Hello,

I have the following problem:

My TV is attached to a debian (squeeze) server running MediaTomb as DLNA server.
This (gr!*) TV sends its multicast request for discovering the server not to port udp 1900 where the server is listening for those requests.

<snip>
65.017066 192.168.178.24 -> 239.255.255.250 UDP Source port: 58715 Destination port: 32410
66.017826 192.168.178.24 -> 239.0.0.250 UDP Source port: 47492 Destination port: 32414
</snip>

Is it possible to redirect these requests to the right port with a shorewall rule? And if so, how to do it?

I have tried REDIRECT and DNAT. Nothing I tried worked, however.

Thanks in advance.

Regards
Harry

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
On 12/06/2012 03:57 AM, Dr. Harry Knitter wrote:
> Hello,
>
> I have the following problem:
>
> My TV is attached to a debian (squeeze) server running MediaTomb as DLNA
> server.
> This (gr!*) TV sends its multicast request for discovering the server not to
> port udp 1900 where the server is listening for those requests.
>
> <snip>
> 65.017066 192.168.178.24 -> 239.255.255.250 UDP Source port: 58715
> Destination port: 32410
> 66.017826 192.168.178.24 -> 239.0.0.250 UDP Source port: 47492 Destination
> port: 32414
> </snip>
>
> Is it possible to redirect these requests to the right port with a shorewall
> rule? And if so, how to do it?
>
> I have tried REDIRECT and DNAT. Nothing I tried worked, however.

What is the policy for connections from the firewall back to the zone with the TV (probably $FW -> loc)?

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Thursday, 6 December 2012, Tom Eastep wrote:
> What is the policy for connections from the firewall back to the zone
> with the TV (probably $FW -> loc)?
>
> -Tom

The TV is attached to the nic pointing to a DSL router (192.168.178.1). The policy (firewall on my server) is DROP for the net the TV is in.
A rule ACCEPT udp 1900 to the nic of the server is set.
The server has 2 nics: one attached to the net where the TV is in (192.168.178.0/24) and one attached to my internal net (10.255.80.0/24).
The DLNA server listens on 192.168.178.3 and the TV has the IP 192.168.178.25.
I have tested the nic with 192.168.178.3 with tshark. The result can be seen in my previous mail: no requests for port udp 1900 from 192.168.178.24.

Regards
Harry
On 12/6/12 9:59 AM, "Dr. Harry Knitter" <harry@knitter-edv-beratung.de> wrote:
> On Thursday, 6 December 2012, Tom Eastep wrote:
>> What is the policy for connections from the firewall back to the zone
>> with the TV (probably $FW -> loc)?
>>
>> -Tom
>
> The TV is attached to the nic pointing to a DSL router (192.168.178.1). The
> policy (firewall on my server) is DROP for the net the TV is in.
> A rule ACCEPT udp 1900 to the nic of the server is set.
> The server has 2 nics: one attached to the net where the TV is in
> (192.168.178.0/24) and one attached to my internal net (10.255.80.0/24).
> The DLNA server listens on 192.168.178.3 and the TV has the IP
> 192.168.178.25.
> I have tested the nic with 192.168.178.3 with tshark. The result can be
> seen in my previous mail: no requests for port udp 1900 from 192.168.178.24.

Try adding these rules:

REDIRECT   zone-of-the-tv:address-of-the-tv   1900   udp   port-tv-is-sending-to
ACCEPT     $FW   zone-of-the-tv:address-of-the-tv   udp

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
On Thursday, 6 December 2012, Tom Eastep wrote:
>
> Try adding these rules:
>
> REDIRECT   zone-of-the-tv:address-of-the-tv   1900   udp   port-tv-is-sending-to
> ACCEPT     $FW   zone-of-the-tv:address-of-the-tv   udp
>
> -Tom
> You do not need a parachute to skydive. You only need a parachute to
> skydive twice.
>

I have tried the following rules:

REDIRECT       ext:192.168.178.24   $FW::1900            udp   32410
ACCEPT:info    ext:192.168.178.24   $FW:192.168.178.3    udp   1900

In syslog we have

Dec  7 08:12:17 bitgully kernel: [ 3428.094905] Shorewall:ext_dnat:REDIRECT:IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:e8:5b:5b:44:1c:7f:08:00 SRC=192.168.178.24 DST=239.255.255.250 LEN=51 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=46710 DPT=32410 LEN=31
Dec  7 08:12:22 bitgully kernel: [ 3433.096257] Shorewall:ext_dnat:REDIRECT:IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:e8:5b:5b:44:1c:7f:08:00 SRC=192.168.178.24 DST=239.255.255.250 LEN=51 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=43212 DPT=32410 LEN=31

No incoming packets on udp 1900 are registered.

tshark still shows:

15.004511 192.168.178.24 -> 239.255.255.250 UDP Source port: 44414 Destination port: 32410
16.004916 192.168.178.24 -> 239.0.0.250 UDP Source port: 50273 Destination port: 32414

The DLNA server cannot be found.

Regards
Harry
On 12/06/2012 11:16 PM, Dr. Harry Knitter wrote:
> On Thursday, 6 December 2012, Tom Eastep wrote:
>>
>> Try adding these rules:
>>
>> REDIRECT   zone-of-the-tv:address-of-the-tv   1900   udp   port-tv-is-sending-to
>> ACCEPT     $FW   zone-of-the-tv:address-of-the-tv   udp
>>
>> -Tom
>> You do not need a parachute to skydive. You only need a parachute to
>> skydive twice.
>>
>
> I have tried the following rules:
>
> REDIRECT       ext:192.168.178.24   $FW::1900            udp   32410
> ACCEPT:info    ext:192.168.178.24   $FW:192.168.178.3    udp   1900
>
> In syslog we have
>
> Dec  7 08:12:17 bitgully kernel: [ 3428.094905]
> Shorewall:ext_dnat:REDIRECT:IN=eth0 OUT=
> MAC=01:00:5e:7f:ff:fa:e8:5b:5b:44:1c:7f:08:00 SRC=192.168.178.24
> DST=239.255.255.250 LEN=51 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP
> SPT=46710 DPT=32410 LEN=31
> Dec  7 08:12:22 bitgully kernel: [ 3433.096257]
> Shorewall:ext_dnat:REDIRECT:IN=eth0 OUT=
> MAC=01:00:5e:7f:ff:fa:e8:5b:5b:44:1c:7f:08:00 SRC=192.168.178.24
> DST=239.255.255.250 LEN=51 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP
> SPT=43212 DPT=32410 LEN=31
>
> No incoming packets on udp 1900 are registered.
>
> tshark still shows:
>
> 15.004511 192.168.178.24 -> 239.255.255.250 UDP Source port: 44414
> Destination port: 32410
> 16.004916 192.168.178.24 -> 239.0.0.250 UDP Source port: 50273 Destination
> port: 32414
>
> The DLNA server cannot be found.

What multi-port address is the server listening on (netstat -unap)?

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Friday, 7 December 2012, Tom Eastep wrote:
> On 12/06/2012 11:16 PM, Dr. Harry Knitter wrote:
> > On Thursday, 6 December 2012, Tom Eastep wrote:
> >> Try adding these rules:
> >>
> >> REDIRECT   zone-of-the-tv:address-of-the-tv   1900   udp   port-tv-is-sending-to
> >> ACCEPT     $FW   zone-of-the-tv:address-of-the-tv   udp
> >>
> >> -Tom
> >> You do not need a parachute to skydive. You only need a parachute to
> >> skydive twice.
> >
> > I have tried the following rules:
> >
> > REDIRECT       ext:192.168.178.24   $FW::1900            udp   32410
> > ACCEPT:info    ext:192.168.178.24   $FW:192.168.178.3    udp   1900
> >
> > In syslog we have
> >
> > Dec  7 08:12:17 bitgully kernel: [ 3428.094905]
> > Shorewall:ext_dnat:REDIRECT:IN=eth0 OUT=
> > MAC=01:00:5e:7f:ff:fa:e8:5b:5b:44:1c:7f:08:00 SRC=192.168.178.24
> > DST=239.255.255.250 LEN=51 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP
> > SPT=46710 DPT=32410 LEN=31
> > Dec  7 08:12:22 bitgully kernel: [ 3433.096257]
> > Shorewall:ext_dnat:REDIRECT:IN=eth0 OUT=
> > MAC=01:00:5e:7f:ff:fa:e8:5b:5b:44:1c:7f:08:00 SRC=192.168.178.24
> > DST=239.255.255.250 LEN=51 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP
> > SPT=43212 DPT=32410 LEN=31
> >
> > No incoming packets on udp 1900 are registered.
> >
> > tshark still shows:
> >
> > 15.004511 192.168.178.24 -> 239.255.255.250 UDP Source port: 44414
> > Destination port: 32410
> > 16.004916 192.168.178.24 -> 239.0.0.250 UDP Source port: 50273
> > Destination port: 32414
> >
> > The DLNA server cannot be found.
>
> What multi-port address is the server listening on (netstat -unap)?
>
> -Tom

udp        0      0 0.0.0.0:1900            0.0.0.0:*                           3311/mediatomb
udp        0      0 127.0.0.1:37879         0.0.0.0:*                           3311/mediatomb

What I have done since my last posting:
I opened the udp ports the TV is sending to (32410 and 32414) and the ports the server is listening on except the port for localhost (i.e. tcp 49152 and udp 1900) and get the server connected. However, not always, and when it does it takes up to 20 minutes until the DLNA server is found.
The firewall log shows ACCEPT for ports 32410 udp and 49152 tcp.

What I do not understand is:
Why didn't I get DROPs for port 32410 and 32414 before opening these ports?
Why aren't there ACCEPTs for port 32414 while tshark is telling me that packets to this port come in?
How does the TV connect to the DLNA server when there are no corresponding ports (except tcp 49152 when connected)?

I have to watch the behavior of this connection to find out how to make it more reliable, i.e., that the TV finds the server always and faster. It is not very amazing having guests who want to see some photos and the system does not work as expected :-(

I know that uPnP and DLNA is crap, especially from the security point of view. Being a little paranoid, I even don't want to open more holes in my firewall than necessary and restrict these only holes to those devices that need them.

Thanks for your tips
Harry
On 12/07/2012 11:49 PM, Dr. Harry Knitter wrote:
>
> What I have done since my last posting:
> I opened the udp ports the TV is sending to (32410 and 32414) and the ports
> the server is listening on except the port for localhost (i.e. tcp 49152 and
> udp 1900) and get the server connected. However, not always, and when it does
> it takes up to 20 minutes until the DLNA server is found.
> The firewall log shows ACCEPT for ports 32410 udp and 49152 tcp.
>
> What I do not understand is:
> Why didn't I get DROPs for port 32410 and 32414 before opening these ports?

Because the standard default actions (Drop and Reject) silently drop broadcast and multicast packets. Otherwise, the average log would be full of nothing but those.

> Why aren't there ACCEPTs for port 32414 while tshark is telling me that packets
> to this port come in?

I can't answer that without seeing the output of 'shorewall dump'.

> How does the TV connect to the DLNA server when there are no corresponding
> ports (except tcp 49152 when connected)?
>

Don't know. The normal way this works is via UPnP, where the TV would broadcast/multicast on UDP 1900 and the server would respond.

Another important point about broadcast/multicast is that the server's responses must be explicitly allowed by the firewall, either via policy or rules. That's because Netfilter's connection tracking mechanism doesn't associate the server's response with the corresponding incoming broadcast/multicast conntrack table entry. That is why I was asking earlier about the firewall->tv policy.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
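An added check, not code from this thread or from the Shorewall project: a small Python script that parses the Shorewall kernel log lines and the tshark lines quoted above and classifies each UDP multicast datagram as SSDP (udp/1900 to 239.255.255.250) or not. Because, as Tom explains, the default Drop/Reject actions do not log dropped multicast, a capture is the place to look for discovery traffic on other ports; the sample lines are constructed from the thread, and the 192.168.178.30 entry is invented for contrast.

```python
import ipaddress
import re

SSDP_PORT = 1900
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")

# Constructed samples modelled on the thread: two Shorewall kernel log lines
# (the second, from 192.168.178.30 to udp/1900, is invented for contrast)
# and the two tshark summary lines the TV produces.
SAMPLE_LOG = """\
Dec  7 08:12:17 bitgully kernel: [ 3428.094905] Shorewall:ext_dnat:REDIRECT:IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:e8:5b:5b:44:1c:7f:08:00 SRC=192.168.178.24 DST=239.255.255.250 LEN=51 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=46710 DPT=32410 LEN=31
Dec  7 08:12:22 bitgully kernel: [ 3433.096257] Shorewall:ext_acpt:ACCEPT:IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:e8:5b:5b:44:1c:7f:08:00 SRC=192.168.178.30 DST=239.255.255.250 LEN=51 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=50000 DPT=1900 LEN=31
"""
SAMPLE_TSHARK = """\
 15.004511 192.168.178.24 -> 239.255.255.250 UDP Source port: 44414 Destination port: 32410
 16.004916 192.168.178.24 -> 239.0.0.250 UDP Source port: 50273 Destination port: 32414
"""

# Netfilter LOG fields (SRC=/DST=/PROTO=/SPT=/DPT=) and the tshark one-line summary.
NF_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(\w+) SPT=(\d+) DPT=(\d+)")
TS_RE = re.compile(r"(\S+) -> (\S+) (\w+) Source port: (\d+) Destination port: (\d+)")


def parse_packets(text):
    """Yield (src, dst, proto, sport, dport) for every line either format matches."""
    for line in text.splitlines():
        m = NF_RE.search(line) or TS_RE.search(line)
        if m:
            src, dst, proto, sport, dport = m.groups()
            yield src, ipaddress.ip_address(dst), proto.upper(), int(sport), int(dport)


def classify(dst, proto, dport):
    """SSDP discovery is UDP to 239.255.255.250:1900; other multicast is not SSDP."""
    if proto != "UDP":
        return "non-udp-multicast"
    if dst == SSDP_GROUP and dport == SSDP_PORT:
        return "ssdp"
    return "non-ssdp-multicast"


def audit(text):
    """Map (src, dst, dport) -> verdict for every multicast datagram seen in text."""
    verdicts = {}
    for src, dst, proto, sport, dport in parse_packets(text):
        if dst.is_multicast:  # 224.0.0.0/4; unicast lines are skipped
            verdicts[(src, str(dst), dport)] = classify(dst, proto, dport)
    return verdicts
```

Run it as `python3 ssdp_audit.py` after adding a call such as `print(audit(SAMPLE_LOG + SAMPLE_TSHARK))`, or feed it the output of `tshark -i eth0 udp` and the firewall log together.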