On Monday, 22 October 2018 22:24:32 ACDT Carlos E. R. wrote:
On 22/10/2018 13.44, Rodney Baker wrote:
On Monday, 22 October 2018 18:34:13 ACDT Carlos E. R. wrote:
You need to allow IP traffic TO the multicast address. You need to know how multicast traffic works in relation to unicast and broadcast traffic.
Unicast traffic is one-to-one; broadcast traffic is one-to-all; multicast traffic is one-to-many.
Multicast group addresses are defined as the 224.0.0.0/4 subnet (that is, 224.0.0.0 to 239.255.255.255). Any traffic TO an address in that range is defined as multicast traffic. Multicast traffic always comes FROM a unicast address, TO the multicast group. Devices that want to receive traffic sent to that group register with their local router using an igmp join message (so you may also need to allow IGMP traffic to/through the firewall). The multicast traffic to the group address is then forwarded on all ports that have a receiver registered for that group. If there are no registered receivers for a group, the multicast traffic won't be forwarded.
Note that multicast group addresses in the 224.0.0.0/24 range are reserved or "well known" multicast addresses used by routing protocols etc. For example, OSPF uses 224.0.0.5 and 224.0.0.6, EIGRP uses 224.0.0.10, PIM uses 224.0.0.39 and 224.0.0.40.
It is 224.0.0.1
Ok, I understand, more or less, but then how do I do that on the firewalld GUI?
The suggestion is to do:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT
which I will apply blindly this evening, without really understanding what they do or if they will do the trick or need other commands. Nor do I know how to undo. Maybe instead of --permanent I could use --runtime.
I see no mention on those rules of the 224.0.0.1 address.
SuSEfirewall2 was easy to understand.
224.0.0.1 is the "All hosts" multicast address - it is used by a router to address all hosts on the same network segment. This is used for host discovery.

From https://www.tldp.org/HOWTO/Multicast-HOWTO-2.html:

"There are some special multicast groups, say "well known multicast groups", you should not use in your particular applications due the special purpose they are destined to:

- 224.0.0.1 is the all-hosts group. If you ping that group, all multicast capable hosts on the network should answer, as every multicast capable host must join that group at start-up on all it's multicast capable interfaces.
- 224.0.0.2 is the all-routers group. All multicast routers must join that group on all it's multicast capable interfaces."

The full IPv4 multicast address space registry is here: https://www.iana.org/assignments/multicast-addresses/multicast-addresses.xht...

Unless you are specifically wanting to receive multicast traffic (for example, to participate in dynamic routing protocols e.g. RIP, eigrp, ospf, bgp or is-is), or for receiving multicast video/audio traffic, you should not worry too much about it. If you want it to work, you'll need to permit traffic to 224.0.0.0/24 on all your firewall interfaces where multicast-capable hosts exist.

The IPv6 equivalent addresses (link-local scope) are FF02::1 (for all hosts) and FF02::2 (for all routers). Node-local (or interface-local) equivalents are FF01::1 and FF01::2. The full list of well-known multicast addresses for IPv6 is here: https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml

--
==============================================================
Rodney Baker VK5ZTV
rodney.baker@iinet.net.au
CCNA #CSCO12880208
==============================================================
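Added example, not part of the thread and not either poster's own commands: a dry-run script that builds firewalld direct rules scoped to the destinations discussed above (224.0.0.0/24, IGMP, ff02::1) in the runtime configuration only, together with the matching removal. The function names and the `APPLY` switch are hypothetical; priority 0 in the INPUT chain is copied from the rules quoted in the thread.

```shell
#!/bin/sh
# Added example: runtime-only firewalld direct rules for multicast, with undo.
# Dry run by default; set APPLY=1 (as root) to execute the commands.

# One rule per line: <family> <table> <chain> <priority> <iptables args>
# Assumption: destination-scoped rules instead of the blanket pkttype match.
multicast_rules() {
    cat <<'EOF'
ipv4 filter INPUT 0 -d 224.0.0.0/24 -j ACCEPT
ipv4 filter INPUT 0 -p igmp -j ACCEPT
ipv6 filter INPUT 0 -d ff02::1 -j ACCEPT
EOF
}

# Build the firewall-cmd line for one rule.
# $1 = add | remove | query, $2 = runtime | permanent, $3 = rule spec
rule_cmd() {
    case "$1" in add|remove|query) ;; *) return 2 ;; esac
    case "$2" in
        runtime)   printf 'firewall-cmd --direct --%s-rule %s\n' "$1" "$3" ;;
        permanent) printf 'firewall-cmd --permanent --direct --%s-rule %s\n' "$1" "$3" ;;
        *) return 2 ;;
    esac
}

# Print (or, with APPLY=1, execute) the command for every rule.
each_rule() {
    multicast_rules | while IFS= read -r spec; do
        cmd=$(rule_cmd "$1" "$2" "$spec") || return 2
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd    # unquoted on purpose so the line splits into arguments
        else
            echo "$cmd"
        fi
    done
}

# Typical sequence: load into the runtime configuration, inspect, undo.
each_rule add runtime
echo 'firewall-cmd --direct --get-all-rules   # list the loaded direct rules'
each_rule remove runtime
```

Leaving out `--permanent` changes only the runtime configuration, which is discarded on `firewall-cmd --reload` or a service restart; rules added with `--permanent` take effect only after a reload.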