Problems allowing outgoing multicast in ufw
I am having problems configuring the uncomplicated firewall (ufw) to allow outgoing multicast traffic. I am blocking all in and outgoing connections as the default policy. I have supplemented with the rules listed below. Yet, I get these error messages repeated twice after every time I boot the system:
Errors (repeated twice on boot-up):
[UFW BLOCK] IN= OUT=eth0 SRC=192.168.0.2 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
[UFW BLOCK] IN= OUT=eth0 SRC=fe80:0000:0000:0000:f66d:feee:feee:feee DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0
[UFW BLOCK] IN= OUT=eth0 SRC=fe80:0000:0000:0000:f66d:04ff:feee:df54 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
Main rules:
ufw allow out proto udp to 224.0.0.0/3
ufw allow out proto udp to ff00::/8
ufw allow in proto udp to 224.0.0.0/3
ufw allow in proto udp to ff00::/8
in
/etc/ufw/user.rules:
-A ufw-before-input -p igmp -d 224.0.0.0/3 -j ACCEPT
-A ufw-before-output -p igmp -d 224.0.0.0/3 -j ACCEPT
and in
/etc/ufw/user6.rules:
-A ufw6-before-input -p icmpv6 -d ff00::/8 -j ACCEPT
-A ufw6-before-output -p icmpv6 -d ff00::/8 -j ACCEPT
networking firewall iptables ufw
add a comment |
I am having problems configuring the uncomplicated firewall (ufw) to allow outgoing multicast traffic. I am blocking all in and outgoing connections as the default policy. I have supplemented with the rules listed below. Yet, I get these error messages repeated twice after every time I boot the system:
Errors (repeated twice on boot-up):
[UFW BLOCK] IN= OUT=eth0 SRC=192.168.0.2 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
[UFW BLOCK] IN= OUT=eth0 SRC=fe80:0000:0000:0000:f66d:feee:feee:feee DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0
[UFW BLOCK] IN= OUT=eth0 SRC=fe80:0000:0000:0000:f66d:04ff:feee:df54 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
Main rules:
ufw allow out proto udp to 224.0.0.0/3
ufw allow out proto udp to ff00::/8
ufw allow in proto udp to 224.0.0.0/3
ufw allow in proto udp to ff00::/8
in
/etc/ufw/user.rules:
-A ufw-before-input -p igmp -d 224.0.0.0/3 -j ACCEPT
-A ufw-before-output -p igmp -d 224.0.0.0/3 -j ACCEPT
and in
/etc/ufw/user6.rules:
-A ufw6-before-input -p icmpv6 -d ff00::/8 -j ACCEPT
-A ufw6-before-output -p icmpv6 -d ff00::/8 -j ACCEPT
networking firewall iptables ufw
Please note that the multicast range is not 224.0.0.0/3. It is 224.0.0.0/4 because the addresses from 240.0.0.0 up are not multicast.
– ssb
Apr 1 '14 at 18:38
add a comment |
I am having problems configuring the uncomplicated firewall (ufw) to allow outgoing multicast traffic. I am blocking all in and outgoing connections as the default policy. I have supplemented with the rules listed below. Yet, I get these error messages repeated twice after every time I boot the system:
Errors (repeated twice on boot-up):
[UFW BLOCK] IN= OUT=eth0 SRC=192.168.0.2 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
[UFW BLOCK] IN= OUT=eth0 SRC=fe80:0000:0000:0000:f66d:feee:feee:feee DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0
[UFW BLOCK] IN= OUT=eth0 SRC=fe80:0000:0000:0000:f66d:04ff:feee:df54 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
Main rules:
ufw allow out proto udp to 224.0.0.0/3
ufw allow out proto udp to ff00::/8
ufw allow in proto udp to 224.0.0.0/3
ufw allow in proto udp to ff00::/8
in
/etc/ufw/user.rules:
-A ufw-before-input -p igmp -d 224.0.0.0/3 -j ACCEPT
-A ufw-before-output -p igmp -d 224.0.0.0/3 -j ACCEPT
and in
/etc/ufw/user6.rules:
-A ufw6-before-input -p icmpv6 -d ff00::/8 -j ACCEPT
-A ufw6-before-output -p icmpv6 -d ff00::/8 -j ACCEPT
networking firewall iptables ufw
I am having problems configuring the uncomplicated firewall (ufw) to allow outgoing multicast traffic. I am blocking all in and outgoing connections as the default policy. I have supplemented with the rules listed below. Yet, I get these error messages repeated twice after every time I boot the system:
Errors (repeated twice on boot-up):
[UFW BLOCK] IN= OUT=eth0 SRC=192.168.0.2 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
[UFW BLOCK] IN= OUT=eth0 SRC=fe80:0000:0000:0000:f66d:feee:feee:feee DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0
[UFW BLOCK] IN= OUT=eth0 SRC=fe80:0000:0000:0000:f66d:04ff:feee:df54 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
Main rules:
ufw allow out proto udp to 224.0.0.0/3
ufw allow out proto udp to ff00::/8
ufw allow in proto udp to 224.0.0.0/3
ufw allow in proto udp to ff00::/8
in
/etc/ufw/user.rules:
-A ufw-before-input -p igmp -d 224.0.0.0/3 -j ACCEPT
-A ufw-before-output -p igmp -d 224.0.0.0/3 -j ACCEPT
and in
/etc/ufw/user6.rules:
-A ufw6-before-input -p icmpv6 -d ff00::/8 -j ACCEPT
-A ufw6-before-output -p icmpv6 -d ff00::/8 -j ACCEPT
networking firewall iptables ufw
networking firewall iptables ufw
edited Sep 13 '14 at 12:22
guntbert
9,078133069
9,078133069
asked Feb 6 '13 at 18:58
Aeyoun
493835
493835
Please note that the multicast range is not 224.0.0.0/3. It is 224.0.0.0/4 because the addresses from 240.0.0.0 up are not multicast.
– ssb
Apr 1 '14 at 18:38
add a comment |
Please note that the multicast range is not 224.0.0.0/3. It is 224.0.0.0/4 because the addresses from 240.0.0.0 up are not multicast.
– ssb
Apr 1 '14 at 18:38
Please note that the multicast range is not 224.0.0.0/3. It is 224.0.0.0/4 because the addresses from 240.0.0.0 up are not multicast.
– ssb
Apr 1 '14 at 18:38
Please note that the multicast range is not 224.0.0.0/3. It is 224.0.0.0/4 because the addresses from 240.0.0.0 up are not multicast.
– ssb
Apr 1 '14 at 18:38
add a comment |
2 Answers
2
active
oldest
votes
SRC=fe80:0000
:0000:0000
:f66d:04ff
:feee:df54
DST=ff02:0000
:0000:0000
:0000:0000
:0000:0016
I think that this numbers must be within of the number ff00::/8
. I don't know if them are.
Or maybe you want to try "My UPnP player can not see MediaTomb, what is wrong?"'s rules. Though them be for a necessity that seems the inverse...
add a comment |
I have seen similar messages in the log an did the following:
to
/etc/ufw/before.rules
I added
# allow igmp codes from my local sub-net
-A ufw-before-input -p igmp -m ttl --ttl-eq 1 -j ACCEPT
and to
/etc/ufw/before6.rules
# allow multicast group membership maintenance
-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT
and
# allow multicast group membership maintenance go in as well
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -j ACCEPT
Note however that the messages blocked where group membership queries from the local router, i have no actual programm running that use IP multicast at all.
But the log entries are gone after all.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f252101%2fproblems-allowing-outgoing-multicast-in-ufw%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
SRC=fe80:0000
:0000:0000
:f66d:04ff
:feee:df54
DST=ff02:0000
:0000:0000
:0000:0000
:0000:0016
I think that this numbers must be within of the number ff00::/8
. I don't know if them are.
Or maybe you want to try "My UPnP player can not see MediaTomb, what is wrong?"'s rules. Though them be for a necessity that seems the inverse...
add a comment |
SRC=fe80:0000
:0000:0000
:f66d:04ff
:feee:df54
DST=ff02:0000
:0000:0000
:0000:0000
:0000:0016
I think that this numbers must be within of the number ff00::/8
. I don't know if them are.
Or maybe you want to try "My UPnP player can not see MediaTomb, what is wrong?"'s rules. Though them be for a necessity that seems the inverse...
add a comment |
SRC=fe80:0000
:0000:0000
:f66d:04ff
:feee:df54
DST=ff02:0000
:0000:0000
:0000:0000
:0000:0016
I think that this numbers must be within of the number ff00::/8
. I don't know if them are.
Or maybe you want to try "My UPnP player can not see MediaTomb, what is wrong?"'s rules. Though them be for a necessity that seems the inverse...
SRC=fe80:0000
:0000:0000
:f66d:04ff
:feee:df54
DST=ff02:0000
:0000:0000
:0000:0000
:0000:0016
I think that this numbers must be within of the number ff00::/8
. I don't know if them are.
Or maybe you want to try "My UPnP player can not see MediaTomb, what is wrong?"'s rules. Though them be for a necessity that seems the inverse...
edited May 11 '14 at 0:59
answered May 11 '14 at 0:48
Alexandre
8114
8114
add a comment |
add a comment |
I have seen similar messages in the log an did the following:
to
/etc/ufw/before.rules
I added
# allow igmp codes from my local sub-net
-A ufw-before-input -p igmp -m ttl --ttl-eq 1 -j ACCEPT
and to
/etc/ufw/before6.rules
# allow multicast group membership maintenance
-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT
and
# allow multicast group membership maintenance go in as well
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -j ACCEPT
Note however that the messages blocked where group membership queries from the local router, i have no actual programm running that use IP multicast at all.
But the log entries are gone after all.
add a comment |
I have seen similar messages in the log an did the following:
to
/etc/ufw/before.rules
I added
# allow igmp codes from my local sub-net
-A ufw-before-input -p igmp -m ttl --ttl-eq 1 -j ACCEPT
and to
/etc/ufw/before6.rules
# allow multicast group membership maintenance
-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT
and
# allow multicast group membership maintenance go in as well
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -j ACCEPT
Note however that the messages blocked where group membership queries from the local router, i have no actual programm running that use IP multicast at all.
But the log entries are gone after all.
add a comment |
I have seen similar messages in the log an did the following:
to
/etc/ufw/before.rules
I added
# allow igmp codes from my local sub-net
-A ufw-before-input -p igmp -m ttl --ttl-eq 1 -j ACCEPT
and to
/etc/ufw/before6.rules
# allow multicast group membership maintenance
-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT
and
# allow multicast group membership maintenance go in as well
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -j ACCEPT
Note however that the messages blocked where group membership queries from the local router, i have no actual programm running that use IP multicast at all.
But the log entries are gone after all.
I have seen similar messages in the log an did the following:
to
/etc/ufw/before.rules
I added
# allow igmp codes from my local sub-net
-A ufw-before-input -p igmp -m ttl --ttl-eq 1 -j ACCEPT
and to
/etc/ufw/before6.rules
# allow multicast group membership maintenance
-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT
and
# allow multicast group membership maintenance go in as well
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -j ACCEPT
Note however that the messages blocked where group membership queries from the local router, i have no actual programm running that use IP multicast at all.
But the log entries are gone after all.
edited Sep 13 '14 at 12:19
guntbert
9,078133069
9,078133069
answered Sep 13 '14 at 8:53
Lutz
1
1
add a comment |
add a comment |
Thanks for contributing an answer to Ask Ubuntu!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f252101%2fproblems-allowing-outgoing-multicast-in-ufw%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Please note that the multicast range is not 224.0.0.0/3. It is 224.0.0.0/4 because the addresses from 240.0.0.0 up are not multicast.
– ssb
Apr 1 '14 at 18:38