[SOLVED] UPnP and Shorewall Firewall



Postby rc10b » Mar 10th, '12, 13:56

I'm running a Humax HDR set-top box and using it as a UPnP (DLNA) server so that I can watch TV recordings on my PC in another room. I'm using VLC, with the UPnP plugin, as the client. This set-up only works if I disable the Personal Firewall via MCC, i.e. tick the box for "Everything(no firewall)". If I just enable the firewall by removing the tick from the box, with only the default options set, VLC cannot see my Humax UPnP server, so there is something that is blocking the UPnP port/s (?) just by enabling the default firewall.

I've taken a look at the theory of iptables but I find it difficult to grasp how to safely use them and I don't want to "re-invent the wheel" of how Shorewall is set up in Mageia, I just want to enable UPnP on my home network. I have examined the iptables with and without the firewall enabled, and with the default firewall enabled there are two entries for UPnP, which are associated with the DROP command, so it looks like they could be changed ?

I've tried opening ports in the advanced settings but all to no avail.

As I would still like to have a basic firewall enabled, can anybody suggest how the basic "enabling" settings of Shorewall can be changed to open the UPnP ports ?

Note: I have exactly the same problem if I use XBMC as the client.

TIA,
Steve
Last edited by rc10b on Mar 17th, '12, 17:32, edited 1 time in total.
rc10b
 
Posts: 70
Joined: Mar 30th, '11, 12:07
Location: UK - Hampshire

Re: UPnP and Shorewall Firewall

Postby doktor5000 » Mar 10th, '12, 14:37

rc10b wrote: I've taken a look at the theory of iptables but I find it difficult to grasp how to safely use them and I don't want to "re-invent the wheel" of how Shorewall is set up in Mageia, I just want to enable UPnP on my home network. I have examined the iptables with and without the firewall enabled, and with the default firewall enabled there are two entries for UPnP, which are associated with the DROP command, so it looks like they could be changed ?

I've tried opening ports in the advanced settings but all to no avail.


Uhmm, which ports/protocol did you try to open? You should at least open 1900/UDP and 2869/TCP.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 18054
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: UPnP and Shorewall Firewall

Postby rc10b » Mar 10th, '12, 14:55

I have tried a blanket approach of opening ports with the advanced option, hoping that I might be able to use a binary approach to narrow the possibilities, e.g. 1:9000/udp 1:9000/tcp, but UPnP is still blocked. I tried just the ports that you suggested but no go.

Re: UPnP and Shorewall Firewall

Postby rc10b » Mar 10th, '12, 17:27

Some progress.
By using this command:
lsof -i
I can see the ports associated with vlc when the firewall is not enabled.
I get this output after vlc is launched and Universal Plug'n'Play is selected under Local Network in the Playlist:
vlc       22991 steve   10u  IPv4 389114      0t0  TCP *:49152 (LISTEN)
vlc       22991 steve   11u  IPv4 389115      0t0  UDP localhost.localdomain:xxxxx
vlc       22991 steve   12u  IPv4 389116      0t0  UDP *:yyyyy
vlc       22991 steve   13u  IPv4 389117      0t0  UDP *:1900
where the xxxxx and yyyyy ports are different every time that vlc is launched. So far these ports have always been between 30000 and 60000, so I entered this
30000:60000/udp
in the advanced option of the firewall configuration in mcc, and I can now consistently see my Humax server with the firewall enabled. This is the only change that I have made to the default settings. I have not needed to specifically open ports 49152/tcp nor 1900/udp.

I'm not happy about opening such a wide range of ports, but maybe someone with better knowledge of firewalls could comment on whether I am compromising my security by doing this?
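The post above reads the `lsof -i` output by eye to find which sockets VLC opens and then guesses a port range to open. The following script is an added example, not code from the thread or from VLC/Mageia: it parses `lsof -i` lines, separates the sockets that actually need a firewall rule from loopback-bound ones (traffic on `lo` never crosses the firewall's external interface), and computes the tightest `lo:hi/udp` range covering the ephemeral ports observed over several launches, so the range opened in the MCC advanced box can be narrowed down and its size compared with the 30000:60000 range the post used. The sample output is constructed here: the 1900/udp and 49152/tcp entries mirror the post, while the ephemeral port numbers, the extra launches and the `sshd` line are made-up values. Running `lsof -i -P -n` on a real box keeps ports and hosts numeric, which is what the regex expects.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample, modelled on the `lsof -i` output quoted in the thread.
# The vlc lines mirror the post (1900/udp, 49152/tcp); the two ephemeral
# ports and the sshd line are made-up values for illustration.
SAMPLE_LSOF = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
vlc       22991 steve   10u  IPv4 389114      0t0  TCP *:49152 (LISTEN)
vlc       22991 steve   11u  IPv4 389115      0t0  UDP localhost.localdomain:41022
vlc       22991 steve   12u  IPv4 389116      0t0  UDP *:53871
vlc       22991 steve   13u  IPv4 389117      0t0  UDP *:1900
sshd       1234  root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
"""

Socket = namedtuple("Socket", "command pid proto host port state")

# One `lsof -i` line: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<host>\S+):(?P<port>\S+?)(?:\s+\((?P<state>\w+)\))?\s*$"
)

# Sockets bound here are only reachable from the machine itself.
LOOPBACK = {"localhost", "localhost.localdomain", "127.0.0.1", "[::1]"}


def parse_lsof(text):
    """Turn `lsof -i` output into Socket records; header/non-IP lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        port = m.group("port")
        sockets.append(Socket(m.group("cmd"), int(m.group("pid")), m.group("proto"),
                              m.group("host"), int(port) if port.isdigit() else port,
                              m.group("state")))
    return sockets


def bound_ports(sockets, command, external_only=True):
    """Ports `command` has bound, grouped by protocol. Loopback-bound sockets are
    skipped by default because they need no rule on the external interface."""
    ports = defaultdict(set)
    for s in sockets:
        if s.command != command:
            continue
        if external_only and s.host in LOOPBACK:
            continue
        ports[s.proto].add(s.port)
    return dict(ports)


def port_class(port):
    """IANA ranges: 0-1023 well-known, 1024-49151 registered, 49152-65535 dynamic."""
    if port < 1024:
        return "well-known"
    if port < 49152:
        return "registered"
    return "dynamic"


def ephemeral_ports(ports_by_proto, proto="UDP"):
    """The ports the client picked at random: everything except the fixed SSDP
    port 1900 and any well-known port."""
    return {p for p in ports_by_proto.get(proto, set())
            if isinstance(p, int) and port_class(p) != "well-known" and p != 1900}


def narrowed_range(observations):
    """Tightest lo:hi range covering the ephemeral ports seen on every launch."""
    seen = set().union(*observations)
    return (min(seen), max(seen))


def drakfirewall_rule(lo, hi, proto="udp"):
    """The syntax accepted by the MCC firewall 'advanced' box, e.g. 30000:60000/udp."""
    return f"{lo}:{hi}/{proto}"


def exposure(lo, hi):
    """How many ports an inclusive range actually opens."""
    return hi - lo + 1


if __name__ == "__main__":
    socks = parse_lsof(SAMPLE_LSOF)
    vlc = bound_ports(socks, "vlc")
    print("vlc ports that need a rule:", vlc)
    # Constructed: ephemeral UDP ports seen on three separate launches.
    runs = [ephemeral_ports(vlc), {34410}, {58120}]
    lo, hi = narrowed_range(runs)
    print(drakfirewall_rule(lo, hi), "opens", exposure(lo, hi), "ports;",
          "30000:60000/udp opens", exposure(30000, 60000))
```

A range narrowed from a handful of launches is only as good as the sample: the kernel draws ephemeral ports from the interval in `/proc/sys/net/ipv4/ip_local_port_range`, so compare the narrowed range against that file before relying on it, and keep the loopback-only sockets (the `localhost.localdomain:xxxxx` line in the post) out of the rule altogether.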

Re: UPnP and Shorewall Firewall

Postby doktor5000 » Mar 10th, '12, 22:56

Well, client ports are always dynamically chosen. Maybe your router allows for automatic port-forwarding via UPnP?
So that VLC or XBMC will automatically open the ports it needs? What router are you using?

Re: UPnP and Shorewall Firewall

Postby rc10b » Mar 10th, '12, 23:41

I've assumed that port-forwarding is specific to allowing access from the Internet ? I thought I could use UPnP from within my internal network without port-forwarding, or am I mistaken about this function ?

I've had a quick look at my router's port-forwarding capabilities and in the Port Forwarding section UPnP is already enabled. My router is made by my ISP here in the UK, British Telecom. It has a long list of games and applications that are supported for port-forwarding but none seem relevant for what I need. If you can convince me that this process is relevant ;) I will investigate further, as it's possible to add user defined applications.

Thanks for your ideas so far.

Re: UPnP and Shorewall Firewall

Postby doktor5000 » Mar 10th, '12, 23:47

Dumb me, allowing the router to be auto-configured via UPnP doesn't solve your problem with the Mageia Firewall :oops:
I'll think about that after rereading the whole thread, but that will probably not happen until tomorrow.

But anyways, if your router has an SPI-Firewall, there's not much use for another firewall on your desktop systems.
Could you please look for a model number of that router? It should be underneath it; there's often a type plate/sticker.

Re: UPnP and Shorewall Firewall

Postby rc10b » Mar 10th, '12, 23:55

It's a BTHomeHub 2.0, thanks again.

Re: UPnP and Shorewall Firewall

Postby doktor5000 » Mar 11th, '12, 15:40

Well, I didn't find any relevant/detailed information in its user guide; it doesn't even mention whether that thing has a firewall or not :x
Could you please tell which model your Humax UPnP server is?

Re: UPnP and Shorewall Firewall

Postby rc10b » Mar 11th, '12, 19:50

It's a Humax HDR-Fox T2, (Freeview, not Freesat), although I doubt you'll find much information in that manual either, if that's what you intend. The ability to stream (DLNA) video from the Humax to a client has been enabled by the latest software update (last year) and is just a matter of enabling it through a single menu option in the settings.

Re: UPnP and Shorewall Firewall

Postby doktor5000 » Mar 11th, '12, 20:09

Well, normally you would only need to allow the outgoing access to the UPnP server, which would be the 1900/UDP and 2869/TCP ports as mentioned already.

If incoming transfers via dynamic client ports (above port 1024; below that are the "well-known ports" used for system stuff) are blocked, as your findings seem to indicate, that would be bad behaviour of the firewall implementation IMHO, as it would be initiated by an outgoing connection, which shouldn't be blocked.
But I can't really tell, as I always disable the firewall: a personal firewall usually makes no sense if you're behind a router with a working SPI firewall. Normally the only use case for such personal firewalls would be to disallow programs to "phone home" or to block "portscanning" types of attacks on your local network.

Re: UPnP and Shorewall Firewall

Postby rc10b » Mar 11th, '12, 21:17

I'm coming round to your way of thinking about the use of firewalls behind routers but my original intention of posting this issue was to try and get a better understanding of the Mageia firewall implementation and hope that someone would be able to explain how to modify things(?) to allow vlc to work with the firewall enabled.
I tend to agree with YHO (your humble opinion ;) ) and I'm contemplating raising a bug but I'm not sure which package to raise it against, my dilemma is that MCC allows a user to modify shorewall, via the security GUI, which in turn modifies the iptables. Do you think that it should be MCC as it is the use of this that initiates the issue ?

Re: UPnP and Shorewall Firewall

Postby doktor5000 » Mar 11th, '12, 21:40

Well, it SHOULD be enough to open ports 1900/UDP and 2869/TCP to allow vlc to work with the firewall enabled.

For the explanation: iptables is the low-end kernel packet filter, shorewall is a high-level tool to manage iptables more easily, and drakfirewall is just the graphical user interface to shorewall.

If you want to raise a bug, it should be on drakfirewall, which is contained in the package drakx-net-text, but this may become a problem as the firewall would need to be completely interactive for this, and that would be rather hard to implement.

Also by taking a look at viewtopic.php?p=13367#p13367
it seems Mageia's iptables settings let it drop/reject UPnP packets coming in at port 1900 udp:
-A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
[...]
-A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
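The post above explains the layering (drakfirewall drives shorewall, which writes iptables rules) and quotes two generated rules that drop 1900/udp in the `Drop` and `Reject` chains. The script below is an added example, not code from the thread, from Shorewall or from Mageia: it parses a ruleset in the format that `iptables --list-rules` (the command mentioned later in the thread, equivalent to `iptables -S`) prints, and then traces one inbound packet through `INPUT` the way the kernel would, including jumps into user-defined chains, `RETURN` semantics and the chain policy, so you can check where a given protocol/port is dropped or accepted without reading the whole listing by hand. The ruleset is constructed: the two `--comment UPnP` lines are the ones quoted above, while the policies, the `INPUT` chain and the 30000:60000/udp opening are made-up stand-ins for what drakfirewall might generate, not a real Mageia dump.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed ruleset in `iptables -S` / `iptables --list-rules` format. The two
# `--comment UPnP` lines are quoted from the thread; everything else is made up
# for illustration (including the 30000:60000/udp opening the poster added).
SAMPLE_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N Drop
-N Reject
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 30000:60000 -j ACCEPT
-A INPUT -j Drop
-A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
"""


@dataclass
class Rule:
    chain: str
    target: Optional[str]
    proto: Optional[str] = None
    dport: Optional[tuple] = None     # (lo, hi), inclusive
    iface: Optional[str] = None
    states: Optional[set] = None      # conntrack states from --state
    comment: Optional[str] = None


def parse_rules(text):
    """Return (rules in listing order, builtin chain policies, user chain names)."""
    rules, policies, chains = [], {}, set()
    for line in text.splitlines():
        toks = shlex.split(line)       # handles a quoted --comment "..."
        if not toks:
            continue
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
        elif toks[0] == "-N":
            chains.add(toks[1])
        elif toks[0] == "-A":
            rules.append(_parse_append(toks))
    return rules, policies, chains


def _parse_append(toks):
    r = Rule(chain=toks[1], target=None)
    i = 2
    while i < len(toks):
        opt = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if opt == "-p":
            r.proto = arg
        elif opt in ("--dport", "--destination-port"):
            lo, _, hi = arg.partition(":")
            r.dport = (int(lo), int(hi) if hi else int(lo))
        elif opt == "-i":
            r.iface = arg
        elif opt == "--state":
            r.states = set(arg.split(","))
        elif opt == "--comment":
            r.comment = arg
        elif opt == "-j":
            r.target = arg
        elif opt in ("-m", "-s", "-d", "-o"):
            pass                       # match-extension name / addresses: not needed here
        else:
            i += 1                     # flag without argument (e.g. "!"): skip only it
            continue
        i += 2
    return r


def _matches(r, proto, port, iface, state):
    if r.proto and r.proto != proto:
        return False
    if r.dport and not (r.dport[0] <= port <= r.dport[1]):
        return False
    if r.iface and r.iface != iface:
        return False
    if r.states and state not in r.states:
        return False
    return True


def trace(rules, policies, chains, chain, proto, port, iface="eth0", state="NEW"):
    """Walk `chain` for one packet. Returns (verdict, matching rule or None).
    A user chain with no match returns None to its caller; a builtin chain
    falls through to its policy."""
    for r in (x for x in rules if x.chain == chain):
        if not _matches(r, proto, port, iface, state):
            continue
        if r.target in chains:                       # jump into a user chain
            verdict, hit = trace(rules, policies, chains, r.target, proto, port, iface, state)
            if verdict is not None:
                return verdict, hit
            continue                                 # user chain returned: keep walking
        if r.target == "RETURN":
            break
        return r.target, r
    return policies.get(chain), None


def report(rules, policies, chains, proto, port):
    verdict, hit = trace(rules, policies, chains, "INPUT", proto, port)
    where = f"{hit.chain}: {hit.comment or 'no comment'}" if hit else "chain policy"
    return f"{proto}/{port} inbound -> {verdict} ({where})"


if __name__ == "__main__":
    rules, policies, chains = parse_rules(SAMPLE_RULES)
    for proto, port in (("udp", 1900), ("udp", 53871), ("tcp", 49152)):
        print(report(rules, policies, chains, proto, port))
```

Feed it the real listing with `iptables --list-rules` (as root) instead of `SAMPLE_RULES` to see which chain and comment produce the verdict for a port; the trace deliberately treats a fresh packet as `NEW`, so a rule like `--state ESTABLISHED,RELATED` only matches when you pass `state="ESTABLISHED"`, which is the distinction between an unsolicited inbound packet and a reply to something the client sent.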

Re: UPnP and Shorewall Firewall

Postby rc10b » Mar 11th, '12, 22:18

OK, I'll check my
iptables --list-rules
and see if it has the same entries for UPnP that you identified.
Depending on what I find, I might raise a bug and see what develops, I'll post a link back here if I do.

By the way, I didn't know my router had a firewall either! It's hidden away in advanced settings under the UPnP option.

Thanks,
Steve

Re: UPnP and Shorewall Firewall

Postby rc10b » Mar 12th, '12, 13:25


Re: UPnP and Shorewall Firewall

Postby linuxero » Mar 15th, '12, 20:17

Are you using WIFI to connect your PC?

I'm pretty sure it's irrelevant here, but with WIFI connections zeroconf never worked using Mandriva's Firewall, and NEVER AT ALL in Ubuntu.

Does the thing you're doing have any relation with zeroconf?

Sorry, but I'm still learning and I have many unsolved doubts in my head ;)
linuxero
 
Posts: 345
Joined: Oct 7th, '11, 15:50

Re: UPnP and Shorewall Firewall

Postby rc10b » Mar 15th, '12, 20:34

I'm using ethernet over power line, so not Wi-Fi.

Sorry, I don't know what zeroconf is, so I can't comment :?

Re: UPnP and Shorewall Firewall

Postby linuxero » Mar 15th, '12, 23:40

rc10b wrote: I'm using ethernet over power line, so not Wi-Fi.


I've never tried to connect over power-line, but it could be the same problem as the Wi-Fi. Does the system recognise the connection as a normal ethernet?

Sorry, I don't know what zeroconf is, so I can't comment :?


In short, it's a way by which devices can connect to a network without any special configuration on the part of the user, so the devices introduce themselves to each other.

Re: UPnP and Shorewall Firewall

Postby rc10b » Mar 15th, '12, 23:56

Yes, it acts just like a wired ethernet connection. I have no problem with the connection, as with the firewall disabled VLC can see my media server and I can receive the video stream perfectly.

Re: UPnP and Shorewall Firewall

Postby linuxero » Mar 16th, '12, 00:03

rc10b wrote: ... as with the firewall disabled VLC can see my media server and I can receive the video stream perfectly.


Exactly! That's what I am talking about. So the cable goes through the ethernet card.

Well, you only have to figure out the ports needed! Does the server have a fixed IP? The problem is to know whether the ports are chameleonic or fixed!

Sorry I couldn't help further, but I'll go checking. :)

Good luck

Re: UPnP and Shorewall Firewall

Postby rc10b » Mar 16th, '12, 00:19

Ref. the ports, see post 4 in this thread. The server has a fixed IP.

Re: UPnP and Shorewall Firewall

Postby linuxero » Mar 17th, '12, 00:41

rc10b wrote: Ref. the ports, see post 4 in this thread. The server has a fixed IP.


Yes, but the thing is that you either have missed the right port(s) or the port/ports is/are random!

I am still trying to find out.

Please refer to this:

http://www.youtube.com/watch?v=Tdph2gUPIGA /French

http://www.youtube.com/watch?v=Nrq_b_DV ... re=related /English

Try checking these videos. Note the ports!

I still believe that you have missed the server's port! Try setting it on the server then open it in MCC Firewall.

Re: UPnP and Shorewall Firewall

Postby rc10b » Mar 17th, '12, 14:59

My Humax server is using port 9000. I have already tried the method of using VLC as a client to receive the stream from a VLC server that was shown in the Linux video from your link but that did not work with my Humax as the server, in fact it stops the Humax from streaming for some reason, but I'm not going there ;) Also, opening port 9000 does not work either. I am therefore using the UPnP option, which shows up in the Playlist view under Local Network.

I have determined that VLC uses dynamic ports and as an experiment I opened a large range of ports (30000:60000) using MCC, to see if VLC would then be able to see my Humax stream, and it worked.

So my assumption is that the default firewall is blocking these (or an even larger range) of ports. I could leave this range of ports open and I would no longer have a problem but I am trying to understand whether this is a bug in the shorewall implementation or if it is intended to work this way.

As doktor5000 has suggested, I probably don't need to use shorewall at all, as I'm behind a router firewall, but I'm trying to improve my understanding of the shorewall firewall.

Re: UPnP and Shorewall Firewall

Postby doktor5000 » Mar 17th, '12, 16:10

rc10b wrote: So my assumption is that the default firewall is blocking these (or an even larger range) of ports. I could leave this range of ports open and I would no longer have a problem but I am trying to understand whether this is a bug in the shorewall implementation or if it is intended to work this way.

As doktor5000 has suggested, I probably don't need to use shorewall at all, as I'm behind a router firewall, but I'm trying to improve my understanding of the shorewall firewall.


It is intended to work this way. For such stuff there's either a blacklist or a whitelist approach.
Blacklist means everything is allowed, except for the items on the blacklist, and whitelist means everything is blocked, except for the whitelist items.
Normally for a firewall you always have a whitelist approach, to close all ports, if that box is directly connected to the internet. If you're behind a router with a firewall, there's normally not much use for a client or personal firewall, as I've already written above.

So you currently have two options: either open up that port range you've already tried, and maybe try to narrow that down, or completely disable the firewall.

Re: UPnP and Shorewall Firewall

Postby rc10b » Mar 17th, '12, 16:53

Thanks doktor5000, that's clear.

Perhaps someone would mark this thread as Resolved.

Thanks
Steve
