How can I allow IGMP-traffic in Firewalld?

So I've been chasing my tail on this exact same issue, and I stumbled across a bug report filed against firewalld for enabling IGMP during application install. (Credit to the OP here: https://bugzilla.redhat.com/show_bug.cgi?id=1048947)

In it, the author was kind enough to provide a workaround that does what we need:

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p igmp -j ACCEPT

Until (or if) a feature is added for enabling IGMP communication in another way, it seems the Direct interface is the best way to apply such rule changes.

Official documentation on the direct interface: https://fedoraproject.org/wiki/FirewallD#Direct_options


As an alternative to a direct rule, IGMP traffic can also be accepted with either --add-protocol=igmp (if your firewall-cmd version already supports it) or with the help of a rich rule.

For firewall-cmd versions already supporting --add-protocol=protocol:

firewall-cmd --permanent \
             --zone=YOUR-ZONE \
             --add-protocol=igmp

firewall-cmd --reload

For previous firewall-cmd versions without support for --add-protocol=protocol:

firewall-cmd --permanent \
             --zone=YOUR-ZONE \
             --add-rich-rule='rule protocol value="igmp" accept'

firewall-cmd --reload

This results in the following iptables/netfilter rule:

-A IN_YOUR-ZONE_allow -p igmp -m conntrack --ctstate NEW -j ACCEPT
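The following script is an added example and is not code from either answer above. It ties the two approaches together: it picks --add-protocol=igmp when the installed firewall-cmd advertises that option and falls back to the rich rule otherwise, then checks iptables-save output for the resulting rule. Assumptions not stated on the page: firewall-cmd lists --add-protocol in its --help output when it supports it, and firewalld places direct INPUT rules in a chain named INPUT_direct (the IN_<zone>_allow chain name comes from the answer above). The help text and iptables-save lines used when firewalld is absent are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original answers.
# Assumptions: `firewall-cmd --help` mentions --add-protocol when the option is
# supported; the per-zone chain is IN_<zone>_allow (as in the answer above) and
# firewalld puts direct INPUT rules into INPUT_direct.

# Decide which form to use: "protocol" for --add-protocol=igmp, "rich" for the
# rich-rule fallback. $1 is the text of `firewall-cmd --help`, passed in as an
# argument so the decision can be exercised on a box without firewalld.
igmp_mode() {
    if printf '%s\n' "$1" | grep -q -- '--add-protocol'; then
        echo protocol
    else
        echo rich
    fi
}

# Run the matching firewall-cmd invocation for zone $1 in mode $2, then reload
# so the permanent rule becomes active.
igmp_apply() {
    zone=$1
    case $2 in
        protocol) firewall-cmd --permanent --zone="$zone" --add-protocol=igmp ;;
        rich)     firewall-cmd --permanent --zone="$zone" \
                      --add-rich-rule='rule protocol value="igmp" accept' ;;
        *)        echo "unknown mode: $2" >&2; return 2 ;;
    esac && firewall-cmd --reload
}

# Read iptables-save output on stdin and succeed if IGMP is accepted for zone
# $1, either through the zone's allow chain or through a direct rule in
# INPUT_direct (assumed chain name for firewalld direct rules).
igmp_rule_present() {
    grep -Eq "^-A (IN_${1}_allow|INPUT_direct) -p igmp .*-j ACCEPT$"
}

# Constructed sample inputs so the functions above can be checked offline.
HELP_NEW='  --add-protocol=<protocol>  Add a protocol for a zone'
HELP_OLD='  --add-port=<portid>[-<portid>]/<protocol>  Add a port for a zone'
SAMPLE_RULES='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p igmp -m conntrack --ctstate NEW -j ACCEPT'

if command -v firewall-cmd >/dev/null 2>&1; then
    # Live path: apply to the default zone and verify the rule landed.
    zone=$(firewall-cmd --get-default-zone)
    mode=$(igmp_mode "$(firewall-cmd --help 2>&1)")
    echo "using mode '$mode' for zone '$zone'"
    igmp_apply "$zone" "$mode"
    iptables-save | igmp_rule_present "$zone" && echo "IGMP accepted in zone $zone"
else
    # Offline path: exercise the decision and the check on the constructed samples.
    echo "mode with new firewall-cmd: $(igmp_mode "$HELP_NEW")"
    echo "mode with old firewall-cmd: $(igmp_mode "$HELP_OLD")"
    printf '%s\n' "$SAMPLE_RULES" | igmp_rule_present public \
        && echo "sample rules accept IGMP in zone public"
fi
```

Run it as root on the host in question; on a machine without firewall-cmd it only exercises the selection and verification logic against the embedded samples. Probing --help is deliberately preferred over comparing version numbers, since distributions backport options and the version string does not reliably tell you what the binary accepts.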

Tags:

Firewalld