SSDP requires UDP packets being sent and received. I know UDP can be used to completely defeat the firewall, so being careful when enabling it is important. This question deals with an embedded device/camera which uses SSDP to discover a backup server running on a router in the network.
I modified the server config as described below. The question is: can I do that without compromising security?
Although SSDP requires UDP packets being sent, in the server's/router's /etc/shorewall/interfaces file I did not enable UDP.
net enp2s0 dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc enp3s0 dhcp,tcpflags,nosmurfs,routefilter,logmartians
The communication between the embedded device and the server's application works like this:
UDP 192.168.1.150:24234 (Device) --> 239.255.255.250:1900 (SSDP Multicast)
UDP 192.168.1.20:1900 (Server) --> 192.168.1.150:24234 (Device). (includes server port number, in this case 52235)
tcp http GET 192.168.1.150:24234 (Device) --> 192.168.1.20:52235 (server:port)
tcp http POST 192.168.1.150:24234 (Device) --> 192.168.1.20:52235 (server:port)
....
What I did was to create a new zone which allows the server to listen to multicast packets.
/etc/shorewall/zones file: added a zone
mc ipv4
/etc/shorewall/hosts file: added a host
mc enp3s0:224.0.0.0/4 destonly
/etc/shorewall/policy file: added
mc all REJECT INFO
all mc REJECT INFO
/etc/shorewall/rules file: added the rules
ACCEPT $FW mc udp 1900
ACCEPT loc $FW udp 1900
I also added a route to make the multicast address reachable from the server.
route add -net 239.0.0.0 netmask 255.0.0.0 enp3s0
I also enabled multicast in the shorewall config (/etc/shorewall/conf file):
MULTICAST=Yes
With this setup, the device can use the backup application on the server.
However, is there now an obvious security issue I missed?
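Because the rule ACCEPT loc $FW udp 1900 lets any host in loc reach the SSDP port, the thing worth checking on the receiving side is whether a unicast SSDP reply can be trusted. The following is an added Python example, not code from the question or from Shorewall: it parses an SSDP (HTTP-over-UDP) response like the one the server sends back to the device and accepts its LOCATION only when it names the datagram's actual sender inside the LAN. The 192.168.1.0/24 subnet, the description.xml path and the helper names are assumptions; the addresses and port 52235 come from the exchange described above.

```python
import ipaddress
from urllib.parse import urlsplit

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed local subnet

# Constructed SSDP response, modelled on the question's exchange: the server
# on 192.168.1.20 answers the device's M-SEARCH unicast and advertises the
# HTTP port (52235) in LOCATION.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:backup-server-example::upnp:rootdevice\r\n"
    "LOCATION: http://192.168.1.20:52235/description.xml\r\n"
    "\r\n"
).encode()

def parse_ssdp(datagram: bytes) -> dict:
    """Return the status line under '_status' and headers upper-cased."""
    text = datagram.decode("utf-8", errors="replace")
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {"_status": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def location_is_trusted(headers: dict, sender_ip: str) -> bool:
    """Accept LOCATION only if it is plain http, names the address the
    datagram actually came from, and that address lies inside the LAN.
    A LOCATION pointing somewhere else is the classic rogue-responder sign."""
    loc = headers.get("LOCATION")
    if not loc or not headers["_status"].startswith("HTTP/1.1 200"):
        return False
    url = urlsplit(loc)
    if url.scheme != "http" or not url.hostname:
        return False
    try:
        host = ipaddress.ip_address(url.hostname)
    except ValueError:
        return False  # a DNS name would need resolution; reject outright
    return host == ipaddress.ip_address(sender_ip) and host in LAN

if __name__ == "__main__":
    hdrs = parse_ssdp(SAMPLE_RESPONSE)
    print(hdrs["LOCATION"], location_is_trusted(hdrs, "192.168.1.20"))
```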