Ok, got it. Here's what it took (and I was just misreading the Shorewall docs, as usual):
zones:
mc ipv4
hosts:
mc eth0:224.0.0.0/4 destonly
policy:
mc all REJECT INFO
all mc REJECT INFO
rules:
ACCEPT $FW mc udp 45564
ACCEPT loc $FW udp 45564
shorewall.conf:
MULTICAST=Yes
routing table:
be sure there's a route for net 224.0.0.0 netmask 240.0.0.0 dev eth0
As usual, get this working first before setting up Shorewall.
Easy. This was non-intuitive for me because in this case, the dest IP for
incoming packets is 228.0.0.4, not the IP address for eth0.
John
On Fri, Aug 1, 2008 at 1:50 PM, John Morris <johnnymo@gmail.com> wrote:
> Dear list,
>
> Our tomcat cluster is working on our DMZ, and we would like to protect the
> individual nodes with Shorewall.
>
> Tomcat clustering uses multicast on the LAN for nodes to advertise that they
> are running and to join a cluster. Here are two packets from two nodes at
> 192.168.200.11+17 captured by tcpdump:
>
> 19:53:00.695849 IP 192.168.200.11 > 224.0.0.22: igmp v3 report, 1 group record(s)
> 19:53:02.693806 IP 192.168.200.11.45564 > 228.0.0.4.45564: UDP, length 52
> 19:53:02.696124 IP 192.168.200.17.45564 > 228.0.0.4.45564: UDP, length 52
>
> The first type of packet is seemingly only transmitted for some time after
> tomcat is first started.
> The second type of packet is transmitted once a second from each node as
> long as the cluster is running.
>
> There's a MULTICAST switch for shorewall.conf and a destonly flag for the
> shorewall-hosts file. I understand these are for outgoing packets. What
> kind of configuration should there be to allow the above types of incoming
> packets?
>
> Thanks.
>
> John
>
>
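Added example (not part of the thread and not Shorewall's own code): a small Python model of the zones, hosts, rules and policy entries listed above, run over copies of the three tcpdump lines quoted in the original question. It shows the point John made about incoming packets: the received datagram is addressed to 228.0.0.4, yet for the firewall it is loc -> $FW traffic (matched by `ACCEPT loc $FW udp 45564`), while the same datagram sent by this node is $FW -> mc (matched by `ACCEPT $FW mc udp 45564`), because the mc zone is destonly and only ever appears as a destination. Assumptions not stated in the thread: the firewall runs on cluster node 192.168.200.11, the loc zone is 192.168.200.0/24, any other address is treated as "net", and only the listed rules and policy entries are evaluated (what MULTICAST=Yes changes in Shorewall itself is not modelled).

```python
import ipaddress
import re

# Constructed input: copies of the three tcpdump lines quoted in the thread.
CAPTURE = """\
19:53:00.695849 IP 192.168.200.11 > 224.0.0.22: igmp v3 report, 1 group record(s)
19:53:02.693806 IP 192.168.200.11.45564 > 228.0.0.4.45564: UDP, length 52
19:53:02.696124 IP 192.168.200.17.45564 > 228.0.0.4.45564: UDP, length 52
"""

# The mc zone as defined in the thread: hosts entry "mc eth0:224.0.0.0/4 destonly".
MC_NET = ipaddress.ip_network("224.0.0.0/4")
# Assumptions not stated in the thread: this firewall is cluster node .11 and
# the loc zone is the DMZ LAN 192.168.200.0/24.
FW_ADDR = ipaddress.ip_address("192.168.200.11")
LOC_NET = ipaddress.ip_network("192.168.200.0/24")

# The rules and policy entries from the thread: (action, source, dest, proto, dport)
# and (source, dest, action).
RULES = [
    ("ACCEPT", "$FW", "mc", "udp", 45564),
    ("ACCEPT", "loc", "$FW", "udp", 45564),
]
POLICY = [
    ("mc", "all", "REJECT"),
    ("all", "mc", "REJECT"),
]

# tcpdump prints "addr.port" for UDP and a bare address for IGMP.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<proto>\w+)"
)


def parse(line):
    """Pull addresses, destination port and protocol out of one tcpdump line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised tcpdump line: %r" % line)
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]) if m["dport"] else None,
        "proto": m["proto"].lower(),
    }


def zone_of(addr):
    """Zone membership of a non-firewall address, per the zones/hosts entries."""
    if addr in MC_NET:
        return "mc"
    if addr in LOC_NET:
        return "loc"
    return "net"  # assumption: everything else is the outside world


def zones_for(pkt):
    """Traffic delivered to a local process is $FW-bound whatever the IP header
    says, so a received packet addressed to 228.0.0.4 is loc->$FW, while the
    same datagram sent by this node is $FW->mc (mc is destonly, so it is only
    ever looked up as a destination)."""
    if pkt["src"] == FW_ADDR:
        return "$FW", zone_of(pkt["dst"])
    return zone_of(pkt["src"]), "$FW"


def verdict(pkt):
    """First matching rule wins, then the first matching policy entry;
    zone pairs the listed policy does not cover are reported as such."""
    src_zone, dst_zone = zones_for(pkt)
    for action, src, dst, proto, dport in RULES:
        if (src, dst, proto, dport) == (src_zone, dst_zone, pkt["proto"], pkt["dport"]):
            return src_zone, dst_zone, action
    for src, dst, action in POLICY:
        if src in ("all", src_zone) and dst in ("all", dst_zone):
            return src_zone, dst_zone, action
    return src_zone, dst_zone, "NO-LISTED-POLICY"


def evaluate_capture(text):
    """Return (source zone, dest zone, verdict) for every non-blank capture line."""
    return [verdict(parse(line)) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for line, (s, d, v) in zip(CAPTURE.splitlines(), evaluate_capture(CAPTURE)):
        print("%-17s %4s -> %-4s %s" % (v, s, d, line))
```

Running it shows the two UDP heartbeats accepted (one as $FW -> mc, one as loc -> $FW) and the IGMP report hitting the `all mc REJECT` policy under the listed rules alone; the IGMP case is exactly the kind of packet to watch for in the REJECT INFO log entries when checking that the cluster still forms after Shorewall is started.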