  1. #1
    Just Joined!
    Join Date
    Jul 2012
    Posts
    8

    UPnP required, but can't set firewall rule since port keeps changing


    I just started using Jitsi the other day. It is advertised as a more secure alternative to Skype. Apparently it requires UPnP to be turned on in my Qwest Q1000 router. I can't seem to find in the Q1000 where to limit the ports used for UPnP even though it has a place to list such rules if they were defined.

    If I shut off my firewall (ufw) I can place phone calls from jitsi via google voice just fine. However if I start ufw, I get log entries in syslog that tell me that the firewall is blocking UPnP traffic. Here are three such entries for three different phone call attempts:

    Jul 25 13:52:00 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60528 LEN=336

    Jul 25 13:34:28 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=42368 LEN=336

    Jul 25 13:31:45 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=40166 LEN=336

    The problem, as I have highlighted in bold, is that the destination port is never the same, so a ufw rule cannot be constructed, and leaving all ports open to the internet access point defeats the purpose of a firewall. 192.168.2.11 is the IP of the router; 192.168.2.4 is the IP of the laptop running ufw and Jitsi.

    Any ideas would be greatly appreciated.

    Clarification:

    I was able to unblock outgoing (from laptop to router) UPnP traffic prior to this issue. This problem seems to be with the transmission from the router (192.168.2.11) back to the laptop (192.168.2.4) running Jitsi and ufw. It is leaving the router port 1900 and being sent to a random port on the laptop. This is the only block listed in syslog at the time these calls were placed.
    Last edited by nomadicME; 07-26-2012 at 05:49 PM.
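    Added example, not part of the original post: a small parser for the three [UFW BLOCK] lines above that groups the blocked packets by source, source port and destination and reports whether the destination port is stable. The sample log is constructed from the lines quoted in the post (MAC field kept as the placeholder shown there); the finding it produces shows the pattern the post describes, a UDP reply from a private LAN address, source port 1900 (SSDP/UPnP discovery), to a different ephemeral port each time, which is why a rule keyed on the destination port cannot be written.

```python
import re
from ipaddress import ip_address

# Constructed sample: the three [UFW BLOCK] lines quoted in the post above.
SAMPLE_LOG = """\
Jul 25 13:52:00 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60528 LEN=336
Jul 25 13:34:28 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=42368 LEN=336
Jul 25 13:31:45 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=40166 LEN=336
"""

# Netfilter log lines are a run of KEY=VALUE tokens after the prefix.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_ufw_block(line):
    """Return the KEY=VALUE fields of one [UFW BLOCK] line, or None."""
    if "[UFW BLOCK]" not in line:
        return None
    fields = {}
    for key, val in FIELD_RE.findall(line.split("[UFW BLOCK]", 1)[1]):
        # LEN appears twice (IP total length, then UDP length); keep the first.
        fields.setdefault(key, val)
    return fields


def summarise_blocks(log_text):
    """Group blocked UDP packets by (proto, src, sport, dst) and describe each group."""
    groups = {}
    for line in log_text.splitlines():
        f = parse_ufw_block(line)
        if not f or f.get("PROTO") != "UDP":
            continue
        key = (f["PROTO"], f["SRC"], int(f["SPT"]), f["DST"])
        groups.setdefault(key, []).append(int(f["DPT"]))
    findings = []
    for (proto, src, sport, dst), dports in groups.items():
        findings.append({
            "proto": proto, "src": src, "sport": sport, "dst": dst,
            "count": len(dports),
            "dports": sorted(dports),
            "dport_stable": len(set(dports)) == 1,   # False here: 3 distinct ports
            "src_is_private": ip_address(src).is_private,  # LAN router, not the VoIP peer
            "ssdp_reply": sport == 1900,             # SSDP/UPnP discovery uses UDP 1900
        })
    return findings


if __name__ == "__main__":
    for finding in summarise_blocks(SAMPLE_LOG):
        print(finding)
```

Because the source address, protocol and source port are constant while only the destination port varies, the narrow rule that matches this traffic keys on those constant fields (router IP, UDP, source port 1900, inbound on eth0) rather than on the destination port.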

  2. #2
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    910
    While I'm not going to try to dissect UFW and Ubuntu's famously poor documentation, I suggest you switch to interfacing directly with iptables via the command line. You can then set a stateful rule to allow all ports (or ports in the range of your application), and only allow RELATED,ESTABLISHED states inbound.

  3. #3
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    On another note, the purpose of the firewall is to block connections from the internet to your system. You can leave all outgoing traffic from your network to the internet open. People that block outgoing traffic are the ones who do not trust the users on their network, i.e., companies. As a home user you can leave all traffic OUTBOUND open. You just have to make sure the return traffic can get back to the system with ESTABLISHED/RELATED rules.

    Here is a Tutorial

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  5. #4
    Just Joined!
    Join Date
    Jul 2012
    Posts
    8
    Originally Posted by Lazydog:
    > On another note, the purpose of the firewall is to block connections from the internet to your system. You can leave all outgoing traffic from your network to the internet open. People that block outgoing traffic are the ones who do not trust the users on their network, i.e., companies. As a home user you can leave all traffic OUTBOUND open. You just have to make sure the return traffic can get back to the system with ESTABLISHED/RELATED rules.


    Lazydog,

    Thanks for your insight, however, this is incoming traffic that is the problem. I'll try to clarify this in the original post.

  6. #5
    Just Joined!
    Join Date
    Jul 2012
    Posts
    8
    mizzle,

    Thanks for your idea. I'm keeping it as an option in case no other solutions surface. Just to clarify, would this qualify as an "ESTABLISHED" communication since it was initiated by the laptop inside the firewall and the transmission blocked was a returning signal?

    BTW, UFW stands for Uncomplicated Firewall, not Ubuntu firewall. I'm actually on a Gentoo system. I do realize that uncomplicated means less configurable, so maybe it is time to make the change back to straight-up iptables.

  7. #6
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    910
    My mistake. I know Ubuntu uses ufw now, and I just don't care for it (for reasons such as the ones we're discussing here).

    TCP is a 'stateful' connection. Now that I look more closely at your problem, I see PROTO=UDP. So, stateful rules may or may not help... but...

    Generally speaking, the reply from the distant host would qualify as "ESTABLISHED" since the firewall should be connection tracking transmission.
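    Added example, not part of the original thread: a toy model of how a connection-tracking firewall decides whether an inbound UDP packet is ESTABLISHED (it must be the exact reverse of a 5-tuple already seen outbound). It assumes, which the thread does not state, that the UPnP client's discovery request (SSDP M-SEARCH) goes to the multicast group 239.255.255.250:1900 while the router answers unicast from its own address, as the log lines show; under that assumption the reply does not match the stored tuple and is classified NEW, which is the case where an ESTABLISHED/RELATED rule alone does not help.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A UDP 5-tuple as a connection tracker would record it."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class ConntrackTable:
    """Toy model: outbound packets store their tuple; an inbound packet is
    ESTABLISHED only if it is the exact reverse of a stored tuple."""

    def __init__(self):
        self.entries = set()

    def outbound(self, flow):
        self.entries.add(flow)

    def classify_inbound(self, flow):
        return "ESTABLISHED" if flow.reverse() in self.entries else "NEW"


# Addresses from the thread plus the SSDP multicast group (assumed, see lead-in).
LAPTOP, ROUTER, SSDP_MCAST = "192.168.2.4", "192.168.2.11", "239.255.255.250"


def multicast_discovery(ephemeral_port):
    """M-SEARCH sent to the multicast group; router replies unicast from port 1900."""
    ct = ConntrackTable()
    ct.outbound(Flow("UDP", LAPTOP, ephemeral_port, SSDP_MCAST, 1900))
    reply = Flow("UDP", ROUTER, 1900, LAPTOP, ephemeral_port)
    return ct.classify_inbound(reply)  # "NEW": the tuple expected a reply from the group address


def unicast_request(ephemeral_port):
    """Same exchange but addressed directly to the router: the reply matches."""
    ct = ConntrackTable()
    ct.outbound(Flow("UDP", LAPTOP, ephemeral_port, ROUTER, 1900))
    return ct.classify_inbound(Flow("UDP", ROUTER, 1900, LAPTOP, ephemeral_port))
```

If the client can be made to send its discovery unicast, stateful rules suffice; otherwise the minimal opening is an inbound rule scoped to the router's address, UDP, source port 1900 on the LAN interface, not a wildcard on all ports.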

  8. #7
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Would it be possible for you to post your rules? If you are not comfortable, you could PM them to me. I have found in the past that most people do not understand how their rules work, and it is usually one rule that they never think of looking at that is causing them their headaches.

    One thing that has me puzzled is why the SRC address is a private IP. This could be the problem right here, as I am sure the IP you are contacting for the phone service is not a private IP.

    Jul 25 13:52:00 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60528 LEN=336
    Are you also logging outgoing packets? If not you should be so you can look at the whole conversation to figure out the problem.
    Last edited by Lazydog; 07-27-2012 at 11:49 AM.

    Regards
    Robert

