Internet provider stepped in to restrict the internet connection due to a reachable mdns port

The internet provider stepped in to restrict the internet connection because they saw that mdns was reachable from the internet. I immediately cancelled the “exposed host” setting and also changed a setting in the internet account settings so that they temporarily filter some ports for us (including mdns). They were saying that mdns could be used for DDOS attacks.

Pioneer Freedombox has only 1 ethernet interface. eth0 is marked as external

mdns is listed under: sudo firewall-cmd --zone=internal --list-services
mdns is NOT listed under: sudo firewall-cmd --zone=external --list-services

According to firewalld.service the firewall was running:

firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset
Active: active (running) since Tue 2020-04-07 12:13:34 CEST; 2 days ago
Docs: man:firewalld(1)
Main PID: 292 (firewalld)
Tasks: 2 (limit: 2303)
Memory: 25.8M
CGroup: /system.slice/firewalld.service
└─292 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

According to Plinth the firewall might not be running.

But clicking on diagnostics the firewall is reported as running.

Some general info:

  • The freedombox runs version 20.5
  • The freedombox was marked as exposed host in the router/modem configuration (ipv4 and ipv6)

Does anyone have any idea what happened?

Hi @ubuntu_demon,
Although investigating something like this is not very trivial, assuming that the firewalld service was running, what makes you think that the mDNS traffic was initiated from the FreedomBox? If you have a single interface defined as external, it is highly unlikely that it's coming from your FreedomBox.

You're not mentioning what hardware/software you're running as your router. Additionally, you don't mention what settings your router has in relation to your FreedomBox (is it in DMZ mode, or are there specific port forwards?). Common home routers are usually more suspect for the behaviour you describe.

Unfortunately, to be 100% sure where the traffic is coming from, you'll have to do packet captures on another device on your home network.

Thanks.

It was a strange and unexpected experience.

I’m not even sure whether there was any mdns traffic. The modem/router is a fritzbox with up-to-date firmware. I used the exposed host setting which I disabled (after the provider contacted us and restricted the internet connection).

Maybe the provider did a port scan and decided on these actions based on the results of their port scan?

I don’t want to risk putting the exposed host setting back on so I can’t easily try to reproduce.

Any other ideas?

By exposed host I suspect you mean the DMZ feature that most routers have (?).
The mDNS service in Debian is provided by the avahi-daemon service.

You can disable it in your Freedombox by running the commands below:

systemctl stop avahi-daemon
systemctl stop avahi-daemon.socket
systemctl mask avahi-daemon
systemctl mask avahi-daemon.socket

You need to run them as root user or with sudo.

In general, mDNS is used to resolve hostnames in your local network. If your ISP insists that they detected such traffic from your network, you can email them asking for specifics of the traffic they received. That way you'll be able to recognize the host names and IP addresses that were sent.
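Added example, not from this thread or from FreedomBox: a small audit that reads the text of `firewall-cmd --list-all-zones` (the zone listing from the first post) and reports only zones where mdns is allowed on a zone that actually has an interface bound, which is the check to run before deciding whether disabling avahi-daemon is needed at all. The sample zone listing, including the extra `home` zone on `wlan0`, is constructed.

```shell
#!/bin/sh
# Added example for this thread (not FreedomBox code): audit firewalld zones
# for an mdns service that is actually reachable, i.e. allowed on a zone that
# has an interface bound to it. On a single-NIC box where eth0 is in
# "external", an mdns entry in "internal" is not exposed; mdns on a zone
# with an interface is.

# Reads `firewall-cmd --list-all-zones` text on stdin and prints
# "<zone> <interfaces>" for every zone that has interfaces and allows mdns.
audit_mdns_zones() {
    awk '
        function report() {
            if (zone != "" && ifaces != "" && mdns) print zone, ifaces
        }
        # Zone headers are unindented, e.g. "external (active)" or "internal".
        /^[^ \t]/ { report(); zone = $1; ifaces = ""; mdns = 0; next }
        /^[ \t]+interfaces:/ { sub(/^[ \t]+interfaces:[ \t]*/, ""); ifaces = $0; next }
        /^[ \t]+services:/ {
            for (i = 2; i <= NF; i++) if ($i == "mdns") mdns = 1
            next
        }
        END { report() }
    '
}

# Constructed sample in the shape of `firewall-cmd --list-all-zones` output,
# mirroring the thread: eth0 in external (no mdns), mdns only in internal
# (no interface), plus a hypothetical "home" zone with mdns on wlan0.
SAMPLE_ZONES='external (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client http https ssh
internal
  target: default
  interfaces:
  services: dhcpv6-client mdns samba-client ssh
home (active)
  target: default
  interfaces: wlan0
  services: dhcpv6-client mdns ssh
'

# Stand-alone run over the sample: prints "home wlan0". On the box itself use
# `sudo firewall-cmd --list-all-zones | audit_mdns_zones`.
printf '%s' "$SAMPLE_ZONES" | audit_mdns_zones
```

An empty result means no zone with a bound interface allows mdns, so the firewall is not what exposed port 5353; the remaining suspects are the router's exposed-host/DMZ setting and the window before firewalld comes up.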

Yeah as far as I know DMZ = exposed host.

thanks

You can also disable avahi-daemon through System > Service Discovery.

So is this a bug?

Like I explained in the first post firewalld.service seems running and the diagnostics pass.

What OS version are you using, and what does this command return:
sudo -u plinth sudo /usr/share/plinth/actions/firewall get-status

sudo -u plinth sudo /usr/share/plinth/actions/firewall get-status ====>>>
Sorry, user XXXXXXX is not allowed to execute ‘/usr/bin/sudo /usr/share/plinth/actions/firewall get-status’ as plinth on freedombox.ubuntudigilab.freedombox.rocks.

sudo su plinth ===>
This account is currently not available.

sudo /usr/share/plinth/actions/firewall get-status ==>
running

FreedomBox has been updated to version 20.5

output of lsb_release -a ==>>>
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster

sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-04-19 21:17:07 CEST; 21min ago
Docs: man:firewalld(1)
Main PID: 285 (firewalld)
Tasks: 2 (limit: 2303)
Memory: 25.2M
CGroup: /system.slice/firewalld.service
└─285 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Firewall was only running for about 21 minutes because that was the uptime of the freedombox. I’m currently not physically near the freedombox.

There might be some kind of network/internet problem that I can investigate when I get there physically. Hard to explain through text because I get my information from someone who isn’t technical who lives near the freedombox. On my end I can see that sometimes the freedombox isn’t reachable.

Try to run this command as a root user.