trickv
Joined: 29 Feb 2012 Posts: 1 Location: United States
Posted: Wed Feb 29, 2012 6:18 pm Post subject: Allowing NAT/UPnP requests only for specific software?
I've recently been considering rolling out miniupnpd on our corporate edge routers / firewalls as a way to allow users inside our private network to get the highest-quality Skype connections possible.
However, the implications of allowing 200 users to enable arbitrary port forwards for *any* application make me cringe. While we control software installation tightly, there's always the risk that someone will end up with a virus that uses UPnP to map ports, or that someone will sneak in a BitTorrent client and quickly saturate our Internet connection.
I've done a bit of tcpdump inspection on the UPnP protocol and it appears that it does send a description string with the request to create a port mapping. In theory, I could modify miniupnpd to filter on this description field and only allow requests with Skype in the description and reject all other requests. This would limit the amount of software in the wild that might use UPnP; although not bulletproof, it'd be some sense of control.
Is this a bad idea? Advice would be appreciated!
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Tue Mar 25, 2014 11:31 am Post subject:
MiniUPnPd has a few features to mitigate the security problems that can be caused by allowing any application to ask for a port mapping:
1 - forbid clients from making mappings to another IP (secure_mode=yes in the .conf file)
2 - only allow mappings to some clients and ports (thanks to the permission rules in the .conf file)
Your problem is to only allow Skype; that is a bit special.
Indeed, you could add code in miniupnpd to filter on the description.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
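As an added example (not code from miniupnpd or from either poster), the following Python models the three controls raised in this thread against a single AddPortMapping request: the secure_mode check, a permission rule set written in miniupnpd.conf syntax (`allow|deny <external ports> <internal ip/mask> <internal ports>`), and the description filter proposed in the original question. The SOAP body, the rule set, the 192.168.10.0/24 addresses and the Skype-style description string are all constructed for the example; evaluating rules first-match and denying when nothing matches is the example's own policy, not a statement about miniupnpd's internals.

```python
"""Policy checks for a UPnP IGD AddPortMapping request (added example, not miniupnpd code)."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from xml.sax.saxutils import escape

WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/", "u": WANIP_NS}


def build_request(ext_port, int_port, protocol, client, description):
    """Render an AddPortMapping SOAP body shaped like a control point's request (constructed)."""
    return (
        '<?xml version="1.0"?>\n'
        f'<s:Envelope xmlns:s="{NS["s"]}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:AddPortMapping xmlns:u="{WANIP_NS}">'
        "<NewRemoteHost></NewRemoteHost>"
        f"<NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{protocol}</NewProtocol>"
        f"<NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{escape(description)}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )


# Constructed rule set in miniupnpd.conf syntax. This example evaluates rules in
# order, first match wins, and denies if nothing matches (the example's own choice).
SAMPLE_RULES = """
# user VLAN may only forward high ports to high ports
allow 1024-65535 192.168.10.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""


@dataclass(frozen=True)
class Rule:
    action: str
    ext_ports: tuple
    net: ipaddress.IPv4Network
    int_ports: tuple


def _port_range(text):
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return lo, hi


def parse_rules(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, ext, net, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad rule {line!r}")
        rules.append(Rule(action, _port_range(ext),
                          ipaddress.IPv4Network(net, strict=False), _port_range(internal)))
    return rules


def parse_add_port_mapping(body):
    """Extract the AddPortMapping arguments; raises on any other SOAP action."""
    action = ET.fromstring(body).find("s:Body/u:AddPortMapping", NS)
    if action is None:
        raise ValueError("not an AddPortMapping request")

    def arg(name):
        return (action.findtext(name) or "").strip()

    return {
        "ext_port": int(arg("NewExternalPort")),
        "int_port": int(arg("NewInternalPort")),
        "protocol": arg("NewProtocol").upper(),
        "client": ipaddress.IPv4Address(arg("NewInternalClient")),
        "description": arg("NewPortMappingDescription"),
    }


# The description is supplied by the client, so any program can claim to be Skype;
# this filter only raises the bar for software that does not try to hide.
SKYPE_ONLY = re.compile(r"\bskype\b", re.IGNORECASE)


def check_request(body, requester_ip, rules, secure_mode=True, description_re=SKYPE_ONLY):
    """Return (allowed, reason) for one AddPortMapping request sent from requester_ip."""
    req = parse_add_port_mapping(body)
    if req["protocol"] not in ("TCP", "UDP"):
        return False, f"unsupported protocol {req['protocol']!r}"
    # 1. secure_mode=yes: a client may only forward ports to its own address.
    if secure_mode and req["client"] != ipaddress.IPv4Address(requester_ip):
        return False, f"secure_mode: {requester_ip} asked for a mapping to {req['client']}"
    # 2. Permission rules: external port, internal address and internal port must
    #    all fall inside the first matching rule, and that rule must be an allow.
    for rule in rules:
        if (rule.ext_ports[0] <= req["ext_port"] <= rule.ext_ports[1]
                and req["client"] in rule.net
                and rule.int_ports[0] <= req["int_port"] <= rule.int_ports[1]):
            if rule.action == "deny":
                return False, f"denied by rule {rule}"
            break
    else:
        return False, "no permission rule matched"
    # 3. Description filter (the idea from the original question).
    if description_re and not description_re.search(req["description"]):
        return False, f"description {req['description']!r} is not on the allow list"
    return True, "allowed"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    skype = build_request(50321, 50321, "UDP", "192.168.10.42",
                          "Skype UDP at 192.168.10.42:50321 (2612)")
    print(check_request(skype, "192.168.10.42", rules))
    print(check_request(skype, "192.168.10.7", rules))
    print(check_request(build_request(6881, 6881, "TCP", "192.168.10.42", "uTorrent (TCP)"),
                        "192.168.10.42", rules))
```

Two caveats a practitioner would want alongside the description filter. First, NewPortMappingDescription is a free-form string chosen by the client, so the filter stops accidental or lazy use, not a program written to impersonate Skype; the secure_mode and permission-rule checks are the ones that actually bound the damage. Second, miniupnpd also speaks NAT-PMP when enable_natpmp is set, and NAT-PMP requests carry no description field at all, so a description filter added to the UPnP SOAP path does nothing for that protocol and NAT-PMP would need to be disabled or restricted separately.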