On Friday, 7 December 2012 Tom Eastep wrote:
> On 12/06/2012 11:16 PM, Dr. Harry Knitter wrote:
> > On Thursday, 6 December 2012 Tom Eastep wrote:
> >> Try adding these rules:
> >>
> >> REDIRECT zone-of-the-tv:address-of-the-tv 1900 udp port-tv-is-sending-to
> >>
> >> ACCEPT $FW zone-of-the-tv:address-of-the-tv udp
> >>
> >> -Tom
> >> You do not need a parachute to skydive. You only need a parachute to
> >> skydive twice.
> >
> > I have tried the following rules:
> >
> > REDIRECT ext:192.168.178.24 $FW::1900 udp 32410
> > ACCEPT:info ext:192.168.178.24 $FW:192.168.178.3 udp 1900
> >
> > In syslog we have
> >
> > Dec 7 08:12:17 bitgully kernel: [ 3428.094905] Shorewall:ext_dnat:REDIRECT:IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:e8:5b:5b:44:1c:7f:08:00 SRC=192.168.178.24 DST=239.255.255.250 LEN=51 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=46710 DPT=32410 LEN=31
> > Dec 7 08:12:22 bitgully kernel: [ 3433.096257] Shorewall:ext_dnat:REDIRECT:IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:e8:5b:5b:44:1c:7f:08:00 SRC=192.168.178.24 DST=239.255.255.250 LEN=51 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=43212 DPT=32410 LEN=31
> >
> > No incoming packets on udp 1900 are registered.
> >
> > tshark still shows:
> > 15.004511 192.168.178.24 -> 239.255.255.250 UDP Source port: 44414 Destination port: 32410
> > 16.004916 192.168.178.24 -> 239.0.0.250 UDP Source port: 50273 Destination port: 32414
> >
> > The DLNA server cannot be found.
>
> What multi-port address is the server listening on (netstat -unap)?
>
> -Tom

udp 0 0 0.0.0.0:1900 0.0.0.0:* 3311/mediatomb
udp 0 0 127.0.0.1:37879 0.0.0.0:* 3311/mediatomb

What I have done since my last posting: I opened the udp ports the tv is sending to (32410 and 32414) and the ports the server is listening on, except the port for localhost (i.e. tcp 49152 and udp 1900), and got the server connected. However, not always, and then it takes up to 20 minutes until the DLNA server is found. The firewall log shows ACCEPT for ports 32410 udp and 49152 tcp.

What I do not understand is:
Why didn't I get DROPs for ports 32410 and 32414 before opening these ports?
Why aren't there ACCEPTs for port 32414 while tshark is telling me that packets to this port come in?
How does the tv connect to the DLNA server when there are no corresponding ports (except tcp 49152 when connected)?

I have to watch the behavior of this connection to find out how to make it more reliable, i.e., that the tv finds the server always and faster. It is not very amazing having guests who want to see some photos and the system does not work as expected :-(

I know that uPnP and DLNA are crap, especially from the security point of view. Being a little paranoid, I even don't want to open more holes in my firewall than necessary and restrict these only holes to those devices who need them.

Thanks for your tips
Harry

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
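The questions above (which dispositions the log actually shows for ports 32410, 32414 and 1900) can be answered from the syslog lines themselves. The following is an added example, not code from the thread or from Shorewall: it parses the kernel log lines Shorewall emits, counts packets per disposition and destination port, and flags multicast destinations such as 239.255.255.250. The two REDIRECT lines are the ones quoted in the thread; the DROP line, its chain name and its field values are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Shorewall logs through netfilter LOG with the prefix "Shorewall:<chain>:<disposition>:"
# followed by key=value fields (bare flags such as DF carry no '=').
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Sample log: the two REDIRECT lines are quoted from the thread; the DROP line
# is constructed here to show how a unicast packet to port 32414 would look.
SAMPLE_LOG = [
    "Dec 7 08:12:17 bitgully kernel: [ 3428.094905] Shorewall:ext_dnat:REDIRECT:IN=eth0 OUT= "
    "MAC=01:00:5e:7f:ff:fa:e8:5b:5b:44:1c:7f:08:00 SRC=192.168.178.24 DST=239.255.255.250 "
    "LEN=51 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=46710 DPT=32410 LEN=31",
    "Dec 7 08:12:22 bitgully kernel: [ 3433.096257] Shorewall:ext_dnat:REDIRECT:IN=eth0 OUT= "
    "MAC=01:00:5e:7f:ff:fa:e8:5b:5b:44:1c:7f:08:00 SRC=192.168.178.24 DST=239.255.255.250 "
    "LEN=51 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=43212 DPT=32410 LEN=31",
    "Dec 7 08:13:05 bitgully kernel: [ 3476.000000] Shorewall:ext2fw:DROP:IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:e8:5b:5b:44:1c:7f:08:00 SRC=192.168.178.24 DST=192.168.178.3 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=50273 DPT=32414 LEN=40",
]

def parse_line(line):
    """Return a dict of fields for one Shorewall log line, or None for other lines."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disp": m.group("disp")}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec.setdefault(key, val)  # keep the IP-level LEN, not the later UDP LEN
    # Multicast destinations (224.0.0.0/4) are discovery traffic, not a unicast session.
    rec["multicast"] = "DST" in rec and ip_address(rec["DST"]).is_multicast
    return rec

def summarize(lines):
    """Count packets per (disposition, protocol, destination port, multicast?)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["disp"], rec.get("PROTO"), rec.get("DPT"), rec["multicast"])] += 1
    return counts

def dispositions_for_port(lines, dport):
    """Set of dispositions (ACCEPT/DROP/REDIRECT/...) the log shows for a destination port."""
    return {r["disp"] for r in map(parse_line, lines) if r and r.get("DPT") == str(dport)}

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{key}: {n}")
```

An empty set from dispositions_for_port for a port that tshark sees means no rule with logging enabled matched those packets, which is the first thing to check before opening the port.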
