wg-multicast - Re: Firewall ruleset/ACL best practice
Subject: All things related to multicast
- From: debbie fligor <>
- To: Marshall Eubanks <>, wg-multicast List <>
- Cc: Debbie Fligor <>
- Subject: Re: Firewall ruleset/ACL best practice
- Date: Thu, 10 May 2007 13:38:37 -0500
On May 9, 2007, at 18:38, Marshall Eubanks wrote:
On May 9, 2007, at 5:16 PM, Bruce Curtis wrote:
On May 9, 2007, at 1:16 PM, Bayly, Thomas G. wrote:
Does anyone have a best practice rule set to apply to firewalls that permits end users to receive multicast content but not source it? And likewise for router ACLs?
In a router you want to block 232.0.0.0/4 outbound but not inbound, which is generally pretty simple.
I think you have to be careful where you do this. If it's at your campus edge, that should work. If it's on the net where the users are because you don't want that traffic in your core at all, you need to be careful.
I was planning on using an ACL to block a specific group from going out an interface in order to keep traffic local to that net and mentioned this to an SE. He said he'd just had that come up elsewhere, and if I applied that ACL to that interface the router would drop it before processing the IGMP and then couldn't be the IGMP querier for that group (which I needed it to be). This is for Foundry gear, others may be different.
Also what Bruce said below about IGMP for joins applies as well.
Regards
Marshall
Cheers,
Tom Bayly
Information Technology Services
University Support Building II
Pennsylvania State University
The answers to Lab 7 in the Internet2 Multicast Workshop have some example access-lists to prevent TCP or ICMP scanning of the multicast IP range from creating state. The access lists could be modified to block all multicast traffic rather than just TCP or ICMP.
http://multicast.internet2.edu/workshops/minneapolis/
But the access lists will still need to allow IGMP packets so that clients can join groups and receive multicast.
---
Bruce Curtis
Certified NetAnalyst II 701-231-8527
North Dakota State University
-----
-debbie
Debbie Fligor, n9dn Network Engineer, CITES, Univ. of Il
email:
<http://www.uiuc.edu/ph/www/fligor>
"My turn." -River
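To illustrate the ordering point made in the thread (block multicast sourcing, but the IGMP permit has to come before the multicast deny or joins stop working), here is an added example that models first-match ACL evaluation in Python; it is not a config from anyone in the thread. It assumes the IPv4 multicast range 224.0.0.0/4 and uses constructed sample packets as seen inbound from a user segment.

```python
import ipaddress
from dataclasses import dataclass

# IPv4 multicast range (224.0.0.0/4); the rules below key on it.
MCAST = ipaddress.ip_network("224.0.0.0/4")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "igmp", "udp", "tcp", "icmp" or "ip" (any)
    dst: ipaddress.IPv4Network  # destination match


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str


def evaluate(acl, pkt):
    """First-match semantics with the router's implicit deny at the end."""
    dst = ipaddress.ip_address(pkt.dst)
    for r in acl:
        if r.proto in ("ip", pkt.proto) and dst in r.dst:
            return r.action
    return "deny"


# Inbound on the user-facing interface: hosts may join groups but not source.
GOOD_ACL = [
    Rule("permit", "igmp", MCAST),  # joins/leaves must reach the querier
    Rule("deny", "ip", MCAST),      # no sourcing; also stops TCP/ICMP scans of the range
    Rule("permit", "ip", ANY),
]

# Same lines, wrong order: the blanket deny swallows IGMP and nobody can join.
BROKEN_ACL = [
    Rule("deny", "ip", MCAST),
    Rule("permit", "igmp", MCAST),
    Rule("permit", "ip", ANY),
]

# Constructed sample packets (hypothetical addresses).
SAMPLES = {
    "igmp_report": Packet("igmp", "239.1.1.1"),  # IGMPv2 report to the group
    "udp_source": Packet("udp", "239.1.1.1"),    # host trying to source a stream
    "tcp_scan": Packet("tcp", "224.0.1.40"),     # scan of the multicast range
    "unicast": Packet("udp", "192.0.2.10"),      # ordinary traffic, untouched
}


def check(acl):
    """Return the verdict for each sample packet under the given ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}
```

Running check() on both lists shows the good ACL permits only the IGMP report and unicast traffic, while the broken ordering also denies the IGMP report.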