Bug#441082: linux-igd does not restrict itself to the internal interface

2010-03-07 Thread Nick Leverton
On Sun, Aug 03, 2008 at 09:38:09AM +0200, Laurent Bigonville wrote:
> hi,
>
> I've just recompiled linux-igd (and libupnp) under etch and it seems
> that linux-igd is still listening on all interfaces and not just on the
> internal one

Thanks for the update, I can confirm this.  Sorry I didn't check sooner.
It seems the patch was a bit of a red herring.

It is actually libupnp's SSDP server which binds and listens to port
1900 and libupnp's miniserver which binds and listens to port 49152.
There doesn't seem to be a mechanism in libupnp to bind to specific
interfaces, and it may not even be appropriate if more than one SSDP
service is running on the host (e.g. media servers).

I would recommend instead that you use your firewall (you are running
one on your internet gateway, of course?) to restrict access to
these ports from the outside interface(s).  Shorewall, for instance,
has the allowinUPnP feature which adds iptables rules similar to the
following (see http://www.shorewall.net/UPnP.html):

*filter
-A INPUT -i eth1 -j allowinUPnP
-A allowinUPnP -p udp -m udp --dport 1900 -j ACCEPT
-A allowinUPnP -p tcp -m tcp --dport 49152:49159 -j ACCEPT

It is on my todo list (see debian/TODO.Debian) to improve linux-igd's
firewalling and specifically Shorewall integration further.  I'll leave
this bug open until I can update SECURITY.Debian with suitable advice.

Nick



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#441082: linux-igd does not restrict itself to the internal interface

2008-08-03 Thread Laurent Bigonville
found 441082 1.0+cvs20070630-1
thanks

hi,

I've just recompiled linux-igd (and libupnp) under etch and it seems
that linux-igd is still listening on all interfaces and not just on the
internal one

# netstat -taupe|grep upnp
tcp   0  0 *:49153          *:*    LISTEN   root   240114   15357/upnpd
udp   0  0 localhost:37012  *:*             root   240115   15357/upnpd
udp   0  0 *:1900           *:*             root   240117   15357/upnpd

Regards

Laurent






Bug#441082: linux-igd does not restrict itself to the internal interface

2007-09-06 Thread Peter Naulls
Package: linux-igd
Version: 0.cvs20060201-2
Severity: important
Tags: security, patch

linux-igd listens for UDP multicast packets but does not restrict
itself to just the internal interface (which has to be specified in
any case), thereby opening itself to possible external requests for
port forwarding.  In many cases this would be blocked by firewalling
rules on the same machine as the daemon, so would not be any issue
there.

This can be fixed with a simple bind() or SO_BINDTODEVICE as in the
attached patch.  Note that this patch is against the latest CVS, but
should be correct for the Debian versions.

Note that a more recent version of linux-igd has been packaged for Debian here:

http://mentors.debian.net/cgi-bin/sponsor-pkglist?action=details;package=linux-igd

Index: util.c
===
RCS file: /cvsroot/linux-igd/linux-igd/util.c,v
retrieving revision 1.3
diff -u -r1.3 util.c
--- util.c	1 Aug 2006 22:48:00 -	1.3
+++ util.c	6 Sep 2007 15:25:34 -
@@ -8,10 +8,11 @@
 #include netinet/in.h
 #include sys/ioctl.h
 #include sys/socket.h
+#include unistd.h
 #include globals.h
 
 
-static int get_sockfd(void)
+static int get_sockfd(const char *ifname)
 {
static int sockfd = -1;
 
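Review bot: the new definition keeps `get_sockfd` `static` in util.c while the util.h hunk later in this patch changes the exported prototype to `int get_sockfd(const char *ifname);`, so the two declarations still disagree on linkage; either drop `static` here or drop the prototype from the header. The added `#include unistd.h` is needed for the `close()` call the next hunk introduces, so that part is correct.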
@@ -22,18 +23,26 @@
  perror(user: socket creating failed);
  return (-1);
   }
+
+  if (setsockopt(sockfd, SOL_SOCKET, SO_BINDTODEVICE, ifname, sizeof(ifname)))
+  {
+ perror(could not bind to device);
+ close(sockfd);
+ return (-1);
+  }
+
}
return sockfd;
 }
 
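Review bot: `sizeof(ifname)` on the `setsockopt` line is the size of a `const char *` (4 or 8 bytes), not the length of the interface name, so SO_BINDTODEVICE gets a wrong option length: names longer than the pointer size are truncated and shorter ones rely on the kernel reading past the terminator. Check that the name fits in IFNAMSIZ and pass `strlen(ifname) + 1` as the length. Two further points: `sockfd` is `static` and created once, so the device binding is applied only on the first call and a later call with a different `ifname` silently keeps the first; and the socket bound here is the helper used for the `ifreq` ioctl lookup in `GetIpAddressStr`, not the SSDP (1900) or miniserver (49152) listeners, which the follow-up in this thread reports are opened inside libupnp, so the listeners' wildcard binding is unaffected by this change.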
-int GetIpAddressStr(char *address, char *ifname)
+int GetIpAddressStr(char *address, const char *ifname)
 {
struct ifreq ifr;
struct sockaddr_in *saddr;
int fd;
int succeeded = 0;
 
-   fd = get_sockfd();
+   fd = get_sockfd(ifname);
if (fd = 0 )
{
   strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
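Review bot: with `ifname` now also flowing into SO_BINDTODEVICE, its length should be validated once at the top of `GetIpAddressStr` before `get_sockfd(ifname)`; the unchanged `strncpy(ifr.ifr_name, ifname, IFNAMSIZ)` in the context does not NUL-terminate when the name is IFNAMSIZ bytes or longer. The condition `if (fd = 0 )` reads as an assignment as rendered here; presumably the `>` of `>=` was lost in transit and should be confirmed against the actual file.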
Index: util.h
===
RCS file: /cvsroot/linux-igd/linux-igd/util.h,v
retrieving revision 1.3
diff -u -r1.3 util.h
--- util.h	1 Aug 2006 22:48:00 -	1.3
+++ util.h	6 Sep 2007 15:25:34 -
@@ -1,8 +1,8 @@
 #ifndef _UTIL_H_
 #define _UTIL_H_
 
-int get_sockfd(void);
-int GetIpAddressStr(char *address, char *ifname);
+int get_sockfd(const char *ifname);
+int GetIpAddressStr(char *address, const char *ifname);
 void trace(int debuglevel, const char *format, ...);
 
 #endif //_UTIL_H_
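As an added example (not the linux-igd patch above and not libupnp code), here are the two ways a daemon can keep a socket on the internal interface that this report discusses: SO_BINDTODEVICE with the option length taken from the name instead of `sizeof` of the pointer, and a UDP listener bound to the interface's own address rather than the wildcard `*:port` seen in the netstat output. The function names are assumptions, and on Linux SO_BINDTODEVICE needs CAP_NET_RAW.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Attach sockfd to ifname with SO_BINDTODEVICE. The option length must be
 * the name length plus its NUL; sizeof(ifname) would pass the size of a
 * pointer. Needs CAP_NET_RAW. Returns 0, or -1 with errno set. */
int bind_to_device(int sockfd, const char *ifname)
{
    const char *nul = ifname ? memchr(ifname, '\0', IFNAMSIZ) : NULL;
    if (!ifname || nul == ifname) { errno = EINVAL; return -1; }
    if (!nul) { errno = ENAMETOOLONG; return -1; }   /* >= IFNAMSIZ, no room */
    return setsockopt(sockfd, SOL_SOCKET, SO_BINDTODEVICE, ifname,
                      (socklen_t)(nul - ifname + 1));
}

/* IPv4 address of ifname via SIOCGIFADDR (the ifreq lookup GetIpAddressStr
 * performs); works without privileges. Returns 0, or -1 with errno set. */
int interface_address(const char *ifname, struct in_addr *out)
{
    struct ifreq ifr;
    if (!ifname || !memchr(ifname, '\0', IFNAMSIZ)) { errno = EINVAL; return -1; }
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);      /* keeps the trailing NUL */
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    int rc = ioctl(fd, SIOCGIFADDR, &ifr);
    close(fd);
    if (rc < 0) return -1;
    *out = ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr;
    return 0;
}

/* UDP socket bound to ifname's own address on port, so it never answers on
 * the wildcard address. Returns the socket fd, or -1 with errno set. */
int udp_listener_on_interface(const char *ifname, unsigned short port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd;
    if (interface_address(ifname, &sa.sin_addr) < 0) return -1;
    if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}
```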