Shorewall and UPnP

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

2020/02/16


UPnP

Shorewall includes support for UPnP (Universal Plug and Play) using linux-igd (http://linux-igd.sourceforge.net). UPnP is required by a number of popular applications including MSN IM.

Warning

From a security architecture viewpoint, UPnP is a disaster. It assumes that:

  1. All local systems and their users are completely trustworthy.

  2. No local system is infected with any worm or trojan.

If either of these assumptions are not true then UPnP can be used to totally defeat your firewall and to allow incoming connections to arbitrary local systems on any port whatsoever. In short: USE UPnP AT YOUR OWN RISK.

Important

Shorewall and linux-igd implement a UPnP Internet Gateway Device. It will not allow clients on one LAN subnet to access a UPnP Media Server on another subnet.

linux-igd Configuration

In /etc/upnpd.conf, you will want:

create_forward_rules = yes
prerouting_chain_name = UPnP
forward_chain_name = forwardUPnP

Shorewall Configuration

In /etc/shorewall/interfaces, you need the 'upnp' option on your external interface.

Example:

#ZONE   INTERFACE       OPTIONS
net     eth1            dhcp,routefilter,tcpflags,upnp

If your loc->fw policy is not ACCEPT then you need this rule:

#ACTION            SOURCE  DEST
allowinUPnP        loc     $FW

You MUST have this rule:

#ACTION            SOURCE  DEST
forwardUPnP        net     loc

You must also ensure that you have a route to 224.0.0.0/4 on your internal (local) interface as described in the linux-igd documentation.

Note

The init script included with the Debian linux-idg package adds this route during start and deletes it during stop.

Caution

Shorewall versions prior to 4.4.10 do not retain the dynamic rules added by linux-idg over a shorewall restart.

If your firewall->loc policy is not ACCEPT, then you also need to allow UDP traffic from the fireawll to the local zone.

ACCEPT      $FW          loc        udp            -         <dynamic port range>

The dynamic port range is obtained by cat /proc/sys/net/ip_local_port_range.

Shorewall on a UPnP Client

It is sometimes desirable to run UPnP-enabled client programs like Transmission (BitTorrent client) on a Shorewall-protected system. Shorewall provides support for UPnP client access in the form of the upnpclient option in shorewall-interfaces (5).

The upnpclient option causes Shorewall to detect the default gateway through the interface and to accept UDP packets from that gateway. Note that, like all aspects of UPnP, this is a security hole so use this option at your own risk.

Note that when multiple clients behind the firewall use UPnP, they must configure their applications to use unique ports.

Documentation


Frequently Used Articles

- FAQs - Manpages - Configuration File Basics - Beginner Documentation - Troubleshooting

Shorewall 4.4/4.5/4.6 Documentation

Shorewall 4.0/4.2 Documentation


Shorewall 5.0/5.1/5.2 HOWTOs and Other Articles

- 6to4 and 6in4 Tunnels - Accounting - Actions - Aliased (virtual) Interfaces (e.g., eth0:0) - Anatomy of Shorewall - Anti-Spoofing Measures - AUDIT Target support - Bandwidth Control - Blacklisting/Whitelisting - Bridge/Firewall - Building Shorewall from GIT - Commands - Compiled Programs - Configuration File Basics - DHCP - DNAT - Docker - Dynamic Zones - ECN Disabling by host or subnet - Events - Extension Scripts - Fallback/Uninstall - FAQs - Features - Fool's Firewall - Forwarding Traffic on the Same Interface - FTP and Shorewall - Helpers/Helper Modules - Installation/Upgrade - IPP2P - IPSEC - Ipsets - IPv6 Support - ISO 3661 Country Codes - Kazaa Filtering - Kernel Configuration - KVM (Kernel-mode Virtual Machine) - Limiting Connection Rates - Linux Containers (LXC) - Linux-vserver - Logging - Macros - MAC Verification - Manpages - Manual Chains - Masquerading - Multiple Internet Connections from a Single Firewall - Multiple Zones Through One Interface - My Shorewall Configuration - Netfilter Overview - Network Mapping - No firewalling of traffic between bridge port - One-to-one NAT - Operating Shorewall - OpenVPN - OpenVZ - Packet Marking - Packet Processing in a Shorewall-based Firewall - 'Ping' Management - Port Forwarding - Port Information - Port Knocking (deprecated) - Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' - PPTP - Proxy ARP - QuickStart Guides - Release Model - Requirements - Routing and Shorewall - Routing on One Interface - Samba - Shared Shorewall/Shorewall6 Configuration - Shorewall Events - Shorewall Init - Shorewall Lite - Shorewall on a Laptop - Shorewall Perl - Shorewall Setup Guide - SMB - SNAT - Split DNS the Easy Way - Squid with Shorewall - Starting/stopping the Firewall - Static (one-to-one) NAT - Support - Tips and Hints - Traffic Shaping/QOS - Simple - Traffic Shaping/QOS - Complex - Transparent Proxy - UPnP - Upgrade Issues - Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze) - VPN - VPN Passthrough - White List Creation - Xen - Shorewall in a Bridged Xen DomU - Xen - Shorewall in Routed Xen Dom0

Top of Page