Which URLs are needed for LibreELEC (Core)?

  • Hello,

    I would like to limit the outgoing traffic from my LibreELEC to what is needed. That is to make sure the media player is not connecting to all kinds of commercial services or worse. So I wonder if someone (the developers?) could publish a list of all URLs needed by the LibreELEC core.

    With that list I could allow those sites in my Firewall and block the rest :)

    Note that LibreElec (without any plugins) is connecting to IP-sources not even known to the DNS !! :evil::evil:

    A very first(!) investigation in my firewall log showed me the IPv4 addresses below this mail. Probably there are more and perhaps there are relevant IPv6 addresses as well (did not notice them in the FW-log).

    Sincerely,


    Louis


    89.102.0.150 => mirror.karneval.cz (open source code mirroring service, it seems)

    94.8.197.22 => mirror.netcologne.de (open source code mirroring service, it seems)

    46.101.13.226 => CAN NOT RESOLVE!!?? (web01.libreelec.tv. Other domains hosted on this hardware 46.101.13.226 are libreelec.tv, 46.101.13.226. may be!)

    207.154.220.125 => CAN NOT RESOLVE!!??

    93.187.10.106 => mirror.wearetriple.com (seems to contain software libraries)

    89.16.176.16 => dharma.dh.bytemark.co.uk (seems to contain source code updates)

    151.101.0.133 CAN NOT RESOLVE!! ????

    134.209.250.70 CAN NOT RESOLVE!! ????

    212.227.81.55 ipv4.connman.net (seems to be related to a communication package used)

    129.250.35.251:123 y.ns.gin.ntt.net NTP (ntp service, that is OK, however normal practice is to use the DHCP server provided NTP)

    224.0.0.251:5353 => MDNS

    224.0.0.22 igmp.mcast.net => IGMP (I assume to find local media sources)

    If the DNS can not resolve the IP-address ........ I normally do not trust the IP-address at all !!!! :dodgy:

    • Official Post

    ConnMan checks ipv4.connman.net on boot to see if it's online or not. If the network is online Kodi will then start and numerous Kodi add-ons will check for updates by making a request to a Kodi URL which will redirect to a mirror hosted by one of 30+ independent mirror sites. Kodi uses mirrorbits which will geolocate your IP and recommend a server near to you, but you have no control over which one. The LE settings add-on will also start and check our infra for updates. This request is fulfilled by our infrastructure but if you choose to update the request will be redirected to one of our mirror sites and mirrorbrain will redirect you - and you have no control over which one. Individual add-ons that you install may also check for stuff.

    Both LE and Kodi devs are quite security conscious, but we're also a simple client OS designed for watching TV so security is a deliberate and measured compromise around ease-of-use and we're not attempting to be the most secure device possible (as that OS is a pain in the arse for noob users to work with). TL/DR; If you don't trust LE/Kodi .. place it in a separate VLAN on your network and implement firewall rules to prevent it reaching other devices.

  • Hello,

    Chewitt thanks for the answer !!

    I will try to tune my firewall.

    - allowing connman

    - I do not use add-ons, so no rules needed for that

    - your remark on "a Kodi URL is vague" which one :)

    - the role of mirrorbits is clear

    - not using the DHCP-server provided NTP-service, that it

    Problem is that I do understand your mail, but I can only partly map your explanation to the URLs / IP messages seen in the FW-log. Perhaps the DNS-log provides more info. Rather strange are the IP-addresses which could not be resolved by the DNS!

    To notice, I am using pfSense as Firewall, and the network is divided in VLANs. LibreELEC/Kodi is situated in my IOT-VLAN


    Louis

    • Official Post

    The LE settings add-on checks for updates against update.libreelec.tv which is on 46.101.13.226 which also hosts our main website, and PTR records for that server are probably wrong or out of date. Kodi uses add-ons (so you're using some, even if you don't use add-ons) and Kodi will redirect checks all over the place based on mirrorbits redirection so you will always see some "random" connections.

  • Hello,

    I looked at the DNS-log

    localhost.iot.lan => The device itself (OK)

    pool.ntp.org => NTP (OK)

    ipv4.connman.net => ???? not really needed IMHO, but probably not a risk so I did allow

    update.libreelec.tv => Logical (OK)

    releases.libreelec.tv => Logical (OK)

    addons.libreelec.tv => Logical (OK)

    mirrors.kodi.tv => Do not understand for which kind of data ? (I did allow for now)

    wpad.iot.lan => Do not understand for which reason? (I did allow for now)

    raw.githubusercontent.com => Does feel groovy (I did block it for the moment)

    libreelect.tv

    46.101.13.226 Hardware IP Address located in England, United Kingdom shows

    Recent Domains/Hosts on this IP: libreelec.tv
    46.101.13.226


    Louis
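
Added example (not part of any post in this thread, and not LibreELEC or pfSense code): since PTR records can be missing or out of date, as the thread notes for 46.101.13.226, a firewall-logged destination can instead be explained by matching it against the forward DNS answers the device received. The simplified log formats, the client address 10.0.20.15, and every IP other than 46.101.13.226 are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data in an assumed, simplified format (not real pfSense
# output). Only update.libreelec.tv -> 46.101.13.226 comes from the thread;
# every other address is a documentation-range placeholder.
DNS_LOG = """\
10.0.20.15 update.libreelec.tv 46.101.13.226
10.0.20.15 mirrors.kodi.tv 192.0.2.10
10.0.20.15 ipv4.connman.net 198.51.100.7
"""
FW_LOG = """\
10.0.20.15 46.101.13.226:443
10.0.20.15 192.0.2.10:443
10.0.20.15 203.0.113.99:443
10.0.20.15 224.0.0.251:5353
"""

# RFC 1918 ranges; explicit because ipaddress.is_private also covers the
# documentation ranges used as placeholders above.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_answer_map(dns_log):
    """Map each answered IP to the set of names the client asked for."""
    answers = defaultdict(set)
    for line in dns_log.splitlines():
        if line.strip():
            _client, name, ip = line.split()
            answers[ip].add(name)
    return answers

def classify(fw_log, answers):
    """Label each IPv4 destination: resolved, local, or unexplained."""
    verdicts = {}
    for line in fw_log.splitlines():
        if not line.strip():
            continue
        _src, dst = line.split()
        ip = ipaddress.ip_address(dst.rsplit(":", 1)[0])
        if str(ip) in answers:
            verdicts[str(ip)] = ("resolved", sorted(answers[str(ip)]))
        elif ip.is_multicast or any(ip in net for net in LOCAL_NETS):
            verdicts[str(ip)] = ("local", [])
        else:  # contacted without a preceding forward lookup
            verdicts[str(ip)] = ("unexplained", [])
    return verdicts

if __name__ == "__main__":
    for ip, (label, names) in classify(FW_LOG, build_answer_map(DNS_LOG)).items():
        print(f"{ip:<16} {label:<12} {', '.join(names)}")
```

Destinations labelled "unexplained" are the ones worth reviewing before writing an allow rule; "resolved" ones can be allowed by hostname alias rather than by fixed IP.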