[mythtv-users] FYI: Firewall Settings to allow FE to BE connections [needed to allow pings]

ctd at minneapolish3.com ctd at minneapolish3.com
Mon Dec 22 13:03:42 UTC 2008


 I just noticed something odd which I had not seen discussed anywhere,
so I figured I would post here.
 Recently I just added and have been setting up Shorewall on my
mythtv backend.  I opened the needed ports (6543-TCP, 6544-TCP,
3306-TCP) mentioned in the mythtv documentation, but I still had
issues connecting to the BE when my FE booted up.
 I looked at my shorewall logs, and noticed these entries:
 Dec 21 14:01:41 mainserver Shorewall:net2all:DROP:IN=eth0 OUT=
MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.1.202
DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=3 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=10517 SEQ=1
 Dec 21 14:01:51 mainserver Shorewall:net2all:DROP:IN=eth0 OUT=
MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:X0 SRC=192.168.1.202
DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=11029 SEQ=1
 After a little digging, it looks like my FE was attempting to ping
(PROTO=ICMP) my BE during the startup process.  The FE did not like
these packets being dropped and would give the "standard" cannot
connect to the BE message.
 I was able to overcome this by adding this rule to
/etc/shorewall/rules:
 Ping/ACCEPT   net    fw
 Anyone else running a firewall on their BE ever have to handle this?
 I would assume that any BE that uses an IPTABLES based firewall would
need to do something similar?  Maybe the default setting is to allow
pings.
 Just curious.
 Mike
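
Added example, not part of the original post: a small Python parser that summarizes what Shorewall is dropping, which is how log entries like the ones quoted above point to the missing rule. It assumes Shorewall's default log prefix (Shorewall:chain:disposition:) and one entry per line; the first two sample lines are the post's entries rejoined, the last two are constructed.

```python
import re
from collections import Counter

# Shorewall's default LOGFORMAT yields "Shorewall:<chain>:<disposition>:" (assumed here).
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Sample input: lines 1-2 are the post's entries rejoined onto one line each;
# line 3 (a TCP drop) and line 4 (an unrelated syslog line) are constructed.
SAMPLE_LOG = """\
Dec 21 14:01:41 mainserver Shorewall:net2all:DROP:IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.1.202 DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=3 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=10517 SEQ=1
Dec 21 14:01:51 mainserver Shorewall:net2all:DROP:IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:X0 SRC=192.168.1.202 DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=11029 SEQ=1
Dec 21 14:02:03 mainserver Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.203 DST=192.168.1.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51000 DPT=6544 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 21 14:02:05 mainserver cron[412]: (root) CMD (run-parts /etc/cron.hourly)
"""

def parse_line(line):
    """Return a dict for a Shorewall log entry, or None if the line is not one."""
    m = PREFIX.search(line)
    if not m:
        return None
    fields = dict(FIELD.findall(line[m.end():]))  # KEY=value pairs after the prefix
    return {"chain": m["chain"], "disp": m["disp"], **fields}

def describe(entry):
    """Name the blocked traffic: ICMP type, or protocol and destination port."""
    if entry.get("PROTO") == "ICMP":
        t = entry.get("TYPE")
        return "ICMP echo-request (ping)" if t == "8" else f"ICMP type {t}"
    return f"{entry.get('PROTO')}/{entry.get('DPT')}"

def summarize_blocked(log_text):
    """Count DROP/REJECT entries per (source, destination, traffic description)."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["disp"] in ("DROP", "REJECT"):
            counts[(e.get("SRC"), e.get("DST"), describe(e))] += 1
    return counts

if __name__ == "__main__":
    for (src, dst, what), n in summarize_blocked(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src} -> {dst}  {what}")
```

Each row of the summary is a candidate for an explicit rule; restricting the source to the host that actually needs the access keeps the opening narrower than the whole zone.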
  