
I want to use the Alljoyn framework on an embedded linux device. Due to security reasons, it is necessary to configure a firewall for that device. This is done with iptables.

What I've done so far: I tried to run the AboutService example on that device without a firewall and then checked the TCPDump. As client, I used the IoT Explorer for AllJoyn (Windows 10), but AboutClient should work well, too. Checking TCPDump with Wireshark, the ports for the announcement are clear: I have to open ports 9955 (alljoyn-mcm), 9956 (alljoyn) and 5353 (MDNS?!?) for UDP. I solved that with the following rules:

$ iptables -A OUTPUT -p udp --sport 9955 -j ACCEPT
$ iptables -A OUTPUT -p udp --sport 9956 -j ACCEPT
$ iptables -A OUTPUT -p udp --dport 5353 -j ACCEPT
$ iptables -A INPUT  -p udp --sport 9955 -j ACCEPT

With these rules, the device is successfully discovered in IoT Explorer.

But when accessing the device (e.g. to get the full about-data), TCP communication starts. And this is not on a certain port. The port seems to be random. Nmap shows e.g. the following ports when (re)starting the AboutService:

  • 46368/tcp open unknown, or
  • 52739/tcp open unknown

How can I determine the port? How can I force Alljoyn framework to nail the TCP-Communication to a certain port or at least small port range, e.g. 41000-41100? Or is there any other way to configure the firewall so Alljoyn communication is not blocked?

meddle0106

2 Answers


Generally the AllJoyn Framework uses UDP for discovery and TCP for direct communication.

Well-known (registered) ports are:

  • Port Number 9956: IANA assigned UDP multicast port for AllJoyn
  • Port Number 5353: IANA-assigned UDP multicast port for mDNS

When the devices discover each other, TCP communication starts on a random ephemeral port. This implementation is target-dependent code; you can check the source code of the target.

Aksel Fatih

I solved it in another way:

Before starting my Alljoyn Service, I launched the alljoyn-daemon binary from the Alljoyn core lib. This routes the traffic over definable ports, by default over port 9955 (alljoyn-mcm).

With this setup I could configure the following firewall rules and everything worked:

$ iptables -A INPUT  -p udp -m multiport --dports 9955,9956,5353 -j ACCEPT
$ iptables -A INPUT  -p udp -m multiport --sports 9955,9956,5353 -j ACCEPT
$ iptables -A INPUT  -p tcp -m multiport --dports 9955,9956,5353 -j ACCEPT
$ iptables -A INPUT  -p tcp -m multiport --sports 9955,9956,5353 -j ACCEPT
$ iptables -A OUTPUT -p udp -m multiport --dports 9955,9956,5353 -j ACCEPT
$ iptables -A OUTPUT -p udp -m multiport --sports 9955,9956,5353 -j ACCEPT
$ iptables -A OUTPUT -p tcp -m multiport --dports 9955,9956,5353 -j ACCEPT
$ iptables -A OUTPUT -p tcp -m multiport --sports 9955,9956,5353 -j ACCEPT

Hint: I suppose these are too many open ports, but this is enough for me. With more investigation, the list can surely be reduced.

meddle0106