IGMP outbound filtering not working

[dbradley14620]

I've got a Windows 2008 R2 server with Firewall with Advanced Security configured with an outbound rule configured, in all policies, to block all IGMP traffic. I've deleted all but this one rule from the outbound list. When I run software, on this host, that joins a multicast group, I still see the IGMP membership packet leaking out onto the network. It's just plain not working. If I go back to the rule and change the protocol to something else, like ICMP, it works like a charm. No leakage of said protocol.

So what's special about IGMP? Help!!!

Thanks.

Regards,
Dave

 

[dogbert2]

If you run software which by definition joins a multicast group, it will have to use IGMP in order to function properly (otherwise, the software simply will not work).

 

[dbradley14620]

Correct. We have customers that lease these systems from us. Sort of a "cloud", but not quite. They don't have administative rights. We have multicast services that the customer can pay for and subscribe to. However, if they haven't paid, then their IGMP joins should be blocked by rules on the host. Ideally we would be able to filter IGMP membership reports upstream at a L2 switch, but, because of our unique (and currently deficient) design, we are forced to do the filtering at the host level. Hopefully this is short term. In the meantime, I have to find a Windows solution. iptables does the job for our Linux offerings and works without issue. Our Windows offering is Windows 2008 R2, which comes with this firewall. I figured it would just work, and it does, except for IGMP outbound traffic, for some reason.

Thanks for your response.

Regards,
Dave

 

[dogbert2]

IGMP uses the Class D multicast IP address of 224.0.0.22, blocking outbound traffic for this IP should effectively disable traffic at the host level. More effective filtering could be done at the switch or outbound router.