forked from extern/shorewall_code
138 lines
4.7 KiB
XML
138 lines
4.7 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Shorewall and UPnP</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
|
|
|
<copyright>
|
|
<year>2005</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section id="UPnP">
|
|
<title>UPnP</title>
|
|
|
|
<para>Shorewall includes support for UPnP (Universal Plug and Play) using
|
|
linux-igd (<ulink
|
|
url="http://linux-igd.sourceforge.net">http://linux-igd.sourceforge.net</ulink>).
|
|
UPnP is required by a number of popular applications including MSN
|
|
IM.</para>
|
|
|
|
<warning>
|
|
<para>From a security architecture viewpoint, UPnP is a disaster. It
|
|
assumes that:</para>
|
|
|
|
<orderedlist numeration="loweralpha">
|
|
<listitem>
|
|
<para>All local systems and their users are completely
|
|
trustworthy.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>No local system is infected with any worm or trojan.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<para>If either of these assumptions are not true then UPnP can be used
|
|
to totally defeat your firewall and to allow incoming connections to
|
|
arbitrary local systems on any port whatsoever. In short: USE
|
|
UPnP<emphasis> </emphasis> <emphasis role="bold">AT YOUR OWN
|
|
RISK.</emphasis></para>
|
|
</warning>
|
|
|
|
<warning>
|
|
<para>The linux-igd project was inactive for a long time and has just
|
|
been resurrected. I haven't tried to build using the current code (as of
|
|
2006-07-22) but the last time I did, I found that building and
|
|
installing linux-igd was not for the faint of heart. You must download
|
|
the source from CVS and I had to do quite a bit of fiddling with the
|
|
include files from libupnp (which is required to build and/or run
|
|
linux-igd).</para>
|
|
</warning>
|
|
|
|
<para></para>
|
|
</section>
|
|
|
|
<section id="linux-igd">
|
|
<title>linux-igd Configuration</title>
|
|
|
|
<para>In /etc/upnpd.conf, you will want:</para>
|
|
|
|
<programlisting>insert_forward_rules = yes
|
|
prerouting_chain_name = UPnP
|
|
forward_chain_name = forwardUPnP</programlisting>
|
|
</section>
|
|
|
|
<section id="Shorewall">
|
|
<title>Shorewall Configuration</title>
|
|
|
|
<para>In <filename>/etc/shorewall/interfaces</filename>, you need the
|
|
'upnp' option on your external interface.</para>
|
|
|
|
<para>Example:</para>
|
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
net eth1 detect dhcp,routefilter,tcpflags,<emphasis
|
|
role="bold">upnp</emphasis></programlisting>
|
|
|
|
<para>If your fw->loc policy is not ACCEPT then you need this
|
|
rule:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST
|
|
allowoutUPnP $FW loc</programlisting>
|
|
|
|
<note>
|
|
<para>To use 'allowoutUPnP', your iptables and kernel must support the
|
|
'owner match' feature (see the output of "shorewall show capabilities")
|
|
and you may not be running kernel version 2.6.14 or later. If you are
|
|
running 2.6.14 or later, then replace the above rule with:</para>
|
|
</note>
|
|
|
|
<blockquote>
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL RATE USER/
|
|
# PORT(S) DESTINATION LIMIT GROUP
|
|
ACCEPT $FW loc all - - - - root</programlisting>
|
|
</blockquote>
|
|
|
|
<para>If your loc->fw policy is not ACCEPT then you need this
|
|
rule:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST
|
|
allowinUPnP loc $FW</programlisting>
|
|
|
|
<para>You MUST have this rule:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST
|
|
forwardUPnP net loc</programlisting>
|
|
|
|
<para>You must also ensure that you have a route to 224.0.0.0/4 on your
|
|
internal (local) interface as described in the linux-igd
|
|
documentation.</para>
|
|
</section>
|
|
</article>
|