MinimServer Forum

Full Version: Minimwatch and Firewall
Delighted that after some fumbling on my part because cookie and script blockers had hidden the licence installation tag all is well with minimserver2 and I have also upgraded my minimwatch. Unfortunately this icon in my panel is permanently grey (always has been) unless I turn off my firewall.
It is time I mastered exactly what I should allow to get minimwatch to work through the firewall and for that I seek help please. I am running Linux openSUSE Tumbleweed with KDE desktop. The firewall settings include no less than 10 zones which are:-
block
dmz
drop
external
home
internal
nm-shared
public
trusted
work

All of these can be configured for services and ports and I haven't a clue which zones, services and ports to open to allow minimserver and upnp to work without opening up everything to the wide world, which upnp is wont to do.

If there is somebody out there who can help I would be most grateful.
Budge.
(24-09-2020 16:55)Budgie Wrote: Delighted that after some fumbling on my part because cookie and script blockers had hidden the licence installation tag all is well with minimserver2 and I have also upgraded my minimwatch. Unfortunately this icon in my panel is permanently grey (always has been) unless I turn off my firewall.
It is time I mastered exactly what I should allow to get minimwatch to work through the firewall and for that I seek help please. I am running Linux openSUSE Tumbleweed with KDE desktop. The firewall settings include no less than 10 zones which are:-
block
dmz
drop
external
home
internal
nm-shared
public
trusted
work

All of these can be configured for services and ports and I haven't a clue which zones, services and ports to open to allow minimserver and upnp to work without opening up everything to the wide world, which upnp is wont to do.

If there is somebody out there who can help I would be most grateful.
Budge.

Hi Simon,
Never able to get this to work earlier, it has now become more critical as I am relocating away from my servers.
I have tried including upnp-client in my firewall allowed protocols and have enabled ports 1900, 9790 and 9791 on both TCP and UDP on every interface from external to trusted but still cannot get minimwatch to work unless I disable the firewall. On the same machine using windoze operating system minimwatch is working.

Here is a clip from the minimwatch log file:-

Code:
Retrying monitor subscription for server at 192.168.169.130:9791 (attempt 1)
Retrying monitor subscription for server at 192.168.169.130:9791 (attempt 2)
Retrying monitor subscription for server at 192.168.169.130:9791 (attempt 3)
Retrying monitor subscription for server at 192.168.169.130:9791 (attempt 4)

I confess I am not clear which direction this traffic is going but I assume from the laptop minimwatch trying to connect to the server.

Whatever is happening it is not working, and a look at the packets being logged by the firewall log suggests dynamic ports are somehow involved.
Can anybody please help?
Budgie
This message is produced when a firewall is preventing MinimServer from establishing a connection/subscription with MinimWatch.

MinimWatch exposes a dynamically assigned port number for inbound connections and sends an outbound "subscribe" message to MinimServer requesting an inbound connection/subscription from MinimServer on that dynamic port. It is not possible to control or predict which port number will be used for the inbound connection.

After MinimWatch has sent the outbound "subscribe" message to MinimServer, it waits 4 seconds for the inbound connection/subscription. If the inbound connection/subscription isn't received in that time (usually because of a blocking firewall), MinimWatch prints the message, cancels the subscription and tries again (forever).
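The subscribe-then-call-back exchange Simon describes above, as an added example that is not MinimServer or MinimWatch code. The control point (MinimWatch's role) binds an OS-assigned port, sends a SUBSCRIBE carrying that port in a CALLBACK URL, and waits for the server to open an inbound connection to it; the server (MinimServer's role) answers the SUBSCRIBE and connects back with a NOTIFY. A `firewall_blocks_inbound` flag stands in for a firewall dropping that inbound leg, which produces the same "Retrying ... (attempt N)" behaviour as the log clip. Message formats, the 4-second wait, hostnames and function names are assumptions made for this demo, and everything runs on loopback.

```python
"""Added example: a minimal model of the UPnP-style event subscription
described in the post above. Not MinimServer/MinimWatch code; message formats,
names and the simulated firewall are constructed for the demonstration."""
import socket
import threading

# Seconds the control point waits for the inbound connection (from the post).
SUBSCRIBE_WAIT = 4.0


def parse_callback(request: bytes):
    """Return (host, port) from the CALLBACK header of a SUBSCRIBE request."""
    for line in request.decode("ascii", "replace").split("\r\n"):
        if line.upper().startswith("CALLBACK:"):
            url = line.split(":", 1)[1].strip().strip("<>")
            hostport = url.split("://", 1)[1].split("/", 1)[0]
            host, port = hostport.rsplit(":", 1)
            return host, int(port)
    raise ValueError("SUBSCRIBE request carries no CALLBACK header")


def serve(listener, firewall_blocks_inbound, stop):
    """Server role: answer each SUBSCRIBE, then open a new connection to the
    callback port with a NOTIFY, unless the simulated firewall drops that leg."""
    listener.settimeout(0.2)            # poll so the thread can notice 'stop'
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        except OSError:
            return
        with conn:
            conn.settimeout(2)
            host, port = parse_callback(conn.recv(4096))
            conn.sendall(b"HTTP/1.1 200 OK\r\nSID: uuid:demo-sid\r\n\r\n")
        if firewall_blocks_inbound:
            continue                    # NOTIFY never reaches the dynamic port
        try:
            with socket.create_connection((host, port), timeout=2) as cb:
                cb.sendall(b"NOTIFY /cb HTTP/1.1\r\nSID: uuid:demo-sid\r\n\r\n")
        except OSError:
            pass                        # control point may already have given up


def subscribe(server_addr, wait=SUBSCRIBE_WAIT, max_attempts=3):
    """Control-point role: bind an ephemeral port, send SUBSCRIBE, wait for the
    server's inbound NOTIFY, retry on timeout. Returns (ok, log lines)."""
    shost, sport = server_addr
    log = []
    for attempt in range(1, max_attempts + 1):
        cb = socket.socket()
        cb.bind(("127.0.0.1", 0))       # port 0: the kernel picks the port
        cb.listen(1)
        cb.settimeout(wait)
        cb_port = cb.getsockname()[1]   # unpredictable, so it cannot be pre-allowed
        req = (f"SUBSCRIBE /event HTTP/1.1\r\nHOST: {shost}:{sport}\r\n"
               f"CALLBACK: <http://127.0.0.1:{cb_port}/cb>\r\n"
               f"NT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n").encode()
        with socket.create_connection(server_addr, timeout=2) as s:
            s.sendall(req)
            s.recv(4096)                # 200 OK from the server
        try:
            conn, _ = cb.accept()       # the inbound leg a firewall must permit
            with conn:
                conn.recv(4096)         # the NOTIFY
        except socket.timeout:
            log.append(f"Retrying monitor subscription for server at "
                       f"{shost}:{sport} (attempt {attempt})")
            continue
        finally:
            cb.close()
        log.append(f"Subscribed: NOTIFY received on dynamic port {cb_port}")
        return True, log
    return False, log


def run_subscription(firewall_blocks_inbound, wait=SUBSCRIBE_WAIT, max_attempts=3):
    """Run both roles on loopback and return the control point's (ok, log)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    stop = threading.Event()
    t = threading.Thread(target=serve, args=(listener, firewall_blocks_inbound, stop),
                         daemon=True)
    t.start()
    try:
        return subscribe(listener.getsockname(), wait, max_attempts)
    finally:
        stop.set()
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    ok, lines = run_subscription(firewall_blocks_inbound=True, wait=1.0, max_attempts=2)
    print("\n".join(lines), "\nblocked ->", ok)
    ok, lines = run_subscription(firewall_blocks_inbound=False)
    print("\n".join(lines), "\nopen    ->", ok)
```

The defender-relevant point the model makes visible is that the blocked leg is a fresh inbound TCP connection from the server to a port chosen at bind time, so allowing 9790/9791 (the server's ports) does nothing for it; a rule scoped to the server's source address, or a connection-tracking helper that relates the callback to the subscription, is what a stateful firewall needs in order to accept it without exposing every port.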
(10-03-2021 11:17)simoncn Wrote: This message is produced when a firewall is preventing MinimServer from establishing a connection/subscription with MinimWatch.

MinimWatch exposes a dynamically assigned port number for inbound connections and sends an outbound "subscribe" message to MinimServer requesting an inbound connection/subscription from MinimServer on that dynamic port. It is not possible to control or predict which port number will be used for the inbound connection.

After MinimWatch has sent the outbound "subscribe" message to MinimServer, it waits 4 seconds for the inbound connection/subscription. If the inbound connection/subscription isn't received in that time (usually because of a blocking firewall), MinimWatch prints the message, cancels the subscription and tries again (forever).

Hi Simon,
I understand your summary fully now and it explains the arbitrary dynamic port assignment I have observed in my firewall log. The problem is that the way the firewall works now in my openSUSE Tumbleweed system, which requires me to go into iptables and nftables, needs a better understanding than mine of how this problem should be solved. I have been getting help from the OS forum but have not cracked it yet.
I doubt many of your clients will be troubled by this but I will share it when I have the solution just in case, as security is the hot topic of the day!!! Meanwhile many thanks for your reply.
Regards,
Budge
So am I correct in understanding that forwarding ports 9790 and 9791 isn't sufficient to get a MinimWatch connection? There is another randomly assigned port that must be open as well (and no way to predefine what that port should be)?

This is important for getting a working Docker installation, as all necessary ports need to be defined in the Docker configuration in order to communicate with the host environment in bridged networking mode. If an extra random port is required we will need to set up Docker to only use host networking (which isn't optimal, but is an option which seems to work).
My experience with using MinimServer and Docker is that host networking is required.
(16-03-2021 01:23)dukdukgoos Wrote: So am I correct in understanding that forwarding ports 9790 and 9791 isn't sufficient to get a MinimWatch connection? There is another randomly assigned port that must be open as well (and no way to predefine what that port should be)?

This is important for getting a working Docker installation, as all necessary ports need to be defined in the Docker configuration in order to communicate with the host environment in bridged networking mode. If an extra random port is required we will need to set up Docker to only use host networking (which isn't optimal, but is an option which seems to work).
I cannot comment on your Docker question but in order to address my minimwatch upnp problem it was necessary to use a netfilter ssdp helper which is in conntrack-tools. You could look there first. I cannot take the credit for this as all the difficult stuff was done by arvidjaar on the openSUSE TW Networking forum.
Hope this helps.