miniupnp.tuxfamily.org Forum Index miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp
 

Limiting the max amount of open ports.

 
jchuit



Joined: 15 Apr 2007
Posts: 9
Location: Netherlands

Posted: Wed May 23, 2007 2:46 pm    Post subject: Limiting the max amount of open ports.

At the moment, I am testing the miniupnpd for use in the Tarifa (030RC7) firmware.
Miniupnpd works very well, it is stable and quick.

Some of the PCs (4 out of 15) connected to the router leave ports open; after 6 days I have a list.

The MINIUPNPD chain from the iptables_display.sh output:
Chain MINIUPNPD (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.24.163 tcp dpt:12900
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.24.163 tcp dpt:14972
2 523 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.160 udp dpt:45844
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.24.160 tcp dpt:45844
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.161 udp dpt:3333
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.161 udp dpt:3345
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.161 udp dpt:3697
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.163 udp dpt:16674
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.163 udp dpt:13208
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.24.163 tcp dpt:4670
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.24.163 tcp dpt:4670
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.163 udp dpt:15568
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.163 udp dpt:13734
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.24.163 tcp dpt:11534
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.163 udp dpt:10783
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.161 udp dpt:3083
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.161 udp dpt:3114
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.161 udp dpt:3115
1 84 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.161 udp dpt:3160
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.161 udp dpt:3267
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.161 udp dpt:3291
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.161 udp dpt:16738
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.24.161 tcp dpt:7254
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.159 udp dpt:9592

I think it would be nice to set a limit on the open ports and first delete obsolete mappings if the value is higher than the limit.

Greetings,
jchuit
http://tarifa.sourceforge.net/
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

Posted: Thu Aug 30, 2007 10:57 pm

I'm still looking for a smart method for removing obsolete/unused port mappings.
Until then, you could try to use the 1.0-RC8 version, it improves things with XBox 360.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
jchuit



Joined: 15 Apr 2007
Posts: 9
Location: Netherlands

Posted: Sat Sep 01, 2007 6:11 pm    Post subject: overwrite config.h

Thanks,

I have to say that the miniUPnPd is working very well, it never has any problem and works without any care. I use a script that restarts miniUPnPd every time something changes in the firewall rules of iptables.

Compiling: The latest releases overwrite the config.h if cross-compiling under Linux Debian 3.1. This means Debian values are written in the config.h instead of the MIPS kernel.

Greeting,
jchuit
http://sourceforge.net/projects/tarifa/
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

Posted: Sat Sep 01, 2007 9:16 pm    Post subject: Re: overwrite config.h

jchuit wrote:

Compiling: The latest releases overwrite the config.h if cross-compiling under Linux Debian 3.1. This means Debian values are written in the config.h instead of the MIPS kernel.

It is because the genconfig.sh file has been updated more recently than the config.h file.
In order to avoid this, you should "touch config.h" just before calling make.
Anyway, what Makefile are you using for cross compiling? I thought I made a Makefile.openwrt that doesn't call genconfig.sh, but maybe it doesn't suit your needs.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
jchuit



Joined: 15 Apr 2007
Posts: 9
Location: Netherlands

Posted: Sun Sep 02, 2007 8:45 am    Post subject: Makefile

The openwrt config.h v1.9 is based on iptables 1.3.3, Tarifa uses iptables 1.3.5, and it uses the file rules.mk that is only available in Openwrt/Xwrt/etc.

The UUID is made with a key and the MAC address of the router; this will give a unique UUID for any wrt54g(L). The UUID value is written in the miniupnpd.conf.

The makefile that I use in Tarifa b030/b031:

Code:
# $Id: Makefile.linux,v 1.20 2007/03/01 23:00:17 nanard Exp $
# http://miniupnp.free.fr/
# Author : Thomas Bernard
# for use with GNU Make
CFLAGS = -Wall -O -D_GNU_SOURCE -g -DDEBUG -I../iptables/include
#CFLAGS = -Wall -Os -D_GNU_SOURCE
CC = mipsel-uclibc-gcc
LD = mipsel-uclibc-gcc
LDFLAGS += -L../iptables/libiptc
RM = rm -f
INSTALL = install

BASEOBJS = miniupnpd.o upnphttp.o upnpdescgen.o upnpsoap.o \
           upnpreplyparse.o minixml.o \
         upnpredirect.o getifaddr.o daemonize.o upnpglobalvars.o \
         options.o upnppermissions.o minissdp.o

LNXOBJS = linux/getifstats.o linux/iptcrdr.o

LIBS = ../iptables/libiptc/libiptc.a

TESTUPNPDESCGENOBJS = testupnpdescgen.o upnpdescgen.o

EXECUTABLES = miniupnpd testupnpdescgen testgetifstats \
              testupnppermissions miniupnpdctl

.PHONY:   all clean install depend

all:   $(EXECUTABLES)

clean:
	$(RM) $(BASEOBJS) $(LNXOBJS) $(EXECUTABLES)
	$(RM) testupnpdescgen.o testgetifstats.o
	$(RM) testupnppermissions.o

install:	miniupnpd genuuid
	@echo no install at the moment...

# genuuid is using the uuidgen CLI tool which is part of libuuid
# from the e2fsprogs
genuuid:
	sed -i -e "s/^uuid=[-0-9a-f]*/uuid=`genuuid`/" miniupnpd.conf

miniupnpd:   $(BASEOBJS) $(LNXOBJS) $(LIBS)

testupnpdescgen:   $(TESTUPNPDESCGENOBJS)

testgetifstats:   testgetifstats.o linux/getifstats.o

testupnppermissions:   testupnppermissions.o upnppermissions.o

miniupnpdctl:   miniupnpdctl.o

config.h:	genconfig.sh
	./genconfig.sh

depend:	config.h
	makedepend -f$(MAKEFILE_LIST) -Y \
	$(BASEOBJS:.o=.c) $(LNXOBJS:.o=.c) $(TESTUPNPDESCGENOBJS:.o=.c) \
	testgetifstats.c 2>/dev/null

# DO NOT DELETE

miniupnpd.o: config.h upnpglobalvars.h upnppermissions.h upnphttp.h
miniupnpd.o: upnpdescgen.h miniupnpdpath.h getifaddr.h daemonize.h upnpsoap.h
miniupnpd.o: options.h minissdp.h
upnphttp.o: upnphttp.h config.h upnpdescgen.h miniupnpdpath.h upnpsoap.h
upnpdescgen.o: upnpdescgen.h miniupnpdpath.h upnpglobalvars.h
upnpdescgen.o: upnppermissions.h config.h upnpdescstrings.h
upnpsoap.o: upnpglobalvars.h upnppermissions.h config.h upnphttp.h upnpsoap.h
upnpsoap.o: upnpreplyparse.h upnpredirect.h getifaddr.h getifstats.h
upnpreplyparse.o: upnpreplyparse.h minixml.h
minixml.o: minixml.h
upnpredirect.o: upnpredirect.h upnpglobalvars.h upnppermissions.h config.h
upnpredirect.o: openbsd/obsdrdr.h
getifaddr.o: getifaddr.h
daemonize.o: daemonize.h
upnpglobalvars.o: upnpglobalvars.h upnppermissions.h config.h
options.o: options.h upnppermissions.h config.h upnpglobalvars.h
upnppermissions.o: config.h upnppermissions.h
minissdp.o: config.h upnpdescstrings.h miniupnpdpath.h upnphttp.h
minissdp.o: upnpglobalvars.h upnppermissions.h minissdp.h
linux/getifstats.o: getifstats.h
linux/iptcrdr.o: linux/iptcrdr.h
testupnpdescgen.o: upnpdescgen.h
upnpdescgen.o: upnpdescgen.h miniupnpdpath.h upnpglobalvars.h
upnpdescgen.o: upnppermissions.h config.h upnpdescstrings.h
testgetifstats.o: getifstats.h

Greetings,
jchuit
http://sourceforge.net/projects/tarifa/
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

Posted: Sun Sep 02, 2007 4:53 pm

You should remove the lines
Code:
config.h:	genconfig.sh
	./genconfig.sh
from the file and you will never have problems with genconfig.sh any more.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

Posted: Mon Sep 24, 2007 8:42 pm    Post subject: Re: Limiting the max amount of open ports.

jchuit wrote:
[...]
I think it would be nice to set a limit on the open ports and first delete obsolete mappings if the value is higher than the limit.
[...]

I finally implemented the feature!
With the last miniupnpd version, miniupnpd 20070924, you can set a ruleset size threshold: once it is reached, the daemon will check and remove inactive rules (the delay to check inactive rules can be configured too).
It would be nice if you are able to test the feature in real conditions.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
jchuit



Joined: 15 Apr 2007
Posts: 9
Location: Netherlands

Posted: Sat Dec 08, 2007 5:02 pm    Post subject: Tarifa 032 beta

New release including PMP-support can be found here:

Firmware for the WRT54GL
ftp://krumdeel.dyndns.org/WRT54GL/Tarifa032beta1.zip

Source code GPL:
ftp://krumdeel.dyndns.org/WRT54GL/Tarifa032beta1.tar

Greetings,
jchuit
http://tarifa.sourceforge.net/
jchuit



Joined: 15 Apr 2007
Posts: 9
Location: Netherlands

Posted: Mon Dec 10, 2007 9:12 pm

Today I did test the new feature for deleting unused mappings.
The threshold isn't built into the User Interface yet, I made the config file manually.

Will the NAT-PMP daemon also be a configuration option?

This is the config file I used:

---------------------------------------------------------------------------
cat /tmp/miniupnpd.conf
ext_ifname=vlan1
listening_ip=192.168.1.1
port=5000
bitrate_up=100000000
bitrate_down=100000000
system_uptime=yes
notify_interval=30
uuid=fc4ec57e-b051-000f-6651-568401d0009d
clean_ruleset_threshold=2
clean_ruleset_interval=1
allow 1024-65535 192.168.1.1/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
-------------------------------------------------------------------------------
/tmp # miniupnpd -f /tmp/miniupnpd.conf
Reading configuration from file /tmp/miniupnpd.conf
perm rule added : allow 1024-65535 c0a80101/ffffff00 1024-65535
perm rule added : deny 0-65535 00000000/00000000 0-65535
--------------------------------------------------------------------------------

If the threshold is reached some (sometimes all) mappings are deleted.

Greetings,
jchuit
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

Posted: Tue Dec 11, 2007 12:44 am

jchuit wrote:
Today I did test the new feature for deleting unused mappings.
The threshold isn't built into the User Interface yet, I made the config file manually.

Will the NAT-PMP daemon also be a configuration option?

That is a good idea!

jchuit wrote:
This is the config file I used:

---------------------------------------------------------------------------
cat /tmp/miniupnpd.conf
ext_ifname=vlan1
listening_ip=192.168.1.1
port=5000
bitrate_up=100000000
bitrate_down=100000000
system_uptime=yes
notify_interval=30
uuid=fc4ec57e-b051-000f-6651-568401d0009d
clean_ruleset_threshold=2
clean_ruleset_interval=1

An interval of 1 second is too frequent, I think. Don't put it below 60 seconds or else only very, very busy connections will "survive".
1 second is too little to see if packets are going :)

jchuit wrote:
allow 1024-65535 192.168.1.1/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
-------------------------------------------------------------------------------
/tmp # miniupnpd -f /tmp/miniupnpd.conf
Reading configuration from file /tmp/miniupnpd.conf
perm rule added : allow 1024-65535 c0a80101/ffffff00 1024-65535
perm rule added : deny 0-65535 00000000/00000000 0-65535
--------------------------------------------------------------------------------

If the threshold is reached some (sometimes all) mappings are deleted.

Greetings,
jchuit

Seems OK :)

Regards
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
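
A small model of the cleanup behaviour discussed in the posts above, added here as an example and not taken from miniupnpd's source. It assumes "inactive" means a rule's packet counter did not change between two checks; the function names are hypothetical and the two snapshots are constructed in the format of the listing earlier in the thread.

```python
from collections import Counter

# Constructed samples: the MINIUPNPD chain listed twice, one check interval
# apart, in the same format as the listing earlier in this thread.
SNAP_T0 = """\
Chain MINIUPNPD (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.24.163 tcp dpt:12900
2 523 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.160 udp dpt:45844
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.24.160 tcp dpt:45844
1 84 ACCEPT udp -- * * 0.0.0.0/0 192.168.24.161 udp dpt:3160
"""
SNAP_T1 = SNAP_T0.replace("2 523 ACCEPT", "9 2210 ACCEPT")  # only this rule saw traffic


def parse_chain(text):
    """Map (proto, dest_ip, dport) -> packet count for every ACCEPT rule."""
    rules = Counter()
    for line in text.splitlines():
        f = line.split()
        # Skip the chain title, the column header and anything unexpected.
        if len(f) < 11 or not f[0].isdigit() or f[2] != "ACCEPT":
            continue
        if not f[-1].startswith("dpt:"):
            continue
        # Duplicate rules (same proto/host/port) are merged into one entry.
        rules[(f[3], f[8], int(f[-1][4:]))] += int(f[0])
    return dict(rules)


def inactive_rules(before, after, threshold):
    """Rules a cleanup pass would drop under the assumed model: nothing is
    touched until the ruleset size reaches `threshold`; then a rule is
    inactive if its packet counter did not move since the previous check."""
    if len(after) < threshold:
        return []
    return sorted(k for k, pkts in after.items()
                  if k in before and pkts == before[k])


def mappings_per_host(rules):
    """Count mappings per LAN host, to spot clients that leave ports open."""
    return dict(Counter(ip for _, ip, _ in rules))


if __name__ == "__main__":
    t0, t1 = parse_chain(SNAP_T0), parse_chain(SNAP_T1)
    print(mappings_per_host(t1))
    print(inactive_rules(t0, t1, threshold=2))
```

In this model the udp 3160 mapping, which carried a packet earlier but none during the interval, is dropped together with the mappings that never saw traffic. Real counters should be read with exact values (`iptables -L MINIUPNPD -v -n -x`), since the parser does not handle K/M suffixes.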
jchuit



Joined: 15 Apr 2007
Posts: 9
Location: Netherlands

Posted: Sat Dec 29, 2007 9:08 pm

New release including NAT-PMP and getifstats caching miniUPnPd_20071220

Firmware for the WRT54GL
ftp://krumdeel.dyndns.org/WRT54GL/Tarifa032beta2.zip

Source code GPL:
ftp://krumdeel.dyndns.org/WRT54GL/Tarifa032beta2.tar

Greetings,
jchuit
http://tarifa.sourceforge.net/
liangjm_1984



Joined: 08 Jan 2008
Posts: 2

Posted: Tue Jan 08, 2008 8:21 am

thank you
All times are GMT

 
© 2007 Thomas Bernard, author of MiniUPNP.