Firewall Wizards mailing list archives

Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP?


From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 1 Jun 2005 19:01:31 +1000 (EST)

On May 30, 2005, at 10:31 PM, Darren Reed wrote:
Is the NAT in PF UPnP enabled??

or could someone tell me how I can accomplish this with OpenBSD.

The only free, unix-based, UPnP implementation is for Linux and iptables, so your solution is to wipe OpenBSD and install Linux.

When it comes to things like UPnP, there are a lot of luddites in the *BSD community.  Others of us, who have benefited from it and understand why it is useful, just don't have time.

An odd set of comments to make.  I understand why UPnP is useful, and it is a fine thing for your LAN at home or maybe a tiny business which can't afford anyone to actually manage the network, but the people on this list ought to have some concern about security, too.

Not really an odd set of comments, go ask on an openbsd or pf mailing
list if someone has developed a UPnP server yet and see how many abusive
replies you get back about it being insecure, etc.  Luddites.

I don't see how permitting arbitrary services to go through can be a good idea from that standpoint, any more than permitting arbitrary RPC through is a good idea....

Do you let ssh through a firewall?

If you let that through, with tunnelling, you may as well be letting
through arbitrary services.

If you're letting HTTP through a firewall, you're letting RPC through
(remember SOAP?)


To the OP: why are you trying to do UPnP through a firewall?  Why can't you put the devices which are permitted/expected to talk to each other with that kind of freedom on the same subnet?

Ugh.
You make it sound like you really don't understand UPnP or what
he wants to do at all.  UPnP is a firewall to host protocol/service,
generally NOT something that goes through it.

It's most often used by services running on an internal host that want
to have someone connect in, but can't because of NAT.

Personally, I'd prefer to be able to configure a UPnP server than just
open random ports, permanently on my firewall, wouldn't you?

Would you rather have a static configuration for bittorrent that always
redirected port 6881-6889 (and had them open, regardless of whether or
not your client was running) or configure a piece of software to open
those ports, as required by the application?

People seem to think "oh no, devices can control the firewall and make
it open everything!" - bah, that's just an implementation detail.

Anyway, I could go on but I gotta run...

Darren
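To make the contrast Darren draws concrete on OpenBSD PF, here is an added shell example (not from the thread and not part of any UPnP implementation): a permanent rdr for the bittorrent range beside a mapping that is loaded into a PF anchor only while the application runs. The interface em0, the internal host 192.168.1.10, the anchor name "ondemand" and the OpenBSD 4.7+ `match ... rdr-to` syntax are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values (hypothetical):
# external interface em0, internal host 192.168.1.10, anchor "ondemand".
EXT_IF=em0
LAN_HOST=192.168.1.10
ANCHOR=ondemand

# Option 1: a permanent redirect in /etc/pf.conf. The range is reachable
# from outside whether or not the client is running.
static_rule() {
    echo "match in on $EXT_IF proto tcp from any to ($EXT_IF) port 6881:6889 rdr-to $LAN_HOST"
    echo "pass in on $EXT_IF proto tcp from any to $LAN_HOST port 6881:6889"
}

# Option 2: /etc/pf.conf only declares an empty anchor; nothing is open
# until rules are loaded into it.
anchor_decl() {
    echo "anchor \"$ANCHOR\""
}

# Build the rules for one application mapping. Only a plain port or a
# low:high range is accepted, so a caller cannot smuggle extra rule text
# into the ruleset (this is the check a UPnP daemon must also make).
dynamic_rules() {
    # $1 = proto (tcp|udp), $2 = port or low:high, $3 = internal host
    case "$1" in tcp|udp) ;; *) echo "bad proto: $1" >&2; return 1 ;; esac
    case "$2" in
        *[!0-9:]*|"") echo "bad port spec: $2" >&2; return 1 ;;
    esac
    echo "match in on $EXT_IF proto $1 from any to ($EXT_IF) port $2 rdr-to $3"
    echo "pass in on $EXT_IF proto $1 from any to $3 port $2"
}

# Load the mapping into the anchor, run the client, then flush the anchor
# so the exposure lasts exactly as long as the application does.
open_while_running() {
    # $1 = proto, $2 = ports, $3 = host, remaining args = client command
    proto=$1; ports=$2; host=$3; shift 3
    dynamic_rules "$proto" "$ports" "$host" | pfctl -a "$ANCHOR" -f - || return 1
    "$@"
    pfctl -a "$ANCHOR" -F rules
}

# Usage: open_while_running tcp 6881:6889 192.168.1.10 /usr/local/bin/btclient
```

`pfctl -a ondemand -sr` shows what is currently loaded in the anchor, which is the audit point a permanent rdr never gives you.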
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
