Hi All.

I have been a very satisfied user of Shorewall for a long time.  I
use it on my hosts on my LAN simply as an added protection layer and to
learn.

I am running Debian 11 with Shorewall Version: 5.2.3.4-1 on this
desktop.  Along with other devices I have several Roku devices that were
added last year.  In checking the logs I find a lot of entries where
packets from these devices are dropped at this host's firewall.  I guess
it finally annoyed me enough that I started checking things and found
that the Chromium Web browser is sending queries for SSDP and the Rokus
are responding.  I thought I just needed to add a rule (my needs are
simple so all my rules are under ?SECTION NEW) and I found that adding a
rule there did not open the firewall to the responses.

After a bit of investigating with Wireshark, I see the following:

Simple Service Discovery Protocol
    M-SEARCH * HTTP/1.1\r\n
    HOST: 239.255.255.250:1900\r\n
    MAN: "ssdp:discover"\r\n
    MX: 1\r\n
    ST: urn:dial-multiscreen-org:service:dial:1\r\n
    USER-AGENT: Chromium/98.0.4758.80 Linux\r\n
    \r\n
    [Full request URI: http://239.255.255.250:1900*]
    [HTTP request 1/4]
    [Next request in frame: 853]

and in the system logs the response is as follows:

Feb 08 13:36:09 host kernel: net-fw DROP IN=enp2s0 OUT= MAC= SRC=192.168.0.63 DST=192.168.0.3 LEN=308 TOS=0x00 PREC=0x00 TTL=64 ID=23664 DF PROTO=UDP SPT=1900 DPT=51822 LEN=288

As I understand it, the queries are sent on the LAN to the broadcast
address of 239.255.255.250 and port 1900, but the responses are sent to
192.168.0.3, and all replies are to a high port that changes every two
minutes as Chromium, which is the source of the queries, sends its
requests.  This caused me to place the rules under ?SECTION UNTRACKED.

I first tried the SSDP macro:

SSDP(ACCEPT)   net:192.168.0.0/24     $FW

then:

SSDPserver(ACCEPT)     net:192.168.0.0/24             $FW

and finally:

ACCEPT         net:192.168.0.0/24     $FW     udp     -       1900

since the 'iptables -L' output indicated that the macro rules both set
the DPT to 1900, I tried this custom rule to set the SPT to 1900 and
still the packets were dropped.

It seems like these packets must be processed as untracked.

I'm not sure what I'm missing.  I did some searches of this list at the
mail archive site and also of the documentation but didn't find an exact
match for this sequence.

TIA

- Nate

-- 
"The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true."
Web: https://www.n0nb.us
Projects: https://github.com/N0NB
GPG fingerprint: 82D6 4F6B 0E67 CD41 F689 BBA6 FB2C 5130 D55A 8819
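Added example (not from the post or from Shorewall itself): a small Python script that parses netfilter log lines in the format quoted above, counts dropped SSDP responses per Roku/host pair, and models the conntrack tuple check that explains why such replies arrive in NEW state. The first log line is the one from the post; the other lines are constructed variants, and the tuple functions are a simplification of conntrack's reply-direction matching (the original tuple with source and destination swapped).

```python
import re
from collections import Counter

# Constructed sample log. Line 1 is quoted from the post; lines 2-4 are made up
# (a second Roku, a later Chromium search on a new ephemeral port, an unrelated TCP drop).
SAMPLE_LOG = """\
Feb 08 13:36:09 host kernel: net-fw DROP IN=enp2s0 OUT= MAC= SRC=192.168.0.63 DST=192.168.0.3 LEN=308 TOS=0x00 PREC=0x00 TTL=64 ID=23664 DF PROTO=UDP SPT=1900 DPT=51822 LEN=288
Feb 08 13:36:09 host kernel: net-fw DROP IN=enp2s0 OUT= MAC= SRC=192.168.0.64 DST=192.168.0.3 LEN=310 TOS=0x00 PREC=0x00 TTL=64 ID=23665 DF PROTO=UDP SPT=1900 DPT=51822 LEN=290
Feb 08 13:38:10 host kernel: net-fw DROP IN=enp2s0 OUT= MAC= SRC=192.168.0.63 DST=192.168.0.3 LEN=308 TOS=0x00 PREC=0x00 TTL=64 ID=23670 DF PROTO=UDP SPT=1900 DPT=40021 LEN=288
Feb 08 13:38:11 host kernel: net-fw DROP IN=enp2s0 OUT= MAC= SRC=192.168.0.99 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Turn one netfilter log line into a dict of KEY=VALUE fields plus the log prefix."""
    fields = dict(FIELD_RE.findall(line))
    # The Shorewall log prefix ("net-fw DROP") sits between "kernel:" and the first "IN=".
    fields["PREFIX"] = line.split("kernel:", 1)[1].split(" IN=", 1)[0].strip()
    return fields


def is_ssdp_unicast_reply(f):
    """An SSDP response is UDP from source port 1900 to a non-1900 (ephemeral) port."""
    return f.get("PROTO") == "UDP" and f.get("SPT") == "1900" and f.get("DPT") != "1900"


def dropped_ssdp_replies(log_text):
    """Count dropped SSDP responses per (responder, receiver) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if "DROP" in f["PREFIX"] and is_ssdp_unicast_reply(f):
            counts[(f["SRC"], f["DST"])] += 1
    return counts


def conntrack_reply_tuple(src, sport, dst, dport):
    """Simplified model: the reply conntrack expects is the original tuple with ends swapped."""
    return (dst, dport, src, sport)


def reply_matches_flow(orig, reply):
    """True if an inbound (src, sport, dst, dport) packet is the reply direction of orig."""
    return conntrack_reply_tuple(*orig) == reply


if __name__ == "__main__":
    for (src, dst), n in dropped_ssdp_replies(SAMPLE_LOG).items():
        print(f"{n} dropped SSDP replies from {src} to {dst}")
    msearch = ("192.168.0.3", 51822, "239.255.255.250", 1900)   # Chromium's M-SEARCH
    roku_reply = ("192.168.0.63", 1900, "192.168.0.3", 51822)   # what actually comes back
    print("reply matches tracked flow:", reply_matches_flow(msearch, roku_reply))
```

Because the M-SEARCH went to 239.255.255.250 but the answer comes from the Roku's own address, the reply does not match the tracked flow, so the firewall sees it as a new inbound UDP packet rather than as part of the outgoing query.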


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
