I watch the rtsp stream from my cable provider via the Fritzbox with VLC.
Everything was fine yesterday.
Today my firewall (ufw) is blocking the streams via rtsp, but it works via https.
The m3u file looks like this
rtsp://192.168.178.1:554/?avm=1&freq=450&bw=8&msys=dvbc&mtype=256qam&sr=6900&specinv=1&pids=0,16,17,18,20,100,110,120,121,122,125,130,131,950,951,952
I have already opened port 554, but without success.
Does anyone know which ports I need to open?
Today my firewall (ufw) is blocking the streams via rtsp
Does disabling ufw allow you to play the stream?
Everything was fine yesterday.
And what happened since?
Updates? Reboots? …
rtsp by default and your explicit uri operates on 554
These are the last updates from yesterday and RTSP was still running...
upgraded alsa-utils (1.2.13-1 -> 1.2.13-2)
upgraded openal (1.24.0-1 -> 1.24.1-1)
upgraded lib32-openal (1.24.0-1 -> 1.24.1-1)
upgraded sqlite (3.46.1-1 -> 3.47.1-1)
upgraded libetonyek (0.1.11-1 -> 0.1.12-1)
upgraded pacman (7.0.0.r3.g7736133-1 -> 7.0.0.r6.gc685ae6-1)
upgraded plocate (1.1.22-3 -> 1.1.23-1)
upgraded rust (1:1.82.0-2 -> 1:1.83.0-1)
upgraded webkit2gtk (2.46.3-1 -> 2.46.4-1)
upgraded webkit2gtk-4.1 (2.46.3-1 -> 2.46.4-1)
upgraded xdg-desktop-portal-xapp (1.0.9-1 -> 1.1.0-1)
Yes, if I deactivate the firewall or set incoming to allowed, then the stream runs via rtsp.
Last edited by barnd3 (2024-11-29 21:18:36)
Nothing there looks overly prone to break anything here (certainly wrt any firewall intervention)
Did you also reboot and thus go live with some previous kernel update?
pacman -Qs iptables
iptables -nvL
You can also use tcpdump or https://wiki.archlinux.org/title/Wireshark to monitor the connection to see what ports are actually used.
A different port is used each time.
22:33:26.433566 IP _gateway.commplex-main > I-NET.9484: UDP, length 1328
22:34:36.468218 IP _gateway.commplex-main > I-NET.9176: UDP, length 1328
very strange
Edit: I have now entered a port range of 9000:9500.
I don't know if that's good!?
Last edited by barnd3 (2024-11-29 21:41:36)
Hold on, that's gonna be the local port?
You're controlling the wrong side of the traffic, the local port can be whatever.
I don't understand much about it...
The port range definitely works
Disable the firewall, play the rtsp stream, run "ss -tulpen" and post the output.
Also post the output of "iptables -nvL" w/ ufw enabled.
Every connection has two ends, eg. when your browser is opening a webpage, that happens on the remote port 80.
But your browser also needs a local port for that connection and that's gonna be some unprivileged (>1024) port.
If you wanted to block http traffic, the insane approach would be to block every local port your browser could use.
You're blocking the remote port 80.
If opening the unprivileged ports 9000:9500 helps you (right now, "random") but opening 554 doesn't despite the uri explicitly setting it, that means you're somehow operating on the local ports. Which is insane.
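Added example, not code from the thread: a small Python script that parses tcpdump one-liners like the two posted above (constructed sample copied from them plus a third line of the same shape), splits every packet into its remote end and its local end, and then prints the two rule shapes contrasted here, one keyed on the fixed remote endpoint and one keyed on the moving local ports. tcpdump prints well-known ports as names from /etc/services, so the script carries a tiny embedded table (assumption: the standard IANA assignments, where commplex-main is 5001); the `_gateway` to 192.168.178.1 mapping is taken from the m3u URL in the first post, and the ufw syntax is the `from ADDRESS port PORT` form from man ufw.

```python
"""Which end of a UDP flow a host firewall rule has to match.

Added example, not from the thread: parse tcpdump one-liners such as the
two posted above, split every packet into its remote end and its local
end, and show that the remote endpoint stays fixed while the local port
changes from one playback to the next.
"""
import re
from collections import defaultdict

# tcpdump prints well-known ports as names from /etc/services. A tiny
# embedded table keeps this runnable without that file (assumption: the
# standard IANA assignments; commplex-main is 5001).
SERVICE_PORTS = {"commplex-main": 5001, "rtsp": 554, "http": 80, "domain": 53}

# Constructed sample: the two lines posted in this thread plus a third of
# the same shape. "_gateway" is the Fritzbox, "I-NET" the local machine.
SAMPLE_CAPTURE = """\
22:33:26.433566 IP _gateway.commplex-main > I-NET.9484: UDP, length 1328
22:34:36.468218 IP _gateway.commplex-main > I-NET.9176: UDP, length 1328
22:35:01.120004 IP _gateway.commplex-main > I-NET.9330: UDP, length 1328
"""

# Name-to-address map taken from the m3u URL in the first post.
HOSTS = {"_gateway": "192.168.178.1"}

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): (?P<proto>UDP|TCP)"
)


def port_number(token):
    """'9484' -> 9484, 'commplex-main' -> 5001; unknown names raise."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown service name {token!r}")


def parse_line(line):
    """Return src/dst hosts and numeric ports, or None for non-matching lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "src": m["src"], "sport": port_number(m["sport"]),
        "dst": m["dst"], "dport": port_number(m["dport"]),
        "proto": m["proto"].lower(),
    }


def summarize_inbound(capture, local_host):
    """Group packets addressed to local_host by remote endpoint.

    Returns {(remote_host, remote_port, proto): {local ports seen}}.
    """
    seen = defaultdict(set)
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["dst"] != local_host:
            continue
        seen[(pkt["src"], pkt["sport"], pkt["proto"])].add(pkt["dport"])
    return dict(seen)


def scoped_rule(remote, hosts=HOSTS):
    """Rule keyed on the fixed remote end: only that sender, only that source port.

    Assumption: ufw's `from ADDRESS port PORT` syntax as documented in man ufw.
    """
    host, port, proto = remote
    return f"ufw allow in proto {proto} from {hosts.get(host, host)} port {port} to any"


def broad_rule(summary, proto="udp"):
    """Rule keyed on the moving local ports: admits ANY sender on the whole range."""
    ports = sorted(p for local_ports in summary.values() for p in local_ports)
    return f"ufw allow in proto {proto} to any port {ports[0]}:{ports[-1]}"


if __name__ == "__main__":
    summary = summarize_inbound(SAMPLE_CAPTURE, "I-NET")
    for remote, local_ports in summary.items():
        print(f"remote end {remote} -> local ports {sorted(local_ports)}")
        print("scoped:", scoped_rule(remote))
    print("broad: ", broad_rule(summary))
```

Run against the posted capture, every packet comes from the same remote end (the gateway, UDP source port 5001, which is what tcpdump renders as commplex-main) while the local destination port differs per playback, so the scoped rule stays valid across restarts and the broad one has to cover a whole range for any sender. Note that this media flow is separate from the RTSP control connection on 554 that the URL names.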
ss -tulpen:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:32862 0.0.0.0:* uid:971 ino:8914 sk:1 cgroup:/system.slice/avahi-daemon.service <->
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* uid:971 ino:8912 sk:2 cgroup:/system.slice/avahi-daemon.service <->
udp UNCONN 0 0 0.0.0.0:9330 0.0.0.0:* users:(("vlc",pid=30372,fd=20)) uid:1000 ino:113899 sk:3 cgroup:/user.slice/user-1000.slice/session-2.scope <->
udp UNCONN 62720 0 0.0.0.0:9331 0.0.0.0:* users:(("vlc",pid=30372,fd=21)) uid:1000 ino:113900 sk:4 cgroup:/user.slice/user-1000.slice/session-2.scope <->
udp UNCONN 0 0 [fe80::9ac4:cb88:3fbb:e855]%enp11s0:546 [::]:* ino:2787 sk:1001 cgroup:/system.slice/NetworkManager.service v6only:1 <->
udp UNCONN 0 0 [::]:33794 [::]:* uid:971 ino:8915 sk:1002 cgroup:/system.slice/avahi-daemon.service v6only:1 <->
udp UNCONN 0 0 [::]:5353 [::]:* uid:971 ino:8913 sk:1003 cgroup:/system.slice/avahi-daemon.service v6only:1 <->
tcp LISTEN 0 4096 127.0.0.1:631 0.0.0.0:* ino:9730 sk:2001 cgroup:/system.slice/system-cups.slice/cups.service <->
tcp LISTEN 0 4096 [::1]:631 [::]:* ino:9729 sk:3001 cgroup:/system.slice/system-cups.slice/cups.service v6only:1 <->
iptables -nvL:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1577K 2120M ufw-before-logging-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
1577K 2120M ufw-before-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
34624 46M ufw-after-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
34560 46M ufw-after-logging-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
34560 46M ufw-reject-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
34560 46M ufw-track-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9195 1010K ufw-before-logging-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
9195 1010K ufw-before-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
1415 93769 ufw-after-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
1415 93769 ufw-after-logging-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
1415 93769 ufw-reject-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
1415 93769 ufw-track-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
1 238 ufw-skip-to-policy-input 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ufw-skip-to-policy-input 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ufw-skip-to-policy-input 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input 0 -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
3 108 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
30 3061 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ufw-logging-deny 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
5131 6898K ufw-not-local 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 17 -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT 17 -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
5131 6898K ufw-user-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
3 108 ACCEPT 0 -- * lo 0.0.0.0/0 0.0.0.0/0
32 3902 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
7 292 ufw-user-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
5129 6897K RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
1 36 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
1 238 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
1 238 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
2 120 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
5 172 ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
1 36 DROP 0 -- * * 192.168.178.1 224.0.0.1
0 0 ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5353
0 0 ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5004
5129 6897K ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 9000:9500
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT 0 -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
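Added example, not code from the thread: a parser for the `ss -tulpen` listing posted above (copied here as constructed input). It answers the question a host firewall rule actually depends on: which process binds which ports, on which addresses, and whether datagrams are reaching those sockets. Field positions follow the header line of the listing itself; sockets without a `users:` entry are attributed to their cgroup unit instead.

```python
"""Parse `ss -tulpen` output into per-socket records.

Added example, not from the thread. The listing below is the one posted
above, used here as constructed input.
"""
import re

SS_OUTPUT = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:32862 0.0.0.0:* uid:971 ino:8914 sk:1 cgroup:/system.slice/avahi-daemon.service <->
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* uid:971 ino:8912 sk:2 cgroup:/system.slice/avahi-daemon.service <->
udp UNCONN 0 0 0.0.0.0:9330 0.0.0.0:* users:(("vlc",pid=30372,fd=20)) uid:1000 ino:113899 sk:3 cgroup:/user.slice/user-1000.slice/session-2.scope <->
udp UNCONN 62720 0 0.0.0.0:9331 0.0.0.0:* users:(("vlc",pid=30372,fd=21)) uid:1000 ino:113900 sk:4 cgroup:/user.slice/user-1000.slice/session-2.scope <->
udp UNCONN 0 0 [fe80::9ac4:cb88:3fbb:e855]%enp11s0:546 [::]:* ino:2787 sk:1001 cgroup:/system.slice/NetworkManager.service v6only:1 <->
udp UNCONN 0 0 [::]:33794 [::]:* uid:971 ino:8915 sk:1002 cgroup:/system.slice/avahi-daemon.service v6only:1 <->
udp UNCONN 0 0 [::]:5353 [::]:* uid:971 ino:8913 sk:1003 cgroup:/system.slice/avahi-daemon.service v6only:1 <->
tcp LISTEN 0 4096 127.0.0.1:631 0.0.0.0:* ino:9730 sk:2001 cgroup:/system.slice/system-cups.slice/cups.service <->
tcp LISTEN 0 4096 [::1]:631 [::]:* ino:9729 sk:3001 cgroup:/system.slice/system-cups.slice/cups.service v6only:1 <->
"""

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')
UID_RE = re.compile(r"\buid:(\d+)")
CGROUP_RE = re.compile(r"cgroup:(\S+)")
LOOPBACK = {"127.0.0.1", "[::1]"}


def split_addr(addr):
    """'0.0.0.0:9330' -> ('0.0.0.0', 9330); also handles bracketed IPv6 with %scope."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_ss(text):
    """One dict per socket line; the header and anything unexpected are skipped."""
    sockets = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "udp"):
            continue
        host, port = split_addr(f[4])
        extras = " ".join(f[6:])
        procs = PROC_RE.findall(extras)
        uid = UID_RE.search(extras)
        cg = CGROUP_RE.search(extras)
        sockets.append({
            "proto": f[0], "state": f[1], "recv_q": int(f[2]),
            "host": host, "port": port,
            "process": procs[0][0] if procs else None,
            "pid": int(procs[0][1]) if procs else None,
            "uid": int(uid.group(1)) if uid else None,
            "cgroup": cg.group(1) if cg else None,
            "loopback": host in LOOPBACK,
        })
    return sockets


def owner(s):
    """Process name when ss could see it, else the cgroup unit, else the uid."""
    if s["process"]:
        return s["process"]
    if s["cgroup"]:
        return s["cgroup"].rsplit("/", 1)[-1]
    return f"uid:{s['uid']}"


def ports_of(sockets, process):
    """(proto, port) pairs bound by the named process."""
    return sorted((s["proto"], s["port"]) for s in sockets if s["process"] == process)


def exposed(sockets):
    """Non-loopback sockets: the only ones a host firewall has to decide about."""
    return sorted((s["proto"], s["port"], owner(s)) for s in sockets if not s["loopback"])


def unread(sockets):
    """Sockets with bytes queued that the owning process has not read yet."""
    return [s for s in sockets if s["recv_q"] > 0]


if __name__ == "__main__":
    socks = parse_ss(SS_OUTPUT)
    print("vlc binds:", ports_of(socks, "vlc"))
    for proto, port, who in exposed(socks):
        print(f"exposed {proto}/{port} owned by {who}")
    for s in unread(socks):
        print(f"{s['recv_q']} bytes waiting on {s['proto']}/{s['port']} ({owner(s)})")
```

On this listing the player owns exactly two UDP sockets, 9330 and 9331, bound on all addresses; the adjacent even/odd pair is the usual RTP/RTCP layout, and those are the local ports the gateway's packets land on. A non-zero Recv-Q, as on 9331 here, means datagrams have reached the socket and are waiting to be read, which is a quick way to tell "the firewall drops it" apart from "the player is not consuming it". Everything the printer listens on is loopback-only and never needs a rule.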
ss -tulpen:
-------------
vlc locally listens on 9330 for whatever, so that's (likely) not it?
ss -tupn | grep vlc
5129 6897K ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 9000:9500
You're accepting the destination port rule.
Sanity check #1: ufw and vlc are running on the same host?
Sanity check #2: can you play the stream w/ mpv w/o any further rules?
If this relies on cold inbound traffic, you'll have to check whether you can tell vlc to use a specific local port - otherwise you're chasing a moving target.
UFW and VLC are used on the same host.
MPV starts the stream without any further rules.
I can change the ports for rtp and rtsp in VLC, but that has no effect.
Port 5004 is used for the RTP stream output.
RTP/RTSP/SDP demuxer (Live555), client port -1 is specified, a change here has no effect.
No matter what I do, it is always sent via port 9000-9500.
No matter, I now have the streams running via HTTP, that works without port forwarding...
Nevertheless, thank you very much for your help
Last edited by barnd3 (2024-11-30 12:18:41)
Can you configure VLC to run rtsp over tcp?
That's what doesn't work.
The whole thing works via http
Last edited by barnd3 (2024-12-01 13:51:58)
tcp != http (not even in the same group)
rtsp can run on tcp or udp, vlc runs it on udp and the idea is to move it to tcp because that might not require the backchannel
VLC can be configured to force RTSP over TCP. Go to settings, select advanced settings, search for rtsp, under demuxers find and check 'Use RTP over RTSP (TCP)'
I can speak from personal experience that VLC responds badly to the monolithic time stamp field rolling over before its terminal count, but I digress....
Yes, you are - according to the previous "ss -tulpen"
udp UNCONN 0 0 0.0.0.0:9330 0.0.0.0:* users:(("vlc",pid=30372,fd=20)) uid:1000 ino:113899 sk:3 cgroup:/user.slice/user-1000.slice/session-2.scope <->
udp UNCONN 62720 0 0.0.0.0:9331 0.0.0.0:* users:(("vlc",pid=30372,fd=21)) uid:1000 ino:113900 sk:4 cgroup:/user.slice/user-1000.slice/session-2.scope <->
But that's not "fine" - you're supposed to switch to tcp and see whether you avoid the backchannel this way so you don't have to exempt it in the firewall.
with 'Use RTP over RTSP (TCP)', I get these errors
[00007666a4c0d190] live555 demux error: SETUP of'video/MP2T' failed 454 Unkown
[00007666a4c0d190] live555 demux error: RTSP PLAY failed 454 Unkown
[00007666a4c08ea0] cache_block stream error: cannot pre fill buffer
[00007666a4c0d190] mjpeg demux error: cannot peek
and the firewall blocks...
Out of curiosity: why do you run a firewall at all if you are already behind a FritzBox? Unless you open a port-forwarding or set your host as DMZ there's nothing a host firewall could block that isn't already blocked by your FB - and, depending which ISP you use (there aren't many cable ISPs in Germany anyway) you're also behind a CG-NAT
I agree with you... but I just feel better.
As for the error, it also appears when the firewall is off.
As for the error, it also appears when the firewall is off.
If the error is irrelevant, check whether vlc also wants to listen on local tcp ports (and get traffic there)
ss -tulpen
If rtsp on vlc doesn't work w/o the backchannel and you cannot configure the local rtsp ports in vlc (use mpv or) you'll have to run after them - does ufw not allow you to limit/free inbound traffic discriminating by segment and remote port (cause that'll remain 554), i.e. allow everything that comes from 192.168.178.1:554?
sorry
No offense @seth, but the whole thing is overwhelming me.
The way it's running now (via udp) is more than satisfactory, so I'll leave it at that.
Thank you for your help!
Last edited by barnd3 (2024-12-02 11:34:35)
Does this work?
ufw allow in from 192.168.178.1 port 554 comment "rtsp backchannel"