[mythtv-users] ports needing passage thru firewall?

Mike Perkins mikep at randomtraveller.org.uk
Sun Aug 4 20:17:33 UTC 2024


On 04/08/2024 16:20, James Linder wrote:
>
>
>> On Aug 2, 2024, at 16:41, Mike Perkins <mikep at randomtraveller.org.uk> wrote:
>>
>> On 02/08/2024 01:39, James Abernathy wrote:
>>> When installing MythTV Combo FE/BE I've always had to disable my firewall,
>>> firewalld, to get things to work.  I've decided to try and figure out what
>>> needs to be added to the exceptions.  firewalld had a number of zones like
>>> Home and Public.  If I set it to the Home zone, it has services for cifs,
>>> mdns, ssh, etc.  I'd like to create one for MythTV.
>>>
>>> I thought that being a combo FE/BE I wouldn't need to pass network traffic
>>> outside the PC.  My first failure was when the Web App tried to find the
>>> HDHomerun tuners I added. No tuners were found until I disabled firewalld
>>> and restarted the backend.
>>>
>>> Any ideas?
>>>
>> By definition your HDHomeRun tuners are "outside the PC"! Of course they need access.
>>
>> I don't run a firewall on any of my PCs, I leave that to my pfSense router. My mythtv system, both
>> backend, frontend and two HDHomeRuns are segregated on a separate subnet and connected together by a
>> dumb 1Gb switch.
>
> Mike, I don't know limitations, but I run a subnet on the same wires with a netgear router.
>
> I quibble in minor way to address common misunderstanding, not in anyway to joust with thee:
>
> You run a firewall because ??
>
> * you have windows machines on your network and you want to stop them phoning-home when they get compromised
> * you think bad guys will attack you. But by RFC no router may route a private address.
> * your router has a firmware bug that allows non port forwarded ports to be forwarded.
>
> * You have a real ip address. THIS IS A VALID REASON.
>
> * You run things like Wemo or Alexa or door bell camera or Solar monitoring. You have not put them in a DMZ sometimes called a guest network. You are crazy. You need a firewall on every machine!
>
> * Your wife or kids are going to hack your backend, in which case the router firewall does not help.
>
> If you port-forward port nnnn to machine xxxx then a firewall is not going to help.
>
> In general, for orninary (sic) folk using NAT, you do not need any sort of firewall.
>
> Bad Guys can reach your modem. Here endith the story.
>
> If you want to access myth from outside use a ssh tunnel.
> I use Root login without password (only public/private key (use a passphrase if you are paranoid)).
> Use a good password.
>
> “Your Favourite book title” is MUCH more secure than “34rffwff3@#” (Bits of entropy)
> During the Crowdstrike outage I watched thousands of login attempts, some 5000 for root, a whole host of interesting login names.
>
> One generally allows ESTABLISHED,RELATED packets back so if you browse a suspect site then the firewall will not help you.
> One of the buzz words is VPN. I think ssh tunnel is easier, but c'est la vie.
>
> When an elderly and distinguished scientist says something is impossible he is nearly always wrong. I have yet to see why the average mythtv user has a need for a firewall.
>
Well, I may be accounted elderly by some - 74 today - and I was once, indeed, a scientist. I have
work that now orbits the Earth in Prospero (and still works). But the Government wouldn't pay me
enough to keep me /and/ a wife so I moved into IT. After fifty+ years at the job I would consider
that I am /not/ an average mythtv user!

Briefly, I run a small mythtv subnet which consists of backend server, two dual HDHomeruns and a
Frontend which is elsewhere in the house (and presently recording 3 programs).

I also run a zoneminder subnet with (presently) 4 cameras to keep an eye on the wildlife that roams
our suburban estate. These are mostly hedgehogs, one of which has taken up residence under the back
garden shed. Most of the rest is cats and foxes with occasional squirrels, toads and birds.

There is also a "main" subnet which has two servers, one of which has VMs, one of those is our main
server, accessed by "thin" client via x2go software. We all use that for day-to-day activities.

Also requiring broadband access are the TV STB, some Tado gear which runs the heating and hot water,
a shared printer and a WiFi Access point - which has 3 SSIDs on different subnets (VLANs). I shall
soon be adding an MQTT broker to that lot, pending time to build various Raspberry Pi Pico projects.

Oh, and my son runs the only Windows device in the house that connects to the Internet.

To connect these I have a Jetway NF692G6-345 board which has 6 1Gb Ethernet ports. This runs
pfSense. One port is the WAN, one port is the WiFi AP and the other four go to switches. Three are
the subnets mentioned above. The fourth is basically "everything else". (The MQTT broker may end up
configured differently.) Including things like phones, tablets and (linux) laptops which occasionally
require connection I have 62 hosts configured.

The only place I have any firewall rules is in the router. All subnets are isolated except for
specific ports required for use or maintenance. The "everything else" switch has each device on a
separate subnet (VLAN) which is configured to access the WAN port and nowhere else. Blame this on
50+ years of hard-won experience. I grant that some of that may no longer be necessary but it
doesn't cause any delays that I have noticed.

My ISP does give me a real address and it does get thousands of access attempts, sometimes on very
strange port numbers. I block whole countries and a list of dodgy ports, mainly so that it does not
spam my firewall logs.

It keeps me out of trouble so why complain?

--

Mike Perkins
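Both posters mention watching thousands of login attempts against an exposed ssh port, and James's setup of key-only root login. The following is an added example, not code from either poster or from the MythTV project: a small Python script that summarises sshd failures per username and per source from syslog-format lines, flags any password-based success, and checks an sshd_config fragment for the two settings that make password guessing pointless (PermitRootLogin prohibit-password, PasswordAuthentication no). The log lines and config text are constructed; the addresses are RFC 5737 documentation ranges, not real hosts.

```python
"""Summarise sshd authentication attempts and audit sshd_config for
key-only login. Added example; not from the mythtv-users thread."""
import re
from collections import Counter

# Constructed sample log lines in the syslog format OpenSSH writes.
# Addresses are from RFC 5737 documentation ranges (not real hosts).
SAMPLE_LOG = """\
Aug  4 20:17:33 myth sshd[12345]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug  4 20:17:34 myth sshd[12345]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug  4 20:17:35 myth sshd[12346]: Invalid user admin from 203.0.113.5 port 51240
Aug  4 20:17:36 myth sshd[12346]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Aug  4 20:17:40 myth sshd[12347]: Failed password for root from 198.51.100.7 port 60001 ssh2
Aug  4 20:18:01 myth sshd[12350]: Accepted publickey for mike from 192.0.2.10 port 40000 ssh2: ED25519 SHA256:constructed
Aug  4 20:18:30 myth sshd[12351]: Accepted password for mike from 192.0.2.11 port 40010 ssh2
"""

# "Failed password for invalid user admin from ..." and
# "Failed password for root from ..." both match; the optional group
# skips the "invalid user " prefix so the username is captured cleanly.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def summarise_auth_log(text):
    """Count failed logins per username and per source; list successes."""
    failed_by_user = Counter()
    failed_by_source = Counter()
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, source = m.groups()
            failed_by_user[user] += 1
            failed_by_source[source] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, source = m.groups()
            accepted.append((method, user, source))
    return {
        "failed_by_user": failed_by_user,
        "failed_by_source": failed_by_source,
        "accepted": accepted,
        # A password-based success proves key-only login is not enforced.
        "password_logins": [a for a in accepted if a[0] == "password"],
    }


# Constructed sshd_config fragment matching the setup described in the
# thread: root may log in, but only with a key; passwords refused for all.
SAMPLE_SSHD_CONFIG = """\
# constructed example
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""


def sshd_config_findings(text):
    """Return findings for settings that still allow password logins.

    sshd honours the first occurrence of a keyword, so the first value
    wins. Defaults are OpenSSH's: PermitRootLogin prohibit-password,
    PasswordAuthentication yes.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    findings = []
    root = settings.get("permitrootlogin", "prohibit-password")
    if root not in ("prohibit-password", "without-password", "no", "forced-commands-only"):
        findings.append(f"PermitRootLogin {root}: root can log in with a password")
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing remains possible")
    return findings


if __name__ == "__main__":
    report = summarise_auth_log(SAMPLE_LOG)
    for user, n in report["failed_by_user"].most_common():
        print(f"{n:6d} failed attempts for {user}")
    for src, n in report["failed_by_source"].most_common():
        print(f"{n:6d} failed attempts from {src}")
    for method, user, src in report["accepted"]:
        print(f"accepted {method} login for {user} from {src}")
    for finding in sshd_config_findings(SAMPLE_SSHD_CONFIG):
        print("finding:", finding)
```

Run it against a real journal export (`journalctl -u ssh --no-pager`) or /var/log/auth.log by replacing SAMPLE_LOG with the file contents; the per-source counter is the list you would feed into a router block rule, which is the same log-spam reduction Mike describes doing at the pfSense level.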