Hi List,

I recently got an Android gadget to play with and put a DLNA server on my
Shorewall box.

The following entries in the "rules" file will make it work instantly, if I
use "tcpdump" to check the traffic. This is the case because the interface
will be in promiscuous mode, I believe; when "tcpdump" is stopped, it is
not working anymore.

SECTION NEW
ACCEPT  lan   $FW   udp   1900
ACCEPT  $FW   lan   udp   -     1900
ACCEPT  lan   $FW   tcp   8200

I tried "allowinUPnP lan $FW" and vice versa, also "allowBcast", still no
luck.
Also "MULTICAST=Yes" in shorewall.conf has no effect, nor setting a route
like this:

ip route add 224.0.0.0/4 dev br0 (interface "lan" is a bridge).

What am I missing?

Thanks for your suggestions,

-Tarqi
On 04/27/2013 04:50 PM, Tarqi Kazan wrote:
> Hi List,
>
> I recently got an Android gadget to play with and put a DLNA server on my
> Shorewall box.
>
> The following entries in the "rules" file will make it work instantly, if I
> use "tcpdump" to check the traffic. This is the case because the interface
> will be in promiscuous mode, I believe; when "tcpdump" is stopped, it is
> not working anymore.
>
> SECTION NEW
> ACCEPT  lan   $FW   udp   1900
> ACCEPT  $FW   lan   udp   -     1900
> ACCEPT  lan   $FW   tcp   8200
>
> I tried "allowinUPnP lan $FW" and vice versa, also "allowBcast", still no
> luck.
> Also "MULTICAST=Yes" in shorewall.conf has no effect, nor setting a route
> like this:
>
> ip route add 224.0.0.0/4 dev br0 (interface "lan" is a bridge).
>
> What am I missing?

Temporarily set the lan->fw and fw->lan policy default action to 'None':

/etc/shorewall/policy:

#SOURCE  DEST  POLICY       LOG     LIMIT:  CONNLIMIT:
#                           LEVEL   BURST   MASK
lan      fw    REJECT:None  info
fw       lan   REJECT:None  info

Now try to connect; the Netfilter log will show you what is being rejected
or dropped.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Thanks Tom,

I tried your suggestion, unfortunately nothing shows up in the log.

With tcpdump:

root@arch/0:~# tcpdump -i br0 -n udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:09:03.759139 IP 192.168.10.15.8008 > 239.255.255.250.1900: UDP, length 101
20:09:03.761098 IP 192.168.10.1.1900 > 192.168.10.15.8008: UDP, length 311
20:09:03.958368 IP 192.168.10.15.8008 > 239.255.255.250.1900: UDP, length 102
20:09:03.959499 IP 192.168.10.1.1900 > 192.168.10.15.8008: UDP, length 311
20:09:04.162749 IP 192.168.10.15.8008 > 239.255.255.250.1900: UDP, length 101
20:09:04.163516 IP 192.168.10.1.1900 > 192.168.10.15.8008: UDP, length 311
20:09:04.370630 IP 192.168.10.15.8008 > 239.255.255.250.1900: UDP, length 102
20:09:04.372723 IP 192.168.10.1.1900 > 192.168.10.15.8008: UDP, length 311

Without tcpdump: Nothing.

I attached a dump with my original config (MULTICAST = No, no route to
224.0.0.0/4) and would be very pleased if you could help me further. (Taking
the dump complains that SW could not find "arp" and "netstat", hope it
helps anyway.)

-Tarqi

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, April 29, 2013 5:39 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Multicast / Broadcast in Shorewall

On 04/27/2013 04:50 PM, Tarqi Kazan wrote:
> [...]

Temporarily set the lan->fw and fw->lan policy default action to 'None':

/etc/shorewall/policy:

#SOURCE  DEST  POLICY       LOG     LIMIT:  CONNLIMIT:
#                           LEVEL   BURST   MASK
lan      fw    REJECT:None  info
fw       lan   REJECT:None  info

Now try to connect; the Netfilter log will show you what is being rejected
or dropped.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 4/29/13 11:31 AM, "Tarqi Kazan" <tarqi@cfs.dyndns.biz> wrote:
> Thanks Tom,
>
> I tried your suggestion, unfortunately nothing shows up in the log.
>
> With tcpdump:
>
> root@arch/0:~# tcpdump -i br0 -n udp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 20:09:03.759139 IP 192.168.10.15.8008 > 239.255.255.250.1900: UDP, length 101
> 20:09:03.761098 IP 192.168.10.1.1900 > 192.168.10.15.8008: UDP, length 311
> 20:09:03.958368 IP 192.168.10.15.8008 > 239.255.255.250.1900: UDP, length 102
> 20:09:03.959499 IP 192.168.10.1.1900 > 192.168.10.15.8008: UDP, length 311
> 20:09:04.162749 IP 192.168.10.15.8008 > 239.255.255.250.1900: UDP, length 101
> 20:09:04.163516 IP 192.168.10.1.1900 > 192.168.10.15.8008: UDP, length 311
> 20:09:04.370630 IP 192.168.10.15.8008 > 239.255.255.250.1900: UDP, length 102
> 20:09:04.372723 IP 192.168.10.1.1900 > 192.168.10.15.8008: UDP, length 311
>
> Without tcpdump: Nothing.
>
> I attached a dump with my original config (MULTICAST = No, no route to
> 224.0.0.0/4) and would be very pleased if you could help me further.
> (Taking the dump complains that SW could not find "arp" and "netstat",
> hope it helps anyway.)

If it works with tcpdump running, it's not a Shorewall problem.

-Tom

You do not need a parachute to skydive. You only need a parachute to
skydive twice.
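An added example, not code from the thread or from Shorewall, illustrating the mechanism behind Tom's last reply: a non-promiscuous NIC only passes multicast frames whose destination MAC has been programmed into its filter by a group join, and frames dropped there never reach Netfilter, which fits the empty log. The script maps the SSDP group 239.255.255.250 to that Ethernet address, classifies the quoted tcpdump lines into group searches and unicast replies, and builds the ip_mreq that IP_ADD_MEMBERSHIP needs to join the group on the bridge; the interface address 192.168.10.1 and the capture lines are taken from the thread and embedded as constructed input.

```python
import ipaddress
import re
import socket
import struct

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900

# Constructed input: four of the tcpdump lines quoted in the thread.
CAPTURE = """\
20:09:03.759139 IP 192.168.10.15.8008 > 239.255.255.250.1900: UDP, length 101
20:09:03.761098 IP 192.168.10.1.1900 > 192.168.10.15.8008: UDP, length 311
20:09:03.958368 IP 192.168.10.15.8008 > 239.255.255.250.1900: UDP, length 102
20:09:03.959499 IP 192.168.10.1.1900 > 192.168.10.15.8008: UDP, length 311
"""

LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$")


def multicast_mac(group: str) -> str:
    """Ethernet address an IPv4 multicast group is sent to (RFC 1112): 01:00:5e
    plus the low 23 bits of the group. Without promiscuous mode a NIC delivers
    frames to this MAC only if a group join has programmed it into its filter."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def classify_capture(text: str) -> dict:
    """Count SSDP searches sent to the group and unicast replies from port 1900."""
    counts = {"multicast_searches": 0, "unicast_replies": 0}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if ipaddress.IPv4Address(m["dst"]).is_multicast and int(m["dport"]) == SSDP_PORT:
            counts["multicast_searches"] += 1
        elif int(m["sport"]) == SSDP_PORT:
            counts["unicast_replies"] += 1
    return counts


def membership_request(group: str, iface_ip: str) -> bytes:
    """struct ip_mreq for setsockopt(IPPROTO_IP, IP_ADD_MEMBERSHIP, ...): the group,
    then the address of the interface the join is made on (br0 here, not a port).
    The kernel then adds multicast_mac(group) to that interface's filter itself."""
    return struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton(iface_ip))
```

On the box itself, `ip maddr show dev br0` lists the joined groups; if 239.255.255.250 (01:00:5e:7f:ff:fa) is missing there while the DLNA server is running, the join is the problem, not the rules file.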