<snip>

> But this thread is about how we can provide UPnP port mapping within
> iptables/netfilter in a sensible manner, not how poor the reality of
> Internet security actually is when you do not trust your clients at
> all. I say providing UPnP with an adequate level of security for the
> scope where UPnP is useful is entirely possible.

On a different but related point, has anyone ever looked into the usage profiles for netfilter? Is it mainly big iron networks, or small NAT'd home networks? I personally use netfilter to NAT my home network to the world via ADSL. In this situation UPnP could be useful. For an ISP, it probably isn't (but you shouldn't really be NAT'ing then either...). Perhaps this argument can be settled by saying it's for small, home users who want to have a home LAN connected. Not for large ISP/Corporate environments :)