I sent this a couple of days ago, and don't see it in the archive, so I'm
assuming it didn't go through. If it did (or does) please excuse the
duplicate message.

I've improved this a bit since then, based on some new discoveries and I've
included a "shorewall dump" in hopes that one of you generous folks might
find it useful.


---------- Forwarded message ----------
Date: Jan 17, 2008 4:31 PM
Subject: Allow multicast in Shorewall 3.4.4
To: shorewall-users@lists.sourceforge.net

Hello.

I'm trying to allow multicast between zone $FW and zone loc. I have verified
that loc <--> loc is working, and I have verified that with shorewall
stopped, the machine that is $FW works with multicast, so everything should
be good with the kernel and modules needed for multicast.

I'm using shorewall 3.4.4 on Ubuntu Gutsy x64, (the shell version not the
perl version). FWIW, I'm trying to run PulseAudio on the $FW machine and
have it use RTP audio sinks.

Note that I do NOT need to route between interfaces; I just want the
internet subnet 10.0.0.0/24 to have RTP support, and have verified that it
works when shorewall is stopped when the $FW machine is part of
10.0.0.0/24 with no firewalling.

Looking through the archives, I see some very old (2002, 2005) instructions
for enabling multicast. I tried these instructions to no avail.

I've tried this in policy:
loc             $FW             ACCEPT:allowBcast
$FW             loc             ACCEPT:allowBcast

and this in rules:
ACCEPT:allowBcast               $FW             $FW:224.0.0.0/4
ACCEPT:allowBcast               $FW             loc:224.0.0.0/4
ACCEPT:allowBcast               loc             $FW:224.0.0.0/4

and this in rules:
allowBcast               $FW             $FW
allowBcast               $FW             loc
allowBcast               loc             $FW

and this in rules:
ACCEPT               $FW             loc:224.0.0.0/4
ACCEPT               loc             $FW:224.0.0.0/4

But no luck.

Interestingly, I had to explicitly block 224.0.0.0/4 from going out my net
zone, or my connection got saturated and became useless. Still, I'm not
seeing anything in my logs about loc <--> $FW being dropped or rejected.

I'd appreciate a tip; I'm sure it's something obvious that I'm overlooking.

Thanks; Shorewall has served me and my company very well with more
conventional configurations for more than 5 years! It's excellent software!

-- Matt
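Added example (not from Matt's message and not Shorewall's own code): a small Python lint for rules lines of the shape used above. It assumes the simplified column model ACTION SOURCE DEST PROTO with whitespace-separated columns and a `zone:address` DEST syntax, and it shows two things a practitioner would check first when a multicast rule silently does nothing: whether the DEST address actually sits inside 224.0.0.0/4, and whether a stray space after the colon (as in `$FW: 224.0.0.0/4`) shifts the address into the PROTO column. The sample rules are constructed for the example.

```python
import ipaddress

# IPv4 multicast range (RFC 5771); RTP sinks such as the ones in the post use it.
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

# Assumed column order for the leading fields of a rules line.
COLUMNS = ("action", "source", "dest", "proto")

# Constructed sample rules in the same shape as the post's attempts.
# The second line deliberately carries a stray space after the colon.
SAMPLE_RULES = """\
# constructed example rules
ACCEPT               $FW             loc:224.0.0.0/4
ACCEPT               loc             $FW: 224.0.0.0/4
ACCEPT:allowBcast    $FW             $FW:10.0.0.0/24
"""


def parse_rule(line):
    """Split one rule line into its leading columns (whitespace-separated)."""
    tokens = line.split()
    rule = dict(zip(COLUMNS, tokens))
    rule["extra"] = tokens[len(COLUMNS):]
    return rule


def split_zone(field):
    """'loc:224.0.0.0/4' -> ('loc', '224.0.0.0/4'); bare 'loc' -> ('loc', None);
    '$FW:' (colon but nothing after it) -> ('$FW', '')."""
    zone, sep, addr = field.partition(":")
    return zone, (addr if sep else None)


def is_multicast_dest(addr):
    """True when addr is a valid IPv4 network contained in 224.0.0.0/4."""
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False
    return net.version == 4 and net.subnet_of(MULTICAST)


def analyse_rule(line):
    """Return (parsed_rule, findings) for a single rules line."""
    rule = parse_rule(line)
    findings = []
    if "dest" not in rule:
        findings.append("fewer than three columns; ACTION SOURCE DEST expected")
        return rule, findings
    _zone, addr = split_zone(rule["dest"])
    if addr == "":
        # The address that should have followed the colon became its own token.
        findings.append(
            f"DEST '{rule['dest']}' ends in ':' with no address; "
            f"'{rule.get('proto')}' was read as the PROTO column"
        )
    elif addr is not None:
        if is_multicast_dest(addr):
            findings.append(f"DEST {addr} is within multicast range {MULTICAST}")
        else:
            findings.append(f"DEST {addr} is not a multicast network")
    return rule, findings


def analyse_rules(text):
    """Lint every non-blank, non-comment line; returns a list of (line, findings)."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        results.append((line, analyse_rule(line)[1]))
    return results


if __name__ == "__main__":
    for line, findings in analyse_rules(SAMPLE_RULES):
        print(line)
        for f in findings:
            print("   ->", f)
```

Run it as a script to see each sample line followed by its findings; feed a real rules file to `analyse_rules` via `open(...).read()` to lint it the same way.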