CubelaPetar/notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
notes/projects/gg/avahi_mdns-reflector/prep/20250716-firewall-rules-bonjour.md
Petar Cubela 584265c22c 20250907
2025-09-07 13:07:01 +02:00

3.2 KiB
Raw Permalink Blame History

You're absolutely correct. Xsan (Apple's high-performance file system) uses a dynamic port range (4915265535) for data transfer between clients and servers. These ports are essential for high-throughput file access in environments like video production, where Apple TVs or other devices may interact with Xsan servers. Below is the updated list of critical ports for Apple services, including Xsan:

🚫 Critical Ports to Open (Updated)

Port Range Protocol Purpose Required
5353 UDP mDNS/Bonjour (service discovery) Yes
80 TCP HTTP (web services, streaming) Yes
443 TCP HTTPS (secure web services) Yes
554 TCP/UDP RTSP (media streaming) Yes
9876 TCP Apple TV Remote Access Yes
9877 TCP Apple TV Media Streaming Yes
4915265535 TCP Xsan Filesystem Access (dynamic range) Yes

📌 Key Notes

  1. Xsan (4915265535)

    • Purpose: Used for high-performance file transfers between Xsan clients (e.g., Apple TVs, editing stations) and Xsan servers.
    • Why It Matters: Xsan is designed for low-latency, high-throughput environments. The dynamic port range ensures scalability and avoids port exhaustion.
    • Security: While these ports are required for Xsan, they are dynamic and should be restricted to trusted VLANs (e.g., Apple TV VLAN ↔ Xsan server VLAN).

  2. Firewall Rules

    • Direction: Allow bidirectional traffic between VLANs.
    • Stateful Inspection: Use stateful rules (e.g., in OPNsense) to automatically handle both directions.
    • VLAN Isolation: Ensure traffic is only allowed between Apple TV VLAN and Xsan server VLAN (or Teacher/Student VLANs, if applicable).

  3. Testing and Validation

    • Simulate Load: Use tools like tcpdump or Wireshark to capture traffic and confirm the port range is being used.
    • Monitor Traffic: Ensure no unintended exposure by restricting access to only the necessary VLANs.

🧠 Example OPNsense Rule (Xsan Server ↔ Apple TV VLAN)

  1. Interface: Create VLAN interfaces (e.g., VLAN10 for Apple TV, VLAN20 for Xsan server).
  2. Rule:
    • Action: Allow
    • Source: VLAN10 (Apple TV VLAN)
    • Destination: VLAN20 (Xsan server VLAN)
    • Protocol: TCP (4915265535)
    • State: Enable (for bidirectional traffic).

Summary

  • Xsan requires the dynamic port range 4915265535 (TCP) for efficient file access.
  • Ensure these ports are allowed between relevant VLANs and restricted to trusted devices.
  • Always verify if Xsan is required in your environment to avoid unnecessary exposure.

By including these ports and configuring the firewall accordingly, Apple services (including Xsan) will function seamlessly across VLANs.

Reference in New Issue View Git Blame Copy Permalink