Problems allowing outgoing multicast in ufw


I have seen similar messages in the log and the following worked for me:

Editing /etc/ufw/before.rules, I added:

# allow igmp codes from my local sub-net
-A ufw-before-input -p igmp -m ttl --ttl-eq 1 -j ACCEPT

and to /etc/ufw/before6.rules, I added:

# allow multicast group membership maintenance
-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT

# allow multicast group membership maintenance go in as well
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -j ACCEPT

Note, however, that the messages blocked were group membership queries from the local router; I have no actual program running that uses IP multicast at all.

The log entries were gone after making the above configuration changes.


Updated on September 18, 2022

Comments

  • Daniel
    Daniel over 1 year

    I am having problems configuring the uncomplicated firewall (ufw) to allow outgoing multicast traffic. I am blocking all incoming and outgoing connections as the default policy. I have supplemented this with the rules listed below. Yet I get these error messages, repeated twice, every time I boot the system:

    Errors (repeated twice on boot-up):

    [UFW BLOCK] IN= OUT=eth0 SRC=192.168.0.2 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2

    [UFW BLOCK] IN= OUT=eth0 SRC=fe80:0000:0000:0000:f66d:feee:feee:feee DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0

    [UFW BLOCK] IN= OUT=eth0 SRC=fe80:0000:0000:0000:f66d:04ff:feee:df54 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0

    Main rules:

    ufw allow out proto udp to 224.0.0.0/3
    ufw allow out proto udp to ff00::/8
    ufw allow in  proto udp to 224.0.0.0/3
    ufw allow in  proto udp to ff00::/8

    in /etc/ufw/user.rules:

    -A ufw-before-input  -p igmp -d 224.0.0.0/3 -j ACCEPT
    -A ufw-before-output -p igmp -d 224.0.0.0/3 -j ACCEPT

    and in /etc/ufw/user6.rules:

    -A ufw6-before-input  -p icmpv6 -d ff00::/8 -j ACCEPT
    -A ufw6-before-output -p icmpv6 -d ff00::/8 -j ACCEPT

    • ssb
      ssb about 10 years
      Please note that the multicast range is not 224.0.0.0/3. It is 224.0.0.0/4 because the addresses from 240.0.0.0 up are not multicast.
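To see what the blocked lines actually carry before writing rules for them, here is an added example (not code from the question, the answer or ufw) that parses the three `[UFW BLOCK]` lines from the question into their fields, names the IGMP/MLD message types the answer's rules key on, and flags an allow-prefix that reaches past the multicast range, which is the point of the comment above. The field names are those the kernel LOG target emits; the type names come from the MLD and NDP RFCs, and the sample lines are copied from the question.

```python
import ipaddress
import re

# ICMPv6 message types seen here: MLD group maintenance (RFC 2710, RFC 3810)
# and Router Solicitation (RFC 4861). IGMP is IP protocol 2 (RFC 3376).
ICMPV6_TYPES = {130: "MLD Query", 131: "MLDv1 Report", 132: "MLDv1 Done",
                133: "Router Solicitation", 143: "MLDv2 Report"}

# The three blocked lines from the question, used as sample input.
SAMPLE_LINES = [
    "[UFW BLOCK] IN= OUT=eth0 SRC=192.168.0.2 DST=224.0.0.22 LEN=40 TOS=0x00 "
    "PREC=0xC0 TTL=1 ID=0 DF PROTO=2",
    "[UFW BLOCK] IN= OUT=eth0 SRC=fe80:0000:0000:0000:f66d:feee:feee:feee "
    "DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 "
    "FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0",
    "[UFW BLOCK] IN= OUT=eth0 SRC=fe80:0000:0000:0000:f66d:04ff:feee:df54 "
    "DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 "
    "FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE pairs; bare flags such as DF are skipped

def parse_ufw_block(line: str) -> dict:
    """Split one '[UFW BLOCK] ...' kernel log line into its KEY=VALUE fields."""
    marker = "[UFW BLOCK]"
    if marker not in line:
        raise ValueError("not a UFW BLOCK line")
    return dict(FIELD_RE.findall(line.split(marker, 1)[1]))

def classify(line: str) -> dict:
    """Name the multicast-maintenance message and the properties a rule could key on."""
    f = parse_ufw_block(line)
    dst = ipaddress.ip_address(f["DST"])
    if f.get("PROTO") == "2":
        kind, hops = "IGMP", int(f["TTL"])
    elif f.get("PROTO") == "ICMPv6":
        kind = ICMPV6_TYPES.get(int(f["TYPE"]), f"ICMPv6 type {f['TYPE']}")
        hops = int(f["HOPLIMIT"])
    else:
        kind, hops = f.get("PROTO", "?"), int(f.get("TTL") or f.get("HOPLIMIT") or -1)
    return {"direction": "out" if f.get("OUT") else "in",
            "kind": kind, "dst": str(dst), "multicast": dst.is_multicast,
            "hop_limit_is_one": hops == 1}  # true for IGMP/MLD here, not for RS (255)

def over_broad(cidr: str) -> bool:
    """True if a prefix used in an 'allow multicast' rule also admits non-multicast addresses."""
    net = ipaddress.ip_network(cidr)
    return not (net.network_address.is_multicast and net.broadcast_address.is_multicast)
```

Running `classify` over the three lines shows that the IGMP and MLDv2 Report packets travel with TTL/hop limit 1 while the Router Solicitation to ff02::2 uses 255, and `over_broad("224.0.0.0/3")` confirms that prefix also covers 240.0.0.0/4.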