Red Hat Bugzilla – Bug 444427
Avahi blocked by Firewall
Last modified: 2013-08-20 02:19:55 EDT
The Fedora9 default firewall rules block all usage of the avahi daemon. This
includes the user-share feature but also advertised VNC and SSH servers. To
work, avahi needs port 5353 (udp) open.
I believe this is by design and not a bug.
Lennart is this correct?
We need smarter firewall handling, and allow applications to plug holes,
probably under PolicyKit control. This has been on the wishlist for a long time...
I can understand the "by design" part. But IIRC gnome-user-share was installed
by default when I installed Fedora9Pre from CD and shipping default apps which
do not work out of the box is a bad idea IMHO. At least, add a note to the
(In reply to comment #1)
> I believe this is by design and not a bug.
> Lennart is this correct?
It's not my design, to say the least.
Ubuntu opened up port 5353 by default. And I think we should do the same. The
whole idea of zeroconf is "zero configuration", i.e. expecting the user to
toggle a few switches in the firewall configuration defeats the whole point I
I wasn't aware that we install a firewall by default (I certainly have none on
my machine). So I would recommend opening udp 5353 for mDNS.
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
IMHO opening up ports by default is not a good idea. Especially for users who have
a direct connection to the internet. We certainly do not want to broadcast mdns
into the wild...
We try to make sure in Avahi that mDNS data does not leak onto the Internet and
no data from the Internet can poison our mDNS caches. We do this by checking
TTLs, ignoring all network interfaces that are not ethernet and all packets
where the source address is not on a local network and similar mechanisms. Of
course, there will always be a risk, but Avahi tries to make sure it is minimal.
If you want 100% security then you probably should not be connecting your
computer to a network anyway.
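The three filters the previous comment lists (interface type, source address on a local network, TTL) as an added illustration that is not Avahi's own code; the TTL value 255 is assumed from RFC 6762, and the packets and networks are constructed sample data:

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class MdnsDatagram:
    """Constructed model of a received mDNS datagram (not Avahi's structures)."""
    iface: str        # interface the packet arrived on
    iface_type: str   # "ethernet", "ppp", "tun", ...
    src: str          # source IP address as a string
    ttl: int          # IP TTL as seen on receipt


def accept_mdns_datagram(pkt, local_networks):
    """Return (accepted, reason) for one datagram.

    local_networks maps an interface name to the CIDR prefixes configured on
    it. Order mirrors the comment: interface type, then source address, then
    TTL. The 255 requirement is an assumption taken from RFC 6762 section 11;
    the comment only says that TTLs are checked.
    """
    if pkt.iface_type != "ethernet":
        return False, f"{pkt.iface}: interface type {pkt.iface_type} is ignored"
    src = ipaddress.ip_address(pkt.src)
    nets = [ipaddress.ip_network(n) for n in local_networks.get(pkt.iface, [])]
    if not any(src in n for n in nets):
        return False, f"{pkt.iface}: source {pkt.src} is not on a local network"
    if pkt.ttl != 255:
        return False, f"{pkt.iface}: TTL {pkt.ttl} means the packet was routed"
    return True, "accepted"


def filter_batch(pkts, local_networks):
    """Apply accept_mdns_datagram to each packet and return the verdicts."""
    return [accept_mdns_datagram(p, local_networks) for p in pkts]


# Constructed sample: one interface with a private /24, four datagrams.
LOCAL_NETWORKS = {"eth0": ["192.168.1.0/24"]}
SAMPLE_PACKETS = [
    MdnsDatagram("eth0", "ethernet", "192.168.1.20", 255),  # legitimate neighbour
    MdnsDatagram("eth0", "ethernet", "203.0.113.7", 255),   # off-link source
    MdnsDatagram("eth0", "ethernet", "192.168.1.30", 64),   # TTL decremented
    MdnsDatagram("ppp0", "ppp", "10.64.0.1", 255),          # non-ethernet link
]

if __name__ == "__main__":
    for pkt, (ok, why) in zip(SAMPLE_PACKETS, filter_batch(SAMPLE_PACKETS, LOCAL_NETWORKS)):
        print("ACCEPT" if ok else "DROP  ", why)
```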
This is still an issue on Fedora 10 Snapshot 1. More interestingly, I believe it worked on the liveCD, and then failed when installed.
Since seen in Fedora 10 Snap1 changing version to "rawhide"
Reading the comments I still can't determine what the decision is to opening the firewall by default for Avahi. If we aren't going to open it by default, shouldn't this bug be closed?
If you aren't going to open the firewall, the DAAP plugin should be disabled in rhythmbox.
I really believe the firewall should allow udp 5353, but I guess I already explained that.
I am tempted to simply reassign this bug to the firewall package and leave this to its maintainer. However, I don't really know which package that would be. Anyone?
Okay, changing component to system-config-firewall.
That still leaves the solution half-broken, where the services offered on the computer and advertised through Avahi will be blocked by the firewall. Shares through gnome-user-share, music through Rhythmbox' DAAP, Vino's Desktop sharing etc.
Reassigning to Anaconda, since it's responsible for initial firewall setup. Leaving 5353/udp open by default doesn't solve all our mDNS issues (such as allowing advertised services to do something useful), but it does deal with the pretty typical home user cases of wanting to use a service on the local network that's being announced via DAAP such as any number of off the shelf NAS boxes. Avahi's security record is good, so I don't see any issue with doing this.
Decisions to open and close services really need to be made by the user themselves. anaconda defaults to opening only ssh by default, and we get enough complaints about even that. Extra services are just going to invite extra trouble. The user can quite easily use system-config-firewall which has a check box just for the Avahi service.
If avahi starts up by default in a default install, then the firewall should have a hole poked by default.
If avahi doesn't start up by default, then there is no risk in poking a hole in the firewall, since the system won't accept connections on a port that isn't bound to a running service.
Conclusion: we should open 5353 by default regardless. Then the decision can be whether we should run avahi by default or not.
We start a mail server by default in a default install. Should we also open a port for smtp by default as well?
No, that's different. The default mail server that runs only listens on 127.0.0.1 by default. No need to open a firewall for localhost.
Following up to myself, it is pretty stupid to run a service by default whose sole reason for existence is to announce to the local network available services running on the local box and then block those packets by the default firewall rules. Pick one--either run the service by default and open the firewall by default, or don't run the service by default. You could also say "don't poke the hole by default" if you don't run the service by default, and that would be okay too, but unnecessary.
*** Bug 555360 has been marked as a duplicate of this bug. ***
It is possible to make iptables notify the userspace about the filtered packets. The userspace can then check exactly what packet it was, and in case it belongs to some known service, the user can be asked whether or not he wants to unblock this service...

I mean, I spent the whole day today trying to figure out why the netbios lookups do not work with the fresh fedora install (it works in ubuntu). The question like "netbios reply was received, but is blocked by firewall, do you want to unblock UDP port 137?" would just save me. The user simply doesn't know why something doesn't work, so he must be hinted. The ability to open specific ports is not enough.
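The userspace side of the suggestion above, as an added example that is not part of this bug or any Fedora tool: it parses netfilter LOG lines for dropped packets and, when the destination port belongs to a known UDP service, produces the kind of prompt the comment asks for. The log lines, the log prefix and the service table are constructed for the example.

```python
import re

# Constructed subset of well-known UDP services the prompt can name.
KNOWN_UDP_SERVICES = {
    137: ("netbios-ns", "NetBIOS name lookup"),
    138: ("netbios-dgm", "NetBIOS datagram"),
    5353: ("mdns", "Multicast DNS (Avahi)"),
}

# netfilter LOG lines are KEY=VALUE tokens; some keys (OUT=) may be empty.
_FIELD = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict."""
    return dict(_FIELD.findall(line))


def suggest_unblock(line):
    """Return a user-facing prompt if a dropped UDP packet targeted a known
    service, otherwise None. TCP and unknown ports are left alone."""
    f = parse_log_line(line)
    if f.get("PROTO") != "UDP":
        return None
    try:
        dport = int(f["DPT"])
    except (KeyError, ValueError):
        return None
    svc = KNOWN_UDP_SERVICES.get(dport)
    if svc is None:
        return None
    name, desc = svc
    return (f"{desc} reply from {f.get('SRC', '?')} on {f.get('IN', '?')} was "
            f"received but blocked by the firewall; unblock UDP port {dport} ({name})?")


def scan(lines):
    """Collect prompts for every line that matches a known service."""
    return [p for p in (suggest_unblock(l) for l in lines) if p is not None]


# Constructed sample log with a hypothetical "FW-DROP:" log prefix.
SAMPLE_LOG = [
    "kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.168.1.20 DST=192.168.1.10 LEN=78 TTL=128 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.1.21 DST=224.0.0.251 LEN=120 TTL=255 "
    "PROTO=UDP SPT=5353 DPT=5353 LEN=100",
    "kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.1.22 DST=192.168.1.10 LEN=60 TTL=64 "
    "PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 SYN",
    "kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.1.23 DST=192.168.1.10 LEN=40 TTL=64 "
    "PROTO=UDP SPT=40001 DPT=12345 LEN=20",
]

if __name__ == "__main__":
    for prompt in scan(SAMPLE_LOG):
        print(prompt)
```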
This is still a problem in Fedora 16 folks. Avahi is started by default in a default install, but by default firewall is blocking it. That makes zero sense for a zero configuration service. Actually it makes negative sense, I'd consider the position on this to be user hostile.
I am with C Anderson and L Poettering. There absolutely should be a hole for zeroconf or it's not zero conf. At the absolute minimum there should be an Avahi or Zeroconf entry in Firewall so that all a user has to do is check a box and apply - but in fact I have to resort to the command line still to add an entry.
With https://fedoraproject.org/wiki/Features/firewalld-default, I am hoping this will be fixed up.
OK I just found the Multicast DNS (mDNS) entry in Firewall. I think this is a user hostile bug from beginning to end. We can't even decide WTF we are calling this service. Avahi, Zeroconf, mDNS, Bonjour. How many names does it take? The service is called Avahi on linux distros, I think the Firewall entry should be "Avahi (mDNS)" and it should be enabled by default or it most certainly is not zero configuration.
(In reply to comment #24)
> With https://fedoraproject.org/wiki/Features/firewalld-default, I am hoping
> this will be fixed up.