diff --git a/Shorewall-docs2/UPnP.xml b/Shorewall-docs2/UPnP.xml new file mode 100644 index 000000000..afd1c513c --- /dev/null +++ b/Shorewall-docs2/UPnP.xml @@ -0,0 +1,134 @@ + + +
+ + + + Shorewall and UPnP + + + + Tom + + Eastep + + + + 2005-05-07 + + + 2005 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ UPnP + + In Shorewall 2.2.4, support was added for UPnP (Universal Plug and + Play) using linux-igd (http://linux-idg.sourceforge.net). + UPnP is required by a number of popular applications including MSN + IM. + + + From a security architecture viewpoint, UPnP is a disaster. It + assumes that: + + + + All local systems and their users are completely + trustworthy. + + + + No local system is infected with any worm or trojan. + + + + If either of these assumptions are not true then UPnP can be used + to totally defeat your firewall and to allow incoming connections to + arbitrary local systems on any port whatsoever. In short: USE UPnP AT + YOUR OWN RISK. + + + + The linux-igd project appears to be inactive and the web site does + not display correctly on any open source browser that I've tried. + Building and installing linux-igd is not for the faint of heart. You + must download the source from CVS and be prepared to do quite a bit of + fiddling with the include files from libupnp (which is required to build + and/or run linux-igd). + + + + Before building liunx-igd, you must apply all patches found at + http://shorewall.net/pub/shorewall/contrib/linux-igd. + + + +
+ +
+ linux-idg Configuration + + In /etc/upnpd.conf, you will want: + + insert_forward_rules = yes +prerouting_chain_name = UPnP +forward_chain_name = forwardUPnP +
+ +
+ Shorewall Configuration + + In /etc/shorewall/interfaces, you need the + 'upnp' option on your external interface. + + Example: + + #ZONE INTERFACE BROADCAST OPTIONS +net eth1 detect dhcp,routefilter,norfc1918,tcpflags,upnp + + If your fw->loc policy is not ACCEPT then you need this + rule: + + #ACTION SOURCE DEST +allowoutUPnP fw loc + + + To use 'allowoutUPnP', your iptables and kernel must support the + 'owner match' feature (see the output of "shorewall show + capabilities"). + + + If your loc->fw policy is not ACCEPT then you need this + rule: + + #ACTION SOURCE DEST +allowinUPnP loc fw + + You MUST have this rule: + + #ACTION SOURCE DEST +forwardUPnP net loc + + You must also ensure that you have a route to 224.0.0.0/4 on your + internal (local) interface as described in the linux-idg + documentation. +
+
\ No newline at end of file
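Review bot: The project name is spelled inconsistently throughout this new file, and in one place the inconsistency is a functional error: the link in the UPnP section points at "http://linux-idg.sourceforge.net" (idg) while the text around it, the /etc/upnpd.conf section and the linux-igd patch URL all refer to linux-igd; the section title "linux-idg Configuration" and the closing sentence ("as described in the linux-idg documentation") repeat the swap, and the "Before building" paragraph has "liunx-igd". Suggest normalising every occurrence to "linux-igd" and verifying the SourceForge URL resolves before this is published, since readers are told to fetch source and patches from those locations. Minor grammar in the same region: "If either of these assumptions are not true" should read "is not true". One documentation point worth adding alongside the required "forwardUPnP net loc" rule: the text says this rule MUST exist but does not explain that it is what hands the net->loc forward path to the dynamically populated forwardUPnP chain named in upnpd.conf (forward_chain_name = forwardUPnP), which is exactly the capability the earlier warning describes as able to defeat the firewall; a sentence making that link explicit would help readers judge the risk the file asks them to accept.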