From owner-freebsd-multimedia Mon Mar 3 12:02:13 1997
From: Archie Cobbs
Message-Id: <199703032001.MAA26146@bubba.whistle.com>
Subject: Re: multicast firewall implications
In-Reply-To: <97Mar3.103653pst.177476@crevenia.parc.xerox.com> from Bill Fenner at "Mar 3, 97 10:36:44 am"
To: fenner@parc.xerox.com (Bill Fenner)
Date: Mon, 3 Mar 1997 12:01:04 -0800 (PST)
Cc: freebsd-multimedia@freebsd.org

> Archie Cobbs wrote:
> >Is it sufficient to open a hole in the firewall for all traffic between
> >A and B for IP protocol 4 (IP-in-IP) only?
>
> You also need IP protocol 2 (IGMP) for the DVMRP routing messages.
>
> >To what degree does opening this hole compromise the security of the
> >internal network?
>
> It allows multicast traffic destined for groups to which internal
> machines are joined to flow onto your network.
>
> >What non-multicast traffic is associated with multi-cast routing or
> >with the popular MBONE applications (sdr, vat, vic, etc.), if any?
>
> Just the tunnel traffic you mentioned above.
>
> >Do IP packets destined for 224.x.x.x ever "jump across" into normal
> >class A, B, or C addresses?
>
> Only through an application designed to do so.

Thanks! So assuming you had an mrouted(8) tunnel between remote-gw (external
machine on the ISP's network) and local-gw (internal machine behind the
firewall) you might install these "holes" on some intervening packet
filtering machine...

  ipfw add 100 allow igmp from remote-gw to local-gw
  ipfw add 100 allow igmp from local-gw to remote-gw
  ipfw add 100 allow ipencap from remote-gw to local-gw
  ipfw add 100 allow ipencap from local-gw to remote-gw

...and this would be all you would need? Looks pretty easy then.

-Archie
___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
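An added example, not part of this message and not ipfw's own code: a small Python model of the four rules above, run over constructed packets. The gateway addresses are placeholders. It shows that the rules admit only IGMP and IP-in-IP between the two gateways, and that a filter matching on the outer header alone never sees the inner destination of a tunnelled packet, which is therefore something local-gw (or mrouted) has to check itself.

```python
import ipaddress
import struct

REMOTE_GW = "192.0.2.1"     # placeholder for remote-gw (on the ISP's network)
LOCAL_GW = "198.51.100.1"   # placeholder for local-gw (behind the firewall)
IGMP, IPENCAP = 2, 4        # IP protocol numbers discussed in the thread

# The four "allow igmp/ipencap from X to Y" rules; anything else is denied.
RULES = {(proto, src, dst)
         for proto in (IGMP, IPENCAP)
         for src, dst in ((REMOTE_GW, LOCAL_GW), (LOCAL_GW, REMOTE_GW))}

def build_ipv4(proto, src, dst, payload=b""):
    """Constructed 20-byte IPv4 header (no options, checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) from an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return pkt[9], src, dst, pkt[ihl:]

def filter_allows(pkt):
    """Verdict of the intervening filter, which only sees the outer header."""
    proto, src, dst, _ = parse_ipv4(pkt)
    return (proto, src, dst) in RULES

def inner_is_multicast(pkt):
    """Decapsulate IP-in-IP and test the inner destination for 224.0.0.0/4;
    None when the packet is not a tunnel packet."""
    proto, _, _, payload = parse_ipv4(pkt)
    if proto != IPENCAP:
        return None
    _, _, inner_dst, _ = parse_ipv4(payload)
    return ipaddress.IPv4Address(inner_dst).is_multicast

def classify(pkt):
    """One label per packet arriving from the outside, combining both checks."""
    if not filter_allows(pkt):
        return "dropped by filter"
    if inner_is_multicast(pkt) is False:
        return "passed by filter; inner destination is not a multicast group"
    return "passed by filter"
```

Run classify() on a tunnel packet whose inner destination is a unicast address to see the second label: the outer filter passes it, so the inner-destination check belongs on the tunnel endpoint.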