Firewall Wizards mailing list archives
Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP?
From: Darren Reed <darrenr () reed wattle id au>
Date: Thu, 2 Jun 2005 08:26:16 +1000 (EST)
> On Jun 1, 2005, at 5:01 AM, Darren Reed wrote:
>>> An odd set of comments to make. I understand why UPnP is useful, and it is a fine thing for your LAN at home or maybe a tiny business which can't afford anyone to actually manage the network, but the people on this list ought to have some concern about security, too.
>> Not really an odd set of comments, go ask on an openbsd or pf mailing list if someone has developed a UPnP server yet and see how many abusive replies you get back about it being insecure, etc. Luddites.
> If you went on an OpenBSD or PF list and started telling people to scrap OpenBSD and install Linux instead because iptables has UPnP, color me unsurprised that you'd get abusive replies.

I'm scratching my head here trying to work out why you've made this comment, or are you just trying to point out that I was being irrelevant? But otherwise, this isn't an openbsd list, so telling someone to scrap openbsd and use linux if they need UPnP is entirely relevant. Heck, I'd tell them the same if they were using ipfilter, too, but mark up another "must do that, someday" too.
>>> I don't see how permitting arbitrary services to go through can be a good idea from that standpoint, any more than permitting arbitrary RPC through is a good idea....
>> Do you let ssh through a firewall?
> Yes.
>> If you let that through, with tunnelling, you may as well be letting through arbitrary services.
> Um, no, this argument is bogus. The potential risks from letting arbitrary services through and the risks of permitting SSH access are not similar, much less identical.

Really? There are things I'd like to say here that I can't for reasons that would cause me as much angst if I tried to explain them, in public. Needless to say, you exhibit a very shallow understanding of what tunnelling via ssh really means/enables.
> You shouldn't permit inbound HTTP to any box, just to machines which actually are intended to run an HTTP server. You shouldn't enable WebDAV and SOAP and other fancy bits unless you need them. And you hopefully shouldn't permit arbitrary outbound HTTP, either: forward those via a proxy server.

Uh huh. But you're letting ssh out, so how do you enforce any of this?
>>> To the OP: why are you trying to do UPnP through a firewall? Why can't you put the devices which are permitted/expected to talk to each other with that kind of freedom on the same subnet?
>> Ugh. You make it sound like you really don't understand UPnP or what he wants to do at all.
> ..
>> UPnP is a firewall to host protocol/service, generally NOT something that goes through it.
> This much, I'd agree with.

And do you agree that in reading the paragraph that starts "To the OP:" you've most likely misunderstood what he's trying to do?
>> It's most often used by services running on an internal host that want to have someone connect in, but can't because of NAT.
> UPnP is most often used by people who simply connect a printer to their LAN and print to it without manually configuring the network settings. Using UPnP for automatically punching holes through firewalls strikes me as a dangerous idea.

It doesn't sound dangerous to me so long as the firewall gives you some sort of control as to what it does and doesn't respond to in terms of UPnP conversation with things.
>> Personally, I'd prefer to be able to configure a UPnP server than just open random ports, permanently on my firewall, wouldn't you?
> No. I'd rather explicitly manage the services which are permitted through the firewall.

Hmmm, you've said "no" but then gone on to say exactly what I was saying, or is there some part of "configure" that doesn't imply "manage"?
>> Would you rather have a static configuration for bittorrent that always redirected port 6881-6889 (and had them open, regardless of whether or not your client was running) or configure a piece of software to open those ports, as required by the application?
> If I cared about the security of the box in question, it wouldn't be running bittorrent or any other flavor of peer-to-peer networking.

Ok, so you're doing some gratuitous fishing for more personal remarks? Because I can't take what you've said seriously.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
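An added example (not code from this thread, from pf, or from any UPnP implementation) of the kind of control the exchange above is about: a policy gate for UPnP IGD AddPortMapping requests that lets a LAN host map a port only to itself, only within an allowed range and only for a bounded lease, and renders the live mappings as the rdr rules a firewall would carry while the lease lasts, as opposed to a permanent 6881-6889 redirect. The policy values, addresses, the fxp0 interface and the 2005-era pf rdr line layout are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
# Argument names follow the UPnP IGD WANIPConnection AddPortMapping action;
# policy values, addresses and the interface name are constructed for this example.

@dataclass
class MappingPolicy:
    lan_net: str                      # only hosts inside this network may ask, e.g. "192.168.1.0/24"
    allowed_ports: range              # external ports a host may request
    max_lease: int                    # seconds; NewLeaseDuration=0 (permanent) is refused
    protocols: frozenset = frozenset({"TCP", "UDP"})

@dataclass
class MappingTable:
    policy: MappingPolicy
    active: dict = field(default_factory=dict)  # (proto, ext_port) -> (client, expiry)

    def expire(self, now):
        """Drop mappings whose lease has run out; a static rdr rule never does this."""
        self.active = {k: v for k, v in self.active.items() if v[1] > now}

    def add_port_mapping(self, requester, args, now):
        """Evaluate one AddPortMapping request from `requester` at time `now`; return (accepted, reason)."""
        self.expire(now)
        p = self.policy
        proto = args.get("NewProtocol", "").upper()
        ext = int(args.get("NewExternalPort", 0))
        client = args.get("NewInternalClient", "")
        lease = int(args.get("NewLeaseDuration", 0))
        if ipaddress.ip_address(requester) not in ipaddress.ip_network(p.lan_net):
            return False, "requester outside LAN"
        if proto not in p.protocols:
            return False, "protocol not permitted"
        if client != requester:               # a host may only open holes to itself
            return False, "internal client must be the requester"
        if ext not in p.allowed_ports:
            return False, "external port outside policy range"
        if not 0 < lease <= p.max_lease:
            return False, "lease must be bounded"
        key = (proto, ext)
        if key in self.active and self.active[key][0] != client:
            return False, "port already mapped to another host"
        self.active[key] = (client, now + lease)
        return True, "ok"

    def pf_rules(self, ext_if="fxp0"):
        """Render live mappings as 2005-era pf rdr rules (line layout assumed)."""
        return [f"rdr on {ext_if} proto {proto.lower()} from any to ({ext_if}) port {ext} -> {client} port {ext}"
                for (proto, ext), (client, _) in sorted(self.active.items())]
```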
Current thread:
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Darren Reed (Jun 01)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Chuck Swiger (Jun 01)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Darren Reed (Jun 01)
- Message not available
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Chuck Swiger (Jun 02)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Darren Reed (Jun 02)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Chuck Swiger (Jun 02)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Darren Reed (Jun 04)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Paul D. Robertson (Jun 04)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Darren Reed (Jun 04)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Paul D. Robertson (Jun 04)
- RE: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? FirewallAdmin (Jun 10)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Darren Reed (Jun 01)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Chuck Swiger (Jun 01)
- <Possible follow-ups>
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Siju George (Jun 02)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Nils Vogels (Jun 04)