owntone / owntone-server

Linux/FreeBSD DAAP (iTunes) and MPD audio server with support for AirPlay 1 and 2 speakers (multiroom), Apple Remote (and compatibles), Chromecast, Spotify and internet radio.
https://owntone.github.io/owntone-server
GNU General Public License v2.0

forked-daapd and ufw firewall #96

Closed snizzleorg closed 1 year ago

snizzleorg commented 9 years ago

I have the following in my log as soon as I activate the ufw firewall of the ubuntu system where forked-daad is running.

[2015-01-29 19:17:00] [  LOG]     raop: RECORD request failed in session startup: 500 Internal Server Error
[2015-01-29 19:17:00] [  LOG]   player: Cannot start playback: no output started
[2015-01-29 19:17:00] [  LOG]     dacp: Could not start playback

Of course I have the port forked-daapd is running enabled:

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
3689 (forked-daapd)        ALLOW IN    Anywhere
5353/udp (avahi)           ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
3689 (forked-daapd (v6))   ALLOW IN    Anywhere (v6)
5353/udp (avahi (v6))      ALLOW IN    Anywhere (v6)

forked-daapd is indeed advertising its services on this port, checked via bonjour browser.

any idea why this is happening?

ejurgensen commented 9 years ago

Looks like it blocks the rtsp connection? You can try this: sudo ufw allow from 192.168.0.0/24 to any port proto udp (provided that is your lan subnet)

This will obviously weaken your firewall a bit, but I can't think of anything better right now. I think the ports are dynamic.

snizzleorg commented 9 years ago

Well, that would open it completely for the intranet, which of course I don't want, as it would then be easier to simply turn off the firewall.

I probably could open the firewall for the IPs of the AirPlay speakers ... is that what the RTSP is used for? Also, which port is used for this?

snizzleorg commented 9 years ago

When I get home I will try to open port 5000, as all the AirPlay devices advertise port 5000:

avahi-browse -alr
=   eth0 IPv4 001B63235A8B@kitchentunes                     AirTunes Remote Audio local
   hostname = [airtunes.local]
   address = [192.168.178.93]
   port = [5000]
   txt = ["tp=TCP,UDP" "sm=false" "sv=false" "ek=1" "et=0,1" "cn=0,1" "ch=2" "ss=16" "sr=44100" "pw=false" "vn=3" "txtvers=1"]

ejurgensen commented 9 years ago

That's the port that forked-daapd connects to, so that would be an outgoing connection. I don't think you need firewall rules for that. Also, you can't count on it always being 5000.

I think the ports you need to open are the timing and control ports opened by forked-daapd. You can see what they are in the log if you set the log level to debug. To find them in the log: "grep raop /var/log/forked-daapd.log | grep port". You might also be able to find the ports with netstat.

But again, I don't think you can count on these ports being static.

snizzleorg commented 9 years ago

Cool. Thanks!

[2015-01-30 10:46:29] [DEBUG]     raop: Timing IPv4 port: 57207
[2015-01-30 10:46:29] [DEBUG]     raop: Control IPv4 port: 59973

This is now my /etc/ufw/applications.d/forked-daapd, for those interested:

[forked-daapd]
title=forked-daapd
description=iTunes Media Server
ports=3689,57207,59973

I can only test this once I get back, but I'll keep you posted.
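The procedure above (enable debug logging, grep the raop timing and control ports out of the log, and put them into a ufw application profile) can be scripted so the profile is regenerated from whatever ports the current forked-daapd instance actually bound, which is narrower than allowing all UDP from the LAN. This is an added example, not code from the thread or from the forked-daapd/OwnTone project; the function names and the sample log file are constructed here, and the sample log lines reuse the port numbers quoted in the comment above.

```shell
#!/bin/sh
# Added example: build a ufw application profile for forked-daapd from the
# RAOP timing/control ports found in its debug log. Hypothetical helper names.

# Print the RAOP timing and control port numbers found in a forked-daapd log,
# one per line, deduplicated. Usage: raop_ports /var/log/forked-daapd.log
raop_ports() {
  awk '/raop:/ && /(Timing|Control) IPv[46] port:/ { print $NF }' "$1" | sort -un
}

# Write a ufw application profile (same INI layout as the one in the thread):
# 3689/tcp for DAAP plus the extracted RAOP ports as UDP.
# Usage: write_profile LOGFILE OUTFILE
write_profile() {
  ports=$(raop_ports "$1" | tr '\n' ',' | sed 's/,$//')
  if [ -z "$ports" ]; then
    echo "no raop timing/control ports found in $1 (is log level set to debug?)" >&2
    return 1
  fi
  cat > "$2" <<EOF
[forked-daapd]
title=forked-daapd
description=iTunes Media Server
ports=3689/tcp|$ports/udp
EOF
}

# Constructed sample log, modelled on the debug lines quoted in the thread.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[2015-01-30 10:46:29] [DEBUG]     raop: Timing IPv4 port: 57207
[2015-01-30 10:46:29] [DEBUG]     raop: Control IPv4 port: 59973
[2015-01-30 10:46:30] [  LOG]     raop: RECORD request failed in session startup: 500 Internal Server Error
EOF

# Demo: generate the profile into a temporary file and show it.
SAMPLE_PROFILE=$(mktemp)
write_profile "$SAMPLE_LOG" "$SAMPLE_PROFILE"
cat "$SAMPLE_PROFILE"
```

In real use the output path would be /etc/ufw/applications.d/forked-daapd, followed by `ufw app update forked-daapd` and a rule such as `ufw allow from 192.168.178.0/24 to any app forked-daapd` restricted to the speaker subnet. Because the timing and control ports are chosen dynamically, as ejurgensen notes, the script has to be rerun after each forked-daapd restart; it does not turn the ports into a static general solution.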

snizzleorg commented 9 years ago

The above rules are working. Maybe it's a good idea to include the applications file?

ejurgensen commented 9 years ago

Like I mentioned, those ports are not static, so it won't work as a general solution.

hacketiwack commented 1 year ago

An answer seems to have been given for that issue. Shouldn't it be closed?

ejurgensen commented 1 year ago

Yes, agree, closing it here!

kulak commented 1 year ago

Since the port is dynamic, it seems the best option is to allow UDP traffic from the LAN. Something like this, but with your network addresses:

ufw allow from 10.0.1.0/24 to any proto udp comment 'multicast IPv4'
ufw allow from fd04:1bb:ab66:4c90::/64 to any proto udp comment 'multicast IPv6'