 From:  sylikc <sylikc at gmail dot com>
 To:  Fernando Costa <cusquinho at gmail dot com>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] UPNP
 Date:  Wed, 19 Oct 2005 11:20:17 -0700
Fernando,
 On 10/19/05, Fernando Costa <cusquinho at gmail dot com> wrote:

> Ok, I'll not talk about this topic anymore. Don't think "horrible
> idea" is the best way to describe it. I see it as an optional function
> that could be used in some cases, such as home users. I know Cisco
> wont put that in their routers, but they do put UPNP in their home
> users Linksys routers. And still, lots of applications come with UPNP
> and Windows Vista has a good work on that.

 uPNP is a feature that makes it easier for things on OSI Layer 7 to have
direct control over Layer 3/4. As usual, with anything that makes it
"easier" to do something, there's usually a good deal of security
implications.
 Many vendors have to "follow the market" when it comes to their
consumer-end products because they are out for profit, have to sell as much
as possible. Things like content-filtering, parental controls and other
oddball features that don't really belong on a firewall have worked their
way into consumer routers/firewalls.
 m0n0wall, as Manuel has described time and time again is designed as simple
and fundamental. m0n0wall doesn't have to follow the market in terms of
features because the latest cutting edge (take FreeBSD 5's support for
802.11g) isn't almost the most stable and time-tested solution.
 To build a good core router/firewall, it's probably a good idea to follow
the steps of the enterprise world. If the enterprises start adding uPNP to
their firewalls, then it might be worth revisiting the issue (I doubt it'll
ever happen, some aren't even stateful yet!).

> I also want to mention that I do agree this is not a high priority
> TODO. It's just a cool feature that could be added (again, as
> optional) in the future. There is no need to be "rude" about that.

 I agree uPNP is a "cool" feature to give userland applications direct
access to NAT traversal configurations. It makes configuration really easy,
painless and is usually marketed for no-hassle firewall configuration for
end-users. It allows some app devs to be sloppy and open all types of ports
with ease by making NAT transparent (most uPNP apps afaik are Windows-based,
usually p2p).
 But, not too long ago, it was "cool" too to make everyone a computer
administrator to relieve the hassles of being a limited user...
  my 2 cents.
  /sylikc

> Fernando
>
> On 10/19/05, Aaron K. Moore <amoore at dekalbmemorial dot com> wrote:
> >
> > I agree. UPNP is a horrible idea, which is why common security
> > practices have you turn it off on any workstations and on the router if
> > it's supported. It's bad enough that a bunch of applications can now
> > encapsulate their data in http packets.
>
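The "open all types of ports with ease" capability sylikc refers to is the IGD AddPortMapping SOAP action a UPnP-enabled firewall accepts from any LAN host. Below is an added example, not code from this thread, from m0n0wall or from anyone on the list: a small Python audit that parses AddPortMapping requests and flags the mappings an administrator would normally want to look at before a router honours them. The action and argument names are the standard WANIPConnection:1 ones; the captured requests, the IP addresses and the three policy rules (forwarding to a host other than the requester, a privileged external port, no lease expiry) are my own constructed data and assumptions.

```python
"""Audit UPnP IGD AddPortMapping requests seen on a LAN.

Added example for this thread; not code from the m0n0wall project or from
anyone on the list. The SOAP action and argument names are the standard
UPnP IGD WANIPConnection:1 ones; the captured requests are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"


@dataclass
class PortMapping:
    requester: str        # LAN host that sent the SOAP request
    external_port: int
    internal_port: int
    internal_client: str  # host the firewall would forward traffic to
    protocol: str
    description: str
    lease_seconds: int    # 0 means the mapping never expires


def parse_add_port_mapping(requester: str, body: str) -> Optional[PortMapping]:
    """Return the mapping an AddPortMapping request asks for, or None when the
    SOAP body carries some other action (e.g. GetExternalIPAddress)."""
    root = ET.fromstring(body)
    action = root.find(".//{%s}AddPortMapping" % WANIP_NS)
    if action is None:
        return None

    def arg(name: str) -> str:
        # Argument elements are unqualified children of the action element.
        node = action.find(name)
        return (node.text or "").strip() if node is not None else ""

    return PortMapping(
        requester=requester,
        external_port=int(arg("NewExternalPort")),
        internal_port=int(arg("NewInternalPort")),
        internal_client=arg("NewInternalClient"),
        protocol=arg("NewProtocol").upper(),
        description=arg("NewPortMappingDescription"),
        lease_seconds=int(arg("NewLeaseDuration") or "0"),
    )


def audit(m: PortMapping) -> List[str]:
    """Policy checks (assumed here) a firewall admin would want before
    honouring a mapping; an empty list means nothing was flagged."""
    findings = []
    if m.internal_client != m.requester:
        findings.append("forwards to a host other than the requester")
    if m.external_port < 1024:
        findings.append("exposes a privileged external port")
    if m.lease_seconds == 0:
        findings.append("permanent mapping with no lease expiry")
    return findings


def audit_capture(capture: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run the audit over (requester, SOAP body) pairs; skip non-mapping actions."""
    report = []
    for requester, body in capture:
        m = parse_add_port_mapping(requester, body)
        if m is None:
            continue
        label = "%s:%d/%s -> %s:%d" % (requester, m.external_port, m.protocol,
                                     m.internal_client, m.internal_port)
        report.append((label, audit(m)))
    return report


_ENVELOPE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="%s" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>%s</s:Body></s:Envelope>"""


def _add_mapping_body(ext, proto, internal, client, desc, lease):
    """Build a constructed AddPortMapping body (all values are sample data)."""
    action = ("<u:AddPortMapping xmlns:u=\"%s\"><NewRemoteHost></NewRemoteHost>"
              "<NewExternalPort>%d</NewExternalPort><NewProtocol>%s</NewProtocol>"
              "<NewInternalPort>%d</NewInternalPort><NewInternalClient>%s</NewInternalClient>"
              "<NewEnabled>1</NewEnabled><NewPortMappingDescription>%s</NewPortMappingDescription>"
              "<NewLeaseDuration>%d</NewLeaseDuration></u:AddPortMapping>"
              % (WANIP_NS, ext, proto, internal, client, desc, lease))
    return _ENVELOPE % (SOAP_NS, action)


# Constructed capture: two mapping requests from one LAN host and one unrelated query.
SAMPLE_CAPTURE = [
    ("192.168.1.20", _add_mapping_body(6881, "TCP", 6881, "192.168.1.20", "p2p client", 3600)),
    ("192.168.1.20", _add_mapping_body(80, "TCP", 80, "192.168.1.50", "file share", 0)),
    ("192.168.1.20", _ENVELOPE % (SOAP_NS,
        "<u:GetExternalIPAddress xmlns:u=\"%s\"></u:GetExternalIPAddress>" % WANIP_NS)),
]

if __name__ == "__main__":
    for label, findings in audit_capture(SAMPLE_CAPTURE):
        print(label, "OK" if not findings else "; ".join(findings))
```

The first request (a p2p client opening its own listening port for an hour) passes all three checks; the second asks the router to forward a privileged port to a different LAN host for ever, which is exactly the kind of mapping a "transparent NAT" hands out without anyone at the firewall seeing it.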