Bug 727327

Summary: mdns port rule too strict
Product: Fedora
Component: system-config-firewall
Version: 15
Reporter: Ferry Huberts <mailings>
Assignee: Thomas Woerner <twoerner>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: twoerner
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-08-07 20:06:26 UTC
Attachments:
mdns query of HP 2840 (unicast response)

Description Ferry Huberts 2011-08-01 20:10:32 UTC
Description of problem:
I cannot access my HP all-in-one networked scanner through xsane because the mdns firewall rule is too strict

Version-Release number of selected component (if applicable):


How reproducible:
use a fresh install, set up an HP JetDirect-connected scanner, start up xsane, cannot connect to scanner

Steps to Reproduce:
1. see above

Actual results:
cannot connect

Expected results:
connect

Additional info:

the rule (from iptables -L -n -v --line-numbers):
4       52  3240 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         state NEW udp dpt:5353 

is too strict.

removing the mdns port rule in system-config-firewall and also adding the custom port 5353/udp makes it work.
this is because the printer/scanner answers on its unicast IP address, mDNS port, so the mDNS port must be allowed for all addresses (at least on the local LAN)

Aug  1 21:41:35 stinkpad kernel: [82379.884937] IN=wlan0 OUT= MAC=00:19:d2:97:60:4b:00:1a:4b:2e:18:17:08:00 SRC=192.168.163.1 DST=192.168.180.11 LEN=70 TOS=0x00 PREC=0x00 TTL=0 ID=13989 PROTO=UDP SPT=5353 DPT=5353 LEN=50

Comment 1 Ferry Huberts 2011-08-01 20:11:58 UTC
> Version-Release number of selected component (if applicable):

system-config-firewall.noarch   1.2.29-3.fc15

Comment 2 Ferry Huberts 2011-09-23 14:14:59 UTC
ping

this also prevents users from discovering/adding network printers....

please bump the severity

Comment 3 Thomas Woerner 2011-09-26 16:26:27 UTC
Currently there is no way to specify that port 5353 is open for everyone on the local lan only. This will change as soon as firewalld with the zone model will be part of Fedora. But a second mDNS service entry is then needed to support bad devices.

Comment 4 Ferry Huberts 2011-09-26 17:17:38 UTC
Created attachment 524947 [details]
mdns query of HP 2840 (unicast response)

you're right, this is a bad device: it sends a unicast response while it should have sent a multicast response

I made a wireshark trace, attached.

I've submitted a bug to HP (which I expect they will never fix)

It would be nice though to be somehow able to allow this to work ;-)

Comment 5 Thomas Woerner 2011-09-27 10:23:07 UTC
To make this work for now, please open 5353/udp using "Other Ports". This will open up the port for everyone.
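To make the thread's point concrete, here is an added example (not code from this bug, from system-config-firewall or from firewalld) that evaluates the logged packet from the description against the three rule sets discussed: the strict mdns rule that only accepts traffic to 224.0.0.251, the "Other Ports" 5353/udp workaround from this comment, and a LAN-scoped rule of the kind Comment 3 says the firewalld zone model will allow. The log line is the one quoted in the description; the LAN subnet (192.168.0.0/16), the multicast query and the outside probe (a TEST-NET-3 address) are constructed assumptions, since the report does not state the subnet.

```python
import ipaddress
import re

# Sample input: the netfilter LOG line quoted in the bug description,
# reproduced verbatim (same format as kernel iptables LOG output).
UNICAST_REPLY_LOG = (
    "Aug  1 21:41:35 stinkpad kernel: [82379.884937] IN=wlan0 OUT= "
    "MAC=00:19:d2:97:60:4b:00:1a:4b:2e:18:17:08:00 SRC=192.168.163.1 "
    "DST=192.168.180.11 LEN=70 TOS=0x00 PREC=0x00 TTL=0 ID=13989 "
    "PROTO=UDP SPT=5353 DPT=5353 LEN=50"
)

# Assumption: the local LAN is 192.168.0.0/16. The report only says the port
# should be open "at least on the local LAN" and never states the subnet.
LAN = "192.168.0.0/16"


def parse_netfilter_log(line):
    """Extract the KEY=VALUE fields of a netfilter LOG line into a packet dict."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    return {
        "src": ipaddress.ip_address(fields["SRC"]),
        "dst": ipaddress.ip_address(fields["DST"]),
        "proto": fields["PROTO"].lower(),
        "sport": int(fields["SPT"]),
        "dport": int(fields["DPT"]),
    }


def packet(src, dst, proto="udp", sport=5353, dport=5353):
    """Build a packet dict directly for the constructed comparison cases."""
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "sport": sport,
        "dport": dport,
    }


class AcceptRule:
    """One iptables-style ACCEPT rule: protocol, destination port, optional src/dst nets."""

    def __init__(self, proto, dport, src="0.0.0.0/0", dst="0.0.0.0/0"):
        self.proto = proto
        self.dport = dport
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)

    def matches(self, pkt):
        return (
            pkt["proto"] == self.proto
            and pkt["dport"] == self.dport
            and pkt["src"] in self.src
            and pkt["dst"] in self.dst
        )


# The rule sets discussed in the thread. Each list holds the ACCEPT rules in
# chain order; a packet matching none of them falls through to the reject.
POLICIES = {
    # system-config-firewall's "mdns" entry: only traffic TO the mDNS group.
    "mdns-strict": [AcceptRule("udp", 5353, dst="224.0.0.251/32")],
    # Comment 5 workaround: "Other Ports" 5353/udp, open to every source.
    "other-ports-5353": [AcceptRule("udp", 5353, dst="224.0.0.251/32"),
                         AcceptRule("udp", 5353)],
    # A zone-scoped rule of the kind Comment 3 describes: unicast mDNS
    # accepted only from the assumed LAN subnet.
    "mdns-lan-only": [AcceptRule("udp", 5353, dst="224.0.0.251/32"),
                      AcceptRule("udp", 5353, src=LAN)],
}


def accepted(policy_name, pkt):
    """First-match semantics: True if any ACCEPT rule in the policy matches."""
    return any(rule.matches(pkt) for rule in POLICIES[policy_name])


def compare_policies():
    """Evaluate three packet cases against every policy; returns {policy: {case: bool}}."""
    cases = {
        # The HP's non-compliant unicast reply, taken from the report's log line.
        "unicast-reply": parse_netfilter_log(UNICAST_REPLY_LOG),
        # A normal multicast mDNS query from a LAN host (constructed).
        "multicast-query": packet("192.168.163.1", "224.0.0.251"),
        # A probe to udp/5353 from outside the LAN (constructed, TEST-NET-3 address).
        "internet-probe": packet("203.0.113.5", "192.168.180.11", sport=40000),
    }
    return {
        policy: {name: accepted(policy, pkt) for name, pkt in cases.items()}
        for policy in POLICIES
    }


if __name__ == "__main__":
    for policy, results in compare_policies().items():
        verdicts = ", ".join(f"{k}={'ACCEPT' if v else 'DROP'}" for k, v in results.items())
        print(f"{policy:18} {verdicts}")
```

Running the script shows the trade-off the thread describes: the strict rule drops the scanner's unicast reply, the "Other Ports" workaround accepts it but also accepts the probe from outside the LAN, and the LAN-scoped rule accepts the reply while still dropping the outside probe.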

Comment 6 Fedora End Of Life 2012-08-07 20:06:28 UTC
This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping