Project

General

Profile

Actions

Feature #12329

open

Add optional floating firewall rules for IPv4 and IPv6

Added by Offstage Roller about 3 years ago. Updated almost 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Avahi
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

See this thread for reference:
https://forum.netgate.com/topic/166210/fe80-16-not-included-in-interface-networks

I think it would be helpful to include a checkbox, enabled by default, to the Avahi settings page which creates the necessary firewall rules to allow for Avahi to work out of the box.

If the user choses to disable the IPv4 or IPv6 support, the firewall rule for that protocol would not be generated.

Currently, no firewall rules are generated by the package, and it's up to the user to ensure mDNS firewall rules are created on each needed interface. It's more confusing with IPv6, because I originally assumed the "* net" source would include the link local ""fe80::/64" address, but it does not. Because of that, I end up needing to create a manual rule for each of my interfaces allowing the source to be "fe80::/64" and the destination to be "ff02::fb/128". Without that rule, mDNS for IPv6 does not work and gets rejected by the default reject rule.

For IPv4, a floating rule would be created for any allowed interface, allowing for:

Source: `* net`
Destination: `224.0.0.0/3`
Port: `5353`

For IPv6, a floating rule would be created for any allowed interface, allowing for:

Source: `fe80::/64`
Destination: `ff02::fb/128`
Port: `5353`

Actions #1

Updated by Offstage Roller about 3 years ago

Update to the original description, the destination for IPv4 would be better if it were set to a single address `224.0.0.251` instead of the entire multicast address space.

It was also suggested to change the IPv6 source subnet from a /64 to a /10.

Actions #2

Updated by Alan Wilson almost 3 years ago

Offstage Roller wrote in #note-1:

Update to the original description, the destination for IPv4 would be better if it were set to a single address `224.0.0.251` instead of the entire multicast address space.

It was also suggested to change the IPv6 source subnet from a /64 to a /10.

I completely agree, this should be an obvious default feature.

I did:

A IPv6 floating rule for:

Source: Network `fe80::/10`
Destination: Single host `ff02::fb`
Port: `5353`

To get my logs to STFU.

Actions

Also available in: Atom PDF