Bug 444427 - Avahi blocked by Firewall
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: anaconda
Version: rawhide
Hardware: All, OS: Linux
Priority: low, Severity: low
Assigned To: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
Duplicates: 555360
Blocks: F10Target F10DesktopTarget
Reported: 2008-04-28 07:29 EDT by Michael Monreal
Modified: 2013-08-20 02:19 EDT
Doc Type: Bug Fix
Last Closed: 2008-11-04 10:16:10 EST
Attachments: None
Description Michael Monreal 2008-04-28 07:29:32 EDT
The Fedora9 default firewall rules block all usage of the avahi daemon. This
includes the user-share feature but also advertised VNC and SSH servers. To
work, avahi needs port 5353 (udp) open.
Comment 1 John Poelstra 2008-04-28 08:41:33 EDT
I believe this is by design and not a bug.

Lennart is this correct?
Comment 2 Matthias Clasen 2008-04-28 09:30:37 EDT
We need smarter firewall handling, and allow applications to plug holes,
probably under PolicyKit control. This has been on the wishlist for a long time...
Comment 3 Michael Monreal 2008-04-28 09:44:12 EDT
I can understand the "by design" part. But IIRC gnome-user-share was installed
by default when I installed Fedora9Pre from CD and shipping default apps which
do not work out of the box is a bad idea IMHO. At least, add a note to the
release notes.
Comment 4 Lennart Poettering 2008-05-02 10:24:10 EDT
(In reply to comment #1)
> I believe this is by design and not a bug.
> 
> Lennart is this correct?

It's not my design, to say the least.

Ubuntu opened up port 5353 by default. And I think we should do the same. The
whole idea of zeroconf is "zero configuration", i.e. expecting the user to
toggle a few switches in the firewall configuration defeats the whole point I
would say.

I wasn't aware that we install a firewall by default (I certainly have none on
my machine). So I would recommend opening udp 5353 for mDNS.
Comment 5 Bug Zapper 2008-05-14 06:17:51 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 6 Christian Nolte 2008-06-17 17:30:59 EDT
IMHO opening up ports by default is not a good idea. Especially for users who have
a direct connection to the internet. We certainly do not want to broadcast mdns
into the wild...
Comment 7 Lennart Poettering 2008-06-18 14:39:48 EDT
We try to make sure in Avahi that mDNS data does not leak onto the Internet and
no data from the Internet can poison our mDNS caches. We do this by checking
TTLs, ignoring all network interfaces that are not ethernet and all packets
where the source address is not on a local network and similar mechanisms. Of
course, there will always be a risk, but Avahi tries to make sure it is minimal.
If you want 100% security then you probably should not be connecting your
computer to a network anyway.
Comment 8 Bryan Quigley 2008-10-14 23:49:27 EDT
This is still an issue on Fedora 10 Snapshot 1.  More interestingly, I believe it worked on the liveCD, and then failed when installed.
Comment 9 John Poelstra 2008-10-16 12:56:00 EDT
Since seen in Fedora 10 Snap1, changing version to "rawhide".

Reading the comments I still can't determine what the decision is on opening the firewall by default for Avahi. If we aren't going to open it by default, shouldn't this bug be closed?
Comment 10 Bryan Quigley 2008-10-16 12:59:36 EDT
If you aren't going to open the firewall, the DAAP plugin should be disabled in rhythmbox.
Comment 11 Lennart Poettering 2008-10-21 14:44:48 EDT
I really believe the firewall should allow udp 5353, but I guess I already explained that. 

I am tempted to simply reassign this bug to the firewall package and leave this to its maintainer. However, I don't really know which package that would be. Anyone?
Comment 12 John Poelstra 2008-10-28 18:39:59 EDT
Okay, changing component to system-config-firewall.
Comment 13 Bastien Nocera 2008-10-28 20:24:52 EDT
That still leaves the solution half-broken, where the services offered on the computer and advertised through Avahi will be blocked by the firewall. Shares through gnome-user-share, music through Rhythmbox' DAAP, Vino's Desktop sharing etc.
Comment 14 Matthew Garrett 2008-11-03 13:07:40 EST
Reassigning to Anaconda, since it's responsible for initial firewall setup. Leaving 5353/udp open by default doesn't solve all our mDNS issues (such as allowing advertised services to do something useful), but it does deal with the pretty typical home user cases of wanting to use a service on the local network that's being announced via DAAP such as any number of off the shelf NAS boxes. Avahi's security record is good, so I don't see any issue with doing this.
Comment 15 Chris Lumens 2008-11-04 10:16:10 EST
Decisions to open and close services really need to be made by the users themselves. anaconda defaults to opening only ssh by default, and we get enough complaints about even that. Extra services are just going to invite extra trouble. The user can quite easily use system-config-firewall, which has a check box just for the Avahi service.
Comment 16 Charles R. Anderson 2008-11-04 10:27:39 EST
If avahi starts up by default in a default install, then the firewall should have a hole poked by default.

If avahi doesn't start up by default, then there is no risk in poking a hole in the firewall, since the system won't accept connections on a port that isn't bound to a running service.

Conclusion: we should open 5353 by default regardless.  Then the decision can be whether we should run avahi by default or not.
Comment 17 Chris Lumens 2008-11-04 10:33:00 EST
We start a mail server by default in a default install.  Should we also open a port for smtp by default as well?
Comment 18 Charles R. Anderson 2008-11-04 10:39:35 EST
No, that's different.  The default mail server that runs only listens on 127.0.0.1 by default.  No need to open a firewall for localhost.
Comment 19 Charles R. Anderson 2008-11-04 10:42:12 EST
Following up to myself, it is pretty stupid to run a service by default whose sole reason for existence is to announce to the local network available services running on the local box and then block those packets by the default firewall rules.  Pick one--either run the service by default and open the firewall by default, or don't run the service by default.  You could also say "don't poke the hole by default" if you don't run the service by default, and that would be okay too, but unnecessary.
Comment 20 Chris Lumens 2010-01-14 10:21:06 EST
*** Bug 555360 has been marked as a duplicate of this bug. ***
Comment 21 Stas Sergeev 2010-01-14 11:08:07 EST
Just out of the blue...
It is possible to make iptables notify the userspace about the filtered packets. The userspace can then check exactly what packet it was, and in case it belongs to some known service, the user can be asked whether or not he wants to unblock this service...
Thoughts?
Comment 22 Stas Sergeev 2010-01-14 11:13:35 EST
I mean, I spent the whole day today trying to figure out why the netbios lookups do not work with the fresh fedora install (it works in ubuntu). A question like "netbios reply was received, but is blocked by firewall, do you want to unblock UDP port 137?" would just save me. The user simply doesn't know why something doesn't work, so he must be hinted. The ability to open specific ports is not enough.
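The mechanism proposed in comments 21 and 22 (inspect what the firewall dropped, recognise the service, and hint the user), combined with the sanity checks Lennart lists in comment 7 for multicast DNS, sketched as an added example. This is not code from the bug report, Avahi or Fedora: the netfilter LOG lines are constructed, and the firewalld service names in the table are assumptions.

```python
import ipaddress
import re
# Ports of services this thread mentions -> firewalld service names
# (constructed table; the names are assumptions, check `firewall-cmd --get-services`).
KNOWN_SERVICES = {("UDP", 5353): "mdns",       # Avahi announcements and replies
                  ("UDP", 137): "netbios-ns",  # NetBIOS name lookups (comment 22)
                  ("TCP", 3689): "daap"}       # Rhythmbox DAAP music shares
MDNS_GROUP = ipaddress.ip_address("224.0.0.251")
_FIELD = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Split a netfilter LOG message into its key=value fields."""
    return dict(_FIELD.findall(line))

def is_plausible_local_mdns(fields, iface_net):
    """Checks of the kind comment 7 describes: IP TTL 255, the mDNS group as
    destination, and a source address that is on-link for the interface."""
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    return fields.get("TTL") == "255" and dst == MDNS_GROUP and src in iface_net

def classify_drop(line, iface_net):
    """Return service, trust verdict and a user hint for a dropped packet on a
    known port, or None for ports we would never offer to open."""
    f = parse_log_line(line)
    try:
        proto, port = f["PROTO"], int(f["DPT"])
    except (KeyError, ValueError):
        return None
    service = KNOWN_SERVICES.get((proto, port))
    if service is None:
        return None
    # mDNS is multicast: refuse to even ask when the link-local sanity checks fail.
    trusted = service != "mdns" or is_plausible_local_mdns(f, iface_net)
    if trusted:
        hint = f"{service} from {f['SRC']} blocked on {f.get('IN', '?')}; open {port}/{proto.lower()}?"
    else:
        hint = f"{service} packet from {f['SRC']} failed link-local checks; not offering to open"
    return {"service": service, "trusted": trusted, "hint": hint}

# Constructed sample lines in the kernel's netfilter LOG format.
LAN = ipaddress.ip_network("192.168.1.0/24")
SAMPLE_LOGS = [
    "FW-DROP IN=eth0 OUT= MAC=01:00:5e:00:00:fb:52:54:00:12:34:56:08:00 SRC=192.168.1.20 "
    "DST=224.0.0.251 LEN=96 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=76",
    "FW-DROP IN=eth0 OUT= SRC=10.9.8.7 DST=224.0.0.251 LEN=96 TTL=64 PROTO=UDP SPT=5353 DPT=5353 LEN=76",
    "FW-DROP IN=eth0 OUT= SRC=192.168.1.30 DST=192.168.1.5 LEN=78 TTL=64 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "FW-DROP IN=eth0 OUT= SRC=192.168.1.30 DST=192.168.1.5 LEN=60 TTL=64 PROTO=TCP SPT=51234 DPT=22",
]
```

On a real system the lines would come from a `-j LOG` (or NFLOG) rule at the end of the INPUT chain rather than from the constructed list.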
Comment 23 Chris Murphy 2011-11-04 16:55:40 EDT
This is still a problem in Fedora 16 folks. Avahi is started by default in a default install, but by default firewall is blocking it. That makes zero sense for a zero configuration service. Actually it makes negative sense, I'd consider the position on this to be user hostile.

I am with C Anderson and L Poettering. There absolutely should be a hole for zeroconf or it's not zero conf. At the absolute minimum there should be an Avahi or Zeroconf entry in Firewall so that all a user has to do is check a box and apply - but in fact I have to resort to the command line still to add an entry.
Comment 24 Chris Lumens 2011-11-04 17:03:39 EDT
With https://fedoraproject.org/wiki/Features/firewalld-default, I am hoping this will be fixed up.
Comment 25 Chris Murphy 2011-11-04 17:04:57 EDT
OK I just found the Multicast DNS (mDNS) entry in Firewall. I think this is a user hostile bug from beginning to end. We can't even decide WTF we are calling this service. Avahi, Zeroconf, mDNS, Bonjour. How many names does it take? The service is called Avahi on linux distros, I think the Firewall entry should be "Avahi (mDNS)" and it should be enabled by default or it most certainly is not zero configuration.
Comment 26 Chris Murphy 2011-11-04 17:07:39 EDT
(In reply to comment #24)
> With https://fedoraproject.org/wiki/Features/firewalld-default, I am hoping
> this will be fixed up.

Thanks.