On Fri, Nov 22, 2019 at 12:56:51PM +0100, Rachel Roch wrote:
 
> They sent me the following long email, it does mention inbound access but 
> seems like a bit of a generic answer if all those ports really need to be 
> opened inbound via PAT? I've asked Sonos to clarify exactly what is 
> required inbound (as opposed to stateful outbound), and am still awaiting a 
> reply!
> 
> "If your firewall needs to be manually configured, refer to the port numbers 
> below and make sure inbound access is enabled for the Sonos application.

I get the feeling that there is some confusion at the support people's end 
about what needs to be open inbound vs outbound. 

My guesses are

> Port (TCP)    Used for
> 80 and 443    Music services, radio, and Sonos account

pass proto tcp from $sonos to any port { http https }
# reasonable, web radio and such

> 445 and 3445  Music library
> 3400, 3401, and 3500  Sonos app control

Almost certainly only needed to access your (in-house?) media storage. Start 
with those blocked on egress. That is, assuming that all relevant in-house 
devices are on the same net (as in, the Sonos is not on a separate subnet).

> 4070  Spotify Connect
> 4444  System updates

Sounds odd. I'd say again: start with those blocked on egress, pass only if 
tests reveal they're needed (much like the earlier rule, pass only traffic 
that the Sonos box initiates).

> Port (UDP)    Used for
> 136 through 139       Music library
> 1900 and 1901 Sonos app control
> 2869, 10243, and 10280 through 10284  Windows Media Sharing

These too sound like they are only useful for local network access, such as 
if you have media stored on machines around the house.

> 5353  Spotify Connect
> 6969  Sonos setup"

I'd start with those closed, test the specific functionality that *might* 
require those ports to be open, and again, I struggle to believe any claim 
that you need to pass those *in*; in all likelihood a simple 
pass proto udp from $sonos to those ports should do.

Anyway, please do go back to the simple starting point such as a default to 
block, then add pass rules that allow traffic initiated by the Sonos box or 
others in the local net. I'm almost certain you do not need to explicitly 
allow anything initiated from the outside.

All the best,
Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
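[Editor's note: the pf.conf sketch below is an added example of the "default
block, then pass what the Sonos box initiates" approach Peter describes; it
is not from the message above or from Sonos. The interface names (em0/em1),
the 192.168.1.0/24 network and the 192.168.1.50 address for the Sonos box
are assumptions, and the syntax is OpenBSD pf (match ... nat-to), so it
needs adjusting for other pf ports.]

```pf
# Added example, not from the original thread. Interface names, the LAN
# prefix and the Sonos address below are assumptions; replace them.
ext_if  = "em0"               # towards the internet
int_if  = "em1"               # the house LAN
lan_net = "192.168.1.0/24"
sonos   = "192.168.1.50"

# From the Sonos port list: the only ports that plausibly need to leave
# the house are plain web traffic.
sonos_tcp_out  = "{ http https }"
# Candidates to enable one at a time, only if a feature breaks without them.
sonos_tcp_test = "{ 4070 4444 }"
sonos_udp_test = "{ 5353 6969 }"

set skip on lo
match out on $ext_if from $lan_net nat-to ($ext_if)   # PAT for the LAN

# Default block, both directions. Nothing from the outside gets in unless
# it is a reply to a state created by traffic the LAN started.
block log all

# Music library, app control, SSDP/mDNS discovery: all LAN-to-LAN, so it
# stays on $int_if and never needs an egress or inbound rule on $ext_if.
pass on $int_if from $lan_net to $lan_net

# Ordinary LAN hosts get stateful egress for whatever they initiate.
pass in  on $int_if from $lan_net to any
pass out on $ext_if from $lan_net to any

# The Sonos box gets a narrower set. pf uses last-matching-rule semantics,
# so these override the general LAN rule above for $sonos only: block its
# off-LAN traffic, then re-allow just the ports it is known to need.
block in log on $int_if from $sonos to ! $lan_net
pass in on $int_if proto tcp from $sonos to any port $sonos_tcp_out

# Uncomment only after a test shows the feature needs it. Still outbound,
# still initiated by the Sonos box; the state table handles the replies.
# pass in on $int_if proto tcp from $sonos to any port $sonos_tcp_test
# pass in on $int_if proto udp from $sonos to any port $sonos_udp_test
```

The test loop that goes with this: `pfctl -nf /etc/pf.conf` to syntax-check
before loading, then exercise one Sonos feature at a time while watching
`tcpdump -n -e -ttt -i pflog0 host 192.168.1.50` for logged blocks. A feature
that breaks while the only logged drops are outbound connections from the
Sonos box to one of the "test" ports tells you exactly which commented rule
to enable; a logged drop on $ext_if from an outside address hitting a closed
port is not evidence that anything needs to be passed inbound.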
