Hello,

I have a Dreamplug computer with 2 ethernet interfaces (eth0, eth1) and a wifi interface (uap0). I have it configured so that eth1 is the outbound interface (internet) and eth0 & uap0 are bridged to create a wired/wireless LAN (bridge is called wifi-dream). Anything connected to wifi-dream can also access the internet through eth1.

I am multicasting some video on the LAN but I would like this traffic to only be available on the wired part of the network (eth1) and not also the wifi part (uap0) as is currently the case.

This is my first experience with shorewall and I followed the instructions at http://blog.bertelsen.co/2011/06/setting-up-guruplug-as-router-with.html to get started. Can you help please?

Shorewall version: 4.4.11.6 on Linux debian 2.6.38.8 #7 PREEMPT Sat Jun 25 18:13:16 MDT 2011 armv5tel GNU/Linux

output from ip addr show:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether f0:ad:4e:00:b1:68 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f2ad:4eff:fe00:b168/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether f0:ad:4e:00:b1:69 brd ff:ff:ff:ff:ff:ff
    inet 10.42.243.90/23 brd 10.42.243.255 scope global eth1
    inet6 fe80::f2ad:4eff:fe00:b169/64 scope link
       valid_lft forever preferred_lft forever
4: uap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:24:23:45:06:6e brd ff:ff:ff:ff:ff:ff
    inet6 fe80::224:23ff:fe45:66e/64 scope link
       valid_lft forever preferred_lft forever
5: wifi-dream: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:24:23:45:06:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.1/24 brd 192.168.5.255 scope global wifi-dream
    inet6 fe80::224:23ff:fe45:66e/64 scope link
       valid_lft forever preferred_lft forever
6: pan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
    link/ether 4e:81:bb:2e:5e:70 brd ff:ff:ff:ff:ff:ff

root@debian:/etc/shorewall# ip route show
192.168.5.0/24 dev wifi-dream  proto kernel  scope link  src 192.168.5.1
10.42.242.0/23 dev eth1  proto kernel  scope link  src 10.42.243.90
224.0.0.0/4 dev wifi-dream  scope link
default via 10.42.243.111 dev eth1

root@debian:/etc/shorewall# cat interfaces
loc     wifi-dream      192.168.5.255   routeback
net     eth1            detect          dhcp

root@debian:/etc/shorewall# cat masq
eth1    wifi-dream

root@debian:/etc/shorewall# cat policy
fw      all     ACCEPT
loc     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

root@debian:/etc/shorewall# cat routestopped
wifi-dream

root@debian:/etc/shorewall# cat rules
ACCEPT  all     all     tcp
ACCEPT  all     all     udp
ACCEPT  all     all     udp     123     123
ACCEPT  all     all     tcp     80
ACCEPT  all     all     tcp     8080
ACCEPT  all     all     tcp     21
ACCEPT  all     all     tcp     22
ACCEPT  all     all     tcp     25
ACCEPT  all     all     tcp     4212
ACCEPT  all     all     udp     1234    1234

root@debian:/etc/shorewall# cat zones
net     ipv4
loc     ipv4
fw      firewall

The only mods to the default shorewall.conf are:
IP_FORWARDING=On
MULTICAST=Yes

--
Kind regards,
Darragh

------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
On 10/10/2012 08:33 AM, Darragh O'Brien wrote:
> Hello,
> I have a Dreamplug computer with 2 ethernet interfaces (eth0, eth1) and a
> wifi interface (uap0).
> I have it configured so that eth1 is the outbound interface (internet)
> and eth0 & uap0 are bridged to create a wired/wireless LAN (bridge is
> called wifi-dream).
> Anything connected to wifi-dream can also access the internet through eth1.
>
> I am multicasting some video on the LAN but I would like this traffic to
> only be available on the wired part of the network (eth1) and not also
> the wifi part (uap0) as is currently the case.

Where does the video multicast originate from? A host on the wired LAN?

-Tom
--
Tom Eastep              \ When I die, I want to go like my Grandfather who
Shoreline,               \ died peacefully in his sleep. Not screaming like
Washington, USA           \ all of the passengers in his car
http://shorewall.net       \________________________________________________
Hi Tom.

It is originating (via VLC/VLM) from this same machine as Shorewall, the Dreamplug. The multicast traffic should be (and is currently) available to other wired clients on the LAN - there is no multicast aware switch or anything like that. This is a portable demo environment. I just want the multicast traffic not to go out over the secured wifi as it will kill the dreamplug with all the encryption it has to do etc.

Regards,
Darragh

On Wed, Oct 10, 2012 at 8:48 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Where does the video multicast originate from? A host on the wired LAN?
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
Kind regards,
Darragh

Darragh O'Brien
Senior Solutions Consultant
Digisoft.tv Limited
Building 4200 C, Cork Airport Business Park, Kinsale Road, Cork, Ireland
Web: www.digisoft.tv
Tel: + 353 (0)21 4917272
Fax: + 353 (0)21 4917271
On 10/10/2012 01:03 PM, Darragh O'Brien wrote:
> Hi Tom.
> It is originating (via VLC/VLM) from this same machine as Shorewall, the
> Dreamplug.
> The multicast traffic should be (and is currently) available to other
> wired clients on the LAN - there is no multicast aware switch or
> anything like that. This is a portable demo environment.
> I just want the multicast traffic not to go out over the secured wifi as
> it will kill the dreamplug with all the encryption it has to do etc.

Hi Darragh,

I'm afraid that you are out of luck. Beginning with kernel 2.6.20, Netfilter (iptables) can no longer filter traffic sent to a bridge based on which port the traffic will leave on. It can only do that on traffic between bridge ports.

You will have to install and use ebtables to accomplish your goal. You can use Shorewall Extension scripts to integrate your ebtables commands with Shorewall start/stop/restart operations.

Sorry,
-Tom
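As an added illustration of the ebtables route Tom points at (this is example code written for this page, not code from the thread or from the Shorewall project), the script below builds and applies the two ebtables rules that stop multicast leaving the bridge through the wireless port. The interface name uap0 and the 224.0.0.0/4 range come from the thread; the DRY_RUN variable, the function names and the file path in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the Shorewall project.
# Blocks multicast on the wireless bridge port only; the wired port (eth0)
# keeps receiving the stream because no rule matches "-o eth0".
# Assumptions: wireless bridge port uap0 (from the thread); DRY_RUN and the
# function names below are this example's own.

WIFI_PORT="${WIFI_PORT:-uap0}"
MCAST_NET="224.0.0.0/4"

# Print the ebtables command for one chain.
#   $1 = chain (OUTPUT or FORWARD), $2 = operation (-A to add, -D to delete)
# OUTPUT sees frames this host generates itself (the VLC stream); FORWARD
# sees frames bridged in from eth0.  In both chains "-o" is the physical
# bridge port the frame is about to leave on, which iptables cannot match.
ebt_rule() {
    chain="$1"
    op="$2"
    printf 'ebtables -t filter %s %s -o %s -p IPv4 --ip-dst %s -j DROP\n' \
        "$op" "$chain" "$WIFI_PORT" "$MCAST_NET"
}

# Apply (or, with DRY_RUN set, only print) the rules for both chains.
#   $1 = operation (-A or -D)
apply_rules() {
    op="$1"
    for chain in OUTPUT FORWARD; do
        cmd="$(ebt_rule "$chain" "$op")"
        if [ -n "$DRY_RUN" ]; then
            printf '%s\n' "$cmd"
        else
            $cmd || return 1
        fi
    done
}

# Intended hook-up with Shorewall extension scripts (assumed file name):
#   /etc/shorewall/started:  . /etc/shorewall/mcast-ebtables.sh; apply_rules -A
#   /etc/shorewall/stopped:  . /etc/shorewall/mcast-ebtables.sh; apply_rules -D
# Run directly as "sh mcast-ebtables.sh add" or "... del" to do it by hand.
case "$1" in
    add) apply_rules -A ;;
    del) apply_rules -D ;;
esac
```

Running it with DRY_RUN=1 prints the two commands without touching the kernel, which is a cheap way to review what Shorewall's started/stopped hooks will execute; after a real run, `ebtables -t filter -L` should show the DROP rules in both OUTPUT and FORWARD. The OUTPUT rule is the one that matters for a stream originating on the Dreamplug itself; the FORWARD rule only becomes relevant if a wired host later starts a multicast source of its own.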
Thanks Tom,

Good to know what's possible and what is not. Maybe I will look into removing the bridge and setting up a static route between the wifi port and wired internal port - would this allow me to accomplish what I need to do? There is no necessity for the wireless clients and LAN clients to have the same subnet as long as they can communicate with each other - sorry, gone a bit off topic here.

Regards,
Darragh

On Wed, Oct 10, 2012 at 9:59 PM, Tom Eastep <teastep@shorewall.net> wrote:
> I'm afraid that you are out of luck. Beginning with kernel 2.6.20,
> Netfilter (iptables) can no longer filter traffic sent to a bridge based
> on which port the traffic will leave on. It can only do that on traffic
> between bridge ports.
>
> You will have to install and use ebtables to accomplish your goal. You
> can use Shorewall Extension scripts to integrate your ebtables commands
> with Shorewall start/stop/restart operations.
>
> Sorry,
> -Tom

--
Kind regards,
Darragh
On 10/10/2012 02:15 PM, Darragh O'Brien wrote:
> Thanks Tom,
> Good to know what's possible and what is not.
> Maybe I will look into removing the bridge and setting up a static route
> between the wifi port and wired internal port - would this allow me to
> accomplish what I need to do?
> There is no necessity for the wireless clients and LAN clients to have
> the same subnet as long as they can communicate with each other - sorry,
> gone a bit off topic here.

No problem. This article should get you going.

http://www.shorewall.net/two-interface.htm#Wireless

Regards,
-Tom
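For the routed layout Darragh is considering, here is an added configuration sketch (written for this page; it is not from the thread or from the linked Shorewall article) showing how the Shorewall files from his first message change once eth0 and uap0 are separate zones instead of bridge ports. Interface names, the 192.168.5.0/24 wired subnet and UDP port 1234 come from the thread; the 192.168.6.0/24 wireless subnet and the zone name "wifi" are assumed values.

```text
# Added example, not from the thread. Shorewall 4.4 files for a routed
# (no-bridge) Dreamplug: eth0 wired LAN, uap0 wireless LAN, eth1 internet.
# Assumed: wireless subnet 192.168.6.0/24, zone name "wifi".

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4            # wired clients on eth0 (192.168.5.0/24)
wifi    ipv4            # wireless clients on uap0 (192.168.6.0/24, assumed)

# /etc/shorewall/interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth1            detect          dhcp
loc     eth0            192.168.5.255
wifi    uap0            192.168.6.255

# /etc/shorewall/masq
#INTERFACE      SOURCE
eth1            192.168.5.0/24,192.168.6.0/24

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG LEVEL
fw      all     ACCEPT
loc     all     ACCEPT          # wired clients may reach wifi, fw and net
wifi    all     ACCEPT          # wireless clients may reach loc, fw and net
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
#ACTION SOURCE  DEST                    PROTO   DEST PORT(S)
# Safety net: even if a 224.0.0.0/4 route is ever pointed at uap0, the
# firewall's own video stream must not be sent into the wireless zone.
DROP    fw      wifi:224.0.0.0/4        udp     1234
```

The part that actually keeps the stream off the wireless side is the routing table rather than the firewall: without a bridge, multicast the Dreamplug generates leaves on whichever interface owns the 224.0.0.0/4 route (the first message shows that route on wifi-dream today), so after the change it should read `ip route add 224.0.0.0/4 dev eth0`, for example from /etc/shorewall/started. The DROP rule only guards against that route being changed later. The two segments also each need their own DHCP scope now that they are separate subnets.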