From patchwork Tue Apr 25 18:40:09 2023
X-Patchwork-Submitter: Stefan Schantl
X-Patchwork-Id: 6814
From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH] firewall: Allow traffic from multicast networks
Date: Tue, 25 Apr 2023 20:40:09 +0200
Message-Id: <20230425184009.3674-1-stefan.schantl@ipfire.org>

The multicast network segment 224.0.0.0/4 is used for a lot of different services provided by the local ISPs (IPTV etc.).

We have to allow traffic from these networks when using one of the BOGON blocklists in order to get those ISP services still accessible.

https://www.iana.org/assignments/multicast-addresses/multicast-addresses.xhtml

Fixes 13092.

Signed-off-by: Stefan Schantl Reviewed-by: Michael Tremer --- config/firewall/rules.pl | 1 + 1 file changed, 1 insertion(+) diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 6c08feb86..7edb910e2 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -55,6 +55,7 @@ my @PRIVATE_NETWORKS = ( "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", + "224.0.0.0/4", ); # MARK masks
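
Review bot: the added "224.0.0.0/4" entry in @PRIVATE_NETWORKS needs a comment, because multicast is not a private range like the RFC 1918 and 100.64.0.0/10 entries around it, and a later reader of the list will not know it is there for the BOGON blocklist case named in the commit message (Fixes 13092). The array is shared, so every rule built from @PRIVATE_NETWORKS now treats multicast as private; the hunk shows only the list itself, so please confirm that this is wanted for all of its users, or keep the range in a separate list that only the blocklist exemption reads. Also check the match direction: the commit message speaks of traffic "from" these networks, but addresses in 224.0.0.0/4 normally appear as a packet's destination, so a source-only match would not cover the IPTV streams.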