Please advise on firewall port openings

[davidrylance]

Question

Hi everybody,

Thank you for the amazing project! And great documentation!

The only thing I'm missing is a list of all ports that need to be opened in iptables/nftables (local firewall on a server) and on an external firewall between LANs (assuming the server is on a different LAN than a client connecting the server).

Looking at the documentation and sample https://github.com/bluenviron/mediamtx/blob/main/mediamtx.yml and assuming I didn't change any ports from the default values:

playback: yes # not default
playbackAddress: :9996

rtsp: yes
protocols: [udp, multicast, tcp]
encryption: "no"
rtspAddress: :8554
rtspsAddress: :8322
rtpAddress: :8000
rtcpAddress: :8001
multicastIPRange: 224.1.0.0/16
multicastRTPPort: 8002
multicastRTCPPort: 8003

rtmp: yes
rtmpAddress: :1935
rtmpEncryption: "no"
rtmpsAddress: :1936

hls: yes
hlsAddress: :8888
hlsEncryption: no

webrtc: yes
webrtcAddress: :8889
webrtcEncryption: no
webrtcLocalUDPAddress: :8189

srt: yes
srtAddress: :8890

paths:
# ....

These are the ports I think need to be opened:

• tcp: 9996
• tcp: 8554
• udp: 8000
• udp: 8001
• udp: 8002 - only on local firewall on the server
• udp: 8003 - only on local firewall on the server
• tcp: 1935
• tcp: 8888
• tcp: 8889
• udp: 8189
• tcp: 8890

[neilyoung]

I would like to add, that you also need to open the potential ports, a configured STUN/TURN server might provide. This is for instance configurable, if you drive your own TURN server (e.g. COTURN).

If MediaMTX runs on a AWS instance, for instance, it doesn't publish the public instance address for port 8889, but some local VM address in the AWS world. This will not work. So, here your STUN/TURN server comes into the play. If the remote is taking the delivered public UDP addresses and ports serious, then it will try to do ICE establishments on these addresses/ports. This will fail, if the server firewall is not open in this range.

[aler9]

Hello, every protocol supported by the server has its own port list and can be used regardless of the fact that ports belonging to other protocols are open or not. I strongly discourage opening all ports indiscriminately, since exposing ports belonging to protocols or features that you're not using or are not familiar with might cause security issues.

Open the ports of the services you are actively using only.

The port list can be found:

• in the configuration file

• in the README, in particular in the Docker example:

  docker run --rm -it \
  -e MTX_PROTOCOLS=tcp \
  -e MTX_WEBRTCADDITIONALHOSTS=192.168.x.x \
  -p 8554:8554 \
  -p 1935:1935 \
  -p 8888:8888 \
  -p 8889:8889 \
  -p 8890:8890/udp \
  -p 8189:8189/udp \
  bluenviron/mediamtx