| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision |
| docs:guide-user:firewall:upnp:miniupnpd [2019/09/12 21:25] – tmomas | docs:guide-user:firewall:upnp:miniupnpd [2024/09/03 21:51] – [NAT-PMP/PCP] copied from upnp_setup page stokito |
|---|
| |
| ====== miniupnpd ====== | ====== miniupnpd ====== |
| Mini UPnPd is a lightweight implementation of a UPnP IGD daemon. More info at http://miniupnp.free.fr | MiniUPnPd is a lightweight implementation of a UPnP IGD daemon. More info at http://miniupnp.free.fr |
| |
| See also [[docs:user-guide:services:minidlna]] and [[docs:user-guide:services:upnp]] | See also [[docs:user-guide:services:minidlna]] and [[docs:user-guide:services:upnp]] |
| |
| ===== after r25955 2011/03/08 ===== | ===== Default ===== |
| ==== Default ==== | |
| |
| | '' | <code> |
| config upnpd config | config upnpd config |
| option enable_natpmp 1 | option enable_natpmp 1 |
| option int_addr 0.0.0.0/0 | option int_addr 0.0.0.0/0 |
| option int_ports 0:65535 | option int_ports 0:65535 |
| '' | | </code> |
| |
| ==== config upnpd 'config' ==== | ===== config upnpd 'config' ===== |
| ^ Name ^ Type ^ Required ^ Default ^ Description ^ | ^ Name ^ Type ^ Required ^ Default ^ Description ^ |
| | ''clean_ruleset_threshold'' | integer | no | //(none)// | Minimum number of redirections before clearing rules table of old (active) redirections. Code default is 20. | | | ''clean_ruleset_threshold'' | integer | no | //(none)// | Minimum number of redirections before clearing rules table of old (active) redirections. Code default is 20. | |
| | ''config_file'' | string | no | //(none)// | Use the specified configuration file if present. If specified the uci options are not used, except that external_iface determines the iptables table used. | | | ''config_file'' | string | no | //(none)// | Use the specified configuration file if present. If specified the uci options are not used, except that external_iface determines the iptables table used. | |
| | ''download'' | integer | no | //(none)// | Bandwidth available for traffic coming in from the external interface in kilobytes per second. Note that this only information given to clients, it doesn't control the speed. | | | ''download'' | integer | no | //(none)// | Bandwidth available for traffic coming in from the external interface in kilobytes per second. Note that this only information given to clients, it doesn't control the speed. | |
| | ''enable_natpmp'' | boolean | no | ''1'' | Enable NAT-PMP. | | | ''upload'' | integer | no | //(none)// | Bandwidth available for traffic out the external interface in kilobytes per second. Note that this only information given to clients, it doesn't control the speed. | |
| | | ''enable_natpmp'' | boolean | no | ''1'' | Enable NAT-[[https://tools.ietf.org/html/rfc6886|PMP]] and [[https://tools.ietf.org/html/rfc6887|PCP]]. | |
| | ''enable_upnp'' | boolean | no | ''1'' | Enable UPnP. | | | ''enable_upnp'' | boolean | no | ''1'' | Enable UPnP. | |
| | ''external_iface'' | string | no | ''wan'' | External interface (wan) | | | ''external_iface'' | string | no | //(auto)// | External interface. The default is to autodetect the first interface with a default route, which usually is ''wan''. | |
| | ''external_ip'' | ipv4addr | no | //(none)// | Manually specified external IP - if not specified the default ipv4 address of the external interface is used.| | | ''external_iface6'' | string | no | //(auto)// | External ipv6 interface. The default is to autodetect the first interface with a default route, which usually is ''wan6''. | |
| | | ''external_ip'' | ipv4addr | no | //(none)// | Manually specified external IP - if not specified the default ipv4 address of the external interface is used. Conflicts with ''use_stun'' option. | |
| |''internal_iface'' | string | no | ''lan'' | Space separated list of internal interfaces (lans) | | |''internal_iface'' | string | no | ''lan'' | Space separated list of internal interfaces (lans) | |
| | ''log_output'' | boolean | no | ''0'' | Log messages normally sent to stderr/out to syslog. | | | ''log_output'' | boolean | no | ''0'' | Log messages normally sent to stderr/out to syslog. | |
| | ''secure_mode'' | boolean | no | ''1'' | Secure mode; client can only redirect an incoming port to the client itself (same IP as the request comes from). | | | ''secure_mode'' | boolean | no | ''1'' | Secure mode; client can only redirect an incoming port to the client itself (same IP as the request comes from). | |
| | ''serial_number'' | string | no | //(none)// | Specify serial number for XML Root Desc. | | | ''serial_number'' | string | no | //(none)// | Specify serial number for XML Root Desc. | |
| | ''upload'' | integer | no | //(none)// | Bandwidth available for traffic out the external interface in kilobytes per second. Note that this only information given to clients, it doesn't control the speed. | | | ''use_stun'' | boolean | no | ''0'' | Use the STUN server to resolve an external IP. Conflicts with ''external_ip'' option. | |
| | | ''stun_host'' | string | no | //(none)// | The STUN server to use e.g. ''stun.cloudflare.com'' or ''stun2.l.google.com''. | |
| | | ''stun_port'' | integer | no | ''3478'' | The STUN server port. | |
| | ''upnp_lease_file'' | string | no | //(none)// | Store active UPnP redirects in a lease file (specified), like DHCP leases. | | | ''upnp_lease_file'' | string | no | //(none)// | Store active UPnP redirects in a lease file (specified), like DHCP leases. | |
| | ''system_uptime'' | boolean | no | ''1'' | Use system uptime as UPnP uptime instead of miniupnpd daemon uptime. | | | ''system_uptime'' | boolean | no | ''1'' | Use system uptime as UPnP uptime instead of miniupnpd daemon uptime. | |
| | ''uuid'' | string | no | //UUID autogenerated on first launch of miniupnpd// | UUID for UPnP IGD. If none specified one will be autogenerated and added to the config file. 'nocli' means a non-unique UUID from the code will be used (previous default behaviour). | | | ''uuid'' | string | no | //UUID autogenerated on first launch of miniupnpd// | UUID for UPnP IGD. If none specified one will be autogenerated and added to the config file. 'nocli' means a non-unique UUID from the code will be used (previous default behaviour). | |
| |
| ==== config 'perm_rule' ==== | ===== config 'perm_rule' ===== |
| |
| These rules define what holes may be opened by UPnP or NAT-PMP clients on the internal interfaces. Note that if secure_mode is set above, then a client may only open a hole to itself (the same IP as it makes the UPnP request from). Rules are applied in the order they appear in the configuration file (so the above deny rule before anything else will block all UPnP actions). | These rules define what holes may be opened by UPnP or NAT-PMP clients on the internal interfaces. Note that if secure_mode is set above, then a client may only open a hole to itself (the same IP as it makes the UPnP request from). Rules are applied in the order they appear in the configuration file (so the above deny rule before anything else will block all UPnP actions). |
| | ''int_ports'' | portrange | no | ''0-65535'' | Range of ports on the internal side (destination) for this rule. Can be x, x-y, or x:y. | | | ''int_ports'' | portrange | no | ''0-65535'' | Range of ports on the internal side (destination) for this rule. Can be x, x-y, or x:y. | |
| |
| ===== prior to r25887 2011/03/06 ===== | |
| ==== Default ==== | |
| |
| | '' | ===== NAT-PMP/PCP ===== |
| config upnpd config | |
| option enable 0 | |
| option enable_natpmp 1 | |
| option secure_mode 1 | |
| option log_output 0 | |
| option download 1024 | |
| option upload 512 | |
| option external_iface wan | |
| option internal_iface lan | |
| '' | | |
| |
| ==== config upnpd 'config' ==== | To enable NAT-PMP and disable the UPnP edit the ''/etc/config/upnpd'' file: |
| ^ Name ^ Type ^ Required ^ Default ^ Description ^ | |
| | ''download'' | integer | no | //(none)// | Bandwidth available for traffic coming in from the external interface in kilobytes per second. | | <code> |
| | ''enabled'' | boolean | no | ''0'' | MiniUPnPd is will be started when launched by the init script. | | option 'enable_natpmp' '1' |
| | ''external_iface'' | string | no | ''wan'' | External interface (wan) | | option 'enable_upnp' '0' |
| |''internal_iface'' | string | no | ''lan'' | Space separated list of internal interfaces (lans) | | </code> |
| | ''log_output'' | boolean | no | ''0'' | Log messages normally sent to stderr/out to syslog. | | |
| | ''secure_mode'' | boolean | no | ''0'' | Secure mode; client can only redirect an incoming port to the client itself (same IP as the request comes from). | | |
| | ''upload'' | integer | no | //(none)// | Bandwidth available for traffic out the external interface in kilobytes per second. | | Or you can do this with following command: |
| | |
| | <code> |
| | uci set upnpd.config.enable_natpmp=1 |
| | uci set upnpd.config.enable_upnp=0 |
| | /etc/init.d/miniupnpd restart |
| | </code> |
| |
| ===== Notes ===== | ===== Notes ===== |
| after installing and enabling, dont forget to restart the firewall. | After installing and enabling, do not forget to restart the firewall. |
| |
| ===== Security ===== | ===== Security ===== |
| CAUTION: mixing up WAN and LAN interfaces may introduce [[https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities|security risks]]! See also [[https://www.kb.cert.org/vuls/id/184540|Incorrect implementation of NAT-PMP in multiple devices]]. | CAUTION: mixing up WAN and LAN interfaces may introduce [[https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities|security risks]]! See also [[https://www.kb.cert.org/vuls/id/184540|Incorrect implementation of NAT-PMP in multiple devices]]. |
| |
| Some versions of the MiniUPnP library is vulnerable to remote code execution ([[http://www.cvedetails.com/cve/CVE-2013-0230|CVE-2013-0230]]). You can check your device with Metasploit: | |
| <code>msfconsole | |
| msf> | |
| msf > use auxiliary/scanner/upnp/ssdp_msearch | |
| msf auxiliary(ssdp_msearch) > set RHOSTS 192.168.0.0/24 | |
| msf auxiliary(ssdp_msearch) > run | |
| </code> | |
| See something like | |
| <code> | |
| [*] 192.168.0.9:1900 SSDP Net-OS 5.xx UPnP/1.0 | 192.168.0.9:3278/etc/linuxigd/gatedesc.xml | |
| [+] 192.168.0.254:1900 SSDP miniupnpd/1.0 UPnP/1.0 | vulns:2 (CVE-2013-0229, CVE-2013-0230) | |
| </code> | |
| |