Page 7 of 7 (Results 61 to 67 of 67)

Thread: How do I fix my firewall to enable minimwatch on laptop to talk to NAS

  1. #61 (Join Date: Jun 2008; Location: Auckland, NZ; Posts: 22,848; Blog Entries: 1)

    Re: How do I fix my firewall to enable minimwatch on laptop to talk to NAS

    Quote Originally Posted by Budgie2 View Post
    Please forgive my loose reference to "original fix." I was referring to these commands:-

    Code:
    # ipset of (ip,port) pairs whose entries expire after 3 seconds
    firewall-cmd --permanent --new-ipset=upnp --type=hash:ip,port --option timeout=3
    # record source ip,port of every outgoing SSDP M-SEARCH (UDP 1900 to the multicast group)
    firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
    # accept incoming UDP whose destination ip,port is still in the set
    firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p udp -m set --match-set upnp dst,dst -j ACCEPT
    I am trying to remove what has been added but is no longer required and clean up my network configuration by removing the above incorrect commands. I do not know how permanent these are.
    They're part of your firewalld config (and were working as expected). However, you would have needed something similar for the TCP communication as well. Anyway, the relevant config files you created are located at:
    /etc/firewalld/direct.xml (for the direct rules)
    /etc/firewalld/ipsets/upnp.xml (for the ipset rule)

    Remove them at your leisure, and restart the firewall.
    Last edited by deano_ferrari; 13-Mar-2021 at 14:02.
    openSUSE Leap 15.2; KDE Plasma 5
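Since the ipset and the two direct rules were created with firewall-cmd --permanent, they can be removed with the matching firewall-cmd commands instead of editing the two XML files named above by hand. The script below is an added example, not something posted in this thread: it assumes the three commands quoted at the top of this post were entered exactly as shown (a --remove-rule only matches a rule whose text is identical to the stored one), reloads firewalld so the runtime state is rebuilt from the permanent config, and then checks that nothing still references the set. The function names, the FWCMD variable and the run/dry-run arguments are the example's own.

```shell
#!/bin/sh
# Added example (not posted in the thread): undo the upnp ipset and the two
# direct rules with firewall-cmd rather than editing /etc/firewalld/direct.xml
# and /etc/firewalld/ipsets/upnp.xml by hand, then reload and verify.
# Assumes the rules were added exactly as quoted in the thread.
# Set FWCMD=echo for a dry run that prints the commands instead of running them.
FWCMD=${FWCMD:-firewall-cmd}

# Rule bodies exactly as they were added; --remove-rule needs an exact match.
OUT_RULE='-d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist'
IN_RULE='-p udp -m set --match-set upnp dst,dst -j ACCEPT'

# upnp_cleanup: remove the rules first (they reference the set), then the set,
# then reload so the runtime configuration is rebuilt from the permanent one.
upnp_cleanup() {
    # $OUT_RULE / $IN_RULE are deliberately unquoted so they word-split into arguments
    $FWCMD --permanent --direct --remove-rule ipv4 filter OUTPUT 0 $OUT_RULE &&
    $FWCMD --permanent --direct --remove-rule ipv4 filter INPUT 0 $IN_RULE &&
    $FWCMD --permanent --delete-ipset=upnp &&
    $FWCMD --reload
}

# upnp_verify: after the reload, neither the runtime direct rules nor the ipset
# list should mention upnp. Returns 0 when clean, 1 with a message when not.
upnp_verify() {
    if $FWCMD --direct --get-all-rules | grep -q 'upnp'; then
        echo "leftover direct rule still references ipset upnp" >&2
        return 1
    fi
    if $FWCMD --get-ipsets | grep -qw 'upnp'; then
        echo "ipset upnp still present" >&2
        return 1
    fi
    echo "cleanup verified: no upnp direct rules, no upnp ipset"
}

# Nothing destructive happens unless explicitly asked for on the command line.
case "${1:-}" in
    run)     upnp_cleanup && upnp_verify ;;
    dry-run) FWCMD=echo; upnp_cleanup ;;
    *)       echo "usage: $0 run|dry-run (or source this file and call upnp_cleanup / upnp_verify)" >&2 ;;
esac
```

Run it as root with `run` to do the cleanup, or with `dry-run` first to see the exact firewall-cmd invocations; `firewall-cmd --reload` is enough to apply the change, a restart of firewalld.service works equally well.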

  2. #62 (Join Date: Sep 2012; Posts: 6,315)

    Re: How do I fix my firewall to enable minimwatch on laptop to talk to NAS

    Quote Originally Posted by arvidjaar View Post
    1. For the TCP part you also need to somehow examine incoming packets (notifications) to renew the expectation, otherwise it will time out. But there is no way to match notifications in advance. So either you need to pass every incoming packet to the ssdp helper (with an obvious performance hit) or jump through hoops by creating an additional rule after the SUBSCRIBE packet has been parsed and the incoming port is known.
    2. Finally, I have no idea whether port 9791 is always correct. UPnP is the most firewall-unfriendly protocol I have ever seen. In particular, the actual URL that the client must use to subscribe to notifications is part of the device description; the client gets the URL of this description in the discovery response and needs to fetch and parse it. So if you are going to take this route you really need to ask the maintainer of your software whether the same fixed port is always used for this purpose. This was the port in your packet capture and it is one of the ports mentioned on the application site.
    Actually I was probably too pessimistic.

    1. When a connection has a helper assigned, this helper is implicitly called for every packet. The ssdp helper assigns itself to the connection expectations it creates, so it should automatically process notifications and renew its expectations. This depends on how often the server sends events and may require tuning (e.g. by increasing the timeout). But the basic functionality is there. This covers 1.
    2. While theoretically the subscription URL can be anything, in practice it is relative to the base URL in those device descriptions I have seen (and likely in your case too; unfortunately the discovery response is truncated). This base URL is extracted by the ssdp helper from the discovery reply and it installs an expectation for incoming connections to this TCP port. This covers 2 for the common case.


    Could you test whether your client works if you omit the second iptables command (for TCP port 9791)? Do it after a reboot to have a clean initial environment. Whether it works or not, could you also post the output of "conntrack -L expect"?

  3. #63 (Join Date: Nov 2008; Posts: 1,788; Blog Entries: 1)

    Re: How do I fix my firewall to enable minimwatch on laptop to talk to NAS

    Quote Originally Posted by arvidjaar View Post
    Could you test whether your client works if you omit the second iptables command (for TCP port 9791)? Do it after reboot to have clean initial environment. Whether it works or not, could also you post output of "conntrack -L expect"?
    Hi,
    It does work even with the second command omitted.

    Here is the output of the above requested command:-

    Code:
    216 proto=6 src=192.168.169.130 dst=192.168.169.206 sport=0 dport=39937 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=0 dport=65535 master-src=192.168.169.130 master-dst=192.168.169.206 sport=44745 dport=39937 class=0 helper=ssdp
    conntrack v1.4.6 (conntrack-tools): 1 expectations have been shown.
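Reading the expectation line above: it carries three tuples that reuse the keys sport/dport. First the expected connection (proto=6 is TCP, src is the NAS, dst is the laptop, sport=0, dport=39937), then the mask saying which of those fields must actually match (mask-src/mask-dst, followed by sport=0/dport=65535), then the master connection the ssdp helper learned it from (master-src/master-dst, sport=44745/dport=39937). The leading 216 is the remaining lifetime in seconds and helper=ssdp names the helper that installed it. The shell functions below are an added example, not something posted in the thread: they read `conntrack -L expect` output on stdin and print one summary line per expectation. The embedded sample is the line from this post, re-joined where the terminal wrapped it (dpo / rt=65535); the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not posted in the thread): summarise `conntrack -L expect`
# output so the expectations a conntrack helper installed are easy to audit.
# Each expect line carries three tuples that reuse the keys sport/dport:
#   expected tuple, then mask tuple (mask-src/mask-dst + sport/dport),
#   then master tuple (master-src/master-dst + sport/dport).
# The first field is the remaining lifetime in seconds.

# Sample input: the line posted in the thread, re-joined where the terminal
# wrapped it, plus the trailing summary line conntrack prints on stderr.
SAMPLE_EXPECT='216 proto=6 src=192.168.169.130 dst=192.168.169.206 sport=0 dport=39937 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=0 dport=65535 master-src=192.168.169.130 master-dst=192.168.169.206 sport=44745 dport=39937 class=0 helper=ssdp
conntrack v1.4.6 (conntrack-tools): 1 expectations have been shown.'

# expect_summary: stdin = conntrack -L expect output
# stdout = one line per expectation:
#   helper proto src dst dport mask-src mask-dst timeout
expect_summary() {
    awk '
    /^[0-9]+ proto=/ {
        timeout = $1; helper = "-"; nd = 0
        proto = src = dst = dport = msrc = mdst = "-"
        for (i = 2; i <= NF; i++) {
            n = index($i, "=")
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "proto")          proto = v
            else if (k == "src")       src = v
            else if (k == "dst")       dst = v
            else if (k == "mask-src")  msrc = v
            else if (k == "mask-dst")  mdst = v
            else if (k == "helper")    helper = v
            else if (k == "dport" && ++nd == 1) dport = v   # first dport belongs to the expected tuple
        }
        print helper, proto, src, dst, dport, msrc, mdst, timeout
    }'
}

# ssdp_callback_port NAS LAPTOP: print the TCP port the ssdp helper expects the
# NAS to connect to on the laptop (the event callback); exit status 1 if none.
ssdp_callback_port() {
    expect_summary | awk -v nas="$1" -v laptop="$2" '
        $1 == "ssdp" && $2 == "6" && $3 == nas && $4 == laptop { print $5; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# wildcard_masks: list expectations whose address masks are 0.0.0.0, i.e.
# whose src/dst address is not compared at all, only protocol and port.
wildcard_masks() {
    expect_summary | awk '$6 == "0.0.0.0" || $7 == "0.0.0.0"'
}

# On a live system (the summary line goes to stderr, hence 2>/dev/null):
#   conntrack -L expect 2>/dev/null | expect_summary
#   conntrack -L expect 2>/dev/null | ssdp_callback_port 192.168.169.130 192.168.169.206
# Offline, against the sample from the thread:
printf '%s\n' "$SAMPLE_EXPECT" | expect_summary
```

One thing worth checking in the summary is the address masks. In netfilter's expectation matching a mask of 0.0.0.0 means that address field is not compared, so the expectation as posted pins only the protocol and the destination port: for the 216 seconds it has left, a new TCP connection to port 39937 from any source address, not just the NAS, would be classified as RELATED and pass a firewall that accepts RELATED connections, which firewalld does by default. Whether that is acceptable depends on the network; the wildcard_masks function lists exactly those expectations.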

  4. #64 (Join Date: Sep 2012; Posts: 6,315)

    Re: How do I fix my firewall to enable minimwatch on laptop to talk to NAS

    Quote Originally Posted by Budgie2 View Post
    It does work even with the second command omitted.
    Good. This gives a more or less complete how-to for UPnP firewall integration.

  5. #65 (Join Date: Nov 2008; Posts: 1,788; Blog Entries: 1)

    Re: How do I fix my firewall to enable minimwatch on laptop to talk to NAS

    Hi Deano,
    Your last message came after that from arvidjaar, perhaps it had further to come! Many thanks for your reply and advice on cleaning up my configuration. I have done as you suggested and all seems OK. More anon.
    Regards,
    Budge.

  6. #66 (Join Date: Sep 2012; Posts: 6,315)

    Re: How do I fix my firewall to enable minimwatch on laptop to talk to NAS

    Quote Originally Posted by Budgie2 View Post
    I cannot thank you enough for helping me here.
    Actually this was a very good occasion to refresh my netfilter knowledge. I certainly learned a lot that would not have been possible without troubleshooting a real-life case (Grau, teurer Freund, ist alle Theorie, und grün des Lebens goldner Baum: "Grey, dear friend, is all theory, and green the golden tree of life"). So I have to thank you for your patience.

  7. #67 (Join Date: Nov 2008; Posts: 1,788; Blog Entries: 1)

    Re: How do I fix my firewall to enable minimwatch on laptop to talk to NAS

    Hi arvidjaar, many thanks once more and thanks too for the Faustian wisdom.
    Yes, my minimwatch icon is green now but reverts to grey after each reboot. Please could I have a bit of help with the script? With TW requiring reboots almost every day, entering the commands one at a time and in the right order after booting has completed could become a chore. Sadly the script is well beyond me.
    Regards,
    Budge

