UPnP Blocked by SuSE Firewall

I set up Mediatomb on another box in my house to connect to with XBMC. XBMC will only connect though if the firewall is off on the local machine. I have both TCP and UDP ports 1900 and 50500 (the port for Mediatomb) enabled on my laptop (local) and the correct ports are open on the remote machine (my wife’s Vista laptop will connect through XBMC). I can connect to Mediatomb through its web interface (to set visible folders/files) but not through UPnP (at least not through XBMC).

Is there a good resource for understanding SuSE’s firewall zones? Right now only the external zone is protected.

Thanks!

Well I guess I should probably include some system details…

Opensuse 11.3 32bit remote machine (I say remote but it’s just across the room…:wink: )
Opensuse 11.3 64bit local machine

Laptop (local) is a Dell Vostro with Broadcom43xx wireless

Remote machine has a static IP while local is dynamic.

I’ve also seen a couple of posts which suggest multicasting not working properly could be the issue.
My hosts.conf has “multi on” set, and ifconfig gives me:


eth0      Link encap:Ethernet  HWaddr 00:1D:09:BF:E8:1E  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:17 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:164 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:11372 (11.1 Kb)  TX bytes:11372 (11.1 Kb)

wlan0     Link encap:Ethernet  HWaddr 00:1E:4C:48:4A:3F  
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:4cff:fe48:4a3f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14937 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13612 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9384937 (8.9 Mb)  TX bytes:3168914 (3.0 Mb)

Is there better testing I can do?

On Sat January 15 2011 07:06 pm, killsforpie wrote:

>
> I setup Mediatomb on another box in my house to connect to with XBMC.
> XBMC will only connect though if the firewall is off on the local
> machine. I have both TCP and UDP ports 1900 and 50500 (the port for
> Mediatomb) enabled on my laptop (local) and the correct ports are open
> on the remote machine (my wife’s Vista laptop will connect through
> XBMC). I can connect to Mediatomb through its web interface (to set
> visible folders/files) but not through UPnP (at least not through XBMC).
>
>
> Is there a good resource for understanding SuSE’s firewall zones? Right
> now only the external zone is protected.
>
> Thanks!
>
>
killsforpie;

Have you read:
http://mediatomb.cc/pages/documentation

Unless you specify otherwise it looks like mediatomb will pick any available
port above 49152. Have you specified a port? If you Google “mediatomb port”
you will find a number of suggestions and explanations. I’ve never tried
mediatomb and am no expert.

It is possible to allow traffic through the high ports of SuSEfirewall2, but
not recommended. I don’t think you can any longer do this with the YaST
firewall module, but you can do it manually as follows:
YaST -> System -> /etc/sysconfig Editor -> Expand network, firewall,
SuSEfirewall2 -> select FW_ALLOW_INCOMING_HIGHPORTS_[TCP,UDP]

There is a big risk just opening high ports, particularly if you are not
behind a NAT router.


P. V.
“We’re all in this together, I’m pulling for you.” Red Green

Hey venzkep, thanks for the response.

I have read the documentation and set the Mediatomb port manually with a command line option to 50500. This is confirmed by looking at the logs. Is there a way for me to monitor what ports XBMC is trying to open and see if there’s another one I need to unblock? I’d rather not simply allow high ports even though I am behind a NAT router.

I’ve also discovered that if I restart Mediatomb with XBMC open that XBMC can then make the connection. But if I close XBMC and try again, it can’t.

Sure. Everything will be there in the firewall log. I think by default it logs all the dropped packets but of course it can be changed.

Best regards,
Greg

I took a look at the firewall log and came up with this:


Jan 16 14:09:12 linux-jy1p kernel: [69527.073416] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.165 DST=192.168.1.3 LEN=323 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=56568 DPT=14788 LEN=303 
Jan 16 14:09:12 linux-jy1p kernel: [69527.074669] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=14788 LEN=258 
Jan 16 14:09:12 linux-jy1p kernel: [69527.074931] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=14788 LEN=258 
Jan 16 14:09:12 linux-jy1p kernel: [69527.170536] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.165 DST=192.168.1.3 LEN=323 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51260 DPT=14788 LEN=303 
Jan 16 14:10:02 linux-jy1p kernel: [69577.119205] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=14788 LEN=258 
Jan 16 14:10:02 linux-jy1p kernel: [69577.120662] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=14788 LEN=258 

and I noticed the destination port (is this the port that needs to be open?) isn’t open. So I opened 14788 and tried again:


Jan 16 14:21:08 linux-jy1p kernel: [70243.710369] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=5534 LEN=258 
Jan 16 14:21:08 linux-jy1p kernel: [70243.714844] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=5534 LEN=258 
Jan 16 14:21:08 linux-jy1p kernel: [70243.715762] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.165 DST=192.168.1.3 LEN=323 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53222 DPT=5534 LEN=303 
Jan 16 14:21:09 linux-jy1p kernel: [70244.825636] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.165 DST=192.168.1.3 LEN=323 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=52881 DPT=5534 LEN=303 
Jan 16 14:21:58 linux-jy1p kernel: [70293.760739] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=5534 LEN=258 
Jan 16 14:21:58 linux-jy1p kernel: [70293.761768] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=5534 LEN=258 
Jan 16 14:21:58 linux-jy1p kernel: [70293.828136] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.165 DST=192.168.1.3 LEN=323 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=60705 DPT=5534 LEN=303 

Now the destination is 5534 so I’m guessing there isn’t a specific pattern. I suppose at this point I need to head to the XBMC or Mediatomb forums and figure out why it’s picking these seemingly random ports…

One last thing: if I let XBMC sit long enough eventually it connects.
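The dropped packets above share one pattern: UDP from port 1900 (SSDP) on the router, and from another LAN host, aimed at whatever high port XBMC happened to use for its multicast search, which is why the port changes between runs (14788, then 5534). This Python script is an added example, not something posted in the thread: it groups SuSEfirewall2 drop lines by local destination port and flags the ports that received traffic from port 1900, so the pattern is visible without reading the raw log; the embedded lines are four of the log lines from this post.

```python
import re
from collections import defaultdict, Counter

# Four of the SFW2 drop lines posted above in this thread (copied verbatim).
SAMPLE_LOG = """\
Jan 16 14:09:12 linux-jy1p kernel: [69527.073416] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.165 DST=192.168.1.3 LEN=323 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=56568 DPT=14788 LEN=303
Jan 16 14:09:12 linux-jy1p kernel: [69527.074669] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=14788 LEN=258
Jan 16 14:21:08 linux-jy1p kernel: [70243.710369] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=5534 LEN=258
Jan 16 14:21:08 linux-jy1p kernel: [70243.715762] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.165 DST=192.168.1.3 LEN=323 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53222 DPT=5534 LEN=303
"""

SSDP_PORT = 1900
TAG_RE = re.compile(r"(SFW2-\S+)")       # e.g. SFW2-INext-DROP-DEFLT
FIELD_RE = re.compile(r"(\w+)=(\S*)")    # KEY=value tokens after the tag

def parse_sfw2_line(line):
    """Return the KEY=value fields of one SuSEfirewall2 log line, or None."""
    m = TAG_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    fields["TAG"] = m.group(1)
    return fields

def drops_by_local_port(log_text):
    """Map each local UDP destination port to a Counter of (SRC, SPT) senders."""
    table = defaultdict(Counter)
    for line in log_text.splitlines():
        f = parse_sfw2_line(line)
        if f and f.get("PROTO") == "UDP" and "DROP" in f["TAG"]:
            table[int(f["DPT"])][(f["SRC"], int(f["SPT"]))] += 1
    return dict(table)

def ssdp_reply_ports(table):
    """Local ports that received dropped packets from SSDP port 1900: these are
    the ephemeral ports a search was sent from, so the drops are the replies."""
    return sorted(port for port, senders in table.items()
                  if any(spt == SSDP_PORT for _, spt in senders))

if __name__ == "__main__":
    table = drops_by_local_port(SAMPLE_LOG)
    for port in ssdp_reply_ports(table):
        print(f"local port {port}: replies dropped from",
              sorted(f"{src}:{spt}" for src, spt in table[port]))
```

Run it against /var/log/firewall (or wherever SuSEfirewall2 logs on your system) instead of SAMPLE_LOG; if the flagged port differs on every run, opening a single fixed port will not help.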

I haven’t used any of these applications, but isn’t it possible to configure the port with which it should connect inside the application?

Best regards,
Greg

One last thought. I had to open UDP port 1900 in my firewall so that I could use UPnP in ktorrent. Did you try this already?

Best regards,
Greg

Glistwan:

Yes, I set 50500 as the port in Mediatomb. I have 1900 open as well.

Ok, then I guess I can’t help you out :slight_smile: good luck.

Best regards,
Greg

On Sun January 16 2011 02:06 pm, killsforpie wrote:

>
> One last thing: if I let XBMC sit long enough eventually it connects.
>
>
killsforpie;

What is 192.168.1.1 assigned to? Normally one would expect the router. Could
you have XBMC also using 192.168.1.1? It might help if you posted the
results of:


/sbin/route -n


P. V.
“We’re all in this together, I’m pulling for you.” Red Green

I believe 192.168.1.1 is the router (that’s how I get to it in the browser).

/sbin/route -n


Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0

Using gupnp-universal-cp, the UPnP server takes a while to come up as well. This makes me think it’s not XBMC, and the fact that it works on my wife’s Vista laptop with XBMC makes me think it’s not Mediatomb. Any other suggestions for me to try?

I found it most useful within my trusted network to simply open up to all network traffic from the UPnP device’s IP address, rather than fight with which ports to open to every device.