I was looking at UPnP for a bit to try to figure out how it works and after going though even the newest standard it still lacks any-kind of auditing or security options. I would think they would implement SOME kind of IEEE 802.1X or even just a cleartext password system but nada.
I don't know how UPnP is set up in linux (looking into it now) but I was wondering how hard it would be to have the new version of RouterOS support more than just basic Upnp options? Maybe setting up a config so that UPnP cannot allocate ports below 1024. Ip tracking on what ports were requested at what time and when they were released. IP mask blocking, etc.
Heck, it seems allot of information is moved using UPnP according to wireshark, I would like some ability to limit or mask that data and figure out who is sending it. As commented before, a virus could try upnp to open a port and I could find that out fast who is doing it.
I know, I know. Any administrator worth his salt would not use UPnP. But manufacturers are just making to many end devices that use it as the "cure all" I figure someone has to start doing something to make it manageable.
PS - Only solution I figured out right now is to put my wifi phones and game systems on a separate subnet that uses UPnP.
Re: UPnP security options?
From what I see UPnP dynamic rules are placed as last in dstnat chain. So You can insert some accept or drop rule before that to limit some upnp activity...Maybe setting up a config so that UPnP cannot allocate ports below 1024. Ip tracking on what ports were requested at what time and when they were released. IP mask blocking, etc.
Kamil
Re: UPnP security options?
That helps. Its more of an activity monitor I was wanting however.
Been looking though the code, does anyone know what version of upnp Mikrotik uses? Portable PnP? the old Intel sdk?
The code is amazingly easy to read and it wouldn't be hard to implement an ip ban list or at-least a method to log requests.
Edit - Answered my own question, looks like libpnp is the libary but upnpd is the service. I am looking at that now, it might just be easyer to modify that since the project seems to be dead for the last few years.
Been looking though the code, does anyone know what version of upnp Mikrotik uses? Portable PnP? the old Intel sdk?
The code is amazingly easy to read and it wouldn't be hard to implement an ip ban list or at-least a method to log requests.
Edit - Answered my own question, looks like libpnp is the libary but upnpd is the service. I am looking at that now, it might just be easyer to modify that since the project seems to be dead for the last few years.
Who is online
Users browsing this forum: No registered users and 59 guests