Well these 224.0.0.x multicasts aren't coming in - they're going OUT from WinXP and Win2K3 boxes here, but being blocked because of port 0 (unknown port). Class D I thought was NASA? Guess I was wrong - but it appears to be routeable? Where is this going? What's broadcasting it? Any ideas? Thanks a million for all your help!
An excerpt from the "Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference" book:
quote:IP multicast provides an efficient one-to-many delivery service. To achieve one-to-many delivery using IP unicast traffic, each datagram needs to be sent multiple times. To achieve one-to-many delivery using IP broadcast traffic, a single datagram is sent, but all nodes process it, even those that are not interested. Broadcast delivery service is unsuitable for internetworks, as routers are designed to prevent the spread of broadcast traffic. With IP multicast, a single datagram is sent and forwarded across routers only to the network segments containing nodes that are interested in receiving it.
Historically, IP multicast traffic has been little utilized. However, recent developments in audio and video teleconferencing, distance learning, and data transfer to a large number of hosts have made IP multicast traffic more important.
All multicast traffic is sent to a class D address in the range 224.0.0.0 through 239.255.255.255 (224.0.0.0/4). All traffic in the range 224.0.0.0 through 224.0.0.255 (224.0.0.0/24) is for the local subnet and is not forwarded by routers. Multicast-enabled routers forward multicast traffic in the range 224.0.1.0 through 239.255.255.255 with an appropriate Time to Live (TTL).
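As an added example (not part of the original posts or the quoted book), the sketch below sorts denied firewall log entries by the multicast scopes the excerpt describes, so local-subnet multicast can be told apart from routable multicast and ordinary unicast. The four-field log format and the sample lines are constructed for illustration and are not ISA Server's log format.

```python
import ipaddress
from collections import Counter

MULTICAST = ipaddress.ip_network("224.0.0.0/4")      # class D, all multicast
LOCAL_SUBNET = ipaddress.ip_network("224.0.0.0/24")  # never forwarded by routers


def multicast_scope(addr):
    """Classify an address as local-subnet multicast, routable multicast, or neither."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4 or ip not in MULTICAST:
        return "not-multicast"
    return "local-subnet" if ip in LOCAL_SUBNET else "routable"


# Constructed sample log (assumed format): action, source, destination, protocol
SAMPLE_LOG = """\
DENIED 192.168.1.20 224.0.0.22 IGMP
DENIED 192.168.1.21 224.0.0.22 IGMP
DENIED 192.168.1.20 224.0.0.252 UDP
DENIED 192.168.1.30 239.255.255.250 UDP
DENIED 192.168.1.40 203.0.113.9 TCP
ALLOWED 192.168.1.20 198.51.100.7 TCP
"""


def summarize_denied(log_text):
    """Count denied entries per (scope, destination, protocol)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "DENIED":
            continue  # skip allowed traffic and malformed lines
        _, _src, dst, proto = fields
        try:
            scope = multicast_scope(dst)
        except ValueError:
            scope = "unparseable"  # destination field is not an IP address
        counts[(scope, dst, proto)] += 1
    return counts


if __name__ == "__main__":
    for (scope, dst, proto), n in summarize_denied(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {scope:14s} {dst:16s} {proto}")
```

Entries that land in the `local-subnet` bucket are the ones a router would not forward anyway; the other buckets are where a denied entry is worth a closer look before any non-logging rule is considered.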
From: fort frances.on.ca
Shawn, Looks like Stefaan answered your question about multicast. My comment about "shit coming at you from the outside" was not intended to suggest that the multicast was coming from the outside. I did read your comment "(source is Internal)".
It was a general comment, hence my use of the term "Basically", that I subscribe to and not just from outside to inside. You should not be opening up traffic you do not have good reason to, especially when you do not fully understand what the traffic is and does.
I still don't understand your inclination and joy in being able to ping. Ping is EVIL and should be blocked. That is why MS buried it in the system policy!
You seem to be driven by a desire to eliminate as much of the last "default" rule blocked entries in your log, as if they are a bad thing. They are not bad, but rather GOOD... evidence that the firewall is doing what it is intended to do. After you have the firewall working the way you want, if you are wanting to reduce the log entries, you can define a "Next to Last" deny rule that does not log, and enable/disable it as needed. Before anyone thinks about flaming me for the suggestion, I do understand the implication of not logging. To each his own.
As far as I see - you both have stars! and I'll add to that! I like the idea about dropping the logging as a next to last rule - good suggestion. As for pinging - how else do you troubleshoot cheap connections!??! When you can get a 6mbps / 768kbps for $100 a month (or soon to be 15mbps / 2mbps for $50 from a competitor) - I have to be able to do traceroutes and pings to see what's going on and why things just don't work. The days of spending $2000 a month for a T1 line which worked 99% of the time are over. Now it's $100 a month and at least once or twice a month things aren't working up to par... it's the price of speed these days!
True - Ping is just ping for a heartbeat - and yes - I do have some connectivity verifiers already running. But traceroutes rely on pings thus the two go together, and when trying to isolate a problem - one needs to trace where the problem is coming from.
Stefaan, I'm all set - all is working well now. I've got some other issues, but I'm going on vacation on Tuesday for 12 days - and I've got Tom's new book for ISA2K4, so I'm going to study it a little bit to see if I can figure them out before I post anything else. Thanks again, Shawn