Closed snizzleorg closed 1 year ago
Looks like it blocks the rtsp connection? You can try this: sudo ufw allow from 192.168.0.0/24 to any proto udp (provided that is your LAN subnet)
This will obviously weaken your firewall a bit, but I can't think of anything better right now. I think the ports are dynamic.
Well, that would open it completely for the intranet, which of course I don't want, as it would be easier to simply turn off the firewall.
I probably could open the firewall for the IPs of the AirPlay speakers ... is that what the rtsp is used for? Also, which port is used for this?
When I get home I will try to open port 5000, as all the AirPlay devices advertise port 5000.
avahi-browse -alr
= eth0 IPv4 001B63235A8B@kitchentunes AirTunes Remote Audio local
hostname = [airtunes.local]
address = [192.168.178.93]
port = [5000]
txt = ["tp=TCP,UDP" "sm=false" "sv=false" "ek=1" "et=0,1" "cn=0,1" "ch=2" "ss=16" "sr=44100" "pw=false" "vn=3" "txtvers=1"]
That's the port that forked-daapd connects to, so that would be an outgoing connection. I don't think you need firewall rules for that. Also, you can't count on it always being 5000.
I think the ports you need to open are the timing and control ports opened by forked-daapd. You can see what they are in the log if you set the log level to debug. To find them in the log: "grep raop /var/log/forked-daapd.log | grep port". You might also be able to find the ports with netstat.
But again, I don't think you can count on these ports being static.
Cool. Thanks
[2015-01-30 10:46:29] [DEBUG] raop: Timing IPv4 port: 57207
[2015-01-30 10:46:29] [DEBUG] raop: Control IPv4 port: 59973
This is now my /etc/ufw/applications.d/forked-daapd, for those interested:
[forked-daapd]
title=forked-daapd
description=iTunes Media Server
ports=3689,57207,59973
I can only test this once I get back, but I'll keep you posted.
The above rules are working. Maybe it's a good idea to include the applications file?
Like I mentioned, those ports are not static, so it won't work as a general solution.
An answer seems to have been given for that issue. Shouldn't it be closed?
Yes, agree, closing it here!
Since the port is dynamic, it seems the best option is to allow UDP traffic from the LAN. Something like this, but with your network addresses:
ufw allow from 10.0.1.0/24 to any proto udp comment 'multicast IPv4'
ufw allow from fd04:1bb:ab66:4c90::/64 to any proto udp comment 'multicast IPv6'
I have the following in my log as soon as I activate the ufw firewall of the Ubuntu system where forked-daapd is running.
Of course I have the port forked-daapd is running enabled:
forked-daapd is indeed advertising its services on this port, checked via bonjour browser.
Any idea why this is happening?
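A narrower alternative to opening all UDP from the LAN, as an added example that is not part of forked-daapd, ufw or this thread: a POSIX sh script that reads the `raop: ... IPv4 port:` debug lines in the format quoted above and prints ufw rules limited to named speaker addresses and the ports currently in the log. The function names and the second pair of log lines are constructed, and it assumes the speakers reach the timing and control ports from their own addresses; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example: derive speaker-scoped ufw rules from the forked-daapd debug log.

# latest_raop_port KIND LOGFILE -> most recent "raop: KIND IPv4 port: N" value
latest_raop_port() {
    sed -n "s/.*raop: $1 IPv4 port: \([0-9]\{1,5\}\)[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# raop_ufw_rules LOGFILE SPEAKER_ADDR... -> one "ufw allow" line per speaker and port
raop_ufw_rules() {
    log=$1; shift
    for kind in Timing Control; do
        port=$(latest_raop_port "$kind" "$log")
        # No rule at all if the log has no usable port for this kind.
        if [ -z "$port" ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "no valid $kind port in $log" >&2
            return 1
        fi
        for ip in "$@"; do
            # Only address characters may reach the printed command line.
            case $ip in
                ''|*[!0-9a-fA-F.:/]*) echo "bad address: $ip" >&2; return 1 ;;
            esac
            echo "ufw allow proto udp from $ip to any port $port comment 'forked-daapd raop $kind'"
        done
    done
}

# Constructed sample: the first two lines are the ones quoted in the thread,
# the last two are made up to show the ports differing on a later start.
write_sample_log() {
    cat > "$1" <<'EOF'
[2015-01-30 10:46:29] [DEBUG] raop: Timing IPv4 port: 57207
[2015-01-30 10:46:29] [DEBUG] raop: Control IPv4 port: 59973
[2015-02-02 08:12:03] [DEBUG] raop: Timing IPv4 port: 41822
[2015-02-02 08:12:03] [DEBUG] raop: Control IPv4 port: 50311
EOF
}

# Demo run against the sample log, using the speaker address from the
# avahi-browse output above.
demo_log=$(mktemp)
write_sample_log "$demo_log"
raop_ufw_rules "$demo_log" 192.168.178.93
rm -f "$demo_log"
```

Because the ports are not static, rules generated this way have to be regenerated (and the old ones deleted) whenever the logged ports change.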