On Monday 08 April 2002 03:28, Tom Marshall wrote: > The difference is that a SIP proxy will only allow stuff that looks > like SIP through the firewall. This UPnP protocol looks like it > will allow pretty much anything, including the ability to expose an > internal machine's listen sockets to the outside world and thus be > effectively in front of the firewall.
Indeed. > Choices are good, yes. If you want this UPnP thing, I don't think > anyone will fault you for writing it. But I don't think many > people here will jump on board and help you, either. It sounds > like a very insecure and dangerous protocol. Not all are here because of firewalling and locking in the users. UPnP portmapping has it's application space, mainly NAT. In precense of NAT UPnP greatly simplifies the deployment of N-directional protocols. UPnP portmapping as such do not probit firewalling. The exact same firewalling as you whould do without UPnP can still be applied, except that UPnP provides you some additional hints you can use and removes the need of having to support NAT for all the protocols. Only because the application has requested a port to be opened do not say that your firewall will allow it until it has seen further proof that this port is to be used in accordance with your firewalling policy. How to best plug UPnP into netfilter connection tracking is not entirely obvious. There is a slight conflict between the need of protocol connection tracking for firewalling and the port forwarding registration of UPnP. If something I think this discussion has made this clear. Some new concepts will be required to do this proper I think. * conntrack/nat helpers may need to be adjusted to recognise the "external" IP of a SNAT:ed connection as OK and avoid rewriting the payload in such case, but still set up a expectation. * there needs to be a method whereby the UPnP can register port mappings where external initiations will be seen as NEW unless connection tracking of other traffic has found that they will be RELATED. * there needs to be a method whereby iptables can recognise such NEW connections as UPnP registered, and look into the "internal" client IP,PORT details. Regards Henrik