Hello,

I have a small question for you.

My setup:
- One server under Debian Wheezy where Shorewall resides
- One bridge to allow my LAN (ethernet, wifi, and TV)
- Several clients

I want to install a UPnP client on the Shorewall box.
So I read: http://www.shorewall.net/UPnP.html

/etc/upnpd.conf:

    create_forward_rules = yes
    forward_rules_append = no
    forward_chain_name = forwardUPnP
    prerouting_chain_name = UPnP

I defined the following interfaces:

    net    ppp0    dhcp,blacklist,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,upnp,upnpclient
    loc    br0     dhcp,tcpflags,bridge

/etc/default/linux-igd:

    # External interface name. If undefined then upnpd will not be started.
    EXTIFACE=ppp0
    # Internal interface name. If undefined then upnpd will not be started.
    INIFACE=br0
    ALLOW_MULTICAST=yes

/etc/shorewall/rules contains:

    forwardUPnP    net    loc

/etc/shorewall/policy contains:

    loc    net    ACCEPT
    loc    $FW    ACCEPT

The result is:

    # route
    Kernel IP routing table
    Destination      Gateway   Genmask          Flags Metric Ref Use Iface
    default          *         0.0.0.0          U     0      0   0   ppp0
    192.168.1.0      *         255.255.255.0    U     0      0   0   br0
    net1lo-bidon.bs  *         255.255.255.255  UH    0      0   0   ppp0
    224.0.0.0        *         240.0.0.0        U     0      0   0   br0

Incoming connections are dropped: my computer opened TCP port 61190, and I can see dropped packets in syslog. The server's connections are dropped too (several ports were used, as I opened the client a lot of times).

You can see a shorewall dump at this location: http://srv-bron.hebergement-pro.org/shorewall_dump.log

What should I try to find the root cause? Do you see any error I could have made?

Best regards.
Jerome Blion.
On 12/2/2013 3:16 PM, Jérôme Blion wrote:
> Hello,
>
> I have a small question for you.
> My setup:
> - One server under Debian Wheezy where Shorewall resides
> - One bridge to allow my LAN (ethernet, wifi, and TV)
> - Several clients
>
> I want to install a UPnP client on the Shorewall box.
> So I read: http://www.shorewall.net/UPnP.html

Which client? You must:

a) configure your client to use a particular incoming port; and
b) open that port net->fw

And what do you mean by 'server'? Neither linux-igd nor Shorewall supports a server such as a media server.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
On 2013-12-03 01:47, Tom Eastep wrote:
> On 12/2/2013 3:16 PM, Jérôme Blion wrote:
>> Hello,
>>
>> I have a small question for you.
>> My setup:
>> - One server under Debian Wheezy where Shorewall resides
>> - One bridge to allow my LAN (ethernet, wifi, and TV)
>> - Several clients
>>
>> I want to install a UPnP client on the Shorewall box.
>> So I read: http://www.shorewall.net/UPnP.html
>
> Which client? You must:
>
> a) configure your client to use a particular incoming port; and
> b) open that port net->fw
>
> And what do you mean by 'server'? Neither linux-igd nor Shorewall
> supports a server such as a media server.
>
> -Tom

Hello,

I want to use a BitTorrent client, either on my computer or on the Shorewall box. They can use a random port at start.
I would like this BitTorrent client to dynamically open this port using UPnP.

With miniupnpc, I was not able to detect the linux-igd daemon on the Shorewall box.

Is that clearer?

Best regards.
Jerome Blion
On 12/3/2013 1:03 AM, Jérôme Blion wrote:
> On 2013-12-03 01:47, Tom Eastep wrote:
>> On 12/2/2013 3:16 PM, Jérôme Blion wrote:
>>> Hello,
>>>
>>> I have a small question for you.
>>> My setup:
>>> - One server under Debian Wheezy where Shorewall resides
>>> - One bridge to allow my LAN (ethernet, wifi, and TV)
>>> - Several clients
>>>
>>> I want to install a UPnP client on the Shorewall box.
>>> So I read: http://www.shorewall.net/UPnP.html
>>
>> Which client? You must:
>>
>> a) configure your client to use a particular incoming port; and
>> b) open that port net->fw
>>
>> And what do you mean by 'server'? Neither linux-igd nor Shorewall
>> supports a server such as a media server.
>>
>> -Tom
>
> Hello,
>
> I want to use a BitTorrent client, either on my computer or on the
> Shorewall box. They can use a random port at start.
> I would like this BitTorrent client to dynamically open this port using
> UPnP.

That is not possible when the BitTorrent client is running on the Shorewall box. In that case, you must configure the client to use a static incoming port and you must have a net->fw ACCEPT rule for that port. The 'upnpclient' option is not relevant in that configuration.

> With miniupnpc, I was not able to detect the linux-igd daemon on the
> Shorewall box.

And you were running miniupnpc where? On a computer in your local LAN?

-Tom
On 12/3/2013 9:20 AM, Tom Eastep wrote:
> On 12/3/2013 1:03 AM, Jérôme Blion wrote:
>> On 2013-12-03 01:47, Tom Eastep wrote:
>>> On 12/2/2013 3:16 PM, Jérôme Blion wrote:
>>>> Hello,
>>>>
>>>> I have a small question for you.
>>>> My setup:
>>>> - One server under Debian Wheezy where Shorewall resides
>>>> - One bridge to allow my LAN (ethernet, wifi, and TV)
>>>> - Several clients
>>>>
>>>> I want to install a UPnP client on the Shorewall box.
>>>> So I read: http://www.shorewall.net/UPnP.html
>>>
>>> Which client? You must:
>>>
>>> a) configure your client to use a particular incoming port; and
>>> b) open that port net->fw
>>>
>>> And what do you mean by 'server'? Neither linux-igd nor Shorewall
>>> supports a server such as a media server.
>>>
>>> -Tom
>>
>> Hello,
>>
>> I want to use a BitTorrent client, either on my computer or on the
>> Shorewall box. They can use a random port at start.
>> I would like this BitTorrent client to dynamically open this port using
>> UPnP.
>
> That is not possible when the BitTorrent client is running on the
> Shorewall box. In that case, you must configure the client to use a
> static incoming port and you must have a net->fw ACCEPT rule for that
> port. The 'upnpclient' option is not relevant in that configuration.
>
>> With miniupnpc, I was not able to detect the linux-igd daemon on the
>> Shorewall box.
>
> And you were running miniupnpc where? On a computer in your local LAN?

I notice that you have a REJECT policy for fw->loc. That being the case, you need the following rule to allow UPnP to work from the local LAN:

    ACCEPT    $FW    loc    udp

The reason is that Netfilter connection tracking doesn't work with Multicast, so you must explicitly accept the firewall's responses to Multicasts from the LAN.

-Tom
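The following is an added worked example, not code from the thread, from Shorewall or from linux-igd. It reconstructs the step miniupnpc performs when it looks for an IGD: a multicast SSDP M-SEARCH to 239.255.255.250:1900, answered by a unicast 200 OK from the gateway. The flow model shows why that answer is not matched as the "reply" of the tracked multicast request (the source address is the firewall's LAN address, never the multicast group), so it arrives as a fresh fw->loc connection and is decided by that zone's policy, which is the reason the `ACCEPT $FW loc udp` rule above is needed. The addresses 192.168.1.1 (firewall) and 192.168.1.20 (LAN client), the client port, and the sample response headers are assumptions constructed for the example.

```python
"""SSDP discovery from the firewall's point of view (added example).

Builds a UPnP M-SEARCH, parses a constructed IGD 200 OK, and shows that the
unicast answer does not match the conntrack tuple of the multicast request.
"""
import socket
from dataclasses import dataclass
from typing import Dict

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# Assumed addresses for the worked example (not taken from the thread).
FIREWALL_LAN_IP = "192.168.1.1"
CLIENT_IP = "192.168.1.20"
CLIENT_PORT = 41234


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """The discovery request a client multicasts to 239.255.255.250:1900."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data: bytes) -> Dict[str, str]:
    """Parse an SSDP 200 OK into a dict keyed by lowercase header name.

    Raises ValueError for anything that is not an SSDP success response.
    """
    text = data.decode("ascii", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"not an SSDP 200 OK: {status!r}")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


@dataclass(frozen=True)
class Flow:
    """A 5-tuple as Netfilter conntrack would record it."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


def is_tracked_reply(request: Flow, reply: Flow) -> bool:
    """A packet belongs to an existing flow only if it matches the original
    tuple or its exact reverse; anything else starts a new connection."""
    return reply in (request, request.reverse())


def discovery_reply_needs_its_own_rule() -> bool:
    """True when the IGD's unicast answer is not matched as part of the
    client's multicast M-SEARCH flow (so the fw->loc policy applies)."""
    request = Flow("udp", CLIENT_IP, CLIENT_PORT, SSDP_GROUP, SSDP_PORT)
    # Whatever source port the IGD uses, the source address is the firewall's
    # own address, not 239.255.255.250, so the reverse tuple never matches.
    reply = Flow("udp", FIREWALL_LAN_IP, SSDP_PORT, CLIENT_IP, CLIENT_PORT)
    return not is_tracked_reply(request, reply)


# Constructed sample answer; the LOCATION and USN values are made up.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:49152/gatedesc.xml\r\n"
    b"SERVER: Linux/3.2 UPnP/1.0 IGD/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)


def send_msearch(timeout: float = 2.0) -> Dict[str, str]:
    """Live probe from a LAN host (not part of the offline check): multicast
    the M-SEARCH and parse the first answer. Times out if the firewall's
    fw->loc policy rejects its unicast response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        s.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        data, _ = s.recvfrom(4096)
    return parse_ssdp_response(data)


if __name__ == "__main__":
    print("IGD description:", parse_ssdp_response(SAMPLE_RESPONSE)["location"])
    print("answer is outside the tracked multicast flow:",
          discovery_reply_needs_its_own_rule())
```

Run `send_msearch()` from a LAN host with the fw->loc rule absent and then present: the first case times out because the firewall's 200 OK is rejected on its way out, the second returns the LOCATION of the IGD description, which is what miniupnpc needs before it can request a port mapping.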