miniupnp.tuxfamily.org Forum Index miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp

WANIPv6Firewallcontrol

sseidel
Joined: 10 Feb 2015
Posts: 8
Posted: Tue Feb 10, 2015 9:40 am    Post subject: WANIPv6Firewallcontrol

I tried to use the method AddPinhole with the upnpc sample client but my requests get refused with the error code

606 Action not authorized

This error occurs every time the lease time is not equal to zero.
Example:
upnpc -A 2::2 40000 2001:db8::2 4000 TCP 5

The upnpd says
client :: tried to access pinhole for internal 2001:db8::2 and is not authorized to do it.

My question is what I have to do to create an IPv6 pinhole?
Are there any settings in the daemon I have to set to allow it?
I tried to insert the line
allow 0-10000 ::/0 0-10000

but the upnp daemon reported a parsing error.

What do I have to do to create a pinhole for all remote clients?
miniupnp
Site Admin
Joined: 14 Apr 2007
Posts: 1592
Posted: Tue Feb 10, 2015 1:31 pm

What versions are you using as daemon / client?
Which OS?
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
sseidel
Joined: 10 Feb 2015
Posts: 8
Posted: Tue Feb 10, 2015 2:01 pm

Okay, I got it running. I discovered that I have to use IPv6 to perform AddPinhole successfully.

The following worked.

upnpc -6 2001:db8:0:1::2 0 2001:db8::2 2222 TCP 10

Where 2001:db8::2 is the client.

Nevertheless I am missing a few features.

http://upnp.org/specs/gw/UPnP-gw-WANIPv6FirewallControl-v1-Service.pdf tells that the remote host can be wildcarded. This would be a very nice feature but up to now I couldn't find any possibility to do this.

Another issue:
The upnp daemon checks whether the source IPv6 address of the IPv6 packets equals the IPv6 address of the InternalClient when performing the operation AddPinhole(). This is problematic because hosts usually use privacy extensions to send packets, but for a listening service it would be better to use the EUI-64 address of the interface.

I would be very happy if these two aspects could be changed.
miniupnp
Site Admin
Joined: 14 Apr 2007
Posts: 1592
Posted: Tue Feb 10, 2015 2:13 pm

You can remove/comment the following code in upnpsoap.c, function PinholeVerification():
Code:
if(strcmp(senderAddr, int_ip) != 0)
   /* s6_addr are arrays, so != here compares their addresses, not their contents */
   if(h->clientaddr_v6.s6_addr != result_ip.s6_addr)
   {
      syslog(LOG_INFO, "Client %s tried to access pinhole for internal %s and is not authorized to do it",
             senderAddr, int_ip);
      SoapError(h, 606, "Action not authorized");
      return 0;
   }

sseidel
Joined: 10 Feb 2015
Posts: 8
Posted: Tue Feb 10, 2015 2:32 pm

Okay, sounds good. I will modify it so that only the first 64 bits will be checked.

In upnppinhole.c I saw the following lines
Code:
static const char cmdval_full_udptcp[] = "ip6tables -I %s %d -p %s -i %s -s %s --sport %hu -d %s --dport %hu -j ACCEPT";
static const char cmdval_udptcp[] = "ip6tables -I %s %d -p %s -i %s --sport %hu -d %s --dport %hu -j ACCEPT";
static const char cmdval_full_udplite[] = "ip6tables -I %s %d -p %s -i %s -s %s -d %s -j ACCEPT";
static const char cmdval_udplite[] = "ip6tables -I %s %d -p %s -i %s -d %s -j ACCEPT";
// raw table command
static const char cmdval_full_udptcp_raw[] = "ip6tables -t raw -I PREROUTING %d -p %s -i %s -s %s --sport %hu -d %s --dport %hu -j TRACE";
static const char cmdval_udptcp_raw[] = "ip6tables -t raw -I PREROUTING %d -p %s -i %s --sport %hu -d %s --dport %hu -j TRACE";
static const char cmdval_full_udplite_raw[] = "ip6tables -t raw -I PREROUTING %d -p %s -i %s -s %s -d %s -j TRACE";
static const char cmdval_udplite_raw[] = "ip6tables -t raw -I PREROUTING %d -p %s -i %s -d %s -j TRACE";

You are just creating "plain" netfilter rules, right?

I have the aim to have rules which look like the following

Source-IP        Source-Port   Destination-IP     Destination-Port
2001:db8::/32    anyPort       2001:db7::1/128    22

or
::/0             anyPort       2001:db7::1/128    22

Up to now I can wildcard the source port, but I also need to wildcard the source IP or specify a prefix and a prefix-length, where the prefix-length can have any value from 0 to 128.

Maybe you could give me a hint where I can change this?

EDIT:
maybe this needs a modification in the client and not in the server.
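An added example (not miniupnpd's own code) of the sender check discussed in the two posts above, written as a stand-alone C function: with prefix_bits = 128 it behaves like the strict same-host comparison in PinholeVerification(), with 64 it is the relaxed first-64-bits check proposed here. The names pinhole_sender_authorized and ipv6_prefix_equal are hypothetical; the comparison uses memcmp on the address bytes, and a /64 check lets any host in that /64 open pinholes for its neighbours, which is the trade-off of relaxing it.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Compare the first prefix_bits bits of two IPv6 addresses.
 * Returns 1 when they match, 0 otherwise (or for an invalid length). */
static int ipv6_prefix_equal(const struct in6_addr *a,
                             const struct in6_addr *b, int prefix_bits)
{
    int full_bytes, rem_bits;
    if (prefix_bits < 0 || prefix_bits > 128)
        return 0;
    full_bytes = prefix_bits / 8;
    rem_bits = prefix_bits % 8;
    /* compare byte contents, not the addresses of the s6_addr arrays */
    if (memcmp(a->s6_addr, b->s6_addr, (size_t)full_bytes) != 0)
        return 0;
    if (rem_bits) {
        unsigned char mask = (unsigned char)(0xFF << (8 - rem_bits));
        if ((a->s6_addr[full_bytes] & mask) != (b->s6_addr[full_bytes] & mask))
            return 0;
    }
    return 1;
}

/* Hypothetical stand-in for the check in PinholeVerification():
 * may the SOAP sender create a pinhole for internal_ip?
 * prefix_bits = 128 is the strict same-host check, 64 the relaxed one.
 * Returns 1 = authorized, 0 = refused (the daemon answers 606). */
int pinhole_sender_authorized(const char *sender_ip,
                              const char *internal_ip, int prefix_bits)
{
    struct in6_addr sender, internal;
    /* unparseable addresses are refused, never silently accepted */
    if (inet_pton(AF_INET6, sender_ip, &sender) != 1)
        return 0;
    if (inet_pton(AF_INET6, internal_ip, &internal) != 1)
        return 0;
    return ipv6_prefix_equal(&sender, &internal, prefix_bits);
}

int main(void)
{
    /* constructed sample: a privacy-extension address on the same /64 */
    const char *sender = "2001:db8::a1b2:c3d4:e5f6:1234";
    const char *client = "2001:db8::2";
    printf("strict /128: %d\n", pinhole_sender_authorized(sender, client, 128));
    printf("relaxed /64: %d\n", pinhole_sender_authorized(sender, client, 64));
    return 0;
}
```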
miniupnp
Site Admin
Joined: 14 Apr 2007
Posts: 1592
Posted: Tue Feb 10, 2015 2:41 pm

Try an empty string as source IP (remote host):
Code:
upnpc -6 -A "" 0 2001:db8::2 2222 TCP 10

sseidel
Joined: 10 Feb 2015
Posts: 8
Posted: Tue Feb 10, 2015 2:45 pm

Doesn't work. The result is ::/128.

I also tried the following with the same result. The prefix-length is always 128.
Code:
upnpc -6 -A "::/0" 0 2001:db8::2 2222 TCP 10
miniupnp
Site Admin
Joined: 14 Apr 2007
Posts: 1592
Posted: Tue Feb 10, 2015 3:04 pm

sseidel wrote:
Doesn't work. The result is ::/128.

I also tried the following with the same result. The prefix-length is always 128.
Code:
upnpc -6 -A "::/0" 0 2001:db8::2 2222 TCP 10

Check this patch:
https://github.com/miniupnp/miniupnp/commit/6e5d8ce9540221b894b77de0a3c5b582b673a2d2
sseidel
Joined: 10 Feb 2015
Posts: 8
Posted: Tue Feb 10, 2015 3:19 pm

It works. Perfect, thank you very much.