shorewall_code/docs/UPnP.xml

154 lines
5.2 KiB
XML
Raw Permalink Normal View History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Shorewall and UPnP</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2005</year>
<year>2010</year>
<year>2013</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section id="UPnP">
<title>UPnP</title>
<para>Shorewall includes support for UPnP (Universal Plug and Play) using
linux-igd (<ulink
url="http://linux-igd.sourceforge.net">http://linux-igd.sourceforge.net</ulink>).
UPnP is required by a number of popular applications including MSN
IM.</para>
<warning>
<para>From a security architecture viewpoint, UPnP is a disaster. It
assumes that:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>All local systems and their users are completely
trustworthy.</para>
</listitem>
<listitem>
<para>No local system is infected with any worm or trojan.</para>
</listitem>
</orderedlist>
<para>If either of these assumptions are not true then UPnP can be used
to totally defeat your firewall and to allow incoming connections to
arbitrary local systems on any port whatsoever. In short: USE UPnP
<emphasis role="bold">AT YOUR OWN RISK.</emphasis></para>
</warning>
<important>
<para>Shorewall and linux-igd implement a UPnP <firstterm>Internet
Gateway Device</firstterm>. It will not allow clients on one LAN subnet
to access a UPnP Media Server on another subnet.</para>
</important>
</section>
<section id="linux-igd">
<title>linux-igd Configuration</title>
<para>In /etc/upnpd.conf, you will want:</para>
2009-06-08 23:21:47 +02:00
<programlisting>create_forward_rules = yes
prerouting_chain_name = UPnP
forward_chain_name = forwardUPnP</programlisting>
</section>
<section id="Shorewall">
<title>Shorewall Configuration</title>
<para>In <filename>/etc/shorewall/interfaces</filename>, you need the
'upnp' option on your external interface.</para>
<para>Example:</para>
<programlisting>#ZONE INTERFACE OPTIONS
net eth1 dhcp,routefilter,tcpflags,<emphasis role="bold">upnp</emphasis></programlisting>
<para>If your loc-&gt;fw policy is not ACCEPT then you need this
rule:</para>
<programlisting>#ACTION SOURCE DEST
allowinUPnP loc $FW</programlisting>
<para>You MUST have this rule:</para>
<programlisting>#ACTION SOURCE DEST
forwardUPnP net loc</programlisting>
<para>You must also ensure that you have a route to 224.0.0.0/4 on your
internal (local) interface as described in the linux-igd
documentation.</para>
2009-06-08 23:21:47 +02:00
<note>
<para>The init script included with the Debian linux-idg package adds
this route during <command>start</command> and deletes it during
<command>stop</command>.</para>
</note>
<caution>
<para>Shorewall versions prior to 4.4.10 do not retain the dynamic rules
added by linux-idg over a <command>shorewall restart</command>.</para>
</caution>
<para>If your firewall-&gt;loc policy is not ACCEPT, then you also need to
allow UDP traffic from the fireawll to the local zone.</para>
<programlisting>ACCEPT $FW loc udp - &lt;<replaceable>dynamic port range</replaceable>&gt;</programlisting>
<para>The dynamic port range is obtained by <emphasis role="bold">cat
/proc/sys/net/ip_local_port_range</emphasis>.</para>
</section>
<section>
<title>Shorewall on a UPnP Client</title>
<para>It is sometimes desirable to run UPnP-enabled client programs like
<ulink url="http://www.transmissionbt.com/">Transmission</ulink>
(BitTorrent client) on a Shorewall-protected system. Shorewall provides
support for UPnP client access in the form of the <emphasis
role="bold">upnpclient</emphasis> option in <ulink
url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para>
<para>The <emphasis role="bold">upnpclient</emphasis> option causes
Shorewall to detect the default gateway through the interface and to
accept UDP packets from that gateway. Note that, like all aspects of UPnP,
this is a security hole so use this option at your own risk.</para>
<para>Note that when multiple clients behind the firewall use UPnP, they
must configure their applications to use unique ports.</para>
</section>
</article>