Shorewall and UPnP Tom Eastep 2005-05-07 2005 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
UPnP In Shorewall 2.2.4, support was added for UPnP (Universal Plug and Play) using linux-igd (http://linux-idg.sourceforge.net). UPnP is required by a number of popular applications including MSN IM. From a security architecture viewpoint, UPnP is a disaster. It assumes that: All local systems and their users are completely trustworthy. No local system is infected with any worm or trojan. If either of these assumptions are not true then UPnP can be used to totally defeat your firewall and to allow incoming connections to arbitrary local systems on any port whatsoever. In short: USE UPnP AT YOUR OWN RISK. The linux-igd project appears to be inactive and the web site does not display correctly on any open source browser that I've tried. Building and installing linux-igd is not for the faint of heart. You must download the source from CVS and be prepared to do quite a bit of fiddling with the include files from libupnp (which is required to build and/or run linux-igd). Before building liunx-igd, you must apply all patches found at http://shorewall.net/pub/shorewall/contrib/linux-igd.
linux-idg Configuration In /etc/upnpd.conf, you will want: insert_forward_rules = yes prerouting_chain_name = UPnP forward_chain_name = forwardUPnP
Shorewall Configuration In /etc/shorewall/interfaces, you need the 'upnp' option on your external interface. Example: #ZONE INTERFACE BROADCAST OPTIONS net eth1 detect dhcp,routefilter,norfc1918,tcpflags,upnp If your fw->loc policy is not ACCEPT then you need this rule: #ACTION SOURCE DEST allowoutUPnP fw loc To use 'allowoutUPnP', your iptables and kernel must support the 'owner match' feature (see the output of "shorewall show capabilities"). If your loc->fw policy is not ACCEPT then you need this rule: #ACTION SOURCE DEST allowinUPnP loc fw You MUST have this rule: #ACTION SOURCE DEST forwardUPnP net loc You must also ensure that you have a route to 224.0.0.0/4 on your internal (local) interface as described in the linux-idg documentation.