UPnP and firewalls on mark1


#1

I’ve started working on a skill to control a roku:

I wrote some code to find the roku using UPnP which works fine, but the issue is that I need to poke holes in the firewall on the mark1 for it to discover the roku. I send a multicast packet out, and then the roku sends a unicast udp response to me which is blocked.

Is there a way to package new firewall rules in skills? Or otherwise, maybe there’s room for a UPnP service to be pushed up into mycroft core so that others can use it? It seems like it might be a relatively common operation to find all the devices on the network that you might want to control.


#2

Great question @scherererer, and great to see a Roku Skill in the making. It’s one of the most upvoted Skills in our Skills Suggestions area.

I’m going to flag my colleagues @forslund and @steve.penrod on this one, as we’ve been discussing firewalls a lot recently in the context of security hardening.

There are also broader implications of having a UPnP service in mycroft-core - because it would make other Skills for third party devices easier to achieve.


#3

There is currently no way to package firewall rules for skills.

I’m surprised that the upnp discovery fails, sending a multicast from the device shouldn’t be hindered by the firewall as far as I know. (But after testing I see that it does)

I’ve used Zeroconf/avahi to discover devices without any issues as well as setting up the mark-1 to be discoverable over zeroconf without firewall issues.

If you can give me the firewall rule needed I can see if we can add it to the mycroft-core package


#4

I don’t believe it’s an issue to send multicast packets, just to receive the UDP unicast response. I verified this by issuing multicast on the roku with the firewall enabled and I was able to see it from my laptop (with its firewall disabled).

The rule I think works best is:

sudo ufw allow proto udp from any port 1900 to any port 32768:61000

This allows us to bind to a random port rather than having to bind to a well-known port.

I’m surprised that you didn’t run into any issues with the firewall when using zeroconf. The exception for it doesn’t appear to be enabled by default on the mark1 that I have.