docs:guide-user:firewall:miniupnpd [2018/03/04 13:03] – ↷ Page moved from docs:guide-user:services:firewall:miniupnpd to docs:guide-user:firewall:miniupnpd bobafetthotmail
docs:guide-user:firewall:upnp:miniupnpd [2024/09/03 21:51] – [NAT-PMP/PCP] copied from upnp_setup page stokito
Line 1: Line 1:
 {{page>meta:infobox:wip&noheader&nofooter&noeditbtn}} {{page>meta:infobox:wip&noheader&nofooter&noeditbtn}}
 +
 ====== miniupnpd ====== ====== miniupnpd ======
 +MiniUPnPd is a lightweight implementation of a UPnP IGD daemon. More info at http://miniupnp.free.fr
  
-<WRAP alert> +See also [[docs:user-guide:services:minidlna]] and [[docs:user-guide:services:upnp]]
-  * **<color #960000>Please be aware, UPnP on WAN facing devices is a //__massive security risk__// and is not recommended fort utilization</color>** +
-    * Please take the time, figure out what devices need port redirects (most do not), and manually configure [[docs:guide-user:firewall:port.forwarding|firewall redirect rules]]+
-      * Specific ports for devices/services which need redirects can either be found on the device’s/service’s website or [[https://portforward.com|PortForward.com]]+
  
-  * [[https://security.stackexchange.com/questions/38631/what-are-the-security-implications-of-enabling-upnp-in-my-home-router/38661#38661|What are the security implications of enabling UPnP in my home router?]] +===== Default =====
-    * //Other such explanations can be found via any search engine// +
-</WRAP>+
  
-  * Mini UPnPd is a lightweight implementation of a UPnP IGD daemon. More info at http://miniupnp.free.fr +<code>
-    * See also [[docs:guide-user:services:media_server:minidlna]] and [[docs:guide-user:services:firewall:upnp]] +
- +
-===== after r25955 2011/03/08 ===== +
-==== Default ==== +
- +
-| ''+
 config upnpd config config upnpd config
         option enable_natpmp  1         option enable_natpmp  1
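Review bot: the new revision deletes the entire WRAP alert (from "Please be aware, UPnP on WAN facing devices is a massive security risk" through the security.stackexchange link and the advice to configure [[docs:guide-user:firewall:port.forwarding|firewall redirect rules]] by hand) and replaces it with a one-line intro, so the page now opens with no statement at all that enabling the daemon lets any client on the internal interfaces request inbound port redirects; the only caution left is the WAN/LAN mix-up note at the bottom. Suggest keeping one sentence of that warning in the intro and moving the stackexchange link into the Security section rather than dropping it. Separately, the new "See also" line links ''docs:user-guide:services:minidlna'' and ''docs:user-guide:services:upnp'', but this page itself lives under ''docs:guide-user:'' (see the revision header) and the old links used ''docs:guide-user:services:media_server:minidlna'' and ''docs:guide-user:services:firewall:upnp'', so the ''user-guide'' namespace looks like a transposition; verify both targets before merging.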
Line 32: Line 23:
         option int_addr  0.0.0.0/0         option int_addr  0.0.0.0/0
         option int_ports 0:65535         option int_ports 0:65535
-'' |+</code>
  
-==== config upnpd 'config' ====+===== config upnpd 'config' =====
 ^ Name ^ Type ^ Required ^ Default ^ Description ^ ^ Name ^ Type ^ Required ^ Default ^ Description ^
 | ''clean_ruleset_threshold'' | integer | no | //(none)// | Minimum number of redirections before clearing rules table of old (active) redirections.  Code default is 20. | | ''clean_ruleset_threshold'' | integer | no | //(none)// | Minimum number of redirections before clearing rules table of old (active) redirections.  Code default is 20. |
Line 40: Line 31:
 | ''config_file'' | string | no | //(none)// | Use the specified configuration file if present.  If specified the uci options are not used, except that external_iface determines the iptables table used. | | ''config_file'' | string | no | //(none)// | Use the specified configuration file if present.  If specified the uci options are not used, except that external_iface determines the iptables table used. |
 | ''download'' | integer | no | //(none)// | Bandwidth available for traffic coming in from the external interface in kilobytes per second.  Note that this only information given to clients, it doesn't control the speed. |   | ''download'' | integer | no | //(none)// | Bandwidth available for traffic coming in from the external interface in kilobytes per second.  Note that this only information given to clients, it doesn't control the speed. |  
-| ''enable_natpmp'' | boolean | no | ''1'' | Enable NAT-PMP. |+| ''upload'' | integer | no | //(none)// | Bandwidth available for traffic out the external interface in kilobytes per second. Note that this only information given to clients, it doesn't control the speed. | 
 +| ''enable_natpmp'' | boolean | no | ''1'' | Enable NAT-[[https://tools.ietf.org/html/rfc6886|PMP]] and [[https://tools.ietf.org/html/rfc6887|PCP]]. |
 | ''enable_upnp'' | boolean | no | ''1'' | Enable UPnP. | | ''enable_upnp'' | boolean | no | ''1'' | Enable UPnP. |
-| ''external_iface'' | string | no | ''wan''External interface (wan) | +| ''external_iface'' | string | no | //(auto)// | External interface. The default is to autodetect the first interface with a default route, which usually is ''wan''| 
-| ''external_ip'' | ipv4addr | no | //(none)// | Manually specified external IP - if not specified the default ipv4 address of the external interface is used.|+| ''external_iface6'' | string | no | //(auto)// | External ipv6 interface. The default is to autodetect the first interface with a default route, which usually is ''wan6''
 +| ''external_ip'' | ipv4addr | no | //(none)// | Manually specified external IP - if not specified the default ipv4 address of the external interface is used. Conflicts with ''use_stun'' option. |
 |''internal_iface'' | string | no | ''lan'' | Space separated list of internal interfaces (lans) | |''internal_iface'' | string | no | ''lan'' | Space separated list of internal interfaces (lans) |
 | ''log_output'' | boolean | no | ''0'' | Log messages normally sent to stderr/out to syslog. | | ''log_output'' | boolean | no | ''0'' | Log messages normally sent to stderr/out to syslog. |
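Review bot: the ''external_iface'' default changing to //(auto)// ("autodetect the first interface with a default route") deserves a cross-reference to the Security section's CAUTION about mixing up WAN and LAN interfaces: on a multi-WAN box, or one whose default route is not on ''wan'', autodetection binds the UPnP "external" side to whatever interface happens to carry the route, so this row should recommend setting ''external_iface'' (and ''external_iface6'') explicitly on anything other than a plain single-WAN router. Smaller points in the same hunk: the ''upload'' row moved up beside ''download'' still carries the old wording "Note that this only information given to clients" (missing "is", in both rows); and the new ''external_iface6'' row ends at ''wan6'' without the closing cell delimiter that the ''external_iface'' row directly above it has, so its cell layout should be checked.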
Line 52: Line 45:
 | ''secure_mode'' | boolean | no | ''1'' | Secure mode; client can only redirect an incoming port to the client itself (same IP as the request comes from). | | ''secure_mode'' | boolean | no | ''1'' | Secure mode; client can only redirect an incoming port to the client itself (same IP as the request comes from). |
 | ''serial_number'' | string | no | //(none)// | Specify serial number for XML Root Desc. | | ''serial_number'' | string | no | //(none)// | Specify serial number for XML Root Desc. |
-| ''upload''integer | no | //(none)// | Bandwidth available for traffic out the external interface in kilobytes per second. Note that this only information given to clients, it doesn't control the speed. |+| ''use_stun''boolean | no | ''0'' | Use the STUN server to resolve an external IP.  Conflicts with ''external_ip'' option. | 
 +| ''stun_host'' | string | no | //(none)// | The STUN server to use e.g. ''stun.cloudflare.com'' or ''stun2.l.google.com''. | 
 +| ''stun_port'' | integer | no | ''3478'' | The STUN server port. |
 | ''upnp_lease_file'' | string | no | //(none)// | Store active UPnP redirects in a lease file (specified), like DHCP leases. | | ''upnp_lease_file'' | string | no | //(none)// | Store active UPnP redirects in a lease file (specified), like DHCP leases. |
 | ''system_uptime'' | boolean | no | ''1'' | Use system uptime as UPnP uptime instead of miniupnpd daemon uptime. | | ''system_uptime'' | boolean | no | ''1'' | Use system uptime as UPnP uptime instead of miniupnpd daemon uptime. |
 | ''uuid'' | string | no | //UUID autogenerated on first launch of miniupnpd// | UUID for UPnP IGD.  If none specified one will be autogenerated and added to the config file.  'nocli' means a non-unique UUID from the code will be used (previous default behaviour). | | ''uuid'' | string | no | //UUID autogenerated on first launch of miniupnpd// | UUID for UPnP IGD.  If none specified one will be autogenerated and added to the config file.  'nocli' means a non-unique UUID from the code will be used (previous default behaviour). |
  
-==== config 'perm_rule' ====+===== config 'perm_rule' =====
  
 These rules define what holes may be opened by UPnP or NAT-PMP clients on the internal interfaces.  Note that if secure_mode is set above, then a client may only open a hole to itself (the same IP as it makes the UPnP request from).  Rules are applied in the order they appear in the configuration file (so the above deny rule before anything else will block all UPnP actions). These rules define what holes may be opened by UPnP or NAT-PMP clients on the internal interfaces.  Note that if secure_mode is set above, then a client may only open a hole to itself (the same IP as it makes the UPnP request from).  Rules are applied in the order they appear in the configuration file (so the above deny rule before anything else will block all UPnP actions).
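Review bot: the three new STUN rows leave unstated what a reader setting ''use_stun'' to ''1'' needs to know: what happens when ''use_stun'' is ''1'' but ''stun_host'' is left at //(none)//, and that resolving the external IP this way means the router itself sends a request to a third-party server (the examples given are ''stun.cloudflare.com'' and ''stun2.l.google.com''), which only matters when the address on the WAN interface is not the public one. Suggest one sentence in the ''use_stun'' description saying when it is needed and that ''stun_host'' must be set alongside it, plus a comma after "to use" in the ''stun_host'' description. The matching "Conflicts with" notes in the ''external_ip'' and ''use_stun'' rows are a good addition.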
Line 67: Line 62:
 | ''int_ports'' | portrange | no | ''0-65535'' | Range of ports on the internal side (destination) for this rule.  Can be x, x-y, or x:y. | | ''int_ports'' | portrange | no | ''0-65535'' | Range of ports on the internal side (destination) for this rule.  Can be x, x-y, or x:y. |
  
-===== prior to  r25887 2011/03/06 ===== 
-==== Default ==== 
  
-| '' +===== NAT-PMP/PCP =====
-config upnpd config +
-        option enable         0 +
-        option enable_natpmp +
-        option secure_mode    1 +
-        option log_output     0 +
-        option download       1024 +
-        option upload         512 +
-        option external_iface wan +
-        option internal_iface lan +
-'' |+
  
-==== config upnpd 'config==== +To enable NAT-PMP and disable the UPnP edit the ''/etc/config/upnpd'' file: 
-^ Name ^ Type ^ Required ^ Default ^ Description ^ + 
-| ''download'' | integer | no | //(none)// | Bandwidth available for traffic coming in from the external interface in kilobytes per second. |   +<code> 
-''enabled'' | boolean | no | ''0'' | MiniUPnPd is will be started when launched by the init script. | +        option 'enable_natpmp' '1
-| ''external_iface'' | string | no | ''wan'' | External interface (wan) | +        option 'enable_upnp' '0' 
-|''internal_iface'' | string | no | ''lan'' | Space separated list of internal interfaces (lans) | +</code> 
-''log_output'' | boolean | no | ''0'' | Log messages normally sent to stderr/out to syslog. | + 
-| ''secure_mode'' | boolean | no | ''0'' | Secure mode; client can only redirect an incoming port to the client itself (same IP as the request comes from)| + 
-| ''upload'' | integer | no | //(none)// | Bandwidth available for traffic out the external interface in kilobytes per second. |+Or you can do this with following command: 
 + 
 +<code> 
 +uci set upnpd.config.enable_natpmp=1 
 +uci set upnpd.config.enable_upnp=0 
 +/etc/init.d/miniupnpd restart 
 +</code>
  
 ===== Notes ===== ===== Notes =====
-after installing and enabling, dont forget to restart the firewall.+After installing and enabling, do not forget to restart the firewall. 
  
 ===== Security ===== ===== Security =====
 CAUTION: mixing up WAN and LAN interfaces may introduce [[https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities|security risks]]! See also [[https://www.kb.cert.org/vuls/id/184540|Incorrect implementation of NAT-PMP in multiple devices]]. CAUTION: mixing up WAN and LAN interfaces may introduce [[https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities|security risks]]! See also [[https://www.kb.cert.org/vuls/id/184540|Incorrect implementation of NAT-PMP in multiple devices]].
  
-Some versions of the MiniUPnP library is vulnerable to remote code execution ([[http://www.cvedetails.com/cve/CVE-2013-0230|CVE-2013-0230]]). You can check your device with Metasploit: 
-<code>msfconsole 
-msf> 
-msf > use auxiliary/scanner/upnp/ssdp_msearch 
-msf auxiliary(ssdp_msearch) > set RHOSTS 192.168.0.0/24 
-msf auxiliary(ssdp_msearch) > run 
-</code> 
-See something like 
-<code> 
-[*] 192.168.0.9:1900 SSDP Net-OS 5.xx UPnP/1.0 | 192.168.0.9:3278/etc/linuxigd/gatedesc.xml 
-[+] 192.168.0.254:1900 SSDP miniupnpd/1.0 UPnP/1.0 | vulns:2 (CVE-2013-0229, CVE-2013-0230) 
-</code> 
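Review bot: the new NAT-PMP/PCP snippet shows two indented ''option'' lines with no enclosing ''config upnpd 'config''' stanza, so a reader who pastes it at the end of ''/etc/config/upnpd'' ends up with options outside any section; either show the full stanza (the Default block above already has the header) or state that the lines go under the existing ''config upnpd 'config''' section. As rendered here, the first line (''option 'enable_natpmp' '1'') also appears to be missing its closing quote; verify in the source. The uci variant runs ''uci set'' twice and then ''/etc/init.d/miniupnpd restart'' without ''uci commit upnpd'', so nothing is written to ''/etc/config/upnpd'' and the change is gone after the next reboot; add ''uci commit upnpd'' before the restart. Finally, this hunk deletes the only mention of CVE-2013-0229/CVE-2013-0230 (remote code execution in older MiniUPnP versions); whether or not the Metasploit scan walkthrough stays, the Security section should keep a one-line pointer that older MiniUPnP releases had these RCE CVEs and that the package must be kept current, otherwise that section now covers only the NAT-PMP interface mix-up.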
  • Last modified: 2024/09/04 14:32
  • by stokito