[ previous ] [ next ] [ threads ]
 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] UPnP is bad, mmkay?
 Date:  Tue, 15 Jan 2008 10:17:29 -0600
I can say my network is 100% trustworthy and 100% trojan/virus/worm
free. But, then again I am a single user environment and if I cannot
trust myself... I also NEVER bring a client machine onto my LAN segment,
that is what my DMZ is for...

As a bright spot, I think most of the Cisco Lite devices (aka Linksys) I
have had to look into recently the UPNP has been disabled by default. 

James W. McKeand 

-----Original Message-----
From: mtnbkr [mailto:waa dash m0n0wall at revpol dot com] 
Sent: Tuesday, January 15, 2008 9:33 AM
To: m0n0wall
Subject: Re: [m0n0wall] UPnP is bad, mmkay?

Lee Sharp wrote:
> How many times did people want UPnP added to m0n0wall?  How many times
> did we say it was bad?  Surprise!  It is bad.  Feel free to gloat,
> because I am. :)
> http://www.channelregister.co.uk/2008/01/15/home_router_insecurity/

LOL... I remember when I first read about UPnP on a "firewall" device. I
think I fell off my chair laughing... Not sure though since I think I
hit my head too. ;)

I also laugh (well... cringe is more like it) when I see the "DMZ"
check-box on other 'firewalls' that simple create a 1:1 map from the

Seriously. Who in their right mind thinks allowing any device inside a
network to open up arbitrary communications channels to the Internet is
a smart and/or secure way to network?

From the wikipedia page:

UPnP IGD assumes that all local systems and their users are completely
trustworthy, and that no local system is infected with any worm or

If either of these assumptions are not true then UPnP can be used to
totally defeat a UPnP-supporting firewall by allowing incoming
connections to arbitrary local systems on any port.

Ok, so a show of hands... Who has completely trustworthy users on their
network AND can guarantee 100% that the Windows machines they are using
are 100% trojan/virus/worm free?

Oh yeah... No one.

Bill Arlofski
Reverse Polarity, LLC

To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch