netfilter conntracker ?
Teddy Hogeborn
teddy at recompile.se
Thu Apr 21 23:00:27 CEST 2016
Jesse Norell <jesse at kci.net> writes:
> I'm setting up a first-time mandos deployment, and looking at
> iptables firewalling on the mandos server. It's easy enough to catch
> mDNS service discovery (in my case, just "ufw allow Bonjour"), but
> what about the avahi service port, randomly chosen? I've tried
> searching for a netfilter/conntracker helper for avahi/zeroconf, but
> haven't come up with anything, not even anyone discussing the idea
> ... maybe my search terms are bad. Any pointers on what is normally
> done here? Just pick a static port for mandos server and setup
> firewall rules to allow that?
That does seem to be the most straightforward solution.
> The conntracker approach seems interesting, as it could prevent a host
> from even talking to the mandos server without making a mDNS request
> first (we don't need routed/unicast at the moment). But maybe it's a
> case where simplicity (static port) would be a better overall solution?
If you want a more general solution, you might also have something
listen dynamically for DNS-SD announcements and open the firewall for
those ports where services are announced. But firewalls are not my area
of expertise - I suggest you take it up with some Zeroconf people.
/Teddy Hogeborn
--
The Mandos Project
https://www.recompile.se/mandos
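The dynamic alternative mentioned in the reply (listen for DNS-SD announcements and open the firewall for the announced port) is sketched below as an added example. It is not code from the Mandos project or from either poster, and it assumes things the thread does not state: that the server announces the _mandos._tcp service type, that the firewall is nftables with an existing "inet filter" table and "input" chain, and that avahi-browse is installed for live use. The two sample records are constructed to match the field layout of avahi-browse -rp output.

```shell
#!/bin/sh
# Added example, not code from the Mandos project or the thread's authors.
# Watches DNS-SD announcements for the Mandos service and opens the
# announced port in the firewall, instead of pinning a static port.
# Assumptions (not stated on the page): service type _mandos._tcp,
# nftables with an existing "inet filter" table and "input" chain,
# and avahi-browse available for live use.

SERVICE_TYPE='_mandos._tcp'

# Constructed sample records in the layout printed by `avahi-browse -rp`:
#   event;iface;proto;name;type;domain;hostname;address;port;txt
# '+' is a discovery event (no port yet), '=' is the resolved record.
SAMPLE_UNRESOLVED='+;eth0;IPv4;Mandos\032Server;_mandos._tcp;local'
SAMPLE_RESOLVED='=;eth0;IPv4;Mandos\032Server;_mandos._tcp;local;mandos.local;192.0.2.10;42731;""'

# parse_announcement LINE: print "ADDRESS PORT" for a resolved record whose
# port is a plausible TCP port; print nothing for any other line.
parse_announcement() {
    case $1 in
        '='*) ;;
        *) return 0 ;;          # only resolved records carry address and port
    esac
    pa_addr=$(printf '%s\n' "$1" | cut -d';' -f8)
    pa_port=$(printf '%s\n' "$1" | cut -d';' -f9)
    case $pa_port in
        ''|*[!0-9]*) return 0 ;;   # empty or non-numeric port: ignore the record
    esac
    if [ "$pa_port" -ge 1 ] && [ "$pa_port" -le 65535 ]; then
        printf '%s %s\n' "$pa_addr" "$pa_port"
    fi
}

# nft_rule_for PORT: the rule text that accepts TCP to PORT on the server.
# Mandos authenticates clients itself, so no source restriction is added here.
nft_rule_for() {
    printf 'nft add rule inet filter input tcp dport %s accept\n' "$1"
}

# Live mode (run with --live): follow announcements and open each newly
# announced port once. Removal events ('-') from avahi-browse -p carry no
# port, so cleaning up rules when a service disappears would need tracking
# by service name, which is not shown here.
if [ "${1:-}" = "--live" ]; then
    opened=' '
    avahi-browse -rp "$SERVICE_TYPE" | while IFS= read -r line; do
        # word-split "ADDRESS PORT" into $1 and $2 (intentionally unquoted)
        set -- $(parse_announcement "$line")
        [ $# -eq 2 ] || continue
        case $opened in *" $2 "*) continue ;; esac   # already opened
        eval "$(nft_rule_for "$2")"
        opened="$opened$2 "
    done
fi
```

Running the script with --live on the server follows the announcements and adds one accept rule per announced port; without arguments it only defines the functions. The firewall stays closed until Avahi has actually published the service, which is the property the original question was after, but note that this opens the port to every source, so it does not by itself enforce "must have made an mDNS request first"; that would still need conntrack-style state the thread found no helper for.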