notes/projects/gg/avahi_mdns-reflector/prep/20250716-firewall-rules-bonjour.md
Petar Cubela 584265c22c 20250907
2025-09-07 13:07:01 +02:00
You're absolutely correct. **Xsan** (Apple's high-performance file system) uses a **dynamic port range** (49152-65535) for **data transfer** between clients and servers. These ports are essential for **high-throughput file access** in environments like video production, where Apple TVs or other devices may interact with Xsan servers. Below is the updated list of **critical ports** for Apple services, including **Xsan**:
---
### 🚫 **Critical Ports to Open (Updated)**
| Port Range      | Protocol | Purpose                                      | Required |
|-----------------|----------|----------------------------------------------|----------|
| **5353**        | UDP      | **mDNS/Bonjour** (service discovery)         | ✅ Yes   |
| **80**          | TCP      | **HTTP** (web services, streaming)           | ✅ Yes   |
| **443**         | TCP      | **HTTPS** (secure web services)              | ✅ Yes   |
| **554**         | TCP/UDP  | **RTSP** (media streaming)                   | ✅ Yes   |
| **9876**        | TCP      | **Apple TV Remote Access**                   | ✅ Yes   |
| **9877**        | TCP      | **Apple TV Media Streaming**                 | ✅ Yes   |
| **49152-65535** | TCP      | **Xsan Filesystem Access** (dynamic range)   | ✅ Yes   |
---
### 📌 **Key Notes**
1. **Xsan (49152-65535)**
- **Purpose**: Used for **high-performance file transfers** between Xsan clients (e.g., Apple TVs, editing stations) and Xsan servers.
- **Why It Matters**: Xsan is designed for **low-latency, high-throughput** environments. The dynamic port range ensures scalability and avoids port exhaustion.
- **Security**: While these ports are required for Xsan, they are **dynamic** and should be **restricted to trusted VLANs** (e.g., Apple TV VLAN ↔ Xsan server VLAN).
2. **Firewall Rules**
- **Direction**: Allow **bidirectional traffic** between VLANs.
- **Stateful Inspection**: Use stateful rules (e.g., in OPNsense) to automatically handle both directions.
- **VLAN Isolation**: Ensure traffic is only allowed between **Apple TV VLAN** and **Xsan server VLAN** (or Teacher/Student VLANs, if applicable).
3. **Testing and Validation**
- **Simulate Load**: Use tools like `tcpdump` or `Wireshark` to capture traffic and confirm the port range is being used.
- **Monitor Traffic**: Ensure no unintended exposure by restricting access to only the necessary VLANs.
---
### 🧠 **Example OPNsense Rule (Xsan Server ↔ Apple TV VLAN)**
1. **Interface**: Create VLAN interfaces (e.g., `VLAN10` for Apple TV, `VLAN20` for Xsan server).
2. **Rule**:
- **Action**: Allow
- **Source**: `VLAN10` (Apple TV VLAN)
- **Destination**: `VLAN20` (Xsan server VLAN)
- **Protocol**: TCP (49152-65535)
- **State**: Enable (for bidirectional traffic).
---
### ✅ **Summary**
- **Xsan** requires the **dynamic port range 49152-65535 (TCP)** for efficient file access.
- Ensure these ports are **allowed between relevant VLANs** and **restricted to trusted devices**.
- Always **verify if Xsan is required** in your environment to avoid unnecessary exposure.
By including these ports and configuring the firewall accordingly, Apple services (including Xsan) will function seamlessly across VLANs.
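An added check for the OPNsense rule above and the "Testing and Validation" step (example code written for this note, not part of the original or of OPNsense): it parses `tcpdump -nn` lines from a capture and reports every flow that the rule set (mDNS on UDP/5353, TCP VLAN10 → VLAN20 on 49152-65535 with stateful replies) does not cover. The subnets 10.0.10.0/24 for VLAN10 and 10.0.20.0/24 for VLAN20 are assumed, since the note does not give addressing.

```python
import ipaddress
import re
# Constructed addressing: the note names VLAN10/VLAN20 but gives no subnets.
APPLE_TV_VLAN = ipaddress.ip_network("10.0.10.0/24")   # VLAN10 (assumed)
XSAN_VLAN = ipaddress.ip_network("10.0.20.0/24")       # VLAN20 (assumed)
XSAN_PORTS = range(49152, 65536)                       # 49152-65535 inclusive

# Default `tcpdump -nn` line shape: "<ts> IP src.sport > dst.dport: Flags|UDP ..."
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S+)")

def parse(line):
    """Return (src, sport, dst, dport, proto) or None if the line is not a flow."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, tail = m.groups()
    proto = "udp" if tail.startswith("UDP") else "tcp"
    return ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport), proto

def verdict(flow):
    """Mirror the note's rules: UDP/5353 mDNS, TCP VLAN10 -> VLAN20 on 49152-65535, stateful replies."""
    src, sport, dst, dport, proto = flow
    if proto == "udp":
        return "allowed" if dport == 5353 else "denied"
    if src in APPLE_TV_VLAN and dst in XSAN_VLAN and dport in XSAN_PORTS:
        return "allowed"   # forward direction of the OPNsense rule
    if src in XSAN_VLAN and dst in APPLE_TV_VLAN and sport in XSAN_PORTS:
        return "allowed"   # reply direction, covered by the stateful rule
    return "denied"

def audit(capture):
    """Count verdicts over a capture and list the flows the rule set does not cover."""
    report = {"allowed": 0, "denied": 0, "unparsed": 0, "offenders": []}
    for flow in map(parse, capture.splitlines()):
        v = "unparsed" if flow is None else verdict(flow)
        report[v] += 1
        if v == "denied":
            report["offenders"].append("%s:%d -> %s:%d/%s" % flow)
    return report

# Constructed sample capture (not real traffic): Xsan SYN, its reply, SSH into the Xsan VLAN, a third VLAN, mDNS.
SAMPLE = """\
13:07:01.000001 IP 10.0.10.5.52344 > 10.0.20.7.50000: Flags [S], seq 1, win 65535, length 0
13:07:01.000002 IP 10.0.20.7.50000 > 10.0.10.5.52344: Flags [S.], seq 2, ack 2, win 65535, length 0
13:07:01.000003 IP 10.0.10.5.52345 > 10.0.20.7.22: Flags [S], seq 1, win 65535, length 0
13:07:01.000004 IP 10.0.30.9.40000 > 10.0.20.7.50001: Flags [S], seq 1, win 65535, length 0
13:07:01.000005 IP 10.0.10.5.5353 > 224.0.0.251.5353: UDP, length 120
"""
```

Run `audit(SAMPLE)` on a real capture taken with `tcpdump -nn -i <vlan-if>` to confirm the Xsan range is what actually crosses the VLAN boundary; anything in `offenders` is either a rule gap or traffic the rule should not be admitting.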