Re: Sonos and OpenBSD PF - anyone on-list with experience ?

2019-11-23 Thread Rachel Roch


Thanks all for your ideas.  I'll spend a little time on it over the next few 
days and see how far I can get.



22 Nov 2019, 16:34 by s...@spacehopper.org:

> On 2019-11-22, Peter N. M. Hansteen  wrote:
>
>> On Fri, Nov 22, 2019 at 12:56:51PM +0100, Rachel Roch wrote:
>>  
>>
>>> They sent me the following long email, it does mention inbound access but 
>>> seems like a bit of a generic answer if all those ports really need to be 
>>> opened inbound via PAT ?  I've asked Sonos to clarify exactly what is 
>>> required inbound (as opposed to stateful outbound), and am still awaiting a 
>>> reply !
>>>
>>> "If your firewall needs to be manually configured, refer to the port 
>>> numbers below and make sure inbound access is enabled for the Sonos 
>>> application.
>>>
>>
>> I get the feeling that there is some confusion at the support people's
>> end about what needs to be open inbound vs outbound.
>>
>
> Most users will not have a separate firewall device between Sonos and
> anything accessing it, only a host firewall on e.g. Windows machines
> running their software, and I think that is what their advice refers to.
>
> If it is indeed on a different subnet then there are other things
> that might need considering, like whether multicast can make it through.
>
> The other thing to consider if the various devices involved are all
> connected via wifi is whether client isolation is enabled.
>
> We really need a sketch/description of the desired setup to give
> further advice ..
>



Re: Sonos and OpenBSD PF - anyone on-list with experience ?

2019-11-22 Thread Stuart Henderson
On 2019-11-22, Peter N. M. Hansteen  wrote:
> On Fri, Nov 22, 2019 at 12:56:51PM +0100, Rachel Roch wrote:
>  
>> They sent me the following long email, it does mention inbound access but 
>> seems like a bit of a generic answer if all those ports really need to be 
>> opened inbound via PAT ?  I've asked Sonos to clarify exactly what is 
>> required inbound (as opposed to stateful outbound), and am still awaiting a 
>> reply !
>> 
>> "If your firewall needs to be manually configured, refer to the port numbers 
>> below and make sure inbound access is enabled for the Sonos application.
>
> I get the feeling that there is some confusion at the support people's
> end about what needs to be open inbound vs outbound.

Most users will not have a separate firewall device between Sonos and
anything accessing it, only a host firewall on e.g. Windows machines
running their software, and I think that is what their advice refers to.

If it is indeed on a different subnet then there are other things
that might need considering, like whether multicast can make it through.

The other thing to consider if the various devices involved are all
connected via wifi is whether client isolation is enabled.

We really need a sketch/description of the desired setup to give
further advice ..




Re: Sonos and OpenBSD PF - anyone on-list with experience ?

2019-11-22 Thread Peter N. M. Hansteen
On Fri, Nov 22, 2019 at 12:56:51PM +0100, Rachel Roch wrote:
 
> They sent me the following long email, it does mention inbound access but 
> seems like a bit of a generic answer if all those ports really need to be 
> opened inbound via PAT ?  I've asked Sonos to clarify exactly what is 
> required inbound (as opposed to stateful outbound), and am still awaiting a 
> reply !
> 
> "If your firewall needs to be manually configured, refer to the port numbers 
> below and make sure inbound access is enabled for the Sonos application.

I get the feeling that there is some confusion at the support people's end 
about what needs to be open inbound vs outbound. 

My guesses are

> Port (TCP)              Used for
> 80 and 443              Music services, radio, and Sonos account

pass proto tcp from $sonos to any port { http https } # reasonable, web radio and such

> 445 and 3445            Music library
> 3400, 3401, and 3500    Sonos app control

Almost certainly only needed to access your (in-house?) media storage. Start
with those blocked on egress. That is, assuming that all relevant in-house
devices are on the same net (as in the Sonos is not on a separate subnet).

> 4070                    Spotify Connect
>                         System updates

Sounds odd, I'd say again, start with those blocked on egress, pass only if
tests reveal they're needed (much like the earlier rule, pass only traffic
that the Sonos box initiates).

> Port (UDP)              Used for
> 136 through 139         Music library
> 1900 and 1901           Sonos app control
> 2869, 10243, and 10280 through 10284  Windows Media Sharing

These too sound like they are only useful for local network access, such as
if you have media stored on machines around the house.

> 5353                    Spotify Connect
> 6969                    Sonos setup"

I'd start with those closed, test the specific functionality that *might*
require those ports to be open, and again, I struggle to believe any claim
that you need to pass those *in*; in all likelihood a simple
pass proto udp from $sonos to those ports should do.

Anyway, please do go back to the simple starting point such as a default to
block, then add pass rules that allow traffic initiated by the Sonos box or
others in the local net. I'm almost certain you do not need to explicitly
allow anything initiated from the outside.

All the best,
Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Sonos and OpenBSD PF - anyone on-list with experience ?

2019-11-22 Thread Stuart Henderson
On 2019-11-22, Rachel Roch  wrote:
> Refuse to use Sonos myself, but am helping (or trying to) out a friend who 
> has a Sonos try to get things working with OpenBSD PF.
>
> I've simplified their PF ruleset to a simple swiss cheese (i.e. stateful NAT'd 
> allow any out to any).

What exactly are you trying to do, where is PF involved? Often
this type of device would be on the same subnet as clients so PF
wouldn't be in the way anyway.

Generally with PF and unknown protocols you want to make sure that
you are logging blocked packets, and then try things and watch
tcpdump -neipflog0 and figure out what changes you need in order
to permit them.
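The block-log-test loop described above, combined with the "pass only what the Sonos box initiates" approach from Peter's reply, as an added example that is not from this thread, Sonos or OpenBSD: a small Python triage script that reads `tcpdump -n -e -i pflog0` output, keeps only flows the Sonos box itself started, matches them against the port list Sonos sent, and emits candidate pf.conf pass rules for review. The pflog line shape, the `$sonos` macro, the interface names, the LAN prefix and the sample log lines are assumptions or constructed, not a real capture.

```python
import ipaddress
import re

def _ports(proto, spec):  # spec holds single ports and (lo, hi) ranges
    for p in spec:
        lo, hi = (p, p) if isinstance(p, int) else p
        yield from ((proto, n) for n in range(lo, hi + 1))

# Sonos' published port list exactly as quoted in this thread.
SONOS_PORTS = {key: why for proto, spec, why in [
    ("tcp", [80, 443], "Music services, radio, and Sonos account"),
    ("tcp", [445, 3445], "Music library"),
    ("tcp", [3400, 3401, 3500], "Sonos app control"),
    ("tcp", [4070], "Spotify Connect"),
    ("udp", [(136, 139)], "Music library"),
    ("udp", [1900, 1901], "Sonos app control"),
    ("udp", [2869, 10243, (10280, 10284)], "Windows Media Sharing"),
    ("udp", [5353], "Spotify Connect"),
    ("udp", [6969], "Sonos setup")] for key in _ports(proto, spec)}

# Assumed shape of one `tcpdump -n -e -i pflog0` line on OpenBSD; adjust if yours differs.
PFLOG_RE = re.compile(r"rule \d+/\(\w+\) block (?P<dir>in|out) on (?P<ifc>\w+): "
                      r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)")

def triage(pflog_text, sonos_ip, lan_net="192.168.0.0/16"):
    """Return (candidate pass rules for flows the Sonos box initiated, notes on what stays blocked)."""
    rules, notes, lan = {}, [], ipaddress.ip_network(lan_net)
    for m in filter(None, map(PFLOG_RE.search, pflog_text.splitlines())):
        proto = "udp" if m["rest"].startswith("udp") else "tcp"
        dport, dst = int(m["dport"]), ipaddress.ip_address(m["dst"])
        if m["src"] != sonos_ip:  # not initiated by the Sonos box: no inbound hole for it
            notes.append(f"leave blocked: {m['src']} -> {dst}:{dport}/{proto}")
            continue
        why = SONOS_PORTS.get((proto, dport), "NOT in Sonos list, verify before passing")
        if dst.is_multicast:  # a pass rule alone will not carry this between subnets
            notes.append(f"multicast {dst}:{dport}/{proto} ({why}) needs more than a pass rule")
            continue
        target = str(dst) if dst in lan else "any"  # in-house host vs. the internet
        rules[f"pass {m['dir']} on {m['ifc']} proto {proto} from $sonos to {target} port {dport}  # {why}"] = 1
    return list(rules), notes  # dict keys keep first-seen order and drop repeats

# Constructed sample, not a real capture: Sonos at 192.168.1.50, in-house NAS at 192.168.2.10.
SAMPLE = """\
Nov 22 12:01:03.110201 rule 0/(match) block out on em0: 192.168.1.50.49152 > 203.0.113.10.443: S 1:1(0) win 65535
Nov 22 12:01:03.220932 rule 0/(match) block out on em0: 192.168.1.50.49153 > 203.0.113.10.443: S 2:2(0) win 65535
Nov 22 12:01:04.004117 rule 0/(match) block in on em1: 192.168.1.50.49201 > 192.168.2.10.445: S 3:3(0) win 65535
Nov 22 12:01:05.318009 rule 0/(match) block out on em0: 192.168.1.50.51000 > 203.0.113.77.4070: S 4:4(0) win 65535
Nov 22 12:01:06.771234 rule 0/(match) block in on em1: 192.168.1.50.1901 > 239.255.255.250.1900: udp 120
Nov 22 12:01:07.002200 rule 0/(match) block in on em0: 198.51.100.9.54321 > 203.0.113.5.3400: S 5:5(0) win 64240
"""
```

Run `triage(SAMPLE, "192.168.1.50")` after a test session: the returned rules are a starting point to review, not something to load unread, and anything flagged as "NOT in Sonos list" deserves a second look before it gets a pass rule.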




Re: Sonos and OpenBSD PF - anyone on-list with experience ?

2019-11-22 Thread Rachel Roch


Hi Tom,

They sent me the following long email, it does mention inbound access but seems 
like a bit of a generic answer if all those ports really need to be opened 
inbound via PAT ?  I've asked Sonos to clarify exactly what is required inbound 
(as opposed to stateful outbound), and am still awaiting a reply !

"If your firewall needs to be manually configured, refer to the port numbers 
below and make sure inbound access is enabled for the Sonos application.
Port (TCP)                              Used for
80 and 443                              Music services, radio, and Sonos account
445 and 3445                            Music library
3400, 3401, and 3500                    Sonos app control
4070                                    Spotify Connect
                                        System updates
Port (UDP)                              Used for
136 through 139                         Music library
1900 and 1901                           Sonos app control
2869, 10243, and 10280 through 10284    Windows Media Sharing
5353                                    Spotify Connect
6969                                    Sonos setup"

22 Nov 2019, 11:32 by tom.sm...@wirelessconnect.eu:

> Hi Rachel,
> Does Sonos require UPnP support?
> (does Sonos require a few ports to be forwarded from your internet
> interface back into the Sonos device on the LAN)
> Is there a manual port forwarding that you can do to get around the
> UPnP requirement?
>
> On Fri, 22 Nov 2019 at 11:26, Rachel Roch  wrote:
>
>>
>> Hi,
>>
>> Refuse to use Sonos myself, but am helping (or trying to) out a friend who 
>> has a Sonos try to get things working with OpenBSD PF.
>>
>> I've simplified their PF ruleset to a simple swiss cheese (i.e. stateful 
>> NAT'd allow any out to any).
>>
>> Everything else they care to run on their network is running perfectly.  
>> Apart from their darn Sonos box.
>>
>> Sonos support are about as much use as a fart in a spacesuit, so I'm hoping 
>> there's somebody on this list who has already fought and won the Sonos 
>> battle ?
>>
>> Thanks !
>>
>> Rachel
>>
>
>
> -- 
> Kindest regards,
> Tom Smyth.
>



Re: Sonos and OpenBSD PF - anyone on-list with experience ?

2019-11-22 Thread Peter N. M. Hansteen
On Fri, Nov 22, 2019 at 12:16:49PM +0100, Rachel Roch wrote:
 
> Refuse to use Sonos myself, but am helping (or trying to) out a friend who 
> has a Sonos try to get things working with OpenBSD PF.
> 
> I've simplified their PF ruleset to a simple swiss cheese (i.e. stateful NAT'd 
> allow any out to any).
> 
> Everything else they care to run on their network is running perfectly.  
> Apart from their darn Sonos box.
> 
> Sonos support are about as much use as a fart in a spacesuit, so I'm hoping 
> there's somebody on this list who has already fought and won the Sonos battle 
> ?

It does look like the Sonos devices use a number of services out there - 
https://support.sonos.com/s/article/688?language=en_US 

No hands-on experience with that one myself (we ended up using a Bluesound 
Vault2 for our home music needs).

Cheers,
Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Sonos and OpenBSD PF - anyone on-list with experience ?

2019-11-22 Thread Tom Smyth
Hi Rachel,
Does Sonos require UPnP support?
(does Sonos require a few ports to be forwarded from your internet
interface back into the Sonos device on the LAN)
Is there a manual port forwarding that you can do to get around the
UPnP requirement?

On Fri, 22 Nov 2019 at 11:26, Rachel Roch  wrote:
>
> Hi,
>
> Refuse to use Sonos myself, but am helping (or trying to) out a friend who 
> has a Sonos try to get things working with OpenBSD PF.
>
> I've simplified their PF ruleset to a simple swiss cheese (i.e. stateful NAT'd 
> allow any out to any).
>
> Everything else they care to run on their network is running perfectly.  
> Apart from their darn Sonos box.
>
> Sonos support are about as much use as a fart in a spacesuit, so I'm hoping 
> there's somebody on this list who has already fought and won the Sonos battle 
> ?
>
> Thanks !
>
> Rachel
>


-- 
Kindest regards,
Tom Smyth.



Sonos and OpenBSD PF - anyone on-list with experience ?

2019-11-22 Thread Rachel Roch
Hi,

Refuse to use Sonos myself, but am helping (or trying to) out a friend who has 
a Sonos try to get things working with OpenBSD PF.

I've simplified their PF ruleset to a simple swiss cheese (i.e. stateful NAT'd 
allow any out to any).

Everything else they care to run on their network is running perfectly.  Apart 
from their darn Sonos box.

Sonos support are about as much use as a fart in a spacesuit, so I'm hoping 
there's somebody on this list who has already fought and won the Sonos battle ?

Thanks !

Rachel