> Okay, I haven't read the spec either (geez, I hope someone does ;) but I
> suspect that the UPnP request contains some kind of "service-type" field in
> the request, so you can allow (for example) VoIP but not Computer games
> (previous emails described it using soap, and soap is great at having
> millions of fields).

Yes, it does. And I haven't finished the specs, but it would be absolutely ignorant if a device couldn't permit/deny based on the service type. I'm pretty sure it would, but I'm open to corrections.

> Am I right in assuming that once you have a UPnP service running you no
> longer need conntracks? The programs themselves will poke holes in the
> firewall and understand how to use them, so the SIP program (for a topical
> example) would correctly reformat the SIP command stream to handle the
> firewall as the external interface. If it doesn't do this, it should :) It
> sounds like a great way to get around the whole NAT problem (yeah, I know,
> you have to re-tool all your apps, but at least new systems can make use of
> it).
>
> Alfred

No. The UPnP server is not a gateway/proxy. It simply runs a service that allows the Messenger client (or any other client, for that matter) to know the outside interface's address and to notify the client that it is basically behind a firewall and that it can take care of hooking into whatever it needs to (here, netfilter) to service the client's wishes. That's why it seems sort of scary: a device on the firewall allowing the client to control what goes on.

What it actually does is tell netfilter "Hey, this program needs some UDP ports" (or TCP; usually UDP, since that's what SIP is primarily carried on if possible) and netfilter allocates some ports for it. MSN Messenger knows what ports it wants to use; it uses UPnP to know to encapsulate the external IP in its SIP messages (the SDP is carried within the SIP message, I believe). The UPnP service would then need to be able to map the ports netfilter allocated to the ports that MSN is expecting to use and forward that traffic to the inside. (This mapping allows for the fact that many messenger clients, since the ports they request are random, won't collide on the same ports.)

So I believe the answer to your question is that UPnP is hooking into netfilter telling it what it needs, and then telling netfilter to conntrack this info. Netfilter would have to be involved.

Glover
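As an added illustration, not from anyone in the thread, here is a small Python model of the gateway side Glover describes: a LAN client asks for a port mapping, the gateway applies the permit/deny policy on service type (and refuses to open ports to a host other than the requester), picks another external port when the requested one is already taken, and records the netfilter DNAT rule the mapping needs. The service names, addresses and ports are constructed.

```python
"""Model of the UPnP IGD port-mapping step: client requests an external port,
the gateway applies policy, allocates a port, stores the mapping and emits the
netfilter DNAT rule that forwards the traffic inward.
All addresses, ports and service names below are constructed for illustration."""
from dataclasses import dataclass

ALLOWED_SERVICES = {"voip-sip", "messenger"}   # constructed allowlist
EXT_IP = "203.0.113.7"                          # constructed external address


@dataclass(frozen=True)
class Mapping:
    proto: str
    ext_port: int
    int_ip: str
    int_port: int
    service: str


class Gateway:
    def __init__(self, ext_ip=EXT_IP, low=1024, high=65535):
        self.ext_ip, self.low, self.high = ext_ip, low, high
        self.table = {}   # (proto, ext_port) -> Mapping

    def external_ip(self):
        # What the client learns first: the outside interface's address
        return self.ext_ip

    def add_mapping(self, requester_ip, proto, ext_port, int_ip, int_port, service):
        # Policy 1: permit/deny on the declared service type
        if service not in ALLOWED_SERVICES:
            return None, "denied: service type not permitted"
        # Policy 2: a client may only open ports towards itself
        if requester_ip != int_ip:
            return None, "denied: internal client must be the requester"
        if proto not in ("tcp", "udp"):
            return None, "denied: unknown protocol"
        # Collision handling: requested external port taken or out of range ->
        # allocate the first free one, as the mail describes netfilter doing
        port = ext_port
        if (proto, port) in self.table or not (self.low <= port <= self.high):
            port = next((p for p in range(self.low, self.high + 1)
                         if (proto, p) not in self.table), None)
            if port is None:
                return None, "denied: no free external ports"
        m = Mapping(proto, port, int_ip, int_port, service)
        self.table[(proto, port)] = m
        return m, "ok"

    def dnat_rule(self, m):
        # The netfilter rule that maps the allocated external port inward
        return (f"iptables -t nat -A PREROUTING -d {self.ext_ip} -p {m.proto} "
                f"--dport {m.ext_port} -j DNAT --to-destination {m.int_ip}:{m.int_port}")
```

The client would use the returned mapping's `ext_port` (not the one it asked for) when it writes the external address into its SIP/SDP, which is exactly the remapping the mail says the UPnP service must perform.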