[jitsi-users] Router UPnP required for ICE, but can't set firewall rule since port keeps changing


#1

I just started using jitsi the other day. Apparently it requires UPnP to be turned on in my Qwest
Q1000 router. I can't seem to find in the Q1000 where to limit the ports used
for UPnP even though it has a place to list such rules if they were defined.

If I shut off my firewall (ufw) I can place phone calls from jitsi via google
voice just fine. However if I start ufw, I get log entries in syslog that tell
me that the firewall is blocking UPnP traffic. Here are three such entries for
three different phone call attempts:

Jul 25 13:52:00 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address>
SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
PROTO=UDP SPT=1900 DPT=60528 LEN=336

Jul 25 13:34:28 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address>
SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
PROTO=UDP SPT=1900 DPT=42368 LEN=336

Jul 25 13:31:45 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address>
SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
PROTO=UDP SPT=1900 DPT=40166 LEN=336

The problem is that the destination port (DPT) is
never the same, so a ufw rule cannot be constructed and leaving all ports open
to the internet access point defeats the purpose of a firewall. 192.168.2.11
is the ip of the router, 192.168.2.4 is the ip of the laptop running ufw and
jitsi.

Any ideas would be greatly appreciated.
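As an added example (not from the thread), the three [UFW BLOCK] entries above are parsed to show that only DPT changes between call attempts while the sender side (interface eth0, source 192.168.2.11, source port 1900, which is SSDP, the UPnP discovery port, and UDP) stays constant, so a rule can be keyed on those stable fields instead of the ephemeral destination port. The `ufw` command string it derives is assembled from the log values only; the rule name and layout are the example's own, not a recommendation from the list.

```python
import re

# The three "[UFW BLOCK]" entries from the post above, one per line as the
# kernel emits them; "<ipv6 address>" is the poster's placeholder for the MAC.
UFW_LOG = """\
Jul 25 13:52:00 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60528 LEN=336
Jul 25 13:34:28 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=42368 LEN=336
Jul 25 13:31:45 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=<ipv6 address> SRC=192.168.2.11 DST=192.168.2.4 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=40166 LEN=336
"""

MARKER = "[UFW BLOCK]"
FIELD_RE = re.compile(r"\b(\w+)=(\S*)")
# Sender-side fields: if these are constant across the blocked packets, the
# rule can be pinned on them rather than on the changing destination port.
STABLE_KEYS = ("IN", "SRC", "SPT", "PROTO", "DST")


def parse_ufw_block(line):
    """Return the key=value fields after '[UFW BLOCK]', or None for other lines.
    Bare flags such as DF are dropped; the second LEN (UDP length) overwrites
    the first (IP length), which does not matter for this purpose."""
    if MARKER not in line:
        return None
    return dict(FIELD_RE.findall(line.split(MARKER, 1)[1]))


def varying_fields(records):
    """Names of the fields whose value differs between the blocked packets."""
    keys = set().union(*(r.keys() for r in records))
    return {k for k in keys if len({r.get(k) for r in records}) > 1}


def pinned_rule(records):
    """Narrowest ufw allow rule admitting these packets: interface, source
    address, source port 1900 (SSDP) and protocol are pinned, so only the
    laptop's ephemeral DPT is left open. Returns None if the supposedly
    stable fields are not constant, i.e. this is not a single flow source."""
    for key in STABLE_KEYS:
        if len({r.get(key) for r in records}) != 1:
            return None
    r = records[0]
    return (f"ufw allow in on {r['IN']} proto {r['PROTO'].lower()} "
            f"from {r['SRC']} port {r['SPT']} to {r['DST']}")


def analyse(log_text):
    """Parse every block line in log_text; return (varying fields, rule)."""
    records = [f for f in map(parse_ufw_block, log_text.splitlines()) if f]
    return varying_fields(records), pinned_rule(records)
```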


#2

Hey John,

On 26.07.12, 02:38, John Lips wrote:
> I just started using jitsi the other day. Apparently it requires UPnP to be turned on

UPnP is just one of the techniques we try for NAT traversal. It's not a
requirement.

> in my Qwest
> Q1000 router. I can't seem to find in the Q1000 where to limit the ports used
> for UPnP even though it has a place to list such rules if they were defined.
>
> If I shut off my firewall (ufw) I can place phone calls from jitsi via google
> voice just fine. However if I start ufw, I get log entries in syslog that tell
> me that the firewall is blocking UPnP traffic. Here are three such entries for
> three different phone call attempts:

It sounds like your firewall is simply blocking our UDP packets. I don't
see why it would do that. These are outgoing UDP packets and there's
reason to filter them.

If you have a way of lifting the UDP ban, then that should fix your problem.

Cheers,
Emil


#3

Emil,

Thank you for the info. I was able to unblock outgoing (from laptop to router)
UPnP traffic prior to this issue. This problem seems to be with the transmission from the router back to
the laptop running jitsi and ufw. It is leaving the router port 1900 and
being sent to a random port on the laptop. This is the only block listed in
syslog at the time the call was placed. The response from jitsi:

Error: Could not establish connection (ICE failed)

Is there any way to disable UPnP in jitsi?

By the way, I'm one of those that heard about jitsi on slashdot. I was
looking for something like this. Very cool application.

Thanks again,
John

On Thu, Jul 26, 2012 at 06:25:27PM +0200, Emil Ivov wrote:


#4

Hey John,

Sorry for the late reply.

On 26.07.12, 19:44, John Lips wrote:
> Emil,
>
> Thank you for the info. I was able to unblock outgoing (from laptop to router)
> UPnP traffic prior to this issue. This problem seems to be with the transmission from the router back to
> the laptop running jitsi and ufw. It is leaving the router port 1900 and
> being sent to a random port on the laptop. This is the only block listed in
> syslog at the time the call was placed. The response from jitsi:
>
> Error: Could not establish connection (ICE failed)
>
> Is there any way to disable UPnP in jitsi?

Yup. In your account settings, go to the connection tab and uncheck the
"Use UPnP" box.

> By the way, I'm one of those that heard about jitsi on slashdot. I was
> looking for something like this. Very cool application.

Thank you for your kind words!

Emil