Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
docs:guide-user:firewall:upnp:miniupnpd [2018/12/19 12:56] – old revision restored (2018/02/17 21:49) per @tmomas' view jw0914docs:guide-user:firewall:upnp:miniupnpd [2024/09/04 14:32] (current) – [NAT-PMP/PCP] stokito
Line 1: Line 1:
 {{page>meta:infobox:wip&noheader&nofooter&noeditbtn}} {{page>meta:infobox:wip&noheader&nofooter&noeditbtn}}
 +
 ====== miniupnpd ====== ====== miniupnpd ======
-Mini UPnPd is a lightweight implementation of a UPnP IGD daemon. More info at http://miniupnp.free.fr+MiniUPnPd is a lightweight implementation of a UPnP IGD daemon. More info at http://miniupnp.free.fr
  
-See also [[docs:user-guide:services:minidlna]] and [[docs:user-guide:services:upnp]]+See also [[docs:user-guide:services:minidlna]] and [[:docs:guide-user:firewall:upnp:upnp_setup]]
  
-===== after r25955 2011/03/08 ===== +===== Default =====
-==== Default ====+
  
-| ''+<code>
 config upnpd config config upnpd config
         option enable_natpmp  1         option enable_natpmp  1
Line 23: Line 23:
         option int_addr  0.0.0.0/0         option int_addr  0.0.0.0/0
         option int_ports 0:65535         option int_ports 0:65535
-'' |+</code>
  
-==== config upnpd 'config' ====+===== config upnpd 'config' =====
 ^ Name ^ Type ^ Required ^ Default ^ Description ^ ^ Name ^ Type ^ Required ^ Default ^ Description ^
 | ''clean_ruleset_threshold'' | integer | no | //(none)// | Minimum number of redirections before clearing rules table of old (active) redirections.  Code default is 20. | | ''clean_ruleset_threshold'' | integer | no | //(none)// | Minimum number of redirections before clearing rules table of old (active) redirections.  Code default is 20. |
Line 31: Line 31:
 | ''config_file'' | string | no | //(none)// | Use the specified configuration file if present.  If specified the uci options are not used, except that external_iface determines the iptables table used. | | ''config_file'' | string | no | //(none)// | Use the specified configuration file if present.  If specified the uci options are not used, except that external_iface determines the iptables table used. |
 | ''download'' | integer | no | //(none)// | Bandwidth available for traffic coming in from the external interface in kilobytes per second.  Note that this only information given to clients, it doesn't control the speed. |   | ''download'' | integer | no | //(none)// | Bandwidth available for traffic coming in from the external interface in kilobytes per second.  Note that this only information given to clients, it doesn't control the speed. |  
-| ''enable_natpmp'' | boolean | no | ''1'' | Enable NAT-PMP. |+| ''upload'' | integer | no | //(none)// | Bandwidth available for traffic out the external interface in kilobytes per second. Note that this only information given to clients, it doesn't control the speed. | 
 +| ''enable_natpmp'' | boolean | no | ''1'' | Enable NAT-[[https://tools.ietf.org/html/rfc6886|PMP]] and [[https://tools.ietf.org/html/rfc6887|PCP]]. |
 | ''enable_upnp'' | boolean | no | ''1'' | Enable UPnP. | | ''enable_upnp'' | boolean | no | ''1'' | Enable UPnP. |
-| ''external_iface'' | string | no | ''wan''External interface (wan) | +| ''external_iface'' | string | no | //(auto)// | External interface. The default is to autodetect the first interface with a default route, which usually is ''wan''| 
-| ''external_ip'' | ipv4addr | no | //(none)// | Manually specified external IP - if not specified the default ipv4 address of the external interface is used.|+| ''external_iface6'' | string | no | //(auto)// | External ipv6 interface. The default is to autodetect the first interface with a default route, which usually is ''wan6''
 +| ''external_ip'' | ipv4addr | no | //(none)// | Manually specified external IP - if not specified the default ipv4 address of the external interface is used. Conflicts with ''use_stun'' option. |
 |''internal_iface'' | string | no | ''lan'' | Space separated list of internal interfaces (lans) | |''internal_iface'' | string | no | ''lan'' | Space separated list of internal interfaces (lans) |
 | ''log_output'' | boolean | no | ''0'' | Log messages normally sent to stderr/out to syslog. | | ''log_output'' | boolean | no | ''0'' | Log messages normally sent to stderr/out to syslog. |
Line 43: Line 45:
 | ''secure_mode'' | boolean | no | ''1'' | Secure mode; client can only redirect an incoming port to the client itself (same IP as the request comes from). | | ''secure_mode'' | boolean | no | ''1'' | Secure mode; client can only redirect an incoming port to the client itself (same IP as the request comes from). |
 | ''serial_number'' | string | no | //(none)// | Specify serial number for XML Root Desc. | | ''serial_number'' | string | no | //(none)// | Specify serial number for XML Root Desc. |
-| ''upload''integer | no | //(none)// | Bandwidth available for traffic out the external interface in kilobytes per second. Note that this only information given to clients, it doesn't control the speed. |+| ''use_stun''boolean | no | ''0'' | Use the STUN server to resolve an external IP.  Conflicts with ''external_ip'' option. | 
 +| ''stun_host'' | string | no | //(none)// | The STUN server to use e.g. ''stun.cloudflare.com'' or ''stun2.l.google.com''. | 
 +| ''stun_port'' | integer | no | ''3478'' | The STUN server port. |
 | ''upnp_lease_file'' | string | no | //(none)// | Store active UPnP redirects in a lease file (specified), like DHCP leases. | | ''upnp_lease_file'' | string | no | //(none)// | Store active UPnP redirects in a lease file (specified), like DHCP leases. |
 | ''system_uptime'' | boolean | no | ''1'' | Use system uptime as UPnP uptime instead of miniupnpd daemon uptime. | | ''system_uptime'' | boolean | no | ''1'' | Use system uptime as UPnP uptime instead of miniupnpd daemon uptime. |
 | ''uuid'' | string | no | //UUID autogenerated on first launch of miniupnpd// | UUID for UPnP IGD.  If none specified one will be autogenerated and added to the config file.  'nocli' means a non-unique UUID from the code will be used (previous default behaviour). | | ''uuid'' | string | no | //UUID autogenerated on first launch of miniupnpd// | UUID for UPnP IGD.  If none specified one will be autogenerated and added to the config file.  'nocli' means a non-unique UUID from the code will be used (previous default behaviour). |
  
-==== config 'perm_rule' ====+===== config 'perm_rule' =====
  
 These rules define what holes may be opened by UPnP or NAT-PMP clients on the internal interfaces.  Note that if secure_mode is set above, then a client may only open a hole to itself (the same IP as it makes the UPnP request from).  Rules are applied in the order they appear in the configuration file (so the above deny rule before anything else will block all UPnP actions). These rules define what holes may be opened by UPnP or NAT-PMP clients on the internal interfaces.  Note that if secure_mode is set above, then a client may only open a hole to itself (the same IP as it makes the UPnP request from).  Rules are applied in the order they appear in the configuration file (so the above deny rule before anything else will block all UPnP actions).
  
 ^ Name ^ Type ^ Required ^ Default ^ Description ^ ^ Name ^ Type ^ Required ^ Default ^ Description ^
-| ''action'' | string | no | ''deny'' | One of ''allow'' or ''deny'' .  Allow or deny the redirection(s) described by this rule. |+| ''action'' | string | no | ''deny'' | One of ''allow'' or ''deny'' Allow or deny the redirection(s) described by this rule. |
 | ''ext_ports'' | portrange | no | ''0-65535'' | Range of ports on the external side (incoming) for this rule.  Can be x, x-y, or x:y. | | ''ext_ports'' | portrange | no | ''0-65535'' | Range of ports on the external side (incoming) for this rule.  Can be x, x-y, or x:y. |
 | ''int_addr'' | cidr | no | ''0.0.0.0/0'' | CIDR of address or addresses to which the redirection may be directed.   Must be of the form n.n.n.n/n even for single IPs.  Note that doesn't allow redirections that aren't allowed because of secure_mode. | | ''int_addr'' | cidr | no | ''0.0.0.0/0'' | CIDR of address or addresses to which the redirection may be directed.   Must be of the form n.n.n.n/n even for single IPs.  Note that doesn't allow redirections that aren't allowed because of secure_mode. |
 | ''int_ports'' | portrange | no | ''0-65535'' | Range of ports on the internal side (destination) for this rule.  Can be x, x-y, or x:y. | | ''int_ports'' | portrange | no | ''0-65535'' | Range of ports on the internal side (destination) for this rule.  Can be x, x-y, or x:y. |
 +| ''comment'' | string | no | '''' | Comment to show in luci-app-upnp |
  
-===== prior to  r25887 2011/03/06 ===== +===== NAT-PMP/PCP =====
-===Default ====+
  
-'' +To enable NAT-PMP and disable the UPnP edit the ''/etc/config/upnpd'' file:
-config upnpd config +
-        option enable         0 +
-        option enable_natpmp +
-        option secure_mode    1 +
-        option log_output     0 +
-        option download       1024 +
-        option upload         512 +
-        option external_iface wan +
-        option internal_iface lan +
-'' |+
  
-==== config upnpd 'config' ==== +<code> 
-^ Name ^ Type ^ Required ^ Default ^ Description ^ +option 'enable_natpmp' '1
-''download'' | integer | no | //(none)// | Bandwidth available for traffic coming in from the external interface in kilobytes per second. |   +option 'enable_upnp' '0' 
-| ''enabled'| boolean | no | ''0'' | MiniUPnPd is will be started when launched by the init script. | +</code> 
-| ''external_iface'' | string | no | ''wan'' | External interface (wan) | + 
-|''internal_iface'' | string | no | ''lan'' | Space separated list of internal interfaces (lans) | + 
-| ''log_output'' | boolean | no | ''0'' | Log messages normally sent to stderr/out to syslog. | +Or you can do this with following command: 
-| ''secure_mode'' | boolean | no | ''0'' | Secure mode; client can only redirect an incoming port to the client itself (same IP as the request comes from)| + 
-| ''upload'' | integer | no | //(none)// | Bandwidth available for traffic out the external interface in kilobytes per second. |+<code bash> 
 +uci set upnpd.config.enable_natpmp=1 
 +uci set upnpd.config.enable_upnp=0 
 +/etc/init.d/miniupnpd restart 
 +</code>
  
 ===== Notes ===== ===== Notes =====
-after installing and enabling, dont forget to restart the firewall.+After installing and enabling, do not forget to restart the firewall. 
  
 ===== Security ===== ===== Security =====
 CAUTION: mixing up WAN and LAN interfaces may introduce [[https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities|security risks]]! See also [[https://www.kb.cert.org/vuls/id/184540|Incorrect implementation of NAT-PMP in multiple devices]]. CAUTION: mixing up WAN and LAN interfaces may introduce [[https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities|security risks]]! See also [[https://www.kb.cert.org/vuls/id/184540|Incorrect implementation of NAT-PMP in multiple devices]].
  
-Some versions of the MiniUPnP library is vulnerable to remote code execution ([[http://www.cvedetails.com/cve/CVE-2013-0230|CVE-2013-0230]]). You can check your device with Metasploit: 
-<code>msfconsole 
-msf> 
-msf > use auxiliary/scanner/upnp/ssdp_msearch 
-msf auxiliary(ssdp_msearch) > set RHOSTS 192.168.0.0/24 
-msf auxiliary(ssdp_msearch) > run 
-</code> 
-See something like 
-<code> 
-[*] 192.168.0.9:1900 SSDP Net-OS 5.xx UPnP/1.0 | 192.168.0.9:3278/etc/linuxigd/gatedesc.xml 
-[+] 192.168.0.254:1900 SSDP miniupnpd/1.0 UPnP/1.0 | vulns:2 (CVE-2013-0229, CVE-2013-0230) 
-</code> 
  • Last modified: 2018/12/19 12:56
  • by jw0914