Zeroconf on OpenSUSE

April 16th, 2016

I have been struggling with my home network for a long time, and I do not mean setting up the router; that's easy. What I was struggling with is using names for machines. Of course you can set names in the router, but is that really what we want? In times of dynamic networks, where devices come and go, only a small subset of them is there to stay. So I have been binding IP addresses to MAC addresses at the router level to ensure all computers can access the printer or backup… How antiquated is that?

Welcome to the age of zero-configuration networking (zeroconf). Zeroconf provides a set of protocols that allow configuration-less discovery of the network. Well, almost configuration-less: we still need to set up each computer. Although zeroconf also specifies automatic IP address assignment, I think it's almost pointless when we get access to the internet everywhere, with a dynamic IP address provided by DHCP.

What exactly does zeroconf give us? For me it means no need for local DNS: all computers with properly configured zeroconf will be visible to each other. This also means there is no more need to set up static addresses, as the names are automatically recognized in the system. So we can skip hard-coding an IP for the printer; yes, many networked devices are already zeroconf-enabled and should be visible by default.

All the commands should be executed from konsole; you can start it quickly by pressing ALT+F2 and typing konsole followed by <ENTER>. Before we start anything we need to become the root user; depending on your system configuration you might use sudo -s or su - to enter administrative mode.

The most important step in zeroconf is configuring our computer name. This is a one-time setup, and from this point on, wherever we go, our computer will have the same easy-to-use name. Using the console we need to set the system name and update one file:

hostname mpapis-linux
hostname > /etc/hostname

With the system named properly we need to restart the zeroconf service to use the new name; on OpenSUSE it is avahi-daemon and can be restarted with:

systemctl restart avahi-daemon

That should be it! Let's test our configuration; for that we need to install and use an extra tool:

zypper in avahi-utils
avahi-browse -at

Unfortunately the output in most cases will be empty.

Let's do a quick course in security. OpenSUSE comes with SuSEFirewall2, which by default opens all traffic on internal interfaces and closes all traffic on external interfaces. Did anyone configure your interfaces to be internal? Let's drop it here: the default firewall has no integration with NetworkManager (NM), which is enabled by default on laptop setups. We will have to switch to another firewall that does integrate with NM: firewalld. This requires a few extra steps:

zypper    addrepo http://download.opensuse.org/repositories/security:/netfilter/openSUSE_Factory        security:netfilter
zypper    addrepo http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_Leap_42.1 devel:languages:python
zypper    refresh
zypper    remove  SuSEfirewall2
zypper    addlock SuSEfirewall2
zypper    install firewalld firewall-applet firewall-config
systemctl enable  firewalld
systemctl start   firewalld

The bad news is that now it's best to restart the system for all the changes to take effect… logging in again might be enough, but I haven't tested that.

After the system is up and running we can configure our firewall with firewall-config: open it, disable all services in the public zone, and enable mdns in the internal zone. The public zone is used as the default when no zone is set for a network connection, so we need to set the internal zone for the connections we trust.

Let's now configure the connections. First we get the list:

nmcli connection

For each of the connections we trust we execute this line (replace "connection name" with the name of the connection):

nmcli connection modify "connection name" connection.zone internal
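
The firewall-config and nmcli steps above can also be scripted with firewall-cmd. This is an added example, not part of the original post; the function names, the DRY_RUN switch and the script name in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): the firewall-config and nmcli
# steps as a script. Function names and DRY_RUN are assumptions of this example.

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# $1: space-separated services currently enabled in the public zone.
# Removes each of them, then allows mdns in the internal zone only.
configure_zones() {
    for svc in $1; do
        run firewall-cmd --permanent --zone=public --remove-service="$svc"
    done
    run firewall-cmd --permanent --zone=internal --add-service=mdns
    run firewall-cmd --reload
}

# Bind every trusted connection named in the arguments to the internal zone.
trust_connections() {
    for name in "$@"; do
        run nmcli connection modify "$name" connection.zone internal
    done
}

# Usage (as root): sh zeroconf-zones.sh apply "connection name" ...
if [ "${1:-}" = apply ]; then
    shift
    configure_zones "$(firewall-cmd --permanent --zone=public --list-services)"
    trust_connections "$@"
    firewall-cmd --get-active-zones   # shows which zone each interface is in now
fi
```

Calling the functions with DRY_RUN=1 prints the commands without changing anything, which is a safe way to review what would be removed from the public zone.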

From now on, when we connect to one of the trusted networks our firewall will switch to the internal zone, and we should get access to our zeroconf autodetection:

avahi-browse -at

The output will now show all the devices in the network that support zeroconf. Some example output from my network:

+   eth0 IPv4 Brother DCP-J4110DW          Internet Printer     local
+   eth0 IPv4 mpapis-linux                 SSH Remote Terminal  local

That’s it, your computer will now use zeroconf when configured to (internal connections). Some extra commands that might be helpful:

avahi-browse -art

It will show the list of available services with all the available details, including the hostname for use in our configurations or communication. For example, I can now type:

ssh mpapis-linux.local

from any computer in my home and it just works!

Most of the presented steps are for the console, but they can also be executed from the graphical interface via YaST.
