On 22/10/2018 13.44, Rodney Baker wrote:
On Monday, 22 October 2018 18:34:13 ACDT Carlos E. R. wrote:
You need to allow IP traffic TO the multicast address. You need to know how multicast traffic works in relation to unicast and broadcast traffic.
Unicast traffic is one-to-one; broadcast traffic is one-to-all; multicast traffic is one-to-many.
Multicast group addresses are defined as the 224.0.0.0/4 subnet (that is, 224.0.0.0 to 239.255.255.255). Any traffic TO an address in that range is defined as multicast traffic. Multicast traffic always comes FROM a unicast address, TO the multicast group. Devices that want to receive traffic sent to that group register with their local router using an IGMP join message (so you may also need to allow IGMP traffic to/through the firewall). The multicast traffic to the group address is then forwarded on all ports that have a receiver registered for that group. If there are no registered receivers for a group, the multicast traffic won't be forwarded.
Note that multicast group addresses in the 224.0.0.0/24 range are reserved or "well known" multicast addresses used by routing protocols etc. For example, OSPF uses 224.0.0.5 and 224.0.0.6, EIGRP uses 224.0.0.10, PIM uses 224.0.0.39 and 224.0.0.40.
It is 224.0.0.1

Ok, I understand, more or less, but then how do I do that on the firewalld GUI?

The suggestion is to do:

    firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT
    firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT

which I will apply blindly this evening, without really understanding what they do or if they will do the trick or need other commands. Nor do I know how to undo. Maybe instead of --permanent I could use --runtime.

I see no mention on those rules of the 224.0.0.1 address.

SuSEfirewall2 was easy to understand.

-- 
Cheers / Saludos,

Carlos E. R.
(from openSUSE 15.0 (Legolas))
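
Added example, not part of either poster's message: a small wrapper around the two direct rules quoted above that adds them to the running firewall only, checks that they are loaded, and removes them again. The function names and the DRY_RUN switch are assumptions of this example; the rule text is the one from the thread.

```shell
#!/bin/sh
# Try the multicast direct rules, verify them, and undo them.
# Without --permanent, firewall-cmd changes only the running configuration,
# so "firewall-cmd --reload" or a reboot also discards the rules.

# DRY_RUN=1 prints each command instead of running it (example helper).
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Rule exactly as suggested in the thread: priority 0 in filter/INPUT.
# "-m pkttype --pkt-type multicast" matches on the link-layer packet type,
# which is why no group address such as 224.0.0.1 appears in the rule.
rule_spec() {    # $1 = ipv4 | ipv6
    echo "$1 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT"
}

# $1 = add | query | remove, $2 = optional word "permanent"
mcast_rules() {
    perm=""
    if [ "${2:-}" = permanent ]; then perm="--permanent"; fi
    for fam in ipv4 ipv6; do
        # word splitting of the rule spec is intended here
        fw $perm --direct "--$1-rule" $(rule_spec "$fam") || return 1
    done
}

# Usage: script add|query|remove [permanent]   or   script list
case "${1:-}" in
    add|query|remove) mcast_rules "$@" ;;
    list)             fw --direct --get-all-rules ;;
esac
```

Rules added with the "permanent" word are undone with "remove permanent" followed by firewall-cmd --reload; "query" exits non-zero when a rule is not loaded.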