Re: GUPnP and Zones

From: Ludovic Ferrandis <ludovic ferrandis linux intel com>
To: Jens Georg <mail jensge org>
Cc: gupnp-list gnome org
Subject: Re: GUPnP and Zones
Date: Tue, 07 May 2013 17:22:11 +0200

Hi,

On 07/05/2013 15:24, Jens Georg wrote:

On Tue, 2013-05-07 at 15:07 +0200, Mark Ryan wrote:

The UPnP service rule only enables UDP on port 1900.  This allows
control points to receive alive and bye messages but it does not allow
them to receive notifications from UPnP devices such as DMRs.  For
example, in any zone other than trusted, a DMC cannot receive a
notification from a DMR when the status of the DMR changes, e.g., it's
volume or its play state changes.  As UPnP control points do not use
fixed port numbers for receiving event messages, I don't think it will
be possible to modify firewalld's UPnP service file in such a way that
it will allow UPnP control points to receive notifications.  Well,
actually, it would be possible but you would need to enable tcp on all
ports.


And will break for UDA 1.1 with its optional non-static SSDP ports. I
really thing the only way to do "firewalled UPnP" is to have an SSDP
conntrack helper module.


_______________________________________________
gupnp-list mailing list
gupnp-list gnome org
https://mail.gnome.org/mailman/listinfo/gupnp-list

I discuss this afternoon with an antique sys admin :) about firewall,rules, etc.


We all agree that we should not try to update the firewall rules.

But he gives me, probably the best solution to our problem.

As you mention earlier, it's not only the SSDP port that we shouldmonitor, but also the dynamic port range used with libsoup server. Andthat's almost impossible, even in 'query' mode.

Usually, applications don't care about firewall. They run, or they don'trun.


The solution we found is probably the simplest and the less intrusive:
1 - Register to firewalld to be notified when a zone is changed
2 - Launch a rescan on the notification.

The main advantage is that we don't care about which port is open ornot, in input or output, ...The rescan will notify immediately the applications to remove devices ifcommunications are blocked by the firewall.

And if the user switch back to an 'open zone', the refresh will makedevice available again.


Ludo

--
Ludovic Ferrandis
Open Source Technology Center
Intel Corporation

References:
- Re: GUPnP and Zones
  - From: Mark Ryan
- Re: GUPnP and Zones
  - From: Jens Georg

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]