netfilter conntracker ?

Jesse Norell jesse at kci.net
Wed Apr 20 18:32:59 CEST 2016


Hello,

  I'm setting up a first-time mandos deployment, and looking at iptables
firewalling on the mandos server.  It's easy enough to catch mDNS
service discovery (in my case, just "ufw allow Bonjour"), but what about
the avahi service port, randomly chosen?  I've tried searching for a
netfilter/conntracker helper for avahi/zeroconf, but haven't come up
with anything, not even anyone discussing the idea... maybe my search
terms are bad.  Any pointers on what is normally done here?  Just pick a
static port for the mandos server and set up firewall rules to allow that?

The conntracker approach seems interesting, as it could prevent a host
from even talking to the mandos server without making an mDNS request
first (we don't need routed/unicast at the moment).  But maybe it's a
case where simplicity (static port) would be a better overall solution?

Thanks,
Jesse


-- 
Jesse Norell
Kentec Communications, Inc.
970-522-8107  -  www.kci.net
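As an added illustration of the static-port option raised above (this is not code from the post or from the Mandos project), the helper below emits the ufw rules for a Mandos server that has been configured to listen on one fixed TCP port. It assumes ufw is in use (as in the post), and uses a placeholder port (23456) and a placeholder client subnet (192.0.2.0/24); substitute your own. Restricting the fixed port to the client subnet is the cheap alternative to a conntrack helper: clients outside that subnet get the default deny whether or not they ever sent an mDNS query.

```shell
#!/bin/sh
# Added example, not from the original post or the Mandos project.
# Assumptions: ufw is the firewall front end, the Mandos server listens
# on one fixed TCP port, and Mandos clients sit on one known subnet.
# Placeholders: port 23456, subnet 192.0.2.0/24 (both constructed).

# valid_port PORT: succeed only if PORT is all digits and within 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# mandos_fw_rules PORT SUBNET: print (do not run) the ufw commands that
#   1. deny all inbound traffic by default,
#   2. allow mDNS/Bonjour (UDP 5353) so clients can still discover the
#      service, as the post already does,
#   3. allow the fixed Mandos TCP port from the client subnet only.
# Printing rather than applying lets the rules be reviewed first.
mandos_fw_rules() {
    port=$1
    subnet=$2
    if ! valid_port "$port"; then
        echo "mandos_fw_rules: invalid port '$port'" >&2
        return 1
    fi
    if [ -z "$subnet" ]; then
        echo "mandos_fw_rules: client subnet required" >&2
        return 1
    fi
    echo "ufw default deny incoming"
    echo "ufw allow Bonjour"
    echo "ufw allow from $subnet to any port $port proto tcp"
}

# Usage (after reviewing the output):
#   mandos_fw_rules 23456 192.0.2.0/24          # print the rules
#   mandos_fw_rules 23456 192.0.2.0/24 | sh     # apply them as root
```

The third rule is the one doing the real work: with a default-deny inbound policy, only hosts on the named subnet can reach the Mandos port at all, which is most of what the conntrack idea would have bought, without a custom helper module.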
