netfilter conntracker ?

Teddy Hogeborn teddy at recompile.se
Thu Apr 21 23:00:27 CEST 2016


Jesse Norell <jesse at kci.net> writes:

>   I'm setting up a first-time mandos deployment, and looking at
> iptables firewalling on the mandos server.  It's easy enough to catch
> mDNS service discovery (in my case, just "ufw allow Bonjour"), but
> what about the avahi service port, randomly chosen?  I've tried
> searching for a netfilter/conntracker helper for avahi/zeroconf, but
> haven't come up with anything, not even anyone discussing the idea
> .. maybe my search terms are bad.  Any pointers on what is normally
> done here?  Just pick a static port for mandos server and set up
> firewall rules to allow that?

That does seem to be the most straightforward solution.

> The conntracker approach seems interesting, as it could prevent a host
> from even talking to the mandos server without making a mDNS request
> first (we don't need routed/unicast at the moment).  But maybe it's a
> case of simplicity (static port) would be a better overall solution?

If you want a more general solution, you might also have something
listen dynamically for DNS-SD announcements and open the firewall for
those ports where services are announced.  But firewalls are not my area
of expertise - I suggest you take it up with some Zeroconf people.

/Teddy Hogeborn

-- 
The Mandos Project
https://www.recompile.se/mandos
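The "listen for DNS-SD announcements and open the firewall for the announced ports" idea from the reply above, as an added example that is not part of this thread or of the Mandos project. It assumes ufw as the firewall front end and the parsable, resolved output format of `avahi-browse -rpt _mandos._tcp` (one `=` line per resolved service, fields separated by `;`: interface, protocol, name, service type, domain, host, address, port, TXT); the sample announcements are constructed, and the script only prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example (not Mandos project code): derive ufw allow rules from resolved
# DNS-SD announcements as printed by `avahi-browse -rpt _mandos._tcp`.
# Assumed line layout for resolved ("=") entries:
#   =;iface;proto;name;type;domain;host;address;port;txt
# "+" (appeared) and "-" (disappeared) lines carry no address or port and are skipped.

# Read avahi-browse parsable output on stdin; print one ufw command per
# resolved IPv4 service instance, allowing inbound TCP to the announced
# address and port. Review the output before piping it into `sh`.
rules_from_avahi() {
    awk -F';' '
        $1 == "=" && $3 == "IPv4" && $9 ~ /^[0-9]+$/ {
            printf "ufw allow proto tcp from any to %s port %s comment \"dns-sd %s\"\n",
                   $8, $9, $5
        }'
}

# Constructed sample, shaped like `avahi-browse -rpt _mandos._tcp` output
# (addresses from the 192.0.2.0/24 documentation range).
SAMPLE_ANNOUNCEMENTS='+;eth0;IPv4;Mandos;_mandos._tcp;local
=;eth0;IPv4;Mandos;_mandos._tcp;local;mandos.local;192.0.2.10;16283;"txt"
=;eth0;IPv6;Mandos;_mandos._tcp;local;mandos.local;fe80::1;16283;"txt"'

# Run the generator over the constructed sample (used by the demo below).
generate_sample_rules() {
    printf '%s\n' "$SAMPLE_ANNOUNCEMENTS" | rules_from_avahi
}

generate_sample_rules
```

For a daemon rather than a one-shot run, feed `avahi-browse -rp` (without `-t`) into the same parser and delete the rule again when the matching `-` line arrives. Note what this does and does not decide: mDNS announcements are unauthenticated and any host on the link can publish one, so a generator like this should only open ports on the server's own announced address (as above), and which clients may connect to them is still a separate policy question; Mandos itself relies on its TLS key checks for that, not on the firewall.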
