I am trying to set up my Shorewall box to forward multicast packets to my local net. I do have some problems with mrouted (see below), but I can join and add routes using smcroute. Multicast works when Shorewall is disabled. I got a lot of help from the following:
http://lists.shorewall.net/pipermail/shorewall-users/2005-January/016674.html

I cannot get the multicast packets to pass the fw when Shorewall is enabled. I have tried a number of combinations, but no success. The multicast packets are dropped.
How can I specify that multicast packets should be forwarded to loc?

From rules (not working):
DNAT net loc:239.1.1.103
#ACCEPT net fw:239.1.1.103

Non-Shorewall problem following, included here for reference. (At least I tend to search the Shorewall archive for firewall-related problems even if Shorewall is not the problem.) Thanks Tom for the help you supply and of course for Shorewall.

mrouted will by default not forward requests from 'loc' to 'net'. If I configure the internal ifc in mrouted to 'passive', IGMP membership reports are forwarded. However, the source address is the private address 192.168.1.1 on the internal interface, so at least it is not my IP that becomes a member of the multicast group.

I plan to try zebra or any pimd-related multicast routing sw. I would prefer not to run a daemon for static routing, but as I understand it, this is not possible the way multicast works: there has to be dynamic routing. It is not possible to bridge just multicast and route unicast. Of course, the multicast dynamic routing could be built in to the kernel, but that would still be kind of a daemon.
A better alternative is to use a firewall bridge, but I cannot use that currently in my CD-based fw.

Why all this hassle? My ISP uses multicast to transmit a few TV channels that are not included in my cable "PC-TV". My wife wants something useful(?) from the setup.

root@fw:~ # shorewall version
2.0.6
root@fw:~ #

root@fw:~ # ip route show
255.255.255.255 dev eth1 scope link
83.227.190.128/25 dev eth0 proto kernel scope link src 83.227.190.245
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
224.0.0.0/4 dev eth1 scope link
default via 83.227.190.129 dev eth0
root@fw:~ # ip mroute show
(195.54.109.38, 239.1.1.103) Iif: eth0 Oifs: eth1
root@fw:~ #

Shorewall messages when I changed the default actions:
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=01:00:5e:01:01:67:00:d0:52:0b:3a:f9:08:00 SRC=195.54.109.38 DST=239.1.1.103 LEN=1412 TOS=0x10 PREC=0x80 TTL=52 ID=41142 PROTO=UDP SPT=1027 DPT=31858 LEN=1392
Shorewall:all2all:REJECT:IN=eth1 OUT= MAC= SRC=195.54.109.38 DST=239.1.1.103 LEN=1412 TOS=0x10 PREC=0x80 TTL=51 ID=41142 PROTO=UDP SPT=1027 DPT=31858 LEN=1392

-- 
Gerhard
To reply, remove the first nospam but not the second.
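The Shorewall log lines above are the quickest way to see which chain is blocking the stream. The following Python is an added example (not from the thread or from Shorewall) that parses such lines and reports blocked packets whose destination falls in 224.0.0.0/4, so you can tell a multicast drop from ordinary unwanted traffic; the sample lines are constructed, modelled on the two quoted messages plus one unicast drop with a documentation address.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the first two lines mirror the Shorewall messages in the
# thread, the third is a unicast drop (198.51.100.7 is a documentation address)
# so the filter has something to ignore.
SAMPLE_LOG = [
    "Shorewall:net2all:DROP:IN=eth0 OUT= MAC=01:00:5e:01:01:67:00:d0:52:0b:3a:f9:08:00 "
    "SRC=195.54.109.38 DST=239.1.1.103 LEN=1412 TOS=0x10 PREC=0x80 TTL=52 ID=41142 "
    "PROTO=UDP SPT=1027 DPT=31858 LEN=1392",
    "Shorewall:all2all:REJECT:IN=eth1 OUT= MAC= SRC=195.54.109.38 DST=239.1.1.103 "
    "LEN=1412 TOS=0x10 PREC=0x80 TTL=51 ID=41142 PROTO=UDP SPT=1027 DPT=31858 LEN=1392",
    "Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=198.51.100.7 DST=83.227.190.245 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=40000 DPT=23",
]

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by
# the usual netfilter key=value fields.
HEADER = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

def parse_line(line):
    """Split one Shorewall log line into a dict; None for non-Shorewall lines."""
    m = HEADER.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for token in m.group("rest").split():
        key, _, value = token.partition("=")  # "OUT=" and "MAC=" give empty values
        fields.setdefault(key, value)  # LEN appears twice; keep the IP total length
    return fields

def is_multicast_drop(fields):
    """True when a DROP/REJECT entry was addressed to a 224.0.0.0/4 group."""
    if fields is None or fields["disposition"] not in ("DROP", "REJECT"):
        return False
    try:
        dst = ipaddress.ip_address(fields.get("DST", ""))
    except ValueError:
        return False
    return dst in MULTICAST

def summarize(lines):
    """Count blocked multicast packets per (chain, disposition, ingress interface, group)."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if is_multicast_drop(f):
            counts[(f["chain"], f["disposition"], f["IN"], f["DST"])] += 1
    return counts

if __name__ == "__main__":
    for (chain, disp, iface, group), n in summarize(SAMPLE_LOG).items():
        print(f"{n} x {disp} in {chain}: group {group} arriving on {iface}")
```

A chain name such as net2all or all2all tells you which zone pair still lacks an ACCEPT for 224.0.0.0/4, which is what the rules suggested later in the thread supply.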
I remember having to delete 224.0.0.0/4(?) from /usr/share/shorewall/bogons (I mean editing it and placing it in /etc/shorewall of course :), but I don't see that prefix in 2.2.0-rc5 now. Maybe you could try an upgrade? I'm using multicast for OSPF (Quagga) and it works; I have not set up anything special for it to work.

Jan

Gerhard Olsson wrote:
> I am trying to set up my Shorewall box to forward multicast packets to
> my local net. I do have some problems with mrouted (see below), but I
> can join and add routes using smcroute. Multicast works when Shorewall
> is disabled. I got a lot of help from the following.
> http://lists.shorewall.net/pipermail/shorewall-users/2005-January/016674.html
>
> I cannot get the multicast packets to pass the fw when Shorewall is
> enabled. I have tried a number of combinations, but no success. The
> multicast packets are dropped.
> How can I specify that multicast packets should be forwarded to loc?
>
> From rules (not working):
> DNAT net loc:239.1.1.103
> #ACCEPT net fw:239.1.1.103
>
>
> Non-Shorewall problem following, included here for reference. (At
> least I tend to search the Shorewall archive for firewall-related problems
> even if Shorewall is not the problem.) Thanks Tom for the help you
> supply and of course for Shorewall.
>
> mrouted will by default not forward requests from 'loc' to 'net'. If I
> configure the internal ifc in mrouted to 'passive', IGMP membership
> reports are forwarded. However, the source address is the private
> address 192.168.1.1 on the internal interface, so at least it is not my IP
> that becomes a member of the multicast group.
>
> I plan to try zebra or any pimd-related multicast routing sw. I would
> prefer not to run a daemon for static routing, but as I understand it,
> this is not possible the way multicast works: there has to be dynamic
> routing. It is not possible to bridge just multicast and route
> unicast. Of course, the multicast dynamic routing could be built in to
> the kernel, but that would still be kind of a daemon.
> A better alternative is to use a firewall bridge, but I cannot
> use that currently in my CD-based fw.
>
> Why all this hassle? My ISP uses multicast to transmit a few TV
> channels that are not included in my cable "PC-TV". My wife wants
> something useful(?) from the setup.
>
> root@fw:~ # shorewall version
> 2.0.6
> root@fw:~ #
>
> root@fw:~ # ip route show
> 255.255.255.255 dev eth1 scope link
> 83.227.190.128/25 dev eth0 proto kernel scope link src 83.227.190.245
> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
> 224.0.0.0/4 dev eth1 scope link
> default via 83.227.190.129 dev eth0
> root@fw:~ # ip mroute show
> (195.54.109.38, 239.1.1.103) Iif: eth0 Oifs: eth1
> root@fw:~ #
>
> Shorewall messages when I changed the default actions:
> Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=01:00:5e:01:01:67:00:d0:52:0b:3a:f9:08:00 SRC=195.54.109.38
> DST=239.1.1.103 LEN=1412 TOS=0x10 PREC=0x80 TTL=52 ID=41142 PROTO=UDP
> SPT=1027 DPT=31858 LEN=1392
> Shorewall:all2all:REJECT:IN=eth1 OUT= MAC= SRC=195.54.109.38
> DST=239.1.1.103 LEN=1412 TOS=0x10 PREC=0x80 TTL=51 ID=41142 PROTO=UDP
> SPT=1027 DPT=31858 LEN=1392
>
Gerhard Olsson wrote:
> root@fw:~ #
>
> root@fw:~ # ip route show
> 255.255.255.255 dev eth1 scope link
> 83.227.190.128/25 dev eth0 proto kernel scope link src 83.227.190.245
> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
> 224.0.0.0/4 dev eth1 scope link
> default via 83.227.190.129 dev eth0
> root@fw:~ # ip mroute show
> (195.54.109.38, 239.1.1.103) Iif: eth0 Oifs: eth1
> root@fw:~ #
>
> Shorewall messages when I changed the default actions:
> Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=01:00:5e:01:01:67:00:d0:52:0b:3a:f9:08:00 SRC=195.54.109.38
> DST=239.1.1.103 LEN=1412 TOS=0x10 PREC=0x80 TTL=52 ID=41142 PROTO=UDP
> SPT=1027 DPT=31858 LEN=1392
> Shorewall:all2all:REJECT:IN=eth1 OUT= MAC= SRC=195.54.109.38
> DST=239.1.1.103 LEN=1412 TOS=0x10 PREC=0x80 TTL=51 ID=41142 PROTO=UDP
> SPT=1027 DPT=31858 LEN=1392
>

Please try:

ACCEPT net fw:224.0.0.0/4
ACCEPT net loc:224.0.0.0/4
ACCEPT fw loc:224.0.0.0/4

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Tue, 25 Jan 2005 15:51:15 -0800, Tom Eastep <teastep@shorewall.net> wrote:
> Please try:
>
> ACCEPT net fw:224.0.0.0/4
> ACCEPT net loc:224.0.0.0/4
> ACCEPT fw loc:224.0.0.0/4

Thanks Tom, this worked.

Non-Shorewall: quagga also used my private address on the 'net' interface. I will take this discussion somewhere else.

-- 
Gerhard
To reply, remove the first nospam but not the second.