On Mon, Apr 08, 2002 at 11:16:38AM +0200, Harald Welte wrote:
>
> I totally agree. Of course those 'orders' would need to go through some
> firewall-admin defined policy, before hitting netfilter/iptables.

If it is indeed possible to do this. How does the UPnP determine for what purposes a client request is being made? If the answer is "well the client says what it is for" then again, that is useless. When a certain application is excluded from the security policy it will be changed to announce itself as something different -- something that is allowed -- not at all unlike all of the applications that were made to tunnel through HTTP to be able to circumvent the firewall.

> This is the job done by configuration of the upnp-daemon.

I should read (or at least peruse) the spec. For some reason I really doubt there is a trustworthy way of determining what the client application is, and from the description given a few messages ago about how Messenger works with UPnP, it seems like there will be no "fixed" ports for anything, so using port numbers to administer the security policy won't work either.

b.

--
Brian J. Murrell