-
Notifications
You must be signed in to change notification settings - Fork 363
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
miniupnpd: fw3 integration places MINIUPNPD chain at the top #286
Comments
Did you have any thoughts on how to attack this problem? |
@ldir-EDB0 other than fixing the code so that the MINIUPNPD chain ends at the bottom? No 😛 As far as I'm concerned this is a security issue and I'm surprised nobody seems to care... |
I understand your concern ;-) jow & I are looking at it. |
So what's the downside of adding the hooks at the end of the chains? |
It complicates the ruleset even further, causes increased cpu usage and this particular issue can be solved without adding extra hooks. |
"So what's the downside of adding the hooks at the end of the chains?" I take it you mean putting the user pre_routing_wan rule at the end of the chain? Yes if fw3 added a user 'penultimate' before its generate DNAT rule then miniupnpd could live there, but that requires a change to fw3 and all of jow's comments apply. |
This was addressed by openwrt/packages#6001 |
Haven't tested the updated package but I'll take your word that it solves this issue 😉 |
Import miniupnpd from routing repo and bump to 20180422. Drop 102-ipv6-ext-port.patch as this looks upstreamed in the pinhole code to me. Consolidate all other patches & update with a view to sending upstream. Add support for runtime IGDv1 mode switch (default to IGDv2) (not extensively) Tested-on: ar71xx Archer C7 v2 in IGDv1 compatibility mode. A variety of devices/applications appear to be able to create mappings. Have an attempt at resolving openwrt/routing#286 TL;DR miniupnpd rules get processed before fw3 rules and thus can override existing/intended redirects. Ideally the miniupnpd rules would be last in the relevant chains, unfortunately fw3 can sometimes use the last rule as a REJECT. Put miniupnpd rules as penultimate. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
As illustrated below, the miniupnpd firewall3 integration brings the MINIUPNPD chains at the very top of the parent chain (for prerouting, postrouting and forward).
This has the potential of enabling UPnP clients to override locally set port redirections, as illustrated in the following example (for prerouting).
I believe the local port redirections should always have priority and MINIUPNPD chains always be last, as also evidenced by the "iptables_init.sh" script provided by miniupnpd upstream which appends (
-A
) these chains instead of inserting them at the top (-I 1
).HTH
The text was updated successfully, but these errors were encountered: