On Sunday 02 March 2003 11:54 pm, Jean-Christian Imbeault wrote:

> I am running Real's Helix Media Server on a linux box and would like
> to secure the box as much as possible but I can't figure out what ports
> this media server needs. It seems to pretty much need everything above
> 1024 ...

http://service.real.com/help/library/guides/helixuniversalproxy/htmfiles/firewall.htm#198350

> Has anyone been able to come up with some rules for a Helix Media
> Server?

Presuming the rules are being run on the box itself, it looks like these
INPUT rules for a Universal Server:

# For Helix universal server dealing with media players
iptables -A INPUT -p tcp -m multiport --dports 554,7070,8080 -j ACCEPT
iptables -A INPUT -p udp --dport 6970:6999 -j ACCEPT

# For Helix universal server communicating with universal proxy
iptables -A INPUT -p tcp -m multiport --dports 3030,7802,7878 -j ACCEPT
iptables -A INPUT -p udp --dport 3030 -j ACCEPT

and these for a Universal Proxy server:

# for Helix universal proxy communicating with media players or child proxies
iptables -A INPUT -p tcp -m multiport --dports 554,1090,1755 -j ACCEPT

# for Helix universal proxy communicating with media servers
iptables -A INPUT -p tcp --dport 3030 -j ACCEPT
iptables -A INPUT -p udp --dport 3030 -j ACCEPT

# 6970-32000 for both media servers and parent proxies
iptables -A INPUT -p udp --dport 6970:32000 -j ACCEPT

Apparently that huge range of UDPs can be restricted with the "UDP Resend
Port Range" Proxy setting.
The OUTPUT rules, if you need them as well, should apparently be:

# for universal server communicating with media players
iptables -A OUTPUT -p udp --dport 6970:6999 -j ACCEPT

# for universal server communicating with universal proxy
iptables -A OUTPUT -p udp --dport 6970:32000 -j ACCEPT

# for universal proxy communicating with players or child proxies
iptables -A OUTPUT -p udp --dport 1024:5000 -j ACCEPT
iptables -A OUTPUT -p udp --dport 6970:65535 -j ACCEPT

# for universal proxy communicating with media server and parent proxy
iptables -A OUTPUT -p tcp -m multiport --dports 554,1755,3030,7070,7878 -j ACCEPT
iptables -A OUTPUT -p udp --dport 3030 -j ACCEPT

Also, a universal proxy needs to send on TCP 9090 and listen on a
configured port for administration.

These are certainly not the tightest rules possible for this beast; quite
likely around 50% of these rules wouldn't see any traffic if you have
ESTABLISHED,RELATED allowed through (like OUTPUT going to a media player).

My suggestion would be to place EST/REL rules first, then these rules,
separated instead of using the multiport match. After a reasonable period
of time, check the packet counts with "iptables -L -v -n" and see which
rules never hit, then try commenting them out of the script for a while to
ensure that you can do without them.

If you know more about how these communications are initiated than I do,
you could probably look at these rules and pick out which ones would only
be replies.

j
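The ordering and pruning approach suggested in the reply above, as an added example that is not part of the original thread: a script that emits the Universal Server INPUT rules with the ESTABLISHED,RELATED rule first and one rule per port (so every rule keeps its own counter), plus a filter over "iptables -L INPUT -v -n" output that lists the rules whose packet count is still zero. The function names and the sample listing are constructed for this example; the script only prints rule commands, it does not change the firewall.

```shell
#!/bin/sh
# Added example (not from the original post). Prints the Helix Universal
# Server INPUT rules in the order the reply recommends: stateful accept
# first, then one rule per port instead of a multiport match. The output
# is meant to be reviewed and then run as root, e.g. ./this.sh | sh.
helix_server_input_rules() {
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Media players: RTSP 554, PNA 7070, HTTP 8080 (TCP), UDP data 6970-6999
    for p in 554 7070 8080; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -A INPUT -p udp --dport 6970:6999 -j ACCEPT"
    # Universal proxy: TCP 3030, 7802, 7878 and UDP 3030
    for p in 3030 7802 7878; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -A INPUT -p udp --dport 3030 -j ACCEPT"
}

# Reads "iptables -L INPUT -v -n" output on stdin and prints every rule
# whose packet counter is 0, i.e. candidates for commenting out. The first
# two lines are the chain and column headers; the counters are fields 1-2.
unused_rules() {
    awk 'NR > 2 && $1 == 0 { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# Constructed sample listing, shaped like real "iptables -L INPUT -v -n"
# output after the box has served some RTSP traffic.
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  842 71324 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   17  1020 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:554
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:7070
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:3030'

# Stand-alone run: show the generated ruleset, then the never-hit rules.
helix_server_input_rules
echo "--- rules with zero packets in the sample listing ---"
printf '%s\n' "$SAMPLE_LISTING" | unused_rules
```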