Creating a firewalld service for Plex Media Server

plex_firewalldI recently rebuilt my Plex Media Server box as a CentOS 7 VM running on Hyper-V on a Windows Server 2012 setup.

When I installed the rpm and started the service I found that I was unable to load the interface on my desktop. I knew that it was running because I installed netstat and I was able to see the port was open for traffic and I was also able to load the interface locally in lynx on the server.

UPDATE: At some point I rebuilt my server and I came back to this post to grab my config.  It turns out that I had a typo in one place and a missing command in another.  I have edited this post to correct the issues.  I have followed the new steps on several machines and this process does work without adding additional files in:
[code]/usr/lib/firewalld/services/[/code]
It turns out that there were two issues:

  1. SELinux
  2. firewalld

Disabling SELinux was as simple as editing the configuration file (/etc/selinux/config) and setting the value of selinux to disabled.

Dealing with firewalld was also initially simple as well:

[code language=”bash”]# systemctl stop firewalld[/code]

The problem with this approach is that I was completely disabling my server’s software firewall. The proper approach would be to create a ruleset that allows for the various ports of Plex Media Server to be open in my server’s active firewalld zone.

Fortunately this is relatively easy to accomplish:

  1. Create the new service configuration file in the services directory
    [code language=”bash”]# vi /etc/firewalld/services/plexmediaserver.xml[/code]
  2. Next add the ruleset using the XML format established for firewalld rules[code language=”xml”]
    <?xml version="1.0" encoding="utf-8"?>
    <service version="1.0">
    <short>plexmediaserver</short>
    <description>Plex TV Media Server</description>
    <port port="32400" protocol="tcp" />
    <port port="1900" protocol="udp" />
    <port port="3005" protocol="tcp" />
    <port port="5353" protocol="udp" />
    <port port="8324" protocol="tcp" />
    <port port="32410" protocol="udp"/>
    <port port="32412" protocol="udp"/>
    <port port="32413" protocol="udp"/>
    <port port="32414" protocol="udp"/>
    <port port="32469" protocol="tcp"/>
    </service>
    [/code]
  3. Save the service file
  4. Reload the firewalld configs
    [code language=”bash”]# firewall-cmd –reload
    success[/code]
  5. Add the service to your active zone (by default it is the public zone, but I have changed my default zone to be the home zone)
  6. [code language=”bash”]# firewall-cmd –permanent –zone=public –add-service=plexmediaserver
    success[/code]
  7. Restart the firewalld service[code language=”bash”]# systemctl restart firewalld.service[/code]
  8. You can get the defined service list from firewalld as follows:
    [code language=”bash”]# firewall-cmd –get-services
    RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn plexmediaserver pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https[/code]

Now that this is done you should be able to hit the Plex Media Server web interface from a web browser on any other machine in your network.

5 thoughts on “Creating a firewalld service for Plex Media Server

  1. Thanks Andy,

    Simple, concise and made it easy to migrate from CentOS 6 and iptables to CentOS 7.

    I did have to change a few steps to complete the job on my instance, specifically:

    i. I called my service file ‘plexmediaserver.xml’, I don’t know if this was a problem, but the zones were listed as xml files.

    ii. I believe you meant point 5 to be ‘systemctl start firewalld.service’ (‘start’ not ‘stop’)

    iii. I had to execute ‘firewall-cmd –permanent –add-service=plexmediaserver’ command to register the service before adding the service to the zone. Otherwise I was getting an ‘INVALID_SERVICE’ error.

    Thanks again,

    Cheers,
    Jim

  2. I found that adding a service entry in the public zone was needed as well.

    # cat /etc/firewalld/zones/public.xml

    Public
    For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

    You’ll also notice that I added that forward-port statement as well. That makes it so the plex WebUI works on the default port 80 rather than having to use host.com:32400/

    Thanks for the article very helpful. I’m going to try to get all of this working with SELinux turned on. I’ll let you know what I come up with.

  3. Whoops, the Zone file XML was missing.


    I found that adding a service entry in the public zone was needed as well.

    # cat /etc/firewalld/zones/public.xml

    Public
    For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

    You'll also notice that I added that forward-port statement as well. That makes it so the plex WebUI works on the default port 80 rather than having to use host.com:32400/

    Thanks for the article very helpful. I'm going to try to get all of this working with SELinux turned on. I'll let you know what I come up with.

  4. This didn’t work for me:-
    /etc/firewalld/services/plexmediaserver.conf
    I had to name it this instead:-
    /etc/firewalld/services/plexmediaserver.xml
    and then after a firewalld restart it worked fine.
    [Centos 7]

  5. For those getting an ‘INVALID_SERVICE’ error. you just need to create plexmediaserver.xml file on /usr/lib/firewalld/services/ with the same content of plexmediaserver.conf restart the firewalld service and it will work 🙂

Leave a Reply

%d bloggers like this: