Re: can the UPnP media port for gupnp-av-cp be configured?



On Mon, Mar 11, 2013 at 5:49 AM, Jussi Kukkonen <jussi kukkonen intel com> wrote:
On 10 March 2013 23:17, Jim Snyder <jhsnyder gmail com> wrote:
> Many UPnP devices generate port numbers dynamically on startup.
>
> E.g. rygel's config file defaults the media / SOAP / ??? port to dynamic
> assignment.
>
> Conventionally UPnP devices seem to use either dynamic ports or a trivnet
> port (8200-8202) for media transfers.
>
> gupnp-av-cp uses dynamic ports by default.
>
> 1) is it possible to configure the gupnp-av-cp dynamic port to a one-time
> static assignment (er, 8200)? ...
>
> ... and if so, how?
>
> I've poked around online for documentation, done the Google thing, and
> grepped through system files ... no joy.

It's not possible without modifying gupnp-av-cp source.
    context_manager = gupnp_context_manager_new (NULL, 0);
The second argument is port, '0' meaning "I don't care, any port is
fine". In the end this is handled by libsoup, which will choose a
random unused non-system port.

Roger that, thanks.
> 2) Whether or not gupnp-av-cp can be so configured, how does a network admin
> configure static firewalls on nodes on a local LAN (no router traversal /
> IGD) to deal with dynamic ports?
> I see that Mac OS X relies on blocking application sockets rather than port
> blocking, so no problem for Macs.
>
> Dunno about Windows.
>
> Linux, however ...
>
> ... I've been looking at packet traces from UPnP sessions with minidlna,
> rygel-as-UPnP renderers, gupnp-av-cp, etc, and I don't see how conventional
> iptables port-based firewalls can be compatible with UPnP dynamic ports.
>
> Seems like a local node would have to probe the remote node (eg SSDP or
> WSDP) to discover the media port, then inject local firewall rules to
> open/close ports ...
>
> ... which is putting a lot of trust in the local discovery agent.
>
> Not sure what I'm missing here... appreciate any explanations / advice.

I don't think you're missing anything. If you block all ports on the
local network, then software that requires dynamic ports is ... not
going to work.

I don't really have good advice for you but I have to wonder, is
blocking (non-system) ports really beneficial at that level?
Basically, how is 8080 (defined in a config file somewhere, creating
possibility of conflict) safer than random port?

- Jussi

Thanks very much for your response.

I see two possible answers to your last question. Whether my answers have merit is an entirely different matter. [shrugs] Depends on the network environment, I guess.

First, (as you know ..) when one is debugging an unknown system, it is often convenient (and sometimes necessary) to minimize the number of system variables. Setting the port number to a fixed value reduces the number of variables by one ... in this case, I would like to use gupnp-av-cp to probe the rest of the network while I monitor traffic on UPnP ports. If the port number changes every time I restart the system, I have to change my tcpdump/wireshark filters, change a configuration parameter in my analysis scripts, blah blah blah.

Not a huge deal, I grant you ... but I can't streamline troubleshooting data collection and analysis, and every little bit helps. It's analogous to the difference between an overly cluttered UI and a clean UI. You can get the job done with either, but the latter is more efficient than the former.

Same sort of thing, I easily identified UPnP "ports in play" by looking at firewall packet drops... put differently, I quickly learned something about the protocols because I had all unused-by-me ports blocked and logging packet drops.

Second, specifically about "safe", a similar point applies. If one of my users picks up malware, and that malware probes my network, logs of packet drops will give me an early indication that something unusual is happening. To use your example, if I know that there should be no traffic on port 8080, then seeing one of my network nodes probed on port 8080 is a clue.

As I'm sure you know, just about every active network security tool warns users to get admin acquiescence before running probes of the network... because paranoid admins like me are watching. :-)

Again, dynamic ports don't make that sort of analysis impossible, but they do add noise to the picture and thereby complicate the analysis.

I think I see why UPnP tends to use dynamic ports - guessing that multiple servers may be running on any given (multi-user) machine, correct? So either you multiplex via ports or you multiplex inside the server/tool/whatever. I had exactly this problem when I accidentally kicked off a second instance of minidlna on the content server, both instances running on port 8200 - but I'd still like to be able to set the ports to a static value for troubleshooting.

My two Euros ...

Jim
--
Jim Snyder
jhsnyder.com, LLC
jhs jhsnyder com ( backup e-mail: jhsnyder gmail com)
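The "watch the firewall's packet-drop log for ports that should be quiet" approach discussed in this thread, as an added example that is not part of the original exchange and not code from gupnp, rygel or minidlna. It parses iptables LOG-target lines (the KEY=VALUE fields the kernel emits), treats only SSDP on 1900/udp and minidlna's default 8200/tcp as expected (an assumption made for the example), and reports sources that hit several unexpected ports, which is the sweep pattern Jim describes, while a single drop on a high port from a known client shows the noise that dynamic UPnP ports add. The log lines are constructed for the example, not real captures.

```python
import re
from collections import defaultdict

# iptables LOG target writes KEY=VALUE fields; pull only the ones we need.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# Ports this LAN is expected to use for UPnP/DLNA (assumption for the example):
# 1900/udp is SSDP discovery, 8200/tcp is minidlna's default media port.
EXPECTED_PORTS = {("UDP", 1900), ("TCP", 8200)}

# Constructed sample of iptables drop logs (hypothetical hosts, not real captures).
SAMPLE_LOG = """\
Mar 11 09:01:02 media kernel: DROP: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=UDP SPT=49152 DPT=1900
Mar 11 09:01:03 media kernel: DROP: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=51234 DPT=8200
Mar 11 09:01:05 media kernel: DROP: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP SPT=40001 DPT=8080
Mar 11 09:01:05 media kernel: DROP: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP SPT=40002 DPT=8081
Mar 11 09:01:06 media kernel: DROP: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP SPT=40003 DPT=8443
Mar 11 09:01:06 media kernel: DROP: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP SPT=40004 DPT=9000
Mar 11 09:01:07 media kernel: DROP: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=51235 DPT=49210
this line is not an iptables record and is skipped
"""


def parse_drop(line):
    """Return (src, proto, dport) for an iptables LOG line, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if not all(key in fields for key in ("SRC", "PROTO", "DPT")):
        return None
    return fields["SRC"], fields["PROTO"], int(fields["DPT"])


def unexpected_drops(log_text, expected=EXPECTED_PORTS):
    """Group dropped packets whose (proto, dport) is outside the expected set, by source address."""
    by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_drop(line)
        if rec is None:
            continue
        src, proto, dport = rec
        if (proto, dport) not in expected:
            by_src[src].add((proto, dport))
    return dict(by_src)


def probing_sources(log_text, min_ports=3):
    """Sources that hit at least `min_ports` distinct unexpected ports: a sweep, not a stray connection."""
    return sorted(src for src, ports in unexpected_drops(log_text).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    for src, ports in sorted(unexpected_drops(SAMPLE_LOG).items()):
        print(src, sorted(ports))
    print("probing:", probing_sources(SAMPLE_LOG))
```

The threshold in probing_sources is what separates the two cases in the sample: 192.168.1.77 touching four quiet ports in two seconds stands out, whereas the lone drop on 49210/tcp from 192.168.1.50 is exactly the kind of dynamic-port noise this thread complains about, and without a fixed media port it cannot be told apart from a probe by port number alone.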

