20250720 regular commit

2025-07-20 22:29:13 +02:00
parent 252a91dbcc
commit b79839500c
22 changed files with 998 additions and 24 deletions
--- a/projects/gg/avahi_mdns-reflector/20250716-firewall-rules-bonjour.md
+++ b/projects/gg/avahi_mdns-reflector/20250716-firewall-rules-bonjour.md
@@ -0,0 +1,52 @@
+
+You're absolutely correct. **Xsan** (Apple's high-performance file system) uses a **dynamic port range** (49152–65535) for **data transfer** between clients and servers. These ports are essential for **high-throughput file access** in environments like video production, where Apple TVs or other devices may interact with Xsan servers. Below is the updated list of **critical ports** for Apple services, including **Xsan**:
+
+---
+
+### 🚫 **Critical Ports to Open (Updated)**
+| Port Range       | Protocol | Purpose                                      | Required |
+|------------------|----------|----------------------------------------------|----------|
+| **5353**         | UDP      | **mDNS/Bonjour** (service discovery)         | ✅ Yes   |
+| **80**           | TCP      | **HTTP** (web services, streaming)           | ✅ Yes   |
+| **443**          | TCP      | **HTTPS** (secure web services)              | ✅ Yes   |
+| **554**          | TCP/UDP  | **RTSP** (media streaming)                   | ✅ Yes   |
+| **9876**         | TCP      | **Apple TV Remote Access**                   | ✅ Yes   |
+| **9877**         | TCP      | **Apple TV Media Streaming**                 | ✅ Yes   |
+| **49152–65535** | TCP      | **Xsan Filesystem Access** (dynamic range)   | ✅ Yes   |
+
+---
+
+### 📌 **Key Notes**
+1. **Xsan (49152–65535)**  
+   - **Purpose**: Used for **high-performance file transfers** between Xsan clients (e.g., Apple TVs, editing stations) and Xsan servers.  
+   - **Why It Matters**: Xsan is designed for **low-latency, high-throughput** environments. The dynamic port range ensures scalability and avoids port exhaustion.  
+   - **Security**: While these ports are required for Xsan, they are **dynamic** and should be **restricted to trusted VLANs** (e.g., Apple TV VLAN ↔ Xsan server VLAN).  
+
+2. **Firewall Rules**  
+   - **Direction**: Allow **bidirectional traffic** between VLANs.  
+   - **Stateful Inspection**: Use stateful rules (e.g., in OPNsense) to automatically handle both directions.  
+   - **VLAN Isolation**: Ensure traffic is only allowed between **Apple TV VLAN** and **Xsan server VLAN** (or Teacher/Student VLANs, if applicable).  
+
+3. **Testing and Validation**  
+   - **Simulate Load**: Use tools like `tcpdump` or `Wireshark` to capture traffic and confirm the port range is being used.  
+   - **Monitor Traffic**: Ensure no unintended exposure by restricting access to only the necessary VLANs.  
+
+---
+
+### 🧠 **Example OPNsense Rule (Xsan Server ↔ Apple TV VLAN)**
+1. **Interface**: Create VLAN interfaces (e.g., `VLAN10` for Apple TV, `VLAN20` for Xsan server).  
+2. **Rule**:  
+   - **Action**: Allow  
+   - **Source**: `VLAN10` (Apple TV VLAN)  
+   - **Destination**: `VLAN20` (Xsan server VLAN)  
+   - **Protocol**: TCP (49152–65535)  
+   - **State**: Enable (for bidirectional traffic).  
+
+---
+
+### ✅ **Summary**
+- **Xsan** requires the **dynamic port range 49152–65535 (TCP)** for efficient file access.  
+- Ensure these ports are **allowed between relevant VLANs** and **restricted to trusted devices**.  
+- Always **verify if Xsan is required** in your environment to avoid unnecessary exposure.  
+
+By including these ports and configuring the firewall accordingly, Apple services (including Xsan) will function seamlessly across VLANs.