This is my first attempt at understanding and using firewalls on Linux, but I'm unfortunately finding the documentation for both iptables and nftables utterly confusing.
As a baby step towards understanding how nftables works, I'm trying to allow mDNS traffic through nftables. (Which I thought would involve opening up some inbound and/or outbound ports and maybe some logging/monitoring if needed.)
My initial instinct is to add the following to /etc/nftables.conf on the target host:
table inet filter {
  chain input {
    ...
    # allow mDNS
    udp dport mdns accept
    ...
  }
  ...
}
But it doesn't seem like it's sufficient. Some context:
I have observed that when nftables (with the above configuration) is running, mDNS doesn't work in either direction. (i.e. mDNS resolution doesn't work when trying to access the host or when trying to access other LAN hosts from the host running nftables.)
I have verified that if I stop nftables.service, mDNS works in both directions.
I have tried to look into how to do logging in nftables but am completely confused. I'm surprised that super basic tutorials are not readily available. (e.g. Simple deny TCP/80, Accept TCP/443, and log/view traffic that's been denied/accepted would be a good start.)
Given that, I have 2 questions:
Is there a way/what is the way for me to monitor/log the traffic passing through the firewall? I would like to see what kind of traffic is hitting and being filtered out by nftables to identify additional ports/traffic I missed for mDNS.
Does anyone know the proper way to configure nftables to allow mDNS (both directions)?
Thanks in advance for your help!
Last edited by thehungryturnip (2019-08-29 20:51:37)
That firewall rule should work. Are you sure that some other rule before it is not interfering?
nftables supports logging; read https://wiki.nftables.org/wiki-nftables … ng_traffic.
I was building off of the default nftables "simple and safe firewall" that was provided. Here's the entire /etc/nftables.conf:
#!/usr/bin/nft -f
# ipv4/ipv6 Simple & Safe Firewall
# you can find examples in /usr/share/nftables/

table inet filter {
  chain input {
    type filter hook input priority 0;

    # allow established/related connections
    ct state {established, related} accept

    # early drop of invalid connections
    ct state invalid drop

    # allow from loopback
    iifname lo accept

    # allow icmp
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # allow mDNS
    udp dport mdns accept

    # allow ssh
    tcp dport ssh accept

    # everything else
    reject with icmpx type port-unreachable
  }
  chain forward {
    type filter hook forward priority 0;
    drop
  }
  chain output {
    type filter hook output priority 0;
  }
}

# vim:set ts=2 sw=2 et:
From what I can see, only packets where the connection state is invalid get dropped prior to my "udp dport mdns accept" line. (I'm assuming that the mDNS packets are not considered invalid?)
I'll take a closer look at the link to logs you're referencing and let the forum know if I find anything.
I figured it out!
tl;dr This whole time I thought mDNS was being used for local network name resolution, while it's actually LLMNR, which runs on UDP/5355.
In more detail (for the purpose of being useful information for other newbies):
I decided that nftables logs were too complex to figure out for what I need so I went with tcpdump instead. I disabled nftables.service and ran tcpdump on the destination host filtered by the source host:
sudo tcpdump -i <destination interface> host <source host> -vv -n
Then I pinged from the source host and noticed that the traffic comes in on port 5355 and not the port I expected (5353):
<source host ip>.5355
I modified my nftables.conf to open the LLMNR port instead of MDNS:
table inet filter {
  chain input {
    ...
    # allow llmnr
    udp dport llmnr accept
    ...
  }
  ...
}
After restarting nftables.service, local network hostname resolution is now working!
LLMNR also uses TCP port 5355, so you may want to open that too.
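Putting the thread together (the logging question in the first post and the mDNS/LLMNR rules in the last two), here is an added example ruleset that is not from any poster: the "simple and safe" template with mDNS, LLMNR on both UDP and TCP, and a rate-limited log of everything that is about to be rejected. The log prefix and the 10/minute limit are my own choices, not nftables defaults.

```nft
#!/usr/bin/nft -f
# Added example: simple & safe template plus local name resolution and reject logging.
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # replies to connections this host opened, and nothing malformed
    ct state {established, related} accept
    ct state invalid drop

    iifname "lo" accept
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # mDNS (UDP/5353, multicast 224.0.0.251 / ff02::fb); unicast replies from
    # other hosts do not match conntrack, so the port is opened unconditionally
    udp dport mdns accept

    # LLMNR (5355, multicast 224.0.0.252 / ff02::1:3) uses UDP for queries
    # and falls back to TCP for large answers, so both are opened
    udp dport llmnr accept
    tcp dport llmnr accept

    tcp dport ssh accept

    # everything else: log first (rate-limited so a port scan cannot flood the
    # kernel log), then reject. "flags all" adds TCP/IP options and UID details.
    limit rate 10/minute log prefix "nft-input-reject: " flags all
    reject with icmpx type port-unreachable
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}
```

`nft -c -f /etc/nftables.conf` checks the file for syntax errors without loading it, and the logged rejects show up in the kernel log, e.g. `journalctl -k -g nft-input-reject`.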