Firewall uPnP support


(Magnus Andersson) #1

Well, hi there.

After reading documentation about the shorewall firewall, it's evident to me that it is possible to enable uPnP support.
As far as I can understand this is not possible since the configuration files regenerate and the manual changes are thereby overrun.

I'm afraid my understanding of this kind of system just is not enough (yet), therefore I would like to ask you guys if there is any chance of enabling uPnP support?

I understand the security aspect of having it disabled but I still want to enable it.

Thanks.

(edit: changed from community to support)


(Stefano) #2

almost everything about conf files is “templated” and you can so create your custom template to customize your system…

search this community for "e-smith", you'll find some useful posts about @stephdl and me

HTH


(Magnus Andersson) #3

Thank you.

After reading a bit and nano:ing a couple of template files, I honestly feel that this is somewhere about 8 steps above my current skill/knowledge.

But, after reading this: http://fossies.org/linux/shorewall-docs-html/UPnP.html#Shorewall

I guess all I have to do is insert:

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth1            detect          dhcp,routefilter,tcpflags,upnp
#ACTION            SOURCE  DEST
allowinUPnP        loc     $FW
#ACTION            SOURCE  DEST
forwardUPnP        net     loc

Into /etc/e-smith/templates/etc/shorewall/interfaces/10base ?


(Giacomo Sanchietti) #4

There is some info on the official site: http://shorewall.net/UPnP.html (but at the moment it is not reachable).
Try to look at this in the meanwhile: http://fossies.org/linux/shorewall-docs-html/UPnP.html

Check also miniupnpc program.


(Magnus Andersson) #5

Or do I insert it here?

            if ($role eq 'green') {
            $OUT .= "# Force GREEN + RED mode with only one interface\n";
            $OUT .= "net\t".$i->key."\tdhcp,nosmurfs,optional";
        }
        $OUT .= ",bridge" if ($type eq 'bridge');
        $OUT .= "\n";
    }
} else {
    foreach my $i ($ndb->interfaces) {
        my $role = $i->prop('role') || next;
        my $type = $i->prop('type') || '';
        next if ($role eq 'slave' || $role eq 'bridged' || $role eq 'pppoe');
        next if ($type eq 'alias');
        if ($role eq 'green') {
            $OUT .= "loc\t".$i->key."\tdhcp,nosmurfs,routeback".$mac_option;
        } elsif ($role eq 'red') {
            $OUT.="net\t".$i->key."\tdhcp,nosmurfs,upnp,optional"; # added the upnp interface option on the red (WAN) interface
        } else {
            $role = substr($role,0,5); #truncate zone name to 5 chars
            if ($role eq 'blue') {
                $OUT.="$role\t".$i->key."\tdhcp,nosmurfs,routeback".$mac_option;
            } else {
                $OUT.="$role\t".$i->key."\tdhcp,nosmurfs,routeback";
            }
        }
        $OUT .= ",bridge" if ($type eq 'bridge');
        $OUT .= "\n";
    }
}

}


(Giacomo Sanchietti) #6

Just make it work by modifying files under /etc/shorewall, then post the whole diff and I can make the custom templates to persist the customization. :wink:
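Once the files under /etc/shorewall have been edited (or regenerated from a template), it is worth confirming that the result exposes UPnP only where intended. The checker below is an added example, not code from the thread or from NethServer/Shorewall; it parses the Shorewall `interfaces` and `rules` tables and verifies that the `upnp` option sits only on the `net` interface, that `allowinUPnP` is accepted only from `loc` to `$FW`, and that `forwardUPnP` only runs `net` to `loc`. The sample tables are constructed, not taken from a real system.

```python
"""Sanity-check a generated Shorewall configuration for the UPnP layout
discussed in the thread: 'upnp' only on the net (WAN) interface, allowinUPnP
only loc -> $FW, forwardUPnP only net -> loc. Samples below are constructed."""

def parse_shorewall(text):
    """Split a Shorewall table file into rows of fields, dropping comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def interface_options(row):
    """OPTIONS is the 3rd field (ZONE IFACE OPTIONS), or the 4th when the
    older BROADCAST column ('detect' or '-') is present."""
    if len(row) > 3:
        return set(row[3].split(","))
    if len(row) == 3 and row[2] not in ("detect", "-"):
        return set(row[2].split(","))
    return set()

def check_upnp(interfaces_text, rules_text):
    """Return a list of problems; an empty list means the layout is as intended."""
    problems, upnp_seen = [], False
    for row in parse_shorewall(interfaces_text):
        if "upnp" in interface_options(row):
            upnp_seen = True
            if row[0] != "net":
                problems.append(f"upnp option on {row[1]} (zone {row[0]}), expected net only")
    if not upnp_seen:
        problems.append("no interface carries the upnp option")
    expected = {"allowinUPnP": ("loc", "$FW"), "forwardUPnP": ("net", "loc")}
    found = set()
    for row in parse_shorewall(rules_text):
        if row[0] in expected:
            found.add(row[0])
            if tuple(row[1:3]) != expected[row[0]]:
                problems.append(f"{row[0]} {row[1]} -> {row[2]}, expected {' -> '.join(expected[row[0]])}")
    problems += [f"missing {a} rule" for a in expected if a not in found]
    return problems

# Constructed samples: the intended layout, and a misconfigured one.
GOOD_INTERFACES = "#ZONE INTERFACE OPTIONS\nloc\teth0\tdhcp,nosmurfs,routeback\nnet\teth1\tdhcp,nosmurfs,upnp,optional\n"
GOOD_RULES = "#ACTION SOURCE DEST\nallowinUPnP\tloc\t$FW\nforwardUPnP\tnet\tloc\n"
BAD_INTERFACES = "loc\teth0\tdhcp,nosmurfs,upnp,routeback\nnet\teth1\tdetect\tdhcp,optional\n"
BAD_RULES = "allowinUPnP\tnet\t$FW\nforwardUPnP\tnet\tloc\n"
```

Running `check_upnp` over the real `/etc/shorewall/interfaces` and `/etc/shorewall/rules` contents after each template regeneration shows immediately whether the customization survived and whether UPnP stayed confined to the intended zones.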