Plex opens random UDP port numbers that change with each restart, and I see UFW packet denies

Server Version#: 1.32.2.7100-248a2daf0
Player Version#: Mostly using website.

The machine from which I’m seeing the denied UDP packets is my son’s machine. As far as I know, he does not use my plex server, so I am confused about why I would be getting packets on the port plex listens on from that machine.

I am opening this topic because Plex is choosing high UDP ports at random and listening on those ports. If I restart plexmediaserver, then the port numbers change.

root@smeagol:/var/backups/misc/mysql/daily# lsof -Pn -i | grep plex | grep UDP
Plex\x20M 2972514            plex   77u  IPv4 411717791      0t0  UDP *:32414 
Plex\x20M 2972514            plex   78u  IPv4 411717792      0t0  UDP *:32410 
Plex\x20M 2972514            plex   79u  IPv4 411717793      0t0  UDP *:32412 
Plex\x20M 2972514            plex   80u  IPv4 411717794      0t0  UDP *:32413 
Plex\x20M 2972514            plex   81u  IPv4 411717795      0t0  UDP 127.0.0.1:59512 
Plex\x20M 2972514            plex   82u  IPv4 411717796      0t0  UDP 169.254.116.253:55946 
Plex\x20M 2972514            plex   83u  IPv4 411717797      0t0  UDP 192.168.217.200:57604 
Plex\x20M 2972514            plex   84u  IPv4 411717798      0t0  UDP 192.168.217.170:55401 
Plex\x20M 2972514            plex   85u  IPv4 411717799      0t0  UDP 169.254.45.112:50630 
Plex\x20M 2972514            plex   86u  IPv4 411717800      0t0  UDP 127.0.0.1:55067 
Plex\x20M 2972514            plex   87u  IPv4 411717801      0t0  UDP 169.254.116.253:39992 
Plex\x20M 2972514            plex   88u  IPv4 411717802      0t0  UDP 192.168.217.200:47957 
Plex\x20M 2972514            plex   89u  IPv4 411717803      0t0  UDP 192.168.217.170:34196 
Plex\x20M 2972514            plex   90u  IPv4 411717804      0t0  UDP 169.254.45.112:56912 
Plex\x20M 2972514            plex   91u  IPv4 411717805      0t0  UDP *:1901 
Plex\x20M 2972514            plex   92u  IPv4 411717806      0t0  UDP 169.254.116.253:53250 
Plex\x20M 2972514            plex   93u  IPv4 411717807      0t0  UDP 192.168.217.200:59508 
Plex\x20M 2972514            plex   94u  IPv4 411717808      0t0  UDP 192.168.217.170:38271 
Plex\x20M 2972514            plex   95u  IPv4 411717809      0t0  UDP 169.254.45.112:38884 
root@smeagol:/var/backups/misc/mysql/daily# systemctl restart plexmediaserver.service 
root@smeagol:/var/backups/misc/mysql/daily# lsof -Pn -i | grep plex | grep UDP
Plex\x20M 2981131            plex   73u  IPv4 411814227      0t0  UDP *:32410 
Plex\x20M 2981131            plex   74u  IPv4 411814228      0t0  UDP *:32412 
Plex\x20M 2981131            plex   77u  IPv4 411814226      0t0  UDP *:32414 
Plex\x20M 2981131            plex   78u  IPv4 411814229      0t0  UDP *:32413 
Plex\x20M 2981131            plex   79u  IPv4 411814230      0t0  UDP 127.0.0.1:39398 
Plex\x20M 2981131            plex   80u  IPv4 411814231      0t0  UDP 169.254.116.253:58813 
Plex\x20M 2981131            plex   81u  IPv4 411814232      0t0  UDP 192.168.217.200:52249 
Plex\x20M 2981131            plex   82u  IPv4 411814233      0t0  UDP 192.168.217.170:51147 
Plex\x20M 2981131            plex   83u  IPv4 411814234      0t0  UDP 169.254.45.112:41763 
Plex\x20M 2981131            plex   84u  IPv4 411814241      0t0  UDP 169.254.116.253:39270 
Plex\x20M 2981131            plex   85u  IPv4 411814235      0t0  UDP 127.0.0.1:55514 
Plex\x20M 2981131            plex   86u  IPv4 411814236      0t0  UDP 169.254.116.253:47244 
Plex\x20M 2981131            plex   87u  IPv4 411814237      0t0  UDP 192.168.217.200:40239 
Plex\x20M 2981131            plex   88u  IPv4 411814238      0t0  UDP 192.168.217.170:51169 
Plex\x20M 2981131            plex   89u  IPv4 411814239      0t0  UDP 169.254.45.112:50263 
Plex\x20M 2981131            plex   90u  IPv4 411814240      0t0  UDP *:1901 
Plex\x20M 2981131            plex   91u  IPv4 411814243      0t0  UDP 192.168.217.170:48879 
Plex\x20M 2981131            plex   92u  IPv4 411814242      0t0  UDP 192.168.217.200:39323 
Plex\x20M 2981131            plex   93u  IPv4 411814244      0t0  UDP 169.254.45.112:42744 

I’m running on Ubuntu 22.04 from the plex APT repository.

Just a guess, but I think this could be related to SSDP discovery packets being sent, and responses being received. Try a tcpdump similar to the following:

sudo tcpdump -i any -A port 1900 and host 'IP address of your server'

This should show the SSDP search requests being sent from your server and the replies it receives. Run it for a bit and see if your son’s IP address shows up in the list.

https://support.plex.tv/articles/201543147-what-network-ports-do-i-need-to-allow-through-my-firewall/

The UDP ports are how the apps (on LAN) discover / communicate with the server for everything except the actual streaming.

There’s a little more to it than that, but yeah, that’s one purpose for the UDP port usage. Others would be network tuner (HDHomeRun, for example) discovery and router discovery (for NAT-PMP). SSDP underpins/enables/works with other protocols (UPnP, for example) as a way to search for devices on your network.

I feel like there’s going to be a follow-up question resulting from the initial one: Is there a way to turn this off (SSDP multicast from the server)? The short answer is no, not directly at least.

The longer answer is that certain usages can be disabled:

  • To disable local network player/server discovery, disable ‘Enable local network discovery (GDM)’ in Settings → [Server Name] → Network.
  • To disable NAT-PMP, set a manual port in Settings → [Server Name] → Remote Access (and perform the router configuration to support manual port forwarding).

Certain other usages cannot be disabled and the server is always going to send SSDP search messages.

You can do things with your server’s local firewall to block these messages (block all outbound traffic destined to UDP port 1900, or inbound traffic from UDP port 1900 from specific hosts).

The problem with this is that all traffic to those ports is blocked by UFW.

I have a different followup question for you: Is there perhaps a plugin for plex that would automatically update UFW to allow these dynamic ports? And turn off those ports just before it shuts down so that old ones are no longer open on service restart?

Alternately, and perhaps even better:

  • Define a range of ports from which these will be chosen. OR
  • Make it possible to explicitly define every port that plex uses.

Either of these options would make it possible to allow specific ports in the UFW config that will always work.

I can’t speak for Plex, but that’s unlikely to happen. The choice of which port to send from locally (and consequently the one to which replies will be sent) is generally left up to the network stack for uses like this (where it really doesn’t matter from a functionality standpoint). Remember, these begin as multicast messages sent from Plex Media Server, to which it is expecting replies.

At any rate, I was certain that, by default, UFW allowed related and established traffic, which I believe would cover this (it does on my own system at least). These are defined in /etc/ufw/before.rules. Have you overridden those for some reason?


I try not to modify ufw config directly. I have on occasion removed old stuff from user.rules that I couldn’t figure out how to remove any other way, but haven’t done that for quite a while, and I don’t touch the other files. I don’t want to risk screwing up my firewall.

So I am mystified about why I am seeing traffic to these random ports being dropped by UFW.

Here’s a packet capture:

elyograg@smeagol:~/git/mail_status_check$ sudo tcpdump -nni br0 host 192.168.217.109
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
23:06:36.268364 IP 192.168.217.109.58024 > 192.168.217.200.49848: UDP, length 234
23:06:37.271545 IP 192.168.217.109.58025 > 192.168.217.170.33677: UDP, length 234
23:06:42.078125 ARP, Request who-has 192.168.217.170 (16:8b:32:b9:4b:55) tell 192.168.217.109, length 46
23:06:42.078151 ARP, Reply 192.168.217.170 is-at 16:8b:32:b9:4b:55, length 28
23:06:43.265830 IP 192.168.217.109.58026 > 192.168.217.200.49848: UDP, length 269
23:06:43.266004 IP 192.168.217.109.58027 > 192.168.217.200.49848: UDP, length 234
23:06:43.374377 IP 192.168.217.109.58026 > 192.168.217.200.49848: UDP, length 269
23:06:43.484238 IP 192.168.217.109.58026 > 192.168.217.200.49848: UDP, length 269
23:06:43.594306 IP 192.168.217.109.58026 > 192.168.217.200.49848: UDP, length 269
23:06:43.711626 IP 192.168.217.109.58026 > 192.168.217.200.49848: UDP, length 269
23:06:45.272609 IP 192.168.217.109.58028 > 192.168.217.170.33677: UDP, length 234
23:06:46.723485 IP 192.168.217.109.58029 > 192.168.217.170.33677: UDP, length 269
23:06:46.827521 IP 192.168.217.109.58029 > 192.168.217.170.33677: UDP, length 269
23:06:46.936732 IP 192.168.217.109.58029 > 192.168.217.170.33677: UDP, length 269
23:06:47.046298 IP 192.168.217.109.58029 > 192.168.217.170.33677: UDP, length 269
23:06:47.157021 IP 192.168.217.109.58029 > 192.168.217.170.33677: UDP, length 269
23:06:48.576250 IP 192.168.217.109 > 224.0.0.252: igmp v2 report 224.0.0.252
23:06:53.266546 IP 192.168.217.109.58032 > 192.168.217.170.33677: UDP, length 234
23:06:54.272761 IP 192.168.217.109.58033 > 192.168.217.170.33677: UDP, length 269
23:06:54.382430 IP 192.168.217.109.58033 > 192.168.217.170.33677: UDP, length 269
23:06:54.493476 IP 192.168.217.109.58033 > 192.168.217.170.33677: UDP, length 269
23:06:54.602392 IP 192.168.217.109.58033 > 192.168.217.170.33677: UDP, length 269
23:06:54.709233 IP 192.168.217.109.58033 > 192.168.217.170.33677: UDP, length 269
23:06:56.266862 IP 192.168.217.109.58034 > 192.168.217.200.49848: UDP, length 269
23:06:56.375860 IP 192.168.217.109.58034 > 192.168.217.200.49848: UDP, length 269
23:06:56.477246 IP 192.168.217.109.58034 > 192.168.217.200.49848: UDP, length 269
23:06:56.584597 IP 192.168.217.109.58034 > 192.168.217.200.49848: UDP, length 269
23:06:56.693770 IP 192.168.217.109.58034 > 192.168.217.200.49848: UDP, length 269
23:06:57.266242 IP 192.168.217.109.58035 > 192.168.217.200.49848: UDP, length 234
23:07:00.598945 IP 192.168.217.109.58037 > 255.255.255.255.8612: UDP, length 16
23:07:00.598946 IP 192.168.217.109.58037 > 255.255.255.255.8612: UDP, length 16
23:07:03.266841 IP 192.168.217.109.58039 > 192.168.217.200.49848: UDP, length 268
23:07:03.267035 IP 192.168.217.109.58040 > 192.168.217.200.49848: UDP, length 234
23:07:03.370621 IP 192.168.217.109.58039 > 192.168.217.200.49848: UDP, length 268
23:07:03.479363 IP 192.168.217.109.58039 > 192.168.217.200.49848: UDP, length 268
23:07:03.591494 IP 192.168.217.109.58039 > 192.168.217.200.49848: UDP, length 268
23:07:03.704519 IP 192.168.217.109.58039 > 192.168.217.200.49848: UDP, length 268
23:07:05.280746 IP 192.168.217.109.58041 > 192.168.217.170.33677: UDP, length 234
23:07:07.702020 IP 192.168.217.109.58042 > 192.168.217.170.33677: UDP, length 268
23:07:07.808655 IP 192.168.217.109.58042 > 192.168.217.170.33677: UDP, length 268
23:07:07.918451 IP 192.168.217.109.58042 > 192.168.217.170.33677: UDP, length 268
23:07:08.026588 IP 192.168.217.109.58042 > 192.168.217.170.33677: UDP, length 268
23:07:08.135328 IP 192.168.217.109.58042 > 192.168.217.170.33677: UDP, length 268
23:07:13.267533 IP 192.168.217.109.58043 > 192.168.217.170.33677: UDP, length 234
23:07:14.280798 IP 192.168.217.109.58044 > 192.168.217.200.49848: UDP, length 269
23:07:14.383495 IP 192.168.217.109.58044 > 192.168.217.200.49848: UDP, length 269
23:07:14.493953 IP 192.168.217.109.58044 > 192.168.217.200.49848: UDP, length 269
23:07:14.602572 IP 192.168.217.109.58044 > 192.168.217.200.49848: UDP, length 269
23:07:14.710550 IP 192.168.217.109.58044 > 192.168.217.200.49848: UDP, length 269

The .109 address is my son’s computer. The .170 address is a VIP shared by this server and another. The .200 address is the primary address of this server.

This is all the UDP ports that plex is listening on right now:

elyograg@smeagol:~/git/mail_status_check$ sudo lsof -Pn -i | grep plex | grep UDP
Plex\x20M    5275            plex   77u  IPv4    51951      0t0  UDP *:32414 
Plex\x20M    5275            plex   78u  IPv4    51954      0t0  UDP *:32410 
Plex\x20M    5275            plex   79u  IPv4    51955      0t0  UDP *:32412 
Plex\x20M    5275            plex   80u  IPv4    51956      0t0  UDP *:32413 
Plex\x20M    5275            plex   81u  IPv4    51957      0t0  UDP 127.0.0.1:58744 
Plex\x20M    5275            plex   82u  IPv4    51958      0t0  UDP 169.254.116.253:58979 
Plex\x20M    5275            plex   83u  IPv4    51959      0t0  UDP 169.254.0.2:44090 
Plex\x20M    5275            plex   84u  IPv4    51960      0t0  UDP 192.168.217.200:37440 
Plex\x20M    5275            plex   85u  IPv4    51961      0t0  UDP 192.168.217.170:55401 
Plex\x20M    5275            plex   86u  IPv4    51962      0t0  UDP 127.0.0.1:46839 
Plex\x20M    5275            plex   87u  IPv4    51963      0t0  UDP 169.254.116.253:51848 
Plex\x20M    5275            plex   88u  IPv4    51964      0t0  UDP 169.254.0.2:48373 
Plex\x20M    5275            plex   89u  IPv4    51965      0t0  UDP 192.168.217.200:55017 
Plex\x20M    5275            plex   90u  IPv4    51966      0t0  UDP 192.168.217.170:55310 
Plex\x20M    5275            plex   91u  IPv4    51967      0t0  UDP *:1901 
Plex\x20M    5275            plex   92u  IPv4    51968      0t0  UDP 169.254.116.253:47945 
Plex\x20M    5275            plex   93u  IPv4    51969      0t0  UDP 169.254.0.2:50056 
Plex\x20M    5275            plex   94u  IPv4    51970      0t0  UDP 192.168.217.200:49848 
Plex\x20M    5275            plex   95u  IPv4    51971      0t0  UDP 192.168.217.170:33677 

I see the 49848 and 33677 ports being blocked by UFW. Not sure about the others.
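
The manual comparison in the post above (destination ports in the capture against the sockets lsof reports) can be scripted. This is an added example, not part of the original thread: the function names are hypothetical and the sample input is constructed from the output formats shown above.

```python
import re
from collections import Counter

# Constructed samples in the `lsof -Pn -i` and `tcpdump -nn` formats shown in the thread.
LSOF = r"""
Plex\x20M    5275  plex   77u  IPv4  51951  0t0  UDP *:32414
Plex\x20M    5275  plex   94u  IPv4  51970  0t0  UDP 192.168.217.200:49848
Plex\x20M    5275  plex   95u  IPv4  51971  0t0  UDP 192.168.217.170:33677
"""
TCPDUMP = """
23:06:36.268364 IP 192.168.217.109.58024 > 192.168.217.200.49848: UDP, length 234
23:06:37.271545 IP 192.168.217.109.58025 > 192.168.217.170.33677: UDP, length 234
23:06:42.078125 ARP, Request who-has 192.168.217.170 tell 192.168.217.109, length 46
23:06:43.265830 IP 192.168.217.109.58026 > 192.168.217.200.49848: UDP, length 269
23:06:48.576250 IP 192.168.217.109 > 224.0.0.252: igmp v2 report 224.0.0.252
23:07:00.598945 IP 192.168.217.109.58037 > 255.255.255.255.8612: UDP, length 16
"""

# Matches only IPv4 UDP lines of the form "IP a.b.c.d.sport > a.b.c.d.dport: UDP".
UDP_FLOW = re.compile(r" IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): UDP")

def parse_lsof_udp(text):
    """Map (bind_address, port) -> (command, pid) for every UDP socket line."""
    sockets = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 9 and f[7] == "UDP":
            addr, _, port = f[8].rpartition(":")
            sockets[(addr, int(port))] = (f[0], int(f[1]))
    return sockets

def owner_of(dst, dport, sockets):
    """Prefer an exact interface-bound socket, then a wildcard (*) listener."""
    if (dst, dport) in sockets:
        return sockets[(dst, dport)][0], "interface-bound"
    if ("*", dport) in sockets:
        return sockets[("*", dport)][0], "wildcard"
    return None, "no listening socket"

def summarize(tcpdump_text, lsof_text):
    """Count captured UDP packets per (src, dst, dport, owning command, bind kind)."""
    sockets = parse_lsof_udp(lsof_text)
    counts = Counter()
    for m in UDP_FLOW.finditer(tcpdump_text):
        src, dst, dport = m[1], m[3], int(m[4])
        counts[(src, dst, dport, *owner_of(dst, dport, sockets))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(TCPDUMP, LSOF).most_common():
        print(n, *key)
```

Take the lsof snapshot and the capture during the same run of the service, since the interface-bound ports change on every restart and a stale snapshot will report "no listening socket" for traffic that is in fact reaching Plex.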

This doesn’t appear to be SSDP traffic, so it wouldn’t likely fall into the related/established bucket. Without the -A -vv options being set on the tcpdump command-line, it’s hard to see what this might be. But your son’s system is sending link-local multicast name resolution requests on the network, so some of the traffic could be related to that.

I meant to ask this question sooner, but is there a specific problem which you’re trying to solve? The answer to your original question (why is Plex listening on random, high UDP ports) is that it is itself sending (multicast, and likely other) traffic to which it is expecting replies. The network stack is assigning available UDP ports for this outbound traffic.

The ports shown in the document ChuckPa linked should show all the specific ports which need to be allowed through any local (on-server) firewall for all server features to be available. Everything else which should be allowed through should be handled by rules allowing related/established traffic. Anything else should be safe to drop (and the default UFW rules should handle the last two points).

It’s possible your son is running a Plex client (or even server?) on their own and there are some attempts at discovery taking place. That may explain some of the traffic. But given the limited packet capture provided, it’s hard to tell what protocols are involved. Only that there is traffic, and that it doesn’t appear to be SSDP (which should involve port 1900).

The specific problem I am trying to solve is unnecessary cruft in my logs, making it harder to troubleshoot real problems when they occur.

I have asked him and he says he’s not using my plex server. Who knows what kind of software he has installed on his system that may be generating odd traffic.

It’s PowerDVD.

Attached is a tcpdump with -Annvv, and the results of curling two of the URLs it has indicated.

suspect_traffic_tcpdump_Annvv.txt (12 KB)
suspect_http_57017.txt (2.2 KB)
suspect_http_50003.txt (2.3 KB)

It’s a good thing I don’t allow UPnP on my network.

Yep, that tracks.
