Do UPnP rules not expire?

stephenw10

@Wolf666 said in Do UPnP rules not expire?:

Tested after I removed manually the states:

Like you just deleted the firewall states in Diag > States?

Wolf666

@stephenw10
No, I just manually cleared the mapped ports from UPnP status page. I used wrong wording.

stephenw10

Hmm, it's odd that it doesn't show a session time for the port forward. Does it ever show a time? If you check just after it's been opened?

Does the error in the log appear after, say, 1 hr?

Wolf666

@stephenw10
Just clear all mapped ports while PS% was on, started to play Destiny:

PS C:\upnpc> ./upnpc-static -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2022 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.1.10:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.1.10:2189/ctl/IPConn
Local LAN ip address : 192.168.1.81
Connection Type : IP_Routed
Status : Connected, uptime=76s, LastConnectionError : ERROR_NONE
  Time started : Mon Dec 23 18:09:32 2024
MaxBitRateDown : 1000000000 bps (1000.0 Mbps)   MaxBitRateUp 300000000 bps (300.0 Mbps)
ExternalIPAddress = 82.84.92.142
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  3074->192.168.1.50:3074  'DemonwarePortMapping' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
PS C:\upnpc>

Now I will close the game, switch off the PS5 and see what's going to happen in 1 hour.

stephenw10

Still shows 0 leasetime though. I'm not sure how it determines when to 'expire' it.

Wolf666

@stephenw10
In fact the mapped port 3074 is still there.
There is only 1 state active not related to upnp:

WAN	tcp	82.84.92.142:65206 (192.168.1.50:65206) -> 34.214.130.96:443	ESTABLISHED:ESTABLISHED	714 / 364	50 KiB / 32 KiB

I am not an IT expert and I really don’t have any further idea on this.

stephenw10

Do you still see the error in the upnp logs showing it failing to remove the forward though?

It looks like the forward is being opened without a leasetime and I'm unsure what should happen in that situation. I can create a similar lease manually by defining 0s specifically:

steve@steve-NUC9i9QNX:~$ upnpc -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://172.21.16.1:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://172.21.16.1:2189/ctl/IPConn
Local LAN ip address : 172.21.16.8
Connection Type : IP_Routed
Status : Connected, uptime=1291945s, LastConnectionError : ERROR_NONE
  Time started : Mon Dec  9 00:31:38 2024
MaxBitRateDown : 1000000000 bps (1000.0 Mbps)   MaxBitRateUp 1000000000 bps (1000.0 Mbps)
ExternalIPAddress = 45.89.45.8
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  8889->172.21.16.8:8889  'Test2' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)

I'll see what happens.

stephenw10

Also by omitting a lease time value.

I wonder if it should add a default and is not....

stephenw10

Mmm, this thread seems pretty revealing: https://miniupnp.tuxfamily.org/forum/viewtopic.php?p=5727#5727

Seems like the behaviour you're seeing is expected is the client opens forward with no lease time.

Wolf666

@stephenw10
Yes that forum thread explains the behavior. I cannot do anything except removing mapped port manually. From a security point of view the consoles have their own IP assigned so it is ok if the mapped port are there until I remove them manually. Only consoles have access to UPnP service with proper “allow” and IP, other IP are denied by default in the Service ACL.
Thanks for help and time.

stephenw10

Mmm, I tried added min and max lifetime options to the conf and it made absolutely no difference I could see!