| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Multicast and NAT

Contributed by BenSmith
Published in geeklog Thursday, June 26 2003 @ 12:48 PM EST
Published in oldfaq 2002-Nov-28 21:23 dwelchATphoneboyDOTcom

Multicast packets aren't "routed" in the conventional sense. Multicast packets must either be tunneled in a unicast packet, which will get routed, or all the intermediary routers/firewalls must support multicast "routing," which is a bit like using a broadcast helper for DHCP/BOOTP packets.

FireWall-1 doesn't route packets, your host OS does. Your host OS needs to run some sort of multicast routing daemon in order to forward multicast packets.

However, FireWall-1 isn't entirely out of the picture here. On IPSO, at least, routed multicast packets are treated differently, as FireWall-1 isn't quite sure how to associate a given multicast packet with an interface, since it could potentially come from any interface. FireWall-1 treats this packet as coming from an "unknown" interface and drops it.

IPSO (Nokia/VPN-1 Appliance): You need modzap from Nokia Knowledge Base Resolution 1261. Then you can execute the following command and reboot your Nokia Application Platform:

    modzap _fw_allow_unknown_if $FWDIR/boot/modules/fwmod.o 0x1

Solaris: Add the following to /etc/system and reboot:

    set fw:fw_allow_unknown_if 0x1

HP/UX 9.x: Execute the following command and reboot the gateway:

    echo "fw_allow_unknown_if?W1" | adb -w /hp-ux

HP/UX 10 and 11: Execute the following command and reboot the gateway:

    echo "fw_allow_unknown_if?W1" | adb -w /stand/vmunix

AIX: Execute the following commands:

    fwstop
    echo "fw_allow_unknown_if/W 1" | adb -w $FWDIR/boot/modules/fwmod.4.x.o
    fwstart

NT: Check Point has not yet provided information on how to do this on NT.

-- RayLodato - 14 Jan 2004
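Because this setting relaxes FireWall-1's interface check, it is worth confirming which gateways actually carry it. The following is an added example, not part of the original FAQ: a shell function that reports what a Solaris /etc/system file assigns to fw:fw_allow_unknown_if. The function name unknown_if_setting is hypothetical, and the script assumes that comment lines start with * or #, that the last matching set line wins, and that a set line may also be written with an = sign.

```shell
# Added example (not from the FAQ): report what a Solaris /etc/system file
# assigns to fw:fw_allow_unknown_if. Prints enabled, disabled or unset.
unknown_if_setting() {
    file=${1:-/etc/system}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk '
        /^[ \t]*[*#]/ { next }                 # skip comment lines
        $1 == "set" {
            line = $0
            sub(/^[ \t]*set[ \t]+/, "", line)  # drop the "set" keyword
            if (line !~ /^fw:fw_allow_unknown_if([ \t=]|$)/) next
            sub(/^fw:fw_allow_unknown_if[ \t]*=?[ \t]*/, "", line)
            sub(/[ \t].*$/, "", line)          # keep only the value token
            if (line != "") value = line       # assumed: last entry wins
        }
        END {
            if (value == "") { print "unset"; exit }
            v = value
            sub(/^0[xX]/, "", v)               # accept 0x1 as well as 1
            sub(/^0+/, "", v)
            print (v == "" ? "disabled" : "enabled")
        }
    ' "$file"
}

# Constructed sample input: one commented-out entry, one active entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
* set fw:fw_allow_unknown_if 0x0
set fw:fw_allow_unknown_if 0x1
EOF
echo "sample: $(unknown_if_setting "$sample")"
rm -f "$sample"
```

The file only takes effect at boot, so the result describes the next reboot rather than the running kernel.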