 From:  "Charlie Barker" <CharlieBarker at RedlineSoftware dot co dot uk>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Re: UPnP as a possible future option?
 Date:  Wed, 30 Nov 2005 18:18:29 -0000
I understand the concept of UPnP and why it creates a big security risk; it
represents perfectly the Usability vs Security balancing act that all
firewall vendors face.

If it cannot be denied that home users make up a significant % of the
m0n0wall user base then maybe the rearchitecting process could make possible
two versions; a home user friendly one and a more secure business version
mimicking both Netgear and Cisco in their respective approaches and
targeting of customers. I realise this is a big ask but a one size fits all
version of m0n0wall will never please everyone.



-----Original Message-----
From: Mas Libman [mailto:mas at masandwendy dot com] 
Sent: 30 November 2005 17:58
To: 'Giobbi, Ryan'; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Re: UPnP as a possible future option?

Many of us are also using m0n0wall at home where UPNP support is the norm
(many apps require it to work properly.) From a security standpoint,
application-specific firewalls on each client are better at preventing some
worm or virus from opening up ports. If the argument against UPNP is simply
that it is insecure, then how is it so much worse than the recommendations
I've seen to punch any # of holes in the firewall or to put a machine in the
DMZ? 

Cheers,

/Mas

-----Original Message-----
From: Giobbi, Ryan [mailto:rgiobbi at AGOC dot com]
Sent: Wednesday, November 30, 2005 9:11 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Re: UPnP as a possible future option?

> Name a single *real* firewall that supports UPNP. There aren't any, 
> because it's a ridiculously bad idea.
>
> I'm sufficiently tired of hearing people ask for something to make them
> horribly insecure though, so at this point if somebody wants to add 
> support that's disabled by default, more power to 'em. ;)
>
> -Chris

I saw the above challenge in the list archives and found two real firewall
configuration tools (both use IPTables on the backend) that support UPnP.

- Shorewall
http://www.shorewall.net/UPnP.html

- Firewall Builder
http://www.fwbuilder.org/archives/cat_about.html
 

-----Original Message-----
From: news [mailto:news at sea dot gmane dot org] On Behalf Of Braden McGrath
Sent: Wednesday, November 30, 2005 9:30 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Re: UPnP as a possible future option?

Mas Libman <mas <at> masandwendy.com> writes:

> (Braden, you might take a look at Smoothwall.org if UPNP is that
> important.)

I'll keep it in mind, but last I was aware Smoothwall doesn't run on Soekris
hardware.  :(  I have a net48xx and the silence and low heat output are
important due to the location of the router.  If I could get Smoothwall to
run on it, then I'd go that route, but to my knowledge it's not a supported
configuration, even if I throw a huge CF card in it.

It's kind of sad when most $50 cheap-o home routers support UPnP, but it
isn't even offered as an *option* in m0n0, which is supposed to be a
superior solution.  I'm not suggesting that UPnP should be enabled by
default or anything insane like that, but I can't imagine that it is too
hard to add...

Or maybe it is, I can say after checking out the current (sorry) state of
UPnP development for BSD.  :(

Guess I'll just have to live with it then.


---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch



