<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>Shorewall and UPnP</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2005</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section id="UPnP">
    <title>UPnP</title>

    <para>In Shorewall 2.2.4, support was added for UPnP (Universal Plug and
    Play) using linux-igd (<ulink
    url="http://linux-igd.sourceforge.net">http://linux-igd.sourceforge.net</ulink>).
    UPnP is required by a number of popular applications including MSN
    IM.</para>

    <warning>
      <para>From a security architecture viewpoint, UPnP is a disaster. It
      assumes that:</para>

      <orderedlist numeration="loweralpha">
        <listitem>
          <para>All local systems and their users are completely
          trustworthy.</para>
        </listitem>

        <listitem>
          <para>No local system is infected with any worm or trojan.</para>
        </listitem>
      </orderedlist>

      <para>If either of these assumptions are not true then UPnP can be used
      to totally defeat your firewall and to allow incoming connections to
      arbitrary local systems on any port whatsoever. In short: USE
      UPnP<emphasis> </emphasis> <emphasis role="bold">AT YOUR OWN
      RISK.</emphasis></para>
    </warning>

    <warning>
      <para>The linux-igd project was inactive for a long time and has just
      been resurrected. I haven't tried to build using the current code (as of
      2006-07-22) but the last time I did, I found that building and
      installing linux-igd was not for the faint of heart. You must download
      the source from CVS and I had to do quite a bit of fiddling with the
      include files from libupnp (which is required to build and/or run
      linux-igd).</para>
    </warning>

    <para></para>
  </section>

  <section id="linux-igd">
    <title>linux-igd Configuration</title>

    <para>In /etc/upnpd.conf, you will want:</para>

    <programlisting>insert_forward_rules = yes
prerouting_chain_name = UPnP
forward_chain_name = forwardUPnP</programlisting>
  </section>

  <section id="Shorewall">
    <title>Shorewall Configuration</title>

    <para>In <filename>/etc/shorewall/interfaces</filename>, you need the
    'upnp' option on your external interface.</para>

    <para>Example:</para>

    <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth1            detect          dhcp,routefilter,norfc1918,tcpflags,<emphasis
        role="bold">upnp</emphasis></programlisting>

    <para>If your fw-&gt;loc policy is not ACCEPT then you need this
    rule:</para>

    <programlisting>#ACTION            SOURCE  DEST
allowoutUPnP       $FW     loc</programlisting>

    <note>
      <para>To use 'allowoutUPnP', your iptables and kernel must support the
      'owner match' feature (see the output of "shorewall show capabilities")
      and you may not be running kernel version 2.6.14 or later. If you are
      running 2.6.14 or later, then replace the above rule with:</para>
    </note>

    <blockquote>
      <programlisting>#ACTION            SOURCE  DEST   PROTO     DEST PORT(S)     SOURCE     ORIGINAL     RATE     USER/
#                                                            PORT(S)    DESTINATION  LIMIT    GROUP
ACCEPT             $FW     loc    all       -                -          -            -        root</programlisting>
    </blockquote>

    <para>If your loc-&gt;fw policy is not ACCEPT then you need this
    rule:</para>

    <programlisting>#ACTION            SOURCE  DEST
allowinUPnP        loc     $FW</programlisting>

    <para>You MUST have this rule:</para>

    <programlisting>#ACTION            SOURCE  DEST
forwardUPnP        net     loc</programlisting>

    <para>You must also ensure that you have a route to 224.0.0.0/4 on your
    internal (local) interface as described in the linux-igd
    documentation.</para>
  </section>
</article>