Add mDNS support for local networks #326
If the LAN Control checkbox is selected in preferences, apps should not have access to 224.0.0.251:5353 (UDP) unless they have their LAN checkbox selected. I think a few valid reasons for changing this are:

Many users think that when they enable the LAN checkbox for an app, it will be able to access anything that doesn't need to be routed (anything on the Local Area Network). I think that a request (and response) to 224.0.0.251:5353 (UDP) should be included in that. Conversely, I think that apps which do not have the LAN checkbox enabled should not be able to access this address. Apps are regularly found in the app store that do unwanted data collection on unsuspecting users. Why does Angry Birds need to know that a user has a Samsung printer, an iPhone and a wireless webcam on their network? It wouldn't know if it could just be granted internet permissions (WiFi) while being forbidden from accessing info about the local network (other than the default gateway).

I have an HP printing app that I use. If the internet cable on my DSL is plugged in, the app will attempt to send the print job to HP for 'processing' first. However, if I unplug my DSL modem, and enable the WiFi and LAN checkboxes, it prints fine. But, if I disable the WiFi checkbox, which would allow me to use it without unplugging the DSL modem, and without HP learning my recipe for pineapple upside-down cake :-), it ceases to work. All communications are happening within the LAN, but it fails to work because a "LAN" address, the mDNS broadcast address, is actually identified as being in the WiFi "security group".

Also, there is no reason to set up another 'option' in the settings menu. When you check the "LAN Control" option, that is already there, 224.0.0.251:5353 (UDP) should be allowed only for apps that have their LAN checkbox selected.

I hope this helps to explain my thoughts and concerns. Please let me know if I can further clarify things. Communicating about this over the internet is very tedious. I hope I come across clearly. There is all kind of potential for misunderstanding. Thank you for your time considering this.
Another use case is apps that only have LAN enabled are unable to discover DLNA media servers on the LAN. I assume most users, regardless of their technical abilities, would expect enabling LAN access for an app would allow that app to find their media server on the LAN. I use a custom script to allow multicast, but not all users would be able to figure that out.
http://en.m.wikipedia.org/wiki/Multicast_address

Example script:
From a cursory exploration of http://en.m.wikipedia.org/wiki/Multicast_address it seems that the following:

- 224.0.0.1 - all hosts on this subnet

are the main addresses to be concerned with.
I thought 224.0.0.1-255 was local subnet only: "Addresses in the range of 224.0.0.0 to 224.0.0.255 are individually assigned by IANA and designated for multicasting on the local subnetwork only. Routers must not forward these messages outside the subnet in which they originate." But that was just from Wikipedia, which I wouldn't rely on.
I get lots of toasts about AFWall blocking mDNS requests in some circumstances on CM12.1 2015-11-02. The requests originate from mdnsd (from mdnsresolver), which is started from NsdService. What do you suggest?

Unfortunately, I don't see how to debug which app is causing the NsdService to enable.
I'm on CM12.1.1-20151106 (Xposed+Xprivacy) and AFWall+ 2.1.1. and lately I get tons of toasts like
AppID -11 is the Linux Kernel and everything is whitelisted for this process. So is there a workaround or a possible fix, or a fault on my side?

That is why we use firewalls, right? But it still bugs me that I whitelisted everything for the process but these packets get blocked anyway. I don't get why the CM team should be asked (except why they implemented it). The main problem here, as I see it, is that AFWall doesn't comply with the rules that have been set.

Update: I tried the AFWall Notification Filter, and even ticking ALL apps and processes, the mentioned notification still pops up. This is another indicator that something is wrong with AFWall or my local installation. Link to afwall_rules.log.txt on Dropbox
Thank you @CHEF-KOCH for the explanation. Unfortunately I'm not experienced enough to "play with the configuration". Maybe I'm not capable enough to understand your explanation, but does it actually explain why I can't control the blocking of mDNS via the AFWall GUI?

I'm having this issue too, "Linux kernel" is whitelisted and LAN control is disabled. The notifications are really annoying.
On 2015-11-24 17:27, CHEF-KOCH wrote:
Added support for localnet multicast adresses (ipv4 and ipv6) #620

Why is UID 1020 (AID_MDNSR 1020 /* MulticastDNSResponder (service discovery) */) not available in the app list to allow/deny explicitly? I'm trying to get the Android TV remote app to work, which uses mDNS, without much luck.

I'm also seeing a lot of alerts for mDNS being blocked, but it doesn't show up in the AFWall list of processes.

I'm seeing these notifications as well. It appears to be the Facebook app triggering these mDNS packets. While I am quite content to have the traffic denied, without an entry on the app list it makes blocking the notification spam impossible without disabling all notifications. Getting an entry for UID 1020 onto the app list would be useful in suppressing the noise, as well as a benefit for the users who are using mDNS in their networks and would like to permit the traffic.

Why is the Facebook app triggering these mDNS packets?
I have no idea why the Facebook app is causing Android to generate mDNS traffic under UID 1020. Searches for Facebook Android app and mDNS were fruitless. I don't currently use mDNS from my Android, so I am content to let AFWall+ block it, but it would be nice to be able to disable the barrage of notifications AFWall+ is generating without resorting to disabling all AFWall+ block notifications. Until UID 1020 appears in the application list, or more specifically the notification suppression list, I'm left with only two unsatisfactory options.

I'm also looking for a solution to suppress the blocked mDNS packet notifications.

Not really, I was expecting issues since all the devices/iptables are not the same. That's the reason I wanted to separate it from core. Already reported failure. I might revert the change and work on my alternate approach.

I have the same issue @hackel has. I get toasts about 1020 mDNS, but mDNS is not listed in the apps, nor is the 1020 process.

Also seeing this... same destination 224.0.0.251:5353. This is (on my side) caused by the Beoplay app, which is trying to find and connect to the speaker (connected via Bluetooth).
fe80 should never be blocked, really. I think I will examine the rules created by AFWall to see what standards are being broken. Right now, with all boxes ticked on kernel, and mDNS also allowed on both WiFi and LAN, I get mDNS being blocked as well as ICMP. ICMP is a nasty one as well, as ICMP is important for MTU discovery. The solution to this problem is allow rules for the following (bypass app restrictions): allow ICMPv6 types timex, toobig, unreach, paramprob globally. I will make a custom script for this, which maybe could be added to the wiki.

Please paste it here when you have a working one.

You can add mDNS from the list of apps to the whitelist (LAN access should be least) in 3.2.0.

I do not have mDNS listed, on LineageOS 7.1 using 3.1 from F-Droid.
When I enable "LAN control" on my Android device I cannot send out mDNS requests. mDNS broadcasts go to 224.0.0.251 on UDP port 5353. This request stays within the local network and, I believe, should be allowed. It's useful for printer and device discovery.
My request is that this address range would be allowed/whitelisted when I enable 'LAN communication' for one of my apps.
More info on mDNS can be found at: https://en.wikipedia.org/wiki/Multicast_DNS
Thanks for your time developing this program.
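The thread's proposal is that mDNS (UDP port 5353 to 224.0.0.251, and to ff02::fb on IPv6) should follow the per-app LAN permission rather than the WiFi one, and that blocked mDNS from unlisted UIDs such as 1020 should not flood the notifications. The script below is an added example of how such a rule set can be expressed with iptables `owner` matches; it is not AFWall+'s own code and not one of the custom scripts mentioned in the comments. It assumes a rooted Android with iptables/ip6tables that support `-m owner`, that the chain name `afwall-mdns` is unused, and that the UIDs passed in (1020 for mdnsd, plus a constructed app UID 10123) are the ones meant to have LAN access. By default it only prints the commands; set `IPT=iptables IP6T=ip6tables` to apply them. It also includes a small check for the 224.0.0.0/24 "local network only" block discussed above, which 224.0.0.251 belongs to.

```shell
#!/system/bin/sh
# Added example, not AFWall+ code. Tie mDNS to a per-UID allow list so that only
# UIDs meant to have LAN access may send to 224.0.0.251:5353 / [ff02::fb]:5353,
# while every other UID's mDNS is dropped before AFWall's logging rule sees it.
# Assumptions: iptables/ip6tables with the "owner" match, root, and a free chain
# name. IPT/IP6T default to a dry run that only prints the commands.
IPT="${IPT:-echo iptables}"
IP6T="${IP6T:-echo ip6tables}"
CHAIN="afwall-mdns"      # hypothetical chain name
MDNS4="224.0.0.251"      # IPv4 mDNS group (RFC 6762)
MDNS6="ff02::fb"         # IPv6 link-local mDNS group (RFC 6762)

# Succeeds only for addresses in 224.0.0.0/24, the block IANA reserves for the
# local subnet (routers must not forward it). 224.0.0.251 is inside this block;
# 224.0.1.x and the 239.x.x.x organisation-local ranges are not.
is_local_multicast4() {
    case "$1" in
        224.0.0.[0-9]|224.0.0.[1-9][0-9]|224.0.0.1[0-9][0-9]|224.0.0.2[0-4][0-9]|224.0.0.25[0-5])
            return 0 ;;
        *)  return 1 ;;
    esac
}

# build_chain TOOL ADDR IFACE UID...: (re)create $CHAIN for one address family
# and hook it at the top of OUTPUT so it runs before AFWall's per-UID rules.
build_chain() {
    tool="$1"; addr="$2"; iface="$3"; shift 3
    $tool -N "$CHAIN" 2>/dev/null || true          # harmless if it already exists
    $tool -F "$CHAIN"
    $tool -D OUTPUT -j "$CHAIN" 2>/dev/null || true # avoid duplicate hooks on re-run
    $tool -I OUTPUT -j "$CHAIN"
    for uid in "$@"; do
        # permitted UID: accept mDNS queries on the LAN interface
        $tool -A "$CHAIN" -o "$iface" -p udp -d "$addr" --dport 5353 \
              -m owner --uid-owner "$uid" -j ACCEPT
    done
    # everyone else: drop without a LOG/NFLOG rule, so no "blocked" toast is raised
    $tool -A "$CHAIN" -o "$iface" -p udp -d "$addr" --dport 5353 -j DROP
}

# mdns_rules IFACE UID...: apply (or print) the IPv4 and IPv6 rule sets.
mdns_rules() {
    iface="$1"; shift
    build_chain "$IPT"  "$MDNS4" "$iface" "$@"
    build_chain "$IP6T" "$MDNS6" "$iface" "$@"
}

# Dry-run demonstration: mdnsd (UID 1020, as reported in the thread) and a
# constructed app UID 10123 on wlan0.
mdns_rules wlan0 1020 10123
```

The rules go into their own chain that is re-created on every run, so the script can be re-applied after AFWall rewrites its rules without accumulating duplicates. Because the DROP for non-permitted UIDs sits ahead of AFWall's own chains, those packets never reach the logging rule that produces the toasts, which is the behaviour several commenters above were asking for.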