Firewall still blocking open port?

Hello

I am trying to enable my plex server to access the outside as per:

&

https://forums.opensuse.org/content.php/191-Set-up-Plex-Media-Server-in-openSUSE-Tumbleweed-Leap-42-1

If I take down the firewall, Plex reaches the outside as I would like; however, I want to keep my firewall running, so this is what I did:

linux-f5tb:/home/Kilbert # touch /etc/sysconfig/SuSEfirewall2.d/services/PlexMedia-server
linux-f5tb:/home/Kilbert # pico /etc/sysconfig/SuSEfirewall2.d/services/PlexMedia-server
inserted from above forum link:
## Name: Plexmedia Server
## Description: Opens ports for Plex Media Server with broadcast allowed.

# space separated list of allowed TCP ports
TCP="3005 8324 32400 32469"

# space separated list of allowed UDP ports
UDP="1900 5353 32410 32412 32413 32414"

# space separated list of allowed RPC services
RPC=""

# space separated list of allowed IP protocols
IP=""

# space separated list of allowed UDP broadcast ports

saved file & exited
then:
linux-f5tb:/home/Kilbert # systemctl enable plexmediaserver.service
Synchronizing state of plexmediaserver.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable plexmediaserver

Then went to firewall in YaST, selected the service plexmedia-server and hit next etc. to restart the firewall and save changes.

no dice - still unreachable

I then restarted the firewall also.

no dice - still unreachable

I also tried inserting the ports manually in yast/security&users/firewall

allowed services - advanced, and put all the ports into their respective places. Then saved and restarted.

no dice, still unreachable.

Tried: as far as I can tell, it's dropping UDP 1900?, which I say to keep open?

linux-f5tb:/home/Kilbert # dmesg |grep DROP
   23.062094] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=380 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=48971 LEN=360 
   23.084945] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=360 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=54352 LEN=340 
   23.085227] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=305 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=54352 LEN=285 
   23.085520] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=296 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=54352 LEN=276 
   23.085816] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=370 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=54352 LEN=350 
   44.327968] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=296 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=32783 LEN=276 
   65.650232] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=d0:unknown device SRC=192.168.1.131 DST=plexserver LEN=283 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=54352 LEN=263 
   83.641923] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=d0:unknown device SRC=192.168.1.131 DST=plexserver LEN=283 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=54352 LEN=263 
  103.556477] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=unknown device 2 SRC=192.168.1.129 DST=plexserver LEN=283 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=54352 LEN=263 
  126.306052] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=d0:unknown device SRC=192.168.1.131 DST=plexserver LEN=283 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=54352 LEN=263 
  143.129017] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=unknown device 2 SRC=192.168.1.129 DST=plexserver LEN=283 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=54352 LEN=263 
  164.109849] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=d0:unknown device SRC=192.168.1.131 DST=plexserver LEN=283 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=54352 LEN=263 
  183.961727] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=d0:unknown device SRC=192.168.1.131 DST=plexserver LEN=283 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=54352 LEN=263 
  206.475314] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=unknown device 2 SRC=192.168.1.129 DST=plexserver LEN=283 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=54352 LEN=263 
  237.954217] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=380 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=49342 LEN=360 
  243.167517] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=d0:unknown device SRC=192.168.1.131 DST=plexserver LEN=283 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60619 LEN=263 
  267.965316] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=360 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60619 LEN=340 
  283.230542] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=unknown device 2 SRC=192.168.1.129 DST=plexserver LEN=283 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=56300 LEN=263 
..removed dups
  857.974581] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=360 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60619 LEN=340 
  877.974972] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=360 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60619 LEN=340 
  897.975222] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=360 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60619 LEN=340 
  917.975405] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=360 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60619 LEN=340 
  937.975596] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=360 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60619 LEN=340 
  957.975938] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=360 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60619 LEN=340 
  977.976290] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=360 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60619 LEN=340 
  992.724862] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=unknown device 2 SRC=192.168.1.129 DST=plexserver LEN=283 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60619 LEN=263 
  992.724893] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=unknown device 2 SRC=192.168.1.129 DST=plexserver LEN=244 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60619 LEN=224 
  992.725078] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=unknown device 2 SRC=192.168.1.129 DST=plexserver LEN=342 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60619 LEN=322 
  994.303749] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=380 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=54205 LEN=360 
  994.574673] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=380 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=52438 LEN=360 
..removed dups...
 1015.574615] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=296 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=33052 LEN=276 
 1027.976949] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= mine SRC=192.168.1.1 DST=plexserver LEN=360 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60619 LEN=340 

linux-f5tb:/home/Kilbert # 

I feel I am missing something basic here, can someone assist?

edit to add:

linux-f5tb:/home/Kilbert # SuSEfirewall2 status |grep 1900
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:1900 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1900
  509  148K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 tcp dpt:1900 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:1900
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:1900
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:1900

Thanks
John Kilbert
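
Added example (not part of the original post or of SuSEfirewall2): a shell function that tallies `SFW2-INext-DROP-DEFLT` UDP lines by source address and source port, and marks whether each packet's destination port is on the allowed UDP list from the service file quoted above. The sample log lines are constructed in the format of the dmesg output in the post; the function name and verdict labels are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: compare dropped UDP packets against the allowed UDP port list.

# Allowed UDP destination ports, as listed in the service file quoted in the post.
ALLOWED_UDP="1900 5353 32410 32412 32413 32414"

# Constructed sample in the format of the dmesg output above (MAC redacted).
# The last two lines are invented to exercise the other code paths.
SAMPLE_LOG='   23.062094] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=(redacted) SRC=192.168.1.1 DST=192.168.1.134 LEN=380 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=48971 LEN=360
   23.084945] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=(redacted) SRC=192.168.1.1 DST=192.168.1.134 LEN=360 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=54352 LEN=340
   65.650232] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=(redacted) SRC=192.168.1.131 DST=192.168.1.134 LEN=283 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=54352 LEN=263
   70.000000] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=(redacted) SRC=192.168.1.77 DST=192.168.1.134 LEN=78 TTL=64 ID=0 DF PROTO=UDP SPT=40000 DPT=137 LEN=58
   71.000000] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=(redacted) SRC=192.168.1.77 DST=192.168.1.134 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=29200'

# classify_drops "<allowed udp ports>"  (log lines on stdin)
# Prints one line per (source, source port, verdict): "<count> <src> <spt> <verdict>"
#   dpt-allowed              destination port is on the allowed list, yet the packet was dropped
#   reply-from-allowed-port  source port is on the list, destination port is not
#   unrelated                neither port is on the list
classify_drops() {
  awk -v allowed="$1" '
    BEGIN {
      n = split(allowed, a, " ")
      for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    # Only UDP packets logged by the default-drop rule are of interest here.
    /SFW2-INext-DROP-DEFLT/ && /PROTO=UDP/ {
      spt = dpt = src = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SPT=/)      spt = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        else if ($i ~ /^SRC=/) src = substr($i, 5)
      }
      if (dpt == "" || src == "") next      # skip damaged lines
      if (dpt in ok)      verdict = "dpt-allowed"
      else if (spt in ok) verdict = "reply-from-allowed-port"
      else                verdict = "unrelated"
      count[src " " spt " " verdict]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k2,2 -k3,3n
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | classify_drops "$ALLOWED_UDP"
```

A `reply-from-allowed-port` verdict means 1900 is the packet's source port while its destination is an ephemeral port, so a rule written as `udp dpt:1900` does not match it. On a live system the input would be `dmesg | grep DROP` instead of the sample.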

Skimming your references,
You might need to correct the camel case in your filename

/etc/sysconfig/SuSEfirewall2.d/services/PlexMedia-server

The Swerdna guide describes the filename as all lower case.

TSU

Thanks, I tried that and got this:


linux-f5tb:/home/Kilbert # pico /etc/sysconfig/SuSEfirewall2.d/services/plexmedia-server
linux-f5tb:/home/Kilbert # systemctl enable plexmediaserver.service
Synchronizing state of plexmediaserver.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable plexmediaserver
linux-f5tb:/home/Kilbert # systemctl start plexmediaserver.service
linux-f5tb:/home/Kilbert # 

Changed case to lower to match, restarted firewall with new service names, and restarted plex service etc…

Still no connection.

Standard troubleshooting practice is to probe the port using telnet; there will be different responses for whether the port is blocked, the port is open but the service is not responding, or if the port is open and the service does respond (which is often just a blank response, waiting).

Optionally, but in this case less informative than telnet, you can do a netstat to display which ports your machine is listening on.

TSU

Kilbert@linux-f5tb:~> telnet 192.168.1.134
Trying 192.168.1.134...
telnet: connect to address 192.168.1.134: Connection refused
Kilbert@linux-f5tb:~> telnet 192.168.1.134:34000
telnet: 192.168.1.134:34000: Name or service not known
Kilbert@linux-f5tb:~> telnet 192.168.1.134:1900
telnet: 192.168.1.134:1900: Name or service not known
Kilbert@linux-f5tb:~> telnet 192.168.1.134:8324
telnet: 192.168.1.134:8324: Name or service not known
Kilbert@linux-f5tb:~> telnet 192.168.1.134:3005
telnet: 192.168.1.134:3005: Name or service not known
Kilbert@linux-f5tb:~> telnet 192.168.1.134:32469
telnet: 192.168.1.134:32469: Name or service not known
Kilbert@linux-f5tb:~> telnet 192.168.1.134:32410
telnet: 192.168.1.134:32410: Name or service not known
Kilbert@linux-f5tb:~> telnet 192.168.1.134:32412
telnet: 192.168.1.134:32412: Name or service not known
Kilbert@linux-f5tb:~> telnet 192.168.1.134:32413
telnet: 192.168.1.134:32413: Name or service not known
Kilbert@linux-f5tb:~> telnet 192.168.1.134:32414
telnet: 192.168.1.134:32414: Name or service not known
Kilbert@linux-f5tb:~> telnet 192.168.1.134:80
telnet: 192.168.1.134:80: Name or service not known
Kilbert@linux-f5tb:~> telnet 192.168.1.134 34000
Trying 192.168.1.134...
telnet: connect to address 192.168.1.134: Connection refused
Kilbert@linux-f5tb:~> telnet 192.168.1.134 8324
Trying 192.168.1.134...
telnet: connect to address 192.168.1.134: Connection refused
Kilbert@linux-f5tb:~> telnet 192.168.1.134 1023
Trying 192.168.1.134...
telnet: connect to address 192.168.1.134: Connection refused
Kilbert@linux-f5tb:~> 

Appears ports are responding "Name or service not known".

When you use telnet to probe a network port, you have to specify the port you’re probing…
Else, you’re only poking the default telnet port which should be closed since nowadays telnet should never be used for communications the way it was originally intended (Today you should always SSH instead of telnet).

Telnet today should be used only as a network testing tool.

TSU

I am trying here, never used telnet, read the man pages at your suggestion to test the ports: “standard troubleshooting practice is to probe the port using telnet,”
However, every probe minus the first had a port, e.g.:
telnet 192.168.1.134:32414
Isn’t 32414 the port?

The syntax is ‘telnet <IP address> <port>’, e.g. using my printer as an example to test port 80…

# telnet 192.168.90.13 80
Trying 192.168.90.13...
Connected to 192.168.90.13.
Escape character is '^]'.
^]
telnet> close
Connection closed.

Thanks for the help, same results with spaces

Kilbert@linux-f5tb:~> su
Password: 
linux-f5tb:/home/Kilbert # telnet 192.168.1.134 32000
Trying 192.168.1.134...
telnet: connect to address 192.168.1.134: Connection refused
linux-f5tb:/home/Kilbert # telnet 192.168.1.134 3400
Trying 192.168.1.134...
telnet: connect to address 192.168.1.134: Connection refused
linux-f5tb:/home/Kilbert # telnet 192.168.1.134 1900
Trying 192.168.1.134...
telnet: connect to address 192.168.1.134: Connection refused
linux-f5tb:/home/Kilbert # telnet 192.168.1.134 32469
Trying 192.168.1.134...
telnet: connect to address 192.168.1.134: Connection refused
linux-f5tb:/home/Kilbert # dmesg |grep DROP                                             
   33.675927] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=d0 SRC=192.168.1.1 DST=192.168.1.134 LEN=380 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=55844 LEN=360 
   33.844798] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=d0: SRC=192.168.1.1 DST=192.168.1.134 LEN=360 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=33468 LEN=340 
   33.845080] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=d0:SRC=192.168.1.1 DST=192.168.1.134 LEN=305 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=33468 LEN=285 
   33.845340] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=d0: SRC=192.168.1.1 DST=192.168.1.134 LEN=296 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=33468 LEN=276 
   33.845651] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=d0: SRC=192.168.1.1 DST=192.168.1.134 LEN=370 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=33468 LEN=350 
   53.678919] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=d0: SRC=192.168.1.1 DST=192.168.1.134 LEN=360 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=33468 LEN=340 
   73.669223] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=d0: SRC=192.168.1.1 DST=192.168.1.134 LEN=360 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=33468 LEN=340

Can connect to one port that is in the list of open ports:

linux-f5tb:/home/Kilbert # telnet 192.168.1.134 32400
Trying 192.168.1.134...
Connected to 192.168.1.134.
Escape character is '^]'.

Can you confirm that you did this step in Swerdna’s guide?

  1. Open the Firewall in Yast ==> Allowed Services ==> Service to allow ==> Plexmedia Server (in the drop-down box) + Add ==> Next etc

Review your current firewall rules if in doubt…

iptables -nL -v --line-numbers

2nd image

Review your current firewall rules if in doubt…

iptables -nL -v --line-numbers
linux-f5tb:/home/Kilbert # iptables -nL -v --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     287K   46M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
2    1079K 1603M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED
4        4   865 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353 PKTTYPE = multicast
5     3333  959K input_ext  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
6        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-IN-ILL-TARGET "
7        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-FWD-ILL-ROUTING "

Chain OUTPUT (policy ACCEPT 653K packets, 38M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     287K   46M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           

Chain forward_ext (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain input_ext (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      401 23172 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
4        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpts:1714:1764 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1714:1764
6        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:3005 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
7        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3005
8        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:32400 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
9        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32400
10       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:32469 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
11       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32469
12       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:8324 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
13       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8324                                                                                                                                                                     
14       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpts:1714:1764 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "                                                                     
15       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1714:1764                                                                                                                                                               
16       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:3005 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "                                                                           
17       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3005                                                                                                                                                                     
18       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:8324 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "                                                                           
19       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8324                                                                                                                                                                     
20       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:32400 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "                                                                          
21       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32400                                                                                                                                                                    
22       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:32469 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "                                                                          
23       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32469                                                                                                                                                                    
24       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:1714:1764                                                                                                                                                               
25     453  132K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900                                                                                                                                                                     
26       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3005                                                                                                                                                                     
27       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3240                                                                                                                                                                     
28       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:32400                                                                                                                                                                    
29       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:32410                                                                                                                                                                    
30       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:32412                                                                                                                                                                    
31       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:32413                                                                                                                                                                    
32       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:32414                                                                                                                                                                    
33       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:32469                                                                                                                                                                    
34       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353                                                                                                                                                                     
35       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:1714:1764                                                                                                                                                               
36       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900                                                                                                                                                                     
37       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353                                                                                                                                                                     
38       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:32410                                                                                                                                                                    
39       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:32412                                                                                                                                                                    
40       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:32413                                                                                                                                                                    
41       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:32414                                                                                                                                                                    
42      28  1859 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* sfw2.insert.pos */ PKTTYPE != unicast                                                                                                                                         
43      53 15295 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "                                                                                                     
44    2451  801K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                                                                                                             
                                                                                                                                                                                                                                                                               
Chain reject_func (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
2        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
3        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable
linux-f5tb:/home/Kilbert # 

No firewall:
1st image

Thanks
John

Apart from the duplicate rules you seem to have, I think this looks ok. You can get the active rule-list using

iptables -S

In an effort to assist I configured a test machine with the plexmedia server rules and get


# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forward_ext
-N input_ext
-N reject_func
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -m pkttype ! --pkt-type unicast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable

Can you access the server from another device on the LAN via its web interface?

http://<Plex_server_IP_address>:32400/web/index.html

Sorry, that should have been

# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forward_ext
-N input_ext
-N reject_func
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 3005 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 3005 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8324 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8324 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 32400 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 32400 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 32469 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 32469 -j ACCEPT
-A input_ext -p udp -m udp --dport 1900 -j ACCEPT
-A input_ext -p udp -m udp --dport 5353 -j ACCEPT
-A input_ext -p udp -m udp --dport 32410 -j ACCEPT
-A input_ext -p udp -m udp --dport 32412 -j ACCEPT
-A input_ext -p udp -m udp --dport 32413 -j ACCEPT
-A input_ext -p udp -m udp --dport 32414 -j ACCEPT
-A input_ext -m pkttype ! --pkt-type unicast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable

Ummmm… have you considered setting **FW_CONFIGURATIONS_EXT="PlexMedia-server"** in /etc/sysconfig/SuSEfirewall2?

If not, the drop-in configuration just won’t be read.

If the OP has followed swerdna’s guide, then this will have been done via YaST (by allowing the required service).

Sorry so long between,
Thanks for the help, I still cannot get it working,

[QUOTE]Can you access the server from another device on the LAN via its web interface?[/QUOTE]

> YES, only with firewall off, can log in from my phone.

> LOOKS like it's set

# FW_SERVICES_ACCEPT_*
#
# Example: "samba-server nfs-kernel-server"
FW_CONFIGURATIONS_EXT="plexmedia-server"

## Type:        string
# 
# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_DMZ_TCP=""

## Type:        string

&

#
FW_SERVICES_EXT_TCP=" 1714:1764 3005 32400 32469 8324"
 
## Type:        string
# 
# Which UDP services _on the firewall_ should be accessible from
# untrusted networks?
# 
# Format: space separated list of ports, port ranges or well known
#         service names (see /etc/services)
#
# Example: "53", "syslog"
# 
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_UDP="1714:1764 1900 3005 3240 32400 32410 32412 32413 32414 32469 5353"
 
## Type:        string
#
# Which IP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Usually for VPN/Routing services that END at the firewall like
# IPsec, GRE, PPTP or OSPF
# 
# Format: space separated list of ports, port ranges or well known
#         protocol names (see /etc/protocols)
# 
# Example: "esp"
# 
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
# 
FW_SERVICES_EXT_IP=""

## Type:        string

My IP tables looks similar, has the same allowed ports:

linux-f5tb:/home/Kilbert # iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forward_ext
-N input_ext
-N reject_func
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -m pkttype --pkt-type multicast -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 1714:1764 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 1714:1764 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 3005 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 3005 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 32400 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 32400 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 32469 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 32469 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8324 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8324 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 1714:1764 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 1714:1764 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 3005 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 3005 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8324 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8324 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 32400 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 32400 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 32469 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 32469 -j ACCEPT
-A input_ext -p udp -m udp --dport 1714:1764 -j ACCEPT
-A input_ext -p udp -m udp --dport 1900 -j ACCEPT
-A input_ext -p udp -m udp --dport 3005 -j ACCEPT
-A input_ext -p udp -m udp --dport 3240 -j ACCEPT
-A input_ext -p udp -m udp --dport 32400 -j ACCEPT
-A input_ext -p udp -m udp --dport 32410 -j ACCEPT
-A input_ext -p udp -m udp --dport 32412 -j ACCEPT
-A input_ext -p udp -m udp --dport 32413 -j ACCEPT
-A input_ext -p udp -m udp --dport 32414 -j ACCEPT
-A input_ext -p udp -m udp --dport 32469 -j ACCEPT
-A input_ext -p udp -m udp --dport 5353 -j ACCEPT
-A input_ext -p udp -m udp --dport 1714:1764 -j ACCEPT
-A input_ext -p udp -m udp --dport 1900 -j ACCEPT
-A input_ext -p udp -m udp --dport 5353 -j ACCEPT
-A input_ext -p udp -m udp --dport 32410 -j ACCEPT
-A input_ext -p udp -m udp --dport 32412 -j ACCEPT
-A input_ext -p udp -m udp --dport 32413 -j ACCEPT
-A input_ext -p udp -m udp --dport 32414 -j ACCEPT
-A input_ext -m comment --comment "sfw2.insert.pos" -m pkttype ! --pkt-type unicast -j DROP
-A input_ext -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable

any help is appreciated.

Your two effective firewall outputs are not exactly the same.
Didn’t take a close look whether the differences are substantive or not.

Recommend that deano post the FW rules from his test,
Then @kilbert should take the file, use a “Find and replace” to insert his own IP address values and then use that file in his firewall (rename the original so it can be restored if you wish. Or, maybe just start over if this all fails).

The idea is that if deano’s firewall config works and if @kilbert’s machine is similarly a nearly default install then that should solve whatever FW issues exist.

After copying in the new rules, you will need to restart the FW services (You can use YaST to do that or reboot).

This is a “quick and dirty” solution which should work.
From a practical perspective, it is expedient but of course without close inspection the real problem won’t be known.

IMO,
TSU
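To check what a rule listing like the ones above does with one specific packet, the chain can be walked in order against the fields of a logged drop. The following is an added example, not code from any poster in this thread: it understands only `-p`, `--dport`, non-negated `--pkt-type` and `-j`, and both the rule subset and the log line (a UDP packet with source port 1900 and an ephemeral destination port) are constructed samples.

```python
import re
import shlex

# Constructed sample: a subset of input_ext rules in the form printed by
# `iptables -S`, and one LOG line in the SFW2-INext-DROP-DEFLT format.
RULES = """\
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m tcp --dport 32400 -j ACCEPT
-A input_ext -p udp -m udp --dport 1714:1764 -j ACCEPT
-A input_ext -p udp -m udp --dport 1900 -j ACCEPT
-A input_ext -p udp -m udp --dport 5353 -j ACCEPT
-A input_ext -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT "
-A input_ext -j DROP
"""
LOG = ("SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= SRC=192.168.1.1 DST=plexserver "
       "PROTO=UDP SPT=1900 DPT=48971 LEN=360")

def parse_log(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict."""
    return dict(re.findall(r"(\w+)=(\S*)", line))

def parse_rule(line):
    """Extract the match fields this example understands from one -A line."""
    tok = shlex.split(line)
    opt = lambda name: tok[tok.index(name) + 1] if name in tok else None
    return {"proto": opt("-p"), "dport": opt("--dport"),
            "pkttype": opt("--pkt-type"), "target": opt("-j"), "text": line}

def port_matches(spec, port):
    """True if port equals a single-port spec or lies inside a lo:hi range."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def verdict(rules_text, pkt, pkttype="unicast"):
    """Walk the chain in order; return (target, rule) of the first terminating match."""
    for rule in map(parse_rule, rules_text.strip().splitlines()):
        if rule["proto"] and rule["proto"] != pkt["PROTO"].lower():
            continue
        if rule["dport"] and not port_matches(rule["dport"], int(pkt["DPT"])):
            continue  # --dport tests the destination port; SPT is never consulted
        if rule["pkttype"] and rule["pkttype"] != pkttype:
            continue
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"], rule["text"]  # LOG does not end the walk
    return "DROP", "(no terminating rule matched)"
```

Calling `verdict(RULES, parse_log(LOG))` returns the final `-j DROP` rule, because the `--dport 1900` ACCEPT only matches packets whose destination port is 1900, not packets that merely come from port 1900.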