# Opening Firewall Ports for *Arr Services

To access Radarr, Sonarr, and Lidarr from other devices on your network (or remotely), you need to open the required ports in your firewall.

## Required Ports

| Service | Port | Purpose |
|---------|------|---------|
| Radarr | 7878 | Movies management |
| Sonarr | 8989 | TV Shows management |
| Lidarr | 8686 | Music management |
| beStream Backend | 3001 | Streaming server (optional) |

## Quick Method: Use the Script

The easiest way is to use the provided script:

```bash
sudo bash scripts/open-ports.sh
```

This will automatically:

- Install UFW if needed
- Enable UFW firewall
- Open all required ports
- Show the current firewall status

## Manual Method: Using UFW

If you prefer to do it manually:

### 1. Check if UFW is installed

```bash
which ufw
```

If not installed:

```bash
sudo apt update
sudo apt install -y ufw
```

### 2. Enable UFW (if not already enabled)

```bash
sudo ufw enable
```

### 3. Open the ports

```bash
# Radarr (Movies)
sudo ufw allow 7878/tcp comment 'Radarr'

# Sonarr (TV Shows)
sudo ufw allow 8989/tcp comment 'Sonarr'

# Lidarr (Music)
sudo ufw allow 8686/tcp comment 'Lidarr'

# beStream Backend (optional)
sudo ufw allow 3001/tcp comment 'beStream Backend'
```

### 4. Verify ports are open

```bash
sudo ufw status numbered
```

You should see entries for ports 7878, 8989, 8686, and 3001.

## Alternative: Using iptables

If you're using iptables instead of UFW:

```bash
# Radarr
sudo iptables -A INPUT -p tcp --dport 7878 -j ACCEPT

# Sonarr
sudo iptables -A INPUT -p tcp --dport 8989 -j ACCEPT

# Lidarr
sudo iptables -A INPUT -p tcp --dport 8686 -j ACCEPT

# beStream Backend
sudo iptables -A INPUT -p tcp --dport 3001 -j ACCEPT

# Save rules (Ubuntu/Debian)
sudo netfilter-persistent save
```

## Cloud Provider Firewalls

If your server is on a cloud provider (AWS, DigitalOcean, Azure, etc.), you also need to configure their firewall:

### AWS (Security Groups)

1. Go to EC2 → Security Groups
2. Edit inbound rules
3. Add rules for ports 7878, 8989, 8686, 3001
4. Allow from your IP or 0.0.0.0/0 (less secure)

### DigitalOcean (Firewalls)

1. Go to Networking → Firewalls
2. Create or edit firewall
3. Add inbound rules for the ports
4. Apply to your droplet

### Azure (Network Security Groups)

1. Go to Network Security Groups
2. Add inbound security rules
3. Configure ports and source IPs

## Router Configuration (For Remote Access)

If you want to access from outside your local network:

1. **Find your server's local IP:**

   ```bash
   hostname -I
   ```

2. **Configure port forwarding on your router:**
   - Log into your router's admin panel
   - Find "Port Forwarding" or "Virtual Server" settings
   - Forward external ports to your server's IP:
     - External 7878 → Internal 7878 (Radarr)
     - External 8989 → Internal 8989 (Sonarr)
     - External 8686 → Internal 8686 (Lidarr)
     - External 3001 → Internal 3001 (beStream)

3. **Security Note:**
   - Consider using a VPN instead of exposing ports directly
   - Use reverse proxy with SSL (nginx/caddy) for HTTPS
   - Change default ports if exposing publicly

## Testing Port Access

### From the server itself:

```bash
# Test if services are listening
sudo netstat -tulpn | grep -E '7878|8989|8686|3001'

# Or using ss
sudo ss -tulpn | grep -E '7878|8989|8686|3001'
```

### From another device:

```bash
# Test if ports are accessible
telnet YOUR_SERVER_IP 7878
telnet YOUR_SERVER_IP 8989
telnet YOUR_SERVER_IP 8686
telnet YOUR_SERVER_IP 3001

# Or using nc (netcat)
nc -zv YOUR_SERVER_IP 7878
nc -zv YOUR_SERVER_IP 8989
nc -zv YOUR_SERVER_IP 8686
nc -zv YOUR_SERVER_IP 3001
```

## Troubleshooting

### Ports are open but can't connect

1. **Check if services are running:**

   ```bash
   sudo systemctl status radarr
   sudo systemctl status sonarr
   sudo systemctl status lidarr
   ```

2. **Check if services are listening on the right interface:**
   - Services should listen on `0.0.0.0` (all interfaces), not just `127.0.0.1`
   - Check service configuration files

3. **Check firewall status:**

   ```bash
   sudo ufw status verbose
   ```

4. **Check service logs:**

   ```bash
   sudo journalctl -u radarr -n 50
   sudo journalctl -u sonarr -n 50
   sudo journalctl -u lidarr -n 50
   ```

### Services only accessible locally

If you can access services on the server but not from other devices:

1. **Check service configuration:**
   - Services should bind to `0.0.0.0`, not `127.0.0.1`
   - Check `/var/lib/radarr/config.xml` (or similar for other services)

2. **Check firewall rules:**

   ```bash
   sudo ufw status numbered
   ```

3. **Check if port is actually open:**

   ```bash
   sudo ufw status | grep 7878
   ```

## Security Best Practices

1. **Use a VPN** for remote access instead of exposing ports publicly
2. **Use a reverse proxy** (nginx/caddy) with SSL certificates
3. **Change default ports** if exposing publicly
4. **Use strong API keys** and don't share them
5. **Restrict source IPs** in firewall rules if possible
6. **Keep services updated** regularly

## Next Steps

After opening ports:

1. ✅ Verify services are running
2. ✅ Test access from another device
3. ✅ Get API keys from each service
4. ✅ Configure beStream to connect
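
## Example: Auditing for World-Open *Arr Ports

The "Restrict source IPs" practice above can be checked against the rules created in the manual UFW steps. This is an added example, not the project's `scripts/open-ports.sh`: it reads `ufw status` output, lists the *Arr ports allowed from any source, and prints LAN-only replacement rules. The `LAN_CIDR` value, the function names, and the sample status text are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not the project's scripts/open-ports.sh).
ARR_PORTS="7878 8989 8686 3001"   # ports from the Required Ports table
LAN_CIDR="192.168.1.0/24"         # assumption: replace with your own LAN range

# Constructed sample of `sudo ufw status` output, not captured from a real host.
sample_status() {
  cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
7878/tcp                   ALLOW       Anywhere                   # Radarr
8989/tcp                   ALLOW       192.168.1.0/24             # Sonarr
8686/tcp                   ALLOW       Anywhere                   # Lidarr
7878/tcp (v6)              ALLOW       Anywhere (v6)              # Radarr
EOF
}

# Read `ufw status` text on stdin and print each *Arr port that is allowed
# from Anywhere, once per port even if IPv4 and IPv6 entries both exist.
world_open_ports() {
  awk -v ports="$ARR_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    /ALLOW/ && /Anywhere/ {
      split($1, a, "/")                      # "7878/tcp" -> "7878"
      if ((a[1] in want) && !seen[a[1]]++) print a[1]
    }'
}

# Print a LAN-only rule for every world-open port found on stdin.
# The old rule still has to be removed afterwards: find its number with
# `sudo ufw status numbered` and delete it with `sudo ufw delete <number>`.
restrict_commands() {
  for port in $(world_open_ports); do
    echo "ufw allow from ${LAN_CIDR} to any port ${port} proto tcp"
  done
}

# On a live host: sudo ufw status | restrict_commands
sample_status | restrict_commands
```

The printed commands are only suggestions to review and run with `sudo`; nothing in the block changes the firewall.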