2005-05-09 18:46:45 +02:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
2008-07-07 22:42:54 +02:00
|
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
2005-05-09 18:46:45 +02:00
|
|
|
<article>
|
|
|
|
<!--$Id$-->
|
|
|
|
|
|
|
|
<articleinfo>
|
|
|
|
<title>Shorewall and UPnP</title>
|
|
|
|
|
|
|
|
<authorgroup>
|
|
|
|
<author>
|
|
|
|
<firstname>Tom</firstname>
|
|
|
|
|
|
|
|
<surname>Eastep</surname>
|
|
|
|
</author>
|
|
|
|
</authorgroup>
|
|
|
|
|
2006-07-07 03:04:16 +02:00
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
2005-05-09 18:46:45 +02:00
|
|
|
|
|
|
|
<copyright>
|
|
|
|
<year>2005</year>
|
|
|
|
|
2010-04-17 17:51:57 +02:00
|
|
|
<year>2010</year>
|
|
|
|
|
2005-05-09 18:46:45 +02:00
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
|
|
</copyright>
|
|
|
|
|
|
|
|
<legalnotice>
|
|
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
|
|
Texts. A copy of the license is included in the section entitled
|
|
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
|
|
License</ulink></quote>.</para>
|
|
|
|
</legalnotice>
|
|
|
|
</articleinfo>
|
|
|
|
|
2007-06-29 00:06:10 +02:00
|
|
|
<section id="UPnP">
|
2005-05-09 18:46:45 +02:00
|
|
|
<title>UPnP</title>
|
|
|
|
|
2009-02-28 04:45:43 +01:00
|
|
|
<para>Shorewall includes support for UPnP (Universal Plug and Play) using
|
|
|
|
linux-igd (<ulink
|
2005-05-18 23:12:46 +02:00
|
|
|
url="http://linux-igd.sourceforge.net">http://linux-igd.sourceforge.net</ulink>).
|
2005-05-09 18:46:45 +02:00
|
|
|
UPnP is required by a number of popular applications including MSN
|
|
|
|
IM.</para>
|
|
|
|
|
|
|
|
<warning>
|
|
|
|
<para>From a security architecture viewpoint, UPnP is a disaster. It
|
|
|
|
assumes that:</para>
|
|
|
|
|
|
|
|
<orderedlist numeration="loweralpha">
|
|
|
|
<listitem>
|
|
|
|
<para>All local systems and their users are completely
|
|
|
|
trustworthy.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>No local system is infected with any worm or trojan.</para>
|
|
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
|
|
|
|
|
|
<para>If either of these assumptions are not true then UPnP can be used
|
|
|
|
to totally defeat your firewall and to allow incoming connections to
|
2010-04-17 17:54:37 +02:00
|
|
|
arbitrary local systems on any port whatsoever. In short: USE UPnP
|
|
|
|
<emphasis role="bold">AT YOUR OWN RISK.</emphasis></para>
|
2005-05-09 18:46:45 +02:00
|
|
|
</warning>
|
2011-04-10 19:29:10 +02:00
|
|
|
|
|
|
|
<important>
|
|
|
|
<para>Shorewall and linux-igd implement a UPnP <firstterm>Internet
|
|
|
|
Gateway Device</firstterm>. It will not allow clients on one LAN subnet
|
|
|
|
to access a UPnP Media Server on another subnet.</para>
|
|
|
|
</important>
|
2005-05-09 18:46:45 +02:00
|
|
|
</section>
|
|
|
|
|
2007-06-29 00:06:10 +02:00
|
|
|
<section id="linux-igd">
|
2005-05-18 23:12:46 +02:00
|
|
|
<title>linux-igd Configuration</title>
|
2005-05-09 18:46:45 +02:00
|
|
|
|
|
|
|
<para>In /etc/upnpd.conf, you will want:</para>
|
|
|
|
|
2009-06-08 23:21:47 +02:00
|
|
|
<programlisting>create_forward_rules = yes
|
2005-05-09 18:46:45 +02:00
|
|
|
prerouting_chain_name = UPnP
|
|
|
|
forward_chain_name = forwardUPnP</programlisting>
|
|
|
|
</section>
|
|
|
|
|
2007-06-29 00:06:10 +02:00
|
|
|
<section id="Shorewall">
|
2005-05-09 18:46:45 +02:00
|
|
|
<title>Shorewall Configuration</title>
|
|
|
|
|
|
|
|
<para>In <filename>/etc/shorewall/interfaces</filename>, you need the
|
|
|
|
'upnp' option on your external interface.</para>
|
|
|
|
|
|
|
|
<para>Example:</para>
|
|
|
|
|
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
2009-06-05 19:51:30 +02:00
|
|
|
net eth1 detect dhcp,routefilter,tcpflags,<emphasis
|
2005-05-09 18:46:45 +02:00
|
|
|
role="bold">upnp</emphasis></programlisting>
|
|
|
|
|
|
|
|
<para>If your loc->fw policy is not ACCEPT then you need this
|
|
|
|
rule:</para>
|
|
|
|
|
|
|
|
<programlisting>#ACTION SOURCE DEST
|
2005-09-12 20:43:26 +02:00
|
|
|
allowinUPnP loc $FW</programlisting>
|
2005-05-09 18:46:45 +02:00
|
|
|
|
|
|
|
<para>You MUST have this rule:</para>
|
|
|
|
|
|
|
|
<programlisting>#ACTION SOURCE DEST
|
|
|
|
forwardUPnP net loc</programlisting>
|
|
|
|
|
|
|
|
<para>You must also ensure that you have a route to 224.0.0.0/4 on your
|
2005-05-18 23:12:46 +02:00
|
|
|
internal (local) interface as described in the linux-igd
|
2005-05-09 18:46:45 +02:00
|
|
|
documentation.</para>
|
2009-06-08 23:21:47 +02:00
|
|
|
|
|
|
|
<note>
|
|
|
|
<para>The init script included with the Debian linux-idg package adds
|
|
|
|
this route during <command>start</command> and deletes it during
|
|
|
|
<command>stop</command>.</para>
|
|
|
|
</note>
|
2010-06-08 20:34:37 +02:00
|
|
|
|
|
|
|
<caution>
|
|
|
|
<para>Shorewall versions prior to 4.4.10 do not retain the dynamic rules
|
|
|
|
added by linux-idg over a <command>shorewall restart</command>.</para>
|
|
|
|
</caution>
|
2005-05-09 18:46:45 +02:00
|
|
|
</section>
|
2009-08-10 18:42:00 +02:00
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Shorewall on a UPnP Client</title>
|
|
|
|
|
|
|
|
<para>It is sometimes desirable to run UPnP-enabled client programs like
|
2010-04-17 17:51:11 +02:00
|
|
|
<ulink url="http://www.transmissionbt.com/">Transmission</ulink>
|
|
|
|
(BitTorrent client) on a Shorewall-protected system. Shorewall provides
|
|
|
|
support for UPnP client access in the form of the <emphasis
|
|
|
|
role="bold">upnpclient</emphasis> option in <ulink
|
2009-08-10 18:42:00 +02:00
|
|
|
url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
|
|
|
(5).</para>
|
|
|
|
|
|
|
|
<para>The <emphasis role="bold">upnpclient</emphasis> option causes
|
|
|
|
Shorewall to detect the default gateway through the interface and to
|
|
|
|
accept UDP packets from that gateway. Note that, like all aspects of UPnP,
|
2010-04-17 17:51:11 +02:00
|
|
|
this is a security hole so use this option at your own risk.</para>
|
|
|
|
|
|
|
|
<para>Note that when multiple clients behind the firewall use UPnP, they
|
|
|
|
must configure their applications to use unique ports.</para>
|
2009-08-10 18:42:00 +02:00
|
|
|
</section>
|
2008-07-07 22:42:54 +02:00
|
|
|
</article>
|