I might have discovered something PasTim...
This whole business with the Linux firewall began with the desire to allow UPnPBridge to find mediarenderers on the local network by punching a hole in the server's firewall just big enough to allow that to happen. Using iptables and ipset, this appears to be possible. However, I have found that the use of ipset has an unintended consequence: it is not application specific, and it allows other running programs to take advantage of this and send a UPnP SSDP M-SEARCH broadcast of their own, and open more ports than we had intended! I have found that Chromium-based browsers, such as Opera and Vivaldi (which I personally use), were doing this. I don't like this; I only wanted a port for receiving Notify responses to be opened for the UPnPBridge plugin. I note that Firefox does NOT behave this way - kudos to Mozilla.

Solution: yet another rule to be added to iptables. I found that all browsers add a USER-AGENT field to their SSDP payload, and we can use this to drop their outgoing broadcast before it gets sent, and before they open another port using the ipset we created for UPnP.

    sudo iptables -I OUTPUT 4 -d 239.255.255.250/32 -p udp -m udp --dport 1900 -m string --algo kmp --string 'USER-AGENT' -j DROP

In testing, this appears to have solved the issue for me.

OK, so now, disregarding the need for persistence across a reboot, I have the following list of commands, to modify my netfilter-based firewall to allow UPnPBridge to find my mediarenderers by opening a port for only a few seconds for it to pick up responses, and then the port is closed. This search is repeated every 20 seconds.
I might put all this into a bash script:

    sudo ipset create upnp hash:ip,port timeout 6
    sudo iptables -I OUTPUT 4 -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
    sudo iptables -I OUTPUT 4 -d 239.255.255.250/32 -p udp -m set --match-set upnp src,src -j DROP
    sudo iptables -I OUTPUT 4 -d 239.255.255.250/32 -p udp -m udp --dport 1900 -m string --algo kmp --string 'USER-AGENT' -j DROP
    sudo iptables -I INPUT 4 -p udp -m set --match-set upnp dst,dst -j ACCEPT

I will continue testing!

------------------------------------------------------------------------
Ron F.'s Profile: http://forums.slimdevices.com/member.php?userid=5616
View this thread: http://forums.slimdevices.com/showthread.php?t=103728
_______________________________________________
plugins mailing list
[email protected]
http://lists.slimdevices.com/mailman/listinfo/plugins
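As an added example (not Ron F.'s code and not part of UPnPBridge), the five commands from the post collected into a POSIX sh script with up/down functions that can be re-run without duplicating rules. It assumes sudo, iptables with the string and set matches, and ipset; setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the five commands in
# up/down functions. The OUTPUT chain order after "up" is the one the three
# original "-I OUTPUT 4" inserts end up with: USER-AGENT drop, then
# already-in-set drop, then the SET add that opens the reply port.
SET_NAME="upnp"
SSDP="-d 239.255.255.250/32 -p udp"

# Rule bodies without chain/position, so one string serves -I, -C and -D.
RULE_UA="$SSDP -m udp --dport 1900 -m string --algo kmp --string USER-AGENT -j DROP"
RULE_LIMIT="$SSDP -m set --match-set $SET_NAME src,src -j DROP"
RULE_ADD="$SSDP -m udp --dport 1900 -j SET --add-set $SET_NAME src,src --exist"
RULE_IN="-p udp -m set --match-set $SET_NAME dst,dst -j ACCEPT"

# DRY_RUN=1 prints the command line; otherwise it runs through sudo.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else sudo "$@"; fi
}

# Insert only when an identical rule is absent: iptables -C exits non-zero
# if the rule is not in the chain, so re-running never duplicates rules.
insert_once() {
    chain="$1"; pos="$2"; shift 2
    if [ "${DRY_RUN:-0}" != 1 ] && sudo iptables -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -I "$chain" "$pos" "$@"
}

upnp_rules_up() {
    # -exist turns "set already exists" into a no-op instead of an error.
    run ipset -exist create "$SET_NAME" hash:ip,port timeout 6
    # Insert in reverse so the final chain order matches the original post.
    insert_once OUTPUT 4 $RULE_ADD
    insert_once OUTPUT 4 $RULE_LIMIT
    insert_once OUTPUT 4 $RULE_UA
    insert_once INPUT 4 $RULE_IN
}

upnp_rules_down() {
    run iptables -D OUTPUT $RULE_UA
    run iptables -D OUTPUT $RULE_LIMIT
    run iptables -D OUTPUT $RULE_ADD
    run iptables -D INPUT $RULE_IN
    run ipset destroy "$SET_NAME"
}

case "${1:-}" in
    up) upnp_rules_up ;;
    down) upnp_rules_down ;;
esac
```

The string match is case-sensitive as written, so a client that sends `User-Agent:` instead of `USER-AGENT:` would pass the DROP rule; iptables' string match accepts `--icase` if you want it to match regardless of case.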
