christgau / wsdd

A Web Service Discovery host daemon.
MIT License

Requests from the neighboring subnet are blocked with firewall. #72

Closed Izorkin closed 3 years ago

Izorkin commented 3 years ago

Requests from the neighboring subnet are blocked with firewall.

Firewall configuration:

Chain SAMBA-WSDD (1 references)
target     prot opt source               destination
ACCEPT     udp  --  192.168.10.0/22     0.0.0.0/0            state NEW udp dpt:3702
ACCEPT     udp  --  192.168.10.0/22     0.0.0.0/0            state NEW udp spt:3702
ACCEPT     udp  --  192.168.11.0/24     0.0.0.0/0            state NEW udp dpt:3702
ACCEPT     udp  --  192.168.11.0/24     0.0.0.0/0            state NEW udp spt:3702
ACCEPT     tcp  --  192.168.10.0/22     0.0.0.0/0            state NEW tcp dpt:5357
ACCEPT     tcp  --  192.168.10.0/22     0.0.0.0/0            state NEW tcp spt:5357
ACCEPT     tcp  --  192.168.11.0/24     0.0.0.0/0            state NEW tcp dpt:5357
ACCEPT     tcp  --  192.168.11.0/24     0.0.0.0/0            state NEW tcp spt:5357
ACCEPT     2    --  0.0.0.0/0            239.255.255.250      state NEW PKTTYPE = multicast
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Firewall log:

refused connection: IN=eno1 OUT= MAC=00:1e:... SRC=192.168.11.211 DST=192.168.10.100 LEN=1275 TOS=0x00 PREC=0x00 TTL=63 ID=15733 DF PROTO=UDP SPT=2142 DPT=52855 LEN=1255
refused connection: IN=eno1 OUT= MAC=00:1e:... SRC=192.168.11.225 DST=192.168.10.100 LEN=1275 TOS=0x00 PREC=0x00 TTL=63 ID=53158 DF PROTO=UDP SPT=60788 DPT=52855 LEN=1255
refused connection: IN=eno1 OUT= MAC=00:1e:... SRC=192.168.11.211 DST=192.168.10.100 LEN=1275 TOS=0x00 PREC=0x00 TTL=63 ID=15885 DF PROTO=UDP SPT=2142 DPT=52855 LEN=1255
refused connection: IN=eno1 OUT= MAC=00:1e:... SRC=192.168.11.225 DST=192.168.10.100 LEN=1275 TOS=0x00 PREC=0x00 TTL=63 ID=53170 DF PROTO=UDP SPT=60788 DPT=52855 LEN=1255

Opened ports on computers:

PC01
udp   UNCONN 0      0      239.255.255.250:3702       0.0.0.0:*    users:((".wsdd-wrapped",pid=33058,fd=6))
udp   UNCONN 0      0              0.0.0.0:52855      0.0.0.0:*    users:((".wsdd-wrapped",pid=33058,fd=7))
tcp   LISTEN 0      0      192.168.10.100:5357       0.0.0.0:*    users:((".wsdd-wrapped",pid=33058,fd=8))
PC02
udp   UNCONN 0      0      239.255.255.250:3702       0.0.0.0:*    users:((".wsdd-wrapped",pid=20885,fd=6))
udp   UNCONN 0      0              0.0.0.0:2142       0.0.0.0:*    users:((".wsdd-wrapped",pid=20885,fd=7))
tcp   LISTEN 0      0      192.168.11.211:5357       0.0.0.0:*    users:((".wsdd-wrapped",pid=20885,fd=8))
PC03
udp   UNCONN 0      0      239.255.255.250:3702       0.0.0.0:*    users:(("python3",pid=15259,fd=6))
udp   UNCONN 0      0              0.0.0.0:60788      0.0.0.0:*    users:(("python3",pid=15259,fd=7))
tcp   LISTEN 0      5      192.168.11.225:5357       0.0.0.0:*    users:(("python3",pid=15259,fd=8))

Network scheme:

LAN1 - 192.168.10.0/24 -  PC01 192.168.10.100

LAN2 - 192.168.11.0/24 -  PC02 192.168.11.211
                        \
                         - PC03 192.168.11.225

WSDD creates a random UDP port on each computer and sends requests to a random UDP port of the neighboring SSDP service. As a result, it is impossible to create a working firewall rule. If all UDP traffic from the 192.168.11.0/24 subnet is allowed, then WSDD works.

christgau commented 3 years ago

You made a valid point. A bind call is missing for the sending socket. I'll fix that...

christgau commented 3 years ago

It turned out that a call to bind wasn't missing; rather, messages need to be sent via the correct one of the two sockets that are created internally. This is what the latest commit does. I tested it on Linux and FreeBSD. The outgoing replies for multicast requests now originate from the local UDP port 3702, as described in https://docs.microsoft.com/en-us/windows/win32/wsdapi/discovery-and-metadata-exchange-message-patterns. If there is still something wrong, please let me know.
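The source-port effect behind this issue, reproduced on loopback as an added example (not wsdd's own code): a responder bound to 3702 answers either from that socket (the fix) or from a second, unbound socket (the reported behaviour), and a small model of the SAMBA-WSDD chain shows which reply a `spt:3702`/`dpt:3702` rule would accept. Unicast on 127.0.0.1 stands in for the multicast probe; the port numbers fed to the rule check are the ones from the firewall log above.

```python
import socket

WSD_PORT = 3702  # WS-Discovery port wsdd listens on and the chain above allows

def wsdd_chain_accepts(spt: int, dpt: int) -> bool:
    """Model of the SAMBA-WSDD chain for a UDP packet from 192.168.11.0/24:
    only packets whose source or destination port is 3702 are accepted."""
    return spt == WSD_PORT or dpt == WSD_PORT

def simulate_reply(reply_via_listener: bool,
                   listen_port: int = WSD_PORT) -> tuple[int, int, int]:
    """Tiny responder + client on loopback. Returns
    (responder listen port, reply source port, reply destination port)."""
    responder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    responder.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        responder.bind(("127.0.0.1", listen_port))
    except OSError:  # 3702 busy on this host: any fixed port shows the effect
        responder.bind(("127.0.0.1", 0))
    listen_port = responder.getsockname()[1]

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind(("127.0.0.1", 0))  # peer side: an ephemeral port, like 52855
    responder.settimeout(2.0)
    client.settimeout(2.0)
    client.sendto(b"Probe", ("127.0.0.1", listen_port))
    _, peer = responder.recvfrom(1024)  # peer == ("127.0.0.1", client port)

    extra = None
    if reply_via_listener:
        # Fixed behaviour: answer from the socket that is bound to 3702.
        responder.sendto(b"ProbeMatch", peer)
    else:
        # Reported behaviour: a second, unbound socket; the kernel picks an
        # ephemeral source port (2142, 60788 and 52855 in the report).
        extra = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        extra.sendto(b"ProbeMatch", peer)
    _, (_, reply_spt) = client.recvfrom(1024)

    for s in (responder, client, extra):
        if s is not None:
            s.close()
    return listen_port, reply_spt, peer[1]

if __name__ == "__main__":
    for fixed in (False, True):
        lp, spt, dpt = simulate_reply(fixed)
        print(f"fixed={fixed}: reply spt={spt} dpt={dpt} "
              f"accepted={wsdd_chain_accepts(spt, dpt)}")
```

With the fix applied, the reply's source port equals the listener's port, so the existing `udp spt:3702` rule matches; the unbound-socket path yields an ephemeral source port that matches neither rule, which is exactly what the `refused connection` log lines record.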