Ron F. wrote:
> I might have discovered something PasTim...
>
> This whole business with the Linux firewall began with the desire to allow UPnPBridge to find mediarenderers on the local network by punching a hole in the server's firewall just big enough to allow that to happen. Using iptables and ipset, this appears to be possible. However, I have found that the use of ipset has an unintended consequence: it is not application specific and it allows other running programs to take advantage of this and send a UPnP SSDP M-SEARCH broadcast of their own, and open more ports than we had intended! I have found that Chromium-based browsers, such as Opera and Vivaldi (which I personally use), were doing this. I don't like this; I only wanted a port for receiving Notify responses to be opened for the UPnPBridge plugin. I note that Firefox does NOT behave this way - kudos to Mozilla.
>
> Solution: yet another rule to be added to iptables. I found that all browsers add a USER-AGENT field to their SSDP payload, and we can use this to drop their outgoing broadcast before it gets sent, and before they open another port using the ipset we created for UPnP.
>
> sudo iptables -I OUTPUT 4 -d 239.255.255.250/32 -p udp -m udp --dport 1900 -m string --algo kmp --string 'USER-AGENT' -j DROP
>
> In testing, this appears to have solved the issue for me. OK, so now, disregarding the need for persistence across a reboot, I have the following list of commands, to modify my netfilter-based firewall to allow UPnPBridge to find my mediarenderers by opening a port for only a few seconds (maybe just a bit longer than that) for it to pick up responses, and then the port is closed. This search is repeated every 20 seconds.
>
> I might put all this into a bash script:
>
> sudo ipset create upnp hash:ip,port timeout 6
> sudo iptables -I OUTPUT 4 -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
> sudo iptables -I OUTPUT 4 -d 239.255.255.250/32 -p udp -m set --match-set upnp src,src -j DROP
> sudo iptables -I OUTPUT 4 -d 239.255.255.250/32 -p udp -m udp --dport 1900 -m string --algo kmp --string 'USER-AGENT' -j DROP
> sudo iptables -I INPUT 4 -p udp -m set --match-set upnp dst,dst -j ACCEPT
>
> I will continue testing!

Hi Ron F.

I'm not sure I understand the 3rd line - how does it limit the searches to just one? I also have other servers (eg minimserver) and worry that more things I need will be stopped. As to the browsers, is this doing any harm? It's still only port 1900 is it not?
Meanwhile, on your suggestion of using iptables -S, I found that iptables has held onto some rules that I deleted using ufw. ufw status does not show these rules, but iptables does (some 30000:60000 rules), which explains why some devices continued to be discovered. Weird. More things to look at.

LMS 7.9.2 on PC, Xubuntu 18.04, FLACs 16->24 bit, 44.1->192kbps. 2 Touchs & EDO. LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (A308CR amp & ESLs) & Marantz CR603 UPnP renderers. Also Minimserver & Upplay to same & to upmpdcli/mpd PC renderers. Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones. Wireless Xubuntu 18.04 laptop firefox/upplay or Android 'phone with Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.
------------------------------------------------------------------------
PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
View this thread: http://forums.slimdevices.com/showthread.php?t=103728
_______________________________________________
plugins mailing list
[email protected]
http://lists.slimdevices.com/mailman/listinfo/plugins
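The ipset/netfilter procedure quoted from Ron F. above, written up as the bash script he mentions. This is an added example, not code from Ron F., PasTim or the UPnPBridge project. It keeps his mechanism (one M-SEARCH per local ip:port, a six-second reply window, browsers' USER-AGENT broadcasts dropped) but puts the three OUTPUT rules in a chain of their own so the evaluation order is written down once rather than produced by three successive "-I OUTPUT 4" inserts. The chain names UPNP_OUT and UPNP_IN, the insert positions OUT_POS/IN_POS (kept at 4 to mirror the thread) and the --icase flag on the string match (so a client sending "User-Agent:" in mixed case is caught too) are this script's own choices, not anything the thread settled on.

```shell
#!/bin/sh
# Added example (not code from the thread): SSDP reply window via ipset +
# iptables, with the rules in a dedicated chain.  Run with no argument to
# print the rules, "apply" to load them as root, "show" to list what the
# kernel actually holds (useful when ufw's view and iptables -S disagree).

SET_NAME=upnp                  # (local ip, ephemeral port) of recent M-SEARCHes
TIMEOUT=6                      # seconds a reply window stays open
SSDP_ADDR=239.255.255.250/32   # SSDP multicast group
SSDP_PORT=1900
OUT_POS=4                      # assumed positions for the jumps, as in the thread
IN_POS=4

# Emit the rules in the order netfilter will evaluate them.  Nothing is
# applied here, so the output can be reviewed or diffed against
# "iptables -S" before the live firewall is touched.
upnp_rules() {
    cat <<EOF
ipset create $SET_NAME hash:ip,port timeout $TIMEOUT -exist
iptables -N UPNP_OUT 2>/dev/null || iptables -F UPNP_OUT
iptables -N UPNP_IN 2>/dev/null || iptables -F UPNP_IN
iptables -A UPNP_OUT -m string --algo kmp --icase --string 'USER-AGENT' -j DROP
iptables -A UPNP_OUT -m set --match-set $SET_NAME src,src -j DROP
iptables -A UPNP_OUT -j SET --add-set $SET_NAME src,src --exist
iptables -A UPNP_IN -m set --match-set $SET_NAME dst,dst -j ACCEPT
iptables -C OUTPUT -d $SSDP_ADDR -p udp --dport $SSDP_PORT -j UPNP_OUT 2>/dev/null || iptables -I OUTPUT $OUT_POS -d $SSDP_ADDR -p udp --dport $SSDP_PORT -j UPNP_OUT
iptables -C INPUT -p udp -j UPNP_IN 2>/dev/null || iptables -I INPUT $IN_POS -p udp -j UPNP_IN
EOF
}

# Feed the generated commands to a root shell, stopping at the first failure.
apply_rules() {
    upnp_rules | sudo sh -e
}

# What is really loaded: the full OUTPUT/INPUT chains (including anything
# ufw no longer reports), our chains, and the live contents of the set.
show_state() {
    sudo iptables -S OUTPUT
    sudo iptables -S INPUT
    sudo iptables -S UPNP_OUT 2>/dev/null
    sudo iptables -S UPNP_IN 2>/dev/null
    sudo ipset list "$SET_NAME" 2>/dev/null
}

case "${1:-print}" in
    apply) apply_rules ;;
    show)  show_state ;;
    *)     upnp_rules ;;
esac
```

In UPNP_OUT the first rule drops any M-SEARCH carrying a USER-AGENT header, the second drops a further M-SEARCH from a source ip:port that is already in the set, and the third (a SET target, which does not terminate the chain) records the source ip:port of the one that got through; UPNP_IN then accepts only UDP whose destination ip:port is in the set, for the TIMEOUT seconds the entry lives. A client that omits USER-AGENT is still admitted, so the string match is a filter for the browsers observed in the thread, not an application identity check.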
