Re: GUPnP and Zones
- From: Mark Ryan <mark d ryan linux intel com>
- To: gupnp-list gnome org
- Subject: Re: GUPnP and Zones
- Date: Tue, 07 May 2013 15:07:49 +0200
Hi All,
So, are we talking about managing 'white list', or real support of zones
provided by the Network Manager?
If the goal is to support the Network Manager zones new feature, we
should work with the Network Manager team to ensure DLNA rules are
correctly managed in the various zones.
> But we have nothing to do in GUPnP/Rygel/dLeyna as it's NM that will
> allow or deny networks.
>
> If your proposal of 'white list' is in addition to Network Zone, then
> this is a lame solution, as your solution will only works on networks
> already granted by NM.
>
> You won't be able to enable a network, even if you add it in the white
> list, if NM has already blocked it.
> We will only be able to block a network previously granted by NM.
Your concern about adding zone support to a whitelist in GUPnP seems to
be that the setting might be redundant as it will be overridden by any
rules in the firewall. This is of course true in theory but I wonder if
it will be in practice. If we take Ubuntu as an example, AFAIK, the
default Ubuntu firewall on 12.10 doesn't block anything. I think we
need to now see what happens in Ubuntu 13.04 which supports firewalld
and hence has proper zone support. Assuming that it doesn't block UPnP
either by default in any zones, then I think we have a good case for
adding zone support to GUPnP, rather than trying to configure firewall
rules for every distro.
Ludo, it looks like you were right.
I downloaded Ubuntu 13.04, installed firewalld and played with it a
little bit. Here is a summary of my findings.
UPnP only works correctly in one firewalld Zone (trusted). Firewalld
defines a UPnP service that can be enabled or disabled on a zone by zone
basis. However, this service does not really behave as expected, at
least in my experience.
Firstly, outgoing UDP multicast seems to be blocked by the firewall in
all zones other than 'trusted' even if the UPnP service is enabled. I
can't work out why this is the case or how to enable it via firewalld.
This means that UPnP control points cannot search for UPnP devices in
zones other than trusted. If the UPnP service is enabled in firewalld
for your zone, the devices will be discovered by the control points when
the devices send ssdp:alive messages, but control points cannot initiate
discovery outside of the trusted zone.
The UPnP service rule only enables UDP on port 1900. This allows
control points to receive alive and bye messages but it does not allow
them to receive notifications from UPnP devices such as DMRs. For
example, in any zone other than trusted, a DMC cannot receive a
notification from a DMR when the status of the DMR changes, e.g., it's
volume or its play state changes. As UPnP control points do not use
fixed port numbers for receiving event messages, I don't think it will
be possible to modify firewalld's UPnP service file in such a way that
it will allow UPnP control points to receive notifications. Well,
actually, it would be possible but you would need to enable tcp on all
ports.
UPnP applications such as Rygel and dLeyna-renderer which run http
servers on random ports would also run into the same problem.
So to summarise, UPnP only works properly in one firewalld zone,
'trusted'. I believe the only way to make it work in other zones would
be for GUPnP and its clients to dynamically modify the firewall's rules,
and I'm not really sure we want to do that, i.e, add a firewall
abstraction into GUPnP. This sounds like a lot of work to me.
Regards,
Mark
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
