Hi All. I have been a very satisfied user of Shorewall[6] for a long time. I use it on my hosts on my LAN simply as an added protection layer and to learn.
I am running Debian 11 with Shorewall Version: 5.2.3.4-1 on this desktop. Along with other devices I have several Roku devices that were added last year. In checking the logs I find a lot of entries where packets from these devices are dropped at this host's firewall. I guess it finally annoyed me enough that I started checking things and found that the Chromium Web browser is sending queries for SSDP and the Rokus are responding. I thought I just needed to add a rule (my needs are simple so all my rules are under ?SECTION NEW) and I found that adding a rule there did not open the firewall to the responses.

After a bit of investigating with Wireshark, I see the following:

    Simple Service Discovery Protocol
        M-SEARCH * HTTP/1.1\r\n
        HOST: 239.255.255.250:1900\r\n
        MAN: "ssdp:discover"\r\n
        MX: 1\r\n
        ST: urn:dial-multiscreen-org:service:dial:1\r\n
        USER-AGENT: Chromium/98.0.4758.80 Linux\r\n
        \r\n
        [Full request URI: http://239.255.255.250:1900*]
        [HTTP request 1/4]
        [Next request in frame: 853]

and in the system logs the response is as follows:

    Feb 08 13:36:09 host kernel: net-fw DROP IN=enp2s0 OUT= MAC= SRC=192.168.0.63 DST=192.168.0.3 LEN=308 TOS=0x00 PREC=0x00 TTL=64 ID=23664 DF PROTO=UDP SPT=1900 DPT=51822 LEN=288

As I understand it, the queries are sent on the LAN to the broadcast address of 239.255.255.250 and port 1900, but the responses are sent to 192.168.0.3 and all replies are to a high port that changes every two minutes as Chromium sends its requests, which is the source of the queries. This caused me to place the rules under ?SECTION UNTRACKED. I first tried the SSDP macro:

    SSDP(ACCEPT) net:192.168.0.0/24 $FW

then:

    SSDPserver(ACCEPT) net:192.168.0.0/24 $FW

and finally:

    ACCEPT net:192.168.0.0/24 $FW udp - 1900

since the 'iptables -L' output indicated that the macro rules both set the DPT to 1900, I tried this custom rule to set the SPT to 1900 and still the packets were dropped. It seems like these packets must be processed as untracked.
I'm not sure what I'm missing. I did some searches of this list at the mail archive site and also of the documentation but didn't find an exact match for this sequence.

TIA - Nate

--
"The optimist proclaims that we live in the best of all possible worlds. The pessimist fears this is true."
Web: https://www.n0nb.us
Projects: https://github.com/N0NB
GPG fingerprint: 82D6 4F6B 0E67 CD41 F689 BBA6 FB2C 5130 D55A 8819
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
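Added example, not from Nate's message or from Shorewall itself: a small Python script that parses kernel log lines in the format shown above and separates dropped SSDP replies (UDP from source port 1900, sent unicast to the searcher's ephemeral port) from other drops, then emulates a port test to show why a rule keyed on DPT 1900, as the SSDP macros are, cannot match these replies. The log lines inside it are constructed samples modelled on the one in the message; the host and device addresses are assumptions.

```python
"""Sort dropped SSDP replies out of netfilter/Shorewall kernel log lines."""
import re
from collections import Counter

# Constructed sample log lines (not from a real host), in the kernel's format.
SAMPLE_LOG = """\
Feb 08 13:36:09 host kernel: net-fw DROP IN=enp2s0 OUT= MAC= SRC=192.168.0.63 DST=192.168.0.3 LEN=308 TOS=0x00 PREC=0x00 TTL=64 ID=23664 DF PROTO=UDP SPT=1900 DPT=51822 LEN=288
Feb 08 13:36:09 host kernel: net-fw DROP IN=enp2s0 OUT= MAC= SRC=192.168.0.64 DST=192.168.0.3 LEN=301 TOS=0x00 PREC=0x00 TTL=64 ID=1019 DF PROTO=UDP SPT=1900 DPT=51822 LEN=281
Feb 08 13:38:10 host kernel: net-fw DROP IN=enp2s0 OUT= MAC= SRC=192.168.0.63 DST=192.168.0.3 LEN=308 TOS=0x00 PREC=0x00 TTL=64 ID=23700 DF PROTO=UDP SPT=1900 DPT=40211 LEN=288
Feb 08 13:38:11 host kernel: net-fw DROP IN=enp2s0 OUT= MAC= SRC=203.0.113.9 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE pairs; empty values (OUT=) allowed


def parse_line(line):
    """Return one netfilter log line as a dict of its KEY=VALUE fields
    plus the Shorewall chain prefix (e.g. net-fw) and the action (DROP)."""
    _, _, body = line.partition("kernel: ")
    fields = dict(FIELD_RE.findall(body))   # second LEN= (UDP length) wins
    fields["chain"], fields["action"] = body.split()[:2]
    return fields


def is_ssdp_reply(f):
    """SSDP replies are UDP from source port 1900 to the searcher's ephemeral
    port; they do not look like part of the multicast M-SEARCH flow."""
    return f.get("PROTO") == "UDP" and f.get("SPT") == "1900"


def matches_port_rule(f, dport=None, sport=None):
    """Emulate a UDP rule's port test. A rule keyed on destination port 1900
    never matches a reply, because the reply carries 1900 as its SOURCE port."""
    return (f.get("PROTO") == "UDP"
            and (dport is None or f.get("DPT") == str(dport))
            and (sport is None or f.get("SPT") == str(sport)))


def summarise(log_text):
    """Count dropped SSDP replies per responding device and per destination
    (ephemeral) port, and count everything else separately."""
    by_src, by_dpt, other = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if "kernel:" not in line:
            continue
        f = parse_line(line)
        if is_ssdp_reply(f):
            by_src[f["SRC"]] += 1
            by_dpt[f["DPT"]] += 1
        else:
            other += 1
    return by_src, by_dpt, other


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Run it against `journalctl -k` output instead of the embedded sample to see how many distinct ephemeral ports the replies are aimed at over time.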