ie. an application on a internal client machine needs access to ports for data coming in from the internet, so the firewall (Astaro) needs to open them dynamically.
I haven't installed Astaro yet, so if that is possible via some rules, then what are they ?
Look its pretty simple. I need software or devices to be able to open ports on Astaro (ie. "control" it) so that packets that will be coming from outside the firewall can get in [:)]
It doesn't matter who's initialising the transfer, as long is the client inside the firewall knows about it and can open the ports. Obviously, you wouldn't have it so the UPnP service was available to the internet which I don't even know if thats possible anyway.
Look all I am asking is whether the functionality of UPnP is available in Astaro, by the name of UPnP, or some sort of NAT rules or whatever. I don't claim to know what I'm talking about, but I think the answer can be a simple "yes" or "no", or "i don't know".
Sometimes solutions are not packaged as pretty as you would like them, but there are ways to get things to work; hence my questions to figure out if there is a way to make this work, without compromising security.
Your first stumbling block to doing UPNP through the firewall is that the firewall presently will not pass multicasts (required by the UPNP protocol). So you would have to add iptables commands to a script file to permit multicast forwarding. I am guessing this would be for doing UPNP from your LAN to your DMZ, and not the Internet? Some security people would have an issue even opening up that much of a hole in your firewall.
If you just want Astaro to participate in UPNP on your LAN, no way Jose. If this is what you wanted, just curious: why would you need it? Why not let the Windows devices on your LAN just UPNP amongst themselves?
uPNP would be a great feature. I have requested it previously but I am doubtful it will be implemented anytime soon [:(]
Things like MSN use uPNP to communicate.
Yes MSN is lame, but it saves us $100's on phone bills to our overseas offices. (Using voice chat etc) I have implemented this by setting up VPN links. However it would be even better if our customers could use MSN as well to talk to us.
I have a few concerns about uPNP's security but have not heard of uPNP getting hacked yet.
If you look on Sourceforge there are a few uPNP projects.
Astaro staff: Any news on uPNP being implemented as an option ??
I'm used to UPNP for printers. For VOIP I think SIP (an Asterisk proxy??) is the way to go (well, it's a standard we've all agreed on...).
Rather than knuckling under to the MSN behemouth, I think they should provide a SIP gateway, or the aftermarket should for a tad of remuneration.
I'm not averse to Astaro handling UPNP, but I definitely think it's nothing for them to get a technological inferiority complex about.
The problem with allowing MSN Messenger in is even if they use a proxy from Sourceforge and handle the ports right, it is conducive to content transfer (files and whatnot) that plays havoc with a site's security. If I'm not mistaken, there is an MSN messenger virus starting to rage as we now correspond.
The impression I'm getting is that messenging software is so hairy and ever-changing, I think it needs a company dedicated to focus their efforts on it in order to do a good job (like Akonix; though Zone has just introduced a companion product to secure messanging, and they were acquired by Checkpoint -something to consider...).
If they were to encourage a messenger security product to snap in to their product, that could be a way to get it online fast; or they may prefer to go it alone due to other logistical considerations...
I agree that the UPNP is doable; what it then ushers in after it is operational can be troubling. Though I hear you about keeping your customers happy...
