Re: Firewall and beacon
- To: Mitch Kutzko <mitch@ncsa.uiuc.edu>
- Subject: Re: Firewall and beacon
- From: "jehan.procaccia" <jehan.procaccia@int-evry.fr>
- Date: Tue, 16 Nov 2004 20:24:44 +0100
- Cc: NLANR Multicast Beacon <beacon@dast.nlanr.net>
- Content-transfer-encoding: 7bit
- Content-type: text/plain; charset=ISO-8859-1; format=flowed
- In-reply-to: <3.0.5.32.20040923133252.03048f98@pop.ncsa.uiuc.edu>
- References: <3.0.5.32.20040923133252.03048f98@pop.ncsa.uiuc.edu>
- Reply-to: "jehan.procaccia" <jehan.procaccia@int-evry.fr>
- Sender: owner-beacon@dast.nlanr.net
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040510
I finally found the firewall rules (iptables on Fedora) to let beacon
clients and server speak to each other :-)
However, I still can't explain why the theoretical and optimized (closed as
much as possible) rules I tried don't work!?
My experience is documented at:
http://www.int-evry.fr/mci/user/procacci/Doc/Beacon/beacon.html#htoc10
Thanks in advance for any comment...
Mitch Kutzko wrote:
>Hi, Jehan -- I use pfilter to handle this for all the boxes I have that run
>iptables.
>
> http://sourceforge.net/projects/pfilter/
>
>pfilter is a perl-based front end to iptables that handles generating the
>appropriate rulesets for you for iptables. You just install the RPM,
>specify the behavior you want in (by default) /etc/pfilter.conf, and
>restart the pfilter service via "service pfilter restart", and you're all set.
>
>The relevant lines from my /etc/pfilter.conf file are:
>
> OPEN udp 10002 # v1.1 DAST Beacon traffic (RTP)
> OPEN udp 10003 # v1.1 DAST Beacon traffic (RTCP)
> OPEN tcp 10004 # v1.1 DAST Beacon traffic (TCP)
>
>Hope this helps!
>
>Mitch
>
>PS - Nice writeup, BTW...
>
>At 06:57 PM 9/23/2004 +0200, you wrote:
>
>>hello
>>I used to play with beacon 0.8.X and I really appreciate that you invest
>>in the development of this beautiful tool!
>>So I upgraded to 1.1; however, I cannot figure out how to set my
>>localhost firewall to permit either my own central server or client
>>beacon clients to pass through correctly (I mean fine-tune the
>>firewall) :-(
>>
>>I work on a Fedora Core 2 system (thanks for the RPMs!), so the firewall
>>is netfilter/iptables.
>>I may also contribute myself to the project by writing a doc on the
>>Fedora installation of a beacon client and server. It's available here:
>>http://www.int-evry.fr/mci/user/procacci/Doc/Beacon/beacon.html
>>
>>In this doc I mention the FAQ/info provided by nlanr about firewall
>>configuration in my section 1.5
>>http://www.int-evry.fr/mci/user/procacci/Doc/Beacon/beacon.html#htoc9
>>
>>Although these settings work if iptables is restarted while the beacon
>>client and server are already running, the firewall needs to be stopped at
>>beacon client and server startup for the matrix to appear (get initialized).
>>Clearly I need to stop the iptables firewall on both client and server,
>>then start them after matrix initialization, and it works. But if I
>>start the firewall first, the matrix (central loss for example) keeps
>>being empty :-(
>>
>>I suppose I'm missing a rule in my iptables firewall that allows the
>>initial join to the multicast group, maybe? Or something else?
>>
>>Has anyone configured iptables correctly to allow beacon client and server
>>to communicate?
>>
>>Thanks a lot.
>>
>>PS: I'll correct my doc if I finally find out how to do it.
>>PS again: I played with more sophisticated iptables rules like the one
>>below, but no way :-( . Should I continue with this kind of multicast
>>rule?
>>
>>-A RH-Firewall-1-INPUT -m pkttype --pkt-type multicast -d 233.157.159.11 -j ACCEPT
>>
>--
>Mitch Kutzko | mitch@dast.nlanr.net | mitch@ncsa.uiuc.edu | 217-333-1199
>http://hobbes.ncsa.uiuc.edu/
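The thread settles on which ports to open (udp 10002/10003, tcp 10004, from Mitch's pfilter.conf) and Jehan's guess that the missing piece is the group join. The script below is an added example, not code from this thread, from pfilter, or from the beacon project: it generates the iptables rules that cover both points for the Fedora default RH-Firewall-1-INPUT chain. The port numbers, chain name and the group 233.157.159.11 are taken from the thread; the IGMP rule, the rule positions and the dry-run convention are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the beacon project): emit, and
# optionally apply, iptables rules that let a v1.1 beacon client/server
# speak through the Fedora default input chain.
#
# Dry run by default: IPT="echo iptables" only prints the commands.
# Run as root with IPT=iptables to apply them for real.

BEACON_GROUP="${BEACON_GROUP:-233.157.159.11}"   # group quoted in the thread
CHAIN="${CHAIN:-RH-Firewall-1-INPUT}"            # Fedora default chain
IPT="${IPT:-echo iptables}"

# Print one rule per line for the given multicast group and chain.
# Rules are inserted (-I) at the head of the chain so they land before the
# chain's final REJECT; appending (-A) on a live chain would put them after it.
beacon_rules() {
    group="$1"
    chain="$2"
    # The group join itself is IGMP, not UDP: the host sends a membership
    # report and must hear the router's membership queries. Without this the
    # host never joins the group and the matrix stays empty.
    echo "-I $chain 1 -p igmp -j ACCEPT"
    # Multicast data (RTP/RTCP) addressed to the beacon group; this is the
    # rule Jehan quoted, kept in the same form.
    echo "-I $chain 2 -m pkttype --pkt-type multicast -d $group -j ACCEPT"
    # Unicast beacon traffic, port list from Mitch's pfilter.conf.
    echo "-I $chain 3 -p udp --dport 10002 -j ACCEPT"   # RTP
    echo "-I $chain 4 -p udp --dport 10003 -j ACCEPT"   # RTCP
    echo "-I $chain 5 -p tcp --dport 10004 -j ACCEPT"   # TCP control
}

# Number of rules generated (handy for a quick sanity check after loading).
beacon_rule_count() {
    beacon_rules "$1" "$2" | grep -c '^-I '
}

# Feed each generated rule to $IPT. Word splitting on $IPT and $rule is
# intended: "echo iptables -I ..." for the dry run, "iptables -I ..." for real.
apply_rules() {
    beacon_rules "$BEACON_GROUP" "$CHAIN" | while IFS= read -r rule; do
        $IPT $rule
    done
}

apply_rules
```

If you keep the rules in /etc/sysconfig/iptables instead, write them as `-A RH-Firewall-1-INPUT ...` lines placed above the chain's closing REJECT line; the order matters there as well. After loading, `iptables -L RH-Firewall-1-INPUT -n --line-numbers` should show the five rules ahead of the REJECT, and a client started with the firewall already up should populate the matrix without the stop/start dance described in the thread.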