
Bug #7755

Avahi package is not secure by default

Added by Roland Kletzing almost 2 years ago. Updated over 1 year ago.

Status: New
Priority: High
Assignee: -
Category: Avahi
Target version: -
Start date: 08/04/2017
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.3.4_1
Affected Architecture:
Description

The pfSense Avahi plugin is insecure by default and may at least cause internal information to leak to the wrong network zones.

We use Avahi as bonjour reflector on internal networks to enable OSX/bonjour printing across subnets.

After firewall interface reconfiguration we found that in our DMZ there was mDNS/bonjour traffic visible.

Apparently this is because the Avahi plugin is using interface blacklisting instead of whitelisting.

I think it is bad default behaviour on a firewall to broadcast information to interfaces not yet known to the Avahi service at service installation/configuration time.

It can't be up to the admin to know all the bells and whistles of every firewall component; such a thing simply should not happen by default.

Please consider changing the plugin configuration to use the "allow-interfaces" option instead of "deny-interfaces", or at least give a big warning on the dashboard that the Avahi plugin is causing this insecurity.

regards
Roland Kletzing

allow-interfaces= Set a comma separated list of allowed network interfaces that should be used by the avahi-daemon. Other interfaces will be ignored. If set to the empty list all local interfaces except loopback and point-to-point will be used.

deny-interfaces= Set a comma separated list of network interfaces that should be ignored by avahi-daemon. Other not specified interfaces will be used, unless allow-interfaces is set. This option takes precedence over allow-interfaces.
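The following script is an added example, not part of the bug report and not pfSense's or Avahi's own code. It models the allow-interfaces/deny-interfaces semantics quoted above and shows why a deny list silently widens when a firewall gains an interface (a new DMZ NIC, for instance) while an allow list does not. The configuration fragments and the interface names (em0, em1, em2, em3, lo0) are constructed for the demonstration; the precedence rule (deny wins over allow) is taken from the avahi-daemon.conf description.

```python
"""Model avahi-daemon interface selection under deny- vs allow-interfaces.

The semantics follow avahi-daemon.conf(5): with an empty allow list every local
interface except loopback and point-to-point is used; deny-interfaces always
removes an interface, even if it is also allowed.  Config text and interface
inventory below are constructed sample data, not a real pfSense install.
"""
import configparser

# Constructed: what a blacklisting (deny) configuration looks like.
DENY_CONF = """\
[server]
deny-interfaces=em2

[reflector]
enable-reflector=yes
"""

# Constructed: the whitelisting (allow) alternative the report asks for.
ALLOW_CONF = """\
[server]
allow-interfaces=em0,em1

[reflector]
enable-reflector=yes
"""

# Constructed: both keys set, to show that deny takes precedence over allow.
BOTH_CONF = """\
[server]
allow-interfaces=em0,em1,em2
deny-interfaces=em2
"""

# Constructed interface inventory: name -> (is_loopback, is_point_to_point).
INTERFACES_BEFORE = {
    "lo0": (True, False),
    "em0": (False, False),   # LAN
    "em1": (False, False),   # second internal network
    "em2": (False, False),   # interface the admin explicitly excluded
}
# Same firewall after a DMZ interface (em3) is added later.
INTERFACES_AFTER = dict(INTERFACES_BEFORE, em3=(False, False))


def _parse_list(value):
    """Split a comma separated option value into a list of interface names."""
    return [item.strip() for item in value.split(",") if item.strip()]


def load_policy(conf_text):
    """Read allow/deny lists from the [server] section of avahi-daemon.conf text."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    server = parser["server"] if parser.has_section("server") else {}
    return {
        "allow": _parse_list(server.get("allow-interfaces", "")),
        "deny": _parse_list(server.get("deny-interfaces", "")),
    }


def active_interfaces(policy, interfaces):
    """Return the sorted list of interfaces avahi-daemon would use."""
    chosen = []
    for name, (is_loopback, is_ptp) in interfaces.items():
        if name in policy["deny"]:
            continue                      # deny-interfaces wins unconditionally
        if policy["allow"]:
            if name in policy["allow"]:   # explicit whitelist: only listed names
                chosen.append(name)
        elif not is_loopback and not is_ptp:
            chosen.append(name)           # empty allow list: everything else
    return sorted(chosen)


def newly_exposed(policy, before, after):
    """Interfaces that become active only because new interfaces appeared."""
    return sorted(set(active_interfaces(policy, after))
                  - set(active_interfaces(policy, before)))


if __name__ == "__main__":
    for label, conf in (("deny", DENY_CONF), ("allow", ALLOW_CONF)):
        policy = load_policy(conf)
        print(f"{label}: before={active_interfaces(policy, INTERFACES_BEFORE)} "
              f"after={active_interfaces(policy, INTERFACES_AFTER)} "
              f"newly exposed={newly_exposed(policy, INTERFACES_BEFORE, INTERFACES_AFTER)}")
```

Run against the constructed inventory, the deny policy starts reflecting mDNS on em3 the moment that interface exists, with no configuration change and nothing in the plugin UI to flag it; the allow policy keeps the reflector on em0 and em1 only. The same check can be pointed at the real interface list of a box to audit an existing deny-based configuration.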

History

#1 Updated by Roland Kletzing over 1 year ago

Furthermore, today I sniffed on our branch office's OpenVPN interfaces just to find that mDNS/bonjour traffic from the main office is appearing there. Apparently that traffic is being sent from the fw/OpenVPN server in the main office, and the appropriate OpenVPN interface is not even shown in the blacklisting dialogue for Avahi, so apparently there currently is no way to stop this traffic!!!

While writing this, I found there is another ticket, #8067, for this: https://redmine.pfsense.org/issues/8067
