
Thread: Should I configure a firewall to allow multicast?

  1. #1
    Dave
    Guest

    Should I configure a firewall to allow multicast?

    I'm using IP filter on a Sun workstation (IP 192.168.1.9) and see the
    firewall is blocking various hosts to 192.168.1.255 port 138. Note this
    machine is not a router, so really no machine on the network should rely
    on this one even being running.

    Anyway, this is my ipfilter log, showing data from 192.168.1.101 (a PC)
    port 138 and 192.168.1.128 (another PC) going to 192.168.1.255 (this is
    not any machine as such).

    I think there was the following in the log from various local hosts


    23/03/2009 12:58:44.000795 eri0 @0:15 b 192.168.1.101,138 -> 192.168.1.255,138 PR udp len 20 229 IN multicast
    23/03/2009 13:04:16.665658 eri0 @0:15 b 192.168.1.128,138 -> 192.168.1.255,138 PR udp len 20 240 IN multicast
    23/03/2009 13:14:16.667128 eri0 @0:15 b 192.168.1.128,138 -> 192.168.1.255,138 PR udp len 20 240 IN multicast
    23/03/2009 13:17:28.791530 eri0 @0:15 b 192.168.1.101,138 -> 192.168.1.255,138 PR udp len 20 244 IN multicast
    23/03/2009 13:18:18.926805 eri0 @0:15 b 192.168.1.128,138 -> 192.168.1.255,138 PR udp len 20 229 IN multicast
    23/03/2009 13:22:43.225333 eri0 @0:15 b 192.168.1.101,138 -> 192.168.1.255,138 PR udp len 20 229 IN multicast

    I tried creating some rules to allow this, but for some reason it is
    still being blocked.


    pass out quick on eri0 proto udp from 192.168.1.9 to 192.168.1.255
    pass out quick on eri0 proto udp from 192.168.1.0/24 to 192.168.1.255 port = 137
    pass in quick on eri0 proto udp from 192.168.1.0/24 to 192.168.1.255 port = 137

    So I'm not sure if it's best to allow these packets or stop them. If it's
    better to allow them, which is a suitable firewall rule for ipfilter?


    --
    I respectfully request that this message is not archived by companies as
    unscrupulous as 'Experts Exchange' . In case you are unaware,
    'Experts Exchange' take questions posted on the web and try to find
    idiots stupid enough to pay for the answers, which were posted freely
    by others. They are leeches.

  2. #2
    Moe Trin
    Guest

    Re: Should I configure a firewall to allow multicast?

    On Mon, 23 Mar 2009, in the Usenet newsgroup comp.security.firewalls, in article
    <49c78ef7@212.67.96.135>, Dave wrote:

    >I'm using IP filter on a Sun workstation (IP 192.168.1.9) and see the
    >firewall is blocking various hosts to 192.168.1.255 port 138. Note
    >this machine is not a router, so really no machine on the network
    >should rely on this one even being running.


    Let's have a look at the output of '/sbin/ifconfig -a' and
    '/sbin/route -n'. This smells like a bit of confusion on your part
    related to addresses used in IP.

    >Anyway, this is my ipfilter log, showing data from 192.168.1.101 (a
    >PC) port 138 and 192.168.1.128 (another PC) going to 192.168.1.255
    >(this is not any machine as such).


    Are 192.168.1.101 and 192.168.1.128 running Samba, or windoze?
    Both RFC0791 and RFC1122 were written long before "Classless
    Inter-Domain Routing" (CIDR) (RFC1519), but this sounds like normal
    _broadcast_ activity.

    >pass out quick on eri0 proto udp from 192.168.1.0/24 to 192.168.1.255 port = 137
    >pass in quick on eri0 proto udp from 192.168.1.0/24 to 192.168.1.255 port = 137


    You're implying that /sbin/ifconfig and /sbin/route would show a local
    network running from 192.168.1.0 through 192.168.1.255 which would
    show up as a network mask of 255.255.255.0 or FFFFFF00. In that case,
    192.168.1.0 would be the "network address" which in SOME operating
    systems can also be used as a host address, and 192.168.1.255 is the
    broadcast address - received by every host on the subnet. Broadcasts
    are normally used when the sending system doesn't know the correct
    address of the destination, or in packets destined for all systems.
    This is quite normal.

    >So I'm not sure if it's best to allow these packets or stop them. If
    >it's better to allow them, which is a suitable firewall rule for
    >ipfilter?


    Is everything working OK? Are you simply worried that having packets
    sent to this "unknown" (to you) address is/maybe harmful? I don't use
    windoze or Samba, but understand that packets to the local broadcast
    address are normal for that protocol.

    Old guy

  3. #3
    Dave
    Guest

    Re: Should I configure a firewall to allow multicast?

    Moe Trin wrote:
    > On Mon, 23 Mar 2009, in the Usenet newsgroup comp.security.firewalls, in article
    > <49c78ef7@212.67.96.135>, Dave wrote:
    >
    >> I'm using IP filter on a Sun workstation (IP 192.168.1.9) and see the
    >> firewall is blocking various hosts to 192.168.1.255 port 138. Note
    >> this machine is not a router, so really no machine on the network
    >> should rely on this one even being running.

    >
    > Let's have a look at the output of '/sbin/ifconfig -a' and
    > '/sbin/route -n'. This smells like a bit of confusion on your part
    > related to addresses used in IP.


    I suspect it is confusion, but I know for certain there are no hosts
    with an address of 192.168.1.255.

    # /sbin/ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    inet 192.168.1.9 netmask ffffff00 broadcast 192.168.1.255
    ether 0:3:ba:16:e4:55


    # /sbin/route -n
    usage: route [ -fnpqv ] [ -R <root-dir> ] cmd [[ -<qualifers> ] args ]

    Not sure what you want there. -n does not appear to be supported in
    Solaris.

    I don't know if this is any use. The IP of the Sun on which this is run
    is 192.168.1.9.

    # netstat -rn

    Routing Table: IPv4
    Destination Gateway Flags Ref Use Interface
    -------------------- -------------------- ----- ----- ---------- ---------
    default 192.168.1.1 UG 1 409
    192.168.1.0 192.168.1.9 U 1 1031 eri0
    224.0.0.0 192.168.1.9 U 1 0 eri0


    >
    >> Anyway, this is my ipfilter log, showing data from 192.168.1.101 (a
    >> PC) port 138 and 192.168.1.128 (another PC) going to 192.168.1.255
    >> (this is not any machine as such).

    >
    > Are 192.168.1.101 and 192.168.1.128 running Samba, or windoze?


    Yes, both are Windows PCs which use Samba shares. Samba runs on the Sun
    where I see these messages.

    > Both RFC0791 and RFC1122 were written long before "Classless
    > Inter-Domain Routing" (CIDR) (RFC1519), but this sounds like normal
    > _broadcast_ activity.


    You don't surprise me. So would it be sensible for the firewall not to
    block it?

    It would be useful if I could pass it, and so not have it logged as being
    blocked. I like to keep an eye on the blocked packets, to see if they
    should have been permitted, and so I need to add a rule to permit them.
    Hence blocking unnecessary things is not ideal.


    >> pass out quick on eri0 proto udp from 192.168.1.0/24 to 192.168.1.255 port = 137
    >> pass in quick on eri0 proto udp from 192.168.1.0/24 to 192.168.1.255 port = 137

    >
    > You're implying that /sbin/ifconfig and /sbin/route would show a local
    > network running from 192.168.1.0 through 192.168.1.255 which would
    > show up as a network mask of 255.255.255.0 or FFFFFF00. In that case,
    > 192.168.1.0 would be the "network address" which in SOME operating
    > systems can also be used as a host address, and 192.168.1.255 is the
    > broadcast address - received by every host on the subnet. Broadcasts
    > are normally used when the sending system doesn't know the correct
    > address of the destination, or in packets destined for all systems.
    > This is quite normal.
    >
    >> So I'm not sure if it's best to allow these packets or stop them. If
    >> it's better to allow them, which is a suitable firewall rule for
    >> ipfilter?

    >
    > Is everything working OK? Are you simply worried that having packets
    > sent to this "unknown" (to you) address is/maybe harmful? I don't use
    > windoze or Samba, but understand that packets to the local broadcast
    > address are normal for that protocol.
    >
    > Old guy


    Some things seem rather slow since I changed the router, and needed to
    change firewall rules. I have not had time to determine what is amiss. It
    is possible it is just the internet as a whole, but I'm slightly
    concerned maybe data is getting lost which would help speed up internal
    traffic. Not sure if that is possible or not.

    As I said above, I'd like stop these messages being logged, but I can't
    seem to find a rule that stops it. Hence I have lines like:

    23/03/2009 21:32:32.527497 eri0 @0:17 b 192.168.1.101,138 -> 192.168.1.255,138 PR udp len 20 244 IN multicast


    despite having these two rules now.

    pass out quick on eri0 proto udp from 192.168.1.0/24 to 192.168.1.255 port 137 <> 138
    pass in quick on eri0 proto udp from 192.168.1.0/24 to 192.168.1.255 port 137 <> 138 keep state



  4. #4
    Moe Trin
    Guest

    Re: Should I configure a firewall to allow multicast?

    On Mon, 23 Mar 2009, in the Usenet newsgroup comp.security.firewalls, in article
    <49c8079b@212.67.96.135>, Dave wrote:

    Moe Trin wrote:

    >> This smells like a bit of confusion on your part related to
    >> addresses used in IP.


    >I suspect it is confusion, but I know for certain there are no hosts
    >with an address of 192.168.1.255.


    Yes but

    >eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    > inet 192.168.1.9 netmask ffffff00 broadcast 192.168.1.255


    Even says so right here - 192.168.1.255 is the broadcast address.

    >Not sure what you want there. -n does not appear to be supported in
    >Solaris.


    The -n option tells the system not to try to resolve the address to a
    name. No big deal, as the ifconfig provided the data needed. I haven't
    used Solaris in several years, hence the confusion on my part. I don't
    see that many Solaris posts to this group, and you _may_ have better
    luck over in 'comp.unix.solaris' or possibly 'comp.sys.sun.admin'.

    >Routing Table: IPv4
    > Destination Gateway Flags Ref Use Interface
    >-------------------- -------------------- ----- ----- ---------- ---------
    >default 192.168.1.1 UG 1 409
    >192.168.1.0 192.168.1.9 U 1 1031 eri0
    >224.0.0.0 192.168.1.9 U 1 0 eri0


    You speak about 'multicast' - the IP address range of 224.0.0.0 to
    239.255.255.255 (network mask 240.0.0.0 or f0000000 or /4) is where
    multicast lives. This service (RFC1301, RFC1458, RFC2365) is directing
    packets to multiple clients who have _requested_ to receive them. One
    example of this might be Internet Radio. This differs from 'broadcast'
    which sends packets to the network broadcast address (192.168.1.255 in
    this case) for everyone. Another difference about broadcast is that
    the packets _tend_ to be small.

    >> Are 192.168.1.101 and 192.168.1.128 running Samba, or windoze?


    >Yes, both are Windows PCs which use Samba shares. Samba runs on the
    >Sun where I see these messages.


    OK - that's what is causing this traffic. No, you don't want to filter
    this, and you _probably_ can't. Windoze networking uses the broadcast
    address for short but critical messages - advertising the existence of
    shares, locating a domain controller, and the like.

    >You don't surprise me. So would it be sensible for the firewall not to
    >block it?


    Correct. Obviously the entire network address range would be blocked
    at the perimeter (RFC2827 and/or RFC3704), but that's an entirely
    different problem.

    >It would be useful if I could pass it, and so not logged it being
    >blocked. I like to keep an eye on the blocked packets, to see if they
    >should have been permitted, and so I need to add a rule to permit
    >them. Hence blocking unnecessary thing is not ideal.


    My guess is that you've got some other "blanket" rule that is causing
    the logging.

    >Some things seem rather slow since I changed the router, and needed to
    >change firewall rules. I have not had time to determine what is amiss.
    >It is possible it is just the internet as a whole, but I'm slightly
    >concerned maybe data is getting lost which would help speed up
    >internal traffic. Not sure if that is possible or not.


    Not enough details. "Slow" is usually used to describe a situation
    where the initiation of a connection is slow - using telnet as an
    example, the client program starts, but the login prompt takes up to a
    minute to appear. Once you log in, everything runs at normal speed.
    That particular problem is a name resolution problem - the _server_ is
    attempting to look up the name of the _client_ for the logs. A common
    solution is to fix the DNS, _OR_ add all of the client hostname/IP data
    to the /etc/hosts file on the server.

    The method to troubleshoot that problem is to use a packet sniffer to
    see what traffic is going where. The classic tool is 'tcpdump', but I
    believe 'Snoop' or 'GreedyDog' are more common for Solaris. There are
    at least twenty such tools, not all of which run/compile on all O/S.

    Old guy
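The broadcast-versus-multicast distinction explained above, and the port mismatch in the posted rules, as an added Python example that is not from either poster: it derives the broadcast address from the ifconfig line quoted in the thread, classifies the destination of each ipmon log entry (224.0.0.0/4 is multicast, the subnet's broadcast address is broadcast), and checks blocked entries against a deliberately simplified model of the posted pass rules (destination address and port only; rule order, direction and "quick" are ignored). The log lines are constructed in the ipmon format shown in the thread; the 224.0.0.251 entry is invented to exercise the multicast case.

```python
import ipaddress
import re
# Interface data as shown in the thread's ifconfig output (netmask ffffff00).
IFACE = ipaddress.ip_interface("192.168.1.9/255.255.255.0")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # 224.0.0.0 - 239.255.255.255

# ipmon lines constructed for this example; the 224.0.0.251 entry is invented.
LOG_LINES = """\
23/03/2009 12:58:44.000795 eri0 @0:15 b 192.168.1.101,138 -> 192.168.1.255,138 PR udp len 20 229 IN multicast
23/03/2009 13:04:16.665658 eri0 @0:15 b 192.168.1.128,137 -> 192.168.1.255,137 PR udp len 20 240 IN multicast
23/03/2009 13:05:00.000000 eri0 @0:15 b 192.168.1.101,5353 -> 224.0.0.251,5353 PR udp len 20 120 IN multicast
""".splitlines()

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)")

def classify(dst):
    """'broadcast' for this subnet's broadcast address, 'multicast' for 224/4, else 'unicast'."""
    addr = ipaddress.ip_address(dst)
    if addr == IFACE.network.broadcast_address:
        return "broadcast"
    if addr in MULTICAST:
        return "multicast"
    return "unicast"

def parse(line):
    """Parse one ipmon line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    pkt["kind"] = classify(pkt["dst"])
    return pkt

# Simplified model of "pass in quick ... proto P ... to DST port = N":
# a rule is (protocol, destination address, set of destination ports it allows).
def rule_matches(rule, pkt):
    proto, dst, ports = rule
    return pkt["proto"] == proto and pkt["dst"] == dst and pkt["dport"] in ports

def still_blocked(rules, lines):
    """Blocked ('b') entries that none of the given pass rules would have matched."""
    pkts = [p for p in map(parse, lines) if p and p["action"] == "b"]
    return [p for p in pkts if not any(rule_matches(r, p) for r in rules)]

ORIGINAL_RULES = [("udp", "192.168.1.255", {137})]    # the poster's "port = 137" rule
FIXED_RULES = [("udp", "192.168.1.255", {137, 138})]  # covers both NetBIOS datagram ports
```

With ORIGINAL_RULES the port-138 entry remains in still_blocked(), which is exactly what the poster's log shows; with FIXED_RULES only the invented multicast entry remains.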
