UPnP mappings bypass firewall rules?



  • I know from experience that firewall rules generated by uPnP bypass the traffic shaper and get sent to the default queue.  However, I noticed that they also take precedence over firewall rules I created.  I tested this with an Xbox.  I made a rule blocking access to the server I was on to see if I could kick myself.  I made the rule, applied changes and reset states.  However, I was still connected to the server.  I checked the firewall log and the rule blocked only traffic that was not on the port mapped with uPnP (in this case 3074).  The rule syntax was OK because I substituted the address for a PC on my network and was able to block its access to the internet.  I also didn't notice any entries for the firewall rules created by uPnP on pfSense.  Are these rules hidden or something?  Am I understanding this correctly?



  • That's the point of using uPNP.

    http://en.wikipedia.org/wiki/Upnp#NAT_traversal

    /Urban



  • From what I understand, firewall and NAT are separate things.  uPnP deals with port mappings.  While port forwarding does need to let traffic through the firewall, the firewall can block whatever it wants regardless of whether or not a port is forwarded (or at least it should be able to).  I suspect it is related to the same issue that causes the traffic shaper to send uPnP traffic to default queue and that's why I mentioned it.

    Port forwarding is used globally and so if the firewall could not block certain specified traffic as the admin sees fit, I doubt that port forwarding would be used at all.



  • The point of using uPNP is that it opens a hole in your firewall to let traffic through, thus bypassing any settings made.

    UPnP is not recommended if you want a secure firewall.

    /Urban



  • The point of uPnP is to automatically add rules and NAT.  What you're seeing is just how it works.  It may be able to be done differently; patches accepted.



  • What you're seeing is just how it works.  It may be able to be done differently; patches accepted.

    This makes me feel better.  Thank you both for clearing that up.  I thought it was a problem with my config.

    Anyway how do I look at the source code for the uPnP package?  I've only had a couple semesters of programming so I doubt I'll be able to help much but at least it would be a fun experience for me.



  • Look in /usr/local/pkg on your box; you'll see miniupnpd.xml and miniupnpd.inc.  It probably has ties into /etc/inc/filter.inc too, but I'm not sure on that; I didn't look.



  • I also was unable to find records of upnp traffic in pftop either…  I didn't think it was possible to bypass pf.



  • @xcrustwadx:

    I also was unable to find records of upnp traffic in pftop either…  I didn't think it was possible to bypass pf.

    You aren't; the rules go into the upnp anchor, which is probably above your normal rules, hence the reason you can't override it.  I think we'd be willing to see a patch that moves it below user rules and doesn't regress anything ;)  In the meantime, I run upnp on ONLY a trusted interface with very little else on it (that poor Xbox is quite lonely, but it does have the Wii and my torrent machine for company at least).

    –Bill
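The ordering effect Bill describes, as an added example that is not part of the thread and not pfSense or miniupnpd code: a toy model of pf rule evaluation in which an anchor is spliced into the main ruleset at the point where it is referenced, rules are evaluated top to bottom, the last matching rule decides unless a matching rule is marked `quick`, which ends evaluation immediately. The anchor name `miniupnpd`, the addresses, the interface names and the rule text are all constructed for the demo (assumptions, not taken from the page). With the anchor above the user rules, a `quick pass` for UDP 3074 in the anchor wins before the admin's `block` is ever reached; the same `block` still catches traffic on any other port, which is exactly the symptom in the first post. Moving the anchor below the user rules lets the `block` win.

```python
"""Toy model of pf rule evaluation: anchors, ordering and 'quick'.

Added example, not code from pfSense or miniupnpd. Only three pf behaviours
are modelled:
  * rules are evaluated top to bottom and the LAST matching rule decides,
  * unless a matching rule carries 'quick', which ends evaluation at once,
  * an 'anchor "NAME"' line is a named sub-ruleset spliced in at that point.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str       # interface name, e.g. "wan"
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    anchor: str                 # "" for the main ruleset, else the anchor name
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out"
    quick: bool
    iface: Optional[str]        # None means any interface
    proto: Optional[str]        # None means any protocol
    src: Optional[str]          # None means "any"
    dst: Optional[str]
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.iface in (None, p.iface)
                and self.proto in (None, p.proto)
                and self.src in (None, p.src)
                and self.dst in (None, p.dst)
                and self.dport in (None, p.dport))


def parse_rule(text: str, anchor: str = "") -> Rule:
    """Parse a small subset of pf syntax:
    <pass|block> <in|out> [quick] [on IFACE] [proto PROTO] from SRC to DST [port N]
    """
    tok = text.split()
    action, direction = tok[0], tok[1]
    if action not in ("pass", "block") or direction not in ("in", "out"):
        raise ValueError(f"unsupported rule: {text}")
    quick, iface, proto, src, dst, dport = False, None, None, None, None, None
    i = 2
    while i < len(tok):
        w = tok[i]
        if w == "quick":
            quick, i = True, i + 1
        elif w == "on":
            iface, i = tok[i + 1], i + 2
        elif w == "proto":
            proto, i = tok[i + 1], i + 2
        elif w == "from":
            src, i = (None if tok[i + 1] == "any" else tok[i + 1]), i + 2
        elif w == "to":
            dst, i = (None if tok[i + 1] == "any" else tok[i + 1]), i + 2
        elif w == "port":
            dport, i = int(tok[i + 1]), i + 2
        else:
            raise ValueError(f"unsupported token {w!r} in rule: {text}")
    return Rule(anchor, action, direction, quick, iface, proto, src, dst, dport)


def build_ruleset(main: list, anchors: dict) -> list:
    """Expand every 'anchor "NAME"' line in the main ruleset by splicing in
    that anchor's rules at that position, which is where pf evaluates them."""
    out = []
    for line in main:
        if line.startswith("anchor "):
            name = line.split()[1].strip('"')
            out.extend(parse_rule(r, anchor=name) for r in anchors.get(name, []))
        else:
            out.append(parse_rule(line))
    return out


def evaluate(ruleset: list, pkt: Packet):
    """Return (verdict, deciding_rule). pf's default when nothing matches is
    'pass'; pfSense's own implicit block-all is deliberately left out here."""
    last = None
    for r in ruleset:
        if r.matches(pkt):
            last = r
            if r.quick:
                break
    return (last.action if last else "pass"), last


# Constructed demo data: an Xbox at 192.168.1.20 on the LAN, a UPnP mapping
# for UDP 3074 living in the (assumed) "miniupnpd" anchor, and an admin rule
# on WAN that tries to block all inbound UDP to the Xbox.
ANCHORS = {"miniupnpd": [
    "pass in quick on wan proto udp from any to 192.168.1.20 port 3074"]}
ADMIN_RULE = "block in quick on wan proto udp from any to 192.168.1.20"

ANCHOR_ABOVE = ['anchor "miniupnpd"', ADMIN_RULE]   # what the thread describes
ANCHOR_BELOW = [ADMIN_RULE, 'anchor "miniupnpd"']   # the patch Bill would accept

GAME_PKT = Packet("in", "wan", "udp", "198.51.100.7", "192.168.1.20", 3074)
OTHER_PKT = Packet("in", "wan", "udp", "198.51.100.7", "192.168.1.20", 3075)


def verdict(main: list, pkt: Packet):
    """Verdict for pkt plus where the deciding rule lives (anchor or main)."""
    action, rule = evaluate(build_ruleset(main, ANCHORS), pkt)
    where = f'anchor "{rule.anchor}"' if rule and rule.anchor else "main ruleset"
    return action, where


if __name__ == "__main__":
    for label, main in (("anchor above user rules", ANCHOR_ABOVE),
                        ("anchor below user rules", ANCHOR_BELOW)):
        print(label)
        for pkt in (GAME_PKT, OTHER_PKT):
            print(f"  udp/{pkt.dport}: {verdict(main, pkt)}")
```

On a real pfSense box the anchor contents are not shown by a plain `pfctl -sr`, which only lists the `anchor` reference line; `pfctl -a miniupnpd -sr` (and `-sn` for the NAT side) lists what the daemon put in the anchor, assuming it uses its default anchor name. That is why the UPnP rules look hidden from the GUI and from pftop's rule view while still deciding the traffic.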

