Home Assistant firewalld configuration

Hi everyone, I installed the Home Assistant Docker container as per the official documentation. When I deactivate the firewall it manages to discover the devices, so which ports do you recommend I open? Unfortunately I really don't know how to do it; furthermore, they don't say which ports to open. I changed the firewall zone to home, but it didn't work.
Thanks in advance!

fatalii@omv:~/storage/raid_1/docker_data/domotica> sudo firewall-cmd --zone=home --add-port=1900/udp --permanent
[sudo] password for root: 
Sorry, try again.
[sudo] password for root: 
Warning: ALREADY_ENABLED: 1900:udp
success
fatalii@omv:~/storage/raid_1/docker_data/domotica> sudo firewall-cmd --zone=home --add-port=5353/udp --permanent

Warning: ALREADY_ENABLED: 5353:udp
success
fatalii@omv:~/storage/raid_1/docker_data/domotica> sudo firewall-cmd --zone=home --add-port=5353/udp --permanent
Warning: ALREADY_ENABLED: 5353:udp
success
fatalii@omv:~/storage/raid_1/docker_data/domotica> 
fatalii@omv:~/storage/raid_1/docker_data/domotica> sudo firewall-cmd --zone=home --add-port=5683/udp --permanent
Warning: ALREADY_ENABLED: 5683:udp
success
fatalii@omv:~/storage/raid_1/docker_data/domotica> sudo firewall-cmd --zone=home --add-port=51827/tcp --permanent
Warning: ALREADY_ENABLED: 51827:tcp
success
fatalii@omv:~/storage/raid_1/docker_data/domotica> sudo firewall-cmd --reload
success
fatalii@omv:~/storage/raid_1/docker_data/domotica> 
fatalii@omv:~/storage/raid_1/docker_data/domotica> sudo firewall-cmd --list-all
public (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 8123/tcp 8080/tcp 1883/tcp 9001/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
fatalii@omv:~/storage/raid_1/docker_data/domotica> 

I tried on another distro that has different firewall rules, and for example Fedora Workstation started it without any problems.
The problem is understanding which ports to open.

To learn which port to open I would enable logging in the firewall:

sudo firewall-cmd --set-log-denied=all

Then do what you like to do and study the journal for what is blocked. Check if that makes sense and, if so, add that port (or those ports) to your config. When done, disable the logging again.


I resolved the issue: openSUSE comes with default firewall rules that offer a high level of security, suitable for enterprise environments. It's secure from the start. Debian, on the other hand, does not come with default firewall rules; everything is open, and it's up to the user to configure a firewall (e.g., UFW or firewalld) to enhance security. Fedora has a range of ports open by default, which is why things worked right away.

For my setup, I configured the firewall for the “home” zone and then opened a specific range of ports for Home Assistant OS, which is what it typically uses. While this approach might seem a bit flexible, it’s still better than having no firewall. Many operating systems have similar default configurations. Additionally, since my server is at home and there is no external network access, the risk is minimized. Access is only possible via WireGuard, which adds an extra layer of security.

I might be among the first to set up this configuration, and I’m quite pleased with it. I wrote this quickly, so I hope it’s clear. Writing is not always my strong suit.
firewalld rules 👇🏻

target: default
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces: wlp165s0
sources:
services: dhcpv6-client mdns samba-client ssh
ports: 1025-65535/udp 1025-65535/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

I’m sure there are more refined methods for my distribution, but this setup is working well for me. Thanks to everyone for the support!
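Two things in this thread are worth checking on any firewalld host: the ports in the first session were added to the "home" zone while `--list-all` shows "public" as the active zone (so those rules never applied), and the final config opens 1025-65535 on both protocols. The script below is an added example, not code from the thread or from firewalld; it parses the `firewall-cmd --list-all-zones` output format as it appears above and flags both conditions. The sample zone text is constructed for the example.

```shell
#!/bin/sh
# Added example: audit firewalld zone output for two common misconfigurations.
#  - UNBOUND: a zone has ports opened but no interface or source bound to it,
#    and it is not the default/active zone, so the rules never take effect.
#  - WIDE: a port range so large it amounts to disabling the firewall.
# Real use: sudo firewall-cmd --list-all-zones | audit_zones

# Constructed sample, shaped like the output in the thread: ports were
# added to "home", but only "public" is active and carries the real list.
SAMPLE='public (default, active)
  target: default
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 8123/tcp 8080/tcp 1883/tcp 9001/tcp
  rich rules:

home
  target: default
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp 5353/udp
  rich rules:
'

# audit_zones: reads zone blocks on stdin, prints one finding per line.
audit_zones() {
  awk '
    # A zone header is an unindented line without a colon, e.g. "home"
    # or "public (default, active)". The default zone catches every
    # interface that is not explicitly assigned, so treat it as bound.
    /^[^ \t][^:]*$/ { zone = $1; bound = ($0 ~ /default|active/); next }
    /^[ \t]*interfaces:/ || /^[ \t]*sources:/ { if (NF > 1) bound = 1; next }
    /^[ \t]*ports:/ {
      if (NF > 1 && !bound)
        printf "UNBOUND %s: ports set but no interface or source\n", zone
      for (i = 2; i <= NF; i++) {
        split($i, p, "/"); split(p[1], r, "-")   # "1025-65535/udp"
        if (r[2] != "" && r[2] - r[1] + 1 > 1000)
          printf "WIDE %s: %s opens %d ports\n", zone, $i, r[2] - r[1] + 1
      }
    }
  '
}

printf '%s' "$SAMPLE" | audit_zones
```

On the thread's own output this reports "home" as unbound (explaining why adding 5353/udp there changed nothing while public stayed active) and flags both 1025-65535 ranges.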


I see this: https://www.cyberciti.biz/faq/enable-firewalld-logging-for-denied-packets-on-linux/
