UPnP

From securityrouter.org, an OpenBSD-based firewall
Jump to: navigation, search

Universal Plug and Play Internet Gateway Device (UPnP IGD) and NAT-PMP are protocols that enables direct IPv4 communication to devices behind NAT. Because of the security implications of UPnP, it is intended primarily for residential networks, and therefore not enabled nor installed by default in the security router software.

You may however enable UPnP and/or NAT-PMP at your own risk using skeleton files.

Begin by

  1. Enable root access and logging in for example using SSH
  2. Install Perl

Then add a few lines to /cfg/skel/rc.local by running

# echo "mount -uw /" >> /cfg/skel/rc.local
# echo "pkg_add miniupnpd" >> /cfg/skel/rc.local
# echo "miniupnpd -f /cfg/skel/miniupnpd.conf" >> /cfg/skel/rc.local

Add anchor miniupnpd to your configuration file's firewall scope, for example by running

> configure
# set firewall { anchor miniupnpd
# commit

Finally create /cfg/skel/miniupnpd.conf, by looking at the example below or its default configuration[1]

ext_ifname=rl0 # replace with your WAN interface
listening_ip=rl1 # replace with your LAN interface
secure_mode=yes
allow 1024-65535 192.168.2.0/24 1024-65535 # replace with your LAN network
deny 0-65535 0.0.0.0/0 0-65535

To start it, you can either reboot, or run the lines you added to /cfg/skel/rc.local.

You can view the dynamically created port forwarding rules by running

# pfctl -a miniupnpd -sr