewalled system will
see all pushes; a firewalled system will see none.

--
Ignacio Vazquez-Abrams <ivazqueznet@gmail.com>

PLEASE don't CC me; I'm already subscribed

Christoph Höger 11-14-2008 10:58 PM

fedora 10 avahi & firewall weirdness
 
> mDNS uses a "push" architecture, not a "pull" architecture. Systems
> broadcast service availability instead of being polled for it. So when
> you query your local mDNS resolver, it checks to see if any services
> have been pushed for a given host/service. A non-firewalled system will
> see all pushes; a firewalled system will see none.

Ok, that explains why my non-firewalled notebook saw all services, but
why did I not see any localhost services? A push from localhost should
not be firewalled!

Ignacio Vazquez-Abrams 11-14-2008 11:25 PM

fedora 10 avahi & firewall weirdness
 
On Sat, 2008-11-15 at 00:58 +0100, Christoph Höger wrote:
> > mDNS uses a "push" architecture, not a "pull" architecture. Systems
> > broadcast service availability instead of being polled for it. So when
> > you query your local mDNS resolver, it checks to see if any services
> > have been pushed for a given host/service. A non-firewalled system will
> > see all pushes; a firewalled system will see none.
>
> Ok, that explains why my non-firewalled notebook saw all services, but
> why did I not see any localhost services? A push from localhost should
> not be firewalled!

Ah, but you see, the push isn't to localhost, it's to the broadcast
address, which *is* firewalled.

As to why avahi doesn't just enumerate them internally... that I don't
know.

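The firewall behaviour explained above, as an added example that is not part of this thread: a small first-match simulation of an iptables INPUT chain, run over a constructed ruleset with and without an accept rule for mDNS (UDP port 5353 to the multicast group 224.0.0.251). The rulesets and the interface name eth0 are assumptions; the point it shows is that the daemon's announcement arrives as a multicast datagram on the LAN interface, so the usual "-i lo" accept rule never matches it and the host's own push is rejected unless an explicit mDNS rule precedes the final REJECT.

```python
"""Simulate first-match iptables INPUT filtering for an inbound mDNS packet."""
import shlex

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353

# Constructed iptables-save excerpt (not copied from any Fedora release):
# NEW traffic is rejected unless a rule before the REJECT admits it.
RULES_BLOCKING = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Same ruleset with an mDNS accept rule inserted before the final REJECT.
RULES_FIXED = RULES_BLOCKING.replace(
    "-A INPUT -j REJECT",
    f"-A INPUT -m udp -p udp -d {MDNS_GROUP} --dport {MDNS_PORT} -j ACCEPT\n"
    "-A INPUT -j REJECT")

# How avahi's announcement looks to the INPUT chain: a NEW UDP datagram to the
# multicast group, seen on the LAN interface (assumed eth0), not on lo.
MDNS_PACKET = {"-p": "udp", "-d": MDNS_GROUP, "--dport": str(MDNS_PORT),
               "-i": "eth0", "--state": "NEW"}

def _rule_matches(tokens, packet):
    """Every match option present in the rule must agree with the packet."""
    for i, tok in enumerate(tokens):
        if tok in packet:
            want = tokens[i + 1]
            if tok == "--state":
                if packet[tok] not in want.split(","):
                    return False
            elif packet[tok] != want:
                return False
    return True

def mdns_verdict(rules, packet=MDNS_PACKET):
    """Return the INPUT-chain verdict ('ACCEPT', 'REJECT', ...) for packet."""
    policy = "ACCEPT"
    for line in rules.splitlines():
        tokens = shlex.split(line)
        if line.startswith(":INPUT"):
            policy = tokens[1]                      # chain default policy
        elif tokens[:2] == ["-A", "INPUT"] and _rule_matches(tokens, packet):
            return tokens[tokens.index("-j") + 1]   # first matching rule wins
    return policy
```

Running mdns_verdict on both rulesets gives REJECT for the original and ACCEPT once the mDNS rule is in place; the same packet with "-i" set to "lo" would have been accepted by the loopback rule, which is exactly why a loopback exception alone does not help here.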

Christoph Höger 11-15-2008 08:23 AM

fedora 10 avahi & firewall weirdness
 
Wait, a _broadcast_ push? Strange. Multicast would fit much better.

But ok, that means the local avahi daemon is blind and dumb when it comes to
local services and waits for its own broadcast push to fly in. Ok, that
solves the mystique.

thanks

Ignacio Vazquez-Abrams 11-15-2008 09:45 AM

fedora 10 avahi & firewall weirdness
 
On Sat, 2008-11-15 at 10:23 +0100, Christoph Höger wrote:
> Wait, a _broadcast_ push? Strange. Multicast would fit much better.

Sorry, yes, I meant multicast. That's what the "m" in mDNS stands for.

