Bug #11944

Gobby in Stretch generates UDP:137 broadcasts on the LAN

Added by anonym about 3 years ago. Updated almost 3 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version:
Start date: 11/17/2016
Due date:
% Done: 100%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

Note: UDP on port 137 is "NETBIOS Name Service".

These tests:

cucumber features/tor_stream_isolation.feature:33 # Scenario: Gobby is using the default SocksPort
cucumber features/tor_stream_isolation.feature:52 # Scenario: Explicitly torify-wrapped applications are using the default SocksPort
cucumber features/tor_stream_isolation.feature:59 # Scenario: Explicitly torsocks-wrapped applications are using the default SocksPort

fail with something like this:
      Unexpected connections were made:
        #<OpenStruct mac_saddr="50:54:00:34:0d:63", mac_daddr="ff:ff:ff:ff:ff:ff", protocol="udp", saddr="10.2.1.103", daddr="10.2.1.255", sport=33601, dport=137>
        #<OpenStruct mac_saddr="50:54:00:34:0d:63", mac_daddr="ff:ff:ff:ff:ff:ff", protocol="udp", saddr="10.2.1.103", daddr="10.2.1.255", sport=37802, dport=137>
        #<OpenStruct mac_saddr="50:54:00:34:0d:63", mac_daddr="ff:ff:ff:ff:ff:ff", protocol="udp", saddr="10.2.1.103", daddr="10.2.1.255", sport=36172, dport=137>
        #<OpenStruct mac_saddr="50:54:00:34:0d:63", mac_daddr="ff:ff:ff:ff:ff:ff", protocol="udp", saddr="10.2.1.103", daddr="10.2.1.255", sport=42208, dport=137>
        #<OpenStruct mac_saddr="50:54:00:34:0d:63", mac_daddr="ff:ff:ff:ff:ff:ff", protocol="udp", saddr="10.2.1.103", daddr="10.2.1.255", sport=46939, dport=137>
        #<OpenStruct mac_saddr="50:54:00:34:0d:63", mac_daddr="ff:ff:ff:ff:ff:ff", protocol="udp", saddr="10.2.1.103", daddr="10.2.1.255", sport=54338, dport=137>.
[...]

Associated revisions

Revision b1099c14 (diff)
Added by intrigeri almost 3 years ago

Firewall: reject packets sent on the LAN to the NetBIOS name service.

This is about https://en.wikipedia.org/wiki/NetBIOS#Name_service, that allows
registering and looking up names on a LAN. Best case, it gives a very nice UX
for service discovery on the LAN (in this case: connecting to a local Gobby
server), which can be super cool for teams working from a single location.
Worst case, it leaks things like the hostname on the LAN.

We've never made any serious attempt at supporting zeroconf and
friends (although Tails Server might be a game changer), so for now let's
explicitly drop these packets. The only practical problem I can think of that
it might cause is making discovery of some network printers harder. That's not
worth the risk of announcing our hostname, or worse, though.

Closes: #11944

History

#1 Updated by intrigeri almost 3 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Type of work changed from Research to Code

Jessie has gobby 0.5.0-4, Stretch has 0.5.0-8. I see nothing in its debian/changelog that could explain this. Its backend libraries (libinfinity-0.6-0 and libinfgtk3-0.6-0) have only been rebuilt without any source change. libavahi-client3 and libavahi-common3 were upgraded (0.6.31-5 to 0.6.32-1) though. I guess that's where the change comes from.

This is about https://en.wikipedia.org/wiki/NetBIOS#Name_service, that allows registering and looking up names on a LAN. Best case, it gives a very nice UX for service discovery on the LAN (in this case: connecting to a local Gobby server), which can be super cool for teams working from a single location. Worst case, it leaks things like the hostname on the LAN. We've never made any serious attempt at supporting zeroconf and friends, so for now I'm going to explicitly drop datagrams sent to UDP:137 on the LAN. The only practical problem it might cause is making discovery of some network printers harder. Whatever, that's not worth the risk of announcing our hostname, or worse.
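As an added example (not part of this ticket or of the Tails test suite), the check behind the "Unexpected connections were made" failure in the description, reduced to the NetBIOS case: given a capture of OpenStruct records shaped like the ones above, flag the UDP:137 datagrams addressed to the LAN. The LAN prefix, the non-NBNS records and their addresses are constructed.

```ruby
require 'ostruct'
require 'ipaddr'

# Added example, not Tails code: classify captured datagrams so that
# NetBIOS name-service (NBNS) traffic sent on the LAN stands out.
NBNS_PORT = 137
ETH_BROADCAST = 'ff:ff:ff:ff:ff:ff'

# True when the record is a UDP datagram to port 137 addressed to the LAN:
# Ethernet broadcast, the subnet broadcast address, or any host in lan_cidr.
def nbns_on_lan?(pkt, lan_cidr)
  return false unless pkt.protocol == 'udp' && pkt.dport == NBNS_PORT

  lan = IPAddr.new(lan_cidr)
  pkt.mac_daddr == ETH_BROADCAST || lan.include?(IPAddr.new(pkt.daddr))
end

# Split a capture into [nbns_leaks, everything_else] so a test or a log
# review can report just the offending datagrams.
def nbns_leaks(packets, lan_cidr)
  packets.partition { |p| nbns_on_lan?(p, lan_cidr) }
end

# Constructed sample, shaped like the OpenStruct records in the bug report.
SAMPLE = [
  # The leak from the report: UDP:137 to the subnet broadcast address.
  OpenStruct.new(mac_saddr: '50:54:00:34:0d:63', mac_daddr: ETH_BROADCAST,
                 protocol: 'udp', saddr: '10.2.1.103', daddr: '10.2.1.255',
                 sport: 33601, dport: 137),
  # Constructed: an outbound TCP connection via the gateway, not NBNS.
  OpenStruct.new(mac_saddr: '50:54:00:34:0d:63', mac_daddr: '52:54:00:00:00:01',
                 protocol: 'tcp', saddr: '10.2.1.103', daddr: '198.51.100.7',
                 sport: 40000, dport: 443),
  # Constructed: UDP:137 to an off-LAN address; not the LAN leak this
  # check is about (Tails' firewall handles non-Tor traffic separately).
  OpenStruct.new(mac_saddr: '50:54:00:34:0d:63', mac_daddr: '52:54:00:00:00:01',
                 protocol: 'udp', saddr: '10.2.1.103', daddr: '192.0.2.10',
                 sport: 41000, dport: 137)
].freeze

if __FILE__ == $PROGRAM_NAME
  leaks, _rest = nbns_leaks(SAMPLE, '10.2.1.0/24')
  leaks.each { |p| puts "NBNS on LAN: #{p.saddr}:#{p.sport} -> #{p.daddr}:#{p.dport}" }
end
```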

#2 Updated by intrigeri almost 3 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 10 to 100
