Internet provider stepped in to restrict the internet connection due to a reachable mdns port

The internet provider stepped in to restrict the internet connection because they saw that mdns was reachable from the internet. I immediately cancelled the “exposed host” setting and also changed a setting in the internet account settings so that they temporarily filter some ports for us (including mdns). They were saying that mdns could be used for DDOS attacks.

Pioneer Freedombox has only 1 ethernet interface. eth0 is marked as external

mdns is listed under: sudo firewall-cmd --zone=internal --list-services
mdsn is NOT listed under: sudo firewall-cmd --zone=external --list-services

According to firewalld.service the firewall was running:

firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset
Active: active (running) since Tue 2020-04-07 12:13:34 CEST; 2 days ago
Docs: man:firewalld(1)
Main PID: 292 (firewalld)
Tasks: 2 (limit: 2303)
Memory: 25.8M
CGroup: /system.slice/firewalld.service
└─292 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

According to Plinth the firewall might not be running.

But clicking on diagnostics the firewall is reported as running.

Some general info:

  • The freedombox runs version 20.5
  • The freedombox was marked as exposed host in the router/modem configuration (ipv4 and ipv6)

Anyone any idea what happened ?

Hi @ubuntu_demon,
Although investigating something like this is not very trivial, assuming that firewalld service was running what makes you think that mDNS traffic was initiated from freedombox? If you have a single interface defined as external, it is highly unlikely that it s coming from your Freedombox.

You re not mentioning what hardware/software you re running as your router. Additionally you dont mention in what settings you have your router related to your Freedombox (is it in a DMZ mode or specific port forwards). Common home routers are usually more suspicious for behavior that you describe.

Unfortunately, being 100% sure from where the traffic is coming from you ll have to do packet captures on another device on your home network.


It was a strange and unexpected experience.

I’m not even sure whether there was any mdns traffic. The modem/router is a fritzbox with up-to-date firmware. I used the exposed host setting which I disabled (after the provider contacted us and restricted the internet connection).

Maybe the the provider did a port scan and decided these actions based on the results of their port scan ?

I don’t want to risk putting the exposed host setting back on so I can’t easily try to reproduce.

Any other ideas ?

By exposed host I suspect you mean DMZ feature that most routers have(?).
The mDNS service in Debian is provided from avahi-daemon service.

You can disable it in your Freedombox by running the commands below:

systemctl stop avahi-daemon
systemctl stop avahi-daemon.socket
systemctl mask avahi-daemon
systemctl mask avahi-daemon.socket

You need to run them as root user or with sudo.

In general, the mDNS is used to resolve a hostname in your local network. If your ISP insists that they detected such traffic from your network, you can email asking them for specifics of the traffic they received. You ll be able like that to recognize host names and ip addresses that were send.

Yeah as far as I know DMZ = exposed host.


You can also disable avahi-daemon through System > Service Discovery.

So is this a bug ?

Like I explained in the first post firewalld.service seems running and the diagnostics pass.

What OS version you are using and what does this command return:
sudo -u plinth sudo /usr/share/plinth/actions/firewall get-status

sudo -u plinth sudo /usr/share/plinth/actions/firewall get-status ====>>>
Sorry, user XXXXXXX is not allowed to execute ‘/usr/bin/sudo /usr/share/plinth/actions/firewall get-status’ as plinth on

sudo su plinth ===>
This account is currently not available.

sudo /usr/share/plinth/actions/firewall get-status ==>

FreedomBox has been updated to version 20.5

output of lsb_release -a ==>>>
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster

sudo firewalld status
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-04-19 21:17:07 CEST; 21min ago
Docs: man:firewalld(1)
Main PID: 285 (firewalld)
Tasks: 2 (limit: 2303)
Memory: 25.2M
CGroup: /system.slice/firewalld.service
└─285 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Firewall was only running for about 21 minutes because that was the uptime of the freedombox. I’m currently not physically near the freedombox.

There might be some kind of network/internet problem that I can investigate when I get there physically. Hard to explain through text because I get my information from someone who isn’t technical who lives near the freedombox. On my end I can see that sometimes the freedombox isn’t reachable.

Try to run this command as a root user.