miniupnpd/miniupnpd.conf: add comments regarding security

comment values, to force people to configure themselves

miniupnpd/miniupnpd.conf

@@ -1,5 +1,5 @@
 # WAN network interface
-ext_ifname=eth1
+#ext_ifname=eth1
 #ext_ifname=xl1
 # if the WAN interface has several IP addresses, you
 # can specify the one to use below
@@ -15,10 +15,14 @@ ext_ifname=eth1
 # address associated with the subnet follows. for example :
 #  listening_ip=192.168.0.1/24 88.22.44.13
 #listening_ip=192.168.0.1/24
-listening_ip=192.168.10.109/24
+#listening_ip=10.5.0.0/16
 #listening_ip=eth0
+# CAUTION: mixing up WAN and LAN interfaces may introduce security risks!
+# be sure to assign the correct interfaces to LAN and WAN and consider
+# implementing UPnP permission rules at the bottom of this configuration file
+
 # port for HTTP (descriptions and SOAP) traffic. set 0 for autoselect.
-http_port=0
+#http_port=0
 # port for HTTPS. set to 0 for autoselect (default)
 #https_port=0
 
@@ -28,15 +32,16 @@ http_port=0
 #minissdpdsocket=/var/run/minissdpd.sock
 
 # enable NAT-PMP support (default is no)
-enable_natpmp=yes
+#enable_natpmp=yes
 
 # enable UPNP support (default is yes)
-enable_upnp=yes
+#enable_upnp=no
 
+# PCP :
 # configure minimal and maximal lifetime of the port mapping in seconds
 # 120s and 86400s (24h) are suggested values from PCP-base
-min_lifetime=120
-max_lifetime=86400
+#min_lifetime=120
+#max_lifetime=86400
 
 # chain names for netfilter (not used for pf or ipf).
 # default is MINIUPNPD for both
@@ -68,8 +73,9 @@ max_lifetime=86400
 #model_url=http://miniupnp.free.fr/
 
 # bitrates reported by daemon in bits per second
-bitrate_up=1000000
-bitrate_down=10000000
+# by default miniupnpd tries to get WAN interface speed
+#bitrate_up=1000000
+#bitrate_down=10000000
 
 # "secure" mode : when enabled, UPnP client are allowed to add mappings only
 # to their IP.
@@ -116,12 +122,12 @@ clean_ruleset_interval=600
 #quickrules=no
 
 # uuid : generate your own with "make genuuid"
-uuid=3d3cec3a-8cf0-11e0-98ee-001a6bd2d07b
+uuid=00000000-0000-0000-0000-000000000000
 
 # serial and model number the daemon will report to clients
 # in its XML description
-serial=12345678
-model_number=1
+#serial=12345678
+#model_number=1
 
 # UPnP permission rules
 # (allow|deny) (external port range) ip/mask (internal port range)
@@ -130,6 +136,11 @@ model_number=1
 # ip/mask format must be nn.nn.nn.nn/nn
 # it is advised to only allow redirection of port above 1024
 # and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
+# The following default ruleset allows specific LAN side IP addresses
+# to request only ephemeral ports. it is recommended that users
+# modify the IP ranges to match their own internal networks, and
+# also consider implementing network-specific restrictions
+# CAUTION: failure to enforce any rules may permit insecure requests to be made!
 allow 1024-65535 192.168.0.0/24 1024-65535
 allow 1024-65535 192.168.1.0/24 1024-65535
 allow 1024-65535 192.168.0.0/23 22