Firewall uPnP support

Well, hi there.

After reading documentation about the shorewall firewall, it's evident to me that it is possible to enable uPnP support.
As far as I can understand this is not possible since the configuration files regenerate and the manual changes are thereby overrun.

I'm afraid my understanding of this kind of system just is not enough (yet), therefore I would like to ask you guys if there is any chance of enabling uPnP support?

I understand the security aspect of having it disabled but I still want to enable it.

Thanks.

(edit: changed from community to support)

almost everything about conf files is “templated” and you can so create your custom template to customize your system…

search this community for “e-smith”, you’ll find some useful posts about @stephdl and me

HTH

Thank you.

After reading a bit and nano:ing a couple of template files, I honestly feel that this is somewhere about 8 steps above my current skill/knowledge.

But, after reading this: http://fossies.org/linux/shorewall-docs-html/UPnP.html#Shorewall

I guess all I have to do is insert:

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth1            detect          dhcp,routefilter,tcpflags,upnp
#ACTION            SOURCE  DEST
allowinUPnP        loc     $FW
#ACTION            SOURCE  DEST
forwardUPnP        net     loc

Into /etc/e-smith/templates/etc/shorewall/interfaces/10base ?

There is some info on the official site: http://shorewall.net/UPnP.html (but at the moment it is not reachable).
Try to look at this in the meantime: http://fossies.org/linux/shorewall-docs-html/UPnP.html

Check also the miniupnpc program.

Or do I insert it here?

        if ($role eq 'green') {
            $OUT .= "# Force GREEN + RED mode with only one interface\n";
            $OUT .= "net\t".$i->key."\tdhcp,nosmurfs,optional";
        }
        $OUT .= ",bridge" if ($type eq 'bridge');
        $OUT .= "\n";
    }
} else {
    foreach my $i ($ndb->interfaces) {
        my $role = $i->prop('role') || next;
        my $type = $i->prop('type') || '';
        next if ($role eq 'slave' || $role eq 'bridged' || $role eq 'pppoe');
        next if ($type eq 'alias');
        if ($role eq 'green') {
            $OUT .= "loc\t".$i->key."\tdhcp,nosmurfs,routeback".$mac_option;
        } elsif ($role eq 'red') {
            $OUT.="net\t".$i->key."\tdhcp,nosmurfs,upnp,optional"; # upnp added here
        } else {
            $role = substr($role,0,5); #truncate zone name to 5 chars
            if ($role eq 'blue') {
                $OUT.="$role\t".$i->key."\tdhcp,nosmurfs,routeback".$mac_option;
            } else {
                $OUT.="$role\t".$i->key."\tdhcp,nosmurfs,routeback";
            }
        }
        $OUT .= ",bridge" if ($type eq 'bridge');
        $OUT .= "\n";
    }
}

}

Just make it work by modifying files under /etc/shorewall, then post the whole diff and I can make the custom templates to persist the customization. :wink:

3 Likes
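
An added example, not part of the thread and not NethServer or Shorewall code: a small Python check that reads Shorewall `interfaces` and `rules` text and reports whether the `upnp` interface option and the `allowinUPnP` / `forwardUPnP` actions quoted above are consistent with each other. The sample files are constructed from the snippet in the thread, and treating `net` as the only zone that should carry `upnp` is an assumption taken from that snippet.

```python
# Constructed sample files modelled on the snippet quoted in the thread.
INTERFACES = """\
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth1            detect          dhcp,routefilter,tcpflags,upnp
loc     eth0            detect          dhcp,nosmurfs,routeback
"""
RULES = """\
#ACTION            SOURCE  DEST
allowinUPnP        loc     $FW
forwardUPnP        net     loc
"""

def rows(text):
    """Yield whitespace-split fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def upnp_interfaces(interfaces_text):
    """Return {interface: zone} for entries whose OPTIONS column lists upnp."""
    found = {}
    for f in rows(interfaces_text):
        # OPTIONS is the last column in both the 3- and 4-column layouts.
        if len(f) >= 3 and "upnp" in f[-1].split(","):
            found[f[1]] = f[0]
    return found

def upnp_rules(rules_text):
    """Return (action, source, dest) for the two UPnP actions."""
    return [tuple(f[:3]) for f in rows(rules_text)
            if len(f) >= 3 and f[0] in ("allowinUPnP", "forwardUPnP")]

def audit(interfaces_text, rules_text, external_zone="net"):
    """List inconsistencies between the interface option and the rules."""
    ifaces, rules = upnp_interfaces(interfaces_text), upnp_rules(rules_text)
    actions = {r[0] for r in rules}
    findings = [f"upnp set on {i} in zone {z}, expected {external_zone}"
                for i, z in ifaces.items() if z != external_zone]
    if ifaces and "forwardUPnP" not in actions:
        findings.append("upnp option set but no forwardUPnP rule")
    if actions and not ifaces:
        findings.append("UPnP rules present but no interface has upnp")
    findings += [f"forwardUPnP source is {r[1]}, expected {external_zone}"
                 for r in rules if r[0] == "forwardUPnP" and r[1] != external_zone]
    return findings

if __name__ == "__main__":
    print(upnp_interfaces(INTERFACES), audit(INTERFACES, RULES) or "consistent")
```

Running it against the files under /etc/shorewall after a template change shows whether UPnP ended up enabled on the interface that was intended.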

I have been having trouble getting open NAT for my xbox, tried the link here, it seems to have solved all my problems !!!

unfortunately …
[root@nethserver ~]# yum install snapd
.
.
.
Complete!
[root@nethserver ~]# systemctl enable --now snapd.socket
Created symlink from /etc/systemd/system/sockets.target.wants/snapd.socket to /usr/lib/systemd/system/snapd.socket.
[root@nethserver ~]# ln -s /var/lib/snapd/snap /snap
[root@nethserver ~]# snap install upnp-server
error: too early for operation, device not yet seeded or device model not acknowledged

resolved by:
[root@nethserver ~]# yum reinstall snapd
[root@nethserver ~]# snap install upnp-server
020-01-11T19:59:48+01:00 INFO Waiting for restart…
Warning: /var/lib/snapd/snap/bin was not found in your $PATH. If you’ve not restarted your
session since you installed snapd, try doing that. Please see
https://forum.snapcraft.io/t/9469 for more details.

upnp-server 0.1.0 from Oliver Grawert (ogra) installed

restarting the terminal session resolves the problem

[root@nethserver ~]# echo $PATH
/sbin/e-smith:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin:/var/lib/snapd/snap/bin:/root/bin

Not sure what your post meant. It worked fine for me.


capote
Marko Dargel

    January 11

mojolacerator1:
Install upnp-server on CentOS using the Snap Store | Snapcraft

unfortunately …
[root@nethserver ~]# yum install snapd
.
.
.
Complete!
[root@nethserver ~]# systemctl enable --now snapd.socket
Created symlink from /etc/systemd/system/sockets.target.wants/snapd.socket to /usr/lib/systemd/system/snapd.socket.
[root@nethserver ~]# ln -s /var/lib/snapd/snap /snap
[root@nethserver ~]# snap install upnp-server
error: too early for operation, device not yet seeded or device model not acknowledged

After running :point_up:, wait for a couple of minutes before running :point_down:. It takes a couple of seconds/minutes for snapd to catch up and fully initialise itself. This one gets me every time.

Thank you guys,
I installed the service, all is fine now.

yum reinstall snapd

was the joker.