"Fossies" - the Fresh Open Source Software Archive

Member "shorewall-docs-html-" (15 Jan 2020, 6694 Bytes) of package /linux/misc/shorewall/shorewall-docs-html-


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Shorewall and UPnP</title><link rel="stylesheet" type="text/css" href="html.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="idm1"></a>Shorewall and UPnP</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2005, 2010, 2013 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="idm14"></a><p>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <span class="quote"><span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
      License</a></span></span>.</p></div></div><div><p class="pubdate">2020/01/15</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#UPnP">UPnP</a></span></dt><dt><span class="section"><a href="#linux-igd">linux-igd Configuration</a></span></dt><dt><span class="section"><a href="#Shorewall">Shorewall Configuration</a></span></dt><dt><span class="section"><a href="#idm62">Shorewall on a UPnP Client</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="UPnP"></a>UPnP</h2></div></div></div><p>Shorewall includes support for UPnP (Universal Plug and Play) using
    linux-igd (<a class="ulink" href="http://linux-igd.sourceforge.net" target="_top">http://linux-igd.sourceforge.net</a>).
    UPnP is required by a number of popular applications including MSN
    IM.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>From a security architecture viewpoint, UPnP is a disaster. It
      assumes that:</p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem"><p>All local systems and their users are completely
          trustworthy.</p></li><li class="listitem"><p>No local system is infected with any worm or trojan.</p></li></ol></div><p>If either of these assumptions is not true then UPnP can be used
      to totally defeat your firewall and to allow incoming connections to
      arbitrary local systems on any port whatsoever. In short: USE UPnP
      <span class="bold"><strong>AT YOUR OWN RISK.</strong></span></p></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Shorewall and linux-igd implement a UPnP <em class="firstterm">Internet
      Gateway Device</em>. It will not allow clients on one LAN subnet
      to access a UPnP Media Server on another subnet.</p></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="linux-igd"></a>linux-igd Configuration</h2></div></div></div><p>In /etc/upnpd.conf, you will want:</p><pre class="programlisting">create_forward_rules = yes
prerouting_chain_name = UPnP
forward_chain_name = forwardUPnP</pre></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Shorewall"></a>Shorewall Configuration</h2></div></div></div><p>In <code class="filename">/etc/shorewall/interfaces</code>, you need the
    'upnp' option on your external interface.</p><p>Example:</p><pre class="programlisting">#ZONE   INTERFACE       OPTIONS
net     eth1            dhcp,routefilter,tcpflags,<span class="bold"><strong>upnp</strong></span></pre><p>If your loc-&gt;fw policy is not ACCEPT then you need this
    rule:</p><pre class="programlisting">#ACTION            SOURCE  DEST
allowinUPnP        loc     $FW</pre><p>You MUST have this rule:</p><pre class="programlisting">#ACTION            SOURCE  DEST
forwardUPnP        net     loc</pre><p>You must also ensure that you have a route to on your
    internal (local) interface as described in the linux-igd
    documentation.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The init script included with the Debian linux-igd package adds
      this route during <span class="command"><strong>start</strong></span> and deletes it during
      <span class="command"><strong>stop</strong></span>.</p></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>Shorewall versions prior to 4.4.10 do not retain the dynamic rules
      added by linux-igd over a <span class="command"><strong>shorewall restart</strong></span>.</p></div><p>If your firewall-&gt;loc policy is not ACCEPT, then you also need to
    allow UDP traffic from the firewall to the local zone.</p><pre class="programlisting">ACCEPT      $FW          loc        udp            -         &lt;<em class="replaceable"><code>dynamic port range</code></em>&gt;</pre><p>The dynamic port range is obtained by <span class="bold"><strong>cat
    /proc/sys/net/ip_local_port_range</strong></span>.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm62"></a>Shorewall on a UPnP Client</h2></div></div></div><p>It is sometimes desirable to run UPnP-enabled client programs like
    <a class="ulink" href="http://www.transmissionbt.com/" target="_top">Transmission</a>
    (BitTorrent client) on a Shorewall-protected system. Shorewall provides
    support for UPnP client access in the form of the <span class="bold"><strong>upnpclient</strong></span> option in <a class="ulink" href="manpages/shorewall-interfaces.html" target="_top">shorewall-interfaces</a>
    (5).</p><p>The <span class="bold"><strong>upnpclient</strong></span> option causes
    Shorewall to detect the default gateway through the interface and to
    accept UDP packets from that gateway. Note that, like all aspects of UPnP,
    this is a security hole, so use this option at your own risk.</p><p>Note that when multiple clients behind the firewall use UPnP, they
    must configure their applications to use unique ports.</p></div></div></body></html>
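The following shell script is an added example; it is not part of Shorewall, linux-igd, or this article. It covers two chores from the "Shorewall Configuration" section above: it builds the $FW->loc UDP rule line from the kernel's ephemeral ("dynamic") port range, which it assumes lives at /proc/sys/net/ipv4/ip_local_port_range (the path as current Linux kernels expose it), and it summarises the DNAT entries that linux-igd adds at run time to the nat-table chain named by prerouting_chain_name in upnpd.conf (UPnP), so an administrator can see which internal host each externally opened port reaches. The iptables output it parses is a constructed sample in `iptables -t nat -S` format, not output captured from a real gateway; the host addresses and ports in it are made up.

```shell
#!/bin/sh
# Added example (not from Shorewall or linux-igd): helpers for the two
# Shorewall/UPnP chores described in the article.

# Print the /etc/shorewall/rules line that lets the firewall itself reach the
# local zone from its ephemeral UDP source ports (the "dynamic port range").
# Argument: path of the sysctl file holding "low high"; defaults to the kernel's
# IPv4 ephemeral range (assumed location: /proc/sys/net/ipv4/ip_local_port_range).
# Returns 1 if the file is missing or does not hold a sane port range.
upnp_fw_to_loc_rule() {
    range_file="${1:-/proc/sys/net/ipv4/ip_local_port_range}"
    [ -r "$range_file" ] || return 1
    read -r low high < "$range_file" || return 1
    # Both fields must be present and purely numeric.
    case "$low:$high" in
        *[!0-9:]* | :* | *:) return 1 ;;
    esac
    [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ] || return 1
    # Columns: ACTION SOURCE DEST PROTO DPORT SPORT; Shorewall writes ranges as low:high.
    printf 'ACCEPT\t$FW\tloc\tudp\t-\t%s:%s\n' "$low" "$high"
}

# Read `iptables -t nat -S UPnP` output on stdin (UPnP being the
# prerouting_chain_name from upnpd.conf) and print one line per DNAT mapping:
# "<proto> <external port> -> <internal host:port>".
audit_upnp_mappings() {
    awk '
        $1 == "-A" && $2 == "UPnP" {
            proto = "any"; dport = "?"; dest = "?"
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "--to-destination") dest = $(i + 1)
            }
            print proto, dport, "->", dest
        }'
}

# Constructed sample of `iptables -t nat -S UPnP` output (not captured from a
# real gateway): three mappings requested by two internal hosts.
UPNP_SAMPLE='-N UPnP
-A UPnP -d 203.0.113.10/32 -p tcp -m tcp --dport 6881 -j DNAT --to-destination 192.168.1.20:6881
-A UPnP -d 203.0.113.10/32 -p udp -m udp --dport 6881 -j DNAT --to-destination 192.168.1.20:6881
-A UPnP -d 203.0.113.10/32 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.30:3389'

# Demonstration: the rule line for this host (when the sysctl file exists) and
# the mappings found in the constructed sample.
if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
    upnp_fw_to_loc_rule
fi
printf '%s\n' "$UPNP_SAMPLE" | audit_upnp_mappings
```

On a live gateway, pipe `iptables -t nat -S UPnP` into audit_upnp_mappings to list what UPnP clients have opened; because Shorewall versions before 4.4.10 do not retain these entries over a restart, comparing the listing before and after a restart also shows which mappings the clients will have to request again.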