Jan Ritzerfeld wrote:
However, the strange part for me is that "avahi-resolve -n KY623B6B.local" works fine. The summary of nss-mdns tells me that it would use a running avahi daemon. I have an avahi daemon running, but nss-mdns tries to resolve the name via mDNS by itself. And fails, because of the firewall.
Try "echo mdns off >> /etc/host.conf". There is a patch in glibc that makes glibc itself resolve the .local zone instead of using nss_mdns.
Put the interface into the INT Zone instead and get used to trusting your LAN. FW_ALLOW_INCOMING_HIGHPORTS_UDP just gives you a false sense of security.
Well, the LAN connected by the interface is connected to the Internet, too. Thus, I thought the EXT zone would be correct and I have to distinguish the internal traffic by the source IP address. Yes, I know, this is somewhat weak, too. However, the internet router should filter all packets with internal addresses that come from the internet.
You could use FW_TRUSTED_NETS or FW_SERVICES_ACCEPT_EXT to allow only the IP range of your LAN.
As /etc/sysconfig/SuSEfirewall2 tells me, I want to use something like FW_SERVICES_ACCEPT_RELATED_EXT="192.168.1.0/24,udp,,mdns" since the destination port is arbitrary. But there is no mdns conntrack module that could mark the answers to the multicast packets as related.
Exactly.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
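The thread's last point (why a RELATED rule cannot help for mDNS) is easy to see with a toy model of stateful UDP filtering. The example below is added here and is not code from the thread, from SuSEfirewall2 or from nss-mdns; the `Packet`, `AcceptRule` and `Firewall` names are invented for illustration, and the rule tuple "net,proto,dport,sport" is an assumption modelled loosely on the FW_SERVICES_ACCEPT_EXT syntax quoted above. The addresses and ports are constructed sample data. It shows that a reply to a normal unicast DNS query matches the reversed conntrack tuple, while the unicast reply to a one-shot mDNS query (sent to 224.0.0.251:5353, answered from the peer's own address) does not, and that a source-port-5353 accept rule restricted to the LAN range lets it through.

```python
"""Toy model: stateful UDP matching vs. one-shot mDNS queries (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# mDNS group and port per RFC 6762; a querier that sends from a port other than
# 5353 is a "one-shot" querier and responders reply by unicast to its address/port.
MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

    def reverse(self) -> "Packet":
        """The tuple a reply to this packet would carry if it came from the same peer."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class AcceptRule:
    """Hypothetical 'net,proto,dport,sport' accept rule; None means 'any'."""
    net: str
    proto: str = "udp"
    dport: Optional[int] = None
    sport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.net)
                and (self.dport is None or p.dport == self.dport)
                and (self.sport is None or p.sport == self.sport))


class Firewall:
    """Minimal conntrack: outgoing packets create an entry, replies must reverse it."""

    def __init__(self, rules=()):
        self.rules = list(rules)
        self.conntrack = set()

    def send(self, p: Packet) -> None:
        self.conntrack.add(p)

    def receive(self, p: Packet) -> str:
        if p.reverse() in self.conntrack:
            return "ESTABLISHED"        # reply to something we sent
        for rule in self.rules:
            if rule.matches(p):
                return "ACCEPT"         # explicitly opened
        return "DROP"


def resolve_outcomes(lan: str = "192.168.1.0/24") -> Dict[str, str]:
    """Run the constructed scenarios and return what the filter decides for each."""
    me, router, peer = "192.168.1.10", "192.168.1.1", "192.168.1.23"
    out: Dict[str, str] = {}

    # 1. Plain unicast DNS: reply comes from the address we sent to -> matches.
    fw = Firewall()
    fw.send(Packet(me, 40000, router, 53))
    out["dns_reply"] = fw.receive(Packet(router, 53, me, 40000))

    # 2. One-shot mDNS query to the multicast group: the reply is unicast from
    #    the peer's own address, so the reversed tuple is never in conntrack.
    fw.send(Packet(me, 40001, MDNS_GROUP, MDNS_PORT))
    out["mdns_reply_default"] = fw.receive(Packet(peer, MDNS_PORT, me, 40001))

    # 3. Explicit rule: LAN range, udp, any dport, sport 5353 (the only
    #    stateless property a legitimate mDNS responder's reply is sure to have).
    fw_open = Firewall([AcceptRule(lan, "udp", None, MDNS_PORT)])
    fw_open.send(Packet(me, 40001, MDNS_GROUP, MDNS_PORT))
    out["mdns_reply_lan_rule"] = fw_open.receive(Packet(peer, MDNS_PORT, me, 40001))
    out["mdns_from_internet"] = fw_open.receive(Packet("203.0.113.7", MDNS_PORT, me, 40001))
    out["lan_other_sport"] = fw_open.receive(Packet(peer, 40000, me, 40001))
    return out


if __name__ == "__main__":
    for name, verdict in resolve_outcomes().items():
        print(f"{name:22s} {verdict}")
```

Two things the model makes concrete. First, no RELATED helper can fix case 2 without parsing mDNS itself, because the reply's source address is not the one in the original tuple; a rule keyed on source network and source port 5353 is the closest stateless approximation. Second, that rule trusts the source port, which any host in the allowed range (or anything that can spoof a LAN address past the router) can choose freely, so it is essentially a LAN-trust decision dressed up as a port rule, which is the objection raised earlier in the thread.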