[mythtv-users] firewalld settings to allow mythtv to work?
David Hampton
mythtv at love2code.net
Wed Aug 10 19:36:11 UTC 2022
On Wed, 2022-08-10 at 07:10 -0400, James Abernathy wrote:
> I've been using the MythTV FE/BE combo on a PC that in recent updates
> is now running firewalld. I've looked into trying to configure it
> correctly, but without luck at least for MythTV. I know I have to
> set it to Home zone and turn on stuff but so far, I'm missing
> something. If I disable firewalld service, it all works as before.
>
> Anyone figured out firewalld with MythTV yet?
On the backend, define the mythtv-backend service in the file
/etc/firewalld/services/mythtv-backend.xml.
--- cut ---
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>MythTV Server</short>
<description>The MythTV Backend server.</description>
<port protocol="tcp" port="6543"/>
<port protocol="tcp" port="6544"/>
<port protocol="tcp" port="6545"/>
<port protocol="tcp" port="6549"/>
<port protocol="tcp" port="6554"/>
</service>
--- cut ---
Then issue the following commands:
# firewall-cmd --reload
# firewall-cmd --add-service=mythtv-backend
# firewall-cmd --add-service=mysql
# firewall-cmd --runtime-to-permanent
When the firewall reloads, it reads the definition for the mythtv-backend service. The other commands allow access to the mythtv and mysql ports, and save all the changes to make them permanent.
Here's what my firewall config looks like:
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp3s0f0 enp3s0f1 enp5s0
sources:
services: chrony dhcpv6-client http https mdns mysql mythtv-backend ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.3.22" accept
rule family="ipv4" source address="192.168.2.22" accept
The "rich rules" are to allow the backend access to my HDHomeRun tuners
by IP address. I haven't taken the time to try and figure out a more
specific rule for them.
If you're using mythweb, you'll need to allow access to the http and/or
https services, depending on how you set it up.
You probably don't need to allow any special access to the frontend for
it to work properly. I am using network control instead of an IR
remote, so I need to open at least one port. In the past I had allowed
all ports on my frontends, but I just now reworked them to use
firewalld. The /etc/firewalld/services/mythtv-frontend.xml service
file should look something like this:
--- cut ---
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>MythTV Client</short>
<description>The MythTV Frontend client.</description>
<port protocol="tcp" port="6546"/>
<port protocol="tcp" port="6547"/>
<port protocol="tcp" port="8081"/>
</service>
--- cut ---
Then issue the following commands:
# firewall-cmd --reload
# firewall-cmd --add-service=mythtv-frontend
# firewall-cmd --runtime-to-permanent
Here's what my firewall config looks like on the frontend:
# firewall-cmd --list-all
FedoraWorkstation (active)
target: default
icmp-block-inversion: no
interfaces: enp2s0
sources:
services: chrony dhcpv6-client mythtv-frontend samba-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
I hope this helps.
David
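The procedure in the post (write a service file, reload, add the service, make it permanent) produces a zone configuration that is easy to get wrong silently: `firewall-cmd --add-service` without `--zone` acts on the default zone, and a rich rule that names only a source address and `accept` admits that host to every port on the machine, not just the tuner traffic. As an added example, not code from the post or from the MythTV or firewalld projects, here is a small Python audit that renders a service file with the same layout as the post's mythtv-backend.xml, parses it back, and parses a `firewall-cmd --list-all` dump (the backend zone from the post, embedded as a constructed sample) to report which ports the custom services open and to flag source-only accept rules. The function names and the audit rules are this example's own assumptions.

```python
"""Audit a firewalld zone dump against the custom service files it enables.

Added example (not code from the mailing-list post or from MythTV/firewalld):
the zone dump and port set below are constructed from the post; the function
names and the audit rules are this example's own assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the backend zone as printed by `firewall-cmd --list-all`.
LIST_ALL = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0f0 enp3s0f1 enp5s0
  sources:
  services: chrony dhcpv6-client http https mdns mysql mythtv-backend ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="192.168.3.22" accept
\trule family="ipv4" source address="192.168.2.22" accept
"""

# Constructed sample: the ports the post's mythtv-backend.xml opens.
BACKEND_PORTS = {("tcp", "6543"), ("tcp", "6544"), ("tcp", "6545"),
                 ("tcp", "6549"), ("tcp", "6554")}


def build_service_xml(short, description, ports):
    """Render a firewalld service file (same layout as the post's) from a
    set of (protocol, port) tuples, sorted so the file is reproducible."""
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for proto, port in sorted(ports, key=lambda p: (p[0], int(p[1]))):
        ET.SubElement(root, "port", protocol=proto, port=port)
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"


def service_ports(xml_text):
    """Parse a service file back into its set of (protocol, port) tuples."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("not a firewalld service file")
    return {(p.get("protocol"), p.get("port")) for p in root.findall("port")}


def parse_list_all(text):
    """Parse `firewall-cmd --list-all` output into the zone name, the
    whitespace-separated fields, and the rich rules (one string each)."""
    lines = text.splitlines()
    zone = lines[0].split()[0]            # "public (active)" -> "public"
    fields, rich_rules = {}, []
    for line in lines[1:]:
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("rule "):  # rich rules are listed unkeyed
            rich_rules.append(stripped)
            continue
        key, _, value = stripped.partition(":")
        fields[key.strip()] = value.split()
    return {"zone": zone, "fields": fields, "rich_rules": rich_rules}


# A rich rule with only a source and an action admits that host to every
# port, not just the ports a service or port element would name.
BROAD_RULE = re.compile(
    r'^rule family="(?:ipv4|ipv6)" source address="([^"]+)" accept$')


def broad_source_rules(rich_rules):
    """Return the source addresses admitted by port-unrestricted accept rules."""
    return [m.group(1) for m in map(BROAD_RULE.match, rich_rules) if m]


def audit(list_all_text, service_files):
    """Summarise what a zone exposes: enabled services, the ports opened by
    the custom services we have definitions for, and any source-only accepts."""
    zone = parse_list_all(list_all_text)
    enabled = zone["fields"].get("services", [])
    custom = {name: sorted(service_ports(xml), key=lambda p: int(p[1]))
              for name, xml in service_files.items() if name in enabled}
    return {
        "zone": zone["zone"],
        "services": sorted(enabled),
        "custom_ports": custom,
        "broad_sources": broad_source_rules(zone["rich_rules"]),
    }


if __name__ == "__main__":
    files = {"mythtv-backend": build_service_xml(
        "MythTV Server", "The MythTV Backend server.", BACKEND_PORTS)}
    report = audit(LIST_ALL, files)
    print(f"zone {report['zone']} enables: {' '.join(report['services'])}")
    for name, ports in report["custom_ports"].items():
        print(f"  {name}: " + " ".join(f"{pr}/{po}" for pr, po in ports))
    for src in report["broad_sources"]:
        print(f"  WARNING: {src} may reach every port (source-only accept)")
```

On a real host, feed `audit()` the output of `firewall-cmd --list-all` and the contents of the files under /etc/firewalld/services/ instead of the constructed samples; a rich rule that also names a service or port element (for example `service name="ssh"`) is not flagged, which is the shape a tightened tuner rule would take.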