Using avahi to resolve hosts
-
It appears that using avahi on pfsense does not support the ability to resolve local hosts. Using the command line gets this error wiht avahi-browse or avahi-resolve.
Failed to create client object: Daemon not runningFor security reasons, it is highly desirable to disable IPv4 and IPv6 global addressing on untrustworthy IoT device and use some form of proxing to access them using the IPv6 link scope addresses. But this requires avahi to resolve these IP addresse.
-
@clauder said in Using avahi to resolve hosts:
But this requires avahi to resolve these IP addresse.
huh? I resolve all my local devices by name, they do not have global IPv4 address they are all on rfc1918 and sure not using avahi, so not sure exactly what your asking?
-
@johnpoz Actually, those private addresses still allow a device to reach the internet via a NAT service and leak anything a malicious actor wants. Using IPv6 link scope actually curtails that. It is one notch higher in term of security.
-
@clauder A simple firewall rule, you know since running a firewall ;) does that as well hehehe
-
@johnpoz Of course. I am just doing an analysis for an architecture that does not rely on removing capability (via a firewall rule here). In ultra secure setup, it is always better to have nothing and add the vry few things you need.
A firewall rule can disappear without notice!!!!
-
@clauder said in Using avahi to resolve hosts:
A firewall rule can disappear without notice!!!!
The default is deny, so how is it the default deny just disappears? Someone would have to on purpose create an allow..
-
@clauder I think the possibility that a security issue is introduced by adding a component such as Avahi to the mix is far greater than the possibility of a firewall rule randomly disappearing.
-
@dennypage avahi just doesn't work - there are multiple steps required to get it working with firewall rules, and all that would be would be discovery. It wouldn't allow access.. its mdns..