Bug 446828 - Firewall should not block Multicast DNS and CUPS by default
Summary: Firewall should not block Multicast DNS and CUPS by default
Keywords:
Status: CLOSED DUPLICATE of bug 442345
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-firewall
Version: 9
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-05-16 11:06 UTC by Tim Niemueller
Modified: 2010-05-04 07:02 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-07-22 13:10:26 UTC
Type: ---
Embargoed:



Description Tim Niemueller 2008-05-16 11:06:34 UTC
Description of problem:
Currently the default firewall rules prevent Multicast DNS (and thus service
discovery via Avahi) and CUPS browsing from working. This ruins the "just works"
feeling.

Aunt Tilda wants to share files. She enables file sharing under Gnome. Uncle
Eddie looks on the network but cannot see the file share; the new firewall rules
prevent that from happening. He is likely to just shut it off rather than
bothering with enabling the required services (and Multicast DNS is really not
obvious for this). Of course there still is the problem that the port used by
apache for opening webdav is not open by default; that's another thing that
hasn't been fixed for an awfully long time. But still, multicast DNS is used for a lot
more these days: music sharing, easy access via VNC, SSH file access etc.,
plain simple host name lookups...

For CUPS it makes it pretty inconvenient now that printers do not just appear
but you first have to tweak your firewall or add it manually again (what a giant
leap backwards). For example guests at our university can no longer just use the
printers, they have to go and configure them.

Version-Release number of selected component (if applicable):
system-config-firewall-1.2.7-1.fc9.noarch


Proposal:
Open UDP/5353 and UDP/631 again for a seamless "just works" networking experience.

Comment 1 Thomas Woerner 2008-05-19 10:06:00 UTC
I am sorry, but this is not a good example, because "Aunt Tilda" might not want
to share with the whole world.
Also sharing a printer over a ppp or isdn line might not be a good idea in
general. What if you want to share it in the intranet only and not anyone else
in the world?
Opening ports or services per default is a security risk.

Comment 2 Tim Niemueller 2008-05-19 10:59:11 UTC
Multicast DNS does not use any point-to-point connections by design unless
explicitly enabled in the config file, so PPP/ISDN/DSL/whatever connections are
not a problem. Also it is only enabled for link-local peers. I can understand
that for example in a cafe with a wifi hotspot you'd like this disabled. Maybe
this should be integrated with NetworkManager in that case to allow disabling
certain services for connections. This pretty quickly comes down to a FirewallKit...

Not providing a sensible and easy way (and s-c-f does not count as such) just
gives a very bad experience. Especially since the requested ports are only
relevant on the local network, they do not pose the classical "attack over the
internet" risk.

SSH is open by default; based on the recent events this is much more dangerous
than multicast service discovery/name lookup and announcing printers, I'd say.
Besides that, I didn't see any related issues in Avahi; I think it has a pretty
good track record. I'm also not aware of a problem in CUPS that was related to
the browsing functionality. I'm not saying that because there has been no problem
there will be no problem, but using these services over the past years has
not been a problem.
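The two positions above (the proposal to open UDP/5353 and UDP/631 outright, and the reply that these protocols are only relevant on the local link) can be reconciled with rules that scope the ports instead of opening them to any source. The script below is an added example written for this page; it is not Fedora's lokkit/system-config-firewall code and not part of the bug. It assumes iptables, a LAN-facing interface name and a LAN prefix supplied by the caller (eth0 and 192.168.1.0/24 are placeholders), and it only prints the rules so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not part of the bug report or of system-config-firewall/lokkit.
# Emits iptables rules that allow mDNS (UDP/5353) and CUPS browsing (UDP/631)
# only on the local link, rather than opening both ports to every source.
#
# Usage: sh this_script.sh --print [lan_iface] [lan_cidr] [wan_iface]
#        (pipe the output to sh as root to apply; nothing is applied here)

lan_rules() {
    iface=$1     # LAN-facing interface, e.g. eth0 (assumed placeholder)
    cidr=$2      # LAN prefix, e.g. 192.168.1.0/24 (assumed placeholder)

    # mDNS queries and answers are sent to the link-local multicast group
    # 224.0.0.251; accept only those, on the LAN interface. Unicast packets to
    # port 5353 from anywhere else never match this rule.
    printf 'iptables -A INPUT -i %s -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT\n' "$iface"

    # CUPS browsing announcements arrive as UDP/631 from printers on the local
    # subnet; restrict the accepted source to that prefix.
    printf 'iptables -A INPUT -i %s -p udp --dport 631 -s %s -j ACCEPT\n' "$iface" "$cidr"

    # Reject the remainder on both ports explicitly so the intended scope is
    # visible when the rule set is audited.
    printf 'iptables -A INPUT -p udp --dport 5353 -j REJECT\n'
    printf 'iptables -A INPUT -p udp --dport 631 -j REJECT\n'
}

# Dial-up / PPP style interfaces, where the assignee notes that sharing is not
# wanted: nothing on either port is accepted there.
wan_rules() {
    iface=$1     # e.g. ppp0 (assumed placeholder)
    printf 'iptables -A INPUT -i %s -p udp -m multiport --dports 5353,631 -j REJECT\n' "$iface"
}

# Dry run: print the complete rule set for review instead of applying it.
if [ "$1" = "--print" ]; then
    lan_rules "${2:-eth0}" "${3:-192.168.1.0/24}"
    wan_rules "${4:-ppp0}"
fi
```

The rules are appended with `-A`, so they take effect only where they sit relative to the existing chain; in a rule set that already ends with a catch-all REJECT, the two trailing REJECT lines are redundant but harmless.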

Comment 3 Thomas Woerner 2008-05-26 16:37:02 UTC
The initial firewall configuration is done in anaconda, therefore this bug
should be assigned to anaconda, it should enable the desktop defaults
for the firewall.

Comment 4 Tim Niemueller 2008-05-26 17:10:01 UTC
Where are desktop defaults defined? Should we re-assign to anaconda then?
Especially if this is meant to be the desktop firewall I'd say to enable these
ports to make networking just work. An option to set a fixed port for file
sharing would be cool though to be able to allow this to work with the standard
firewall as well.

Comment 5 Thomas Woerner 2008-05-26 17:50:50 UTC
anaconda is using lokkit for the initial firewall configuration anyway to open
the ssh port.

It simply can use "lokkit --default=desktop" for a desktop and "lokkit
--default=server" for a server machine.

Comment 6 Thomas Woerner 2008-07-22 13:10:26 UTC

*** This bug has been marked as a duplicate of 442345 ***

