
wg-multicast - Re: Firewall ruleset/ACL best practice

Subject: All things related to multicast

  • From: Marshall Eubanks <>
  • To: Bruce Curtis <>
  • Cc: wg-multicast <>
  • Subject: Re: Firewall ruleset/ACL best practice
  • Date: Wed, 9 May 2007 19:38:19 -0400


On May 9, 2007, at 5:16 PM, Bruce Curtis wrote:


On May 9, 2007, at 1:16 PM, Bayly, Thomas G. wrote:

Does anyone have a best practice rule set to apply to firewalls that permits end users to receive multicast content but not source it? And likewise for router ACLs?

In a router you want to block 232.0.0.0/4 outbound but not inbound, which is generally pretty simple.

Regards
Marshall


Cheers,

Tom Bayly

Information Technology Services

University Support Building II

Pennsylvania State University


The answers to Lab 7 in the Internet2 Multicast Workshop have some example access-lists to prevent TCP or ICMP scanning of the multicast IP range from creating state. The access lists could be modified to block all multicast traffic rather than just TCP or ICMP.


http://multicast.internet2.edu/workshops/minneapolis/

But the access lists will still need to allow IGMP packets so that clients can join groups and receive multicast.

---
Bruce Curtis

Certified NetAnalyst II 701-231-8527
North Dakota State University
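
Added example, not part of the original thread or of the workshop's access lists: a first-match filter for traffic arriving from end users, showing that the IGMP permit has to come before the multicast deny because membership reports are themselves addressed to multicast groups. The rule format, the sample packets and the use of the full IPv4 multicast range 224.0.0.0/4 are assumptions made for the illustration; multicast delivered to users travels in the other direction and is not subject to this list.

```python
import ipaddress

MCAST = ipaddress.ip_network("224.0.0.0/4")  # assumed: full IPv4 multicast range
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed rule set for traffic arriving from end users.
# Format: (action, protocol, destination network).
FROM_USERS = [
    ("permit", "igmp", ANY),    # membership reports/leaves so hosts can join
    ("deny",   "any",  MCAST),  # anything else a user sends to a group
    ("permit", "any",  ANY),    # ordinary unicast
]

# Same rules with the deny first, to show why rule order matters.
MISORDERED = [FROM_USERS[1], FROM_USERS[0], FROM_USERS[2]]


def evaluate(rules, proto, dst):
    """First-match evaluation with an implicit deny at the end."""
    addr = ipaddress.ip_address(dst)
    for action, rule_proto, net in rules:
        if rule_proto in ("any", proto) and addr in net:
            return action
    return "deny"


# Constructed sample packets sent by an end-user host.
PACKETS = [
    ("igmp", "239.1.2.3"),    # IGMPv2 report, sent to the group itself
    ("igmp", "224.0.0.22"),   # IGMPv3 report, sent to all IGMPv3 routers
    ("udp",  "239.1.2.3"),    # user trying to source multicast data
    ("tcp",  "239.1.2.3"),    # TCP scan of the multicast range
    ("icmp", "224.0.1.1"),    # ICMP scan of the multicast range
    ("tcp",  "192.0.2.10"),   # normal unicast
]


def verdicts(rules):
    """Return the action taken for each sample packet, in order."""
    return [evaluate(rules, proto, dst) for proto, dst in PACKETS]


if __name__ == "__main__":
    rows = zip(PACKETS, verdicts(FROM_USERS), verdicts(MISORDERED))
    for (proto, dst), good, bad in rows:
        print(f"{proto:5} -> {dst:12} ordered={good:6} misordered={bad}")
```

With the deny placed first, both IGMP reports are dropped and the host can no longer join any group, even though nothing else about the rule set changed.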




