Bug #7755
closedAvahi package is not secure by default
0%
Description
pfSense Avahi Plugin is insecure per default and may at least cause internal information leaking to wrong network zones.
We use Avahi as bonjour reflector on internal networks to enable OSX/bonjour printing across subnets.
After firewall interface reconfiguration we found that in our DMZ there was mDNS/bonjour traffic visible.
Apparently this is because Avahi plugin is using interface blacklisting instead of whitelisting.
I think it is bad default behaviour on a firwall to broadcast information to interfaces not yet known to the Avahi service at service installation/configuration time.
I`t can`t be up to the admin to know all the bells and whistles of very firewall component, such thing simply should not happen per default.
Please consider changing plugin configuration to use "allow-interfaces" option instead "deny-interfaces" or at least give a big warning on the dashboard that avahi plugin causing this insecurity
regards
Roland Kletzing
allow-interfaces= Set a comma seperated list of allowed network interfaces that should be used by the avahi-daemon. Other interfaces will be ignored. If set to the empty list all local interfaces except loopback and point-to-point will be used.
deny-interfaces= Set a comma seperated list of network interfaces that should be ignored by avahi-daemon. Other not specified interfaces will be used, unless allow-interfaces is set. This option takes precedence over deny-interfaces.
Updated by Roland Kletzing almost 7 years ago
Furthermore, today i sniffed on our branch office`s openvpn Interfaces just to find, that mDNS/bonjour traffic from the main office is appearing there, apparently that traffic is being sent from the fw/openvpn server in the main office and the apropriate openvpn interface is not even shown in the blacklisting dialogue for avahi - so apparently there currently is no way to stop this traffic !!!
While writing this, i found there is another ticket #8067 for this: https://redmine.pfsense.org/issues/8067
Updated by Jim Pingle about 5 years ago
- Status changed from New to Closed
Since Avahi pkg version 2.0.x, it switched to using whitelisting, so this is no longer relevant.