Skip to content
Permalink
Browse files

miniupnpd/miniupnpd.conf: add comments regarding security

comment values, to force people to configure themselves
  • Loading branch information...
miniupnp committed Oct 13, 2014
1 parent 17dabcc commit 82604ec5d0a12e87cb5326ac2a34acda9f83e837
Showing with 23 additions and 12 deletions.
  1. +23 −12 miniupnpd/miniupnpd.conf
@@ -1,5 +1,5 @@
# WAN network interface
ext_ifname=eth1
#ext_ifname=eth1
#ext_ifname=xl1
# if the WAN interface has several IP addresses, you
# can specify the one to use below
@@ -15,10 +15,14 @@ ext_ifname=eth1
# address associated with the subnet follows. for example :
# listening_ip=192.168.0.1/24 88.22.44.13
#listening_ip=192.168.0.1/24
listening_ip=192.168.10.109/24
#listening_ip=10.5.0.0/16
#listening_ip=eth0
# CAUTION: mixing up WAN and LAN interfaces may introduce security risks!
# be sure to assign the correct interfaces to LAN and WAN and consider
# implementing UPnP permission rules at the bottom of this configuration file

# port for HTTP (descriptions and SOAP) traffic. set 0 for autoselect.
http_port=0
#http_port=0
# port for HTTPS. set to 0 for autoselect (default)
#https_port=0

@@ -28,15 +32,16 @@ http_port=0
#minissdpdsocket=/var/run/minissdpd.sock

# enable NAT-PMP support (default is no)
enable_natpmp=yes
#enable_natpmp=yes

# enable UPNP support (default is yes)
enable_upnp=yes
#enable_upnp=no

# PCP :
# configure minimal and maximal lifetime of the port mapping in seconds
# 120s and 86400s (24h) are suggested values from PCP-base
min_lifetime=120
max_lifetime=86400
#min_lifetime=120
#max_lifetime=86400

# chain names for netfilter (not used for pf or ipf).
# default is MINIUPNPD for both
@@ -68,8 +73,9 @@ max_lifetime=86400
#model_url=http://miniupnp.free.fr/

# bitrates reported by daemon in bits per second
bitrate_up=1000000
bitrate_down=10000000
# by default miniupnpd tries to get WAN interface speed
#bitrate_up=1000000
#bitrate_down=10000000

# "secure" mode : when enabled, UPnP client are allowed to add mappings only
# to their IP.
@@ -116,12 +122,12 @@ clean_ruleset_interval=600
#quickrules=no

# uuid : generate your own with "make genuuid"
uuid=3d3cec3a-8cf0-11e0-98ee-001a6bd2d07b
uuid=00000000-0000-0000-0000-000000000000

# serial and model number the daemon will report to clients
# in its XML description
serial=12345678
model_number=1
#serial=12345678
#model_number=1

# UPnP permission rules
# (allow|deny) (external port range) ip/mask (internal port range)
@@ -130,6 +136,11 @@ model_number=1
# ip/mask format must be nn.nn.nn.nn/nn
# it is advised to only allow redirection of port above 1024
# and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
# The following default ruleset allows specific LAN side IP addresses
# to request only ephemeral ports. it is recommended that users
# modify the IP ranges to match their own internal networks, and
# also consider implementing network-specific restrictions
# CAUTION: failure to enforce any rules may permit insecure requests to be made!
allow 1024-65535 192.168.0.0/24 1024-65535
allow 1024-65535 192.168.1.0/24 1024-65535
allow 1024-65535 192.168.0.0/23 22

0 comments on commit 82604ec

Please sign in to comment.
You can’t perform that action at this time.