Firewall Issues

Help
Elliott
2011-01-16
2013-05-30
  • Elliott
    2011-01-16

    I'm running mediatomb 0.12.1 and have the port configured to 50500 (confirmed in the logs). On a remote linux machine (Opensuse 11.3) I have ports 1900 and 50500 open and can connect to the web UI through my browser but cannot find the UPnP server with XBMC unless I disable the SUSE firewall. If I let XBMC sit for about 5 minutes eventually I can access the UPnP or if I disable the firewall I can access them instantly. Are there other ports I should open up?

    XBMC gives this error in their logs (I'm also going to open up a post over at their forums):

    22:04:28 T:140330623027264 M:1176035328   ERROR: GetDirectory - Error getting upnp://999ac040-a3e2-439f-a720-a824d05f8ef7/4/
    22:04:28 T:140330623027264 M:1176035328   ERROR: CGUIMediaWindow::GetDirectory(upnp://999ac040-a3e2-439f-a720-a824d05f8ef7/4/) failed
    

    Thanks!

     
  • 1900 should suffice, or at least it does for me…

     
  • Elliott
    2011-01-16

    Can you recommend another UPnP client I could use to check if it's just XBMC?

     
  • I forgot to mention that the protocol is UDP. To test from a linux box, you can use nc:

    nc -zu <ip_address> 1900

    where <ip_address> is your mediatomb server address. You should get something like:

    Connection to xxx.xxx.xxx.xxx 1900 port  succeeded!

     
  • Elliott
    2011-01-17

    I have UDP and TCP open for 1900. I have netcat instead of nc. Here's the output:

    netcat -zuv 192.168.1.165 1900
    192.168.1.165: inverse host lookup failed: 
    (UNKNOWN) [192.168.1.165] 1900 (ssdp) open
    
     
  • Despite the reverse lookup warning, it looks like the command succeeded.
    The failed message is there just to warn that no DNS has been set up for your private network and therefore the IP address could not be translated to a domain name. The following line reports, in fact, that for host UNKNOWN, port 1900 is open.

     
  • Elliott
    2011-01-17

    Looks like this is leaning towards an XBMC issue then. I'll proceed over there. Thanks for the help.

     
  • Elliott
    2011-01-17

    One last thing:

    I watched the firewall logs and got this:

    Jan 16 14:09:12 linux-jy1p kernel: [69527.073416] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.165 DST=192.168.1.3 LEN=323 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=56568 DPT=14788 LEN=303 
    Jan 16 14:09:12 linux-jy1p kernel: [69527.074669] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=14788 LEN=258 
    Jan 16 14:09:12 linux-jy1p kernel: [69527.074931] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=14788 LEN=258 
    Jan 16 14:09:12 linux-jy1p kernel: [69527.170536] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.165 DST=192.168.1.3 LEN=323 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51260 DPT=14788 LEN=303 
    Jan 16 14:10:02 linux-jy1p kernel: [69577.119205] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=14788 LEN=258 
    Jan 16 14:10:02 linux-jy1p kernel: [69577.120662] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=14788 LEN=258
    

    So then I opened 14788 and then the log showed:

    Jan 16 14:21:08 linux-jy1p kernel: [70243.710369] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=5534 LEN=258 
    Jan 16 14:21:08 linux-jy1p kernel: [70243.714844] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=5534 LEN=258 
    Jan 16 14:21:08 linux-jy1p kernel: [70243.715762] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.165 DST=192.168.1.3 LEN=323 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53222 DPT=5534 LEN=303 
    Jan 16 14:21:09 linux-jy1p kernel: [70244.825636] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.165 DST=192.168.1.3 LEN=323 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=52881 DPT=5534 LEN=303 
    Jan 16 14:21:58 linux-jy1p kernel: [70293.760739] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=5534 LEN=258 
    Jan 16 14:21:58 linux-jy1p kernel: [70293.761768] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=5534 LEN=258 
    Jan 16 14:21:58 linux-jy1p kernel: [70293.828136] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.165 DST=192.168.1.3 LEN=323 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=60705 DPT=5534 LEN=303
    

    Does the DPT (destination port http://logi.cc/en/2010/07/netfilter-log-format/) need to be open? If so, any idea why are these random numbers being picked?
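
The drops quoted above share a pattern: UDP datagrams from several LAN hosts, some with source port 1900, all addressed to one high port on the laptop, which is consistent with unicast SSDP search replies that connection tracking does not tie to the multicast query that prompted them. The following is an added example, not part of the original thread; the function names and the grouping heuristic are this example's own assumptions.

```python
import re
from collections import defaultdict

# Four drop lines copied from the firewall log quoted in the post above.
SAMPLE_LOG = """\
Jan 16 14:09:12 linux-jy1p kernel: [69527.073416] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.165 DST=192.168.1.3 LEN=323 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=56568 DPT=14788 LEN=303
Jan 16 14:09:12 linux-jy1p kernel: [69527.074669] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=14788 LEN=258
Jan 16 14:21:08 linux-jy1p kernel: [70243.710369] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.3 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=5534 LEN=258
Jan 16 14:21:08 linux-jy1p kernel: [70243.715762] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=192.168.1.165 DST=192.168.1.3 LEN=323 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53222 DPT=5534 LEN=303
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_drop(line):
    """Return the KEY=VALUE fields of one netfilter log line as a dict."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # LEN appears twice; keep the IP length
    return fields

def ssdp_reply_drops(log_text):
    """Group dropped UDP packets by (DST, DPT) and keep the groups that look
    like unicast SSDP search replies arriving on a client-chosen port."""
    groups = defaultdict(lambda: {"count": 0, "sources": set(), "from_1900": 0})
    for line in log_text.splitlines():
        if "DROP" not in line:
            continue
        f = parse_drop(line)
        if f.get("PROTO") != "UDP" or "DPT" not in f:
            continue
        dpt = int(f["DPT"])
        if dpt < 1024 or dpt == 1900:  # a service port, not a reply port
            continue
        g = groups[(f.get("DST"), dpt)]
        g["count"] += 1
        g["sources"].add(f.get("SRC"))
        g["from_1900"] += f.get("SPT") == "1900"
    # Heuristic (assumption of this example): flag a port when a sender used
    # source port 1900 or when more than one host sent to the same port.
    return {k: g for k, g in groups.items()
            if g["from_1900"] or len(g["sources"]) > 1}
```

On the sample this reports two groups, ports 14788 and 5534 on 192.168.1.3, each hit by both 192.168.1.1 and 192.168.1.165, matching the change of DPT seen between the two log excerpts.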

     
  • Since on my mediatomb server those ports are closed, I assume that they are not needed for mediatomb to work. Maybe a few more words about your actual setup would help. I read your thread on the xbmc forum and I assume you have mediatomb installed on an OpenSuSe box protected by a firewall and are trying to access mediatomb from your laptop (running Ubuntu and xbmc) and your wife's laptop running Vista. You can access mediatomb from your wife's laptop with the firewall on but, in order to access mediatomb from xbmc on your Ubuntu laptop, you have to turn the firewall off on the mediatomb server running OpenSuSe. Is that correct?

     
  • Also, 192.168.1.3 is your MediaTomb server, whose logs are shown above, 192.168.1.1 is your laptop running xbmc and 192.168.1.165 is your wife's laptop, correct?

     
  • Elliott
    2011-01-17

    Close, Mediatomb is on opensuse 11.3, my laptop is running opensuse 11.3 (x86) with XBMC on it. My laptop is assigned an IP dynamically (currently it is 192.168.1.3) and the mediatomb box is static at 192.168.1.165. 192.168.1.1 should be the router. Wife's IP is 192.168.1.4. Those firewall logs are from my laptop.

     
  • Ok, at this point, and especially since xbmc on your wife's Vista laptop can connect to mediatomb fine, I think we can rule out 192.168.1.165 (mediatomb server). Have you tried opening port 1900 on 192.168.1.3 (your laptop) too?

     
  • Also, have you opened port 9777 UDP on 192.168.1.3 (your laptop), as this thread suggests?

     
  • Elliott
    2011-01-17

    Yes 1900 is open on the laptop and I just opened 9777 as well, though that seems to be for connecting one XBMC to another. Still same results.

     
  • Elliott
    2011-01-18

    One more thing I've been playing with, my router has a "UPnP" section with

    Advertisement Period (in minutes)
    Advertisement Time To Live (in hops)

    UPnP Portmap Table

    Options I've been playing with (with another option to turn it off) but no combination of options seems to make a difference for me.

     
  • I am running out of ideas… A couple more things to try: Do you remember if you had to open any ports on your wife's laptop when connecting to your mediatomb server from there? What software does OpenSuse use to set up iptables? Maybe you could also try posting your firewall setup for both the mediatomb server and your laptop. The command

    /sbin/iptables -L

    given as root from a terminal should do the job. This is where I would concentrate my attention, given that:

    1. The mediatomb server seems to be working fine. In fact,
    2. XBMC on your wife's laptop running Vista works
    3. If you turn off the firewall on your laptop, XBMC works fine from there too

    Ergo, I would experiment with your laptop's firewall settings in a bit more detail. It could also be a difference between XBMC Windows and Linux versions, but since that is the worst option, I would tend to rule that out for the time being…

     
  • Jin
    2011-01-18

    You should only need to open 1900 and the web port (in your case 50500) both UDP and TCP, nothing else. And also make sure MT binds to the correct network interface in case you have more than one on your server.

     
  • Hi jin_eld, since you joined the discussion, let me ask you a question: Does SSDP need port 1900 to be open on the control point too? That is, is the discovery process one way only (server->client) or does a new client advertise its presence when joining the network so that a stateful firewall will allow the connection?

     
  • Jin
    2011-01-18

    It really depends on the type of the device; there are control points that will search for others and that will listen for others, but that will not announce their presence, because they are not offering any external services.

    But - if they subscribe to services they will have to have at least some ports open because others will post their events to the subscribed URL. This part is not SSDP however and happens via the webserver port.
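
The search side of the discovery exchange discussed above, as an added example that is not part of the original thread or of MediaTomb or XBMC: a control point multicasts an M-SEARCH from a port the operating system picks, and each device answers with a unicast datagram to that same port. The function names are this example's own, and the sample reply is constructed (the `/description.xml` path in particular is a placeholder).

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)  # SSDP multicast address and port

def build_msearch(st="ssdp:all", mx=2):
    """Build the M-SEARCH datagram a control point multicasts to find devices."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode("ascii")

def parse_reply(data):
    """Parse a unicast search reply into (status_ok, headers)."""
    head = data.decode("utf-8", "replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0].startswith("HTTP/1.1 200"), headers

def discover(timeout=3.0):
    """Send one M-SEARCH and collect replies. Returns (local_port, replies);
    local_port is the ephemeral port every reply is addressed to."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        local_port = sock.getsockname()[1]  # bound implicitly by sendto()
        while True:
            data, addr = sock.recvfrom(4096)
            ok, headers = parse_reply(data)
            if ok:
                replies.append((addr, headers.get("LOCATION"), headers.get("ST")))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return local_port, replies

# Constructed reply, shaped like one a media server sends back (placeholder path).
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\n"
                b"CACHE-CONTROL: max-age=1800\r\n"
                b"LOCATION: http://192.168.1.165:50500/description.xml\r\n"
                b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
                b"USN: uuid:999ac040-a3e2-439f-a720-a824d05f8ef7\r\n\r\n")
```

Running `discover()` once with the local firewall enabled and once with it disabled, and comparing the returned `local_port` with the DPT values in the firewall log, shows whether the dropped packets are the replies to that search.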

     
  • So, longlivegd, you may want to try with port 80 open too to see if the situation improves…

     
  • Elliott
    2011-01-18

    Thanks guys, I will work on this again tonight after I get home from work. I went to show my wife the setup on her laptop last night and guess what? Her laptop couldn't find the UPnP server. This is such a weird little issue.

     
  • Elliott
    2011-01-18

    I was mistaken this morning about my wife's Vista laptop, I forgot I moved the files around. It is still one click, immediate access to the UPnP server from her laptop.

    Opened port 80 on local and remote machines with no change. I should also make mention that disabling the firewall on the remote machine does not fix the problem, only when I disable it on the local machine. 1900 is open on remote and 50500.

    Here's the iptables info: http://pastebin.ubuntu.com/555569/

     
  • Elliott
    2011-01-18

    Well after reading this post: http://forum.xbmc.org/showthread.php?t=39835&highlight=scraper+upnp&page=4

    It seems like what I'm really after is to share via samba. I've had difficulty getting samba to work in the past (to share a printer) but I think at this point my best option is to try this again with samba. 

    Thanks for the help guys. Mediatomb seems like a great application with intuitive configuration and I will definitely use it in the future if I ever need UPnP again.