LinuxQuestions.org

Linux - Security: Mandriva firewall and minidlna (http://www.linuxquestions.org/questions/linux-security-4/mandriva-firewall-and-minidlna-913964/)

Johng 11-16-2011 10:36 PM

Mandriva firewall and minidlna
 
Mandriva Firewall:

If I run minidlna without a firewall, everything works fine. The client tells me the tcp port is 1900.

If I enable the Firewall and on the "Advanced" page I nominate 'Other Ports' 1900/tcp 1900/udp the client (Sony TV) cannot connect.

With no firewall:
netstat -anp | grep 1900
tcp 0 0 0.0.0.0:1900 0.0.0.0:* LISTEN 3432/minidlna
udp 0 0 0.0.0.0:1900 0.0.0.0:* 3432/minidlna

With firewall:
netstat -anp | grep 1900
tcp 0 0 0.0.0.0:1900 0.0.0.0:* LISTEN 3432/minidlna
tcp 0 0 192.168.1.65:1900 192.168.1.76:61927 TIME_WAIT -
tcp 0 0 192.168.1.65:1900 192.168.1.76:61930 TIME_WAIT -
tcp 0 0 192.168.1.65:1900 192.168.1.76:61931 TIME_WAIT -
tcp 0 0 192.168.1.65:1900 192.168.1.76:61928 TIME_WAIT -
tcp 0 0 192.168.1.65:1900 192.168.1.76:61929 TIME_WAIT -
udp 0 0 0.0.0.0:1900 0.0.0.0:* 3432/minidlna

What do I need to do??

davemguru 11-19-2011 02:54 PM

Quote:

Originally Posted by Johng (Post 4526208)

The default port for the minidlna webui is 80. I presume that you have changed it. Can you show the contents of your /etc/minidlna.conf?

Johng 11-19-2011 05:23 PM

Hi davemguru

I changed the port from 8200 to 1900 to see what happened. The relevant portion from minidlna.conf looks like this:

# port for HTTP (descriptions, SOAP, media transfer) traffic
port=1900


Before modifying the original minidlna.conf from port at 8200, I tried adding 8200/tcp 8200/udp to the firewall (without success).

The only other change to the minidlna.conf is the addition of media_dir=V,/home/john/Videos which works when there's no firewall.

davemguru 11-20-2011 04:20 AM

Why not try port 80? If it works, then it tells you that your firewall exclusions/rules are the problem, right?


Dave

Johng 11-20-2011 02:59 PM

Changing to port 80 makes no difference, i.e. the firewall, when on, blocks the minidlna connection.

davemguru 11-21-2011 07:34 AM

OK - then we conclude that the firewall is doing more than we think it should, right? So, how can this be?
Well, I decided to set up a little test and "lo and behold" - my system "decided to use shorewall" as the backend.

My LAN sits behind a router with a firewall on the router. This is a "typical setup". So, within my LAN, there is no firewall. My server has mediatomb as my DLNA/UPnP server and my clients use djmount for their requests.

Shorewall considers UPnP to be "a disaster". Read this to see why.
So, if you want to turn on shorewall in Mandriva - you will have to install Linux IGD because shorewall thinks this is the safest solution.
You may (like me) think "Hrmphhh!" and other grunts and expletives. You may (like me) wonder why the Mandriva gui doesn't say "There are secret things that will be silently disallowed" because we use shorewall.

I am now going to experiment with direct bashing of /usr/share/shorewall and the files that use "macro.DropUPnP". I will post here if I have any success.
Note - I know this is bludgeoning behavior and not the "proper way". But, I had a cursory look at the documentation for linux IGD and decided it was too hard. I like to pride myself on my ability to decipher documentation. I have been unix-ing since 1979 and linux-ing since 1997. I will (eventually) read the linux IGD docs in full and work out a simpler way to do things. I am somewhat pedantic and I enjoy the problems.
My answer to you right now, in order of "correctness", is:
A) Use the firewall (shorewall) with Linux IGD
B) use a different firewall.
C) ask someone else if they have a better suggestion.
D) Don't use the firewall.
E) Bash the shorewall files yourself
F) wait for someone like me to bash the shorewall files.
Dave

davemguru 11-21-2011 08:43 AM

OK - my "sledgehammer approach" is...
Stop the firewall.
In the folder /usr/share/shorewall edit 2 files - "action.Drop" and "action.Reject".
Locate the line DropUPnP in each file and "comment out", viz.:
Code:

#DropUPnP
Start the firewall.

It worked for me.

Dave
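
Dave's two-file edit as a script, added here and not posted in the thread: it comments out DropUPnP in action.Drop and action.Reject, keeps a .bak copy of each, and re-checks the result so it can be re-run. It assumes SHOREWALL_DIR can be pointed at a scratch copy for a dry run, and the sample file contents it builds are constructed stand-ins, not the real shorewall files.

```shell
#!/bin/sh
# Added example (not from the thread): Dave's edit of shorewall's action.Drop
# and action.Reject, done with a backup and a check so it can be re-run safely.
# SHOREWALL_DIR is assumed overridable so the functions can be tried on a
# scratch copy before touching /usr/share/shorewall.
set -eu

SHOREWALL_DIR="${SHOREWALL_DIR:-/usr/share/shorewall}"

# Number of active (uncommented) DropUPnP lines in one file; 0 if it is absent.
active_dropupnp_lines() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^[[:space:]]*DropUPnP' "$1" || true
}

# Comment out DropUPnP in one file, keeping a .bak copy to restore from.
# Returns 0 when the file ends up with no active DropUPnP line.
disable_dropupnp() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    if [ "$(active_dropupnp_lines "$f")" -gt 0 ]; then
        cp -p "$f" "$f.bak"
        sed 's/^\([[:space:]]*\)DropUPnP/\1#DropUPnP/' "$f" > "$f.tmp"
        mv "$f.tmp" "$f"
    fi
    [ "$(active_dropupnp_lines "$f")" -eq 0 ]
}

# Apply the edit to both files Dave names.
disable_dropupnp_all() {
    disable_dropupnp "$SHOREWALL_DIR/action.Drop"
    disable_dropupnp "$SHOREWALL_DIR/action.Reject"
}

# Build a scratch directory with constructed stand-ins for the two files
# (only the DropUPnP line matters here) and print its path.
make_scratch_dir() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed stand-in, not the real file' 'DropUPnP' 'dropInvalid' > "$d/action.Drop"
    printf '%s\n' '# constructed stand-in, not the real file' 'DropUPnP' 'dropInvalid' > "$d/action.Reject"
    echo "$d"
}
```

Run it as root against the real directory only with the firewall stopped, as in Dave's steps, and start the firewall again afterwards; the 1900/tcp and 1900/udp entries from the first post are still needed, this only removes the DropUPnP step that was discarding the traffic regardless.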

Johng 11-22-2011 12:04 AM

And it worked for me.

Thank you Dave.

davemguru 11-23-2011 02:49 AM

You are welcome. Perhaps you should mark the thread as "SOLVED"?

Dave

Johng 11-23-2011 03:20 PM

It's really great to have someone go to the trouble of finding a solution to a problem that googling indicates others share, but there's no corresponding answer(s). Thanks again. (I think I have ticked all the boxes).

