
Comments (9)

a4lg commented on May 20, 2024

I think this is expected since it only allows SSH and DHCPv6 client by default (default configuration / default zone). You can do either:

  • Add MDNS service to allow list
  • Configure zones (other than default one)

Fortunately, firewalld has mdns service definition by default.

If you need to add the MDNS service to the "allow" list (in the default zone, public), run the following commands as root. I think this method works well for you (there is a GUI for firewalld but I haven't used it yet).

```
firewall-cmd --permanent --add-service=mdns; firewall-cmd --reload
```

Note that this allows MDNS on all connected networks (unless you configure zones), and you may need to configure zones to separate specific networks.

For more information (to configure firewalld), see firewalld documentation (e.g. manpage) and a Wiki page on the Fedora Project (https://fedoraproject.org/wiki/FirewallD).

from firewalld.

badgernaut commented on May 20, 2024

Thanks; that makes sense.

I think this is an issue for the Gnome/Fedora people, to ensure they properly configure firewalld for the services they want to enable out of the box.

I'll take it to them.

Cheers,

badgernaut


t-woerner commented on May 20, 2024

@badgernaut
mdns is enabled by default in the public and work zones in Fedora. Additionally there is a very open firewall configuration in the Workstation product since Fedora-21.

Since Fedora-22 there are no product specific firewalld-config- sub packages anymore, but the product specific config file is linked to /etc/firewalld/firewalld.conf.

Which product are you using and which config file is linked to /etc/firewalld/firewalld.conf?

@a4lg
Instead of reloading, you could easily enable mdns both at runtime and permanently:

```
firewall-cmd --add-service=mdns; firewall-cmd --permanent --add-service=mdns
```

One call without --permanent for the runtime environment and one with it.


badgernaut commented on May 20, 2024

@t-woerner
I see the 'mdns' service is indeed specified in the FedoraWorkstation.xml zone (/etc/firewalld/firewalld.conf is linked to firewalld-workstation.conf, as expected).

I am trying to use Empathy which utilises the telepathy-salut stack underneath (for the Bonjour protocol).

Please see RH bug report for more detail: https://bugzilla.redhat.com/show_bug.cgi?id=1222469

Even though I can see this is defined in the zone, it still seems to block mDNS/Bonjour packets...


erig0 commented on May 20, 2024

@badgernaut, Is this still an issue? The report is very old and the bugzilla issue is closed.


jpeter01 commented on May 20, 2024

In openSUSE 15.0 this is still an issue. I have the following configuration:

```
firewall-cmd --list-all
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: br0 eth0 tap0
  sources:
  services: ssh mdns samba-client dhcpv6-client apache2 apache2-ssl http https kdeconnect-kde minidlna nfs nfs3 openvpn pulseaudio samba sane upnp-client vnc-server tigervnc ipp ipp-client tigervnc-https apcupsd mountd rpc-bind
  ports: 6566/tcp 6566/udp 8200/tcp 1900/udp 10000-10100/tcp 10000-10100/udp 631/tcp 631/udp 8080/tcp 1194/tcp 30000-65535/udp 30000-65535/tcp 10000-60000/tcp 10000-60000/udp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```

The corresponding iptables rules are in the following:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  anywhere             anywhere

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_home  all  --  anywhere             anywhere            [goto]
FWDI_home  all  --  anywhere             anywhere            [goto]
FWDI_home  all  --  anywhere             anywhere            [goto]
FWDI_home  all  --  anywhere             anywhere            [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_home  all  --  anywhere             anywhere            [goto]
FWDO_home  all  --  anywhere             anywhere            [goto]
FWDO_home  all  --  anywhere             anywhere            [goto]
FWDO_home  all  --  anywhere             anywhere            [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_home (4 references)
target     prot opt source               destination
FWDI_home_log  all  --  anywhere             anywhere
FWDI_home_deny  all  --  anywhere             anywhere
FWDI_home_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain FWDI_home_allow (1 references)
target     prot opt source               destination

Chain FWDI_home_deny (1 references)
target     prot opt source               destination

Chain FWDI_home_log (1 references)
target     prot opt source               destination

Chain FWDO_home (4 references)
target     prot opt source               destination
FWDO_home_log  all  --  anywhere             anywhere
FWDO_home_deny  all  --  anywhere             anywhere
FWDO_home_allow  all  --  anywhere             anywhere

Chain FWDO_home_allow (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW

Chain FWDO_home_deny (1 references)
target     prot opt source               destination

Chain FWDO_home_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_home    all  --  anywhere             anywhere            [goto]
IN_home    all  --  anywhere             anywhere            [goto]
IN_home    all  --  anywhere             anywhere            [goto]
IN_home    all  --  anywhere             anywhere            [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_home (4 references)
target     prot opt source               destination
IN_home_log  all  --  anywhere             anywhere
IN_home_deny  all  --  anywhere             anywhere
IN_home_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain IN_home_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-ns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-dgm ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:sesi-lm:cft-3 ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpts:sesi-lm:cft-3 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:trivnet1 ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ssdp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:nfs ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:nfs ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:nfs ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4713 ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-ns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-dgm ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sane-port ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp spt:ssdp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:rfb:5903 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5901 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ipp ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipp ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5801 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:apcupsd ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mountd ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:mountd ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sunrpc ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sunrpc ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sane-port ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sane-port ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:trivnet1 ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ssdp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:ndmp:itap-ddtp ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpts:ndmp:itap-ddtp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ipp ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:openvpn ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpts:30000:65535 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:ndmps:65535 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:ndmp:60000 ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpts:ndmp:60000 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW
ACCEPT     igmp --  anywhere             anywhere             ctstate NEW

Chain IN_home_deny (1 references)
target     prot opt source               destination

Chain IN_home_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination
```

The miniDLNA UPnP doesn't show up when using a VPN connection, until firewalld is running. Sometimes it disappears from the LAN too. If firewalld is not running, the UPnP shows up when I'm using the VPN.

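A point worth checking in the listing above before blaming firewalld: the IN_home_allow chain ends with `ACCEPT tcp`, `ACCEPT udp` and `ACCEPT igmp` rules that carry only `ctstate NEW` and no port match, next to ranges such as `udp dpts:30000:65535`. A zone whose allow chain contains those rules accepts essentially any new inbound TCP or UDP connection, so the mdns entry in the services list is not what decides whether mDNS/SSDP traffic gets in, and a routing explanation (as suggested in the next comment) becomes more plausible. The following script is an added example written for this page, not code from firewalld or from anyone in the thread; it parses the plain `iptables -L` text format and flags such catch-all accepts and wide numeric port ranges. SAMPLE_LISTING is a constructed excerpt modelled on the dump above.

```python
# Audit an `iptables -L` listing for firewalld allow rules that match everything.
# Added example by the editor, not code from firewalld or from the thread.
# SAMPLE_LISTING is a constructed excerpt modelled on the dump in the thread.
import re
from dataclasses import dataclass

SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
INPUT_ZONES  all  --  anywhere             anywhere

Chain IN_home_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpts:30000:65535 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW
ACCEPT     igmp --  anywhere             anywhere             ctstate NEW

Chain IN_home_deny (1 references)
target     prot opt source               destination
"""

@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    source: str
    destination: str
    extras: str  # trailing match text, e.g. "udp dpt:mdns ctstate NEW"

def parse_iptables_listing(text):
    """Parse the human-readable `iptables -L` format into Rule objects."""
    rules, chain = [], None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            chain = m.group(1)
            continue
        parts = line.rstrip().split(None, 5)
        if chain is None or len(parts) < 5 or parts[0] == "target":
            continue  # blank line or column header
        target, proto, _opt, src, dst = parts[:5]
        extras = parts[5].strip() if len(parts) == 6 else ""
        rules.append(Rule(chain, target, proto, src, dst, extras))
    return rules

def is_catch_all(rule):
    """ACCEPT with no source, destination or port restriction at all."""
    if rule.target != "ACCEPT":
        return False
    if rule.source != "anywhere" or rule.destination != "anywhere":
        return False
    if re.search(r"\b[ds]pts?:", rule.extras):  # dpt:, dpts:, spt:, spts:
        return False
    # firewalld generates these rules per service/port; only "ctstate NEW"
    # (or nothing at all) left over means the rule matches every new packet.
    return rule.extras.replace("ctstate NEW", "").strip() == ""

def catch_all_accepts(text, chain_suffix="_allow"):
    """Catch-all ACCEPTs in firewalld's per-zone *_allow chains."""
    return [r for r in parse_iptables_listing(text)
            if r.chain.endswith(chain_suffix) and is_catch_all(r)]

def wide_port_ranges(text, min_width=1024):
    """Numeric dpts:a:b ranges covering at least min_width ports."""
    found = []
    for r in parse_iptables_listing(text):
        m = re.search(r"dpts:(\d+):(\d+)", r.extras)
        if m and int(m.group(2)) - int(m.group(1)) + 1 >= min_width:
            found.append((r.chain, r.proto, int(m.group(1)), int(m.group(2))))
    return found

if __name__ == "__main__":
    for r in catch_all_accepts(SAMPLE_LISTING):
        print(f"catch-all: {r.chain} {r.proto} {r.extras!r}")
    for chain, proto, lo, hi in wide_port_ranges(SAMPLE_LISTING):
        print(f"wide range: {chain} {proto} {lo}-{hi} ({hi - lo + 1} ports)")
```

Feed it real output with `iptables -L -n` so that port ranges appear numerically (names such as `ndmp:60000` are skipped by the range check). The bare `ACCEPT all` rules in INPUT and FORWARD are deliberately not flagged: `-L` without `-v` hides interface matches, so that listing cannot distinguish a loopback-only rule from a real catch-all.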

erig0 commented on May 20, 2024

If symptoms occur while the VPN is active then it may be a routing issue. Can you verify that mdns packets are actually sent out to the LAN and not through the VPN?

Does mdns work while the VPN is NOT active?


erig0 commented on May 20, 2024

Closing this super old bug with no feedback. If you provide feedback then it can be reopened.


slewsys commented on May 20, 2024

It appears that the local firewalld blocks mdns responses from the remote:

```
this-system$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eno1
sources:
services: cockpit dhcpv6-client dns mdns ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

this-system$ ssh that-system.local sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eno1
sources:
services: cockpit dhcpv6-client dns mdns ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

this-system$ systemctl is-active firewalld
active

this-system$ ssh that-system.local systemctl is-active firewalld
active

this-system$ dig +short +noedns -p 5353 @224.0.0.251 this-system.local
192.168.0.187

this-system$ dig +short +noedns -p 5353 @224.0.0.251 that-system.local
;; connection timed out; no servers could be reached

this-system$ sudo systemctl stop firewalld
this-system$ dig +short +noedns -p 5353 @224.0.0.251 that-system.local
192.168.0.162
```

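The exchange above is consistent with how firewalld's `mdns` service is defined and how dig queries, and the example below (added for this page; it is not code from firewalld, avahi or anyone in the thread) models it. `dig -p 5353 @224.0.0.251` sends the query from a random ephemeral port to the multicast group. Per RFC 6762 section 6.7 a responder treats a query arriving from a port other than 5353 as a legacy unicast query and answers by unicast, from its own address, to that port. firewalld's `mdns` service is udp/5353 restricted to destination 224.0.0.251 (ff02::fb for IPv6), exactly the `udp dpt:mdns` rule with destination 224.0.0.251 visible in the iptables dump earlier in this thread. The unicast reply therefore matches neither that rule (its destination is the host's own address) nor conntrack's `RELATED,ESTABLISHED` (its source is that-system's address, not the multicast group the query was sent to), so the zone's default target rejects it, and the lookup only succeeds once firewalld is stopped. The local name still resolves because that answer arrives over loopback, which firewalld accepts. The script builds the same kind of query dig sends, parses a response, and applies that rule and conntrack model to both the dig-style exchange and a normal port-5353 multicast exchange; the response bytes, the ephemeral port and the host names are constructed (the two addresses are the ones shown above).

```python
# mDNS query/reply handling plus a model of firewalld's mdns rule and conntrack.
# Added example by the editor, not code from firewalld, avahi or the thread;
# the response bytes, ephemeral port and host names are constructed/assumed.
import random, socket, struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
TYPE_A, CLASS_IN = 1, 1
THIS_HOST, THAT_HOST = "192.168.0.187", "192.168.0.162"  # addresses from the thread
EPHEMERAL = 40123  # constructed; dig picks a random source port

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, txid, unicast_response=False):
    """One-question query; the QU bit (top bit of QCLASS) requests a unicast reply."""
    qclass = CLASS_IN | (0x8000 if unicast_response else 0)
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, qclass)

def build_response(txid, name, ipv4, ttl=120):
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # QR=1, AA=1, no question
    rr = struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(ipv4)
    return header + encode_name(name) + rr

def decode_name(data, offset):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode())
        offset += length

def parse_a_records(data):
    """Return [(name, ipv4)] from the answer section of a response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):
        _, off = decode_name(data, off)
        off += 4  # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == TYPE_A and (rclass & 0x7FFF) == CLASS_IN:  # mask cache-flush bit
            records.append((name, socket.inet_ntoa(data[off:off + 4])))
        off += rdlen
    return records

def mdns_service_matches(dst_ip, proto, dport):
    """firewalld's mdns service: udp/5353 with destination 224.0.0.251 or ff02::fb."""
    return proto == "udp" and dport == MDNS_PORT and dst_ip in (MDNS_GROUP, "ff02::fb")

def conntrack_established(query, reply):
    """A UDP reply is ESTABLISHED only if it is the exact reverse of the query tuple."""
    src_ip, sport, dst_ip, dport = query
    return reply == (dst_ip, dport, src_ip, sport)

def inbound_verdict(query, reply):
    """Verdict for an inbound reply in a target=default zone that allows mdns."""
    if conntrack_established(query, reply):
        return "ACCEPT (ctstate ESTABLISHED)"
    if mdns_service_matches(reply[2], "udp", reply[3]):
        return "ACCEPT (mdns service)"
    return "REJECT (zone default target)"

def scenario():
    """The dig exchange from the thread versus a regular port-5353 mDNS exchange."""
    # dig: ephemeral source port -> multicast group. RFC 6762 6.7 makes the
    # responder treat this as a legacy unicast query and answer unicast to that port.
    dig_query = (THIS_HOST, EPHEMERAL, MDNS_GROUP, MDNS_PORT)
    dig_reply = (THAT_HOST, MDNS_PORT, THIS_HOST, EPHEMERAL)
    # avahi style: both sides use 5353 and the reply is multicast.
    mc_query = (THIS_HOST, MDNS_PORT, MDNS_GROUP, MDNS_PORT)
    mc_reply = (THAT_HOST, MDNS_PORT, MDNS_GROUP, MDNS_PORT)
    return {"dig_style": inbound_verdict(dig_query, dig_reply),
            "multicast": inbound_verdict(mc_query, mc_reply)}

def legacy_unicast_query(name, timeout=2.0):
    """Live version of the dig command; needs a LAN with an mDNS responder."""
    txid = random.randrange(1, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (MDNS_GROUP, MDNS_PORT))
        data, peer = s.recvfrom(4096)  # socket.timeout here is what dig reported
    return peer, parse_a_records(data)
```

`scenario()` returns a rejection for the dig-style reply and an accept via the mdns service for the multicast one. The practical check is to resolve the name the way the local stack does, for example `avahi-resolve-host-name that-system.local`, which queries from port 5353 and receives multicast answers that the `mdns` service rule does match; a dig from an ephemeral port is not a fair test of whether mDNS is allowed through firewalld.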
