SOLVED: Changed Network Prefix under Access Entries and TVHeadEnd couldn't communicate with itself.

K Shea

I wanted to restrict TVHeadEnd to use only on my local network and while my router's firewall probably does that I still wanted to change the Network Prefix under Access entries, to something like 192.168.10.0/24 to increase security. When I did that, everything on my local network could get in fine, BUT TVHeadEnd could not communicate with itself! Now admittedly I have a bit of an unusual situation where TVHeadEnd has to be able to access its own streaming output for additional processing, but that's not really relevant. All I would really like to know is if there any way to change my Network Prefix value so that TVHeadEnd can stream to itself, but that limits access to my local network?
<<

ProfYaffle

Not sure about whether it's the ACL that would prevent that - thought the fact that the problem appears when you change it would be suspicious, I agree... I'd guess that it's using the loopback address and not the "real" IP address, which is normal for a Linux system. That means it's using 127.0.0.1, so try adding a rule for that as well.

You can confirm whether it's the ACL in the debug messages, as I think something is written out to the log if wrong credentials are given - in this case, a not-allowed address.

K Shea

The only error message it gives is "subscription: 004D: No input source available for subscription" which I think means it doesn't receive a signal on the specified address. I also had the thought that using 127.0.0.1 might work, but how do you use two IP addresses (or ranges) for the same rule? My guess would be that when a request comes in it goes through the ACL looking for a name and password match first and if it finds one it then checks the ACL to see if access is allowed, and if not it just denies the request. So I just wondered if something like 192.168.10.0/24, 127.0.0.1 would be legal syntax (or maybe with just a space and no comma). I have to be very careful not to lock myself out of the system because there's no desktop or GUI on the actual system running TVHeadEnd, so I'd be kind of screwed if I denied myself access by using improper syntax for the Access Entries.

K Shea

After some clarification it turns out that192.168.10.0/24,127.0.0.1/32 is the correct format in this case. TVHeadEnd wants to see address ranges (it will add the /32 if you only specify a single IP address) but multiple ranges are separated by commas or semicolons.