Bug 130540

Summary: mdns is blocked by firewall (was: open mdns port by default)
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Martin Vidner <mvidner>
Component: NetworkAssignee: Michael Schröder <mls>
Status: RESOLVED WONTFIX QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: adrian.schroeter, lnussel, locilka, mls, security-team
Version: Final   
Target Milestone: ---   
Hardware: x86-64   
OS: Other   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 130561    

Description Martin Vidner 2005-10-25 17:15:24 UTC 
We have multicast DNS resolving enabled in libc, but it is of little use if the mdns port (UDP 5353) is blocked by the firewall.

I therefore propose to open that port by default.
Comment 1 Martin Vidner 2005-10-25 17:29:36 UTC 
There is a related problem to that. Even if the port is open, by default mdns name resolution does not succeed.
(Try opening UDP 5353 on host foo and pinging bar.local where bar has the firewall  turned off)
That is because foo sends the mdns packets from a random port X to port 5353 and bar returns them from 5353 to X. I don't know if SuSEfirewall2 can be set up to let such traffic through.
But it can be overcome in a different way - adding "mdns" to hosts in /etc/nsswitch.conf. Then both the source and destination ports are 5353 in both cases.

(Don't forget to restart nscd when testing)

Or what did you guys do to make it work?
Comment 2 Lukas Ocilka 2005-10-25 19:28:22 UTC 
If this port should be open by default that is it rather an enhancement for SuSEfirewall2 than the yast2-firewall.
Comment 3 Ludwig Nussel 2005-10-26 07:26:36 UTC 
in the external zone no port is open by default, period. => WONTFIX.

However, if we redesign the installation workflow in a way so that users have to specify a class for their network interfaces there is a chance that LAN interfaces get classed as such instead of the default which is external. Note that with a "don't ask questions"-policy mdns is pointless anyways as all hosts end up with the name 'linux'.
Comment 4 Martin Vidner 2005-10-26 09:28:22 UTC 
So let me restate the problem.
We have mdns installed by default.
We have firewall turned on by default.
We assign the network interfaces to the external zone by default.
Therefore, mdns does not work by default.
Adrian, Michael, how do you think it should work? How did you make it work for yourselves?
Comment 5 Lukas Ocilka 2005-11-01 09:03:21 UTC 
Reassigning to the security-team...
Comment 6 Martin Vidner 2005-11-02 10:01:58 UTC 
Ludwig says the security-team's position is don't open a port unless the user explicitly requests it.
Michael, can you comment on mdns and firewalling?
Comment 7 Marcus Meissner 2006-03-29 14:27:06 UTC 
mls? any input/comments here?
Comment 8 Michael Schröder 2006-03-29 14:55:35 UTC 
No.
Comment 9 Thomas Biege 2006-06-01 04:07:45 UTC 
Ok, I close this now. Reopen if needed.