[mythtv-users] Usefulness of firewall (Was: firewalld settings to allow mythtv to work?)

Simon linux at thehobsons.co.uk
Wed Aug 10 15:33:22 UTC 2022


James <jam at tigger.ws> wrote:

> If you have a modem/router and you are running an ipv4 network at home then any firewall within your network is totally without any value what so ever.

I disagree - (almost) totally.

To be honest, the days of “secure” inside and “insecure” outside are more or less over - and it’s every host (and service) for itself. OK, perhaps a bit OTT, but as already pointed out we no longer have a handful of devices that we control - a typical home network already has multiple devices running SOUP (software of unknown provenance). And given the number of devices that tunnel out (undocumented) to outside hosts (undocumented) and permit external hosts (undocumented) to come back in to do undocumented stuff, then it pays these days to assume your internal network is no longer secure.
And before we get onto stuff that may or may not do this stuff, but is just plain insecure because the SOUP is written by idiots. There have been a number of stories on ElReg about the number of DVR appliances which all run the same DVR software, exposed to the internet “to allow remote viewing”, and which are full of security holes which the manufacturers aren’t fixing. That’s just one class of device.



As to how to configure a firewall ...
I would suggest that to start with, you arrange for your frontends to occupy known IPs (or a small subset of IPs on the network). That in itself is not sufficient as any device can use any address unless you have a moderately mid-high end switch with port snooping and isolation. But it allows you to narrow down your access rules and thus reduce the exposure.
So if (for example) you use 192.168.123.0/24, then allocate say 192.168.123.48-63 (192.168.123.48/28) for your frontends - then anything outside that range will not even be able to see the MythTV services.
So as a starting point you could add rules to :
allow from 192.168.123.48/28 to any port/protocol
drop everything
You might want to add rules to allow your SSH access etc first BTW !

From memory, the first port you need is MySQL TCP port 3306. The frontends access the database to get various settings.
Then, according to https://www.mythtv.org/wiki/Myth_Protocol/Guide, you need UDP port 6543 for the API.

After that it probably gets “interesting”. After a quick skim of the above page I get the impression that data transfers (i.e. streaming a video) use a second port that is dynamically allocated. So that’s going to mean allowing connections from the frontend IPs to a range of ports.

And you’ll want port 80 (443 if you’ve put Mythweb behind TLS).

There’s a number of ways to work out what you need to open.

One is to have a working system and sniff the network to see what flows are going on.

Another is to break it by blocking everything  - then looking to see what you need to allow. You can either sniff the network, or log the firewall drop rules and just watch what packets/flows the firewall is dropping.



A note about firewall config style.
I’ve not used firewalld (my preferred option has been Shorewall for quite a while, though I’m not sure how that fits in with the newer net filter system), so I don’t know what it allows you to do. But if it’s supported, use names for stuff !

So for example :
define frontends as 192.168.123.48/24
define myth ports as TCP/3306,UDP/5432
then you can “allow from frontends to mythports”
Not only is it more readable, but it’s more maintainable - e.g. if you renumber your network you only need to redefine frontends once rather than find and change all occurrences of 192.168.123.48/24. It’s especially important when configs are spread across multiple files.

I’ve worked with some truly awful commercial firewalls - imagine a web interface, that shows you only 10 rules to a page, takes a while to move back/forwards a page, defaults to only showing a summary of each rule (you have to click to expand the rules to see the hosts and ports involved), and doesn’t allow you to define anything as an alias/shortcut (or add comments). Truly a ‘kin nightmare to work with when you get to hundreds of rules !


Simon
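As an added example (not part of Simon's post or of MythTV), the script below puts two of his suggestions into working code: it keeps the frontend range and the allowed ports as named objects and renders them into an nftables ruleset (nftables being the newer netfilter system he mentions), and it parses the kernel log lines produced by a "log then drop" rule so you can see which flows from the frontend range are still being dropped and therefore still need an allow rule. The log prefix `MYTH-DROP`, the sample log lines, and the assumption that only MySQL (TCP 3306) has been opened so far are all constructed for the example; the protocol and port numbers for your own setup need to come from the wiki page and from watching your own drops, as the post describes.

```python
"""Named firewall objects plus a drop-log summariser for a MythTV backend.

Added example, not code from the mailing-list post. The log lines are
constructed to look like Linux netfilter kernel log output (the same
key=value format iptables LOG and nftables `log` produce), assuming the
drop rule was given the prefix "MYTH-DROP ".
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Named definitions, as the post recommends, instead of repeating literals.
FRONTENDS = ip_network("192.168.123.48/28")   # 192.168.123.48-63
ALLOWED = {("tcp", 3306)}                      # MySQL, assumed already opened

# Constructed sample of kernel log lines from a LOG-then-DROP rule.
SAMPLE_LOG = """\
Aug 10 15:33:22 backend kernel: MYTH-DROP IN=eth0 OUT= SRC=192.168.123.50 DST=192.168.123.10 LEN=60 PROTO=TCP SPT=51234 DPT=6543 SYN
Aug 10 15:33:23 backend kernel: MYTH-DROP IN=eth0 OUT= SRC=192.168.123.50 DST=192.168.123.10 LEN=60 PROTO=TCP SPT=51235 DPT=6543 SYN
Aug 10 15:33:25 backend kernel: MYTH-DROP IN=eth0 OUT= SRC=192.168.123.61 DST=192.168.123.10 LEN=60 PROTO=TCP SPT=40000 DPT=6544 SYN
Aug 10 15:33:26 backend kernel: MYTH-DROP IN=eth0 OUT= SRC=192.168.123.200 DST=192.168.123.10 LEN=40 PROTO=TCP SPT=55555 DPT=3306 SYN
Aug 10 15:33:27 backend kernel: MYTH-DROP IN=eth0 OUT= SRC=192.168.123.200 DST=192.168.123.10 LEN=40 PROTO=TCP SPT=55556 DPT=22 SYN
Aug 10 15:33:28 backend kernel: MYTH-DROP IN=eth0 OUT= SRC=192.168.123.50 DST=192.168.123.10 LEN=28 PROTO=UDP SPT=6543 DPT=6543
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_drops(text, prefix="MYTH-DROP"):
    """Yield (src, dst, proto, dport) for every logged drop line."""
    for line in text.splitlines():
        if prefix not in line:
            continue
        f = dict(FIELD.findall(line))
        if not all(k in f for k in ("SRC", "DST", "PROTO")):
            continue  # truncated or unrelated line
        yield (ip_address(f["SRC"]), ip_address(f["DST"]),
               f["PROTO"].lower(), int(f.get("DPT", 0)))


def missing_allows(text, frontends=FRONTENDS, allowed=ALLOWED):
    """(proto, dport, count) for flows dropped from frontend IPs that are
    not yet in the allow list: these are the rules still to be added."""
    counts = Counter()
    for src, _dst, proto, dport in parse_drops(text):
        if src in frontends and (proto, dport) not in allowed:
            counts[(proto, dport)] += 1
    return sorted((p, d, n) for (p, d), n in counts.items())


def blocked_outsiders(text, frontends=FRONTENDS):
    """Sources outside the frontend range whose packets were dropped.
    Drops here are the firewall doing its job, not something to open."""
    return sorted({str(src) for src, *_ in parse_drops(text)
                   if src not in frontends})


def render_nft(frontends=FRONTENDS, ports=ALLOWED, log_prefix="MYTH-DROP"):
    """Render an nftables input chain that uses named definitions, so a
    renumbered network means changing $frontends in one place only."""
    by_proto = {}
    for proto, port in sorted(ports):
        by_proto.setdefault(proto, []).append(str(port))
    lines = [f"define frontends = {{ {frontends} }}"]
    for proto, plist in by_proto.items():
        lines.append(f"define myth_{proto}_ports = {{ {', '.join(plist)} }}")
    lines += ["table inet myth {",
              "  chain input {",
              "    type filter hook input priority 0; policy drop;",
              "    ct state established,related accept",
              "    iif lo accept",
              "    # add your SSH allow rule here before testing, as the post warns"]
    for proto in by_proto:
        lines.append(f"    ip saddr $frontends {proto} dport $myth_{proto}_ports accept")
    lines += [f'    log prefix "{log_prefix} " drop', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft())
    print("still dropped from frontends:", missing_allows(SAMPLE_LOG))
    print("blocked non-frontend sources:", blocked_outsiders(SAMPLE_LOG))
```

On the sample lines the summariser reports TCP 6543 and 6544 and UDP 6543 as still dropped from frontend addresses, while the 3306 and 22 attempts from 192.168.123.200 are listed separately as expected drops from outside the range; in practice you would feed it `journalctl -k` output and extend `ALLOWED` one flow at a time until the frontends work.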


