jchuit
Joined: 15 Apr 2007 Posts: 9 Location: Netherlands
Posted: Wed May 23, 2007 2:46 pm. Post subject: Limiting the max amount of open ports.
At the moment, I am testing the miniupnpd for use in the Tarifa (030RC7) firmware.
Miniupnpd works very well, it is stable and quick.
Some of the PCs (4 out of 15) connected to the router leave ports open; after 6 days I have a list.
The MINIUPNPD chain from the iptables_display.sh output:
Code: |
Chain MINIUPNPD (1 references)
 pkts bytes target prot opt in out source    destination
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 192.168.24.163 tcp dpt:12900
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 192.168.24.163 tcp dpt:14972
    2   523 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.160 udp dpt:45844
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 192.168.24.160 tcp dpt:45844
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.161 udp dpt:3333
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.161 udp dpt:3345
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.161 udp dpt:3697
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.163 udp dpt:16674
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.163 udp dpt:13208
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 192.168.24.163 tcp dpt:4670
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 192.168.24.163 tcp dpt:4670
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.163 udp dpt:15568
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.163 udp dpt:13734
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 192.168.24.163 tcp dpt:11534
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.163 udp dpt:10783
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.161 udp dpt:3083
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.161 udp dpt:3114
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.161 udp dpt:3115
    1    84 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.161 udp dpt:3160
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.161 udp dpt:3267
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.161 udp dpt:3291
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.161 udp dpt:16738
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 192.168.24.161 tcp dpt:7254
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.159 udp dpt:9592
|
I think it would be nice to set a limit on the open ports and first delete obsolete mappings if the value is higher than the limit.
Greetings,
jchuit
http://tarifa.sourceforge.net/
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1589
Posted: Thu Aug 30, 2007 10:57 pm. Post subject:
I'm still looking for a smart method for removing obsolete/unused port mappings.
Until then, you could try to use the 1.0-RC8 version; it improves things with the Xbox 360.
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
jchuit
Joined: 15 Apr 2007 Posts: 9 Location: Netherlands
Posted: Sat Sep 01, 2007 6:11 pm. Post subject: overwrite config.h
Thanks,
I have to say that miniUPnPd is working very well; it never has any problem and works without any care. I use a script that restarts miniUPnPd every time something changes in the iptables firewall rules.
Compiling: The latest releases overwrite the config.h if cross-compiling under Debian 3.1. This means Debian values are written in the config.h instead of those of the MIPS kernel.
Greetings,
jchuit
http://sourceforge.net/projects/tarifa/
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1589
Posted: Sat Sep 01, 2007 9:16 pm. Post subject: Re: overwrite config.h
jchuit wrote:
    Compiling: The latest releases overwrite the config.h if cross-compiling under Debian 3.1. This means Debian values are written in the config.h instead of those of the MIPS kernel.
It is because the genconfig.sh file has been updated more recently than the config.h file.
In order to avoid this, you should "touch config.h" just before calling make.
Anyway, what Makefile are you using for cross compiling? I thought I made a Makefile.openwrt that doesn't call genconfig.sh, but maybe it doesn't suit your needs.
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
jchuit
Joined: 15 Apr 2007 Posts: 9 Location: Netherlands
Posted: Sun Sep 02, 2007 8:45 am. Post subject: Makefile
The OpenWrt config.h v1.9 is based on iptables 1.3.3; Tarifa uses iptables 1.3.5, and it uses the file rules.mk that is only available in OpenWrt/X-Wrt/etc.
The UUID is made from a key and the MAC address of the router; this gives a unique UUID for any WRT54G(L). The UUID value is written into miniupnpd.conf.
The makefile that I use in Tarifa b030/b031:
Code: |
# $Id: Makefile.linux,v 1.20 2007/03/01 23:00:17 nanard Exp $
# http://miniupnp.free.fr/
# Author : Thomas Bernard
# for use with GNU Make
CFLAGS = -Wall -O -D_GNU_SOURCE -g -DDEBUG -I../iptables/include
#CFLAGS = -Wall -Os -D_GNU_SOURCE
CC = mipsel-uclibc-gcc
LD = mipsel-uclibc-gcc
LDFLAGS += -L../iptables/libiptc
RM = rm -f
INSTALL = install

BASEOBJS = miniupnpd.o upnphttp.o upnpdescgen.o upnpsoap.o \
           upnpreplyparse.o minixml.o \
           upnpredirect.o getifaddr.o daemonize.o upnpglobalvars.o \
           options.o upnppermissions.o minissdp.o
LNXOBJS = linux/getifstats.o linux/iptcrdr.o
LIBS = ../iptables/libiptc/libiptc.a
TESTUPNPDESCGENOBJS = testupnpdescgen.o upnpdescgen.o
EXECUTABLES = miniupnpd testupnpdescgen testgetifstats \
              testupnppermissions miniupnpdctl

.PHONY: all clean install depend

all: $(EXECUTABLES)

clean:
	$(RM) $(BASEOBJS) $(LNXOBJS) $(EXECUTABLES)
	$(RM) testupnpdescgen.o testgetifstats.o
	$(RM) testupnppermissions.o

install: miniupnpd genuuid
	@echo no install at the moment...

# genuuid is using the uuidgen CLI tool which is part of libuuid
# from the e2fsprogs
genuuid:
	sed -i -e "s/^uuid=[-0-9a-f]*/uuid=`genuuid`/" miniupnpd.conf

miniupnpd: $(BASEOBJS) $(LNXOBJS) $(LIBS)

testupnpdescgen: $(TESTUPNPDESCGENOBJS)

testgetifstats: testgetifstats.o linux/getifstats.o

testupnppermissions: testupnppermissions.o upnppermissions.o

miniupnpdctl: miniupnpdctl.o

config.h: genconfig.sh
	./genconfig.sh

depend: config.h
	makedepend -f$(MAKEFILE_LIST) -Y \
	    $(BASEOBJS:.o=.c) $(LNXOBJS:.o=.c) $(TESTUPNPDESCGENOBJS:.o=.c) \
	    testgetifstats.c 2>/dev/null

# DO NOT DELETE
miniupnpd.o: config.h upnpglobalvars.h upnppermissions.h upnphttp.h
miniupnpd.o: upnpdescgen.h miniupnpdpath.h getifaddr.h daemonize.h upnpsoap.h
miniupnpd.o: options.h minissdp.h
upnphttp.o: upnphttp.h config.h upnpdescgen.h miniupnpdpath.h upnpsoap.h
upnpdescgen.o: upnpdescgen.h miniupnpdpath.h upnpglobalvars.h
upnpdescgen.o: upnppermissions.h config.h upnpdescstrings.h
upnpsoap.o: upnpglobalvars.h upnppermissions.h config.h upnphttp.h upnpsoap.h
upnpsoap.o: upnpreplyparse.h upnpredirect.h getifaddr.h getifstats.h
upnpreplyparse.o: upnpreplyparse.h minixml.h
minixml.o: minixml.h
upnpredirect.o: upnpredirect.h upnpglobalvars.h upnppermissions.h config.h
upnpredirect.o: openbsd/obsdrdr.h
getifaddr.o: getifaddr.h
daemonize.o: daemonize.h
upnpglobalvars.o: upnpglobalvars.h upnppermissions.h config.h
options.o: options.h upnppermissions.h config.h upnpglobalvars.h
upnppermissions.o: config.h upnppermissions.h
minissdp.o: config.h upnpdescstrings.h miniupnpdpath.h upnphttp.h
minissdp.o: upnpglobalvars.h upnppermissions.h minissdp.h
linux/getifstats.o: getifstats.h
linux/iptcrdr.o: linux/iptcrdr.h
testupnpdescgen.o: upnpdescgen.h
upnpdescgen.o: upnpdescgen.h miniupnpdpath.h upnpglobalvars.h
upnpdescgen.o: upnppermissions.h config.h upnpdescstrings.h
testgetifstats.o: getifstats.h
|
Greetings,
jchuit
http://sourceforge.net/projects/tarifa/
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1589
Posted: Sun Sep 02, 2007 4:53 pm. Post subject:
You should remove the lines
Code: |
config.h: genconfig.sh
	./genconfig.sh
|
from the file and you will never have problems with genconfig.sh any more.
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1589
Posted: Mon Sep 24, 2007 8:42 pm. Post subject: Re: Limiting the max amount of open ports.
jchuit wrote:
    [...]
    I think it would be nice to set a limit on the open ports and first delete obsolete mappings if the value is higher than the limit.
    [...]
I finally implemented the feature!
With the latest miniupnpd version, 20070924, you can set a ruleset size threshold: once it is reached, the daemon will check for inactive rules and remove them (the interval at which inactive rules are checked can be configured too).
It would be nice if you are able to test the feature in real conditions.
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
jchuit
Joined: 15 Apr 2007 Posts: 9 Location: Netherlands
Posted: Mon Dec 10, 2007 9:12 pm. Post subject:
Today I tested the new feature for deleting unused mappings.
The threshold isn't built into the user interface yet; I made the config file manually.
Will the NAT-PMP daemon also be a configuration option?
This is the config file I used:
---------------------------------------------------------------------------
cat /tmp/miniupnpd.conf
ext_ifname=vlan1
listening_ip=192.168.1.1
port=5000
bitrate_up=100000000
bitrate_down=100000000
system_uptime=yes
notify_interval=30
uuid=fc4ec57e-b051-000f-6651-568401d0009d
clean_ruleset_threshold=2
clean_ruleset_interval=1
allow 1024-65535 192.168.1.1/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
-------------------------------------------------------------------------------
/tmp # miniupnpd -f /tmp/miniupnpd.conf
Reading configuration from file /tmp/miniupnpd.conf
perm rule added : allow 1024-65535 c0a80101/ffffff00 1024-65535
perm rule added : deny 0-65535 00000000/00000000 0-65535
--------------------------------------------------------------------------------
If the threshold is reached, some (sometimes all) mappings are deleted.
Greetings,
jchuit
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1589
Posted: Tue Dec 11, 2007 12:44 am. Post subject:
jchuit wrote:
    Today I tested the new feature for deleting unused mappings.
    The threshold isn't built into the user interface yet; I made the config file manually.
    Will the NAT-PMP daemon also be a configuration option?
That is a good idea!
jchuit wrote:
    This is the config file I used:
    ---------------------------------------------------------------------------
    cat /tmp/miniupnpd.conf
    ext_ifname=vlan1
    listening_ip=192.168.1.1
    port=5000
    bitrate_up=100000000
    bitrate_down=100000000
    system_uptime=yes
    notify_interval=30
    uuid=fc4ec57e-b051-000f-6651-568401d0009d
    clean_ruleset_threshold=2
    clean_ruleset_interval=1
An interval of 1 second is too frequent, I think. Don't put it below 60 seconds, or else only very, very busy connections will "survive".
1 second is too little to see if packets are going.
jchuit wrote:
    allow 1024-65535 192.168.1.1/24 1024-65535
    deny 0-65535 0.0.0.0/0 0-65535
    -------------------------------------------------------------------------------
    /tmp # miniupnpd -f /tmp/miniupnpd.conf
    Reading configuration from file /tmp/miniupnpd.conf
    perm rule added : allow 1024-65535 c0a80101/ffffff00 1024-65535
    perm rule added : deny 0-65535 00000000/00000000 0-65535
    --------------------------------------------------------------------------------
    If the threshold is reached, some (sometimes all) mappings are deleted.
    Greetings,
    jchuit
Seems OK.
Regards
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
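The measurement behind this exchange and behind the stale-mapping list in the first post, as an added example that is not part of the thread and not code from miniupnpd or Tarifa: a POSIX shell script that parses the MINIUPNPD chain in the `iptables -L MINIUPNPD -v -n -x` layout shown in the first post, compares two snapshots taken some interval apart, and reports the mappings whose packet counters did not move in between. The three snapshots are constructed (six of the rules from the first post, with the counters advanced by hand for "1 second later" and "60 seconds later"); the function names, the threshold gate and the rule "unchanged counter means idle" are this example's own assumptions and are not the exact semantics of miniupnpd's clean_ruleset_threshold and clean_ruleset_interval options.

```shell
#!/bin/sh
# Added example, not code from miniupnpd or Tarifa: decide which UPnP port
# mappings are idle by comparing packet counters of the MINIUPNPD chain
# between two snapshots taken some interval apart.  Assumes the legacy
# `iptables -L MINIUPNPD -v -n -x` layout shown in the thread:
#   pkts bytes target prot opt in out source destination [prot] dpt:PORT

snap_before=$(mktemp); snap_1s=$(mktemp); snap_60s=$(mktemp)
trap 'rm -f "$snap_before" "$snap_1s" "$snap_60s"' EXIT

# Constructed snapshot: six of the rules from the first post, counters as listed.
cat >"$snap_before" <<'EOF'
Chain MINIUPNPD (1 references)
 pkts bytes target prot opt in out source    destination
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 192.168.24.163 tcp dpt:12900
    2   523 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.160 udp dpt:45844
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 192.168.24.160 tcp dpt:45844
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.161 udp dpt:3333
    1    84 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.161 udp dpt:3160
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.159 udp dpt:9592
EOF

# Constructed: the same chain 1 second later.  Only the busiest mapping has
# seen a packet; the slow but live ones (udp 3333, udp 3160) look dead.
cat >"$snap_1s" <<'EOF'
Chain MINIUPNPD (1 references)
 pkts bytes target prot opt in out source    destination
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 192.168.24.163 tcp dpt:12900
    3   660 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.160 udp dpt:45844
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 192.168.24.160 tcp dpt:45844
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.161 udp dpt:3333
    1    84 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.161 udp dpt:3160
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.159 udp dpt:9592
EOF

# Constructed: 60 seconds later.  Every mapping that is really in use has moved.
cat >"$snap_60s" <<'EOF'
Chain MINIUPNPD (1 references)
 pkts bytes target prot opt in out source    destination
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 192.168.24.163 tcp dpt:12900
   41  9870 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.160 udp dpt:45844
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 192.168.24.160 tcp dpt:45844
    1    96 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.161 udp dpt:3333
    7   590 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.161 udp dpt:3160
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 192.168.24.159 udp dpt:9592
EOF

# Number of mapping rules in a snapshot (one ACCEPT line per mapping).
count_mappings() {
    awk '/^ *[0-9]+ +[0-9]+ +ACCEPT/ { n++ } END { print n + 0 }' "$1"
}

# Print "proto internal_ip dpt:port" for each rule present in both snapshots
# whose packet counter did not change between OLD and NEW.
idle_mappings() {   # idle_mappings OLD NEW
    awk '
        /^ *[0-9]+ +[0-9]+ +ACCEPT/ {
            key = $4 " " $9 " " $NF                   # proto, internal host, dpt:PORT
            if (NR == FNR) { pkts[key] = $1; next }   # still reading OLD
            if ((key in pkts) && pkts[key] == $1) print key
        }' "$1" "$2"
}

idle_count() { idle_mappings "$1" "$2" | awk 'END { print NR }'; }

# Threshold gate (this example's own rule, not miniupnpd's exact semantics):
# only hunt for idle rules once the chain has grown beyond LIMIT entries.
needs_cleaning() {   # needs_cleaning SNAPSHOT LIMIT
    [ "$(count_mappings "$1")" -gt "$2" ]
}

limit=4
if needs_cleaning "$snap_60s" "$limit"; then
    total=$(count_mappings "$snap_before")
    echo "$total mappings in chain (limit $limit), looking for idle ones"
    echo "idle after  1 s: $(idle_count "$snap_before" "$snap_1s") of $total"
    echo "idle after 60 s: $(idle_count "$snap_before" "$snap_60s") of $total"
    idle_mappings "$snap_before" "$snap_60s" | sed 's/^/  would remove: /'
fi
```

On a router, replace the heredocs with two captures of `iptables -L MINIUPNPD -v -n -x` taken clean_ruleset_interval seconds apart. With the 1-second snapshot five of the six mappings look idle, including udp 3160 and udp 3333, which are slow but alive; with the 60-second snapshot only the three mappings that never carried a packet are flagged, which is exactly why the advice above is to keep the interval at 60 seconds or more.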
liangjm_1984
Joined: 08 Jan 2008 Posts: 2
Posted: Tue Jan 08, 2008 8:21 am. Post subject:
Thank you.