
Thread: Firewall troubleshooting

  1. #1

    Default Firewall troubleshooting

    I must say, I don't post much here on the forums because 1) You guys are great at answering questions, and 2) OpenSUSE is a pretty rock solid and easy to use distro. However, I do have a question regarding firewalls. I've been using linux for a long time, but never had to deal with a firewall. I've always just disabled it. In the Windows world, there's usually a prompt whenever an application tries to access the network in which you can choose to deny the program access or allow it access. Linux is way different (Fedora's SElinux troubleshooter and openSUSE's firewall programs).

    I have a chromecast right now that is unable to be detected by my Linux computer running openSUSE 13.1. When I disable the firewall, it works fine.

    As far as I know, the chromecast just requires, "Enable Multicast, UPnP, & IGMP in your router settings. " So I'm assuming it uses multicast, UPnP, and IGMP. However, I'm not exactly sure how to allow these services in OpenSUSE.

    This link is for Ubuntu, but is pretty confusing: How can I use Chromecast - Ask Ubuntu

    So I guess I have two questions: One, how can I start troubleshooting stuff like this on my own. How can I see network traffic and see exactly what is getting blocked so I can see if I can unblock it? And two, once I find out what's getting blocked how do I go into the firewall and allow these items?

  2. #2
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    22,905
    Blog Entries
    15

    Default Re: Firewall troubleshooting

    On Tue 26 Nov 2013 04:06:02 PM CST, DupermanDave wrote:


    I must say, I don't post much here on the forums because 1) You guys are
    great at answering questions, and 2) OpenSUSE is a pretty rock solid and
    easy to use distro. However, I do have a question regarding firewalls.
    I've been using linux for a long time, but never had to deal with a
    firewall. I've always just disabled it. In the Windows world, there's
    usually a prompt whenever an application tries to access the network in
    which you can choose to deny the program access or allow it access.
    Linux is way different (Fedora's SElinux troubleshooter and openSUSE's
    firewall programs).

    I have a chromecast right now that is unable to be detected by my Linux
    computer running openSUSE 13.1. When I disable the firewall, it works
    fine.

    As far as I know, the chromecast just requires, "Enable Multicast, UPnP,
    & IGMP in your router settings. " So I'm assuming it uses multicast,
    UPnP, and IGMP. However, I'm not exactly sure how to allow these
    services in OpenSUSE.

    This link is for Ubuntu, but is pretty confusing: 'How can I use
    Chromecast - Ask Ubuntu'
    (http://askubuntu.com/questions/32423...use-chromecast)

    So I guess I have two questions: One, how can I start troubleshooting
    stuff like this on my own. How can I see network traffic and see exactly
    what is getting blocked so I can see if I can unblock it? And two, once
    I find out what's getting blocked how do I go into the firewall and
    allow these items?


    Hi
    Install wireshark to monitor the network traffic (or use tcpdump if you
    like cli).

    If you check the file /etc/services it shows the ports and what they
    are for, e.g. ssdp (upnp?) is 1900 udp/tcp. To open these in the firewall,
    use YaST Security & Users -> Firewall -> Allowed Services, click on
    the 'Advanced' button bottom right and add the port numbers as required.
    The other one is probably 5353 udp/tcp.

    But you should see the requests in wireshark to narrow it down (turn off
    the firewall to observe all the traffic).

    --
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SLED 11 SP3 (x86_64) GNOME 2.28.0 Kernel 3.0.101-0.8-default
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!


  3. #3

    Default Re: Firewall troubleshooting

    Wildly guessing this is the part (from the Ubuntu thread) that matters here:

    Code:
    --------------------
    The browser will send a multicast UDP packet from the local IP and an
    ephemeral (random) port to 239.255.255.250 port 1900. The ChromeCast
    device will respond with a unicast UDP packet from the ChromeCast device's
    IP and another ephemeral port to the source IP/port of the multicast
    packet. Note that this is slightly different than most other UPnP devices,
    which will usually respond with a unicast UDP packet from port 1900
    instead of an ephemeral port.
    --------------------

    Basically the SUSE Linux firewall doesn't restrict outgoing much, and
    since this is mostly about outgoing (from your browser) data the firewall
    shouldn't matter. The trick is that every outgoing packet has a purpose,
    and is usually answered by something coming back in; else, your browser
    (with any service... FTP, HTTP, Chromecast) would be having a one-way
    conversation and you'd get nothing of use in your browser just like in any
    human conversation where only one side spews data.

    The problem here is that while your browser talks to Chromecast on one port,
    that device responds back on another port which the Linux firewall sees as
    an incoming (not outgoing) connection that is NOT related to an existing
    session (the original outgoing packet to Chromecast on another port is not
    the same session b/c the port is different, namely 1900 instead of some
    high/ephemeral port). As a result the incoming packet is blocked.

    With that written, let's prove it. First, /var/log/firewall is the
    default log to check so do so:

    Code:
    --------------------
    sudo tail -f /var/log/firewall
    --------------------

    Watch that while you try to connect to Chromecast and see if you see
    responses being blocked. The text may be hard to understand at first, so
    feel free to post it back here in Code tags for us to review.

    Next, try the iptables command in there to help relax the firewall on
    incoming UDP data from high ports:

    Code:
    --------------------
    sudo iptables -A INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
    --------------------

    If running that command suddenly fixes your problem then you're set; next
    just make it permanent:

    Code:
    --------------------
    sudo /sbin/yast firewall
    --------------------

    In here go to Allowed Services: Advanced: and in the UDP field put
    32768-61000, then save and exit. Try again. Still works? You're done.
    Doesn't work? Post back your /var/log/firewall stuff.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  4. #4

    Default Re: Firewall troubleshooting

    Quote Originally Posted by ab View Post
    Wildly guessing this is the part (from the Ubuntu thread) that matters here:

    Code:
    --------------------
    The browser will send a multicast UDP packet from the local IP and an
    ephemeral (random) port to 239.255.255.250 port 1900. The ChromeCast
    device will respond with a unicast UDP packet from the ChromeCast device's
    IP and another ephemeral port to the source IP/port of the multicast
    packet. Note that this is slightly different than most other UPnP devices,
    which will usually respond with a unicast UDP packet from port 1900
    instead of an ephemeral port.
    --------------------

    Basically the SUSE Linux firewall doesn't restrict outgoing much, and
    since this is mostly about outgoing (from your browser) data the firewall
    shouldn't matter. The trick is that every outgoing packet has a purpose,
    and is usually answered by something coming back in; else, your browser
    (with any service... FTP, HTTP, Chromecast) would be having a one-way
    conversation and you'd get nothing of use in your browser just like in any
    human conversation where only one side spews data.

    The problem here is that while your browser talks to Chromecast on one port,
    that device responds back on another port which the Linux firewall sees as
    an incoming (not outgoing) connection that is NOT related to an existing
    session (the original outgoing packet to Chromecast on another port is not
    the same session b/c the port is different, namely 1900 instead of some
    high/ephemeral port). As a result the incoming packet is blocked.

    With that written, let's prove it. First, /var/log/firewall is the
    default log to check so do so:

    Code:
    --------------------
    sudo tail -f /var/log/firewall
    --------------------

    Watch that while you try to connect to Chromecast and see if you see
    responses being blocked. The text may be hard to understand at first, so
    feel free to post it back here in Code tags for us to review.

    Next, try the iptables command in there to help relax the firewall on
    incoming UDP data from high ports:

    Code:
    --------------------
    sudo iptables -A INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
    --------------------

    If running that command suddenly fixes your problem then you're set; next
    just make it permanent:

    Code:
    --------------------
    sudo /sbin/yast firewall
    --------------------

    In here go to Allowed Services: Advanced: and in the UDP field put
    32768-61000, then save and exit. Try again. Still works? You're done.
    Doesn't work? Post back your /var/log/firewall stuff.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

    I got the output from the firewall.

    Code:
    2013-12-05T15:27:51.257690-08:00 linux-93t9 kernel: [ 2747.721005] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=74:e5:0b:64:cf:30:d0:e7:82:7b:04:b1:08:00 SRC=192.168.1.119 DST=192.168.1.115 LEN=544 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=50907 DPT=43606 LEN=524 
    
    2013-12-05T15:27:56.582700-08:00 linux-93t9 kernel: [ 2753.052205] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=74:e5:0b:64:cf:30:d0:e7:82:7b:04:b1:08:00 SRC=192.168.1.119 DST=192.168.1.115 LEN=544 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=57414 DPT=56213 LEN=524 
    
    2013-12-05T15:28:16.039661-08:00 linux-93t9 kernel: [ 2772.532783] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=74:e5:0b:64:cf:30:d0:e7:82:7b:04:b1:08:00 SRC=192.168.1.119 DST=192.168.1.115 LEN=544 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=57267 DPT=45592 LEN=524
    I grabbed a few samples as I refreshed youtube pages. 192.168.1.115 is my IP address on the network. 192.168.1.119 appears to be the Chromecast.

    I'm guessing "PROTO=UDP" is the protocol, and "SPT=57267" is the port? Or is "DPT=45592" the port? Or are they both ports, but that's the port range?

  5. #5
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,862

    Default Re: Firewall troubleshooting

    On 2013-12-06 00:36, DupermanDave wrote:
    > I'm guessing "PROTO=UDP" is the protocol, and "SPT=57267" is the port?
    > Or is "DPT=45592" the port? Or are they both ports, but that's the port
    > range?


    "Destination PorT" and "Source PorT"

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)
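    The SPT/DPT reading above and the "unrelated incoming UDP to an ephemeral port" explanation in post #3 can be checked mechanically. The following script is an added example, not code from the thread: it parses the three SFW2 DROP lines posted in #4 and reports whether each dropped packet's destination port falls inside the 32768:61000 range that the suggested iptables rule would accept, so you can see before opening anything whether that rule actually matches what is being dropped. Assumptions: the log is in the SuSEfirewall2 key=value format shown above, and the range is the one from the thread.

```python
import re
from dataclasses import dataclass

# The three SuSEfirewall2 DROP entries as posted in #4 (copied here as sample input).
SAMPLE_LOG = """\
2013-12-05T15:27:51.257690-08:00 linux-93t9 kernel: [ 2747.721005] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=74:e5:0b:64:cf:30:d0:e7:82:7b:04:b1:08:00 SRC=192.168.1.119 DST=192.168.1.115 LEN=544 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=50907 DPT=43606 LEN=524
2013-12-05T15:27:56.582700-08:00 linux-93t9 kernel: [ 2753.052205] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=74:e5:0b:64:cf:30:d0:e7:82:7b:04:b1:08:00 SRC=192.168.1.119 DST=192.168.1.115 LEN=544 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=57414 DPT=56213 LEN=524
2013-12-05T15:28:16.039661-08:00 linux-93t9 kernel: [ 2772.532783] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=74:e5:0b:64:cf:30:d0:e7:82:7b:04:b1:08:00 SRC=192.168.1.119 DST=192.168.1.115 LEN=544 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=57267 DPT=45592 LEN=524
"""

# The --dport range from the iptables rule suggested in post #3.
EPHEMERAL = (32768, 61000)

@dataclass
class Drop:
    iface: str
    src: str
    dst: str
    proto: str
    spt: int   # Source PorT: the port the remote device sent from
    dpt: int   # Destination PorT: the local port the packet was addressed to

# Only the fields we need; \b keeps "IN=" from matching inside other tokens.
FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|SPT|DPT)=(\S+)")

def parse_drops(text):
    """Return one Drop per line that carries a SuSEfirewall2 DROP tag."""
    drops = []
    for line in text.splitlines():
        if "SFW2-" not in line or "-DROP-" not in line:
            continue
        f = dict(FIELD_RE.findall(line))
        drops.append(Drop(f["IN"], f["SRC"], f["DST"], f["PROTO"],
                          int(f["SPT"]), int(f["DPT"])))
    return drops

def covered_by_rule(drop, proto="UDP", dport_range=EPHEMERAL):
    """Would an INPUT ACCEPT rule for this proto and --dport range admit the packet?"""
    lo, hi = dport_range
    return drop.proto == proto and lo <= drop.dpt <= hi

def summarize(text):
    """Group drops by (source host, protocol) and count how many the rule would cover."""
    report = {}
    for d in parse_drops(text):
        e = report.setdefault((d.src, d.proto), {"total": 0, "covered": 0, "dpts": []})
        e["total"] += 1
        e["covered"] += int(covered_by_rule(d))
        e["dpts"].append(d.dpt)
    return report

if __name__ == "__main__":
    for (src, proto), e in summarize(SAMPLE_LOG).items():
        print(f"{src} {proto}: {e['covered']}/{e['total']} drops have DPT in "
              f"{EPHEMERAL[0]}:{EPHEMERAL[1]}, DPTs seen: {e['dpts']}")
```

Run it against a real capture with `sudo tail -n 200 /var/log/firewall | python3 thisscript.py` after changing `SAMPLE_LOG` to `sys.stdin.read()`; a source host whose drops are not covered needs a different rule than the one in the thread.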

  6. #6

    Default Re: Firewall troubleshooting

    Did you allow the ports in the Yast Firewall window as mentioned
    previously? Guessing by this that you did not. If you do then the
    firewall should stop blocking these unsolicited packets and the
    application will hopefully work.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  7. #7

    Default Re: Firewall troubleshooting

    Quote Originally Posted by ab View Post
    Did you allow the ports in the Yast Firewall window as mentioned
    previously? Guessing by this that you did not. If you do then the
    firewall should stop blocking these unsolicited packets and the
    application will hopefully work.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...
    I didn't want to run the commands until I had a full understanding of what I was doing. I tried the IPtables command, but IPtables isn't installed. So rather than install it I just skipped to the next step and tried to open the ports in the firewall configuration. When I added the port range in the advanced settings, I get this message when I go to save it: "Port name 32768-61000 is unknown in your current system.It probably would not work.
    Really use this port?"

    After I accept the changes anyway there's still no chromecast functionality.

  8. #8
    Join Date
    Nov 2009
    Location
    ND, USA
    Posts
    1,140

    Default Re: Firewall troubleshooting

    On 12/6/2013 12:16 AM, DupermanDave wrote:
    >
    > ab;2605688 Wrote:
    >> Did you allow the ports in the Yast Firewall window as mentioned
    >> previously? Guessing by this that you did not. If you do then the
    >> firewall should stop blocking these unsolicited packets and the
    >> application will hopefully work.
    >>
    >> --
    >> Good luck.
    >>
    >> If you find this post helpful and are logged into the web interface,
    >> show your appreciation and click on the star below...

    >
    > I didn't want to run the commands until I had a full understanding of
    > what I was doing. I tried the IPtables command, but IPtables isn't
    > installed. So rather than install it I just skipped to the next step and
    > tried to open the ports in the firewall configuration. When I added the
    > port range in the advanced settings, I get this message when I go to
    > save it: "Port name 32768-61000 is unknown in your current system.It
    > probably would not work.
    > Really use this port?"
    >
    > After I accept the changes anyway there's still no chromecast
    > functionality.
    >
    >

    DupermanDave:
    You specify a range of ports with a colon not a hyphen. In this particular case you want to add the UDP ports:
    Code:
    32768:61000

    --
    P.V.
    "We're all in this together, I'm pulling for you" Red Green

  9. #9

    Default Re: Firewall troubleshooting

    Quote Originally Posted by venzkep View Post
    On 12/6/2013 12:16 AM, DupermanDave wrote:
    >
    > ab;2605688 Wrote:
    >> Did you allow the ports in the Yast Firewall window as mentioned
    >> previously? Guessing by this that you did not. If you do then the
    >> firewall should stop blocking these unsolicited packets and the
    >> application will hopefully work.
    >>
    >> --
    >> Good luck.
    >>
    >> If you find this post helpful and are logged into the web interface,
    >> show your appreciation and click on the star below...

    >
    > I didn't want to run the commands until I had a full understanding of
    > what I was doing. I tried the IPtables command, but IPtables isn't
    > installed. So rather than install it I just skipped to the next step and
    > tried to open the ports in the firewall configuration. When I added the
    > port range in the advanced settings, I get this message when I go to
    > save it: "Port name 32768-61000 is unknown in your current system.It
    > probably would not work.
    > Really use this port?"
    >
    > After I accept the changes anyway there's still no chromecast
    > functionality.
    >
    >

    DupermanDave:
    You specify a range of ports with a colon not a hyphen. In this particular case you want to add the UDP ports:
    Code:
    32768:61000

    --
    P.V.
    "We're all in this together, I'm pulling for you" Red Green
    And that would be my problem. If you couldn't tell, it's my first time working with a Linux firewall (aside from Fedora's SELinux/SElinux troubleshooter).

    That seemed to have worked. Thanks for the assistance. So the key that I was looking for was using the "tail" command to see what the firewall was actively doing and then adjust accordingly.

  10. #10
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,862

    Default Re: Firewall troubleshooting

    On 2013-12-06 07:16, DupermanDave wrote:
    > I didn't want to run the commands until I had a full understanding of
    > what I was doing. I tried the IPtables command, but IPtables isn't
    > installed.


    It is all lowercase.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)
