sseidel
Joined: 10 Feb 2015 Posts: 8
Posted: Tue Feb 10, 2015 9:40 am Post subject: WANIPv6Firewallcontrol |
I tried to use the method AddPinhole with the upnpc sample client, but my requests get refused with the error code
606 Action not authorized
This error occurs every time the lease time is not zero.
Example:
upnpc -A 2::2 40000 2001:db8::2 4000 TCP 5
The upnpd says
client :: tried to access pinhole for internal 2001:db8::2 and is not authorized to do it.
My question is: what do I have to do to create an IPv6 pinhole?
Are there any settings in the daemon I have to set to allow it?
I tried to insert the line
allow 0-10000 ::/0 0-10000
but the upnp daemon reported a parsing error.
What do I have to do to create a pinhole for all remote clients?
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1592
Posted: Tue Feb 10, 2015 1:31 pm Post subject: |
What versions are you using as daemon / client?
Which OS?
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
sseidel
Joined: 10 Feb 2015 Posts: 8
Posted: Tue Feb 10, 2015 2:01 pm Post subject: |
Okay, I got it running. I discovered that I have to use IPv6 to perform AddPinhole successfully.
The following worked:
upnpc -6 2001:db8:0:1::2 0 2001:db8::2 2222 TCP 10
where 2001:db8::2 is the client.
Nevertheless I am missing a few features.
http://upnp.org/specs/gw/UPnP-gw-WANIPv6FirewallControl-v1-Service.pdf tells that the remote host can be wildcarded. This would be a very nice feature, but up to now I couldn't find any possibility to do this.
Another issue:
The upnp daemon checks whether the source IPv6 address of the IPv6 packets equals the IPv6 address of the InternalClient when performing the operation AddPinhole(). This is problematic because hosts usually use privacy extensions to send packets, but for a listening service it would be better to use the EUI-64 address of the interface.
I would be very happy if these two aspects could be changed.
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1592
Posted: Tue Feb 10, 2015 2:13 pm Post subject: |
you can remove/comment the following code in upnpsoap.c, function PinholeVerification()
Code:
    if(strcmp(senderAddr, int_ip) != 0)
    if(h->clientaddr_v6.s6_addr != result_ip.s6_addr)
    {
        syslog(LOG_INFO, "Client %s tried to access pinhole for internal %s and is not authorized to do it",
               senderAddr, int_ip);
        SoapError(h, 606, "Action not authorized");
        return 0;
    }
sseidel
Joined: 10 Feb 2015 Posts: 8
Posted: Tue Feb 10, 2015 2:32 pm Post subject: |
Okay, sounds good. I will modify it so that only the first 64 bits are checked.
In upnppinhole.c I saw the following lines
Code:
    static const char cmdval_full_udptcp[] = "ip6tables -I %s %d -p %s -i %s -s %s --sport %hu -d %s --dport %hu -j ACCEPT";
    static const char cmdval_udptcp[] = "ip6tables -I %s %d -p %s -i %s --sport %hu -d %s --dport %hu -j ACCEPT";
    static const char cmdval_full_udplite[] = "ip6tables -I %s %d -p %s -i %s -s %s -d %s -j ACCEPT";
    static const char cmdval_udplite[] = "ip6tables -I %s %d -p %s -i %s -d %s -j ACCEPT";
    // raw table command
    static const char cmdval_full_udptcp_raw[] = "ip6tables -t raw -I PREROUTING %d -p %s -i %s -s %s --sport %hu -d %s --dport %hu -j TRACE";
    static const char cmdval_udptcp_raw[] = "ip6tables -t raw -I PREROUTING %d -p %s -i %s --sport %hu -d %s --dport %hu -j TRACE";
    static const char cmdval_full_udplite_raw[] = "ip6tables -t raw -I PREROUTING %d -p %s -i %s -s %s -d %s -j TRACE";
    static const char cmdval_udplite_raw[] = "ip6tables -t raw -I PREROUTING %d -p %s -i %s -d %s -j TRACE";
You are just creating "plain" netfilter rules, right?
My aim is to have rules which look like the following:
Source-IP          Source-Port   Destination-IP     Destination-Port
2001:db8::/32      any port      2001:db7::1/128    22
or
::/0               any port      2001:db7::1/128    22
Up to now I can wildcard the source port, but I also need to wildcard the source IP or specify a prefix and a prefix length, where the prefix length can have any value from 0 to 128.
Maybe you could give me a hint where I can change this?
EDIT:
Maybe this needs a modification in the client and not in the server.
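An added example (editor's code, not miniupnpd's) of the relaxed check sseidel describes above: compare the SOAP sender and the InternalClient on a configurable prefix length (64 for the same-subnet case) instead of requiring the exact address, as the check quoted from PinholeVerification() does. It parses both sides with inet_pton and compares bytes, so textual variants of one address ("2001:db8::2" and "2001:db8:0:0:0:0:0:2") are treated as equal, which a strcmp does not do. Note also that in the quoted check, `h->clientaddr_v6.s6_addr != result_ip.s6_addr` compares the addresses of two arrays, which always differ, so in practice only the strcmp decides. The function and parameter names are assumptions, and the sample addresses in main() are constructed for the demonstration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Compare the first `bits` bits of two IPv6 addresses (0 <= bits <= 128).
 * Returns 1 on match, 0 on mismatch or on an out-of-range `bits`. */
static int in6_prefix_equal(const struct in6_addr *a,
                            const struct in6_addr *b, int bits)
{
    int full, rem;

    if (bits < 0 || bits > 128)
        return 0;
    full = bits / 8;          /* whole bytes to compare */
    rem  = bits % 8;          /* leading bits of the next byte */
    if (full > 0 && memcmp(a->s6_addr, b->s6_addr, (size_t)full) != 0)
        return 0;
    if (rem > 0) {
        uint8_t mask = (uint8_t)(0xffu << (8 - rem));
        if ((a->s6_addr[full] & mask) != (b->s6_addr[full] & mask))
            return 0;
    }
    return 1;
}

/* Hypothetical replacement for the exact-match test in PinholeVerification():
 * the SOAP sender may manage a pinhole for int_ip when both addresses share
 * their first `prefix_bits` bits. prefix_bits = 128 keeps exact-match
 * semantics (on parsed addresses, not on strings); prefix_bits = 64 accepts
 * a privacy-extension sender for an EUI-64 listener on the same subnet.
 * Returns 1 if authorized, 0 otherwise. Unparsable input never authorizes. */
int pinhole_sender_authorized(const char *sender_addr, const char *int_ip,
                              int prefix_bits)
{
    struct in6_addr sender, internal;

    if (inet_pton(AF_INET6, sender_addr, &sender) != 1)
        return 0;
    if (inet_pton(AF_INET6, int_ip, &internal) != 1)
        return 0;
    return in6_prefix_equal(&sender, &internal, prefix_bits);
}

int main(void)
{
    /* Constructed sample: privacy-extension sender and EUI-64 listener
     * in the same /64, which is exactly the case the thread is about. */
    const char *sender   = "2001:db8:0:1:a1b2:c3d4:e5f6:1234";
    const char *listener = "2001:db8:0:1:0211:22ff:fe33:4455";

    printf("/128: %s\n", pinhole_sender_authorized(sender, listener, 128) ? "authorized" : "refused");
    printf("/64:  %s\n", pinhole_sender_authorized(sender, listener, 64) ? "authorized" : "refused");
    return 0;
}
```

Matching on /64 means any host in the client's subnet can open pinholes for any other host in that subnet, not only for itself; that is the intended relaxation here, but it is a policy decision, so keep the prefix length configurable rather than hard-coding 64.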
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1592
Posted: Tue Feb 10, 2015 2:41 pm Post subject: |
try empty string as source ip (remote host)
Code:
    upnpc -6 -A "" 0 2001:db8::2 2222 TCP 10
sseidel
Joined: 10 Feb 2015 Posts: 8
Posted: Tue Feb 10, 2015 2:45 pm Post subject: |
Doesn't work. The result is ::/128
I also tried the following with the same result. The prefix length is always 128.
Code:
    upnpc -6 -A "::/0" 0 2001:db8::2 2222 TCP 10
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1592
sseidel
Joined: 10 Feb 2015 Posts: 8
Posted: Tue Feb 10, 2015 3:19 pm Post subject: |
It works. Perfect, thank you very much.
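An added example (editor's code, not miniupnpd's or upnpc's) covering the two remote-host forms asked for earlier in the thread: a wildcard source ("" or "::/0") and a source prefix with an explicit length ("2001:db8::/32"), which the client in the thread was flattening to ::/128. It parses the RemoteHost argument into an address plus prefix length, rejects malformed input instead of widening it to "any", and renders an ip6tables command shaped like the cmdval_full_udptcp / cmdval_udptcp templates quoted above, emitting "-s addr/plen" only for a non-wildcard host and "--sport" only for a non-zero remote port (0 meaning any port, as in the upnpc calls in the thread). The struct, function names and the chain name MINIUPNPD are assumptions; the sample inputs in main() are constructed. Running the command is deliberately left out.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed RemoteHost argument of AddPinhole (hypothetical type). */
struct remote_host {
    struct in6_addr addr;
    int prefix_len;   /* 0..128; meaningful only when wildcard == 0 */
    int wildcard;     /* 1: match any source, emit no -s at all */
};

/* Accept "" (any), "::/0" (any), "2001:db8::/32" (prefix) or "2001:db8::1"
 * (a single host, i.e. /128). Returns 0 on success, -1 on malformed input:
 * a bad address, a missing or non-numeric prefix, or a prefix outside 0..128.
 * Malformed input is refused rather than silently treated as ::/0. */
int parse_remote_host(const char *s, struct remote_host *out)
{
    char buf[INET6_ADDRSTRLEN + 4];   /* longest address + "/128" */
    char *slash, *end;
    long plen = 128;

    memset(out, 0, sizeof(*out));
    if (s == NULL || *s == '\0') {
        out->wildcard = 1;
        return 0;
    }
    if (strlen(s) >= sizeof(buf))
        return -1;
    strcpy(buf, s);
    slash = strchr(buf, '/');
    if (slash != NULL) {
        *slash = '\0';
        if (slash[1] == '\0')
            return -1;
        plen = strtol(slash + 1, &end, 10);
        if (*end != '\0' || plen < 0 || plen > 128)
            return -1;
    }
    if (inet_pton(AF_INET6, buf, &out->addr) != 1)
        return -1;
    out->prefix_len = (int)plen;
    out->wildcard = (plen == 0);
    return 0;
}

/* Render the ip6tables insert command for one pinhole into cmd.
 * Returns the length written, or -1 if cmd is too small or the address
 * cannot be printed. */
int build_pinhole_rule(char *cmd, size_t cmdlen, const char *chain, int ruleno,
                       const char *proto, const char *ifname,
                       const struct remote_host *rh, unsigned short rport,
                       const char *int_ip, unsigned short iport)
{
    char src[INET6_ADDRSTRLEN + 8] = "";   /* " -s addr/plen" or empty */
    char sport[16] = "";                   /* " --sport N" or empty */
    int n;

    if (!rh->wildcard) {
        char a[INET6_ADDRSTRLEN];
        if (inet_ntop(AF_INET6, &rh->addr, a, sizeof(a)) == NULL)
            return -1;
        snprintf(src, sizeof(src), " -s %s/%d", a, rh->prefix_len);
    }
    if (rport != 0)
        snprintf(sport, sizeof(sport), " --sport %hu", rport);

    n = snprintf(cmd, cmdlen,
                 "ip6tables -I %s %d -p %s -i %s%s%s -d %s --dport %hu -j ACCEPT",
                 chain, ruleno, proto, ifname, src, sport, int_ip, iport);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : n;
}

int main(void)
{
    /* Constructed sample: the two rule shapes asked for in the thread,
     * plus one malformed argument that must be refused. */
    const char *remotes[] = { "2001:db8::/32", "::/0", "2001:db8::/129" };
    char cmd[256];
    size_t i;

    for (i = 0; i < sizeof(remotes) / sizeof(remotes[0]); i++) {
        struct remote_host rh;
        if (parse_remote_host(remotes[i], &rh) != 0) {
            printf("%s: rejected\n", remotes[i]);
            continue;
        }
        if (build_pinhole_rule(cmd, sizeof(cmd), "MINIUPNPD", 1, "tcp", "eth0",
                               &rh, 0, "2001:db7::1", 22) > 0)
            printf("%s\n", cmd);
    }
    return 0;
}
```

The parse step is where the thread's "::/128" result comes from: whatever reads the RemoteHost string must keep the prefix length rather than dropping it, and a wildcard has to become "no -s match at all", not "-s ::/128", which matches nothing.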