[mythtv-users] firewalld settings to allow mythtv to work?

David Hampton mythtv at love2code.net
Wed Aug 10 19:36:11 UTC 2022


On Wed, 2022-08-10 at 07:10 -0400, James Abernathy wrote:
> I've been using the MythTV FE/BE combo on a PC that in recent updates
> is now running firewalld.  I've looked into trying to configure it
> correctly, but without luck at least for MythTV.  I know I have to
> set it to Home zone and turn on stuff but so far, I'm missing
> something. If I disable firewalld service, it all works as before.
> 
> Anyone figured out firewalld with MythTV yet?

On the backend, define the mythtv-backend service in the file
/etc/firewalld/services/mythtv-backend.xml.

--- cut ---
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>MythTV Server</short>
  <description>The MythTV Backend server.</description>
  <port protocol="tcp" port="6543"/>
  <port protocol="tcp" port="6544"/>
  <port protocol="tcp" port="6545"/>
  <port protocol="tcp" port="6549"/>
  <port protocol="tcp" port="6554"/>
</service>
--- cut ---

Then issue the following commands:

# firewall-cmd --reload
# firewall-cmd --add-service=mythtv-backend
# firewall-cmd --add-service=mysql
# firewall-cmd --runtime-to-permanent

When the firewall reloads, it reads the definition for the mythtv-backend
service. The other commands allow access to the mythtv and mysql ports,
and save all the changes to make them permanent.

Here's what my firewall config looks like:

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0f0 enp3s0f1 enp5s0
  sources: 
  services: chrony dhcpv6-client http https mdns mysql mythtv-backend ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="192.168.3.22" accept
	rule family="ipv4" source address="192.168.2.22" accept

The "rich rules" are to allow the backend access to my HDHomeRun tuners
by IP address.  I haven't taken the time to try and figure out a more
specific rule for them.

If you're using mythweb, you'll need to allow access to the http and/or
https services, depending on how you set it up.


You probably don't need to allow any special access to the frontend for
it to work properly.  I am using network control instead of an IR
remote, so I need to open at least one port.  In the past I had allowed
all ports on my frontends, but I just now reworked them to use
firewalld.  The /etc/firewalld/services/mythtv-frontend.xml service
file should look something like this:

--- cut ---
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>MythTV Client</short>
  <description>The MythTV Frontend client.</description>
  <port protocol="tcp" port="6546"/>
  <port protocol="tcp" port="6547"/>
  <port protocol="tcp" port="8081"/>
</service>
--- cut ---

Then issue the following commands:

# firewall-cmd --reload
# firewall-cmd --add-service=mythtv-frontend
# firewall-cmd --runtime-to-permanent

Here's what my firewall config looks like on the frontend:

# firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources: 
  services: chrony dhcpv6-client mythtv-frontend samba-client ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

I hope this helps.

David
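As an added example (not from David's mail and not part of the MythTV project), here is a small shell script that renders firewalld service files of the shape shown above for both the backend and the frontend, validates the port list, and prints the same reload / add-service / runtime-to-permanent sequence. The function names, the target-directory argument and the `PORT/PROTO` spelling are my own assumptions; the ports themselves are the ones listed in the post.

```shell
#!/usr/bin/env bash
# Added example: generate firewalld service definitions for a MythTV host
# and print the firewall-cmd steps that publish them. Function names and
# the DIR argument are assumptions made for this example.
set -eu

# render_service SHORT DESCRIPTION PORT[/PROTO]...
# Emits a firewalld service XML like the ones in the post. A port given
# without a protocol defaults to tcp; "6543/udp" selects udp.
render_service() {
    local short="$1" desc="$2"
    shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$short"
    printf '  <description>%s</description>\n' "$desc"
    local spec port proto
    for spec in "$@"; do
        port="${spec%%/*}"
        proto="${spec#*/}"
        [ "$proto" = "$spec" ] && proto="tcp"   # no "/" in spec: default to tcp
        case "$port" in
            ''|*[!0-9]*) echo "render_service: bad port '$spec'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "render_service: port out of range '$spec'" >&2; return 1
        fi
        case "$proto" in
            tcp|udp|sctp|dccp) ;;   # the protocols firewalld accepts in <port>
            *) echo "render_service: bad protocol '$spec'" >&2; return 1 ;;
        esac
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
    done
    printf '</service>\n'
}

# write_service DIR NAME SHORT DESCRIPTION PORT[/PROTO]...
# Writes DIR/NAME.xml (DIR=/etc/firewalld/services on a real host; any
# scratch directory works for a dry run) and prints the path. If xmllint
# is installed, the file is checked for well-formedness before use.
write_service() {
    local dir="$1" name="$2" file
    shift 2
    file="$dir/$name.xml"
    render_service "$@" > "$file"
    chmod 0644 "$file"
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$file"
    fi
    echo "$file"
}

# enable_steps SERVICE...
# Prints the sequence from the post: reload so firewalld reads the new
# file, add each service to the runtime configuration, then copy the
# runtime configuration to the permanent one. Pipe the output to sh as
# root on the real host.
enable_steps() {
    echo "firewall-cmd --reload"
    local s
    for s in "$@"; do
        echo "firewall-cmd --add-service=$s"
    done
    echo "firewall-cmd --runtime-to-permanent"
}
```

On the backend, `write_service /etc/firewalld/services mythtv-backend 'MythTV Server' 'The MythTV Backend server.' 6543 6544 6545 6549 6554` followed by `enable_steps mythtv-backend mysql | sh` reproduces the steps in the mail; the frontend gets the same treatment with `mythtv-frontend` and ports 6546, 6547 and 8081. The reload has to come first because firewalld only learns about a new service file when it rereads its configuration, and `--add-service` without `--permanent` changes the runtime set only, which is why the sequence ends with `--runtime-to-permanent`. Afterwards `firewall-cmd --list-all` should show the new service in the active zone, as in David's output.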
