Firewall setup for internet radio



maf
2010-06-07, 10:40
How do you setup your router's firewall for Squeezebox internet radio access?

My firewall is running a Deny-all strategy. I already have opened ports 3483 and 9000 for outgoing connections. But internet radio station seem to use all kinds of ports. In my firewall's log files, I found references to port numbers from as low as 824 up to 31115. Not opening those station-specific ports results in "Connect timed out: Transport endpoint is not connected." messages.

Somewhat reluctantly, I guess I could open that whole port range for connections originating at IP addresses assigned to my Squeezebox hardware in the local network. But I definitely would not want to open the same port range for my desktop running SqueezeSlave.

So, how should I configure my router's firewall?

Thanks, Malte

snarlydwarf
2010-06-07, 10:48
A bit paranoid?

There's no predicting what port someone will run a music stream on. Often it's just a plain old http url, but sometimes they will run several ports to increase session count or provide multiple different streams.

It would be easiest to allow the SBs to initiate anything they wanted to the outside world: it's not like the older models have enough memory to even think about running spamming software (not to mention it would be tricky to get it on there) and opening sessions started from an 'inside' machine are nowhere near as dangerous as allowing outsiders in... restricting inside machines completely is nigh impossible if they need to be usable: darned near anything can be tunnelled over https, for example, and blocking 443 would cripple most PC usage.

Is whatever you're using for a router able to distinguish between 'established' connections?

In pseudofirewallese:
allow from internal -> external
allow from external -> internal established
deny all
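
The three pseudo-rules above, modelled as a toy stateful filter (an added example, not code from the thread or from any router), extended with the per-host narrowing the asker wants: the Squeezebox may open any outbound connection, the SqueezeSlave desktop only ports 3483 and 9000. The LAN prefix, host addresses and the station address are constructed values.

```python
# Toy model of: allow internal->external; allow external->internal established;
# deny all. Flow tracking is a set of 4-tuples as seen from the inside.
# All addresses below are constructed for the example.
from dataclasses import dataclass

INTERNAL_NET = "192.168.1."           # assumption: LAN prefix
DESKTOP_HOSTS = {"192.168.1.50"}      # assumption: PC running SqueezeSlave
DESKTOP_ALLOWED_PORTS = {3483, 9000}  # the two ports already opened outbound


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    def __init__(self):
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    @staticmethod
    def is_internal(ip):
        return ip.startswith(INTERNAL_NET)

    def decide(self, pkt):
        if self.is_internal(pkt.src) and not self.is_internal(pkt.dst):
            # Rule 1, narrowed per host: the desktop only gets the two
            # Squeezebox ports; every other inside host may start anything.
            if pkt.src in DESKTOP_HOSTS and pkt.dport not in DESKTOP_ALLOWED_PORTS:
                return "deny"
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if not self.is_internal(pkt.src) and self.is_internal(pkt.dst):
            # Rule 2: only a reply to a flow the inside opened is 'established'.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "allow" if key in self.flows else "deny"
        return "deny"  # Rule 3


def run_scenario():
    fw = StatefulFilter()
    station = "203.0.113.7"  # constructed; stands in for a radio station
    sb, pc = "192.168.1.20", "192.168.1.50"
    return {
        "sb_to_station_31115": fw.decide(Packet(sb, 40001, station, 31115)),
        "station_reply": fw.decide(Packet(station, 31115, sb, 40001)),
        "unsolicited_inbound": fw.decide(Packet(station, 31115, pc, 40002)),
        "desktop_to_station_31115": fw.decide(Packet(pc, 40002, station, 31115)),
        "desktop_to_9000": fw.decide(Packet(pc, 40003, "198.51.100.9", 9000)),
    }
```

The station's reply on port 31115 passes only because the player opened the flow first, which is why no per-station port list is needed on a stateful router.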

maf
2010-06-07, 11:29
A bit paranoid?
Probably :-) But it's only the desktop running SqueezeSlave I'm really worried about.


Is whatever you're using for a router able to distinguish between 'established' connections?

In pseudofirewallese:
allow from internal -> external
allow from external -> internal established
deny all
I guess it is, but I'm not sure. The router is a LANCOM DSL/I-10+ running LANCOM 7.80. It has a 'stateful inspection' firewall. At least for well known protocols it seems to be able to monitor the connection and learn about additional channels opened during the exchange.

All I have to do is to specify what connections I would like to allow using combinations of local and/or remote stations and protocols...