>> Quark IT - Hilton Travis wrote:
>>>
>>> Anyone who enables UPnP has no conception of security.
>>>
>>
Now don't you think that's a bit of an over generalization?
You are probably thinking about the implementation of UPnP that is
part of Linksys or Netgear branded products, where it is a checkbox to
enable it, and that's it. If you enable UPnP in this way, then yes
I agree with the above statement, since then any device on the network
could open up any port on the firewall whenever it wanted, but a
simple "On/Off" checkbox isn't what I would expect from Monowall or
any other serious firewall. I expect that some botnet software may
already be using UPnP since it is so widely misused in this way.
The implementation of UPnP in PfSense has security minded features,
including the ability to select the specific interface(s) you want it
to be active on, to log packets handled by UPnP, to deny access to
UPnP by default, and to specify essentially ACLs in this format:
[allow or deny] [ext port or range] [int ipaddr or ipaddr/cidr] [int
port or range]
So, it looks like they have put some thought into the security side of
their implementation.
Now, the average user would probably enable UPnP, and leave the "Deny
access by Default" option unchecked, and have UPnP opening up ports
all over the place, but if someone is security minded and wants to
open up UPnP for one or two trusted devices on their network, even
limiting it to a range of ports (or even individual ports), the tools
are available in PfSense to do just that. The same could probably be
done very easily in Monowall.
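As an added illustration of the ACL format quoted in the message above (an example written here, not pfSense's or m0n0wall's own code): a small evaluator that parses rules of the form `[allow|deny] [ext port or range] [int ipaddr or ipaddr/cidr] [int port or range]` and decides whether a UPnP port-mapping request would be permitted, with the "deny access by default" option as a switch. The first-match-wins ordering, the sample addresses and the sample rule set are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ACL in the format described in the post (sample values only):
#   [allow|deny] [ext port or range] [int ipaddr or ipaddr/cidr] [int port or range]
# Two trusted devices get narrow mappings, one host is explicitly denied, and
# anything else is decided by the "deny access by default" setting.
SAMPLE_ACL = """
allow 51413 192.168.1.10 51413
allow 3074-3079 192.168.1.20/32 3074-3079
deny 1-65535 192.168.1.100/32 1-65535
"""

@dataclass(frozen=True)
class AclRule:
    action: str                   # "allow" or "deny"
    ext_ports: tuple              # (low, high), inclusive external port range
    int_net: ipaddress.IPv4Network  # internal host (/32) or subnet
    int_ports: tuple              # (low, high), inclusive internal port range

def parse_port_range(spec: str) -> tuple:
    """'80' -> (80, 80); '3074-3079' -> (3074, 3079). Rejects values outside 1-65535."""
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return lo_i, hi_i

def parse_rule(line: str) -> AclRule:
    parts = line.split()
    if len(parts) != 4 or parts[0] not in ("allow", "deny"):
        raise ValueError(f"malformed rule: {line!r}")
    action, ext, host, intp = parts
    # A bare address becomes a /32; an explicit prefix is kept as given.
    net = ipaddress.ip_network(host, strict=False)
    return AclRule(action, parse_port_range(ext), net, parse_port_range(intp))

def parse_acl(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def mapping_allowed(rules, ext_port: int, int_ip: str, int_port: int,
                    deny_by_default: bool = True) -> bool:
    """Decide whether a UPnP request to map ext_port -> int_ip:int_port is permitted.
    Assumed semantics: first matching rule wins; no match falls through to the default."""
    addr = ipaddress.ip_address(int_ip)
    for r in rules:
        if (r.ext_ports[0] <= ext_port <= r.ext_ports[1] and addr in r.int_net
                and r.int_ports[0] <= int_port <= r.int_ports[1]):
            return r.action == "allow"
    return not deny_by_default  # unchecked "deny by default" = open to anyone

RULES = parse_acl(SAMPLE_ACL)
```

With `deny_by_default=False` the unmatched request from an arbitrary host succeeds, which is the "ports opening up all over the place" case the post describes; the explicit deny rule still blocks its host either way.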