
Is it possible to configure UFW to allow UPnP between computers in the home network?

Everything works if I turn off the firewall. I can see in syslog the firewall is blocking me. I've tried all sorts of tips out there like open 1900, 1901, 5353, these all seemed like random attempts. I know the issue is UPNP requests a random port and UFW is simply blocking it.

1 Answer

You seem to be close to the answer. The easiest thing to do is to temporarily turn off the firewall, let your media boxes run for a couple of minutes, and then check the output from lsof:

lsof -i :1025-9999 +c 15 

The -i lists "files" corresponding to an open port; use -i4 to restrict to IPv4 only. The number list restricts this to a range of port numbers - leave it off if you want everything. The +c bit just gives you more meaningful command names associated with the ports.

netstat -lptu --numeric-ports 

This lists all of the active ports along with their protocol and source/target address.

With this information, you can build a script to set ufw correctly. Here is my script by way of example:

#!/bin/sh
# Set up local firewall using ufw (default install on Ubuntu)
# @see /etc/services for port names

# server's IP address (hard-coded here)
SERVERIP=192.168.1.181
# Local Network
LAN="192.168.0.0/255.255.0.0"

# disable firewall
ufw disable
# reset all firewall rules (--force skips the interactive y/n prompt, which would stall a script)
ufw --force reset

# set default rules: deny all incoming traffic, allow all outgoing traffic
#ufw default allow incoming
ufw default deny incoming
ufw default allow outgoing

# open port for SSH
ufw allow OpenSSH

# open port for Webmin
ufw allow webmin

# open ports for Samba file sharing
ufw allow from $LAN to $SERVERIP app Samba
ufw allow to $LAN from $SERVERIP app Samba
#ufw allow from $LAN to $SERVERIP 137/udp   # NetBIOS Name Service
#ufw allow from $LAN to $SERVERIP 138/udp   # NetBIOS Datagram Service
#ufw allow from $LAN to $SERVERIP 139/tcp   # NetBIOS Session Service
#ufw allow from $LAN to $SERVERIP 445/tcp   # Microsoft Directory Service

# open ports for Transmission-Daemon
ufw allow 9091
ufw allow 20500:20599/tcp
ufw allow 20500:20599/udp

# Mediatomb
## upnp service discovery
ufw allow 1900/udp
## Mediatomb management web i/f
ufw allow 49152

# Plex Media Server
## Manage
ufw allow 32400

# open port for MySQL
ufw allow proto tcp from $LAN to any port 3306

# open ports for web services
ufw allow 80
ufw allow 443
ufw allow 8000:9999/tcp
ufw allow 8000:9999/udp

# Deny FTP
ufw deny 21/tcp

# Webmin/usermin allow
ufw allow webmin
ufw allow 20000

# open port for network time protocol (ntpd)
ufw allow ntp

# Allow Firefly (DAAP)
ufw allow 3689

# enable firewall (--force skips the "may disrupt existing ssh connections" prompt)
ufw --force enable

# list all firewall rules
ufw status verbose

You should be able to see from the Mediatomb section that UPnP is working on the standard port 1900 over UDP (not TCP) and is open in both directions; this is the main port for you. But you can also see that there are numerous other ports required for specific services.

  • Thanks for this. It inspired me to build a script for my server to regenerate the firewall quickly. I was also able to solve the problem with UPNP, specifically with XBMC as the upnp server. Commented Jun 19, 2012 at 17:18
  • Happy I could help Commented Jun 19, 2012 at 21:45
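The answer's approach is to snapshot which ports the media software actually listens on while the firewall is off, then write rules for exactly those. The script below is an added example, not code from the question or the answer: it takes listening-socket lines in the column layout of `ss -H -lntu` (Netid, State, Recv-Q, Send-Q, Local:Port, Peer:Port) and prints one ufw rule per socket, scoped to the LAN subnet rather than to any source, which is the safer default for a discovery protocol like SSDP that has no business being reachable from outside the home network. The sample socket lines and the 192.168.0.0/16 LAN are constructed for the example; sockets bound only to loopback are skipped because nothing on the LAN can reach them anyway.

```shell
#!/bin/sh
# Added example: turn a snapshot of listening sockets into LAN-scoped ufw rules.
# Assumes the `ss -H -lntu` column layout and a LAN of 192.168.0.0/16 (both
# assumptions of this example, not taken from the original post).

LAN="192.168.0.0/16"

# Constructed sample of what `ss -H -lntu` might print while a UPnP media
# server is running (not a real capture).
SAMPLE_SOCKETS='udp   UNCONN 0 0   0.0.0.0:1900        0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:5353        0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:49152       0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0 128 [::]:22             [::]:*'

# gen_ufw_rules LAN_CIDR
# Reads ss-style lines on stdin and prints one "ufw allow" command per socket
# that is reachable from the network. Loopback-only sockets produce no rule.
gen_ufw_rules() {
    lan="$1"
    while read -r proto state rq sq local peer; do
        [ -n "$proto" ] || continue          # skip blank lines
        port="${local##*:}"                  # text after the last colon
        addr="${local%:*}"                   # text before the last colon
        case "$addr" in
            127.*|"[::1]") continue ;;       # bound to loopback only
        esac
        printf 'ufw allow from %s to any port %s proto %s\n' "$lan" "$port" "$proto"
    done
}

# Stand-alone run: show the rules the sample would produce.
printf '%s\n' "$SAMPLE_SOCKETS" | gen_ufw_rules "$LAN"
```

On a real host the input would be `ss -H -lntu | gen_ufw_rules "$LAN"`, run while the media server is active so the dynamically chosen ports (the 49152 in the sample stands in for those) are present in the snapshot. Review the printed rules before running them as root after `ufw default deny incoming`; the random-port problem from the question is solved by capturing the ports once they are bound, not by guessing at them.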
