Matt Feifarek wrote: > On Jan 19, 2008 8:25 PM, Tom Eastep <[EMAIL PROTECTED]> wrote: > >> I don't see anything wrong. Multicast packets are leaving your firewall >> and you have a loc->fw ACCEPT policy so IGMP packets can reach the server. >> >> For the dump to be useful, the period of time covered by the dump must >> include failures. Apparently there were none in the >> 27 seconds covered by this dump. > > Thanks for the prompt reply! > > Yes, I was hoping to have a small slice of time, to help isolate the problem. > > Maybe this is a clue: if I do: > $ ping 224.0.0.1 > I get: > ping: sendmsg: Operation not permitted > > If I turn off shorwall, I don't get that message... I don't get > anything back from ping, but that's probably another question, > obviously unrelated to shorewall. > > I get the same thing when running the pulseaudio server... > # pulseaudio --system -C > E: sap.c: sendmsg() failed: Operation not permitted > > This last message repeats indefinitely, about once per second. The > "sap.c" gives me the clue that multicast is implicated. > > I did both of these things (ping and pulseaudio) in those 27 seconds. > I didn't see them in the DROP/REJECT tables either. > > Does shorewall flip any kernel switches that might turn off broadcast > or multicast in a way that doesn't show up in the iptables? In other > words, if my packets aren't getting caught in netfilter, what else > might happen in "shorewall start" that causes the change in results? > > P.S. Just to be sure, I tried looking in sap.c to see what address(es) > it uses, and found 224.0.0.56. Also, I looked at the RFC for SAP[1] > and found this: > > "IPv4 global scope sessions use multicast addresses in the range > 224.2.128.0 - 224.2.255.255 with SAP announcements being sent to > 224.2.127.254 (note that 224.2.127.255 is used by the obsolete SAPv0 > and MUST NOT be used)." > > But later in the same doc there is mention of using 239.x.y.z... which > I also allowed in rules, but no difference. > > Thanks! >
One think I think I can help you with. You report that ping 224.0.0.1 doesn't work with Shorewall started. That's because you don't have a route for 224.0.0.0/4 out of your local interface. So with Shorewall started, I suspect that the default route is used and the pings are being rejected out of your 'net' interface. Every HOWTO I've read about multicast talks about adding a route to 224.0.0.0/4 out of the interfaces that need multicast. Just a guess. I've never had a need for multicast[1] so I haven't experimented with it (and there is no article on the Shorewall site about it). -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
