Old 11-16-2011, 10:36 PM   #1
Johng
Member
 
Registered: Feb 2002
Location: NZ
Distribution: Mageia
Posts: 282

Rep: Reputation: 30
Mandriva firewall and minidlna


Mandriva Firewall:

If I run minidlna without a firewall, everything works fine. The client tells me the tcp port is 1900.

If I enable the Firewall and on the "Advanced" page I nominate 'Other Ports' 1900/tcp 1900/udp the client (Sony TV) cannot connect.

With no firewall:
netstat -anp | grep 1900
tcp 0 0 0.0.0.0:1900 0.0.0.0:* LISTEN 3432/minidlna
udp 0 0 0.0.0.0:1900 0.0.0.0:* 3432/minidlna

With firewall:
netstat -anp | grep 1900
tcp 0 0 0.0.0.0:1900 0.0.0.0:* LISTEN 3432/minidlna
tcp 0 0 192.168.1.65:1900 192.168.1.76:61927 TIME_WAIT -
tcp 0 0 192.168.1.65:1900 192.168.1.76:61930 TIME_WAIT -
tcp 0 0 192.168.1.65:1900 192.168.1.76:61931 TIME_WAIT -
tcp 0 0 192.168.1.65:1900 192.168.1.76:61928 TIME_WAIT -
tcp 0 0 192.168.1.65:1900 192.168.1.76:61929 TIME_WAIT -
udp 0 0 0.0.0.0:1900 0.0.0.0:* 3432/minidlna

What do I need to do??
 
Old 11-19-2011, 02:54 PM   #2
davemguru
Member
 
Registered: Apr 2006
Location: London
Distribution: Pclos,Debian,Puppy,Fedora
Posts: 87

Rep: Reputation: 40
Quote:
Originally Posted by Johng View Post
Mandriva Firewall:

If I run minidlna without a firewall, everything works fine. The client tells me the tcp port is 1900.

If I enable the Firewall and on the "Advanced" page I nominate 'Other Ports' 1900/tcp 1900/udp the client (Sony TV) cannot connect.

With no firewall:
netstat -anp | grep 1900
tcp 0 0 0.0.0.0:1900 0.0.0.0:* LISTEN 3432/minidlna
udp 0 0 0.0.0.0:1900 0.0.0.0:* 3432/minidlna

With firewall:
netstat -anp | grep 1900
tcp 0 0 0.0.0.0:1900 0.0.0.0:* LISTEN 3432/minidlna
tcp 0 0 192.168.1.65:1900 192.168.1.76:61927 TIME_WAIT -
tcp 0 0 192.168.1.65:1900 192.168.1.76:61930 TIME_WAIT -
tcp 0 0 192.168.1.65:1900 192.168.1.76:61931 TIME_WAIT -
tcp 0 0 192.168.1.65:1900 192.168.1.76:61928 TIME_WAIT -
tcp 0 0 192.168.1.65:1900 192.168.1.76:61929 TIME_WAIT -
udp 0 0 0.0.0.0:1900 0.0.0.0:* 3432/minidlna

What do I need to do??
The default port for the minidlna webui is 80. I presume that you have changed it. Can you show the contents of your /etc/minidlna.conf?
 
Old 11-19-2011, 05:23 PM   #3
Johng
Member
 
Registered: Feb 2002
Location: NZ
Distribution: Mageia
Posts: 282

Original Poster
Rep: Reputation: 30
Hi davemguru

I changed the port from 8200 to 1900 to see what happened. The relevant portion from minidlna.conf looks like this:

# port for HTTP (descriptions, SOAP, media transfer) traffic
port=1900


Before modifying the original minidlna.conf from port at 8200, I tried adding 8200/tcp 8200/udp to the firewall (without success).

The only other change to the minidlna.conf is the addition of media_dir=V,/home/john/Videos which works when there's no firewall.
 
Old 11-20-2011, 04:20 AM   #4
davemguru
Member
 
Registered: Apr 2006
Location: London
Distribution: Pclos,Debian,Puppy,Fedora
Posts: 87

Rep: Reputation: 40
Why not try port 80? If it works - then it tells you that your firewall exclusions/rules are the problem, right?


Dave
 
Old 11-20-2011, 02:59 PM   #5
Johng
Member
 
Registered: Feb 2002
Location: NZ
Distribution: Mageia
Posts: 282

Original Poster
Rep: Reputation: 30
Changing to port 80 makes no difference, i.e. the firewall on blocks minidlna connection.
 
Old 11-21-2011, 07:34 AM   #6
davemguru
Member
 
Registered: Apr 2006
Location: London
Distribution: Pclos,Debian,Puppy,Fedora
Posts: 87

Rep: Reputation: 40
OK - then we conclude that the firewall is doing more than we think it should right? So, how can this be?
Well, I decided to set up a little test and "lo and behold" - my system "decided to use shorewall" as the backend.

My lan sits behind a router with a firewall on the router. This is a "typical setup". So, within my lan - there is no firewall. My server has mediatomb as my dlna/UPnP server and my clients use djmount for their requests.

Shorewall considers UPnP to be "a disaster". Read this to see why.
So, if you want to turn on shorewall in Mandriva - you will have to install Linux IGD because shorewall thinks this is the safest solution.
You may (like me) think "Hrmphhh!" and other grunts and expletives. You may (like me) wonder why the Mandriva gui doesn't say "There are secret things that will be silently disallowed" because we use shorewall.

I am now going to experiment with direct bashing of /usr/share/shorewall and the files that use "macro.DropUPnP". I will post here if I have any success.
Note - I know this is bludgeoning behavior and not the "proper way". But, I had a cursory look at the documentation for linux IGD and decided it was too hard. I like to pride myself on my ability to decipher documentation. I have been unix-ing since 1979 and linux-ing since 1997. I will (eventually) read the linux IGD docs in full and work out a simpler way to do things. I am somewhat pedantic and I enjoy the problems.
My answer to you right now in order of "correctness" is;
A) Use the firewall (shorewall) with Linux IGD
B) use a different firewall.
C) ask someone else if they have a better suggestion.
D) Don't use the firewall.
E) Bash the shorewall files yourself
F) wait for someone like me to bash the shorewall files.
Dave
 
Old 11-21-2011, 08:43 AM   #7
davemguru
Member
 
Registered: Apr 2006
Location: London
Distribution: Pclos,Debian,Puppy,Fedora
Posts: 87

Rep: Reputation: 40
OK - my "sledgehammer approach" is...
Stop the firewall.
in the folder /usr/share/shorewall edit 2 files - "action.Drop" and "action.Reject".
locate the line DropUPnP in each file and "comment out" viz:-
Code:
#DropUPnP
Start the firewall.

It worked for me.

Dave
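
Added example, not part of the post above and not Shorewall's own code: the same edit applied to copies of the two files, so the packaged originals stay untouched and the change can be checked before and after. The function names and the sample file contents are constructed for illustration, and using /etc/shorewall as an override directory is an assumption about Shorewall's configuration search path.

```shell
#!/bin/sh
# Added example: comment out DropUPnP in copies of action.Drop/action.Reject.
# Function names and sample file contents are constructed for illustration.

FILES="action.Drop action.Reject"

# count_active DIR: print how many active (uncommented) DropUPnP lines exist.
count_active() {
    total=0
    for f in $FILES; do
        [ -f "$1/$f" ] || continue
        n=$(awk '$1 == "DropUPnP" { c++ } END { print c + 0 }' "$1/$f")
        total=$((total + n))
    done
    echo "$total"
}

# disable_dropupnp SRC DST: write copies of the files into DST with every
# active DropUPnP line commented out; SRC is never modified.
disable_dropupnp() {
    mkdir -p "$2" || return 1
    for f in $FILES; do
        [ -f "$1/$f" ] || { echo "missing: $1/$f" >&2; return 1; }
        awk '$1 == "DropUPnP" { sub(/DropUPnP/, "#DropUPnP") } { print }' \
            "$1/$f" > "$2/$f" || return 1
    done
}

# make_sample DIR: constructed stand-ins for the packaged files.
make_sample() {
    mkdir -p "$1" || return 1
    for f in $FILES; do
        printf '%s\n' '# constructed sample, not the packaged file' \
            'ExampleOtherAction' 'DropUPnP' > "$1/$f"
    done
}

# Demo on temporary directories. A real run would pass /usr/share/shorewall
# as SRC and /etc/shorewall as DST (assumed to take precedence when loaded).
work=$(mktemp -d)
make_sample "$work/share"
echo "active before: $(count_active "$work/share")"
disable_dropupnp "$work/share" "$work/etc"
echo "active after:  $(count_active "$work/etc")"
rm -rf "$work"
```

Running `count_active` against the live directories after a package upgrade shows whether the DropUPnP lines are active again.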
 
Old 11-22-2011, 12:04 AM   #8
Johng
Member
 
Registered: Feb 2002
Location: NZ
Distribution: Mageia
Posts: 282

Original Poster
Rep: Reputation: 30
And it worked for me.

Thank you Dave.
 
Old 11-23-2011, 02:49 AM   #9
davemguru
Member
 
Registered: Apr 2006
Location: London
Distribution: Pclos,Debian,Puppy,Fedora
Posts: 87

Rep: Reputation: 40
You are welcome. Perhaps you should mark the thread as "SOLVED"?

Dave
 
1 members found this post helpful.
Old 11-23-2011, 03:20 PM   #10
Johng
Member
 
Registered: Feb 2002
Location: NZ
Distribution: Mageia
Posts: 282

Original Poster
Rep: Reputation: 30
It's really great to have someone go to the trouble of finding a solution to a problem that googling indicates others share, but there's no corresponding answer(s). Thanks again. (I think I have ticked all the boxes).
 