07-25-2012 #1 - Just Joined! (Join Date: Jul 2012, Posts: 8)
UPnP required, but can't set firewall rule since port keeps changing
I just started using jitsi the other day. It is advertised as a more secure alternative to skype. Apparently it requires UPnP to be turned on in my Qwest Q1000 router. I can't seem to find in the Q1000 where to limit the ports used for UPnP even though it has a place to list such rules if they were defined.
If I shut off my firewall (ufw) I can place phone calls from jitsi via google voice just fine. However, if I start ufw, I get log entries in syslog that tell me that the firewall is blocking UPnP traffic. Here are three such entries for three different phone call attempts:
Jul 25 13:52:00 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60528 LEN=336
Jul 25 13:34:28 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=42368 LEN=336
Jul 25 13:31:45 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=40166 LEN=336
The problem, as I have highlighted in bold, is that the destination port is never the same, so a ufw rule cannot be constructed, and leaving all ports open to the internet access point defeats the purpose of a firewall. 192.168.2.11 is the IP of the router, 192.168.2.4 is the IP of the laptop running ufw and jitsi.
Any ideas would be greatly appreciated.
Clarification:
I was able to unblock outgoing (from laptop to router) UPnP traffic prior to this issue. This problem seems to be with the transmission from the router (192.168.2.11) back to the laptop (192.168.2.4) running jitsi and ufw. It is leaving the router port 1900 and being sent to a random port on the laptop. This is the only block listed in syslog at the time these calls were placed.
Last edited by nomadicME; 07-26-2012 at 05:49 PM.
07-26-2012 #2 - Linux Enthusiast (Join Date: Apr 2012, Location: Virginia, USA, Posts: 561)
While I'm not going to try to dissect UFW and Ubuntu's famously poor documentation, I suggest you switch to interfacing directly with iptables via the command line. You can then set a stateful rule to allow all ports (or ports in the range of your application), and only allow RELATED,ESTABLISHED states inbound.
- 07-26-2012 #3
On another note, the purpose of the firewall is to block connections from the internet to your system. You can leave all outgoing traffic from your network to the internet open. People that block outgoing traffic are the ones who do not trust the users on their network, i.e., companies. As a home user you can leave all traffic OUTBOUND open. You just have to make sure the return traffic can get back to the system with ESTABLISHED/RELATED rules.
Here is a Tutorial
07-26-2012 #4 - Just Joined! (Join Date: Jul 2012, Posts: 8)
Quote (Lazydog): On another note, the purpose of the firewall is to block connections from the internet to your system. You can leave all outgoing traffic from your network to the internet open. People that block outgoing traffic are the ones who do not trust the users on their network, i.e., companies. As a home user you can leave all traffic OUTBOUND open. You just have to make sure the return traffic can get back to the system with ESTABLISHED/RELATED rules.
Lazydog,
Thanks for your insight, however, this is incoming traffic that is the problem. I'll try to clarify this in the original post.
07-26-2012 #5 - Just Joined! (Join Date: Jul 2012, Posts: 8)
mizzle,
Thanks for your idea. I'm keeping it as an option in case no other solutions surface. Just to clarify, would this qualify as an "ESTABLISHED" communication since it was initiated by the laptop inside the firewall and the transmission blocked was a returning signal?
BTW, UFW stands for uncomplicated firewall, not Ubuntu firewall. I'm actually on a Gentoo system. I do realize that uncomplicated means less configurable, so maybe it is time to make the change back to straight up iptables.
07-26-2012 #6 - Linux Enthusiast (Join Date: Apr 2012, Location: Virginia, USA, Posts: 561)
My mistake. I know Ubuntu uses ufw now, and I just don't care for it (for reasons such as the ones we're discussing here).
TCP is a 'stateful' connection. Now that I look more closely at your problem, I see PROTO=UDP
So, stateful rules may or may not help...but..
Generally speaking, the reply from the distant host would qualify as "ESTABLISHED" since the firewall should be connection tracking transmission.
- 07-27-2012 #7
Would it be possible for you to post your rules or if you are not comfortable you could PM them to me. I have found in the past that most people do not understand how their rules work and it is usually one rule that they never think of looking at that is causing them their headaches.
One thing that has me puzzled is why the SRC address is a private IP. This could be the problem right here, as I am sure the IP you are contacting for the phone service is not a private IP.
Are you also logging outgoing packets? If not, you should be, so you can look at the whole conversation to figure out the problem.
Jul 25 13:52:00 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60528 LEN=336
Last edited by Lazydog; 07-27-2012 at 11:49 AM.
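The question left open in posts #5 and #6 (does the blocked packet count as ESTABLISHED?) and the puzzle in post #7 (why is SRC a private address?) have one answer that the log lines themselves carry: UDP from the router's address with source port 1900 is an SSDP/UPnP discovery response. The laptop sends an M-SEARCH from an ephemeral port to the multicast group 239.255.255.250:1900, and the router answers unicast from 192.168.2.11:1900 to that ephemeral port. Because the reply's source address is not the query's destination address, conntrack does not pair them, so the reply is NEW rather than ESTABLISHED and the RELATED,ESTABLISHED rule that ufw's default before.rules already contains never matches it. The script below is an added example, not code from the thread or from ufw/iptables: it parses the three quoted log lines (embedded as constructed sample input), classifies each one with that reasoning, and prints the narrowest rule that admits only these replies. The addresses and interface come from the thread; the 32768 ephemeral-port floor is the Linux default and is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): classify [UFW BLOCK] lines and derive a
# rule that admits the blocked SSDP replies without opening every port.

ROUTER=192.168.2.11   # Qwest Q1000 router (from the thread)
LAPTOP=192.168.2.4    # laptop running ufw and jitsi (from the thread)
LAN_IF=eth0           # interface named in the log lines
EPHEMERAL_MIN=32768   # assumed: Linux default lower bound of ephemeral ports

# Constructed sample input: the three blocked packets quoted in post #1.
SAMPLE_LOG='Jul 25 13:52:00 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60528 LEN=336
Jul 25 13:34:28 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=42368 LEN=336
Jul 25 13:31:45 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=40166 LEN=336'

# field LINE KEY -> prints the value of KEY=VALUE in LINE, or nothing if absent.
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# classify_line LINE -> "ssdp-reply" when the packet is a unicast SSDP answer
# from the router (UDP, source port 1900) to an ephemeral port on the laptop,
# otherwise "other". Such an answer follows an M-SEARCH the laptop sent to the
# multicast group 239.255.255.250:1900; the answer's source address differs
# from the query's destination, so conntrack sees NEW, not ESTABLISHED.
classify_line() {
    line=$1
    proto=$(field "$line" PROTO)
    src=$(field "$line" SRC)
    dst=$(field "$line" DST)
    spt=$(field "$line" SPT)
    dpt=$(field "$line" DPT)
    case $dpt in ''|*[!0-9]*) dpt=0 ;; esac   # non-numeric or missing DPT
    if [ "$proto" = UDP ] && [ "$src" = "$ROUTER" ] && [ "$dst" = "$LAPTOP" ] \
       && [ "$spt" = 1900 ] && [ "$dpt" -ge "$EPHEMERAL_MIN" ]; then
        echo ssdp-reply
    else
        echo other
    fi
}

# count_ssdp_replies -> number of SAMPLE_LOG lines classified as ssdp-reply.
count_ssdp_replies() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify_line "$line")" = ssdp-reply ]; then
            n=$((n + 1))
        fi
    done <<EOF
$SAMPLE_LOG
EOF
    echo "$n"
}

# suggested_rule -> the iptables rule that admits only these replies: UDP on
# the LAN interface, from the router's address and port 1900, to the laptop.
# The varying destination port is left unconstrained; every other field is
# pinned, so this does not amount to "leaving all ports open".
suggested_rule() {
    echo "iptables -A INPUT -i $LAN_IF -p udp -s $ROUTER --sport 1900 -d $LAPTOP -j ACCEPT"
}

echo "SSDP replies among the blocked packets: $(count_ssdp_replies) of 3"
echo "Rule that admits them without opening every port:"
suggested_rule
```

The same rule in ufw's own grammar is `ufw allow in on eth0 proto udp from 192.168.2.11 port 1900 to 192.168.2.4`; either form only trusts port 1900 on the router's LAN address, so a host elsewhere on the internet still cannot reach arbitrary UDP ports on the laptop. Before adding it, confirm with the outgoing-packet logging that post #7 suggests that each blocked reply is indeed preceded by an M-SEARCH from the laptop to 239.255.255.250:1900 with the matching source port.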