Hi Sergey,

On Tuesday 25 January 2022 at 15:27, Sergey Ponomarev <stok...@gmail.com> wrote:
Hi,

Most routers support port forwarding via UPnP IGD and/or NAT-PMP/PCP.
Many vendors use MiniUPnPd (http://miniupnp.free.fr); this daemon
is more or less the de facto standard.
This is necessary for any p2p application, but OpenWrt builds don't
have it pre-installed and pre-configured. While it's not so difficult
to install, this is an additional step and still something that users
must know about. For example, I didn't know about it for about two years
while already using OpenWrt. For many users this makes life after
switching to OpenWrt worse than it was before because, for example,
their gaming console now works slower. Even if someone does try to
install it, there is a risk of configuring it incorrectly and exposing
WAN-to-LAN forwarding.

Could you include MiniUPnPd in OpenWrt?

Given the inherent flaws and threats the concept of UPnP poses, I don't think it stands a chance to be included by default. Just the fact that any application in your LAN can open ports and poke holes at will in your firewall is reason enough to *never* do that.

A lot of people in the community advise users to find out what ports they need to open and do that manually, keeping control over what's open and what not, instead of relying on an easy (but risky) protocol like UPnP.

Of course, that's just my 2 cents.

Cheers

Stijn



There may be a few concerns:
1. The UPnP IGD protocol has a very bad reputation. See the "Universal
Pwn n Play" talk.
2. MiniUPnPd also had a security issue in 2014 when WAN-to-LAN
forwarding was enabled for NAT-PMP.
3. Disk space usage: I checked on OpenWrt with a WR1043N (MIPS), and
after installing miniupnpd and its dependency libcap-ng the disk
space usage increased to 72 KB. The binary itself is 98565 bytes, in
contrast with uhttpd at 46212 and lighttpd at 221413. Maybe for Tiny builds
this is too much.

To make it smaller and easier to audit, we could strip UPnP
and leave only NAT-PMP/PCP. See
https://github.com/miniupnp/miniupnp/issues/545

In July 2014 there were two discussions about IPv6 firewall policy for
direct connections:
"OpenWRT IPv6 firewall"
http://lists.openwrt.org/pipermail/openwrt-devel/2014-July/000763.html
"IPv6 firewall and Port Control Protocol"
http://lists.openwrt.org/pipermail/openwrt-devel/2014-July/000671.html

MiniUPnPd can solve the problem, at least partially.

See also this forum discussion:
https://forum.openwrt.org/t/port-control-protocol-support/114411

Regards,
Sergey

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
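As an added illustration, not part of the thread above and not OpenWrt project documentation: the two approaches the thread contrasts, written as OpenWrt UCI configuration. The first fragment is the manual port forward Stijn recommends, a single explicit DNAT rule in /etc/config/firewall that stays under the administrator's control. The second is an /etc/config/upnpd for miniupnpd that narrows what LAN clients may request, which addresses Sergey's worry about a misconfigured install exposing WAN-to-LAN forwarding. The address 192.168.1.50, the port 3074 and the comments are constructed example values; the option names follow the default /etc/config/upnpd shipped with OpenWrt's miniupnpd package as I know it, so check them against the file your package version installs.

```text
# /etc/config/firewall (excerpt): the manual alternative.
# One explicit DNAT rule: WAN port 3074 (tcp and udp) to one LAN host.
# 192.168.1.50 and 3074 are constructed example values, not real ones.
config redirect
	option name 'Console-3074'
	option src 'wan'
	option src_dport '3074'
	option dest 'lan'
	option dest_ip '192.168.1.50'
	option dest_port '3074'
	option proto 'tcp udp'
	option target 'DNAT'

# /etc/config/upnpd: if miniupnpd is installed anyway, constrain it.
config upnpd 'config'
	option enable_natpmp '1'
	option enable_upnp '1'
	# secure_mode: a client may only request mappings to its own
	# address, not redirect WAN traffic to a different LAN host.
	option secure_mode '1'
	# log every mapping request so additions are visible in logread
	option log_output '1'
	# the external side defaults to the interfaces in the 'wan' zone;
	# answer requests only on the LAN interface
	option internal_iface 'lan'
	option port '5000'
	option upnp_lease_file '/var/run/miniupnpd.leases'

# Permission rules are evaluated top down; the first match wins.
# Only unprivileged ports may be mapped, and only to the LAN subnet,
# then everything else is denied (the weak setting would be a single
# allow rule for 0-65535 to 0.0.0.0/0, or no deny rule at all).
config perm_rule
	option action 'allow'
	option ext_ports '1024-65535'
	option int_addr '192.168.1.0/24'
	option int_ports '1024-65535'
	option comment 'Allow high ports to LAN hosts only'

config perm_rule
	option action 'deny'
	option ext_ports '0-65535'
	option int_addr '0.0.0.0/0'
	option int_ports '0-65535'
	option comment 'Default deny'
```

After editing, restart the firewall and miniupnpd services and watch the lease file for what clients actually request. Note the limit of the second approach: secure_mode and the perm rules keep one host from exposing another and keep privileged ports closed, but any process on a LAN host can still open a high port to that host without the administrator's involvement, which is exactly the property Stijn objects to; only the manual rule avoids it.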
