WSD and Bonjour service block

Started by fox983, September 28, 2023, 04:42:05 PM

Previous topic - Next topic
Print
Go Down Pages1 2
User actions
September 28, 2023, 04:42:05 PM
Hi all!
I need to block printer discovery from VLAN to LAN. I've set a rule that blocks all traffic from VLAN5 net to LAN net that is working. But if I try to add a printer using wizard in Win10 PC from VLAN5, it shows a printer in LAN and I can print.
How can I do?
Thanks in advance!
September 28, 2023, 05:09:08 PM #1
Try to block from any to any UDP port 5353 in on VLAN5.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
September 29, 2023, 07:03:20 PM #2
Same problem, printer is still there
September 29, 2023, 08:25:22 PM #3
Please show the list of all rules on VLAN5.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
September 30, 2023, 06:23:53 PM #4
1.
Action: Block
Interface: VLAN5
Direction: in
TCP/IP version: IPv4+6
Protocol: any
Source: VLAN5 net
Destination: LAN net

2.
Action: Pass
Interface: VLAN5
Direction: in
TCP/IP version: IPv4+6
Protocol: any
Source: VLAN5 net
Destination: any
September 30, 2023, 06:32:04 PM #5
The mdns responder that "Patrick M. Hausen" is referring to runs on the VLAN5 interface itself. Your first block rule blocks traffic towards LAN segment, not the firewall interface in VLAN5 where the service is running (which you allow in the second rule). Add a rule between the two you have with source VLAN5 network and destination VLAN5 interface port 5353.
September 30, 2023, 07:07:58 PM #6
You need to block with destination any, because mDNS does not have destination LAN net.

I wrote what exactly to block in my last post.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 02, 2023, 02:25:15 PM #7
Added between them or as first rule, same problem.

1.
Action: Block
Interface: VLAN5
Direction: in
TCP/IP version: IPv4+6
Protocol: UDP
Source: any
Destination: any
Destination port range: 5353 - 5353
October 02, 2023, 02:59:00 PM #8 Last Edit: October 02, 2023, 03:13:23 PM by fox983
Packet capture:
IPv4, length 76: 192.168.110.116.5353 > 224.0.0.251.5353: UDP, length 34


Live view:
action: [pass]
dir: [out]
dst: 192.168.110.116
dstport: 5353
interface_name: VLAN5
ipversion: 4
label: let out anything from firewall host itself
protoname: udp
reason: match
src: 192.168.199.76
srcport: 5353


This is probably the reason why it doesn't apply the rule from my previous post, because a pass rule is already set among the "Automatically generated rules". How can I block it?
October 02, 2023, 03:50:46 PM #9
Are you running the UDP broadcast relay or the mDNS repeater on that VLAN5 interface?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 02, 2023, 04:42:24 PM #10
None of them, they are not installed...
October 02, 2023, 04:56:53 PM #11
Quote from: Patrick M. Hausen on September 30, 2023, 07:07:58 PM
You need to block with destination any, because mDNS does not have destination LAN net.

I'm sorry for the confusion, assumed OP was running a mdns responder, either way "my" rule would never match....

But, printer discovery is in most cases broadcast or mdns (multicast) based, the former will never leave the subnet, for the latter you need to have some multicast routing in place. So it's weird you see the printer in the first place, and even if you did magicly discovered it, actually printing to it would match the VLAN to LAN block rule.
October 03, 2023, 12:00:53 PM #12
But this could not be the default behavior... How can I block it?
October 03, 2023, 12:29:01 PM #13
Disable mDNS Repeater on the VLAN5 interface.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 03, 2023, 02:21:53 PM #14
mDNS repeater is not installed.
Print
Go Up Pages1 2
User actions