VLC on Suse 10.1 - how to allow specific server?

starl8gazer
New Cone
Posts: 4
Joined: 29 Nov 2007 01:13

Postby starl8gazer » 29 Nov 2007 03:27

Hello,

I have installed VLC according to http://www.videolan.org/vlc/download-suse.html on a Linux Suse 10.1 system, all patches installed, firewall running, connected to internet by DSL router.

When I call a playlist by "vlc http://mafreebox.freebox.fr/freeboxtv/playlist.m3u", the VLC media player window and a playlist window appear, and at the prompt there are lots of messages, of which the one that strikes me most reads, "Unable to determine our source address: This computer has an invalid IP address: 0x0".

When I turn off the firewall and issue same vlc call, again the two windows appear, yet the first channel in the playlist is played successfully.

In the README of Freeplayer ( http://adsl.free.fr/tv/multiposte/ ) I read about allowing connections to 212.27.38.253 . How do I allow a connection to a specific server and/or port? Using Yast - Security and Users - Firewall, I did not find where and how to do this.

In your reply, please be as specific as possible, having a newbie in mind.

Thanks a lot,

Starl8gazer

dimstar
Cone that earned his stripes
Posts: 177
Joined: 15 Dec 2006 14:05
Location: Bucuresti, Romania

Re: VLC on Suse 10.1 - how to allow specific server?

Postby dimstar » 29 Nov 2007 09:00

Hello,

to see exactly what we should do in your firewall, I'd suggest you have a look at /var/log/firewall to see exactly what is getting blocked.

Then we can start adding a rule to /etc/sysconfig/SuSEfirewall2 that allows this specific connection. Post a few lines from the firewall log and I'll tell you what to set in the config files.

DimStar

starl8gazer
New Cone
Posts: 4
Joined: 29 Nov 2007 01:13

Re: VLC on Suse 10.1 - how to allow specific server?

Postby starl8gazer » 29 Nov 2007 16:33

Hello,

In the file /var/log/firewall I found many lines of the following form (I looked only at lines mentioning the specific server):

Nov 29 03:07:36 mycomp kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:40:96:44:9f:c7:00:07:cb:4f:94:78:08:00 SRC=212.27.38.253 DST=192.168.0.10 LEN=1356 TOS=0x00 PREC=0x00 TTL=64 ID=654 DF PROTO=UDP SPT=44606 DPT=1102 LEN=1336

All these lines differed only in the time stamp and the "ID" value.

DimStar mentioned /etc/sysconfig/SuSEfirewall2 . I was assuming all required settings in Suse could be done through Yast. Did I miss something when searching there?

Thanks again for your time and help,

Starl8gazer

dimstar
Cone that earned his stripes
Posts: 177
Joined: 15 Dec 2006 14:05
Location: Bucuresti, Romania

Re: VLC on Suse 10.1 - how to allow specific server?

Postby dimstar » 29 Nov 2007 20:38

Hello,

Well, you can set it in Yast2, Firewall (I just had to look up how.. I never did it :-) )

So.. go to Yast2, Firewall, and select 'Custom Rules'

I guess all your devices are in the external zone (standard).

Add a rule, with the following parameters:
Source Network: 212.27.38.253/32 (if all entries come from this address... )
Protocol: select UDP

The ports can be left blank (if you trust that server) or you can try setting the values from your firewall log. But I'm not sure if they will remain the same all the time. So there you'll have to experiment a bit.
From your log, you see:
Source Port: 44606
Destination Port: 1102

I wish you luck!

starl8gazer
New Cone
Posts: 4
Joined: 29 Nov 2007 01:13

Re: VLC on Suse 10.1 - how to allow specific server?

Postby starl8gazer » 29 Nov 2007 22:03

Hello back,

Thank you for this latest post. That sounds feasible, yet...

When I go to Yast2 - Security and Users - Firewall, the options I get in the left column are: Start-Up, Interfaces, Allowed Services, Masquerading, Broadcast, IPsec Support, Logging Level. I do not see an option called 'Custom Rules', also not if I search around in those options. As a reminder, I'm on Suse 10.1; could that be a reason for not seeing an option 'Custom Rules'?

Re. interfaces, in "Interfaces" I see my wireless card with "no zone assigned", my ethernet interface with "external zone". BTW, help for "Interfaces" says, "Network traffic through any unassigned interface is blocked". Yet, I can use my wireless card just fine to connect to networks.

Thanks again for further help.

dimstar
Cone that earned his stripes
Posts: 177
Joined: 15 Dec 2006 14:05
Location: Bucuresti, Romania

Re: VLC on Suse 10.1 - how to allow specific server?

Postby dimstar » 30 Nov 2007 13:18

Hi,

sorry, did not realize that you're on 10.1... indeed, the firewall module had a bit fewer features at this time. So for you it might be that you have to enter the line directly in /etc/sysconfig/SuSEfirewall2

I think you should be able to find a line like:
FW_SERVICE_ACCEPT_EXT (or something similar.. not perfectly sure at the moment, sorry).
there, you have to add
212.27.38.253,udp
and then you restart your firewall. This should help you also on 10.1.

sorry that you can not do this step in YaST yet... but development was moving a lot since 10.1 ;)

Dominique

kmf31
Cone that earned his stripes
Posts: 308
Joined: 11 Mar 2007 21:47

Re: VLC on Suse 10.1 - how to allow specific server?

Postby kmf31 » 30 Nov 2007 18:52

I have Suse 10.1 and I have simply added in the yast2 firewall the custom rule to open all udp-ports between 1024 and 65535. To be more precise, in the yast2 firewall menu choose the "allowed services" submenu and there you click on the "Advanced" button which opens an extra window and here I put in the udp box: 1024:65535 and in the tcp box 8080 (for the freeplayer if you are using this on this PC).
However, my Suse 10.1 PC is also behind a NAT-router (another Linux-PC) and is therefore quite well protected such that opening all udp-ports is not really a problem.

A better and safer solution would be to open every port for the IP number 212.27.38.253 but in yast2 this is indeed not obvious. Maybe you can define this IP to be in the demilitarized zone or something like this or simply as dimstar suggested.

If you want to do it directly by iptables (and not yast2) this is quite easy with the rules:

-I INPUT -s 212.27.38.253 -i eth0 -p udp -j ACCEPT
(this one for the TV on the PC) and:

-I INPUT -s 212.27.38.253 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
(this one for the Freeplayer). Here I assume that eth0 is the appropriate network device, which can also be eth1, ... or something different if you have a wireless connection.

You can add these rules by hand as root simply by the command:

/usr/sbin/iptables ...

where "..." is one of the exact above rules. The only problem is that this is not very proper because it is actually yast2 that is responsible for the firewall (one would mix different tools for firewall configuration which may create conflicts and unpredictable behavior). However it will work, until the next reboot of the machine or the next call of yast2 with a firewall update (which will probably clean your own rules).

The very best solution would be to patch the kernel with the rtsp-conntrack module and to recompile it. Then the appropriate udp-port will be automatically opened (without any particular rule and simply by loading the rtsp-conntrack modules) but this is more important if you want to use your Linux PC as a NAT-router that transmits the IP-TV of Free to another PC behind the router (without rtsp-conntrack things become quite complicated with rtsp and NAT). If you are interested here are the rtsp-patches for the latest kernels:
http://mike.it-loops.com/rtsp/
If you use one of these patches you will need to compile your own Linux kernel, something like 2.6.22.x or 2.6.23.x (Suse 10.1 is normally 2.6.16... but I would recommend changing to a newer version if you really want to compile your own kernel). I am actually using 2.6.22.6 with Suse 10.1 and without any important problem (the "Suse-Amor-module" no longer works with a stock-kernel but I don't care about that).

starl8gazer
New Cone
Posts: 4
Joined: 29 Nov 2007 01:13

Re: VLC on Suse 10.1 - how to allow specific server?

Postby starl8gazer » 25 Feb 2008 00:46

Thank you everyone for your useful input. Sorry for not coming back earlier.

Nevertheless, for reference and explicit summary of all the input so that maybe other users can profit, here is what worked for me:

* log in as root
* copy /etc/sysconfig/SuSEfirewall2 to /etc/sysconfig/.SuSEfirewall2.vlc
* edit /etc/sysconfig/.SuSEfirewall2.vlc , search for FW_SERVICES_ACCEPT_EXT="" , change it to
FW_SERVICES_ACCEPT_EXT="212.27.38.253,udp,1024:65535"
* stop firewall and restart it by:
/sbin/SuSEfirewall2 stop
/sbin/SuSEfirewall2 start file /etc/sysconfig/.SuSEfirewall2.vlc

This lets you watch TV on your compi, for example, by
vlc http://mafreebox.freebox.fr/freeboxtv/playlist.m3u .

Cheers,

Starl8gazer
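
Added example, not part of any post above: a shell script that tallies the SFW2 DROP lines in a firewall log by source, protocol and destination port, then prints a candidate FW_SERVICES_ACCEPT_EXT entry limited to the ports actually seen for one source. The helper names are hypothetical, and every sample log line except the first (quoted from the thread) is constructed.

```shell
#!/bin/sh
# Added example; drop_summary and accept_entries are hypothetical helper names.

# Constructed sample log. Line 1 is the entry quoted in the thread; lines 2-4
# are made-up variations (new ID, another port, an unrelated documentation IP).
sample_log() {
cat <<'EOF'
Nov 29 03:07:36 mycomp kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:40:96:44:9f:c7:00:07:cb:4f:94:78:08:00 SRC=212.27.38.253 DST=192.168.0.10 LEN=1356 TOS=0x00 PREC=0x00 TTL=64 ID=654 DF PROTO=UDP SPT=44606 DPT=1102 LEN=1336
Nov 29 03:07:37 mycomp kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:40:96:44:9f:c7:00:07:cb:4f:94:78:08:00 SRC=212.27.38.253 DST=192.168.0.10 LEN=1356 TOS=0x00 PREC=0x00 TTL=64 ID=655 DF PROTO=UDP SPT=44606 DPT=1102 LEN=1336
Nov 29 03:09:10 mycomp kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:40:96:44:9f:c7:00:07:cb:4f:94:78:08:00 SRC=212.27.38.253 DST=192.168.0.10 LEN=1356 TOS=0x00 PREC=0x00 TTL=64 ID=701 DF PROTO=UDP SPT=44606 DPT=1104 LEN=1336
Nov 29 03:09:12 mycomp kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:40:96:44:9f:c7:00:07:cb:4f:94:78:08:00 SRC=203.0.113.7 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4411 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Count dropped packets from source $1, grouped as "src,proto,dport".
drop_summary() {
    awk -v want="$1" '
    /SFW2-IN.*-DROP/ {
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src == want && proto != "" && dpt != "") n[src "," proto "," dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Collapse the summary into one "src,proto,lo:hi" entry per protocol,
# covering only the destination ports that were actually dropped.
accept_entries() {
    drop_summary "$1" | awk '{
        split($2, f, ",")
        key = f[1] "," f[2]; p = f[3] + 0
        if (!(key in lo) || p < lo[key]) lo[key] = p
        if (!(key in hi) || p > hi[key]) hi[key] = p
    }
    END {
        for (k in lo) {
            if (lo[k] == hi[k]) print k "," lo[k]
            else                print k "," lo[k] ":" hi[k]
        }
    }' | sort
}

sample_log | drop_summary 212.27.38.253
echo "FW_SERVICES_ACCEPT_EXT=\"$(sample_log | accept_entries 212.27.38.253)\""
```

On a real system, pipe /var/log/firewall into the functions instead of sample_log. As noted earlier in the thread, the ports may not stay the same, so the printed range is a starting point to widen only when new drops from the same source appear.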

