On 19.10.2005, at 22:46, Chad R. Larson wrote:
> Fernando Costa wrote:
> I don't think he was saying your request was a horrible idea. I think
> he was saying UPnP was a horrible idea. I agree. It's another
> of Microsoft engineers dreaming up "cool things" with no thought
Ok, let's be honest for a moment. Where do you think m0n0wall is used
the most? Enterprise? Small- and medium-sized businesses? SoHo?
Enthusiast? Well, I couldn't pinpoint it clearly to one group but I
would say based on my experience, it's definitively not the
enterprise group and may be a big part on home users and enthusiasts.
Given this, I would say that uPNP could be a very nice "feature" for
those users. Of course some people might think of it as a "security
hole" but if it's not enabled by default and can only be turned on by
people who know what they are doing (I would say those who install a
m0n0wall should already know what they are doing) then it can be
considered as a "safe" feature.
I really think that some people here are losing the focus on the main
user group... I really don't see m0n0wall as an alternative for high-
security environments in enterprises. So uPNP should be a natural
step to take and to offer it to those users who might want it.
By the way, there are quite some scenarios where uPNP is almost a
required feature. For example, if you have multiple machines that use
apps which all require to have forwarded the same ports like voip
clients, things like iChat or bittorrent behind a nat-ed connection
to the net, then it's not a viable solution to enter port forwardings
for those apps manually. Well, it's even not possible because you can
only forward the ports to one client at a time. Take iChat for
example. If a user wants to make a filetransfer or a video chat they
need to have several ports forwarded to their internal machine. When
some other user wants to do the same 10 minutes later, you would have
to reconfigure every forwarding manually. This is simply not
bearable. In such situations it really makes sense to have some
dynamic configuration that does the job. Also, it makes possible for
an app like iChat to request other external ports when the default
ones are already forwarded to another active iChat user.
Of course uPNP should be implemented safely, so that only certain
addresses or ports may be opened. I don't know uPNP fully, but maybe
it's even possible to restrict the apps that may use it. And then
there is common sense of the users. If you don't turn uPNP on by
default and tell the users, that it's potentially unsafe if they open
it, well then that's all you can do. It's still better than when
people just start to open all ports on the firewall, just to not have
any more hassles. And there are such people who do this with a
m0n0wall. I've seen those installations...! That's far worse than
having a potentially unsafe feature like uPNP which would make those
people's live easier for a smaller trade-off of security. Maybe the
critics of uPNP might start to consider those arguments and try to
remember who is using m0n0wall in the first place.