fedora 10 avahi & firewall weirdness
Hi,
I hope someone can clarify this for me. I have avahi activated on my desktop and wanted to discover services from my notebook (e.g. conduit). Both avahi servers use the default configuration (local domain).

Running avahi-discover from my notebook worked with activated firewall on the host. On the host itself _no_ services were discovered while the fw was activated - deactivating fixed it.

Why that? A normal fw configuration (my fw runs fedora default config) should not deny any packets from the inside that are accepted from the outside. But obviously it does.

any thoughts?

Christoph

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
fedora 10 avahi & firewall weirdness
> I hope someone can clarify this for me.
>
> I have avahi activated on my desktop and wanted to discover services
> from my notebook (e.g. conduit). Both avahi servers use the default
> configuration (local domain).
> Running avahi-discover from my notebook worked with activated firewall
> on the host.
> On the host itself _no_ services were discovered while the fw was
> activated - deactivating fixed it.
> Why that? A normal fw configuration (my fw runs fedora default config)
> should not deny any packets from the inside that are accepted from the
> outside. But obviously it does.
>
> any thoughts?

I think the Fedora 9 firewall would allow avahi discovery packets through by default; Fedora 10 doesn't. You'd need to add the appropriate rules back to allow the avahi traffic through.

Peter
fedora 10 avahi & firewall weirdness
> I think the Fedora 9 firewall would allow avahi discovery packets through
> by default; Fedora 10 doesn't. You'd need to add the appropriate rules
> back to allow the avahi traffic through.

That would be totally sane, and I would understand that, but why are packets from the outside allowed and not from the inside? Looks pretty useless from a security point of view to me.
fedora 10 avahi & firewall weirdness
On Fri, 2008-11-14 at 22:49 +0100, Christoph Höger wrote:
> > I think the Fedora 9 firewall would allow avahi discovery packets through
> > by default; Fedora 10 doesn't. You'd need to add the appropriate rules
> > back to allow the avahi traffic through.
>
> That would be totally sane, and I would understand that, but why are
> packets from the outside allowed and not from the inside? Looks pretty
> useless from a security point of view to me.

mDNS uses a "push" architecture, not a "pull" architecture. Systems broadcast service availability instead of being polled for it. So when you query your local mDNS resolver, it checks to see if any services have been pushed for a given host/service. A non-firewalled system will see all pushes; a firewalled system will see none.

--
Ignacio Vazquez-Abrams <ivazqueznet@gmail.com>
PLEASE don't CC me; I'm already subscribed
fedora 10 avahi & firewall weirdness
> mDNS uses a "push" architecture, not a "pull" architecture. Systems
> broadcast service availability instead of being polled for it. So when
> you query your local mDNS resolver, it checks to see if any services
> have been pushed for a given host/service. A non-firewalled system will
> see all pushes; a firewalled system will see none.

Ok, that explains why my non-firewalled notebook saw all services, but why did I not see any localhost services? A push from localhost should not be firewalled!
fedora 10 avahi & firewall weirdness
On Sat, 2008-11-15 at 00:58 +0100, Christoph Höger wrote:
> > mDNS uses a "push" architecture, not a "pull" architecture. Systems
> > broadcast service availability instead of being polled for it. So when
> > you query your local mDNS resolver, it checks to see if any services
> > have been pushed for a given host/service. A non-firewalled system will
> > see all pushes; a firewalled system will see none.
>
> Ok, that explains why my non-firewalled notebook saw all services, but
> why did I not see any localhost services? A push from localhost should
> not be firewalled!

Ah, but you see, the push isn't to localhost, it's to the broadcast address, which *is* firewalled. As to why avahi doesn't just enumerate them internally... that I don't know.

--
Ignacio Vazquez-Abrams <ivazqueznet@gmail.com>
PLEASE don't CC me; I'm already subscribed
fedora 10 avahi & firewall weirdness
Wait, a _broadcast_ push? Strange. Multicast would fit much better.
But ok, that means the local avahi daemon is blind and dumb when it comes to local services and waits for its own broadcast push to fly in. Ok, that solves the mystique.

thanks
fedora 10 avahi & firewall weirdness
On Sat, 2008-11-15 at 10:23 +0100, Christoph Höger wrote:
> Wait, a _broadcast_ push? Strange. Multicast would fit much better.

Sorry, yes, I meant multicast. That's what the "m" in mDNS stands for.

--
Ignacio Vazquez-Abrams <ivazqueznet@gmail.com>
PLEASE don't CC me; I'm already subscribed
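To make the multicast point concrete, here is an added example (not code from the thread or from avahi) that builds the DNS-SD service-enumeration query avahi-browse sends and decodes it again. The group address 224.0.0.251, port 5353 and the `_services._dns-sd._udp.local` name are the standard mDNS/DNS-SD values (RFC 6762/6763); everything in the block is constructed for illustration.

```python
"""Build and decode an mDNS/DNS-SD PTR query (constructed example)."""
import struct

MDNS_GROUP = "224.0.0.251"   # IPv4 link-local multicast group for mDNS (RFC 6762)
MDNS_PORT = 5353
SERVICE_ENUM = "_services._dns-sd._udp.local"  # DNS-SD "list all service types"
QTYPE_PTR = 12
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_ptr_query(name: str = SERVICE_ENUM) -> tuple:
    """Return (destination, port, wire bytes) of a multicast PTR query.

    The query is addressed to the group, not to 127.0.0.1, and responders
    multicast their answers to the same group. A host therefore has to accept
    inbound UDP 5353 to 224.0.0.251 even to hear records from its own daemon,
    which is exactly the traffic a default-deny INPUT chain drops."""
    header = struct.pack(">HHHHHH", 0, 0, 1, 0, 0, 0)  # id 0, flags 0, 1 question
    question = encode_name(name) + struct.pack(">HH", QTYPE_PTR, QCLASS_IN)
    return MDNS_GROUP, MDNS_PORT, header + question


def decode_name(data: bytes, offset: int) -> tuple:
    """Decode a (possibly compressed) name at offset; return (name, next offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_question(packet: bytes) -> tuple:
    """Parse the first question of a DNS/mDNS packet -> (name, qtype, qclass)."""
    name, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack(">HH", packet[off:off + 4])
    return name, qtype, qclass
```

The firewall rule Peter refers to has to accept this packet on the way back in, i.e. UDP destination port 5353 to 224.0.0.251, rather than anything addressed to the host itself.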