(I think) I've fixed this issue in 2.0.0c-DEVEL. The upcoming 2.0.0c
will have the fix which can be used downstream.
-arno
On 6/23/2011 20:43, S. G. wrote:
Package: arno-iptables-firewall
Version: 2.0.0.a-2
Severity: important
Tags: upstream
After updating from arno-iptables-firewall 1.9.2.k-4, zeroconf (MDNS) does not
work any more. Investigations brought up this set of rules:
Chain EXT_MULTICAST_CHAIN (2 references)
 pkts bytes target prot opt in out source    destination
    0     0 LOG    tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   tcp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix `AIF:PRIV TCP multicast: '
    0     0 LOG    udp  --  *  *   0.0.0.0/0 0.0.0.0/0   udp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix `AIF:PRIV UDP multicast: '
    0     0 LOG    tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   tcp dpts:1024:65535 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix `AIF:UNPRIV TCP multicast: '
    0     0 LOG    udp  --  *  *   0.0.0.0/0 0.0.0.0/0   udp dpt:1024 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix `AIF:UNPRIV UDP multicast: '
    0     0 LOG    icmp --  *  *   0.0.0.0/0 0.0.0.0/0   icmp type 8 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix `AIF:ICMP-multicast-request: '
    0     0 LOG    icmp --  *  *   0.0.0.0/0 0.0.0.0/0   icmp !type 8 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `AIF:ICMP-multicast-other: '
    0     0 DROP   all  --  *  *   0.0.0.0/0 0.0.0.0/0
which obviously blocks all multicast packets. The configuration files don't
offer a way to let in zeroconf traffic (MDNS, UDP Port 5353) again.
With the stable version of the packet it was sufficient to open UDP Port 5353
via debconf.cfg.
Zeroconf is installed and enabled by default on a freshly installed system. So
the firewall should not block it without a remedy to reenable it.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.39-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages arno-iptables-firewall depends on:
ii debconf [debconf-2.0] 1.5.39 Debian configuration management sy
ii gawk 1:3.1.7.dfsg-5 GNU awk, a pattern scanning and pr
ii iproute 20110315-1 networking and traffic control too
ii iptables 1.4.10-1 administration tools for packet fi
Versions of packages arno-iptables-firewall recommends:
ii dnsutils 1:9.7.3.dfsg-1+b1 Clients provided with BIND
ii lynx 2.8.8dev.8-1 Text-mode WWW Browser (transitiona
arno-iptables-firewall suggests no packages.
-- debconf information:
arno-iptables-firewall/config-int-nat-net:
arno-iptables-firewall/dynamic-ip: true
arno-iptables-firewall/config-int-net:
arno-iptables-firewall/icmp-echo: false
* arno-iptables-firewall/services-udp: 631 5353
arno-iptables-firewall/title:
* arno-iptables-firewall/config-ext-if: eth0 wlan0
* arno-iptables-firewall/services-tcp:
* arno-iptables-firewall/restart: true
* arno-iptables-firewall/config-int-if:
arno-iptables-firewall/nat: false
* arno-iptables-firewall/debconf-wanted: true
--
Arno van Amersfoort
E-mail : arn...@rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
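
A way to check a chain listing such as the one in the report for what happens to a given UDP port. This is an added example, not part of the original mails and not code from arno-iptables-firewall. The function name, the sample functions and the ACCEPT rule in allowed_chain are assumptions made for illustration; only the protocol and destination-port columns are evaluated.

```shell
#!/bin/sh
# Added example: first terminating verdict for a UDP destination port in the
# output of `iptables -nvL <chain>` read on stdin (one rule per line).
# Simplification: addresses, interfaces and other matches are assumed to match.
udp_port_verdict() {
    awk -v p="$1" '
    $1 == "Chain" || $1 == "pkts" || NF < 9 { next }            # headers, blanks
    $3 != "ACCEPT" && $3 != "DROP" && $3 != "REJECT" { next }   # LOG does not terminate
    $4 != "udp" && $4 != "all" { next }
    {
        hit = 1                                   # no port match means every port
        for (i = 10; i <= NF; i++) {
            if ($i ~ /^dpt:[0-9]+$/) {
                split($i, a, ":"); hit = (p + 0 == a[2] + 0)
            } else if ($i ~ /^dpts:[0-9]+:[0-9]+$/) {
                split($i, a, ":"); hit = (p + 0 >= a[2] + 0 && p + 0 <= a[3] + 0)
            } else if ($i == "dports" && i < NF) {   # multiport list, e.g. 631,5353
                hit = 0; n = split($(i + 1), list, ",")
                for (j = 1; j <= n; j++) {
                    m = split(list[j], r, ":")
                    lo = r[1] + 0; hi = (m > 1 ? r[2] : r[1]) + 0
                    if (p + 0 >= lo && p + 0 <= hi) hit = 1
                }
            }
        }
        if (hit) { print $3; found = 1; exit }
    }
    END { if (!found) print "FALLTHROUGH" }       # packet returns to the calling chain
    '
}

# UDP LOG rules and the final DROP, re-typed from the listing in the report.
reported_chain() {
cat <<'EOF'
Chain EXT_MULTICAST_CHAIN (2 references)
 pkts bytes target prot opt in out source destination
 0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix `AIF:PRIV UDP multicast: '
 0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1024 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix `AIF:UNPRIV UDP multicast: '
 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
EOF
}

# Constructed variant: a hypothetical ACCEPT for mDNS placed before the DROP.
allowed_chain() {
    reported_chain | sed '$d'
    printf '%s\n' ' 0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353' \
                  ' 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0'
}
```

On a live system the input would be `iptables -nvL EXT_MULTICAST_CHAIN | udp_port_verdict 5353`; for the reported chain the verdict is DROP.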