Package: ipmasq
Version: 4.0.8-5
Severity: normal
I have the following dropped-packet log:
Aug 22 04:33:17 My kernel: [330025.308200] IN=eth0 OUT= MAC= SRC=192.168.1.13
DST=224.0.0.251 LEN=93 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353
DPT=5353 LEN=73
with the following configuration:
[EMAIL PROTECTED]:~# ipmasq -d
#: Interfaces found:
#: eth0 192.168.1.5/255.255.255.192
#: eth0:0 192.168.1.13/255.255.255.192
#: eth0 192.168.1.5/255.255.255.192
#: eth0:0 192.168.1.13/255.255.255.192
...
#: Accept dumb broadcast packets on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
#: Accept incoming packets from external networks on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 192.168.1.5/32
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 192.168.1.63/32
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 192.168.1.13/32
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 192.168.1.63/32
[EMAIL PROTECTED]:~# dpkg -l avahi-daemon
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Nome Versione Descrizione
+++-==============-==============-============================================
ii avahi-daemon 0.6.23-2 Avahi mDNS/DNS-SD daemon
Obviously the problem is with multicast DNS packets going out from the
virtual external interface eth0:0 and coming back in on the external
interface eth0.
These packets are generated by avahi-daemon. The following command
demonstrates the problem:
[EMAIL PROTECTED]:# /etc/init.d/avahi-daemon restart
Restarting Avahi mDNS/DNS-SD Daemon: avahi-daemon.
I have more than one external IP address on the public interface.
A solution is to accept packets generated by the system itself.
I suggest adding to O90extbcast.def, or to a new rule file
(D90extmcast.def), something to mark local outgoing mDNS packets:
for i in $EXTERNAL_OUT; do
    ipnm_cache $i
    $IPTABLES -t mangle -A OUTPUT -j MARK --set-mark 5353 -o ${i%%:*} \
        -s $IPOFIF/32 -d 224.0.0.251 -p udp --sport 5353 --dport 5353
done
and accept them in the INPUT filter rules. I suggest adding to
I90extbcast.def, or to a new rule file (I90mcast.def), something like:
for i in $EXTERNAL_IN; do
    [ "$i" != "${i%%:*}" ] && continue
    $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -m mark --mark 5353
done
I don't know avahi-daemon or Multicast DNS, so I don't know if it's
a good solution or whether there are other solutions.
Thank you, Guido Bozzetto.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (560, 'testing'), (550, 'testing'), (545, 'testing-proposed-updates'), (460, 'stable'), (445, 'proposed-updates'), (440, 'stable'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages ipmasq depends on:
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
ii iptables 1.4.1.1-2 administration tools for packet fi
ipmasq recommends no packages.
Versions of packages ipmasq suggests:
pn bridge-utils <none> (no description available)
ii mc 2:4.6.2~git20080311-3 midnight commander - a powerful fi
ii oidentd 2.0.8-1.2 replacement ident daemon
-- debconf information:
ipmasq/external-rules-moved: true
* ipmasq/start-location: After network interfaces are brought up
ipmasq/dpkg-conffiles:
* ipmasq/ppp-turn-off:
ipmasq/old-ipmasq.conf: true
ipmasq/old-rc.boot-file: true
* ipmasq/start: true
ipmasq/ppp-turn-on:
ipmasq/move-ipmasq.rules: true
* ipmasq/ppp-recompute: true
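As an added illustration (not part of the report and not ipmasq's own code), the script below generates the two rule sets proposed above for a list of external interfaces, stripping the alias suffix and skipping aliases in the INPUT loop, and checks a netfilter log line like the one in the report against the mark rule's match criteria. It replaces ipmasq's ipnm_cache with a constructed interface-to-address table and prints the iptables commands instead of running them; the ip_of_if, field and is_local_mdns names are this example's own.

```shell
#!/bin/sh
# Added example, not ipmasq code: emit the mark/accept rules the report
# proposes and classify a netfilter log line against the mark rule.
# ipmasq's ipnm_cache is replaced by a constructed table (assumption).
IPTABLES=/sbin/iptables
MDNS_MARK=5353
MDNS_GROUP=224.0.0.251
# Constructed interface -> address table standing in for ipnm_cache.
ip_of_if() {
  case "$1" in
    eth0)   echo 192.168.1.5 ;;
    eth0:0) echo 192.168.1.13 ;;
    *)      return 1 ;;
  esac
}
# mangle OUTPUT: one MARK rule per external address on the base device
# (alias suffix ":0" stripped, since -o only accepts real devices).
gen_output_rules() {
  for i in "$@"; do
    ip=$(ip_of_if "$i") || continue
    echo "$IPTABLES -t mangle -A OUTPUT -j MARK --set-mark $MDNS_MARK" \
         "-o ${i%%:*} -s $ip/32 -d $MDNS_GROUP -p udp --sport 5353 --dport 5353"
  done
}
# filter INPUT: one ACCEPT per base device; aliases skipped to avoid duplicates.
gen_input_rules() {
  for i in "$@"; do
    [ "$i" != "${i%%:*}" ] && continue
    echo "$IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -m mark --mark $MDNS_MARK"
  done
}
# KEY=value lookup in a netfilter log line (empty when the key is absent).
field() { case "$2" in *"$1="*) v=${2#*"$1="}; echo "${v%% *}" ;; esac; }
# 0 when the logged packet is one the mark rule would have tagged: from one
# of our external addresses to the mDNS group, UDP 5353 -> 5353.
is_local_mdns() {
  line=$1; shift
  [ "$(field DST "$line")" = "$MDNS_GROUP" ] && [ "$(field PROTO "$line")" = UDP ] &&
  [ "$(field SPT "$line")" = 5353 ] && [ "$(field DPT "$line")" = 5353 ] || return 1
  src=$(field SRC "$line")
  for i in "$@"; do [ "$(ip_of_if "$i")" = "$src" ] && return 0; done
  return 1
}
# Constructed log line: the report's dropped packet joined onto one line.
LOG='Aug 22 04:33:17 My kernel: [330025.308200] IN=eth0 OUT= MAC= SRC=192.168.1.13 DST=224.0.0.251 LEN=93 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=73'
gen_output_rules eth0 eth0:0
gen_input_rules eth0 eth0:0
is_local_mdns "$LOG" eth0 eth0:0 && echo "local mDNS: would be marked and accepted"
```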