I'm trying to develop a discovery procedure based on how a 3rd party device works... For discovery, I need to do a UDP broadcast to a specific port, and in turn all of the devices out there, will send a UDP response from that port, back to the (ephemeral) source port from the original broadcast.
For example:
192.168.1.149:port --> 255.255.255.255:9999
192.168.1.149:port <-- 192.168.1.130:9999
How do I configure firewalld to enable such behaviour?
Thanks Fulko
On Fri, Oct 09, 2020 at 11:24:53PM -0400, Fulko Hew wrote:
> I'm trying to develop a discovery procedure based on how a 3rd party device works... For discovery, I need to do a UDP broadcast to a specific port, and in turn all of the devices out there, will send a UDP response from that port, back to the (ephemeral) source port from the original broadcast.
> For example:
> 192.168.1.149:port --> 255.255.255.255:9999
> 192.168.1.149:port <-- 192.168.1.130:9999
> How do I configure firewalld to enable such behaviour?
There are two options:
1) source ports
You can accept anything from UDP source port 9999.
# firewall-cmd --add-source-port 9999/udp
2) conntrack helpers
Disclaimer: this is a lot of effort.
You would have to develop a userspace conntrack helper for Linux connection tracking. I have no idea how to do this.
Then for firewalld you can use the conntrack helper:
2a) Create helper definition. See man page firewalld.helper.
2b) Use the helper from a new service definition. See man page firewalld.service.
2c) Use the new service in a policy (e.g. HOST --> ANY) - policy objects are new, but allow using services on the OUTPUT or FORWARD chains
If #1 works, then use that. #2 is a ton of work and I don't really have any advice for it.
Hope that helps. Eric.
firewalld-users@lists.fedorahosted.org
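A note on why the replies are dropped in the first place, and an added example that is not part of the thread above: conntrack records the outgoing probe as 192.168.1.149:port -> 255.255.255.255:9999, so the expected reply would have to come from 255.255.255.255. A datagram from 192.168.1.130:9999 does not match that reverse tuple, is classified as a NEW flow, and is rejected by the zone's default policy. The source-port rule Eric suggests (`firewall-cmd --add-source-port=9999/udp`) accepts every UDP datagram whose source port is 9999 to any port on the host, and it only changes the runtime configuration; repeat it with `--permanent` (or run `firewall-cmd --runtime-to-permanent`) so it survives a reload, and add it in the zone of the LAN interface rather than a zone that also covers untrusted interfaces. Because anyone on the segment can send from source port 9999, the discovery client itself should check that a reply came from the service port and carries the expected payload. The script below, written for this page (not the device vendor's or firewalld's code), shows the exchange from both sides: a simulated device that answers probes from the port it listens on, an optional "rogue" variant that answers from an ephemeral port, and a discoverer that probes from an ephemeral port and keeps only properly sourced replies. The payloads `DISCOVER?` and `DEVICE <name>` are constructed for the example; the page does not describe the real device protocol. The demo runs on loopback; against real devices you would send to 255.255.255.255 port 9999 with the firewalld rule in place.

```python
import socket
import threading
import time

# Constructed for this example: the page does not describe the device's payloads,
# only that replies come from the device's port 9999 back to the probe's source port.
PROBE = b"DISCOVER?"
REPLY_PREFIX = b"DEVICE "


def start_fake_device(bind_addr, port, name, spoof_source_port=False):
    """Simulate a third-party device listening on `port` (0 = pick a free one).

    An honest device answers from the socket it listens on, so the reply's
    source port equals `port`. With spoof_source_port=True it answers from a
    fresh ephemeral socket instead; such a reply would not match the firewalld
    source-port rule and is likewise dropped by discover() below.
    Returns (stop_event, actual_port).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((bind_addr, port))
    listener.settimeout(0.1)
    actual_port = listener.getsockname()[1]
    stop = threading.Event()

    def serve():
        with listener:
            while not stop.is_set():
                try:
                    data, peer = listener.recvfrom(1024)
                except socket.timeout:
                    continue
                if data != PROBE:
                    continue
                if spoof_source_port:
                    # Reply from a different socket: wrong source port, as a rogue host might.
                    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as other:
                        other.sendto(REPLY_PREFIX + name, peer)
                else:
                    listener.sendto(REPLY_PREFIX + name, peer)

    threading.Thread(target=serve, daemon=True).start()
    return stop, actual_port


def discover(dest, port, timeout=1.0):
    """Send one probe from an ephemeral port and collect replies for `timeout` seconds.

    Only datagrams whose source port is `port` and whose payload carries the
    expected prefix are accepted, mirroring what the firewalld rule lets in.
    Returns {ip: name}.
    """
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind(("0.0.0.0", 0))          # ephemeral source port, as in the question
        s.settimeout(0.2)
        s.sendto(PROBE, (dest, port))
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                data, (ip, sport) = s.recvfrom(1024)
            except socket.timeout:
                continue
            if sport != port or not data.startswith(REPLY_PREFIX):
                continue                # wrong source port or unknown payload: ignore
            found[ip] = data[len(REPLY_PREFIX):].decode("ascii", "replace")
    return found


if __name__ == "__main__":
    # Offline demo on loopback; on a LAN use dest="255.255.255.255" and port 9999.
    stop, p = start_fake_device("127.0.0.1", 0, b"sensor-1")
    print(discover("127.0.0.1", p, timeout=0.5))
    stop.set()
```

The `sport != port` check is the application-level twin of the firewalld rule: the firewall only admits datagrams from source port 9999, and the client only believes datagrams from source port 9999 that parse as a device reply. Neither check authenticates the device, since any host on the segment can bind port 9999, so treat discovery results as hints to be confirmed over whatever authenticated channel the device offers.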