UPnP - How it works and security risks



  • Hi All,

    With your experience and know how you can certainly help me.

    My question is like the subject: How does UPnP works and what security risks can I expect.

    This question comes because I have some Mac users that can't use iChat AV to work and maybe UPnP can resolve this, but I'm not sure if I should activate UPnP in my pfSense box that is in production in our corporate network.

    Pleas advise me.

    Thanks in advance.

    Regards,

    Joao



  • Actually, iChat AV does not use uPNP.  To a first approximation, it is doing STUN to open up ports for your iChat AV video and audio sessions.  Unfortunately, pfSense scrambles source ports outbound (and I'm still not entirely sure what purpose that solves, aside from closing the admittedly very tiny security hole that STUN poses).

    Anyway, the way to fix this is not super-intuitive.  There's a bit of a howto here:

    http://doc.pfsense.org/index.php/Static_Port

    -Rob



  • Hi Rob,

    Thank you very much for your prompt reply.

    I tried the suggested at the docs but the Mac clients are still stucked, now with a different error.

    Would m0n0wall be a option here or maybe some more tricking?

    Thanks again,

    Joao



  • I've tried m0n0wall and I like pfSense better.

    What error are you seeing exactly, and are you running the very latest?  (rc4)

    -Rob



  • Also do I.

    The errors that I received are at iChat, first it gived error -8, after the modification you suggested it gived error -7.

    The problem that I discovered is that after doing this mod my captive portal stopped working normally, don't know why, after authentication the client didn't load the page it requested.

    For know I will leave this like it was before.

    But if you have more clues or a different suggestion… I'll test ASAP.

    Cheers,

    Joao



  • Where's the other machine that you're trying to talk to with iChat AV?  Behind the same pfSense box?

    Just to be sure, you're trying to do some kind of audio or video chat and it's dying right?  I am not familiar with this "error 8" bit.

    Disclaimer here is that I've only tested this with Leopard…  Are you using something older?

    -r



  • Hi again Rob,

    It was Leopard and I made some tests with different connections but the last one both machines were probably behind pfsense.

    So probably not a good test.

    My only concerne was that this broke the captive portal, and i'm using pfSense mainly because of this service, also because I like it.

    I'll try to do another test, last time I was in a different city, so I'll do this test between the two cities and both behind pfSense.

    I'll report back ASAP.

    Anyway, thank you for your help, any more tips?

    Cheers,
    Joao



  • The search here is not turning up much definitive info…

    Is there a way to get ichat working behind pfsense?  I tried some manual port forwarding based on what was being shown as blocked in the logs, but no luck.  I see it does try to talk to the upnpd, but that does not seem to help.

    My end is pfsense, the other end is the Actiontec router that Verizon uses for FiOS customers.

    This works with an older Airport router and the same remote router.

    My main interest is the screen sharing feature, since it's so dumb-simple to use for doing support for relatives ("Hi, open ichat.  Yes, press the "Accept" button...").

    If there is some magic that works, it would make a great FAQ entry.



  • Not to hijack your thread but I am having the same issue.. I have posted my info here….
    http://forum.pfsense.org/index.php/topic,14501.0.html

    Have you fixed this issue yet?



  • I did this and now it works!!

    http://doc.pfsense.org/index.php/Static_Port


Log in to reply