Fedora firewall with UPnP

firewallfirewalldupnp

I'm using Fedora 15 and Transmission BT client. Transmission can't open ports unless the firewall is disabled.

I searched some posts that said add 1900 to the trusted ports, or via a iptable rule: -A INPUT -m state --state NEW -m udp -p udp --sport 1900 -j ACCEPT". However, Transmission can't open ports anyway.

I also tested with upnp-inspector, which is better than Transmission, it could detect my upnp router after add 1900 to the trusted ports, but the detection is slower than if the firewall is disabled.

Any ideas on how to let Transmission UPnP works with the Firewall?

Best Answer

First thing you need to know is how UPnP IGD protocol is working. You choose random local UDP port and from it you send discovery request to well-known multicast address 239.255.255.250 and UDP port 1900. UPnP IGD server (running on your router) listen for those multicast queries and send you back unicast UDP reply from randomly chosen port to your ip address and port from which discovery request was sent. But such reply is not paired by conntrack iptables module to your sent request so, received reply is dropped by iptables. This is why enabling all UDP ports or disabling firewall helped. In that UDP reply is location of your UPnP IGD server and client then establish classic TCP connection with UPnP IGD server. So the only problem is how to write a rule for receiving UDP reply to that multicast discovery request.

Via ipset it is possible. I described it in answer at https://serverfault.com/a/911286:

$ ipset create upnp hash:ip,port timeout 3
$ iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
$ iptables -A INPUT -p udp -m set --match-set upnp dst,dst -j ACCEPT

In IPv6 are UPnP packets sent to multicast address ff02::c or ff05::c. So rules would look like:

$ ipset create upnp6 hash:ip,port timeout 3 family inet6
$ ip6tables -A OUTPUT -d ff02::c/128 -p udp -m udp --dport 1900 -j SET --add-set upnp6 src,src --exist
$ ip6tables -A OUTPUT -d ff05::c/128 -p udp -m udp --dport 1900 -j SET --add-set upnp6 src,src --exist
$ ip6tables -A INPUT -p udp -m set --match-set upnp6 dst,dst -j ACCEPT

Some UPnP servers (but not all) periodically (e.g. every 30s) announce theirself via multicast UDP packet to well-known address/port. If you have such server and also client which is listening for these multicast packets, then iptables rule very is simple:

$ iptables -A INPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT

And equivalent for IPv6:

$ ip6tables -A INPUT -d ff02::c/128 -p udp -m udp --dport 1900 -j ACCEPT
$ ip6tables -A INPUT -d ff05::c/128 -p udp -m udp --dport 1900 -j ACCEPT

In your question you described something similar to above iptables rule, but you have did one big mistake: You specified source port, instead of destination: --sport 1900. UPnP UDP packets are sent from random source ports to fixed destination port 1900.

You also described that upnp-inspector can detect your UPnP IGD router after you added port 1900 to trusted (probably both source and destination), but it was slower as disabling firewall. This perfectly matches above description of periodic announcement as upnp-inspector was waiting when your router send next announce packet.

Related Solutions

Linux – Uncomplicated Firewall (UFW) and UPNP

You seem to be close to the answer. The easiest thing to do is to temporarily turn off the firewall let your media boxes run for a couple of minutes and then check the output from lsof

lsof -i :1025-9999 +c 15

The -i lists "files" corresponding to an open port, use -i4 to restrict to IPv4 only. The number list restricts this to a list of port numbers - miss it off if you want everything. The +c bit just gives you more meaningfull command names associated with the ports

netstat -lptu --numeric-ports

This lists all of the active ports along with their protocol and source/target address.

With this information, you can build a script to set ufw correctly. Here is my script by way of example:

#!/bin/sh

# Set up local firewall using ufw (default install on Ubuntu)
# @see /etc/services for port names


# obtain server's IP address
SERVERIP=192.168.1.181

# Local Network
LAN="192.168.0.0/255.255.0.0"

# disable firewall
ufw disable

# reset all firewall rules
ufw reset

# set default rules: deny all incoming traffic, allow all outgoing traffic
#ufw default allow incoming
ufw default deny incoming
ufw default allow outgoing

# open port for SSH
ufw allow OpenSSH

# open port for Webmin
ufw allow webmin

# open ports for Samba file sharing
ufw allow from $LAN to   $SERVERIP app Samba
ufw allow to   $LAN from $SERVERIP app Samba

#ufw allow from $LAN to $SERVERIP 137/udp # NetBIOS Name Service
#ufw allow from $LAN to $SERVERIP 138/udp # NetBIOS Datagram Service
#ufw allow from $LAN to $SERVERIP 139/tcp # NetBIOS Session Service
#ufw allow from $LAN to $SERVERIP 445/tcp # Microsoft Directory Service

# open ports for Transmission-Daemon
ufw allow 9091
ufw allow 20500:20599/tcp
ufw allow 20500:20599/udp

# Mediatomb
## upnp service discovery
ufw allow 1900/udp
## Mediatomb management web i/f
ufw allow 49152

# Plex Media Server
## Manage
ufw allow 32400

# open port for MySQL
ufw allow proto tcp from $LAN to any port 3306

# open ports for web services
ufw allow 80
ufw allow 443
ufw allow 8000:9999/tcp
ufw allow 8000:9999/udp

# Deny FTP
ufw deny 21/tcp

# Webmin/usermin allow
ufw allow webmin
ufw allow 20000

# open port for network time protocol (ntpd)
ufw allow ntp

# Allow Firefly (DAAP)
ufw allow 3689

# enable firewall
ufw enable

# list all firewall rules
ufw status verbose

You should be able to see from the Mediatomb section that uPNP is working on the standard port 1900 over UDP (not TCP) and is open in both directions, this is the main port for you. But you can also see that there are numerous other ports required for specific services.

Fedora Firewall – Default Allowed Ports on Workstation and Server

Look at the default zone definitions in /usr/lib/firewalld/zones/, and cross-reference them against /usr/lib/firewalld/services/.

FedoraWorkstation.xml

Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.

  <service name="dhcpv6-client"/> <!-- udp 546 from fe80::/64 only -->
  <service name="ssh"/>           <!-- tcp 22 -->
  <service name="samba-client"/>  <!-- udp 137,138, plus nf_conntrack_netbios_ns -->
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>

FedoraServer.xml

For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

  <service name="ssh"/>           <!-- tcp 22 -->
  <service name="dhcpv6-client"/> <!-- udp 546 from fe80::/64 only -->
  <service name="cockpit"/>       <!-- tcp 9090 -->

("cockpit" is implemented as a web server running on TCP port 9090. It uses HTTPS and password authentication. There is an alternative option to use SSH and SSH key authentication as well).

Does it allow MDNS / avahi?

This is slightly confusing when you look at the package. The package includes a patch to enable MDNS by default, but it does not touch either of these files. Nevertheless, MDNS will be allowed on Fedora Workstation. The standard MDNS port is 5353, which is in the "high ports" that Fedora Workstation allows (1025-65535).

The MDNS patch pre-dates FedoraWorkstation.xml and FedoraServer.xml in Fedora 21 (2014-12-09). This was the first release of Fedora to be split into Workstation and Server editions. In Fedora 20, the default zone definition was public.xml and it allowed MDNS.

Fedora 21 and its Workstation firewall -- LWN.net, 2014-12-17

https://src.fedoraproject.org/rpms/firewalld/tree/f28

Date: Mon, 6 Aug 2012 10:01:09 +0200
Subject: [PATCH] Make MDNS work in all but the most restrictive zones

MDNS is a discovery protocol, and much like DNS or DHCP should
be available for the network to function as expected.

Avahi (the main MDNS) implementation has taken steps to make sure
no private information is published by default.

See: https://fedoraproject.org/wiki/Desktop/Whiteboards/AvahiDefault