[mythtv-users] FYI: Firewall Settings to allow FE to BE connections [needed to allow pings]

[Michael T. Dean]

On 12/22/2008 08:03 AM, ctd wrote:
> I just noticed something odd which I had not seen discussed anywhere, 
> so i figured I would post here.
>
> Recently I just added and have been setting up Shorewall on my mythtv 
> backend.  I opened the needed ports (6543-TCP, 6544-TCP, 3306-TCP) 
> mentioned in the mythtv documentation, but I still had issues 
> connecting to the BE when my FE booted up.
>
> I looked at my shorewall logs, and noticed these entries:
> Dec 21 14:01:41 mainserver Shorewall:net2all:DROP:IN=eth0 OUT= 
> MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.1.202 
> DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=3 ID=0 DF PROTO=ICMP 
> TYPE=8 CODE=0 ID=10517 SEQ=1
> Dec 21 14:01:51 mainserver Shorewall:net2all:DROP:IN=eth0 OUT= 
> MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:X0 SRC=192.168.1.202 
> DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP 
> TYPE=8 CODE=0 ID=11029 SEQ=1
>
> After a little digging, it looks like my FE was attempting to ping 
> (PROTO=ICMP) my BE during the startup process.  The FE did not like 
> these packets being dropped and would give the "standard" cannot 
> connect to the BE message.
>
> I was able to overcome this by added this rule to /etc/shorewall/rules:
> Ping/ACCEPT   net    fw
>
> Anyone else running a firewall on their BE ever have to handle this?  
> I would assume that any BE that uses an IPTABLES based firewall would 
> need to do something similar?  Maybe the default setting is to allow 
> pings.
>
> Just curious.

There's also a setting you can specify  by selecting/unselecting the 
appropriate checkbox when asked at initial (database) setup or (once 
configured "incorrectly" by going into frontend settings under 
Settings|General on screen "Database Configuration 1/2":

Ping test server?
Test basic host connectivity using the ping command. Turn off if your 
host or network don't support ping (ICMP ECHO) packets

Mike