beStream/docs/OPENING_PORTS.md
2025-12-14 12:57:37 +01:00

Opening Firewall Ports for *Arr Services

To access Radarr, Sonarr, and Lidarr from other devices on your network (or remotely), you need to open the required ports in your firewall.

Required Ports

Service            Port   Purpose
Radarr             7878   Movies management
Sonarr             8989   TV Shows management
Lidarr             8686   Music management
beStream Backend   3001   Streaming server (optional)

Quick Method: Use the Script

The easiest way is to use the provided script:

sudo bash scripts/open-ports.sh

This will automatically:

  • Install UFW if needed
  • Enable UFW firewall
  • Open all required ports
  • Show the current firewall status

Manual Method: Using UFW

If you prefer to do it manually:

1. Check if UFW is installed

which ufw

If not installed:

sudo apt update
sudo apt install -y ufw

2. Enable UFW (if not already enabled)

sudo ufw enable

3. Open the ports

# Radarr (Movies)
sudo ufw allow 7878/tcp comment 'Radarr'

# Sonarr (TV Shows)
sudo ufw allow 8989/tcp comment 'Sonarr'

# Lidarr (Music)
sudo ufw allow 8686/tcp comment 'Lidarr'

# beStream Backend (optional)
sudo ufw allow 3001/tcp comment 'beStream Backend'

4. Verify ports are open

sudo ufw status numbered

You should see entries for ports 7878, 8989, 8686, and 3001.
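
The rules in step 3 accept connections from any source address. The script below is an added example, not part of the beStream repository or its scripts/open-ports.sh: it prints the same four rules limited to one source network, which is what "Restrict source IPs" under Security Best Practices asks for. The function names and the 192.168.1.0/24 subnet are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: print source-restricted UFW rules for the ports in this guide.
# Nothing is applied; review the printed lines, then run them with sudo.

# Port and rule comment for each service, as listed under "Required Ports".
arr_services() {
    cat <<'EOF'
7878 Radarr
8989 Sonarr
8686 Lidarr
3001 beStream Backend
EOF
}

# valid_cidr4 A.B.C.D/N: succeeds for a well-formed IPv4 CIDR with N from 1 to 32.
# A /0 prefix is refused because it means "anywhere", the case this example avoids.
valid_cidr4() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    old_ifs=$IFS; IFS=./
    set -- $1                      # split into four octets and the prefix length
    IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    [ "$5" -ge 1 ] && [ "$5" -le 32 ]
}

# arr_ufw_rules CIDR: print one "ufw allow" command per service for that source.
arr_ufw_rules() {
    valid_cidr4 "$1" || { echo "refusing source '$1'" >&2; return 1; }
    arr_services | while read -r port name; do
        printf "ufw allow from %s to any port %s proto tcp comment '%s'\n" \
            "$1" "$port" "$name"
    done
}

# 192.168.1.0/24 is a constructed sample LAN; pass your own subnet as argument 1.
arr_ufw_rules "${1:-192.168.1.0/24}"
```

If you administer the server over SSH, add an allow rule for your SSH port before running ufw enable, because UFW denies incoming connections by default.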

Alternative: Using iptables

If you're using iptables instead of UFW:

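# Note: -A appends each rule to the end of the INPUT chain. If the chain
# already contains a DROP or REJECT rule, rules appended after it are never reached.

# Radarr
sudo iptables -A INPUT -p tcp --dport 7878 -j ACCEPT

# Sonarr
sudo iptables -A INPUT -p tcp --dport 8989 -j ACCEPT

# Lidarr
sudo iptables -A INPUT -p tcp --dport 8686 -j ACCEPT

# beStream Backend
sudo iptables -A INPUT -p tcp --dport 3001 -j ACCEPT

# Save rules (Ubuntu/Debian; requires the iptables-persistent package)
sudo netfilter-persistent save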

Cloud Provider Firewalls

If your server is on a cloud provider (AWS, DigitalOcean, Azure, etc.), you also need to configure their firewall:

AWS (Security Groups)

  1. Go to EC2 → Security Groups
  2. Edit inbound rules
  3. Add rules for ports 7878, 8989, 8686, 3001
  4. Set the source to your own IP, or to 0.0.0.0/0 (less secure: this opens the ports to the entire internet)

DigitalOcean (Firewalls)

  1. Go to Networking → Firewalls
  2. Create or edit firewall
  3. Add inbound rules for the ports
  4. Apply to your droplet

Azure (Network Security Groups)

  1. Go to Network Security Groups
  2. Add inbound security rules
  3. Configure ports and source IPs

Router Configuration (For Remote Access)

If you want to access from outside your local network:

  1. Find your server's local IP:

    hostname -I
    
  2. Configure port forwarding on your router:

    • Log into your router's admin panel
    • Find "Port Forwarding" or "Virtual Server" settings
    • Forward external ports to your server's IP:
      • External 7878 → Internal 7878 (Radarr)
      • External 8989 → Internal 8989 (Sonarr)
      • External 8686 → Internal 8686 (Lidarr)
      • External 3001 → Internal 3001 (beStream)
  3. Security Note:

    • Consider using a VPN instead of exposing ports directly
    • Use a reverse proxy with SSL (nginx/caddy) for HTTPS
    • Change default ports if exposing publicly

Testing Port Access

From the server itself:

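# Test if services are listening
# (the leading ':' and trailing \b keep the pattern from matching PIDs or longer port numbers)
sudo netstat -tulpn | grep -E ':(7878|8989|8686|3001)\b'

# Or using ss
sudo ss -tulpn | grep -E ':(7878|8989|8686|3001)\b'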

From another device:

# Test if ports are accessible
telnet YOUR_SERVER_IP 7878
telnet YOUR_SERVER_IP 8989
telnet YOUR_SERVER_IP 8686
telnet YOUR_SERVER_IP 3001

# Or using nc (netcat)
nc -zv YOUR_SERVER_IP 7878
nc -zv YOUR_SERVER_IP 8989
nc -zv YOUR_SERVER_IP 8686
nc -zv YOUR_SERVER_IP 3001

Troubleshooting

Ports are open but can't connect

  1. Check if services are running:

    sudo systemctl status radarr
    sudo systemctl status sonarr
    sudo systemctl status lidarr
    
  2. Check if services are listening on the right interface:

    • Services should listen on 0.0.0.0 (all interfaces), not just 127.0.0.1
    • Check service configuration files
  3. Check firewall status:

    sudo ufw status verbose
    
  4. Check service logs:

    sudo journalctl -u radarr -n 50
    sudo journalctl -u sonarr -n 50
    sudo journalctl -u lidarr -n 50
    

Services only accessible locally

If you can access services on the server but not from other devices:

  1. Check service configuration:

    • Services should bind to 0.0.0.0, not 127.0.0.1
    • Check /var/lib/radarr/config.xml (or similar for other services)
  2. Check firewall rules:

    sudo ufw status numbered
    
  3. Check if the port is actually open:

    sudo ufw status | grep 7878
    

Security Best Practices

  1. Use a VPN for remote access instead of exposing ports publicly
  2. Use a reverse proxy (nginx/caddy) with SSL certificates
  3. Change default ports if exposing publicly
  4. Use strong API keys and don't share them
  5. Restrict source IPs in firewall rules if possible
  6. Keep services updated regularly
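
To check item 5 against a running firewall, the added example below (not code from the beStream repository) reads `ufw status` output and lists which of this guide's ports still accept connections from Anywhere. The function names are assumptions, and the embedded status text is a constructed sample modeled on UFW's column layout.

```sh
#!/bin/sh
# Added example: flag ALLOW/LIMIT rules on the guide ports that are open to Anywhere.

# world_open_arr_ports: reads `ufw status` text on stdin and prints
# "PORT FAMILY" for every rule on 7878/8989/8686/3001 whose source is Anywhere.
world_open_arr_ports() {
    awk '
        BEGIN { split("7878 8989 8686 3001", p, " "); for (i in p) watch[p[i]] = 1 }
        {
            sub(/[ \t]*#.*$/, "")          # drop the trailing rule comment
            split($1, to, "/")             # "7878/tcp" -> port 7878
            if (!(to[1] in watch)) next    # headers and other ports are skipped
            n = 2
            if ($n == "(v6)") { fam = "IPv6"; n++ } else fam = "IPv4"
            action = $n; n++
            if ($n == "IN") n++            # `ufw status verbose` prints "ALLOW IN"
            if ((action == "ALLOW" || action == "LIMIT") && $n == "Anywhere")
                print to[1], fam
        }
    '
}

# Constructed sample input, not captured from a real host.
sample_ufw_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere                   # SSH
7878/tcp                   ALLOW       Anywhere                   # Radarr
8989/tcp                   ALLOW       192.168.1.0/24             # Sonarr
8686/tcp                   ALLOW       192.168.1.0/24             # Lidarr
3001/tcp                   ALLOW       Anywhere                   # beStream Backend
7878/tcp (v6)              ALLOW       Anywhere (v6)              # Radarr
3001/tcp (v6)              ALLOW       Anywhere (v6)              # beStream Backend
EOF
}

# Stand-alone run on the sample; on a server use: sudo ufw status | world_open_arr_ports
sample_ufw_status | world_open_arr_ports
```

An empty result means every rule on these ports names a specific source; each printed line is a rule to replace with a source-restricted one.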

Next Steps

After opening ports:

  1. Verify services are running
  2. Test access from another device
  3. Get API keys from each service
  4. Configure beStream to connect