mdns-bridge one-way reflection

marcg

Can mdns-bridge be configured for "one-way" reflection?

I have a T(rusted) network and an U(ntrusted) network. I'd like

• T hosts to be able to see+query all services offered by U hosts, and
• U hosts to be unable to see any services offered by T hosts.

If I configure mdns-bridge on the U interface with an empty outbound Allow list and no other interface filters, will that have the desired effect? Thx.

dennypage

@marcg said in mdns-bridge one-way reflection:

Can mdns-bridge be configured for "one-way" reflection?

I have a T(rusted) network and an U(ntrusted) network. I'd like

• T hosts to be able to see+query all services offered by U hosts, and
• U hosts to be unable to see any services offered by T hosts.

If I configure mdns-bridge on the U interface with an empty outbound Allow list and no other interface filters, will that have the desired effect?

"Reflection" is particular to Avahi -- I've really never understood why they chose that term.

With regard to mdns-bridge, while you cannot have an empty filter list, you can have a filter list that will not match anything real, like

_nothing_

Using that as the Allow Outbound Filter on your untrusted network would effectively prevent any services from the trusted network being advertised in the untrusted network.

marcg

@dennypage Perfect, thanks.

Using Avahi presently, but I'd prefer that hosts on the untrusted network know as little as possible about hosts/services on the trusted network. Hosts on the untrusted network are ... untrusted :)

EDIT: Just tested with the suggested mdns-bridge config. Seems to work well. Connected to the T network, the mDNS "Service Browser" Android app shows a long list of advertised services, including ones from the U network. Connected to the U network, a much shorter list is shown (seems to be services only from the U network, but I haven't gone through them one by one).

Gertjan

@marcg said in mdns-bridge one-way reflection:

untrusted

I have a pfSense captive portal, so my hotel clients can 'do their thing'.
As they always forgot to bring along their own printers, I expose my company printers to them (Avahi ).
Btw : people in a hotel always want to plain boarding passes and thinks like that.

I took my printers out of my company LAN, and places them on a separate 'Printer only' LAN.
Ok, true, now they don't show up in the network neifggbnour anymore, but I don't care. They have host name, my LAN firewall rules allow a connection to these printers, so all is well.
Same thing for the portal user : I had to open up the printer ports .... so these printers are exposed to these 'untrusted' users. Imagine that they manage to take control over a printer because a printer exposes telnet port that I forgot to block.... they can now only 'see' the other two printers in that network segment, they won't have access to my LAN, they can't even go 'out' (to the net).

marcg

@Gertjan My understanding is that, in pfsense-world, mdns-bridge and Avahi (with reflection) provide essentially the same functions. The difference is that mdns-bridge provides granularity/filtering on mDNS queries/responses that Avahi does not. Firewall rules have to be configured for the associated inter-VLAN traffic -- after service discovery -- in both cases.

My use case is different from yours. The untrusted devices are largely media players of various sorts. I want to be able to control/access them from the trusted network. In limited cases, I want the untrusted devices to be able access content on the trusted network. If the trusted network were mapped via mDNS advertisements or, worse, breached based on the mapping and the limited trusted-network access from untrusted>trusted, my risk would be more significant than losing a few printers.

dennypage

@marcg said in mdns-bridge one-way reflection:

My understanding is that, in pfsense-world, mdns-bridge and Avahi (with reflection) provide essentially the same functions. The difference is that mdns-bridge provides granularity/filtering on mDNS queries/responses that Avahi does not. Firewall rules have to be configured for the associated inter-VLAN traffic -- after service discovery -- in both cases.

Avahi reflection and mdns-bridge provide the same functionality. FWIW, there are some additional benefits to mdns-bridge such as correct handling of various mDNS types (NSEC, OPT, SVCB and HTTPS), a much smaller footprint, and security improvements (simpler code, stateless, no dynamic memory allocation post initialization).

Gertjan

@marcg said in mdns-bridge one-way reflection:

I want the untrusted devices to be able access content on the trusted network

The untrusted device on the untrusted network has to contact a device on the trusted network.

This means you have to make a firewall rule on the untrusted network that allows untrusted devices to access the IP of the trusted devices on the trusted network. You should allow on a port level.
This won't be optionally - you have to do this.

When I scan my untrusted network, a captive portal, I see :

which is the list of info that printers (in another LAN) that can be accessed. Because I places a firewall rule that accepts only the IP of these printers, and the allowed 'printer ports'.

From my LAN, I could, in theory, access all untrusted devices, and it was not uncommon in the good old days that I could browse the holiday photos (everything actually) on a device that a hotel client used to access my hotel wifi (untrusted) network, as they've set up their sharing to 'everybody' (ancient windows system would allow that).

The fact that a device knows the 'address' (and more) details of a device not accessible isn't, for me, a big deal.
I - and everybody else - knows that (example) "core4.dns.ext.facebook.com" exists. It's on the biggest untrusted network that exists : the internet. I can't access it, though.