Old 11-14-2008, 06:41 PM
Christoph Höger
 
fedora 10 avahi & firewall weirdness

Hi,

I hope someone can clarify this for me.

I have avahi activated on my desktop and wanted to discover services
from my notebook (e.g. conduit). Both avahi servers use the default
configuration (local domain).
Running avahi-discover from my notebook worked with activated firewall
on the host.
On the host itself _no_ services were discovered while the fw was
activated - deactivating fixed it.
Why is that? A normal fw configuration (my fw runs the Fedora default config)
should not deny any packets from the inside that are accepted from the
outside. But obviously it does.

Any thoughts?

Christoph
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 11-14-2008, 07:19 PM
Peter Robinson
 
fedora 10 avahi & firewall weirdness

> I hope someone can clarify this for me.
>
> I have avahi activated on my desktop and wanted to discover services
> from my notebook (e.g. conduit). Both avahi servers use the default
> configuration (local domain).
> Running avahi-discover from my notebook worked with activated firewall
> on the host.
> On the host itself _no_ services were discovered while the fw was
> activated - deactivating fixed it.
> Why is that? A normal fw configuration (my fw runs the Fedora default config)
> should not deny any packets from the inside that are accepted from the
> outside. But obviously it does.
>
> Any thoughts?

I think Fedora 9 firewall would allow avahi discovery packets through
by default, Fedora 10 doesn't. You'd need to add the appropriate rules
back to allow the avahi traffic through.

Peter

 
Old 11-14-2008, 08:49 PM
Christoph Höger
 
fedora 10 avahi & firewall weirdness

> I think Fedora 9 firewall would allow avahi discovery packets through
> by default, Fedora 10 doesn't. You'd need to add the appropriate rules
> back to allow the avahi traffic through.

That would be totally sane, and I would understand that, but why are
packets from the outside allowed and not from the inside? Looks pretty
useless from a security point of view to me.

 
Old 11-14-2008, 10:18 PM
Ignacio Vazquez-Abrams
 
fedora 10 avahi & firewall weirdness

On Fri, 2008-11-14 at 22:49 +0100, Christoph Höger wrote:
> > I think Fedora 9 firewall would allow avahi discovery packets through
> > by default, Fedora 10 doesn't. You'd need to add the appropriate rules
> > back to allow the avahi traffic through.
>
> That would be totally sane, and I would understand that, but why are
> packets from the outside allowed and not from the inside? Looks pretty
> useless from a security point of view to me.

mDNS uses a "push" architecture, not a "pull" architecture. Systems
broadcast service availability instead of being polled for it. So when
you query your local mDNS resolver, it checks to see if any services
have been pushed for a given host/service. A non-firewalled system will
see all pushes; a firewalled system will see none.

--
Ignacio Vazquez-Abrams <ivazqueznet@gmail.com>

PLEASE don't CC me; I'm already subscribed
 
Old 11-14-2008, 10:58 PM
Christoph Höger
 
fedora 10 avahi & firewall weirdness

> mDNS uses a "push" architecture, not a "pull" architecture. Systems
> broadcast service availability instead of being polled for it. So when
> you query your local mDNS resolver, it checks to see if any services
> have been pushed for a given host/service. A non-firewalled system will
> see all pushes; a firewalled system will see none.

Ok, that explains, why my non firewalled notebook saw all services, but
why did I not see any localhost services? A push from localhost should
not be firewalled!
 
Old 11-14-2008, 11:25 PM
Ignacio Vazquez-Abrams
 
fedora 10 avahi & firewall weirdness

On Sat, 2008-11-15 at 00:58 +0100, Christoph Höger wrote:
> > mDNS uses a "push" architecture, not a "pull" architecture. Systems
> > broadcast service availability instead of being polled for it. So when
> > you query your local mDNS resolver, it checks to see if any services
> > have been pushed for a given host/service. A non-firewalled system will
> > see all pushes; a firewalled system will see none.
>
> Ok, that explains, why my non firewalled notebook saw all services, but
> why did I not see any localhost services? A push from localhost should
> not be firewalled!

Ah, but you see, the push isn't to localhost, it's to the broadcast
address, which *is* firewalled.

As to why avahi doesn't just enumerate them internally... that I don't
know.

 
Old 11-15-2008, 08:23 AM
Christoph Höger
 
fedora 10 avahi & firewall weirdness

Wait, a _broadcast_ push? Strange. Multicast would fit much better.

But ok, that means the local avahi daemon is blind and dumb when it comes to
local services and waits for its own broadcast push to fly in. Ok, that
solves the mystery.

thanks
 
Old 11-15-2008, 09:45 AM
Ignacio Vazquez-Abrams
 
fedora 10 avahi & firewall weirdness

On Sat, 2008-11-15 at 10:23 +0100, Christoph Höger wrote:
> Wait, a _broadcast_ push? Strange. Multicast would fit much better.

Sorry, yes, I meant multicast. That's what the "m" in mDNS stands for.

 

Thread Tools




All times are GMT. The time now is 06:53 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org