How to disable completly firewall in Nethserver NG 7 (Madsonic uPnP/DLNA)

Nice one!

I tried combining our “get the ports out of madsonic” lines to make it as short as possible.

netstat -tlpn | grep $(cat /var/run/madsonic.pid) | cut -d "." -f 4 | cut -d ":" -f 2

New version for ns6 & ns7: find the DLNA port and open it in the firewall.


Is it possible that UPnP/DLNA also opens a random port in UDP?

I tried the connection with HiFiCast (Android app) and it doesn’t connect or has issues until I add the random UDP port associated with the madsonic pid:

config set fw_madsonic service status enabled TCPPorts 4040,$(echo $(netstat -tlpn | grep $(cat /var/run/madsonic.pid) | cut -d "." -f 4 | cut -d ":" -f 2)) UDPPorts 1900,$(echo $(netstat -ulpn | grep $(cat /var/run/madsonic.pid) | cut -d "." -f 4 | cut -d ":" -f 2)) access green
signal-event firewall-adjust
signal-event runlevel-adjust

Then, is there a way to re-run the script every time the madsonic service is started/restarted?


Well… I made a mistake, probably I forgot to add the port UDPPort 1900.

Can you connect if you only add the UDP port 1900?

I added a script which starts when you use nethserver-madsonic-update; it probes whether the port is open.

Yes, I tried with 1900/UDP only but I had problems, and… now I have problems again with the random TCP/UDP ports opened…
Madsonic becomes unavailable.
I tried with “shorewall clear” but madsonic UPnP/DLNA is still unavailable…
This thing drives me crazy :slight_smile:
If I restart the madsonic service, UPnP/DLNA becomes available again until… who knows…

Maybe there are problems with my version of Madsonic (8.3.9720 Premium).

I installed it following the instructions from the Madsonic site and not the Nethserver package…

I added a new option to my script to find and open the UDP ports (the random one and 1900).

released

I always have to “clear” shorewall if I want UPnP/DLNA to work correctly…

shorewall clear

I don’t know if it is a HiFiCast problem or something else.

Meanwhile HiFiCast has released a new android app version.
I will try it this evening.

I tested it now and it didn’t work as expected. I had to replace the space between the open UDP/TCP ports in the strings with a comma for it to work in the “config set” line. I don’t know why it originally worked with a space, but maybe it was just one port… and now there are two open ports.

These commands worked:

TCPPortDlna=$(echo $(netstat -tlpn | grep $(cat /var/run/madsonic.pid) | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b:[0-9]+" | sed 's/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}://g') | sed 's/ /,/g')
UDPPortDlna=$(echo $(netstat -ulpn | grep $(cat /var/run/madsonic.pid) | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b:[0-9]+" | sed 's/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}://g') | sed 's/ /,/g')
config set madsonic service TCPPorts 4040,$TCPPortDlna UDPPorts 1900,$UDPPortDlna access green status enabled
signal-event firewall-adjust

Another thing is that some properties like MaxMemory or webaccess are missing from the “config set” line of the “nethserver-madsonic-find-dlna-port” script.
You used “madsonic-dlna” as the service; on my test machine it’s just “madsonic”.


Fun, it works here at home, tested on ns7:

[root@ns7dev ~]# iptables -L |grep 44650
ACCEPT     udp  --  anywhere             anywhere             udp dpt:44650 /* madsonic-dlna */

[root@ns7dev ~]# iptables -L |grep 41424
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:41424 /* madsonic-dlna */

I did not want to mix the static configuration with the random one; the end user could want to change the TCP 4040 port for security reasons.

TCPPortDlna=$(echo $(netstat -tlpn | grep $(cat /var/run/madsonic.pid) | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b:[0-9]+" |sed 's/[0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}://g') | sed 's/ /,/')
UDPPortDlna=$(echo $(netstat -ulpn | grep $(cat /var/run/madsonic.pid) | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b:[0-9]+" |sed 's/[0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}://g') | sed 's/ /,/')

Instead of | sed 's/ /,/'
why not simply | sed 's/ //' ?

After you ran your script, you can see the result with the command

config show madsonic

Thanks for explaining. I’ll give it another try asap…
Maybe the problem is my LG TV which I used as DLNA client.

Because if there are more ports, they have to be separated with a comma: “UDPPorts 3355,6622,6345…”


I hope not, because I did a validation of the random port, and I’m sure it won’t succeed. What we do is really a trick and not much of a workaround, because the madsonic/subsonic developers have never wanted to answer an NFR for ages.

I don’t want to break the firewall

There’s a typo in the port check:

if ! [[ $TCPPortDlna =~ $re ]] || [[ $UDPPortDlna -gt 65536 ]]; then

I put “echo $TCPPortDlna” into your script to check the TCP ports, and there are two TCP ports opened by madsonic; your TCP port check fails because you assume just one TCP port. Instead we have to enumerate the ports and check them, but I am lazy and just commented out the port check for testing.

[root@testserver ~]# /etc/e-smith/events/actions/nethserver-madsonic-find-dlna-port
33547 37284
Madsonic DLNA error: Not a TCP Port

With your script and the two ports it looks like this, because with two ports you’ll need one comma in between. That’s the reason for the “| sed 's/ /,/'”. If you don’t do it, “config set” thinks it’s another param:

[root@testserver ~]# config show madsonic-dlna
madsonic-dlna=service
    1900,57670=51580
    37284=UDPPorts
    TCPPort=33547
    access=green
    status=enabled

And there was an “s” missing here because you expected just one TCPPort:

/usr/sbin/e-smith/config set madsonic-dlna service TCPPort s $TCPPortDlna UDPPorts 1900,$UDPPortDlna

This is working for me:

#!/usr/bin/bash
#I need to do a hack to retrieve the dlna port
#because I don't want to activate the upnp service in shorewall
#the dlna port change randomly at each boot, it is not simple for me :)

#test if madsonic has opened the ports (give up after 30 seconds)
#match " <pid>/" so that a port number containing the pid digits is not taken for the process
count=0
while :
do
    Test=$(netstat -tlpn | grep "[[:space:]]$(cat /var/run/madsonic.pid)/")
    if [ "$Test" ];then
        break
    fi
    if [ "$count" == 30 ]; then
       echo "we cannot wait more for madsonic"
       exit 1
    fi
    sleep 1
    let "count++"
done

#other method, could be interesting also
#TCPPortDlna=$(echo $(netstat -tlpn |
#grep $(netstat -tlpn | grep 4040 |
#cut -c 80-84 | awk '{$1=$1};1') |
#cut -d "." -f 4 | cut -d ":" -f 2))

#keep only the sockets bound to an IPv4 address (one random DLNA port per green network),
#strip the address and join the ports with commas, as "config set" expects
TCPPortDlna=$(echo $(netstat -tlpn | grep "[[:space:]]$(cat /var/run/madsonic.pid)/" | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b:[0-9]+" | sed 's/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}://g') | sed 's/ /,/g')

UDPPortDlna=$(echo $(netstat -ulpn | grep "[[:space:]]$(cat /var/run/madsonic.pid)/" | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b:[0-9]+" | sed 's/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}://g') | sed 's/ /,/g')

#make a regex to test if the port is right
#(commented out: the checks below expect a single port and fail on a comma separated list)
#re='^[0-9]+$'

#if ! [[ $TCPPortDlna =~ $re ]] || [[ $TCPPortDlna -gt 65536 ]]; then
#   echo "Madsonic DLNA error: Not a TCP Port"
#   exit 1
#fi
#if ! [[ $UDPPortDlna =~ $re ]] || [[ $UDPPortDlna -gt 65536 ]]; then
#   echo "Madsonic DLNA error: Not a UDP Port"
#   exit 1
#fi

/usr/sbin/e-smith/config set madsonic-dlna service TCPPorts $TCPPortDlna UDPPorts 1900,$UDPPortDlna access green status enabled
/usr/sbin/e-smith/signal-event firewall-adjust

Now madsonic-dlna looks better:

[root@testserver ~]# config show madsonic-dlna
madsonic-dlna=service
    TCPPorts=37996,41147
    UDPPorts=1900,52437,58299
    access=green
    status=enabled
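The two open points in this post are the space-to-comma join and the port check that only handles one port. Here is an added example (not the thread’s script, not the nethserver-madsonic package) that extracts every per-interface port of the madsonic pid from netstat-style text, validates each entry of the comma list, and only then builds the “config set” line; the netstat lines and the pid 8619 are a constructed sample mirroring the output posted further down in this thread.

```shell
#!/usr/bin/env bash
# Added example, not the script from the thread. Constructed sample of
# `netstat -tlpn | grep <pid>` output (two green networks -> two random ports).
SAMPLE_NETSTAT='tcp6       0      0 :::45235                :::*                    LISTEN      8619/java
tcp6       0      0 192.168.1.185:35123     :::*                    LISTEN      8619/java
tcp6       0      0 192.168.225.129:38871   :::*                    LISTEN      8619/java
tcp6       0      0 :::9412                 :::*                    LISTEN      8619/java
tcp6       0      0 :::4040                 :::*                    LISTEN      8619/java'

# dlna_ports <pid>: read netstat text on stdin and print the ports bound to a
# specific IPv4 address (the DLNA listeners), comma separated, e.g. "35123,38871".
# The ":::PORT" wildcard sockets (4040, 9412, ...) are skipped on purpose, and
# the pid is matched as " <pid>/" so a port containing the pid digits is ignored.
dlna_ports() {
  grep "[[:space:]]$1/" \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]+' \
    | sed 's/^.*://' \
    | sort -n | paste -sd, -
}

# valid_port_list "a,b,c": succeed only if every item is a number in 1..65535.
# Unlike a single-port regex, this enumerates the list, so "1900,52437,58299"
# passes while "1900,70000", "35123 38871" (no comma) and "" fail.
valid_port_list() {
  [ -n "$1" ] || return 1
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r p; do
    case "$p" in ''|*[!0-9]*) exit 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || exit 1
  done
}

# build_config_cmd <pid>: print the "config set" line for the madsonic-dlna
# service, or fail with the thread's error message if the port list is not valid.
build_config_cmd() {
  local tcp
  tcp=$(printf '%s\n' "$SAMPLE_NETSTAT" | dlna_ports "$1")
  valid_port_list "$tcp" || { echo "Madsonic DLNA error: Not a TCP Port" >&2; return 1; }
  echo "config set madsonic-dlna service TCPPorts $tcp access green status enabled"
}
```

Piping the real `netstat -tlpn` (or `-ulpn` for the UDP list) into dlna_ports instead of the sample gives the live values; the validation rejects an empty list, so a madsonic that has not opened its sockets yet is reported rather than written into the firewall configuration.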

Please, can you return the content of this command?

That’s the problem! I have two green networks! One random port per network…

[root@testserver ~]# netstat -tlpn | grep $(cat /var/run/madsonic.pid)
tcp6       0      0 :::45235                :::*                    LISTEN      8619/java
tcp6       0      0 192.168.1.185:35123     :::*                    LISTEN      8619/java
tcp6       0      0 192.168.225.129:38871   :::*                    LISTEN      8619/java
tcp6       0      0 :::9412                 :::*                    LISTEN      8619/java
tcp6       0      0 :::4040                 :::*                    LISTEN      8619/java

There’s another thing:

[root@testserver ~]# config show madsonic
madsonic=service
    MaxMemory=512
    Name=madsonic
    TCPPort=4040
    status=enabled
    webaccess=private
[root@testserver ~]# config show madsonic-dlna
madsonic-dlna=service
    TCPPorts=35123,38871
    UDPPorts=1900,33304,41955
    access=green
    status=enabled
[root@testserver ~]# iptables -L | grep 35123
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:35123 /* madsonic-dlna */
[root@testserver ~]# iptables -L | grep 4040
[root@testserver ~]#

No open port 4040 in shorewall, but I don’t know why, everything seems to be correct.


4040 is restricted to localhost; it is not opened.

Do we really need the 1900 UDP?

I think so, it’s mentioned everywhere:


Nice shot for DuckDuckGo; I’m a Google addict, I cannot live without it.


Me too, but I try to change in slooow steps.
