Date: Mon, 3 Mar 1997 12:01:04 -0800 (PST)
From: Archie Cobbs <archie@whistle.com>
To: fenner@parc.xerox.com (Bill Fenner)
Cc: freebsd-multimedia@freebsd.org
Subject: Re: multicast firewall implications
Message-ID: <199703032001.MAA26146@bubba.whistle.com>
In-Reply-To: <97Mar3.103653pst.177476@crevenia.parc.xerox.com> from Bill Fenner at "Mar 3, 97 10:36:44 am"
> Archie Cobbs <archie@whistle.com> wrote:
> >Is it sufficient to open a hole in the firewall for all traffic between
> >A and B for IP protocol 4 (IP-in-IP) only?
>
> You also need IP protocol 2 (IGMP) for the DVMRP routing messages.
>
> >To what degree does opening this hole compromise the security of the
> >internal network?
>
> It allows multicast traffic destined for groups to which internal
> machines are joined to flow onto your network.
>
> >What non-multicast traffic is associated with multicast routing or
> >with the popular MBONE applications (sdr, vat, vic, etc.), if any?
>
> Just the tunnel traffic you mentioned above.
>
> >Do IP packets destined for 224.x.x.x ever "jump across" into normal
> >class A, B, or C addresses?
>
> Only through an application designed to do so.

Thanks! So assuming you had a mrouted(8) tunnel between remote-gw (external
machine on the ISP's network) and local-gw (internal machine behind the
firewall) you might install these "holes" on some intervening packet
filtering machine...

  ipfw add 100 allow igmp from remote-gw to local-gw
  ipfw add 100 allow igmp from local-gw to remote-gw
  ipfw add 100 allow ipencap from remote-gw to local-gw
  ipfw add 100 allow ipencap from local-gw to remote-gw

...and this would be all you would need? Looks pretty easy then.

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
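Added example (editor's code, not part of the original thread, not from Archie, Bill, or the FreeBSD project): the four ipfw rules above match on the outer IP header only, so once protocol 4 between the two gateways is permitted, the filter itself never looks at what is carried inside the IP-in-IP envelope. The script below models that outer match and then parses the inner IPv4 header to classify the tunnelled packet: a UDP datagram to a 224.0.0.0/4 group (what the MBONE applications send), a non-UDP multicast packet, or an inner packet addressed to an ordinary unicast host. The gateway addresses, the inner hosts and groups, and all packet bytes are constructed for the example; what mrouted does with a tunnelled unicast packet is its own business and is not claimed here.

```python
"""
Classify IP-in-IP (protocol 4) tunnel traffic by its inner header.

Editor's example code. Addresses and packets are constructed, not captured.
"""
import ipaddress
import struct
from typing import Dict

IPPROTO_IGMP = 2
IPPROTO_IPENCAP = 4
IPPROTO_UDP = 17

# Hypothetical tunnel endpoints standing in for remote-gw and local-gw.
REMOTE_GW = "192.0.2.1"
LOCAL_GW = "198.51.100.1"


def parse_ipv4(pkt: bytes) -> Dict:
    """Decode the fixed IPv4 header; skip options; checksum is not verified."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag, _ttl,
     proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": pkt[ihl:],
    }


def outer_rule_allows(outer: Dict) -> bool:
    """Emulate the four ipfw holes: IGMP or IP-in-IP, only between the gateways."""
    endpoints = {outer["src"], outer["dst"]}
    return (outer["proto"] in (IPPROTO_IGMP, IPPROTO_IPENCAP)
            and endpoints == {REMOTE_GW, LOCAL_GW})


def tunnel_payload_policy(pkt: bytes) -> str:
    """Apply the outer rule, then look inside the IP-in-IP envelope."""
    outer = parse_ipv4(pkt)
    if not outer_rule_allows(outer):
        return "blocked-by-outer-rule"
    if outer["proto"] == IPPROTO_IGMP:
        return "igmp"
    inner = parse_ipv4(outer["payload"])  # protocol 4: payload is a full IPv4 packet
    if not ipaddress.IPv4Address(inner["dst"]).is_multicast:  # outside 224.0.0.0/4
        return "tunnelled-unicast"
    if inner["proto"] != IPPROTO_UDP:
        return "tunnelled-multicast-non-udp"
    return "tunnelled-multicast-udp"


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (no options, zero checksum) for the samples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


# Constructed sample traffic as the packet filter would see it.
SAMPLES = {
    # mrouted tunnel carrying a UDP datagram to a multicast group
    "multicast_udp": build_ipv4(REMOTE_GW, LOCAL_GW, IPPROTO_IPENCAP,
                                build_ipv4("10.0.0.5", "224.2.0.1", IPPROTO_UDP, b"rtp")),
    # same envelope, but the inner packet is aimed at an internal unicast host
    "unicast_inner": build_ipv4(REMOTE_GW, LOCAL_GW, IPPROTO_IPENCAP,
                                build_ipv4("10.0.0.5", "10.1.2.3", IPPROTO_UDP, b"x")),
    # IP-in-IP from a host that is not the tunnel peer
    "third_party": build_ipv4("203.0.113.9", LOCAL_GW, IPPROTO_IPENCAP,
                              build_ipv4("10.0.0.5", "224.2.0.1", IPPROTO_UDP, b"x")),
    # DVMRP routing message between the two gateways
    "igmp": build_ipv4(REMOTE_GW, LOCAL_GW, IPPROTO_IGMP, b"\x13\x00\x00\x00"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {tunnel_payload_policy(pkt)}")
```

The point of the exercise is the "tunnelled-unicast" case: the ipfw rules treat that packet exactly like the multicast one, because both are protocol 4 from remote-gw to local-gw. Whether anything further downstream drops it depends on the decapsulating host, not on the filter.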