Uncomplicated Firewall (UFW) and UPNP


You seem to be close to the answer. The easiest thing to do is to temporarily turn off the firewall, let your media boxes run for a couple of minutes, and then check the output from lsof:

lsof -i :1025-9999 +c 15

The -i lists "files" corresponding to an open port; use -i4 to restrict to IPv4 only. The number list restricts this to a list of port numbers - miss it off if you want everything. The +c bit just gives you more meaningful command names associated with the ports.

netstat -lptu --numeric-ports

This lists all of the active ports along with their protocol and source/target address.

With this information, you can build a script to set ufw correctly. Here is my script by way of example:

#!/bin/sh

# Set up local firewall using ufw (default install on Ubuntu)
# Must be run as root (or via sudo): ufw rewrites the iptables rules
# @see /etc/services for port names


# server's IP address (hard-coded here; change it to match your host)
SERVERIP=192.168.1.181

# Local Network
LAN="192.168.0.0/255.255.0.0"

# disable firewall
ufw disable

# reset all firewall rules (--force skips the interactive confirmation
# prompt so the script runs unattended)
ufw --force reset

# set default rules: deny all incoming traffic, allow all outgoing traffic
#ufw default allow incoming
ufw default deny incoming
ufw default allow outgoing

# open port for SSH
ufw allow OpenSSH

# open port for Webmin
ufw allow webmin

# open ports for Samba file sharing
ufw allow from $LAN to   $SERVERIP app Samba
ufw allow to   $LAN from $SERVERIP app Samba

#ufw allow from $LAN to $SERVERIP 137/udp # NetBIOS Name Service
#ufw allow from $LAN to $SERVERIP 138/udp # NetBIOS Datagram Service
#ufw allow from $LAN to $SERVERIP 139/tcp # NetBIOS Session Service
#ufw allow from $LAN to $SERVERIP 445/tcp # Microsoft Directory Service

# open ports for Transmission-Daemon
ufw allow 9091
ufw allow 20500:20599/tcp
ufw allow 20500:20599/udp

# Mediatomb
## upnp service discovery
ufw allow 1900/udp
## Mediatomb management web i/f
ufw allow 49152

# Plex Media Server
## Manage
ufw allow 32400

# open port for MySQL
ufw allow proto tcp from $LAN to any port 3306

# open ports for web services
ufw allow 80
ufw allow 443
ufw allow 8000:9999/tcp
ufw allow 8000:9999/udp

# Deny FTP
ufw deny 21/tcp

# Usermin allow (Webmin itself is already allowed above)
ufw allow 20000

# open port for network time protocol (ntpd)
ufw allow ntp

# Allow Firefly (DAAP)
ufw allow 3689

# enable firewall (--force skips the "may disrupt existing ssh connections" prompt)
ufw --force enable

# list all firewall rules
ufw status verbose

You should be able to see from the Mediatomb section that UPnP is working on the standard port 1900 over UDP (not TCP) and is open in both directions; this is the main port for you. But you can also see that there are numerous other ports required for specific services.
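The answer suggests turning the lsof/netstat listener list into a ufw script. The script below is an added example (not Julian Knight's script above, nor anything shipped with ufw): it parses the output of netstat -lptu --numeric-ports and emits one ufw rule per listening socket, scoped to the LAN rather than opened to Anywhere, which is the main exposure the hand-written script above carries for ports such as 1900/udp, 32400 and 8000:9999. The netstat lines embedded in it are constructed, and the LAN range 192.168.0.0/16 (the answer's 192.168.0.0/255.255.0.0 written in CIDR form) is an assumption to adjust for your own network.

```shell
#!/bin/sh
# Added example, not part of the original answer: generate LAN-scoped ufw rules
# from the listener table that `netstat -lptu --numeric-ports` prints.
# Assumption: the LAN range below (the answer's 192.168.0.0/255.255.0.0 in
# CIDR form); adjust it for your network.
LAN="192.168.0.0/16"

# Constructed sample of netstat output (not captured from a real host).
# Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address [State] PID/Program
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp        0      0 0.0.0.0:32400           0.0.0.0:*               LISTEN      1311/Plex Media Server
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      990/mysqld
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1245/mediatomb
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           602/avahi-daemon
'

# listeners: read netstat output on stdin and print one line per socket:
#   <proto> <bind-address> <port> <program name...>
# Header lines are dropped because their first field is not tcp/udp.
listeners() {
  awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        # program name is everything after the "PID/" prefix; it may contain spaces
        prog = "unknown"
        if (match($0, /[0-9]+\/[^ ].*$/)) {
          prog = substr($0, RSTART, RLENGTH)
          sub(/^[0-9]+\//, "", prog)
        }
        print $1, addr, port, prog
      }'
}

# gen_rules: turn listener lines into ufw commands. Loopback-only services
# get no rule (the firewall never sees that traffic), tcp6/udp6 collapse onto
# their IPv4 twin, and every rule is restricted to the LAN instead of Anywhere.
gen_rules() {
  listeners | awk -v lan="$LAN" '{
        proto = $1
        sub(/6$/, "", proto)
        if ($2 == "127.0.0.1" || $2 == "::1") next
        if (seen[proto ":" $3]++) next
        prog = $4
        for (i = 5; i <= NF; i++) prog = prog " " $i
        printf "ufw allow from %s to any port %s proto %s   # %s\n", lan, $3, proto, prog
      }'
}

# Stand-alone run over the constructed sample. On a real host replace the
# printf with:  netstat -lptu --numeric-ports | gen_rules
printf '%s' "$SAMPLE_NETSTAT" | gen_rules
```

Run it once with the firewall disabled while the media boxes are active, as the answer recommends, review the emitted lines (the program name is carried along as a trailing comment so a rule for an unexpected daemon stands out), and only then paste the ones you want into your firewall script; the mysqld line above shows why loopback-bound services are skipped rather than opened.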

Author: xercool

Updated on September 18, 2022

Comments

  • xercool, over 1 year

    Is it possible to configure UFW to allow UPNP between computers in the home network?

    Everything works if I turn off the firewall. I can see in syslog the firewall is blocking me. I've tried all sorts of tips out there like open 1900, 1901, 5353; these all seemed like random attempts. I know the issue is UPNP requests a random port and UFW is simply blocking it.

  • xercool, almost 12 years

    Thanks for this. It inspired me to build a script for my server to regenerate the firewall quickly. I was also able to solve the problem with UPNP, specifically with XBMC as the UPnP server.

  • Julian Knight, almost 12 years

    Happy I could help