Firewall Wizards mailing list archives

Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP?


From: Darren Reed <darrenr () reed wattle id au>
Date: Thu, 2 Jun 2005 08:26:16 +1000 (EST)

> On Jun 1, 2005, at 5:01 AM, Darren Reed wrote:
>>> An odd set of comments to make.  I understand why UPnP is useful, and
>>> it is a fine thing for your LAN at home or maybe a tiny business
>>> which can't afford anyone to actually manage the network, but the
>>> people on this list ought to have some concern about security, too.
>>
>> Not really an odd set of comments, go ask on an openbsd or pf mailing
>> list if someone has developed a UPnP server yet and see how many
>> abusive replies you get back about it being insecure, etc.  Luddites.
>
> If you went on an OpenBSD or PF list and started telling people to
> scrap OpenBSD and install Linux instead because iptables has UPnP,
> color me unsurprised that you'd get abusive replies.

I'm scratching my head here trying to work out why you've made this
comment or are you just trying to point out that I was being irrelevant?

But otherwise, this isn't an openbsd list, so telling someone to
scrap openbsd and use linux if they need UPnP is entirely relevant.
Heck, I'd tell them the same if they were using ipfilter, too but
mark up another "must do that, someday" too.

>>> I don't see how permitting arbitrary services to go through can be a
>>> good idea from that standpoint, any more than permitting arbitrary
>>> RPC through is a good idea....
>>
>> Do you let ssh through a firewall?
>
> Yes.
>
>> If you let that through, with tunnelling, you may as well be letting
>> through arbitrary services.
>
> Um, no, this argument is bogus.  The potential risks from letting
> arbitrary services through and the risks of permitting SSH access are
> not similar, much less identical.

Really?

There are things I'd like to say here that I can't for reasons
that would cause me as much angst if I tried to explain them,
in public.  Needless to say, you exhibit a very shallow
understanding of what tunnelling via ssh really means/enables.

> You shouldn't permit inbound HTTP to any box, just to machines which
> actually are intended to run an HTTP server.  You shouldn't enable
> WebDAV and SOAP and other fancy bits unless you need them.  And you
> hopefully shouldn't permit arbitrary outbound HTTP, either: forward
> those via a proxy server.

Uh huh.  But you're letting ssh out so how do you enforce any of this?

>>> To the OP: why are you trying to do UPnP through a firewall?  Why
>>> can't you put the devices which are permitted/expected to talk to
>>> each other with that kind of freedom on the same subnet?
>>
>> Ugh.
>> You make it sound like you really don't understand UPnP or what
>> he wants to do at all.
>> ..
>> UPnP is a firewall to host protocol/service,
>> generally NOT something that goes through it.
>
> This much, I'd agree with.

And do you agree that in reading the paragraph that starts "To the OP:"
you've most likely misunderstood what he's trying to do?

>> It's most often used by services running on an internal host that want
>> to have someone connect in, but can't because of NAT.
>
> UPnP is most often used by people who simply connect a printer to
> their LAN and print to it without manually configuring the network
> settings.  Using UPnP for automatically punching holes through
> firewalls strikes me as a dangerous idea.

It doesn't sound dangerous to me so long as the firewall gives you
some sort of control as to what it does and doesn't respond to in
terms of UPnP conversation with things.

>> Personally, I'd prefer to be able to configure a UPnP server than just
>> open random ports, permanently on my firewall, wouldn't you?
>
> No.  I'd rather explicitly manage the services which are permitted
> through the firewall.

Hmmm, you've said "no" but then gone on to say exactly what I was
saying, or is there some part of "configure" that doesn't imply
"manage"?

>> Would you rather have a static configuration for bittorrent that
>> always redirected port 6881-6889 (and had them open, regardless of
>> whether or not your client was running) or configure a piece of
>> software to open those ports, as required by the application?
>
> If I cared about the security of the box in question, it wouldn't be
> running bittorrent or any other flavor of peer-to-peer networking.

Ok, so you're doing some gratuitous fishing for more personal remarks?
Because I can't take what you've said seriously.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
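For the static-versus-on-demand question raised in the thread (a permanent 6881-6889 redirect versus ports opened only while the application needs them), here is an added pf.conf sketch; it is not code from the thread or from any UPnP implementation. It assumes OpenBSD 4.7-or-later syntax (rdr-to rather than the 2005-era rdr rules), external interface em0, LAN 192.168.1.0/24 and an internal host 192.168.1.10, and a hypothetical port-mapping daemon that speaks UPnP on the LAN side and loads rules into a PF anchor.

```pf
ext_if  = "em0"
int_net = "192.168.1.0/24"
bt_host = "192.168.1.10"

set skip on lo

# Outbound NAT for the LAN; this is what makes inbound connections to
# internal hosts impossible without a redirect in the first place.
match out on $ext_if inet from $int_net to any nat-to ($ext_if)

block all
pass out quick inet

# Option A: the permanent hole described in the thread. Ports 6881-6889
# are forwarded to bt_host around the clock, whether or not a client runs.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 6881:6889 \
    rdr-to $bt_host

# Option B: nothing is open until an application asks. The (hypothetical)
# port-mapping daemon loads one rule into a sub-anchor for the lifetime of
# a mapping and flushes it when the mapping expires or the client exits.
# The anchor rule's own criteria bound what any loaded rule can ever match:
# only inbound TCP/UDP arriving on the external interface for its own
# address. A rule loaded into the anchor cannot affect other interfaces,
# other directions, or traffic addressed elsewhere.
anchor "upnp/*" in on $ext_if inet proto { tcp udp } from any to ($ext_if)

# Loading, inspecting and removing a mapping (what the daemon would do,
# or what an administrator can do by hand to audit it):
#   echo "pass in proto tcp to (em0) port 6881 rdr-to 192.168.1.10" \
#       | pfctl -a upnp/bt -f -
#   pfctl -a upnp/bt -s rules     # what is open right now, and to where
#   pfctl -a upnp/bt -F rules     # close it again
```

With option B, `pfctl -a upnp/bt -s rules` is the audit point: an empty anchor means no application currently holds a hole through the NAT, which is the control Darren argues for over option A's permanently open range.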

