
Firewall information?

Open jdpipe opened this issue 5 years ago • 10 comments

Hi there -- thanks for the huge amount of work that must have gone in to getting noson working as well as it does.

There was a comment in bug #104 saying that it was recommended to disable the firewall in Ubuntu when running Noson. I did that and it works fine. However I am not comfortable taking my laptop all over the place with no firewall active. I have not seen a definitive list of ports that noson really needs to function properly.

Sonos provides this big list of ports, but which ones is noson depending on (listening on)? https://support.sonos.com/s/article/688?language=en_US

Is there any way that setting up the typical 'ufw' firewall for noson could be automated, since it's so fiddly to set up so many different ports, and even after setting them all up, my noson-app still doesn't work correctly.

jdpipe avatar Feb 13 '20 12:02 jdpipe

I created a file named noson in /etc/ufw/applications.d with the following:

[noson]
title=noson Sonos controller app
description=controls Sonos devices on the same network
ports=80,443,445,1400,3400,3445,3400,3401,3405,4070,4444/tcp|136,137,138,139,1900,1901,2869,10243,10280,10281,10282,10283,10284,5353,6969/udp|35382

Then loaded it into my firewall as follows:

sudo ufw app update noson
sudo ufw allow noson

@jdpipe, hope this helps!

brozeph avatar Apr 02 '20 19:04 brozeph

The listen port range of noson is 1400-1410. You have to allow IN for this range too.

janbar avatar Apr 03 '20 20:04 janbar

So FWIW I just put together the above two comments like this:

[noson]
title=noson Sonos controller app
description=controls Sonos devices on the same network
ports=80,443,445,1400:1410,3400,3445,3400,3401,3405,4070,4444/tcp|136,137,138,139,1900,1901,2869,10243,10280,10281,10282,10283,10284,5353,6969/udp|35382

Trevoke avatar Sep 13 '20 21:09 Trevoke

There is also some UDP communication from the SONOS device to a randomly chosen port taken from a pool somewhere between 40000 and 60000; I saw 40417 but also 58138. Unfortunately they are randomized every time and not mentioned anywhere on the SONOS page, so I don't really know the exact pool range.

FINAL_REJECT: IN=wlp2s0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=(IP.of.SONOS.device) DST=(IP.of.the.computer) LEN=545 TOS=0x00 PREC=0x00 TTL=64 ID=35576 DF PROTO=UDP SPT=45231 DPT=41061 LEN=525 

FINAL_REJECT: IN=wlp2s0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=(IP of SONOS device) DST=(IP of the computer) LEN=545 TOS=0x00 PREC=0x00 TTL=64 ID=35576 DF PROTO=UDP SPT=41449 DPT=58138 LEN=525 

jankohoutek avatar Sep 21 '20 15:09 jankohoutek

@Trevoke There was a small error in your ufw profile which made it not work for me. You listed port 3400 (tcp) twice and port 3500 (tcp) was missing. According to Sonos 3500 (tcp) is needed. I updated the configuration and reloaded ufw and I can connect just fine now.

Create a file named noson in /etc/ufw/applications.d with the following:

[noson]
title=noson Sonos controller app
description=controls Sonos devices on the same network
ports=80,443,445,1400:1410,3400,3401,3405,3445,3500,4070,4444/tcp|136,137,138,139,1900,1901,2869,10243,10280,10281,10282,10283,10284,5353,6969/udp|35382

Update the rules for ufw with:

sudo ufw app update noson
sudo ufw allow noson

Hopefully this sorts the problem. Might make sense to put this in a wiki / readme?

sjoerdschouten avatar Sep 27 '20 08:09 sjoerdschouten

Opened a PR for this: #142

sjoerdschouten avatar Oct 01 '20 09:10 sjoerdschouten

OpenSuse Tumbleweed with firewalld

Create a "noson.xml" zone file in /etc/firewalld/zones/.

This file worked for my setup with 2 x ZP100 running on the network:

<?xml version="1.0" encoding="utf-8"?>
<!-- target="ACCEPT": anything matching this zone is accepted -->
<zone version="1" target="ACCEPT">
  <short>noson port enable</short>
  <!-- individual TCP ports from the Sonos list; 1400-1410 is noson's listen range -->
  <port port="80" protocol="tcp"/>
  <port port="443" protocol="tcp"/>
  <port port="445" protocol="tcp"/>
  <port port="1400-1410" protocol="tcp"/>
  <port port="3400" protocol="tcp"/>
  <port port="3401" protocol="tcp"/>
  <port port="3405" protocol="tcp"/>
  <port port="3445" protocol="tcp"/>
  <port port="3500" protocol="tcp"/>
  <port port="4070" protocol="tcp"/>
  <port port="4444" protocol="tcp"/>
  <port port="35382" protocol="tcp"/>
  <!-- UDP ports (SSDP discovery on 1900/1901, mDNS on 5353, etc.) -->
  <port port="136-139" protocol="udp"/>
  <port port="1900" protocol="udp"/>
  <port port="1901" protocol="udp"/>
  <port port="2869" protocol="udp"/>
  <port port="5353" protocol="udp"/>
  <port port="6969" protocol="udp"/>
  <port port="10243" protocol="udp"/>
  <port port="10280-10284" protocol="udp"/>
  <port port="35382" protocol="udp"/>
  <!-- these two entries admit all tcp and all udp from the sources below,
       so the zone is not limited to the individual ports listed above -->
  <protocol value="tcp"/>
  <protocol value="udp"/>
  <!-- only these addresses are bound to the zone: the noson PC and the two ZP100 players
       (placeholders as posted; fill in your own addresses) -->
  <source address="192.168.n.xxx"/>
  <source address="192.168.n.xxx"/>
  <source address="192.168.n.xxx"/>
</zone>

The first source address IP is the PC that noson is running on.

The other two are my ZP100s.

You will need to go superuser to edit the file in the /etc/firewalld/zones directory.

Or install firewall-config and do it graphically: create a new zone ("noson"); then, in the tab associated with the new "noson" zone, add the two protocols (tcp and udp); then add the ports as per the list above in the ports tab; then add the IP addresses of all the devices in the sources tab.

Make sure you do this to the permanent rules, not the runtime (tab near the top of the firewall-config app screen).

Restart the firewall with sudo systemctl restart firewalld and noson should be talking to your Sonos box/boxes, and you've still got a firewall running.

Hope this helps.

foodmonkey avatar Dec 10 '23 05:12 foodmonkey
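As an added example (not code from this thread, from noson, or from ufw/firewalld), a small Python checker that parses a ufw profile's `ports=` value and a firewalld zone's `<port>` elements into (port, protocol) sets, so the duplicated/missing port problem discussed earlier in the thread and any drift between the ufw and firewalld profiles can be spotted mechanically. The port specs are copied from the comments above; the firewalld zone is reduced to its `<port>` elements, with the `<protocol>` and `<source>` entries left out.

```python
from collections import Counter
import xml.etree.ElementTree as ET

# ufw 'ports=' values copied from the thread: Trevoke's line (3400 listed
# twice, 3500 missing) and sjoerdschouten's corrected line.
UFW_TREVOKE = ("80,443,445,1400:1410,3400,3445,3400,3401,3405,4070,4444/tcp"
               "|136,137,138,139,1900,1901,2869,10243,10280,10281,10282,10283,10284,5353,6969/udp|35382")
UFW_FIXED = ("80,443,445,1400:1410,3400,3401,3405,3445,3500,4070,4444/tcp"
             "|136,137,138,139,1900,1901,2869,10243,10280,10281,10282,10283,10284,5353,6969/udp|35382")

# foodmonkey's firewalld zone reduced to its <port> elements (sources omitted).
FIREWALLD_ZONE = """<zone version="1" target="ACCEPT"><short>noson port enable</short>
<port port="80" protocol="tcp"/><port port="443" protocol="tcp"/><port port="445" protocol="tcp"/>
<port port="1400-1410" protocol="tcp"/><port port="3400" protocol="tcp"/><port port="3401" protocol="tcp"/>
<port port="3405" protocol="tcp"/><port port="3445" protocol="tcp"/><port port="3500" protocol="tcp"/>
<port port="4070" protocol="tcp"/><port port="4444" protocol="tcp"/><port port="35382" protocol="tcp"/>
<port port="136-139" protocol="udp"/><port port="1900" protocol="udp"/><port port="1901" protocol="udp"/>
<port port="2869" protocol="udp"/><port port="5353" protocol="udp"/><port port="6969" protocol="udp"/>
<port port="10243" protocol="udp"/><port port="10280-10284" protocol="udp"/><port port="35382" protocol="udp"/>
</zone>"""


def expand(spec, sep):
    # '80' -> [80]; '1400:1410' (ufw) or '1400-1410' (firewalld) -> [1400..1410]
    lo, _, hi = spec.partition(sep)
    return list(range(int(lo), int(hi or lo) + 1))


def ufw_ports(ports_line):
    """Counter of (port, proto) from a ufw 'ports=' value.
    '|' separates groups; a group without '/proto' applies to both tcp and udp."""
    seen = Counter()
    for group in ports_line.split("|"):
        plist, _, proto = group.partition("/")
        for spec in plist.split(","):
            for port in expand(spec, ":"):
                for p in ([proto] if proto else ["tcp", "udp"]):
                    seen[(port, p)] += 1
    return seen


def firewalld_ports(zone_xml):
    """Counter of (port, proto) from every <port> element of a firewalld zone."""
    seen = Counter()
    for el in ET.fromstring(zone_xml).findall("port"):
        for port in expand(el.get("port"), "-"):
            seen[(port, el.get("protocol"))] += 1
    return seen


def duplicates(counter):
    return sorted(k for k, n in counter.items() if n > 1)


def diff(a, b):
    """(only_in_a, only_in_b): ports one profile opens that the other does not."""
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))
```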