Linux

53752 readers

1295 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago

MODERATORS

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

[solved] What ports do I need to open for mDNS? (lemmy.world)

submitted 2 weeks ago* (last edited 1 week ago) by TMP_NKcYUEoM7kXg4qYe@lemmy.world to c/linux@lemmy.ml

14 comments fedilink hide all child comments

EDIT: The bad solution is to unblock UDP port 5353 but the port has to be source port, not destination port. (--sport flag) See the now modified rules. The issue is that this is very insecure (see this stackexchange question and comments) but obviously better than no firewall at all because at least I'm blocking TCP traffic.

The proper solution (other than using glibc and installing nss-mdns package) is to open a port with netcat (nc) in the background (using &) and then listen with dig on that port using the -b flag.

port="42069"
nc -l -p "$port" > /dev/null || exit 1 &
dig somehostname.local @224.0.0.241 -p 5353 -b "0.0.0.0#${port}"

Then we need to remember to kill the background process. The DNS reply will now be sent to port 42069, so we can just open it with this iptables rule:

-A INPUT -p udp -m udp --dport 42069 -j ACCEPT

---->END OF EDIT.

I want to setup iptables firewall but if I do that, it blocks multicast DNS which I need. I am using command

dig "somehostname.local" @224.0.0.251 -p 5353

to get the IP through mDNS and these are my iptables rules (from superuser.com):

*filter

# drop forwarded traffic. you only need it of you are running a router
:FORWARD DROP [0:0]

# Accept all outgoing traffic
:OUTPUT ACCEPT [623107326:1392470726908]


# Block all incoming traffic, all protocols (tcp, udp, icmp, ...) everything.
# This is the base rule we can define exceptions from.
:INPUT DROP [11486:513044]

# do not block already running connections (important for outgoing)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# do not block localhost
-A INPUT -i lo -j ACCEPT

# do not block icmp for ping and network diagnostics. Remove if you do not want this
# note that -p icmp has no effect on ipv6, so we need an extra ipv6 rule
-4 -A INPUT -p icmp -j ACCEPT
-6 -A INPUT -p ipv6-icmp -j ACCEPT

# allow some incoming ports for services that should be public available
# -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# -A INPUT -p udp -m udp --dport 5353 -j ACCEPT # does not help
-A OUTPUT -p udp -m udp --sport 5353 -j ACCEPT # SOLVES THE ISSUE BUT IS INSECURE - not recommended


# commit changes
COMMIT

Any help is welcome :)

you are viewing a single comment's thread
view the rest of the comments

[–] gnuhaut@lemmy.ml 1 points 1 week ago (1 children)

Yeah no problem. I'd like to point out that this puts a hole in your firewall. If you have something exposed via udp, and an attacker knows about your --sport rule or figures this out, they can connect to it just by setting their source port to 5353. You can check what's listening on udp with ss -lun or sudo ss -lunp (for process info).

Also, I have looked up what @Eideen@lemmy.world said about dig not supporting mdns and I think they are correct. With mdns, because of the multicast nature, you can get replies from multiple computers, and that's a pretty big difference to regular dns. How could it even reliably know it has gotten all the replies or if it should wait for more? It just sort of happens to work correctly if you get a single reply.

Also, and I also looked this up, mdns lookups will to go through avahi-daemon on regular glibc distros. The libnss-mdns plugin description for glibc says this:

nss-mdns tries to contact a running avahi-daemon for resolving host names and addresses and making use of its superior record cacheing. If Avahi is not available at lookup time, the lookups will fail.

[–] TMP_NKcYUEoM7kXg4qYe@lemmy.world 2 points 1 week ago

this puts a hole in your firewall

Indeed, thanks, I realized that shortly after posting it.

dig not supporting mdns

Yep you both are correct. Looking at it now, the result does actually warn me that I'm trying to send a regular DNS request to mDNS multicast address.

It just sort of happens to work correctly if you get a single reply

Yeah I guess it's a hack. To me it does not really matter because I'm just using it for wireguard, so the worst thing that could happen is that I would try to connect to a wrong host and the key exchange would fail.

libnss-mdns

The reason for why I'm doing this whole hack is that nss-mdns package is only available on glibc version of Void but I'm using musl, so it's really just hacks on top of hacks. I found a final solution though so that's nice (see final edit of post). Thanks for all your replies!