<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Shorewall and UPnP</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id257523"></a>Shorewall and UPnP</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2005 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id292634"></a><p>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation
License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#UPnP">UPnP</a></span></dt><dt><span class="section"><a href="#linux-igd">linux-igd Configuration</a></span></dt><dt><span class="section"><a href="#Shorewall">Shorewall Configuration</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="UPnP"></a>UPnP</h2></div></div></div><p>In Shorewall 2.2.4, support was added for UPnP (Universal Plug and
Play) using linux-igd (<a class="ulink" href="http://linux-igd.sourceforge.net" target="_self">http://linux-igd.sourceforge.net</a>).
UPnP is required by a number of popular applications including MSN
IM.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>From a security architecture viewpoint, UPnP is a disaster. It
assumes that:</p><div class="orderedlist"><ol type="a"><li><p>All local systems and their users are completely
trustworthy.</p></li><li><p>No local system is infected with any worm or trojan.</p></li></ol></div><p>If either of these assumptions are not true then UPnP can be used
to totally defeat your firewall and to allow incoming connections to
arbitrary local systems on any port whatsoever. In short: USE
UPnP<span class="emphasis"><em> </em></span> <span class="bold"><strong>AT YOUR OWN
RISK.</strong></span></p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>The linux-igd project was inactive for a long time and has just
been resurrected. I haven't tried to build using the current code (as of
2006-07-22) but the last time I did, I found that building and
installing linux-igd was not for the faint of heart. You must download
the source from CVS and I had to do quite a bit of fiddling with the
include files from libupnp (which is required to build and/or run
linux-igd).</p></div><p></p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="linux-igd"></a>linux-igd Configuration</h2></div></div></div><p>In /etc/upnpd.conf, you will want:</p><pre class="programlisting">insert_forward_rules = yes
prerouting_chain_name = UPnP
forward_chain_name = forwardUPnP</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Shorewall"></a>Shorewall Configuration</h2></div></div></div><p>In <code class="filename">/etc/shorewall/interfaces</code>, you need the
'upnp' option on your external interface.</p><p>Example:</p><pre class="programlisting">#ZONE INTERFACE BROADCAST OPTIONS
net eth1 detect dhcp,routefilter,norfc1918,tcpflags,<span class="bold"><strong>upnp</strong></span></pre><p>If your fw->loc policy is not ACCEPT then you need this
rule:</p><pre class="programlisting">#ACTION SOURCE DEST
allowoutUPnP $FW loc</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>To use 'allowoutUPnP', your iptables and kernel must support the
'owner match' feature (see the output of "shorewall show capabilities")
and you may not be running kernel version 2.6.14 or later. If you are
running 2.6.14 or later, then replace the above rule with:</p></div><div class="blockquote"><blockquote class="blockquote"><pre class="programlisting">#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL RATE USER/
# PORT(S) DESTINATION LIMIT GROUP
ACCEPT $FW loc all - - - - root</pre></blockquote></div><p>If your loc->fw policy is not ACCEPT then you need this
rule:</p><pre class="programlisting">#ACTION SOURCE DEST
allowinUPnP loc $FW</pre><p>You MUST have this rule:</p><pre class="programlisting">#ACTION SOURCE DEST
forwardUPnP net loc</pre><p>You must also ensure that you have a route to 224.0.0.0/4 on your
internal (local) interface as described in the linux-igd
documentation.</p></div></div></body></html>
