 From:  "Paul Taylor" <PaulTaylor at winn dash dixie dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Future plans after 1.3?
 Date:  Fri, 4 Dec 2009 10:47:41 -0500
Unfortunately, there are a few apps out there that require UPnP to work
properly.  I can't remember the specifics, but I think there are
features of iChat that only work well when it is enabled.  (Video
related, if memory serves me correctly)  There have been a couple other
apps I've run across over the last few years, but I can't recall them
right now.

The problem with forwarding the required ports to an internal IP is that
the apps that require UPnP usually have a range of ports that you'd need
to forward.  So, if you only need the app to work on the one machine,
you might be able to forward all incoming traffic for that range of
ports to that machine and it would probably work.  If you need it on
multiple machines and there's no way to specify which ports it will use,
what then?  Plus, this approach means you have a whole range of ports
that you are opening up from the internet to a specific internal

I used pfSense back a year or two ago and really liked their
implementation of UPnP.  I believe it was disabled completely by
default, and when you enable it, you could specify individual machines
or networks to allow UPnP with.  Better than that, you could even
specify which ranges of ports the machines could perform UPnP with, so
if you know an app uses ports 5000-5500, you could let your machines use
UPnP in that range, and it wouldn't let some virus or malware open up
ports outside that range.  I even believe you could specify different
port ranges for different machines.  

Of course, then my boss gave me a CheckPoint Safe@Office.  It even does
802.1X for wireless clients without a radius server, plus L2TP VPN.  It
doesn't do UPnP, though, so I still have issues with apps that require
it.  The included subscription just ran out though, and so far they
aren't jumping to renew it for free, so I might have to come up with
some other firewall before long.  
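The per-host, per-port-range UPnP policy described above (allow a machine to map only 5000-5500, let a virus map nothing outside it) is what a miniupnpd-style permission list expresses.  The following is an added example written for this page, not code from m0n0wall, pfSense or miniupnpd: it parses rules in the `(allow|deny) <ext range> <ip/mask> <int range>` syntax that miniupnpd documents, evaluates a mapping request first-match-wins, and checks that the list ends with a catch-all deny.  It assumes (as miniupnpd's sample config implies) that a request matching no rule is accepted by default, which is exactly why the trailing deny matters; the host addresses and the second port range are constructed for the example.

```python
"""Evaluate miniupnpd-style UPnP permission rules, first match wins.

Added example, not code from m0n0wall, pfSense or miniupnpd.
Rule syntax (as documented for miniupnpd):

    (allow|deny) <ext port range> <ip/mask> <int port range>

Assumption: a request that matches no rule is accepted (default_allow),
which is why the sample config ends with a catch-all deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    ext_ports: Tuple[int, int]      # external (WAN) port range, inclusive
    network: ipaddress.IPv4Network  # LAN hosts the rule applies to
    int_ports: Tuple[int, int]      # internal (LAN) port range, inclusive


def _parse_range(text: str) -> Tuple[int, int]:
    """'5000-5500' -> (5000, 5500); a bare '5000' -> (5000, 5000)."""
    lo, _, hi = text.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return lo_i, hi_i


def parse_rules(config: str) -> List[Rule]:
    """Parse a rule list; '#' starts a comment, blank lines are ignored."""
    rules = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"bad rule: {raw!r}")
        rules.append(Rule(parts[0], _parse_range(parts[1]),
                          ipaddress.ip_network(parts[2], strict=False),
                          _parse_range(parts[3])))
    return rules


def mapping_allowed(rules: List[Rule], client_ip: str, ext_port: int,
                    int_port: int, default_allow: bool = True) -> bool:
    """Decide a request from client_ip to map ext_port -> int_port.

    Rules are checked in order; the first one whose host, external range
    and internal range all match decides.  No match -> default_allow.
    """
    addr = ipaddress.ip_address(client_ip)
    for r in rules:
        if (addr in r.network
                and r.ext_ports[0] <= ext_port <= r.ext_ports[1]
                and r.int_ports[0] <= int_port <= r.int_ports[1]):
            return r.action == "allow"
    return default_allow


def has_catch_all_deny(rules: List[Rule]) -> bool:
    """True when the last rule denies every host and every port."""
    if not rules:
        return False
    last = rules[-1]
    return (last.action == "deny"
            and last.network.prefixlen == 0
            and last.ext_ports == (0, 65535)
            and last.int_ports == (0, 65535))


# Constructed sample in the spirit of the setup described in the message:
# one machine may map 5000-5500 (the iChat-style range), a second machine
# gets its own smaller range, everything else is denied.  The addresses
# and the second range are made up for this example.
SAMPLE_RULES = """
allow 5000-5500 192.168.1.20/32 5000-5500   # video chat box
allow 3478-3497 192.168.1.21/32 3478-3497   # another machine, own range
deny  0-65535   0.0.0.0/0       0-65535     # catch-all deny
"""

# The same list without the catch-all: under default_allow any host can
# map any port, which is the hole the trailing deny closes.
SAMPLE_RULES_NO_DENY = "\n".join(SAMPLE_RULES.strip().splitlines()[:2])


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for ip, port in [("192.168.1.20", 5100), ("192.168.1.20", 31337),
                     ("192.168.1.21", 5100), ("192.168.1.99", 5100)]:
        verdict = "allow" if mapping_allowed(rules, ip, port, port) else "deny"
        print(f"{ip} wants {port}->{port}: {verdict}")
    print("catch-all deny present:", has_catch_all_deny(rules))
    print("loose list catch-all deny present:",
          has_catch_all_deny(parse_rules(SAMPLE_RULES_NO_DENY)))
```

The check worth keeping from this is `has_catch_all_deny`: a permission list that only contains allow lines looks restrictive but, with a default-accept daemon, restricts nothing at all.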

-----Original Message-----
From: Lee Sharp [mailto:leesharp at hal dash pc dot org] 
Sent: Friday, December 04, 2009 10:08 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Future plans after 1.3?

Many of us will argue that any device with UPnP is NOT a security 
device.  There are more than a few UPnP aware viruses and malware.  It 
is like a gun in the hand of a child.  And I HATE applications that 
"need" it.  Luckily, right now we don't have it, so I actually have to 
do things in the firewall the right way.  I am afraid that if it is 
enabled, I will be forced to do things the wrong way by people who do 
not understand the risk, just because I can.

OpenVPN and load balancing would be nice, however. :)


To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch