miniupnp.tuxfamily.org Forum Index miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

Allowing NAT/UPnP requests only for specific software?

 
Post new topic   Reply to topic    miniupnp.tuxfamily.org Forum Index -> NAT/UPnP
View previous topic :: View next topic  
Author Message
trickv



Joined: 29 Feb 2012
Posts: 1
Location: United States

PostPosted: Wed Feb 29, 2012 6:18 pm    Post subject: Allowing NAT/UPnP requests only for specific software? Reply with quote

I've recently been considering rolling out miniupnpd on our corporate edge routers / firewalls as a way to allow users inside our private network to get the highest quality Skype connections as possible.

However the implications of allowing 200 users to enable arbitrary port forwards for *any* application makes me cringe. While we control software installation tightly, there's always the risk that someone will end up with a virus that uses upnp to map ports, or that someone will sneak in a bittorrent client and quickly saturate our Internet connection.

I've done a bit of tcpdump inspection on the UPnP protocol and it appears that it does send a description string with the request to create a port mapping. In theory, I could modify miniupnpd to filter on this description field and only allow requests with Skype in the description and reject all other requests. This would limit the amount of software in the wild that might use UPnP; although not bulletproof, it'd be some sense of control.

Is this a bad idea? Advice would be appreciated!
Back to top
View user's profile Send private message
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1452

PostPosted: Tue Mar 25, 2014 11:31 am    Post subject: Reply with quote

MiniUPnPd has a few features to mitigate the security problems that can be caused by allowing any application to ask for a port mapping :
1 - forbid client to make mappings to another IP (secure_mode=yes in .conf file)
2 - only allow mapping to some clients and ports (thanks to permissions rules in .conf file)

your problem is to only allow skype, that is a bit special.
Indeed you could add code in miniupnpd to filter on the description.
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    miniupnp.tuxfamily.org Forum Index -> NAT/UPnP All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group
Protected by Anti-Spam ACP
© 2007 Thomas Bernard, author of MiniUPNP.