Bug#441082: linux-igd does not restrict itself to the internal interface
On Sun, Aug 03, 2008 at 09:38:09AM +0200, Laurent Bigonville wrote:
> hi,
>
> I've just recompiled linux-igd (and libupnp) under etch and it seems that
> linux-igd is still listening on all interfaces and not just on the internal

Thanks for the update, I can confirm this. Sorry I didn't check sooner.

It seems the patch was a bit of a red herring. It is actually libupnp's SSDP server which binds and listens to port 1900 and libupnp's miniserver which binds and listens to port 49152. There doesn't seem to be a mechanism in libupnp to bind to specific interfaces, and it may not even be appropriate if more than one SSDP service is running on the host (e.g. media servers).

I would recommend instead that you use your firewall (you are running one on your internet gateway, of course?) to restrict the access to these ports from the outside interface(s). Shorewall, for instance, has the allowinUPnP feature which adds iptables rules similar to the following, see http://www.shorewall.net/UPnP.html :

    *filter
    -A INPUT -i eth1 -j allowinUPnP
    -A allowinUPnP -p udp -m udp --dport 1900 -j ACCEPT
    -A allowinUPnP -p tcp -m tcp --dport 49152:49159 -j ACCEPT

It is on my todo list (see debian/TODO.Debian) to improve linux-igd's firewalling and specifically Shorewall integration further. I'll leave this bug open until I can update SECURITY.Debian with suitable advice.

Nick
Bug#441082: linux-igd does not restrict itself to the internal interface
found 441082 1.0+cvs20070630-1
thanks

hi,

I've just recompiled linux-igd (and libupnp) under etch and it seems that linux-igd is still listening on all interfaces and not just on the internal

# netstat -taupe|grep upnp
tcp        0      0 *:49153                 *:*                     LISTEN      root       240114     15357/upnpd
udp        0      0 localhost:37012         *:*                                 root       240115     15357/upnpd
udp        0      0 *:1900                  *:*                                 root       240117     15357/upnpd

Regards
Laurent
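An added example, not part of this bug thread or of linux-igd: a small Python check that parses `netstat -taupe` output in the layout shown above, reports which of upnpd's sockets are bound to every interface (the wildcard `*` local address), and turns those findings into iptables DROP rules for the outside interface. The sample listing is constructed (the three upnpd rows mirror the report; the `minidlnad` row and the `eth0` external interface name are assumptions).

```python
from collections import namedtuple

# Constructed sample in the column layout of `netstat -taupe` on Linux:
# Proto Recv-Q Send-Q Local Foreign [State] User Inode PID/Program.
# The first three rows mirror the bug report; the last is a made-up media
# server bound only to the LAN address, for contrast.
SAMPLE_NETSTAT = """\
tcp        0      0 *:49153            *:*    LISTEN  root  240114  15357/upnpd
udp        0      0 localhost:37012    *:*            root  240115  15357/upnpd
udp        0      0 *:1900             *:*            root  240117  15357/upnpd
udp        0      0 192.168.1.1:1900   *:*            root  240118  15358/minidlnad
"""

Socket = namedtuple("Socket", "proto host port program")

# Local addresses that mean "every interface" in netstat output.
WILDCARD_HOSTS = {"*", "0.0.0.0", "::", "[::]"}


def parse_netstat(text):
    """Parse netstat -taupe rows into Socket records, skipping header lines."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        # TCP rows carry a State column and UDP rows do not, so the
        # PID/Program column is taken from the end of the row.
        if len(fields) < 7 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        host, _, port = fields[3].rpartition(":")
        program = fields[-1].partition("/")[2] or fields[-1]
        sockets.append(Socket(fields[0], host, port, program))
    return sockets


def wildcard_listeners(text, program="upnpd"):
    """Sorted (proto, port) pairs of `program` sockets bound to all interfaces."""
    return sorted({(s.proto, s.port) for s in parse_netstat(text)
                   if s.program == program and s.host in WILDCARD_HOSTS})


def drop_rules(listeners, external_if):
    """iptables rules that block each wildcard-bound port on the outside interface."""
    return ["-A INPUT -i %s -p %s --dport %s -j DROP"
            % (external_if, proto.rstrip("6"), port)
            for proto, port in listeners]
```

Feed it the live output of `netstat -taupe` (as root, so the PID/Program column is filled in) to see which upnpd ports are reachable from every interface; the generated rules complement, rather than replace, a default-deny policy on the external interface.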
Bug#441082: linux-igd does not restrict itself to the internal interface
Package: linux-igd
Version: 0.cvs20060201-2
Severity: important
Tags: security, patch

linux-igd listens for UDP multicast packets but does not restrict itself to just the internal interface (which has to be specified in any case), thereby opening itself to possible external requests for port forwarding. In many cases this would be blocked by firewalling rules on the same machine as the daemon, so would not be any issue there.

This can be fixed with a simple bind() or SO_BINDTODEVICE as in the attached patch. Note that this patch is against the latest CVS, but should be correct for the Debian versions.

Note that a more recent version of linux-igd has been packaged for Debian here:
http://mentors.debian.net/cgi-bin/sponsor-pkglist?action=details;package=linux-igd

Index: util.c === RCS file: /cvsroot/linux-igd/linux-igd/util.c,v retrieving revision 1.3 diff -u -r1.3 util.c --- util.c 1 Aug 2006 22:48:00 - 1.3 +++ util.c 6 Sep 2007 15:25:34 - @@ -8,10 +8,11 @@ #include netinet/in.h #include sys/ioctl.h #include sys/socket.h +#include unistd.h #include globals.h -static int get_sockfd(void) +static int get_sockfd(const char *ifname) { static int sockfd = -1; @@ -22,18 +23,26 @@ perror(user: socket creating failed); return (-1); } + + if (setsockopt(sockfd, SOL_SOCKET, SO_BINDTODEVICE, ifname, sizeof(ifname))) + { + perror(could not bind to device); + close(sockfd); + return (-1); + } + } return sockfd; } -int GetIpAddressStr(char *address, char *ifname) +int GetIpAddressStr(char *address, const char *ifname) { struct ifreq ifr; struct sockaddr_in *saddr; int fd; int succeeded = 0; - fd = get_sockfd(); + fd = get_sockfd(ifname); if (fd = 0 ) { strncpy(ifr.ifr_name, ifname, IFNAMSIZ); Index: util.h === RCS file: /cvsroot/linux-igd/linux-igd/util.h,v retrieving revision 1.3 diff -u -r1.3 util.h --- util.h 1 Aug 2006 22:48:00 - 1.3 +++ util.h 6 Sep 2007 15:25:34 - 
@@ -1,8 +1,8 @@ #ifndef _UTIL_H_ #define _UTIL_H_ -int get_sockfd(void); -int GetIpAddressStr(char *address, char *ifname); +int get_sockfd(const char *ifname); +int GetIpAddressStr(char *address, const char *ifname); void trace(int debuglevel, const char *format, ...); #endif //_UTIL_H_
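Review bot: in the first util.c hunk (`get_sockfd(const char *ifname)`), the socket is still cached in `static int sockfd = -1;`, so the new `ifname` argument only has an effect on the very first call; a later caller passing a different interface name silently gets a socket bound to the first one. Either document that the function binds once, or drop the caching now that the result depends on the argument.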
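Review bot: in the second util.c hunk, `sizeof(ifname)` is the size of a `const char *` (4 or 8 bytes), not the length of the interface name, so `SO_BINDTODEVICE` receives a truncated or padded name; use `strlen(ifname) + 1` (the name must fit in IFNAMSIZ). Also, the failure path does `close(sockfd); return (-1);` but leaves the static `sockfd` holding the closed descriptor number, so every subsequent call returns a stale fd; set `sockfd = -1;` before returning. Note too that `SO_BINDTODEVICE` needs the CAP_NET_RAW capability, which holds here only because upnpd runs as root.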
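Review bot: in the `GetIpAddressStr` hunk, the descriptor from `get_sockfd(ifname)` is only used for the `struct ifreq` lookup that follows (`strncpy(ifr.ifr_name, ifname, IFNAMSIZ)`), so binding it to the device changes which interface that query is issued on but not which interfaces the SSDP and miniserver sockets listen on, which the later reply in this thread confirms are opened by libupnp. The bug description should state what the change actually restricts, so readers do not take it as a fix for the wildcard listeners shown in the netstat output.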
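Review bot: the util.h hunk keeps exporting `int get_sockfd(const char *ifname);` while util.c defines the function as `static`, so the header declaration is either dead or, if another translation unit ever calls it, a link error; drop it from util.h (keeping only the `GetIpAddressStr` prototype change) or drop `static` in util.c, but not both halves as they stand.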