Re: [SlimDevices: SqueezeCenter] Port mapping between LMS and piCorePlayer
> I'm trying to set some rules for my firewall.

What for? You might save yourself a lot of trouble by understanding what you're trying to do, and deciding not to do it after all :-)

--
Michael
___
Squeezecenter mailing list
Squeezecenter@lists.slimdevices.com
http://lists.slimdevices.com/mailman/listinfo/squeezecenter
Re: [SlimDevices: SqueezeCenter] Port mapping between LMS and piCorePlayer
squeezetux wrote:
> Right, so are you saying that a rule like:
>
> RULE  TYPE     SOURCE        PORT ; DESTINATION   PORT
> PASS  TCP/UDP  192.168.X.XX  ALL  ; 192.168.Y.YY  9000, 3483
>
> Basically, any port from the client can contact the destination port on
> LMS. But doesn't this expose the server if someone maliciously hacks my
> piCorePlayer client and attempts to run other programs? Surely by
> restricting the source port you tie it down more? I guess if the source
> port is changing all the time, then you could use an interval for the
> source port (if it's running on intervals I guess ...)? But maybe the
> whole point is to ensure that the clients are secure too by changing
> default passwords, etc.

Client applications call servers on specific ports (e.g. 80 for web). When a client opens a source port to connect to a destination, the OS decides the source port number. The source port is not usually chosen by the application (see https://superuser.com/questions/1118735/how-are-source-ports-determined-and-how-can-i-force-it-to-use-a-specific-port).

Security should be based on the source IP address and not the port number of the source. Even if you only allow a specific source port number - it would not prevent a malicious application from using the port number and so it is not secure.

LMS was not designed to be securely accessed from outside the local LAN. All devices on local LAN are assumed to be trusted. If you want an outside device to access LMS - use a VPN.

bpa's Profile: http://forums.slimdevices.com/member.php?userid=1806
View this thread: http://forums.slimdevices.com/showthread.php?t=109260
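
The point made in the reply above (the OS assigns a different source port to each connection, so a rule should match source IP and destination port), as an added example that is not part of the thread. A loopback listener stands in for LMS; `rule_allows` and the rule dictionaries are hypothetical and do not follow any firewall's syntax.

```python
import socket

def observe_source_ports(n=5):
    """Open n simultaneous TCP connections to one listening port on loopback.
    Returns (destination_port, [source port the OS assigned to each client])."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # stand-in server; the OS picks a free port
    srv.listen(n)
    dport = srv.getsockname()[1]
    clients = [socket.create_connection(("127.0.0.1", dport)) for _ in range(n)]
    sports = [c.getsockname()[1] for c in clients]
    for c in clients:
        c.close()
    srv.close()
    return dport, sports

def rule_allows(rule, conn):
    """Match one PASS rule against one connection.
    A rule field set to None means 'any'."""
    return all(rule[k] is None or conn[k] in rule[k]
               for k in ("src", "sport", "dst", "dport"))

def evaluate(n=5):
    dport, sports = observe_source_ports(n)
    conns = [{"src": "127.0.0.1", "sport": p, "dst": "127.0.0.1", "dport": dport}
             for p in sports]
    # Rule written from a single packet capture: pins the source port seen then.
    pinned = {"src": {"127.0.0.1"}, "sport": {sports[0]},
              "dst": {"127.0.0.1"}, "dport": {dport}}
    # Rule as advised in the thread: source IP + destination port, any source port.
    by_dest = dict(pinned, sport=None)
    return {
        "distinct_source_ports": len(set(sports)),
        "passed_pinned": sum(rule_allows(pinned, c) for c in conns),
        "passed_by_dest": sum(rule_allows(by_dest, c) for c in conns),
    }

if __name__ == "__main__":
    print(evaluate())
```

The pinned rule passes only the connection it was captured from, which matches the "it stops working as soon as I specify ports" symptom in the original question.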
Re: [SlimDevices: SqueezeCenter] Port mapping between LMS and piCorePlayer
bpa wrote:
> These are the port numbers of the "caller" or client and will always be
> different - each time each connection will be different. This is how TCP
> works.
>
> Firewalls are set up to stop calls TO a port number not FROM a port
> number.

Right, so are you saying that a rule like:

RULE  TYPE     SOURCE        PORT ; DESTINATION   PORT
PASS  TCP/UDP  192.168.X.XX  ALL  ; 192.168.Y.YY  9000, 3483

Basically, any port from the client can contact the destination port on LMS. But doesn't this expose the server if someone maliciously hacks my piCorePlayer client and attempts to run other programs? Surely by restricting the source port you tie it down more? I guess if the source port is changing all the time, then you could use an interval for the source port (if it's running on intervals I guess ...)? But maybe the whole point is to ensure that the clients are secure too by changing default passwords, etc.

squeezetux's Profile: http://forums.slimdevices.com/member.php?userid=68286
Re: [SlimDevices: SqueezeCenter] Port mapping between LMS and piCorePlayer
squeezetux wrote:
> So the question is why are there ports here not listed by you? e.g.
> 34882, 34974 These are clearly ports running on the pCP client.

These are the port numbers of the "caller" or client and will always be different - each time each connection will be different. This is how TCP works.

Firewalls are set up to stop calls TO a port number not FROM a port number.

bpa's Profile: http://forums.slimdevices.com/member.php?userid=1806
Re: [SlimDevices: SqueezeCenter] Port mapping between LMS and piCorePlayer
paul- wrote:
> piCoreplayer has a web server running on 80, and sshd running on 22
>
> pCP will access LMS CLI at port 9090

Thanks Paul-

I posted an archived firewalld xml file, checked on actual server and corrected post

Jeff

*Players:* SliMP3,Squeezebox3 x3,Receiver,SqueezeLiteX,PiCorePlayer x3,Wandboard
*Server:* LMS Version: Latest Nightly on Centos 7 VM on ESXi 6.5.0U1 on Dell T320
*Plugins:* AutoRescan/BBCiPlayer/PowerSave/PowerSwitchIII/Squeezecloud/Spotty/Player Groups
*Remotes:* iPeng9/Orangesqueeze/PC/Jivelite/SqueezeLiteX
*Music:* 522GB,1660 albums with 23087 songs by 5204 artists mostly FLACs
*Want a webapp ?* See http://forums.slimdevices.com/showthread.php?104305-Webapp-for-LMS

Jeff07971's Profile: http://forums.slimdevices.com/member.php?userid=49290
Re: [SlimDevices: SqueezeCenter] Port mapping between LMS and piCorePlayer
piCoreplayer has a web server running on 80, and sshd running on 22

pCP will access LMS CLI at port 9090

piCorePlayer a small player for the Raspberry Pi in RAM.
Homepage: https://sites.google.com/site/picoreplayer/home

paul-'s Profile: http://forums.slimdevices.com/member.php?userid=58858
Re: [SlimDevices: SqueezeCenter] Port mapping between LMS and piCorePlayer
squeezetux wrote:
> Thanks folks. I guess I just have to work out the ports used by
> piCorePlayer now. Jeff, your music collection is quite impressive if it
> means you hold >1600 CDs ...

Yup, Got my SliMP3 way back in 2001/2 (Still have it and still works !) and been building the collection ever since but had to rerip the whole collection some time ago into FLACs

Current Library Statistics are

Total Tracks: 23,161
Total Albums: 1,661
Total Artists: 5,205
Total Genres: 119
Total Playing Time: 1562:04:01

About 522GB

Jeff

Jeff07971's Profile: http://forums.slimdevices.com/member.php?userid=49290
Re: [SlimDevices: SqueezeCenter] Port mapping between LMS and piCorePlayer
Jeff07971 wrote:
> As DJanGo says.
>
> My config (squeezeboxserver.xml) for firewalld is:-
>
> Code:
>
> Squeezeboxserver
> Squeezebox server webadmin port
>
> Jeff

Thanks folks. I guess I just have to work out the ports used by piCorePlayer now. Jeff, your music collection is quite impressive if it means you hold >1600 CDs ...

squeezetux's Profile: http://forums.slimdevices.com/member.php?userid=68286
Re: [SlimDevices: SqueezeCenter] Port mapping between LMS and piCorePlayer
squeezetux wrote:
> Anyone successfully managed to build some tight rules around a similar
> configuration?
>
> Thanks

for the real lms you need
tcp 9000 3483
udp 3483

DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516
Re: [SlimDevices: SqueezeCenter] Port mapping between LMS and piCorePlayer
squeezetux wrote:
> Anyone successfully managed to build some tight rules around a similar
> configuration?
>
> Thanks

use a vpn - otherwise you will have some minor fun and some scriptkiddie on the other side has great fun (to wake you up, change language of your gui, adding nice plugins you don't want) - there is a sticky thread - here

DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516
[SlimDevices: SqueezeCenter] Port mapping between LMS and piCorePlayer
Hi folks,

I'm trying to set some rules for my firewall. My setting is LMS on a wired network (linux Debian server) and many PiCorePlayers on the wireless network. If I allow traffic between the single IPs (all ports), it all works. As soon as I try to specify ports, it stops working. I did some packet capture but the ports keep changing, at least on the PiCorePlayer end. Does anyone know how to map the ports across?

I have figured out the following up to now:

a) LMS streams on port 3483
b) LMS has its player listening on port 9000
c) pCP seems to listen on 60612, 60628 for streaming and port 80 for the WebGUI

As soon as I map the above ports, things change.

Anyone successfully managed to build some tight rules around a similar configuration?

Thanks

squeezetux's Profile: http://forums.slimdevices.com/member.php?userid=68286