Jasper Jans wrote:

> After setting up a firewall I noticed a lot of traffic being rejected
> coming from 224.0.0.1. This is so-called multicast traffic.
>
> Nov 27 23:55:23 badaboom kernel: Packet log: input REJECT eth0 PROTO=2
> xxx.xxx.xxx.xxx:65535 224.0.0.1:65535 L=28 S=0xC0 I=36214 F=0x0000 T=1
> Nov 27 23:55:33 badaboom kernel: Packet log: input REJECT eth0 PROTO=17
> xxx.xxx.xxx.xxx:1484 224.0.0.1:4242 L=57 S=0x00 I=2340 F=0x0000 T=1
> Nov 27 23:56:09 badaboom kernel: Packet log: input REJECT eth0 PROTO=17
> xxx.xxx.xxx.xxx:1483 224.0.0.1:4242 L=57 S=0x00 I=2498 F=0x0000 T=1
> Nov 27 23:56:10 badaboom kernel: Packet log: input REJECT eth0 PROTO=17
> xxx.xxx.xxx.xxx:1482 224.0.0.1:4242 L=57 S=0x00 I=2507 F=0x0000 T=1
> Nov 27 23:56:12 badaboom kernel: Packet log: input REJECT eth0 PROTO=17
> xxx.xxx.xxx.xxx:1481 224.0.0.1:4242 L=57 S=0x00 I=2525 F=0x0000 T=1
> Nov 27 23:56:23 badaboom kernel: Packet log: input REJECT eth0 PROTO=2
> xxx.xxx.xxx.xxx:65535 224.0.0.1:65535 L=28 S=0xC0 I=36241 F=0x0000 T=1
>
> [jjans]$ nslookup 224.0.0.1
> Name:    ALL-SYSTEMS.MCAST.NET
> Address:  224.0.0.1
>
> Is it a good idea to block this traffic, or should it be allowed through the
> firewall?
>

Multicasts to the ALL-SYSTEMS multicast address (224.0.0.1) are used by ICMP
router discovery [RFC 1256]. I don't like the idea of passing this traffic
through a firewall and I don't know of any case where this is necessary.
Most often multicast traffic is generated for special purposes (e.g. by
routing protocols), and in most cases it contains information you probably
don't want to pass through the fw.
So block it.

HTH,

Enno

[EMAIL PROTECTED]
PGP: FB9B DA6D 6706 5A8D A361  F63C 6650 E4C8 3BBE 04E9
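
As an added example (not part of the original thread): a short Python parser for the ipchains "Packet log" lines quoted above that groups rejected multicast traffic by destination, IP protocol and port, a useful check before writing a block rule. The sample lines are constructed in the quoted format with documentation-range source addresses, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the ipchains "Packet log" format quoted above
# (source addresses replaced with documentation-range addresses).
SAMPLE_LOG = """\
Nov 27 23:55:23 badaboom kernel: Packet log: input REJECT eth0 PROTO=2 192.0.2.10:65535 224.0.0.1:65535 L=28 S=0xC0 I=36214 F=0x0000 T=1
Nov 27 23:55:33 badaboom kernel: Packet log: input REJECT eth0 PROTO=17 192.0.2.11:1484 224.0.0.1:4242 L=57 S=0x00 I=2340 F=0x0000 T=1
Nov 27 23:56:09 badaboom kernel: Packet log: input REJECT eth0 PROTO=17 192.0.2.11:1483 224.0.0.1:4242 L=57 S=0x00 I=2498 F=0x0000 T=1
Nov 27 23:57:01 badaboom kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.12:40000 198.51.100.5:23 L=44 S=0x00 I=100 F=0x4000 T=52
"""

LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) .*\bT=(?P<ttl>\d+)"
)
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")  # routers do not forward this block

def parse_line(line):
    """Return a dict of fields for one packet log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ttl"):
        rec[key] = int(rec[key])
    try:
        dst = ipaddress.ip_address(rec["dst"])
    except ValueError:  # malformed address in the log line
        return None
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    rec["multicast"] = dst in MULTICAST
    rec["link_local"] = dst in LOCAL_CONTROL
    return rec

def summarize_multicast(log_text):
    """Count multicast-destined packets by (dst, protocol, dst port, link_local)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["multicast"]:
            # Ports only mean something for TCP/UDP; the PROTO=2 lines show 65535.
            port = rec["dport"] if rec["proto"] in (6, 17) else None
            counts[(rec["dst"], rec["proto_name"], port, rec["link_local"])] += 1
    return counts
```

On the sample this yields one IGMP group and one UDP/4242 group, both addressed to 224.0.0.1 with a TTL of 1, while the unicast TCP line is ignored.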
