Bug 699691 - rygel is impossible to use with a firewall
Status: RESOLVED INVALID
Product: rygel
Classification: Applications
Component: general
Version: 0.18.x
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: rygel-maint
Reported: 2013-05-05 04:10 UTC by Ankur Sinha (FranciscoD)
Modified: 2013-05-13 20:17 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
s-c-g asking to modify firewall (147.05 KB, image/png)
2013-05-12 01:34 UTC, Ankur Sinha (FranciscoD)

Description Ankur Sinha (FranciscoD) 2013-05-05 04:10:35 UTC
This seems to have been discussed again and again, but I haven't been able to find a solution. What ports is one supposed to open to get rygel to work?

Various scattered sources on the internet say 1900/udp should be enough, but it doesn't seem to be. There is *no* mention of firewall configuration in the docs at all. I understand that the idea is that the user not know what ports are required etc, but the way it's being done is broken. I haven't been able to use rygel at all because I can't figure out what ports need to be opened. 

[ankur@ankur-pc  ~]$ sudo netstat -nlp | egrep rygel
tcp        0      0 192.168.1.17:57260      0.0.0.0:*               LISTEN      30429/rygel
tcp        0      0 127.0.0.1:49854         0.0.0.0:*               LISTEN      30429/rygel
udp        0      0 192.168.1.17:41985      0.0.0.0:*                           30429/rygel
udp        0      0 239.255.255.250:1900    0.0.0.0:*                           30429/rygel
udp        0      0 192.168.1.17:1900       0.0.0.0:*                           30429/rygel
udp        0      0 239.255.255.250:1900    0.0.0.0:*                           30429/rygel
udp        0      0 127.0.0.1:1900          0.0.0.0:*                           30429/rygel
udp        0      0 127.0.0.1:51382         0.0.0.0:*                           30429/rygel
[ankur@ankur-pc  ~]$

Do I do this each time I run rygel and then open all these ports? Which ones? 1900/udp, and?

If rygel crashes, when you rerun it, you have a new list of ports:

[ankur@ankur-pc  ~]$ sudo netstat -nlp | egrep rygel
[sudo] password for ankur:
tcp        0      0 192.168.1.17:51444      0.0.0.0:*               LISTEN      2444/rygel
tcp        0      0 127.0.0.1:57219         0.0.0.0:*               LISTEN      2444/rygel
udp        0      0 192.168.1.17:37667      0.0.0.0:*                           2444/rygel
udp        0      0 239.255.255.250:1900    0.0.0.0:*                           2444/rygel
udp        0      0 192.168.1.17:1900       0.0.0.0:*                           2444/rygel
udp        0      0 127.0.0.1:38764         0.0.0.0:*                           2444/rygel
udp        0      0 239.255.255.250:1900    0.0.0.0:*                           2444/rygel
udp        0      0 127.0.0.1:1900          0.0.0.0:*                           2444/rygel
[ankur@ankur-pc  ~]$

There really has to be a better way of doing this. There's a bug against system-config-firewall at Fedora which has been open since Fedora 13. We're into Fedora 19 now, and it hasn't been fixed since there isn't a simple way of finding what port s-c-f, or firewalld now, needs to open. https://bugzilla.redhat.com/show_bug.cgi?id=626188#c6

Comparatively, other tools like minidlna are much simpler to set up. They also have complete documentation on what port is to be opened exactly. https://wiki.archlinux.org/index.php/MiniDLNA

I'd really like to use rygel since it integrates with gnome and can use tracker etc data, but it's really not easy to do at the moment. One cannot switch off the firewall (which makes it work) or keep manually modifying ports every time rygel runs. 

Suggestions:
1. Use static ports only, or provide a configuration option that would let a user use static ports only. I don't know if this is possible since rygel uses libsoup or something which allocates a random port. 

2. Provide firewall configuration documentation at least until a way of automatically opening ports has been decided on.
Comment 1 Ankur Sinha (FranciscoD) 2013-05-05 04:12:34 UTC
[ankur@ankur-pc  ~]$ rpm -q rygel
rygel-0.18.1-1.fc19.x86_64

[ankur@ankur-pc  ~]$ sudo firewall-cmd --list-ports
1900/udp 8200/tcp

It isn't working. Neither my smart TV nor my WDTV Live box shows my laptop where I have rygel running.
Comment 2 Zeeshan Ali 2013-05-05 14:23:51 UTC
This is not really a bug in rygel. We can't do anything about firewall. If you just want to know which ports to open, please ask on list/IRC.
Comment 3 Jens Georg 2013-05-05 14:58:24 UTC
That said, it might get better with the zone support in NetworkManager/firewalld which we're currently discussing.
Comment 4 Jens Georg 2013-05-05 15:03:16 UTC
(In reply to comment #0)

Also:

> Suggestions:
> 1. Use static ports only, or provide a configuration option that would let a
> user use static ports only. I don't know if this is possible since rygel uses
> libsoup or something which allocates a random port. 

rygel.conf, section [general], port= or command-line option -p or RYGEL_PORT environment variable.
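
The mismatch this report describes, as an added example that is not part of the original thread or the rygel project: it compares the sockets rygel is bound to with the ports the firewall allows. `port_audit` and the `SAMPLE_*` variables are hypothetical names; the sample input is copied from the first netstat listing and the firewall-cmd output quoted in this report.

```shell
#!/bin/sh
# Added example (not from the bug report or the rygel project).
# port_audit NETSTAT_TEXT OPEN_PORTS [PROCESS]   (hypothetical helper name)
#   NETSTAT_TEXT: output of `netstat -nlp`
#   OPEN_PORTS:   output of `firewall-cmd --list-ports`
# Prints "MISSING port/proto" for each non-loopback socket of PROCESS that has
# no firewall rule, and "UNUSED port/proto" for each rule with no such socket.
port_audit() {
    printf '%s\n' "$1" | awk -v open="$2" -v proc="${3:-rygel}" '
        BEGIN {
            n = split(open, a, /[ \t\n]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") rule[a[i]] = 1
        }
        $1 ~ /^(tcp|udp)6?$/ && $NF ~ ("/" proc "$") {
            if ($4 ~ /^(127\.|::1:)/) next      # loopback never crosses the firewall
            proto = $1; sub(/6$/, "", proto)    # tcp6/udp6 use the same rule syntax
            port = $4;  sub(/.*:/, "", port)    # keep only the port after the last ":"
            bound[port "/" proto] = 1           # array key also de-duplicates
        }
        END {
            for (k in bound) if (!(k in rule))  print "MISSING", k
            for (k in rule)  if (!(k in bound)) print "UNUSED", k
        }' | LC_ALL=C sort
}

# Sample input copied from the listings quoted in this report.
SAMPLE_NETSTAT='tcp        0      0 192.168.1.17:57260      0.0.0.0:*               LISTEN      30429/rygel
tcp        0      0 127.0.0.1:49854         0.0.0.0:*               LISTEN      30429/rygel
udp        0      0 192.168.1.17:41985      0.0.0.0:*                           30429/rygel
udp        0      0 239.255.255.250:1900    0.0.0.0:*                           30429/rygel
udp        0      0 192.168.1.17:1900       0.0.0.0:*                           30429/rygel
udp        0      0 239.255.255.250:1900    0.0.0.0:*                           30429/rygel
udp        0      0 127.0.0.1:1900          0.0.0.0:*                           30429/rygel
udp        0      0 127.0.0.1:51382         0.0.0.0:*                           30429/rygel'
SAMPLE_RULES='1900/udp 8200/tcp'

port_audit "$SAMPLE_NETSTAT" "$SAMPLE_RULES"
```

A MISSING line is a mismatch to review, not proof that the port has to be opened. With the TCP port pinned through `port=` as described above, the TCP entry stays the same across restarts, so a single rule can cover it.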
Comment 5 Ankur Sinha (FranciscoD) 2013-05-09 07:43:12 UTC
(In reply to comment #2)
> This is not really a bug in rygel. We can't do anything about firewall. If you
> just want to know which ports to open, please ask on list/IRC.

Well, system-config-printer asks the user and opens ports in the firewall when you want it to look for network printers, iirc. I was hoping you could do something similar to that.

Anyway, can this please be documented on the wiki instead of me asking on the mailing list/IRC channel? It'll save you from having to answer this question again and again, each time someone tries to use rygel. (Users do want to know how to set it up, and tips on how they could set up the firewall would be nice, even if you can't do anything about the firewall from code.)

If you google for this information, you'll come across a lot of folks who've been looking for this.

Thanks, 
Warm regards,
Ankur
Comment 6 Zeeshan Ali 2013-05-10 13:05:45 UTC
(In reply to comment #5)
> (In reply to comment #2)
> > This is not really a bug in rygel. We can't do anything about firewall. If you
> > just want to know which ports to open, please ask on list/IRC.
> 
> Well, system-config-printer asks the user and opens ports in the firewall when
> you want it to look for network printers, iirc. I was hoping you could do
> something similar to that.

Oh it does? What does it look like? We'll have to do this in every UPnP/DLNA server at least, not just rygel then. Probably also clients would need this? Also rygel is not a UI so we can't really do the same even if it's appropriate to do this in rygel.

> Anyway, can this please be documented on the wiki instead of me asking on the
> mailing list/irc channel?

Sure thing. Please keep in mind that it's a wiki so anyone can help out there: https://live.gnome.org/Rygel/FAQ

> It'll save you from having to 
> answer this question again and again, each time someone tries to use rygel.

This only happens on Fedora afaik. I have not only filed a bug against that (as you found out) but have also provided a patch on demand. For some reason the bug has been ignored, especially after providing the patch. It's not really our fault.
Comment 7 Ankur Sinha (FranciscoD) 2013-05-12 01:34:16 UTC
Created attachment 243871 [details]
s-c-g asking to modify firewall

That's what it looks like. 


Anyway, thank you for your help. I'll follow up on the Fedora bug and see if I can get the patch etc. accepted.

Ankur
Comment 8 Marc-Andre Lureau 2013-05-13 20:17:34 UTC
(In reply to comment #3)
> That said, it might get better with the zone support in
> NetworkManager/firewalld which we're currently discussing.

Where is this discussion?

Btw, fedora/firewall folks are asking rygel folks to talk to firewalld
https://bugzilla.redhat.com/show_bug.cgi?id=626188