PasTim wrote:
> Hi Ron F. I'm not sure I understand the 3rd line - how does it limit the
> searches to just one? I also have other servers (eg minimserver) and
> worry that more things I need will be stopped. As to the browsers, is
> this doing any harm? It's still only port 1900 is it not?
>
> Meanwhile, on your suggestion of using iptables -S, I found that
> iptables has held onto some rules that I deleted using ufw. ufw status
> does not show these rules, but iptables does (some 30000:60000 rules),
> which explains why some devices continued to be discovered. Weird. More
> things to look at.
The third rule limits the broadcast of a UPnP SSDP M-SEARCH packet to just one by dropping any such additional packet destined for output that has the (ip, port) pair, (or tuple as I have seen experts call it,) of (239.255.255.250, 1900) after the first such packet has been seen and registered in the ipset upnp - until the timeout period has expired! This rule looks for a match of this tuple to what has been saved in ipset upnp. When the timeout occurs, what is in the upnp set is dumped, and we start over. One broadcast packet should be enough to gather responses from all your UPnP media renderers that respond to it, which is one reason I made the timeout to be 6 seconds. It might not be necessary to do this, and this is the least important rule we are adding - I just wanted a very clean method of conducting the procedure of collecting media renderers.

I have found that for something complicated like what we have been doing here, that ufw, which is a simplified interface to iptables, and gufw, which is a GUI interface to ufw - are problematic. I have been using iptables directly, albeit I find that it can take a long time for iptables to list all the rules this way in a specified chain, and even longer to list all rules in all chains.

For example, to list all firewall rules with line numbers so that they can be referred to later:

    sudo iptables -L --line-numbers

To list just those input rules that you created using gufw or ufw:

    sudo iptables -L ufw-user-input --line-numbers

To delete an existing rule, such as one from your ufw-user-input chain, that probably contains your ACCEPT rule for ports 30000:60000:

    sudo iptables -D ufw-user-input XX    # where XX is the line number you saw in the list for ufw-user-input

By design, rules added or deleted using iptables are not persistent:

    sudo apt install iptables-persistent netfilter-persistent

To save:

    sudo netfilter-persistent save

OK, the question regarding the use of port 1900...
Port 1900 is being used for outgoing UPnP SSDP broadcasts, and it can also be used by media renderers to broadcast their availability, but I think UPnPBridge is not using it for this purpose - at least not when running on a Linux-based machine. It is listening instead on whatever host source port was used in its own broadcast. Given that, I am not sure how useful it is to have it open for INPUT to begin with.

Additionally, I found that some Chromium-based browsers will also broadcast using port 1900! If we have used ipset to dynamically open ports to receive SSDP packets, then more ports get opened that we did not anticipate! This might not cause a problem but I don't like it, as it was an unexpected consequence of what we had set out to accomplish here.

Please note: I typed a lot of info in this post, and I make mistakes and blunders. If I made a mistake here, please forgive. I am not an IT professional, and I don't even play one on TV. I recommend duplicating my research before making such permanent changes to your own firewall. I am still engaged in investigation myself.

*Living Room:* SB Touch + DIY PSU > CI Audio VDA.2 DAC + VAC.1 PSU > VRX.1 cables > Emotiva XSP-1 Gen 2 preamp + XPA-DR2 amp > Blue Jeans cables > B&W 804 speakers
*Laptop:* System76 Galago + Ubuntu 16.04 + Squeezelite + Material Skin > ifi USB iSilencer > Audirect Beam DAC > Senn IE 80 earbuds
*Bedroom:* Android Phone + SB Player + Squeeze Ctrl > Bluetooth > Bose SoundLink Revolve
*Server:* Puget Systems Serenity + Ubuntu 18.04 + LMS 7.9.2
*Music:* Personal FLAC, Radio Paradise FLAC, Qobuz, Spotify
------------------------------------------------------------------------
Ron F.'s Profile: http://forums.slimdevices.com/member.php?userid=5616
View this thread: http://forums.slimdevices.com/showthread.php?t=103728
_______________________________________________
plugins mailing list
[email protected]
http://lists.slimdevices.com/mailman/listinfo/plugins
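The ipset-backed "one M-SEARCH per timeout window" mechanism that Ron F. describes above, written out as an added example; this is not the rule set posted earlier in the thread, and it assumes an ipset named upnp of type hash:ip,port with a 6 second default timeout, rules in the OUTPUT chain, and a default-ACCEPT policy for outbound traffic. The script only prints the commands unless APPLY=1 is set, so the rules can be reviewed before touching a live firewall:

```shell
#!/bin/sh
# Added example, not code from the thread: limit outbound SSDP M-SEARCH
# broadcasts to one (ip, port) tuple per timeout window using an ipset.
# Assumed names/values: set "upnp", type hash:ip,port, 6 s timeout, OUTPUT chain.
SSDP_ADDR=239.255.255.250
SSDP_PORT=1900
SSDP_SET=upnp
SSDP_TIMEOUT=6

# Emit the commands rather than running them, so they can be inspected first.
ssdp_rules() {
    # The set holds (dst ip, dst port) entries that expire on their own after
    # SSDP_TIMEOUT seconds; -exist makes re-running the script harmless.
    echo "ipset create $SSDP_SET hash:ip,port timeout $SSDP_TIMEOUT -exist"
    # Rule 1 must come first: a tuple already registered in this window is
    # dropped, which is what keeps the broadcast to a single packet.
    echo "iptables -A OUTPUT -p udp -d $SSDP_ADDR --dport $SSDP_PORT -m set --match-set $SSDP_SET dst,dst -j DROP"
    # Rule 2: the first packet in a window is not in the set yet, so it passes
    # rule 1, gets registered here (SET is non-terminating), and then continues
    # to the chain's default policy.
    echo "iptables -A OUTPUT -p udp -d $SSDP_ADDR --dport $SSDP_PORT -j SET --add-set $SSDP_SET dst,dst"
}

# Number of commands the generator produces (used as a sanity check).
ssdp_rule_count() {
    ssdp_rules | wc -l | tr -d ' '
}

# Only apply when explicitly asked and running as root (ipset/iptables needed).
if [ "${APPLY:-0}" = 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "APPLY=1 requires root" >&2; exit 1; }
    ssdp_rules | sh -e
else
    ssdp_rules
fi
```

The order of the two iptables rules is the part that is easy to get wrong: if the SET --add-set rule came first, the very first M-SEARCH would be registered and then immediately dropped by the match-set rule behind it, so nothing would ever be sent. Like any rule added with iptables directly, these disappear at reboot unless saved with netfilter-persistent as described above.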
