Purism 9 to 10: avahi-browse sees nothing, mDNS names do not resolve

Hey all

I upgraded from 9 to 10 and everything except mDNS is working.
Firewall shows my laptop is wide open (iptables and ufw).
Any .local lookup fails.
And avahi-browse -a doesn’t return anything. Even after purging the avahi-daemon and re-installing it.
Oddly enough, tcpdump on the laptop shows mdns broadcasts from other machines.

Anyone have any pointers?

firewalld / change zone as by default you are in public
note firewalld does not use iptables.
also, have you added an mdns record in nsswitch.conf?


I don’t know but what’s in

/etc/avahi/avahi-daemon.conf

and what does

sudo netstat -anup | grep 5353

give?

What does

resolvectl status

give?

You may/will note from the last command that configuration is per-interface as well as global (if you have multiple network interfaces e.g. wired and wireless or e.g. multiple wired).

To be honest, I disable mDNS (and can resolve local DNS names via my local DNS server, but that won’t be for everyone).

I stuck with avahi because I’m using a chromecast and I’ve got two networks, one guest and one regular

my NAS is reachable on both networks, so having the same hostname resolve on each network is very handy

avahi-daemon.conf

$ grep -vE '^(#|$)' avahi-daemon.conf 
[server]
use-ipv4=yes
use-ipv6=yes
ratelimit-interval-usec=1000000
ratelimit-burst=1000
[wide-area]
enable-wide-area=yes
[publish]
publish-hinfo=no
publish-workstation=no
[reflector]
[rlimits]

netstat

$ sudo netstat -anup | grep 5353 
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           4448/avahi-daemon:  
udp6       0      0 :::5353                 :::*                                4448/avahi-daemon:  

nsswitch.conf

$ grep -vE '^(#|$)' ../nsswitch.conf 
passwd:         files systemd
group:          files systemd
shadow:         files
gshadow:        files
hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

resolver

$ resolvectl status
Failed to get global data: Unit dbus-org.freedesktop.resolve1.service not found.
$ resolvectl -i wlp1s0 status
Failed to get global data: Unit dbus-org.freedesktop.resolve1.service not found.
$ cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 192.168.100.1

firewalld was erroring, though strangely it was due to iptables and docker… I’ve uninstalled docker, just to simplify networking while debugging this… so these errors do not appear any longer

Mar 07 15:57:05 HOST firewalld[758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 07 15:57:05 HOST firewalld[758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 07 15:57:05 HOST firewalld[758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 07 15:57:05 HOST firewalld[758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables v1.8.7 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain DOCKER
Mar 07 15:57:05 HOST firewalld[758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables v1.8.7 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain DOCKER-ISOLATION-STAGE-1
Mar 07 15:57:05 HOST firewalld[758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Mar 07 15:57:05 HOST firewalld[758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Mar 07 15:57:05 HOST firewalld[758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 07 15:57:06 HOST firewalld[758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
-- Boot a435a7e5b1ab43bb906e7c4443e25a2c --
Mar 08 17:14:51 HOST systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 08 17:14:51 HOST systemd[1]: Started firewalld - dynamic firewall daemon.

nsswitch.conf

mdns configs were added when I installed avahi-daemon

$ grep -vE '^(#|$)' ../nsswitch.conf 
passwd:         files systemd
group:          files systemd
shadow:         files
gshadow:        files
hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

Sorry, my bad. That works on Ubuntu but for some reason does not work on Debian. I guess PureOS is sticking with Debian in that regard.

So is the laptop multi-homed and/or what interfaces are allow/deny in avahi-daemon.conf ?

allow/deny interfaces for avahi-daemon are commented out, so I assume that means it’s using the default, which is permit all?

# grep interface /etc/avahi/avahi-daemon.conf
#allow-interfaces=eth0
#deny-interfaces=eth1

Is that .conf file specifying host-name? Are there any weird (invalid for DNS) characters in the explicit or implicit host name?

(I had underscore characters in some of my host names and that worked fine for years and then suddenly that started generating boot time complaints. This doesn’t directly relate to mDNS. As I said, I have intentionally made mDNS not working. The point is to illustrate a potential point of failure.)

You know what they say about “assume”. The documentation is not crystal clear but it suggests that the default could be “all minus loopback minus point-to-point”.

The default .conf file is not consistent with normal Linux standards then because usually the default setting is shown commented out.

You didn’t say whether the laptop has multiple interfaces but perhaps it wouldn’t hurt to specify allow-interfaces explicitly as the one or more interfaces that you want to use. Note also the comments about add-service-cookie and the implications thereof if a single host has more than one interface on the same subnet.

My laptop isn’t using multiple interfaces. I switch between networks. The NAS is available on both networks. Therefore it’s handy to be able to rely on zeroconf, in my configs (ie automounting), and hardcode a hostname rather than IP.

No host-name specified in the conf. The hostname itself is ascii alpha chars only.

You know what they say about “assume”

I agree, not terribly clear in the man pages. The allow-interfaces option isn’t set, I would’ve thought lo would be ignored. But avahi-daemon picks up lo and my wifi device, according to logs.

I tried setting the allow-interfaces to various values.
After each config file change, I tried to ping HOST.local from a remote machine; it never resolved.

Commented out, shipped default

# allow-interfaces =

# check the local machines hostname
$ avahi-resolve-host-name HOST.local
HOST.local    ::1
$ avahi-resolve-host-name REMOTE.local
Failed to resolve host name 'REMOTE.local': Timeout reached

Set to just the wifi if

allow-interfaces = wlp1s0

# check the local machines hostname
$ avahi-resolve-host-name HOST.local
Failed to resolve host name 'HOST.local': Timeout reached
$ avahi-resolve-host-name REMOTE.local
Failed to resolve host name 'REMOTE.local': Timeout reached

Set to wifi and lo if

allow-interfaces = wlp1s0,lo

# check the local machines hostname
$ avahi-resolve-host-name HOST.local
HOST.local    127.0.0.1
$ avahi-resolve-host-name REMOTE.local
Failed to resolve host name 'REMOTE.local': Timeout reached

I found the issue…
During the upgrade firewalld was installed …
Sooo, iptables reported permit all across the board, but netfilter was preventing packets
Once I enabled mdns firewalld service and port 5000/tcp I could cast again

All you need to do is to set the network zone to home, as it’s public by default which prevents mDNS from working. In fact, the first answer in this thread already pointed to that.

ZOMG
Completely thrown off by this change in network filtering …
Even with firewalld running, I could see packets coming from the chromecast over the wireless network, using tcpdump. That suggested to me that a firewall couldn’t be blocking the packets. Grumble.

Well, with tcpdump there is a problem: it hooks on the raw interface, so you can see even blocked packets there.

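The three checks this thread went through (the mdns module in nsswitch.conf, allow-interfaces in avahi-daemon.conf, and the firewalld zone bound to the wireless interface) collapsed into one added diagnostic script. This is example code written for this page, not from the thread, Purism, avahi or firewalld; it parses a hosts: line, the [server] section of avahi-daemon.conf and the text that firewall-cmd --list-all prints, and reports what would stop .local names resolving on a given interface. The sample inputs are constructed; only the interface name wlp1s0 and the 5000/tcp port are taken from the thread. The firewalld finding also records the tcpdump caveat from the last reply: a capture taken at the raw interface shows frames before netfilter's INPUT hook drops them, so seeing mDNS replies in tcpdump does not prove the firewall lets them reach avahi-daemon.

```python
"""Added diagnostic (not from the thread): report what blocks mDNS on one
interface, given nsswitch.conf, avahi-daemon.conf and firewalld zone text.
Every sample input below is constructed for the example."""
from typing import Optional

# --- constructed sample inputs ------------------------------------------
HOSTS_LINE_OK = "hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname"
HOSTS_LINE_NO_MDNS = "hosts:          files dns myhostname"

AVAHI_CONF_WIFI = "[server]\nuse-ipv4=yes\nallow-interfaces=wlp1s0,lo\n[wide-area]\nenable-wide-area=yes\n"
AVAHI_CONF_LO_ONLY = "[server]\nallow-interfaces=lo\n"

# Shape of `firewall-cmd --list-all` output; zone contents are constructed.
FW_PUBLIC = """public (active)
  target: default
  interfaces: wlp1s0
  sources:
  services: dhcpv6-client ssh
  ports:
"""
FW_HOME = """home (active)
  target: default
  interfaces: wlp1s0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 5000/tcp
"""


def nsswitch_has_mdns(hosts_line: str) -> bool:
    """True if the 'hosts:' line consults an mdns NSS module (mdns4_minimal,
    mdns, ...) before falling through to dns, as the avahi package sets it up."""
    if not hosts_line.strip().startswith("hosts:"):
        return False
    sources = hosts_line.split(":", 1)[1].split()
    modules = [s for s in sources if not s.startswith("[")]  # drop [NOTFOUND=return]
    mdns_pos = [i for i, m in enumerate(modules) if m.startswith("mdns")]
    if not mdns_pos:
        return False
    dns_pos = [i for i, m in enumerate(modules) if m == "dns"]
    return not dns_pos or mdns_pos[0] < dns_pos[0]


def avahi_allow_interfaces(conf_text: str) -> Optional[list]:
    """Return the allow-interfaces list from [server], or None when the key is
    absent or commented out (avahi's built-in default then applies)."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "server" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "allow-interfaces":
                return [i.strip() for i in value.split(",") if i.strip()]
    return None


def parse_firewalld_zone(list_all: str) -> dict:
    """Parse `firewall-cmd --list-all` text: zone name from the first line,
    each 'key: a b c' line into a list of tokens."""
    lines = list_all.strip().splitlines()
    zone = {"name": lines[0].split()[0], "active": "(active)" in lines[0]}
    for line in lines[1:]:
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        zone[key.strip()] = value.split()
    return zone


def diagnose(hosts_line: str, avahi_conf: str, fw_list_all: str, iface: str) -> list:
    """Return human-readable findings; an empty list means nothing found."""
    findings = []
    if not nsswitch_has_mdns(hosts_line):
        findings.append("nsswitch: no mdns module before dns on the hosts line; "
                        ".local lookups go to unicast DNS only")
    allowed = avahi_allow_interfaces(avahi_conf)
    if allowed is not None and iface not in allowed:
        findings.append(f"avahi: allow-interfaces={','.join(allowed)} excludes {iface}; "
                        "only names reachable on the listed interfaces resolve")
    zone = parse_firewalld_zone(fw_list_all)
    if iface in zone.get("interfaces", []):
        if "mdns" not in zone.get("services", []) and "5353/udp" not in zone.get("ports", []):
            # Dropped in netfilter's INPUT hook: tcpdump (raw interface) still shows
            # the replies, but avahi-daemon never receives them.
            findings.append(f"firewalld: zone '{zone['name']}' on {iface} does not allow "
                            "the mdns service (udp/5353); replies are dropped before avahi")
    return findings


if __name__ == "__main__":
    for label, fw in (("public zone", FW_PUBLIC), ("home zone", FW_HOME)):
        print(label, diagnose(HOSTS_LINE_OK, AVAHI_CONF_WIFI, fw, "wlp1s0") or ["ok"])
```

On a live system the inputs come from /etc/nsswitch.conf, /etc/avahi/avahi-daemon.conf and the output of firewall-cmd --list-all (or --list-all --zone=home after the change the thread settled on); the ordering of the findings follows the order in which the thread ruled each cause out.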

I had the same problem for using my network printer and scanner.
Since firewall-cmd cannot bind connections to zones but interfaces to zones, I installed Firewall Configuration from PureOS store (firewall-config if from command line), so that I can choose which WiFi connections are in public or home zone.
It was simple: I set Configuration as Permanent, I changed zone of my WiFi connection to home, from Options menu I clicked Reload Firewalld.
