Mailinglist Archive: opensuse (1355 mails)

Re: [opensuse] firewalld: how to allow these?
On 2018-06-21 15:11, Per Jessen wrote:
Carlos E. R. wrote:

on my small laptop freshly installed with Leap 15.0 I get messages
about blocking what I think are multicast from my router and my
printer:

2018-06-21T14:23:38.716460+02:00 Legolas kernel: [103133.028003] FINAL_REJECT: IN=eth0 OUT= MAC=01:00:5e:00:00:01:f8:8e:85:64:78:f2:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2

protocol 2 is IGMP, so probably from your router.

Yes, 192.168.1.1 is the router.


2018-06-21T14:23:39.335490+02:00 Legolas kernel: [103133.646980] FINAL_REJECT: IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:1e:0b:08:4c:cb:08:00 SRC=192.168.1.3 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=27960 PROTO=2

224.0.0.251 is used by mDNS, I believe. I think this might be your
printer saying "I want to use mDNS", but I don't know IGMP very well.

Yes, could be that.

The setting in SuSEfirewall2 is this:


# Type: string(yes,no)
#
# Suppress logging of dropped broadcast packets. Useful if you don't allow
# broadcasts on a LAN interface.
#
# This affects both broadcast and multicast packets for both IPv4 and IPv6
#
# This setting only affects packets that are not allowed according
# to FW_ALLOW_FW_BROADCAST_* <=====
#
# Format: either
# - "yes" or "no"
# - list of udp destination ports
#
# Examples: - "631 137" silently drop broadcast packets on port 631 and 137
# - "yes" do not log dropped broadcast packets
# - "no" log all dropped broadcast packets
#
#
# defaults to "yes"
FW_IGNORE_FW_BROADCAST_EXT=""



So they are simply not logged.


The setting to allow bcast or not is this:


#CER: allow samba broadcasts
FW_ALLOW_FW_BROADCAST_EXT="netbios-ns netbios-dgm"



On my computers running 42.3 I don't see similar messages, but also I
don't specifically open anything mentioning "224...".

Run a tcpdump, you'll see the same. Maybe the susefirewall opens for
those by default?

I'm not familiar at all with the new firewalld, so I don't know what I
should open. Or not.

What to open is a matter for you to decide :-)
How to open - I guess that is covered in the firewalld gui ?

That GUI is quite difficult to understand.

But I see a service named "mdns". I'll try. [...] Nope, no result.

--
Cheers / Saludos,

Carlos E. R.
(from 42.3 x86_64 "Malachite" at Telcontar)
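Added example, not code from the thread or from firewalld: a small parser for the FINAL_REJECT lines above that works out what each blocked packet is and which firewall-cmd invocation would stop the reject. It uses the two kernel lines from the message (rejoined onto one line each) as constructed sample input, plus a third line I made up to show what the printer's actual mDNS announcement over UDP/5353 looks like. The point it makes: both logged packets are IGMP (PROTO=2, the kernel prints non-TCP/UDP/ICMP protocols by number), and 224.0.0.251 here is the group being reported, not an mDNS datagram. The firewalld "mdns" service only covers UDP port 5353, so the protocol itself has to be allowed with --add-protocol=igmp. The zone name "public" is an assumption (the default zone on a fresh install; check with `firewall-cmd --get-active-zones`), and --add-protocol is assumed to exist, which it does in the firewalld 0.5 series that Leap 15.0 ships.

```python
"""Classify firewalld FINAL_REJECT kernel log lines and suggest a rule.

Example code written for this thread, not part of the original post.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two lines from the message, rejoined, plus a
# made-up third line showing a real mDNS datagram (UDP 5353 -> 224.0.0.251).
SAMPLE_LOG = [
    "2018-06-21T14:23:38.716460+02:00 Legolas kernel: [103133.028003] "
    "FINAL_REJECT: IN=eth0 OUT= MAC=01:00:5e:00:00:01:f8:8e:85:64:78:f2:08:00 "
    "SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2",
    "2018-06-21T14:23:39.335490+02:00 Legolas kernel: [103133.646980] "
    "FINAL_REJECT: IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:1e:0b:08:4c:cb:08:00 "
    "SRC=192.168.1.3 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=27960 PROTO=2",
    # constructed, not from the thread:
    "2018-06-21T14:23:40.000000+02:00 Legolas kernel: [103134.000000] "
    "FINAL_REJECT: IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:1e:0b:08:4c:cb:08:00 "
    "SRC=192.168.1.3 DST=224.0.0.251 LEN=120 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF "
    "PROTO=UDP SPT=5353 DPT=5353 LEN=100",
]

# nf_log prints TCP/UDP/ICMP by name and every other IP protocol by number.
PROTO_NUMBERS = {"1": "icmp", "2": "igmp", "6": "tcp", "17": "udp"}
WELL_KNOWN_GROUPS = {
    "224.0.0.1": "all-hosts (target of IGMP general queries)",
    "224.0.0.251": "mDNS group",
}
KV_RE = re.compile(r"([A-Z]+)=(\S*)")   # KEY=value tokens; bare flags like DF are skipped


@dataclass
class Blocked:
    iface: str
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    l2_multicast: bool   # destination MAC has the group bit set (01:00:5e:... for IPv4)
    l3_multicast: bool   # destination IP lies in 224.0.0.0/4
    group_name: str
    suggestion: str      # firewall-cmd invocation, or "" if this script has none


def suggest_rule(proto: str, dst: str, dport: Optional[int], zone: str) -> str:
    """Return the firewall-cmd call that would accept this packet in `zone`."""
    if proto == "igmp":
        # IGMP is not port based, so the "mdns" service does not cover it;
        # the protocol has to be allowed in the zone explicitly.
        return f"firewall-cmd --zone={zone} --add-protocol=igmp"
    if proto == "udp" and dport == 5353 and dst == "224.0.0.251":
        return f"firewall-cmd --zone={zone} --add-service=mdns"
    return ""


def parse_line(line: str, zone: str = "public") -> Optional[Blocked]:
    """Parse one syslog line; None if it is not a firewalld reject."""
    if "FINAL_REJECT:" not in line:
        return None
    fields = dict(KV_RE.findall(line.split("FINAL_REJECT:", 1)[1]))
    # MAC= holds dst MAC (6 bytes), src MAC (6 bytes), ethertype (2 bytes).
    dst_mac_first_octet = int(fields["MAC"].split(":")[0], 16)
    dst = fields["DST"]
    l3_mcast = ipaddress.ip_address(dst).is_multicast
    raw_proto = fields["PROTO"]
    proto = PROTO_NUMBERS.get(raw_proto, raw_proto.lower())
    dport = int(fields["DPT"]) if "DPT" in fields else None
    group = WELL_KNOWN_GROUPS.get(dst, "other multicast" if l3_mcast else "unicast")
    return Blocked(
        iface=fields.get("IN", ""),
        src=fields["SRC"],
        dst=dst,
        proto=proto,
        dport=dport,
        l2_multicast=bool(dst_mac_first_octet & 0x01),
        l3_multicast=l3_mcast,
        group_name=group,
        suggestion=suggest_rule(proto, dst, dport, zone),
    )


def classify(lines: List[str], zone: str = "public") -> List[Blocked]:
    """Parse every reject line; non-matching lines are dropped."""
    return [r for r in (parse_line(l, zone) for l in lines) if r is not None]


if __name__ == "__main__":
    for rec in classify(SAMPLE_LOG):
        print(f"{rec.src} -> {rec.dst} {rec.proto:<4} {rec.group_name:<45} "
              f"{rec.suggestion or '(no suggestion)'}")
```

The commands the script prints change only the runtime configuration; add `--permanent` (and `--reload`) to keep them across a restart. One caveat before deciding to keep rejecting IGMP: the router's general queries to 224.0.0.1 are what a multicast-snooping switch uses to learn which hosts still want a group, and a host that never sees the query never answers it, so the switch can stop forwarding mDNS to that port. Allowing the protocol is usually the cheaper fix.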
