On Fri, Oct 09, 2020 at 11:24:53PM -0400, Fulko Hew wrote:
I'm trying to develop a discovery procedure based on how a 3rd party device works...
For discovery, I need to do a UDP broadcast to a specific port, and in turn
all of the devices out there, will send a UDP response from that port, back
to the (ephemeral) source port from the original broadcast.
For example:
192.168.1.149:port --> 255.255.255.255:9999
192.168.1.149:port <-- 192.168.1.130:9999
How do I configure firewalld to enable such behaviour?
There are two options:
1) source ports
You can accept anything from UDP source port 9999.
# firewall-cmd --add-source-port 9999/udp
2) conntrack helpers
Disclaimer: this is a lot of effort.
You would have to develop a userspace conntrack helper for linux
connection tracking. I have no idea how to do this.
Then for firewalld you can use the conntrack helper:
2a) Create helper definition. See man page
firewalld.helper.
2b) Use the helper from a new service definition. See man page
firewalld.service.
2c) Use the new service in a policy (e.g. HOST --> ANY)
- policy objects are new, but allow using services on the
OUTPUT or FORWARD chains
If #1 works, then use that. #2 is a ton of work and I don't really have
any advice for it.
Hope that helps.
Eric.
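The exchange described in the question, as an added example that is not part of the original thread and not code from firewalld or the device vendor: a loopback model of the discovery round trip, with a responder bound to the service port and a discoverer sending from an OS-chosen ephemeral port. It also contrasts the two filtering views from Eric's reply: option 1 (`--add-source-port 9999/udp`) accepts any datagram whose UDP source port is 9999 whatever its destination port, while a conntrack-style match (option 2) would additionally require the reply to land on the ephemeral port of a request that is actually pending. The payloads, the `127.0.0.1` target (instead of `255.255.255.255`) and the helper names are constructed for the demo and are assumptions, not the real device protocol.

```python
"""Loopback model of the UDP broadcast discovery exchange (added example)."""
import socket
import threading

# Constructed example payloads; the real device protocol is not on the page.
DISCOVER_REQ = b"DISCOVER"
DISCOVER_RESP = b"HERE"


def responder(sock, stop):
    """Device side: answer each request from the bound service port,
    back to whatever (ip, ephemeral_port) the request came from."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, addr = sock.recvfrom(1024)
        except socket.timeout:
            continue
        if data == DISCOVER_REQ:
            sock.sendto(DISCOVER_RESP, addr)


def discover(dest, service_port, timeout=1.0):
    """Host side: send one request from an ephemeral port and collect every
    reply until the timeout. Returns (ephemeral_port, [(payload, (ip, src_port)), ...])."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)  # needed for 255.255.255.255
    s.bind(("", 0))  # port 0: the OS picks the ephemeral source port
    s.settimeout(timeout)
    ephemeral_port = s.getsockname()[1]
    s.sendto(DISCOVER_REQ, (dest, service_port))
    replies = []
    try:
        while True:
            replies.append(s.recvfrom(1024))
    except socket.timeout:
        pass  # no more devices answering
    finally:
        s.close()
    return ephemeral_port, replies


def source_port_rule_accepts(src_port, dst_port, service_port):
    """Option 1 from the reply: firewalld --add-source-port <service_port>/udp.
    Only the UDP source port is inspected; the destination port is irrelevant."""
    return src_port == service_port


def stateful_accepts(src_port, dst_port, service_port, pending_ports):
    """Option 2 in spirit: a conntrack helper would only let a reply through if
    it comes from the service port AND targets the ephemeral port of a request
    this host actually sent (pending_ports is the set of such ports)."""
    return src_port == service_port and dst_port in pending_ports


def run_loopback_demo(service_port=9999):
    """Run responder and discoverer against 127.0.0.1 and report which replies
    each filtering approach would accept. Pass 0 to let the OS pick the service port."""
    rsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rsock.bind(("127.0.0.1", service_port))
    service_port = rsock.getsockname()[1]
    stop = threading.Event()
    t = threading.Thread(target=responder, args=(rsock, stop), daemon=True)
    t.start()
    try:
        ephemeral_port, replies = discover("127.0.0.1", service_port, timeout=0.5)
    finally:
        stop.set()
        t.join()
        rsock.close()
    pending = {ephemeral_port}
    return {
        "service_port": service_port,
        "ephemeral_port": ephemeral_port,
        "replies": replies,
        "accepted_by_source_port_rule": [
            r for r in replies if source_port_rule_accepts(r[1][1], ephemeral_port, service_port)
        ],
        "accepted_by_stateful_match": [
            r for r in replies if stateful_accepts(r[1][1], ephemeral_port, service_port, pending)
        ],
    }


if __name__ == "__main__":
    result = run_loopback_demo()
    print(f"request sent from ephemeral port {result['ephemeral_port']}")
    for payload, (ip, port) in result["replies"]:
        print(f"  reply {payload!r} from {ip}:{port}")
    # A datagram forged with source port 9999 aimed at an unrelated local
    # service (e.g. dst 53) passes the source-port rule but not the stateful match.
    print("spoofed 9999->53 passes source-port rule:",
          source_port_rule_accepts(9999, 53, 9999))
    print("spoofed 9999->53 passes stateful match:",
          stateful_accepts(9999, 53, 9999, {result["ephemeral_port"]}))
```

To run it against real devices, replace `"127.0.0.1"` with `"255.255.255.255"` in the `discover()` call and keep the service port at 9999; the two accept functions then tell you, per reply, whether the simple `--add-source-port` rule is enough for your traffic or whether the stricter reply-to-request matching that a helper would provide is what you actually want.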