[mythtv-users] FYI: Firewall Settings to allow FE to BE connections [needed to allow pings]

Daniel Kristjansson danielk at cuymedia.net
Tue Dec 30 00:58:40 UTC 2008


On Mon, 2008-12-22 at 07:03 -0600, ctd at minneapolish3.com wrote:
> I just noticed something odd which I had not seen discussed anywhere,
> so I figured I would post here.
> 
> Recently I just added and have been setting up Shorewall on my mythtv
> backend.  I opened the needed ports (6543-TCP, 6544-TCP, 3306-TCP)
> mentioned in the mythtv documentation, but I still had issues
> connecting to the BE when my FE booted up.
> 
> I looked at my shorewall logs, and noticed these entries:
> Dec 21 14:01:41 mainserver Shorewall:net2all:DROP:IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.1.202 DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=3 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=10517 SEQ=1

Blocking ICMP has all kinds of nasty consequences besides blocking
pings. It can prevent you from connecting to any host that needs
to get "can't fragment" messages to you. I'm surprised that Shorewall
didn't give you a whole slew of warning messages before allowing you
to commit that mistake; it's exactly the type of common mistake that
utility is supposed to protect you from...

-- Daniel
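
Added example, not part of the original thread: a small Python check that scans Shorewall/netfilter log lines like the one quoted above and reports dropped ICMP messages that hosts normally depend on, including the "can't fragment" message (type 3, code 4). The function names, the ESSENTIAL_ICMP list, and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed watch list of ICMP (type, code) pairs, numbered as in RFC 792.
ESSENTIAL_ICMP = {
    (8, 0): "echo request (ping)",
    (3, 4): "fragmentation needed, DF set (path MTU discovery)",
    (11, 0): "time exceeded in transit",
}
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[A-Z]+):")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # bare flags such as "DF" carry no "="

def parse_line(line):
    """Return chain, action and KEY=value fields, or None if not a Shorewall line."""
    m = PREFIX.search(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD.findall(line[m.end():]):
        # Keep the first occurrence: the outer IP header comes first, so the
        # later ICMP ID= and any bracketed embedded packet do not overwrite it.
        fields.setdefault(key, value)
    return {"chain": m["chain"], "action": m["action"], **fields}

def dropped_essential_icmp(lines):
    """Count dropped or rejected ICMP messages on the watch list, per source."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["action"] not in ("DROP", "REJECT"):
            continue
        if rec.get("PROTO") != "ICMP" or "TYPE" not in rec or "CODE" not in rec:
            continue
        key = (int(rec["TYPE"]), int(rec["CODE"]))
        if key in ESSENTIAL_ICMP:
            hits[(rec["SRC"], ESSENTIAL_ICMP[key])] += 1
    return hits

SAMPLE_LOG = [
    # First line is the entry quoted in the thread; the rest are constructed.
    "Dec 21 14:01:41 mainserver Shorewall:net2all:DROP:IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.1.202 DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=3 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=10517 SEQ=1",
    "Dec 21 14:02:10 mainserver Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.200 LEN=576 TTL=64 ID=77 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.200 DST=10.0.0.5 LEN=1500 TTL=63 ID=1234 DF PROTO=TCP SPT=6543 DPT=40000 ] MTU=1400",
    "Dec 21 14:02:30 mainserver Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.200 LEN=60 TTL=64 ID=9 DF PROTO=TCP SPT=51000 DPT=23",
    "Dec 21 14:03:00 mainserver Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.1.202 DST=192.168.1.200 LEN=84 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=10518 SEQ=1",
]

if __name__ == "__main__":
    for (src, what), n in dropped_essential_icmp(SAMPLE_LOG).items():
        print(f"{src}: {n} dropped {what}")
```
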


