Multicast UDP packets (MDNS/Bonjour protocol) blocked by default? #21

Closed
badgernaut opened this issue May 14, 2015 · 9 comments

Comments

@badgernaut

Hi,

Fedora 22 x86_64 (latest Beta): firewalld (v0.3.13-7.fc22) seems to be blocking the aforementioned packets, preventing the auto-discovery of local contacts in Empathy (default Fedora IM client), and also Gnome's "People Nearby" functionality (through control-centre->Online Accounts).

Is this expected? Are there some settings/config I can play with to get this to work?

Thanks,

@a4lg
Contributor

a4lg commented May 16, 2015

I think this is expected since it only allows SSH and DHCPv6 client by default (default configuration / default zone). You can do either:

  • Add MDNS service to allow list
  • Configure zones (other than default one)

Fortunately, firewalld has mdns service definition by default.

If you need to add the MDNS service to the "allow" list (in the default zone, public), run the following commands as root. I think this method works well for you (there is a GUI for firewalld but I haven't used it yet).

```
firewall-cmd --permanent --add-service=mdns; firewall-cmd --reload
```

Note that this allows MDNS on all connected networks (unless you configure zones) and you may need to configure zones to separate specific networks.

For more information (to configure firewalld), see firewalld documentation (e.g. manpage) and a Wiki page on the Fedora Project (https://fedoraproject.org/wiki/FirewallD).

@badgernaut
Author

Thanks; that makes sense.

I think this is an issue for the Gnome/Fedora people, to ensure they properly configure firewalld for the services they want to enable out of the box.

I'll take it to them.

Cheers,

badgernaut

@t-woerner
Collaborator

@badgernaut
mdns is enabled by default in the public and work zones in Fedora. Additionally there is a very open firewall configuration in the Workstation product since Fedora-21.

Since Fedora-22 there are no product-specific firewalld-config- sub-packages anymore, but the product-specific config file is linked to /etc/firewalld/firewalld.conf.

Which product are you using and which config file is linked to /etc/firewalld/firewalld.conf?

@a4lg
Instead of reloading, you could easily enable mdns at runtime and permanently:

```
firewall-cmd --add-service=mdns; firewall-cmd --permanent --add-service=mdns
```

One call without --permanent in the runtime environment and one with.

@badgernaut
Author

@t-woerner
I see the 'mdns' service is indeed specified in the FedoraWorkstation.xml zone (/etc/firewalld/firewalld.conf is linked to firewalld-workstation.conf, as expected).

I am trying to use Empathy which utilises the telepathy-salut stack underneath (for the Bonjour protocol).

Please see RH bug report for more detail: https://bugzilla.redhat.com/show_bug.cgi?id=1222469

Even though I can see this is defined in the zone, it still seems to block mDNS/Bonjour packets...

@erig0
Collaborator

erig0 commented Jun 1, 2018

@badgernaut, is this still an issue? The report is very old and the bugzilla issue is closed.

@jpeter01

jpeter01 commented Dec 25, 2018

In openSUSE 15.0 this is still an issue. I have the following configuration:

```
firewall-cmd --list-all
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: br0 eth0 tap0
  sources:
  services: ssh mdns samba-client dhcpv6-client apache2 apache2-ssl http https kdeconnect-kde minidlna nfs nfs3 openvpn pulseaudio samba sane upnp-client vnc-server tigervnc ipp ipp-client tigervnc-https apcupsd mountd rpc-bind
  ports: 6566/tcp 6566/udp 8200/tcp 1900/udp 10000-10100/tcp 10000-10100/udp 631/tcp 631/udp 8080/tcp 1194/tcp 30000-65535/udp 30000-65535/tcp 10000-60000/tcp 10000-60000/udp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```

The corresponding iptables rules are the following:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  anywhere             anywhere

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_home  all  --  anywhere             anywhere            [goto]
FWDI_home  all  --  anywhere             anywhere            [goto]
FWDI_home  all  --  anywhere             anywhere            [goto]
FWDI_home  all  --  anywhere             anywhere            [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_home  all  --  anywhere             anywhere            [goto]
FWDO_home  all  --  anywhere             anywhere            [goto]
FWDO_home  all  --  anywhere             anywhere            [goto]
FWDO_home  all  --  anywhere             anywhere            [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_home (4 references)
target     prot opt source               destination
FWDI_home_log  all  --  anywhere             anywhere
FWDI_home_deny  all  --  anywhere             anywhere
FWDI_home_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain FWDI_home_allow (1 references)
target     prot opt source               destination

Chain FWDI_home_deny (1 references)
target     prot opt source               destination

Chain FWDI_home_log (1 references)
target     prot opt source               destination

Chain FWDO_home (4 references)
target     prot opt source               destination
FWDO_home_log  all  --  anywhere             anywhere
FWDO_home_deny  all  --  anywhere             anywhere
FWDO_home_allow  all  --  anywhere             anywhere

Chain FWDO_home_allow (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW

Chain FWDO_home_deny (1 references)
target     prot opt source               destination

Chain FWDO_home_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_home    all  --  anywhere             anywhere            [goto]
IN_home    all  --  anywhere             anywhere            [goto]
IN_home    all  --  anywhere             anywhere            [goto]
IN_home    all  --  anywhere             anywhere            [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_home (4 references)
target     prot opt source               destination
IN_home_log  all  --  anywhere             anywhere
IN_home_deny  all  --  anywhere             anywhere
IN_home_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain IN_home_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-ns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-dgm ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:sesi-lm:cft-3 ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpts:sesi-lm:cft-3 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:trivnet1 ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ssdp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:nfs ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:nfs ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:nfs ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4713 ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-ns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-dgm ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sane-port ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp spt:ssdp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:rfb:5903 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5901 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ipp ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipp ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5801 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:apcupsd ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mountd ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:mountd ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sunrpc ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sunrpc ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sane-port ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sane-port ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:trivnet1 ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ssdp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:ndmp:itap-ddtp ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpts:ndmp:itap-ddtp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ipp ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:openvpn ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpts:30000:65535 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:ndmps:65535 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:ndmp:60000 ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpts:ndmp:60000 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW
ACCEPT     igmp --  anywhere             anywhere             ctstate NEW

Chain IN_home_deny (1 references)
target     prot opt source               destination

Chain IN_home_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination
```

The miniDLNA upnp doesn't show up when using a VPN connection, until firewalld is running. Sometimes it disappears from the LAN too. If firewalld is not running, the upnp shows up when I'm using the VPN.

@erig0
Collaborator

erig0 commented Feb 14, 2019

If symptoms occur while the VPN is active then it may be a routing issue. Can you verify that mdns packets are actually sent out to the LAN and not through the VPN?

Does mdns work while the VPN is NOT active?

@erig0
Collaborator

erig0 commented Jun 14, 2021

Closing this super old bug with no feedback. If you provide feedback then it can be reopened.

erig0 closed this as completed Jun 14, 2021
@slewsys

slewsys commented Oct 7, 2021

It appears that the local firewalld blocks mdns responses from the remote:

```
this-system$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources:
  services: cockpit dhcpv6-client dns mdns ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

this-system$ ssh that-system.local sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources:
  services: cockpit dhcpv6-client dns mdns ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

this-system$ systemctl is-active firewalld
active

this-system$ ssh that-system.local systemctl is-active firewalld
active

this-system$ dig +short +noedns -p 5353 @224.0.0.251 this-system.local
192.168.0.187

this-system$ dig +short +noedns -p 5353 @224.0.0.251 that-system.local
;; connection timed out; no servers could be reached

this-system$ sudo systemctl stop firewalld
this-system$ dig +short +noedns -p 5353 @224.0.0.251 that-system.local
192.168.0.162
```
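An offline check for the situation this thread keeps returning to, added here as an example (it is not code from the firewalld project or from any of the posters): it parses the text that `firewall-cmd --list-all` prints, in the layout of the listings above, reports whether the zone permits mDNS through the `mdns` service or a direct `5353/udp` port entry, and produces the runtime-plus-permanent pair of commands t-woerner recommended. The `--zone=` argument and the sample listing are my additions; the script reads saved output rather than calling firewall-cmd, so it runs without a firewall present.

```python
"""Offline check of a firewalld zone listing for mDNS (added example)."""
import re

MDNS_PORT = "5353/udp"  # the port the firewalld 'mdns' service definition opens

def parse_list_all(text):
    """Parse `firewall-cmd --list-all` output: header 'name' or 'name (active)',
    then 'key: values' lines, each stored as a list of tokens ('sources:' -> [])."""
    zone = {"name": None, "active": False}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if zone["name"] is None:
            m = re.match(r"(\S+)(?:\s+\((active)\))?$", line)
            if not m:
                raise ValueError("unexpected zone header: %r" % line)
            zone["name"], zone["active"] = m.group(1), m.group(2) == "active"
            continue
        key, _, value = line.partition(":")
        zone[key.strip()] = value.split()
    return zone

def mdns_allowed(zone):
    """True if the zone lists the mdns service or opens 5353/udp directly."""
    return "mdns" in zone.get("services", []) or MDNS_PORT in zone.get("ports", [])

def remediation(zone_name):
    """Runtime change plus permanent change, as recommended in the thread.
    The explicit --zone= argument is an addition; the thread's commands use the default zone."""
    return [
        "firewall-cmd --zone=%s --add-service=mdns" % zone_name,
        "firewall-cmd --zone=%s --permanent --add-service=mdns" % zone_name,
    ]

# Constructed sample listing in the same layout as the ones in this thread.
SAMPLE_NO_MDNS = """\
public (active)
  interfaces: eno1
  sources:
  services: dhcpv6-client ssh
  ports:
  rich rules:
"""

if __name__ == "__main__":
    z = parse_list_all(SAMPLE_NO_MDNS)
    print("\n".join(remediation(z["name"])) if not mdns_allowed(z) else "mdns already allowed")
```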
