 From:  Paul Taylor <ptaylor at addressplus dot net>
 To:  Mono Wall list <m0n0wall at lists dot m0n0 dot ch>
 Cc:  M0n0 Wall Dev list <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall-dev] Re: [m0n0wall] Feature request: UPnP
 Date:  Wed, 23 Jul 2008 07:40:35 -0400
>> Quark IT - Hilton Travis wrote:
>>> Anyone who enables UPnP has no conception of security.

Now don't you think that's a bit of an over generalization?

You are probably thinking about the implementation of UPnP that is
part of Linksys or Netgear branded products, where it is a checkbox to
enable it, and that's it.  If you enable UPnP in this way, then yes
I agree with the above statement, since then any device on the network
could open up any port on the firewall whenever it wanted, but a
simple "On/Off" checkbox isn't what I would expect from Monowall or
any other serious firewall.  I expect that some botnet software may
already be using UPnP since it is so widely misused in this way.

The implementation of UPnP in PfSense has security minded features,  
including the ability to select the specific interface(s) you want it  
to be active on, to log packets handled by UPnP, to deny access to  
UPnP by default, and to specify essentially ACLs in this format:

[allow or deny] [ext port or range] [int ipaddr or ipaddr/cidr] [int
port or range]

So, it looks like they have put some thought into the security side of  
their implementation.

Now, the average user would probably enable UPnP, and leave the "Deny  
access by Default" option unchecked, and have UPnP opening up ports  
all over the place, but if someone is security minded and wants to  
open up UPnP for one or two trusted devices on their network, even  
limiting it to a range of ports (or even individual ports), the tools  
are available in PfSense to do just that.  The same could probably be  
done very easily in Monowall.