UPnP as a possible future option?

ZPrime · Nov 30, 2005, 6:22 AM

I know that many people frown upon UPnP, and I agree that it has no place in a corporate setting. However, in a home environment, it can be incredibly useful. Are there any plans to add a UPnP daemon (with an easy on/off switch) to pfSense in the future?

hoba · Nov 30, 2005, 7:40 AM

We had a package that provided UPnP support but it didn't work very well if at all. UPnP is in my opinion one of the worst things to have on a network and this is something that never will make it in the basesystem for sure. If someone contributes a working package we'll possibly see it but none of the devs will spend time on getting it going I think unless it's commited ready to be used ;)

Phobia · Dec 1, 2005, 4:21 AM

What about Port Triggering? Would that be possible?

– Phob

sullrich · Dec 1, 2005, 6:09 PM

@Phobia:

What about Port Triggering? Would that be possible?

– Phob

Port triggering? You mean port knocking?

Phobia · Dec 1, 2005, 7:05 PM

Maybe "port triggering" is not a standard term… in other "hardware" routers, like ones from Linksys, it is possible for the router to detect when a particular pre-defined port is in use, then forward additional ports dynamically to the IP address on the LAN which made the initial request on that port. It is especially useful with various instant messenger programs like ICQ or MSN which establish an outgoing connection on a port, but then need incoming ports opened to them for things like file transfers and voice/video communications.

Basically, it is a feature that would allow quite a lot of the functionality of a UPNP setup, but which seems to be more secure in nature as PT can do no more than what the pre-defined rules have laid out, as opposed to UPNP which can open whatever ports a program requests. It allows the end user a more transparent experience as they don't have to change the port forwards every time they change PCs. It also has the added security benefit of not having lots of ranges of ports forwarded at all times as they are only active after they have been "triggered" by a request on the LAN from the specific pre-assigned port.

In case that explanation was unclear, an example :

1. MSN Messenger establishes its initial connection on port 1863 from LAN PC @ 192.168.1.25
2. pfSense listens for this connection and is "triggered" into action automatically forwarding the following ports to 192.168.1.25 :
TCP : 6891-6901 and UDP : 2001-2120, 6801, and 6901
3. pfSense checks every so often to see if there is still traffic from these ports and when it no longer detects traffic, automatically stops the port forwards and resets to its un-triggered state.

Obviously this is just an example, and I used ports listed for that application, but this would be applicable any application with diverse port requirements. The only shortcoming is that only 1 user would be able to make use of each triggered application at a time as those ports would already be triggered elsewhere, until they were done.

Is this the same thing as port knocking? I thought port knocking had something to do with the WAN side, but perhaps I'm wrong? I downloaded doorman and took a look but it doesn't seem to be what I'm talking about as there seems to only be 1 "special" port being listened to... but I really don't know this feature, so perhaps I'm looking at it incorrectly.

At any rate, I'm not sure if I've explained what it is I think Port Triggering is, but I hope I have.

Thanks!

-- Phob

sullrich · Dec 1, 2005, 7:07 PM

Okay, now I see what your speaking of. This isn't really possible now but there is something that I have come across recently that would. Its called the Dynamic Firewall Daemon (DFD)

More information can be found here:
http://www.lightconsulting.com/~travis/dfd/

This is a candiate for a pfSense package. Anyone wanna step up to the plate and create one?

billm · Dec 3, 2005, 11:57 PM

DFD uses Python btw so expect some fun with the port :)

–Bill

strgout · Dec 21, 2005, 4:32 AM

Wow check this out, i joked about making a sh!t.lst license once. Well this guys already has.

"http://www.lightconsulting.com/~travis/dfd/dfd_keeper/dfd_keeper/dfd_keeper.py"

"If I applied for a job at your company and you did
not hire me, you will not receive permission. "

hahahahaha

'
Dynamic Firewall Daemon (dfd)
python/pf implementation (a/k/a the bridge keeper)

The dynamic firewall daemon sets up and maintains your packet filter.

Note that using this means you don't have to remember what order the
pf rules must be in; it takes care of that for you.

TODO: Consider factoring out code common with dfd_tbk.

For more information:
<url:http: www.lightconsulting.com="" ~travis="" dfd="">Copyright 2005 solinym@gmail.com

Free for non-commercial use. Contact the author for commercial inquiries.
Commercial entities must have explicit written permission from the author
to use this software. If I applied for a job at your company and you did
not hire me, you will not receive permission. Cash bounty awarded to any
whistleblowers whose information leads to successful prosecution or
settlement. Derivative works must not change these terms.
'</url:http:>

Guest · Dec 27, 2005, 6:01 PM

DFD is really cool but the license sucks horribly and the idea of putting Python on the firewall along with perl (which many of the packages will probably require) gives me the heebie jeebies. If it were carefully ported to C and the license was modified to something at least paying lip service to reality, then it would be excellent to have in pfSense.

sullrich · Jan 12, 2007, 5:48 AM

UPNP is now a package on pfSense. I am updating this thread because it seems to appear in searches.

Search for more active upnp threads, they are around.