How to Force avahi-daemon to Bind Only to localhost Instead of eth0 for Ports 5353/53791


When examining network services with netstat -nap, you might notice avahi-daemon binding to all interfaces (0.0.0.0) despite configuration attempts to restrict it to localhost. Here's what typically appears:

udp   0   0 0.0.0.0:53791   0.0.0.0:*   3145/avahi-daemon:
udp   0   0 0.0.0.0:5353    0.0.0.0:*   3145/avahi-daemon:

The common approach of modifying /etc/avahi/avahi-daemon.conf with interface restrictions often fails:

use-ipv4=yes
use-ipv6=no
allow-interfaces=lo
deny-interfaces=eth0

This configuration should theoretically work, but avahi-daemon sometimes ignores these directives for privileged ports.

Here are three effective methods to enforce localhost binding:

Method 1: Systemd Socket Modification

Create a drop-in directory for the avahi service:

sudo mkdir -p /etc/systemd/system/avahi-daemon.socket.d/

Create a custom socket configuration:

sudo tee /etc/systemd/system/avahi-daemon.socket.d/override.conf <<EOF
[Socket]
ListenDatagram=127.0.0.1:5353
ListenStream=127.0.0.1:5353
EOF

Then reload systemd and restart both units so the drop-in is picked up:

sudo systemctl daemon-reload
sudo systemctl stop avahi-daemon.service avahi-daemon.socket
sudo systemctl start avahi-daemon.socket avahi-daemon.service

Caveat: the packaged avahi-daemon.socket carries only the Unix-domain client socket (/run/avahi-daemon/socket), and avahi-daemon opens its mDNS sockets itself rather than inheriting network sockets from systemd. Check with ss -ulnp afterwards whether the daemon's own 5353 binding changed, or whether the override merely added an idle listener held by systemd.

Method 2: Firewall Rules

Use iptables to drop traffic for these ports that arrives on eth0, so only loopback clients can reach the daemon (a REDIRECT back to the same port would change nothing):

sudo iptables -A INPUT -i eth0 -p udp --dport 5353 -j DROP
sudo iptables -A INPUT -i eth0 -p udp --dport 53791 -j DROP

Two caveats: the second port is an ephemeral one that avahi picks when it starts, so that rule has to be updated after every restart; and rules added with -A do not survive a reboot unless saved with iptables-save or your distribution's iptables-persistent mechanism.

Method 3: Full Service Restriction

Override the daemon's command line:

sudo systemctl edit avahi-daemon.service

Add these directives (the empty ExecStart= clears the packaged command before the replacement is set):

[Service]
ExecStart=
# -s logs to syslog; -f names the config whose allow-interfaces=lo line
# restricts the interfaces. avahi-daemon has no per-interface command-line
# switches (there is no -i or -I), so interface selection stays in the
# config file. --no-drop-root and --no-chroot only disable the daemon's
# privilege drop and chroot and are not needed for this.
ExecStart=/usr/sbin/avahi-daemon -s -f /etc/avahi/avahi-daemon.conf

Then restart the service:

sudo systemctl restart avahi-daemon.service

After implementing any solution, verify with:

sudo netstat -tulnp | grep avahi
sudo ss -ulnp | grep avahi

The output should show binding only to 127.0.0.1. One caveat: avahi-daemon opens its mDNS socket on the wildcard address and enforces allow-interfaces by joining the multicast group 224.0.0.251 only on the allowed interfaces, so ss and netstat can keep listing 0.0.0.0:5353 even when the restriction is in effect. In that case check group membership with ip maddr show (eth0 should not list 224.0.0.251) rather than relying on the bound address alone.
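The verification above, as an added shell example that is not from the article: the first function classifies every avahi-daemon UDP socket in netstat -nap or ss -ulnp output as loopback, wildcard or interface-bound, and the second lists the interfaces that have joined 224.0.0.251 in ip maddr show output, which is the check that actually reflects allow-interfaces. The two avahi lines in the sample are the netstat output quoted at the top of the article; the chronyd line, the loopback ss line and the ip maddr samples are constructed.

```shell
#!/bin/sh
# Added example, not part of the article: verify where avahi-daemon really
# listens. avahi binds its UDP sockets to the wildcard address and enforces
# allow-interfaces through multicast group membership, so both views matter.

# The two avahi lines are the netstat -nap output quoted in the article; the
# chronyd line is constructed to show a non-avahi socket being skipped.
SAMPLE_NETSTAT='udp   0   0 0.0.0.0:53791   0.0.0.0:*   3145/avahi-daemon:
udp   0   0 0.0.0.0:5353    0.0.0.0:*   3145/avahi-daemon:
udp   0   0 127.0.0.1:323   0.0.0.0:*   600/chronyd'

# Constructed ss -ulnp line: what a loopback-bound avahi socket would look like.
SAMPLE_SS_LOOPBACK='UNCONN 0 0 127.0.0.1:5353 0.0.0.0:* users:(("avahi-daemon",pid=3145,fd=12))'

# Constructed ip maddr show output: only lo has joined the mDNS group.
SAMPLE_MADDR='1:  lo
    inet  224.0.0.1
    inet  224.0.0.251
2:  eth0
    link  01:00:5e:00:00:01
    inet  224.0.0.1
    inet6 ff02::1'

# Same, but eth0 has joined 224.0.0.251 too, i.e. avahi would answer on eth0.
SAMPLE_MADDR_LEAK="$SAMPLE_MADDR
    inet  224.0.0.251"

# Print "loopback PORT", "wildcard PORT" or "interface PORT" for every
# avahi-daemon socket in netstat -nap or ss -ulnp output ($1).
avahi_bindings() {
    printf '%s\n' "$1" | awk '
        /avahi-daemon/ {
            la = ""
            for (i = 1; i <= NF; i++)            # local address: first addr:NUMERICPORT field
                if ($i ~ /:[0-9]+$/) { la = $i; break }
            if (la == "") next
            n = match(la, /:[^:]*$/)             # split at the last colon (IPv6 has many)
            addr = substr(la, 1, n - 1); port = substr(la, n + 1)
            if (addr == "127.0.0.1" || addr == "[::1]")
                kind = "loopback"
            else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
                kind = "wildcard"
            else
                kind = "interface"
            print kind, port
        }'
}

# Print the interfaces that have joined 224.0.0.251, given ip maddr show output ($1).
mdns_group_members() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+:/ { iface = $2; next }           # "2:  eth0" opens a new interface block
        $1 == "inet" && $2 == "224.0.0.251" { print iface }'
}

# Exit 0 when lo is the only member of the mDNS group, 1 otherwise.
mdns_confined_to_loopback() {
    for ifc in $(mdns_group_members "$1"); do
        [ "$ifc" = "lo" ] || return 1
    done
    return 0
}

if [ "$1" = "--live" ]; then                      # read the real host
    avahi_bindings "$(ss -ulnp 2>/dev/null || netstat -nap 2>/dev/null)"
    mdns_confined_to_loopback "$(ip maddr show)" && echo "mDNS confined to lo" \
        || echo "mDNS group joined on a non-loopback interface"
else                                              # run over the embedded samples
    avahi_bindings "$SAMPLE_NETSTAT"
    mdns_confined_to_loopback "$SAMPLE_MADDR" && echo "mDNS confined to lo"
fi
```

Run it with --live to read the real command output on a host; without arguments it walks the embedded samples. The group-membership check is the one to trust: a wildcard socket with only lo in the group means the daemon ignores eth0, while eth0 in the group means it answers there whatever the bound address says.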


Avahi's default configuration tends to bind to all available network interfaces (0.0.0.0), which can be problematic for security-conscious deployments. Even when you specify allow-interfaces=lo and deny-interfaces=eth0 in /etc/avahi/avahi-daemon.conf, the service might still bind to physical interfaces.

Here's a more comprehensive configuration that should enforce localhost-only binding:

[server]
use-ipv4=yes
use-ipv6=no
allow-interfaces=lo
deny-interfaces=eth0,wlan0
enable-dbus=no
disable-user-service-publishing=yes
publish-addresses=no
publish-hinfo=no
publish-workstation=no
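An added shell check, not from the article, that reads the [server] section of an avahi-daemon.conf text and reports whether it holds the localhost-only settings above: allow-interfaces exactly lo and use-ipv6 set to no. Keys in other sections are ignored, as avahi's own parser ties each key to its section. The sample text is constructed; on a real host pass "$(cat /etc/avahi/avahi-daemon.conf)".

```shell
#!/bin/sh
# Added example, not part of the article: audit the [server] section of an
# avahi-daemon.conf for the localhost-only settings. Constructed sample below.
SAMPLE_CONF='[server]
# comment lines and other sections are ignored
use-ipv4=yes
use-ipv6=no
allow-interfaces=lo
deny-interfaces=eth0,wlan0
publish-addresses=no

[reflector]
enable-reflector=no'

# Print the value of key $2 in the [server] section of config text $1
# (last occurrence wins); print nothing if the key is not set there.
avahi_server_setting() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }                               # comment line
        /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect); next }  # section header
        sect == "[server]" && NF >= 2 {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $2; gsub(/[ \t]/, "", v); last = v }
        }
        END { if (last != "") print last }'
}

# Exit 0 when the config confines avahi to loopback; print each failing check.
avahi_conf_localhost_only() {
    conf=$1; ok=0
    [ "$(avahi_server_setting "$conf" allow-interfaces)" = "lo" ] \
        || { echo "allow-interfaces is not exactly lo"; ok=1; }
    [ "$(avahi_server_setting "$conf" use-ipv6)" = "no" ] \
        || { echo "use-ipv6 is not no"; ok=1; }
    return $ok
}

avahi_conf_localhost_only "$SAMPLE_CONF" && echo "config confines avahi to lo"
```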

Before relying on this file, check two things. enable-dbus=no switches off the D-Bus API that avahi-browse and most desktop clients use, and if avahi-daemon.service is Type=dbus (see systemctl cat avahi-daemon.service) systemd will wait for a bus name that never appears and eventually mark the unit failed; keep enable-dbus=yes on such systems. After editing the file, run sudo systemctl restart avahi-daemon.service so the new settings are read.

Sometimes the configuration file alone isn't sufficient. You may need to override the systemd unit:

sudo systemctl edit avahi-daemon.service

[Service]
ExecStart=
# Stay in the foreground under systemd (no --daemonize), log to syslog (-s)
# and read the config explicitly (-f). -r means --reload: it only signals
# an already-running daemon and exits, so it is not valid in ExecStart.
ExecStart=/usr/sbin/avahi-daemon -s -f /etc/avahi/avahi-daemon.conf

After making changes, verify the binding with:


sudo ss -tulnp | grep avahi
sudo lsof -i -P -n | grep avahi

As a fallback, you can use firewall rules to block external access:


sudo iptables -A INPUT -i eth0 -p udp --dport 5353 -j DROP
sudo iptables -A INPUT -i eth0 -p udp --dport 53791 -j DROP

If issues persist, stop the units and run the daemon in the foreground with debug logging (the option is --debug; avahi-daemon has no --verbose switch, and --no-drop-root/--no-chroot only weaken its sandbox without adding any output):

sudo systemctl stop avahi-daemon.socket avahi-daemon.service
sudo avahi-daemon --debug

Look for the "Joining mDNS multicast group on interface" lines, which name the interfaces the daemon actually uses. When finished, bring the units back with sudo systemctl start avahi-daemon.socket avahi-daemon.service.