i.e. an application on an internal client machine needs access to ports for data coming in from the internet, so the firewall (Astaro) needs to open them dynamically.
I haven't installed Astaro yet, so if that is possible via some rules, then what are they?
Look, it's pretty simple. I need software or devices to be able to open ports on Astaro (i.e. "control" it) so that packets that will be coming from outside the firewall can get in [:)]
It doesn't matter who's initialising the transfer, as long as the client inside the firewall knows about it and can open the ports. Obviously, you wouldn't have it so the UPnP service was available to the internet, which I don't even know if that's possible anyway.
Look, all I am asking is whether the functionality of UPnP is available in Astaro, by the name of UPnP, or some sort of NAT rules or whatever. I don't claim to know what I'm talking about, but I think the answer can be a simple "yes" or "no", or "I don't know".
Sometimes solutions are not packaged as pretty as you would like them, but there are ways to get things to work; hence my questions to figure out if there is a way to make this work, without compromising security.
Your first stumbling block to doing UPNP through the firewall is that the firewall presently will not pass multicasts (required by the UPNP protocol). So you would have to add iptables commands to a script file to permit multicast forwarding. I am guessing this would be for doing UPNP from your LAN to your DMZ, and not the Internet? Some security people would have an issue even opening up that much of a hole in your firewall.
If you just want Astaro to participate in UPNP on your LAN, no way Jose. If this is what you wanted, just curious: why would you need it? Why not let the Windows devices on your LAN just UPNP amongst themselves?
uPNP would be a great feature. I have requested it previously but I am doubtful it will be implemented anytime soon [:(]
Things like MSN use uPNP to communicate.
Yes MSN is lame, but it saves us $100's on phone bills to our overseas offices. (Using voice chat etc) I have implemented this by setting up VPN links. However it would be even better if our customers could use MSN as well to talk to us.
I have a few concerns about uPNP's security but have not heard of uPNP getting hacked yet.
If you look on Sourceforge there are a few uPNP projects.
Astaro staff: Any news on uPNP being implemented as an option ??
I'm used to UPNP for printers. For VOIP I think SIP (an Asterisk proxy??) is the way to go (well, it's a standard we've all agreed on...).
Rather than knuckling under to the MSN behemoth, I think they should provide a SIP gateway, or the aftermarket should for a tad of remuneration.
I'm not averse to Astaro handling UPNP, but I definitely think it's nothing for them to get a technological inferiority complex about.
The problem with allowing MSN Messenger in is even if they use a proxy from Sourceforge and handle the ports right, it is conducive to content transfer (files and whatnot) that plays havoc with a site's security. If I'm not mistaken, there is an MSN messenger virus starting to rage as we now correspond.
The impression I'm getting is that messaging software is so hairy and ever-changing, I think it needs a company dedicated to focus their efforts on it in order to do a good job (like Akonix; though Zone has just introduced a companion product to secure messaging, and they were acquired by Checkpoint - something to consider...).
If they were to encourage a messenger security product to snap in to their product, that could be a way to get it online fast; or they may prefer to go it alone due to other logistical considerations...
I agree that the UPNP is doable; what it then ushers in after it is operational can be troubling. Though I hear you about keeping your customers happy...
Microsoft SHOULD implement SIP, but I somehow doubt they will, they seem to be in love with uPNP which I personally think should never have seen the light of day.
MSN the way it is implemented is just crazy, they should fix the ports it uses rather than dynamically allocating ports on the fly.
I just wish MSN wasn't so widely used.
A uPNP *option* on Astaro would be nice though I think. Maybe one day MS will write MSN to use SIP.... Not holding my breath.
Ok, sorry for being rude. I just wanted a sort of straight answer, instead of stuff I don't understand.
And I did do a search on these forums before I posted, I always do ... sorry for that too, dunno what happened there.
For all those people in the other post who said UPnP is nasty, and Astaro shouldn't support it: I can't seem to find a project similar to Astaro that has everything. Smoothwall has UPnP for Windows XP users, but it's lacking the advanced usability of Astaro. IMHO, the idea of a good project is to keep focused on your goal, while trying to please as many people as possible. While UPnP may be a security risk at times, if you don't want it, you can just disable it. It's quite simple. If Astaro ever did support UPnP, it's not like the feature would be forced upon all users ... and if people don't like the idea of having ANY security vulnerabilities at all, then Astaro could come with the feature disabled by default.
I am yet to find a project that has it all. Astaro is probably the best I have come across so far, but for the use I need ... Smoothwall would easily suit me better at the moment. I would rather sacrifice some nifty features at the expense of UPnP support -- that's what it means to me, and whether or not Astaro will have UPnP support in the future, is a measure of what the customers mean to this company.