On Monday 08 April 2002 03:28, Tom Marshall wrote:

> The difference is that a SIP proxy will only allow stuff that looks
> like SIP through the firewall.  This UPnP protocol looks like it
> will allow pretty much anything, including the ability to expose an
> internal machine's listen sockets to the outside world and thus be
> effectively in front of the firewall.

Indeed.

> Choices are good, yes.  If you want this UPnP thing, I don't think
> anyone will fault you for writing it.  But I don't think many
> people here will jump on board and help you, either.  It sounds
> like a very insecure and dangerous protocol.

Not all are here because of firewalling and locking in the users.

UPnP portmapping has it's application space, mainly NAT. In precense 
of NAT UPnP greatly simplifies the deployment of N-directional 
protocols.

UPnP portmapping as such do not probit firewalling. The exact same 
firewalling as you whould do without UPnP can still be applied, 
except that UPnP provides you some additional hints you can use and 
removes the need of having to support NAT for all the protocols. Only 
because the application has requested a port to be opened do not say 
that your firewall will allow it until it has seen further proof that 
this port is to be used in accordance with your firewalling policy.

How to best plug UPnP into netfilter connection tracking is not 
entirely obvious. There is a slight conflict between the need of 
protocol connection tracking for firewalling and the port forwarding 
registration of UPnP. If something I think this discussion has made 
this clear. Some new concepts will be required to do this proper I 
think.

 * conntrack/nat helpers may need to be adjusted to recognise the 
"external" IP of a SNAT:ed connection as OK and avoid rewriting the 
payload in such case, but still set up a expectation.
 * there needs to be a method whereby the UPnP can register port 
mappings where external initiations will be seen as NEW unless 
connection tracking of other traffic has found that they will be 
RELATED.
 * there needs to be a method whereby iptables can recognise such NEW 
connections as UPnP registered, and look into the "internal" client 
IP,PORT details.

Regards
Henrik


Reply via email to