MB Server (clients too?) and firewalls

Carneth

Hi there,

I'm building a gigabit (ish) back-end network for the media in the house... The setup is a primary media system running both Media Browser Server and a Media Browser client.

What I want to do is isolate this network from the internet, with the exception of (ideally) just Media Browser Server for updates and - I guess - Media Browser Classic for its theme updates..

So, to still retain all media server functionality.. What protocols and remote addresses should I allow on my physical firewall that separates the back-end network from the front-end one (which has the internet connection)?

So, is there a list of protocols used (I'm guessing just 80 / 443? and DNS?) and is there a list of target IP ranges or addresses?

I'm using software firewalls to only allow the media server software and client (well, Windows Media Center) out of the individual machines.. then further restricting on my physical firewall..

... hmm.. I'm waffling on.. basically, my question is - what ports/protocols and addresses do I need to configure on my firewall to allow *just* the media server functionality?


Beardyname

8096 is the standard port that MB uses, but outbound rules usually are totally different from inbound rules.

Anyway, you can set whatever port you'd like for MB3 and then port forward that, to allow incoming connections.

Other than that I don't really know, but I think you made a good guess with the 80 one :)


Carneth

Thanks..

Yes, ingress is different to egress... for the moment, I'm allowing nothing in.. I only want to allow the Media Browser Server and maybe the clients out...

So, I just wanna know where they go to and if they use any other ports (outbound) other than 80 and/or 443... and what protocols.. my firewall is actually a business class product, and has some protocol awareness.. So, if the services are all REST, or SOAP, or JSON or whatever.. plus DNS for lookups.. Or maybe screen scraping is being done for metadata, in which case I'd need to allow general browsing too, blah blah..

Well, I'll start with a deny all, and open up stuff one at a time until I get everything working..

Then, I'll post a guide or something I guess, so, if anyone else wants to do the same it should be easier for them!
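One way to implement the deny-all-then-open-up approach described above, as an added example (not from this thread and not Media Browser's own code): a default-deny egress policy for the back-end subnet that only lets the server out for DNS and HTTP/HTTPS, plus a helper that tallies denied flows from firewall logs so you can see what still needs a rule. The addresses, hosts and the key=value log format are all constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed addresses for the example; the thread names no real ones.
BACKEND = ip_network("192.168.2.0/24")   # assumed back-end (media) subnet
SERVER = ip_address("192.168.2.10")      # assumed Media Browser Server host
RESOLVER = ip_address("192.168.1.1")     # assumed front-end router acting as DNS

# Egress allow-list: (source host, protocol, dst port, dst host or None = any).
# Only the server gets out: DNS to the resolver, HTTP/HTTPS for metadata and
# updates. Clients on the back-end match nothing and are denied by default.
ALLOW = [
    (SERVER, "udp", 53, RESOLVER),
    (SERVER, "tcp", 80, None),
    (SERVER, "tcp", 443, None),
]


def egress_allowed(src, proto, dst, dport):
    """Default-deny decision for one outbound flow leaving the back-end."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in BACKEND:
        return False  # only back-end hosts are covered by this policy
    for a_src, a_proto, a_port, a_dst in ALLOW:
        if (src, proto, dport) == (a_src, a_proto, a_port) and a_dst in (None, dst):
            return True
    return False


def summarize_denied(log_lines):
    """Count denied flows by (src, proto, dport): this is the list to review
    when opening things up one at a time instead of allowing general browsing."""
    counts = Counter()
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("action") == "deny":
            counts[(fields["src"], fields["proto"], int(fields["dport"]))] += 1
    return counts


# Constructed firewall log lines in a simple key=value form (not a vendor format).
LOG = [
    "action=deny src=192.168.2.10 dst=203.0.113.5 proto=tcp dport=8080",
    "action=deny src=192.168.2.20 dst=203.0.113.9 proto=tcp dport=443",
    "action=allow src=192.168.2.10 dst=203.0.113.5 proto=tcp dport=443",
    "action=deny src=192.168.2.20 dst=203.0.113.9 proto=tcp dport=443",
]

if __name__ == "__main__":
    for (src, proto, dport), n in summarize_denied(LOG).most_common():
        print(f"{n:3d} denied  {src} {proto}/{dport}")
```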


Beardyname

Sounds good :)

Also, I don't "think" the standard clients need to be able to talk to the internet, only the server.


ginjaninja

The clients would benefit from internet access for things like Media Browser client updates and OS updates.

Only the server will need inbound rules if you have clients on foreign/untrusted networks.

Segregation of networks will be easiest with separate physical ports on switches and routers which support the necessary VLANs and routes, but this is probably beyond home user hardware.


Carneth

So,

I'm using an entry-level Netgear business class physical firewall, which acts (obviously, as it's a firewall) as a switch and a router and a firewall.. It has 1 or 2 (depending on the specific model) WAN ports and a set of 4-8 LAN ports (depending on the model again).. It doesn't support VLANs, but it doesn't need to in my setup...

I have my "front-end" network created by my TP-LINK router... that has my wifi devices and has the internet connection.. Then, this Netgear firewall creates the back-end network.. It's blocking all ingress communication... and I want it to only allow the absolute minimum for outbound communication... All my media systems are running on this back-end network..

Once I get the iOS remotes working, then I may assign static addresses and set up IPsec, and allow just those devices from the front end to the back end to run the remote...

I don't expose - and don't want to expose - my Media Browser Server, or clients, to the internet...

I just want the server to be able to connect out to do the metadata discovery, and its updates.. as well as updates for the Media Browser clients..

Well, that's the plan... The system is now running smoothly, everything pretty much seems to work.. I'm upgrading the hardware.. and now I don't really want much to change, except in a very controlled fashion.

That and, everyone and their dog who comes around my house wants access to my network, wired or wireless.. and I don't really want them on the same network as the family photos of the little one etc... So, isolating all the personal stuff onto this back-end network.... hope this should work...
