Bug #7755

closed

Avahi package is not secure by default

Added by Roland Kletzing over 7 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
High
Assignee:
-
Category:
Avahi
Target version:
-
Start date:
08/04/2017
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.3.4_1
Affected Plus Version:
Affected Architecture:

Description

The pfSense Avahi plugin is insecure by default and may at least cause internal information to leak to the wrong network zones.

We use Avahi as a Bonjour reflector on internal networks to enable OSX/Bonjour printing across subnets.

After a firewall interface reconfiguration we found that mDNS/Bonjour traffic was visible in our DMZ.

Apparently this is because the Avahi plugin is using interface blacklisting instead of whitelisting.

I think it is bad default behaviour on a firewall to broadcast information to interfaces not yet known to the Avahi service at service installation/configuration time.

It can't be up to the admin to know all the bells and whistles of every firewall component; such a thing simply should not happen by default.

Please consider changing the plugin configuration to use the "allow-interfaces" option instead of "deny-interfaces", or at least give a big warning on the dashboard that the Avahi plugin is causing this insecurity.

regards
Roland Kletzing

allow-interfaces= Set a comma separated list of allowed network interfaces that should be used by the avahi-daemon. Other interfaces will be ignored. If set to the empty list all local interfaces except loopback and point-to-point will be used.

deny-interfaces= Set a comma separated list of network interfaces that should be ignored by avahi-daemon. Other not specified interfaces will be used, unless allow-interfaces is set. This option takes precedence over deny-interfaces.
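As an added example (not part of the report or of the pfSense package), a small Python check that applies the allow-interfaces/deny-interfaces semantics quoted above to a constructed avahi-daemon.conf and shows why a deny-only configuration fails open when an interface such as a DMZ is added after configuration time. The config contents and the interface names em0 to em3 are constructed for the example.

```python
import configparser

# Constructed sample: blacklist-style config, the default the report objects to.
DENY_STYLE_CONF = """
[server]
use-ipv4=yes
deny-interfaces=em0

[reflector]
enable-reflector=yes
"""

# Constructed sample: whitelist-style config the report asks for instead.
ALLOW_STYLE_CONF = """
[server]
use-ipv4=yes
allow-interfaces=em1,em2

[reflector]
enable-reflector=yes
"""

def _csv(value):
    """Split a comma separated option value into a clean list of names."""
    return [s.strip() for s in value.split(",") if s.strip()]

def interface_policy(conf_text):
    """Return ("whitelist", allow_list) or ("blacklist", deny_list)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    server = cp["server"] if cp.has_section("server") else {}
    allow = _csv(server.get("allow-interfaces", ""))
    deny = _csv(server.get("deny-interfaces", ""))
    # Per the quoted man page: a non-empty allow-interfaces restricts the daemon
    # to those names; otherwise every non-loopback, non-point-to-point interface
    # is used except the ones listed in deny-interfaces.
    return ("whitelist", allow) if allow else ("blacklist", deny)

def served_interfaces(conf_text, present):
    """Interfaces avahi-daemon would use, given the non-loopback,
    non-point-to-point interfaces currently present on the firewall."""
    mode, names = interface_policy(conf_text)
    if mode == "whitelist":
        return {i for i in present if i in names}
    return {i for i in present if i not in names}

def unexpected_exposure(conf_text, present, intended):
    """Interfaces that would carry mDNS although the admin never intended it,
    e.g. a DMZ interface created after the package was configured."""
    return served_interfaces(conf_text, present) - set(intended)
```

With em3 standing in for a DMZ interface added later, the blacklist config serves it while the whitelist config ignores it.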
