Netgate Discussion Forum

UPnP as a possible future option?

Firewalling, 10 posts, 7 posters, 4.9k views
    ZPrime, last edited Nov 30, 2005, 6:22 AM

    I know that many people frown upon UPnP, and I agree that it has no place in a corporate setting.  However, in a home environment, it can be incredibly useful.  Are there any plans to add a UPnP daemon (with an easy on/off switch) to pfSense in the future?

      hoba, last edited Nov 30, 2005, 7:40 AM

      We had a package that provided UPnP support but it didn't work very well if at all. UPnP is in my opinion one of the worst things to have on a network and this is something that never will make it in the basesystem for sure. If someone contributes a working package we'll possibly see it but none of the devs will spend time on getting it going I think unless it's committed ready to be used  ;)

        Phobia, last edited Dec 1, 2005, 4:21 AM

        What about Port Triggering?  Would that be possible?

        – Phob

          sullrich, last edited Dec 1, 2005, 6:09 PM

          @Phobia:

          What about Port Triggering?  Would that be possible?

          – Phob

          Port triggering?  You mean port knocking?

            Phobia, last edited Dec 1, 2005, 7:05 PM

            Maybe "port triggering" is not a standard term… in other "hardware" routers, like ones from Linksys, it is possible for the router to detect when a particular pre-defined port is in use, then forward additional ports dynamically to the IP address on the LAN which made the initial request on that port.  It is especially useful with various instant messenger programs like ICQ or MSN which establish an outgoing connection on a port, but then need incoming ports opened to them for things like file transfers and voice/video communications.

            Basically, it is a feature that would allow quite a lot of the functionality of a UPNP setup, but which seems to be more secure in nature as PT can do no more than what the pre-defined rules have laid out, as opposed to UPNP which can open whatever ports a program requests.  It allows the end user a more transparent experience as they don't have to change the port forwards every time they change PCs.  It also has the added security benefit of not having lots of ranges of ports forwarded at all times as they are only active after they have been "triggered" by a request on the LAN from the specific pre-assigned port.

            In case that explanation was unclear, an example :

            1. MSN Messenger establishes its initial connection on port 1863 from LAN PC @ 192.168.1.25
            2. pfSense listens for this connection and is "triggered" into action automatically forwarding the following ports to 192.168.1.25 :
            TCP : 6891-6901 and UDP : 2001-2120, 6801, and 6901
            3. pfSense checks every so often to see if there is still traffic from these ports and when it no longer detects traffic, automatically stops the port forwards and resets to its un-triggered state.

            Obviously this is just an example, and I used ports listed for that application, but this would be applicable to any application with diverse port requirements.  The only shortcoming is that only 1 user would be able to make use of each triggered application at a time as those ports would already be triggered elsewhere, until they were done.

            Is this the same thing as port knocking? I thought port knocking had something to do with the WAN side, but perhaps I'm wrong?  I downloaded doorman and took a look but it doesn't seem to be what I'm talking about as there seems to only be 1 "special" port being listened to... but I really don't know this feature, so perhaps I'm looking at it incorrectly.

            At any rate, I'm not sure if I've explained what it is I think Port Triggering is, but I hope I have.

            Thanks!

            -- Phob

              sullrich, last edited Dec 1, 2005, 7:07 PM
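The trigger/forward/expire cycle Phobia lays out above, written out as a small state machine. This is an added example, not code from the thread, from pfSense or from any router firmware. It assumes a LAN of 192.168.1.0/24, a WAN interface named em0 and a 300 second idle timeout (none of which the post specifies), and the pf `rdr` lines it renders model what an implementation would load into a pf anchor when a rule is triggered and flush when it expires. The event sequence in `demo()` is constructed for illustration.

```python
"""Port triggering as a state machine: an outbound connection from a LAN host to a
trigger port arms a fixed set of inbound forwards to that host; traffic on those
ports keeps the trigger alive; idleness tears it down again.

Added example (not pfSense code). Assumed: LAN 192.168.1.0/24, WAN interface em0,
300 s idle timeout; the rendered pf 'rdr' lines are what an anchor would hold.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class TriggerRule:
    name: str
    trigger_proto: str      # protocol of the outbound connection that arms the rule
    trigger_port: int       # destination port of that connection
    forwards: tuple         # ((proto, low_port, high_port), ...) opened inbound when armed
    idle_timeout: float     # seconds without traffic before the forwards are torn down


@dataclass
class ActiveTrigger:
    rule: TriggerRule
    lan_host: str           # the single LAN host that currently owns the forwards
    last_seen: float


class PortTriggerEngine:
    def __init__(self, rules, lan_net="192.168.1.0/24", wan_if="em0"):
        self.rules = {(r.trigger_proto, r.trigger_port): r for r in rules}
        self.lan_net = ipaddress.ip_network(lan_net)
        self.wan_if = wan_if
        self.active = {}    # rule name -> ActiveTrigger

    def outbound(self, now, proto, src_ip, dst_port):
        """A LAN host opened (proto, dst_port). Arm the matching rule for that host.
        Returns the rule name if armed or refreshed, else None."""
        rule = self.rules.get((proto, dst_port))
        if rule is None:
            return None
        # Only LAN-side sources may arm a trigger; nothing arriving from any other
        # address may ever open a forward.
        if ipaddress.ip_address(src_ip) not in self.lan_net:
            return None
        cur = self.active.get(rule.name)
        if cur is not None and cur.lan_host != src_ip:
            return None     # already owned by another host: one user per rule at a time
        self.active[rule.name] = ActiveTrigger(rule, src_ip, now)
        return rule.name

    def inbound(self, now, proto, dst_port):
        """Inbound WAN packet to (proto, dst_port): return the LAN host it is
        forwarded to, or None if no armed rule covers that port."""
        for act in self.active.values():
            for fproto, lo, hi in act.rule.forwards:
                if fproto == proto and lo <= dst_port <= hi:
                    act.last_seen = now     # traffic keeps the trigger alive
                    return act.lan_host
        return None

    def expire(self, now):
        """Tear down triggers idle past their timeout; return their names."""
        gone = [n for n, a in self.active.items()
                if now - a.last_seen > a.rule.idle_timeout]
        for n in gone:
            del self.active[n]
        return gone

    def pf_rules(self):
        """Render the rdr rules currently in force (the contents of the anchor)."""
        lines = []
        for act in self.active.values():
            for proto, lo, hi in act.rule.forwards:
                ports = str(lo) if lo == hi else f"{lo}:{hi}"
                lines.append(f"rdr pass on {self.wan_if} proto {proto} "
                             f"from any to ({self.wan_if}) port {ports} -> {act.lan_host}")
        return lines


# The MSN Messenger example from the post: trigger on TCP 1863, then forward
# TCP 6891-6901 and UDP 2001-2120, 6801, 6901 to the triggering host.
MSN = TriggerRule("msn", "tcp", 1863,
                  (("tcp", 6891, 6901), ("udp", 2001, 2120),
                   ("udp", 6801, 6801), ("udp", 6901, 6901)),
                  idle_timeout=300)


def demo():
    """Walk the rule through one cycle with a constructed event sequence."""
    eng = PortTriggerEngine([MSN])
    r = {}
    r["before"] = eng.inbound(0, "tcp", 6891)                         # None: nothing armed yet
    r["armed"] = eng.outbound(10, "tcp", "192.168.1.25", 1863)        # "msn"
    r["tcp_fwd"] = eng.inbound(20, "tcp", 6895)                       # "192.168.1.25"
    r["udp_fwd"] = eng.inbound(21, "udp", 6801)                       # "192.168.1.25"
    r["outside_rule"] = eng.inbound(22, "tcp", 7000)                  # None: port not in the rule
    r["second_host"] = eng.outbound(30, "tcp", "192.168.1.30", 1863)  # None: rule is taken
    r["wan_source"] = eng.outbound(31, "tcp", "203.0.113.5", 1863)    # None: not a LAN host
    r["rules"] = eng.pf_rules()                                       # four rdr lines
    r["expired_early"] = eng.expire(100)                              # []: last traffic at t=21
    r["expired"] = eng.expire(400)                                    # ["msn"]
    r["after"] = eng.inbound(401, "tcp", 6895)                        # None: torn down
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things to notice. First, the forwards are bounded by the rule, so even a hostile LAN process that deliberately connects to port 1863 can only ever open the four listed ranges to its own address, which is the contrast with UPnP that the post draws. Second, the one-owner check is what produces the "only 1 user at a time" limitation the post mentions: a second host hitting the trigger port is refused until the first host's forwards expire.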

              Okay, now I see what you're speaking of.  This isn't really possible now but there is something that I have come across recently that would.  It's called the Dynamic Firewall Daemon (DFD)

              More information can be found here:
                http://www.lightconsulting.com/~travis/dfd/

              This is a candidate for a pfSense package.  Anyone wanna step up to the plate and create one?

                billm, last edited Dec 3, 2005, 11:57 PM

                DFD uses Python btw so expect some fun with the port :)

                –Bill

                pfSense core developer
                blog - http://www.ucsecurity.com/
                twitter - billmarquette

                  strgout, last edited Dec 21, 2005, 4:32 AM

                  Wow check this out, I joked about making a sh!t.lst license once. Well this guy already has.

                  "http://www.lightconsulting.com/~travis/dfd/dfd_keeper/dfd_keeper/dfd_keeper.py"

                  "If I applied for a job at your company and you did
                  not hire me, you will not receive permission. "

                  hahahahaha

                  '
                  Dynamic Firewall Daemon (dfd)
                  python/pf implementation (a/k/a the bridge keeper)

                  The dynamic firewall daemon sets up and maintains your packet filter.

                  Note that using this means you don't have to remember what order the
                  pf rules must be in; it takes care of that for you.

                  TODO: Consider factoring out code common with dfd_tbk.

                  For more information:
                  http://www.lightconsulting.com/~travis/dfd/

                  Copyright 2005 solinym@gmail.com

                  Free for non-commercial use.  Contact the author for commercial inquiries.
                  Commercial entities must have explicit written permission from the author
                  to use this software.  If I applied for a job at your company and you did
                  not hire me, you will not receive permission.  Cash bounty awarded to any
                  whistleblowers whose information leads to successful prosecution or
                  settlement.  Derivative works must not change these terms.
                  '

                    Guest, last edited Dec 27, 2005, 6:01 PM

                    DFD is really cool but the license sucks horribly and the idea of putting Python on the firewall along with perl (which many of the packages will probably require) gives me the heebie jeebies.  If it were carefully ported to C and the license was modified to something at least paying lip service to reality, then it would be excellent to have in pfSense.

                      sullrich, last edited Jan 12, 2007, 5:48 AM

                      UPNP is now a package on pfSense.  I am updating this thread because it seems to appear in searches.

                      Search for more active upnp threads, they are around.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.