ie. an application on a internal client machine needs access to ports for data coming in from the internet, so the firewall (Astaro) needs to open them dynamically.
I haven't installed Astaro yet, so if that is possible via some rules, then what are they ?
Look its pretty simple. I need software or devices to be able to open ports on Astaro (ie. "control" it) so that packets that will be coming from outside the firewall can get in [:)]
It doesn't matter who's initialising the transfer, as long is the client inside the firewall knows about it and can open the ports. Obviously, you wouldn't have it so the UPnP service was available to the internet which I don't even know if thats possible anyway.
Look all I am asking is whether the functionality of UPnP is available in Astaro, by the name of UPnP, or some sort of NAT rules or whatever. I don't claim to know what I'm talking about, but I think the answer can be a simple "yes" or "no", or "i don't know".
Sometimes solutions are not packaged as pretty as you would like them, but there are ways to get things to work; hence my questions to figure out if there is a way to make this work, without compromising security.
Your first stumbling block to doing UPNP through the firewall is that the firewall presently will not pass multicasts (required by the UPNP protocol). So you would have to add iptables commands to a script file to permit multicast forwarding. I am guessing this would be for doing UPNP from your LAN to your DMZ, and not the Internet? Some security people would have an issue even opening up that much of a hole in your firewall.
If you just want Astaro to participate in UPNP on your LAN, no way Jose. If this is what you wanted, just curious: why would you need it? Why not let the Windows devices on your LAN just UPNP amongst themselves?
uPNP would be a great feature. I have requested it previously but I am doubtful it will be implemented anytime soon [:(]
Things like MSN use uPNP to communicate.
Yes MSN is lame, but it saves us $100's on phone bills to our overseas offices. (Using voice chat etc) I have implemented this by setting up VPN links. However it would be even better if our customers could use MSN as well to talk to us.
I have a few concerns about uPNP's security but have not heard of uPNP getting hacked yet.
If you look on Sourceforge there are a few uPNP projects.
Astaro staff: Any news on uPNP being implemented as an option ??
I'm used to UPNP for printers. For VOIP I think SIP (an Asterisk proxy??) is the way to go (well, it's a standard we've all agreed on...).
Rather than knuckling under to the MSN behemouth, I think they should provide a SIP gateway, or the aftermarket should for a tad of remuneration.
I'm not averse to Astaro handling UPNP, but I definitely think it's nothing for them to get a technological inferiority complex about.
The problem with allowing MSN Messenger in is even if they use a proxy from Sourceforge and handle the ports right, it is conducive to content transfer (files and whatnot) that plays havoc with a site's security. If I'm not mistaken, there is an MSN messenger virus starting to rage as we now correspond.
The impression I'm getting is that messenging software is so hairy and ever-changing, I think it needs a company dedicated to focus their efforts on it in order to do a good job (like Akonix; though Zone has just introduced a companion product to secure messanging, and they were acquired by Checkpoint -something to consider...).
If they were to encourage a messenger security product to snap in to their product, that could be a way to get it online fast; or they may prefer to go it alone due to other logistical considerations...
I agree that the UPNP is doable; what it then ushers in after it is operational can be troubling. Though I hear you about keeping your customers happy...
I'm used to UPNP for printers. For VOIP I think SIP (an Asterisk proxy??) is the way to go (well, it's a standard we've all agreed on...).
Rather than knuckling under to the MSN behemouth, I think they should provide a SIP gateway, or the aftermarket should for a tad of remuneration.
I'm not averse to Astaro handling UPNP, but I definitely think it's nothing for them to get a technological inferiority complex about.
The problem with allowing MSN Messenger in is even if they use a proxy from Sourceforge and handle the ports right, it is conducive to content transfer (files and whatnot) that plays havoc with a site's security. If I'm not mistaken, there is an MSN messenger virus starting to rage as we now correspond.
The impression I'm getting is that messenging software is so hairy and ever-changing, I think it needs a company dedicated to focus their efforts on it in order to do a good job (like Akonix; though Zone has just introduced a companion product to secure messanging, and they were acquired by Checkpoint -something to consider...).
If they were to encourage a messenger security product to snap in to their product, that could be a way to get it online fast; or they may prefer to go it alone due to other logistical considerations...
I agree that the UPNP is doable; what it then ushers in after it is operational can be troubling. Though I hear you about keeping your customers happy...
Microsoft SHOULD implement SIP, but I somehow doubt they will, they seem to be in love with uPNP which I personally think should never have seen the light of day.
MSN the way it is implemented is just crazy, they should fix the ports it uses rather than dynamically allocating ports on the fly.
I just wish MSN wasnt so widely used.
a uPNP *option* on Astaro would be nice though I think. Maybe one day MS will write MSN to use SIP.... Not holding my breath.
Ok sorry for being rude. I just wanted a sort of straight answer, instead of stuff i don't understand
And I did do a search on these forums before i posted, i always do ... sorry for that too, dunno what happened there.
For all those people in the other post who said UPnP is nasty, and Astaro shouldn't support it: i can't seem to find a project similar to Astaro that has everything. Smoothwall has UPnP for Windows XP users, but its lacking the advanced usability of Astaro. IMHO, the idea of a good project is to keep focused on your goal, while trying to please as many people as possible. While UPnP may be a security risk at times, if you don't want it, you can just disable it. Its quite simple. If Astaro ever did support UPnP, its not like the feature would be forced upon all users ... and if people don't like the idea of have ANY security vulnerabilities at all, then Astaro could come with the feature disabled by default.
I am yet to find a project that has it all. Astaro is probably the best i have come across so far, but a for the use i need ... Smoothwall would easily suit me better at the moment. I would rather sacrafice some nifty features at the expense of UPnP support -- thats what it means to me, and whether or not Astaro will have UPnP support in the future, is a measure of what the customers mean to this company.
I think we all need to back up a little bit here, the question was (if i understood it corectly) if astaro was a uPNP gateway or not. The answer is no. As for allowing an applet to controll what can get through a firewall or not, that is a different and interesting discussion. A uPNP enabled gateway/firewall is not really that bad, if you where to allow spesific hosts on the inside to use uPNP to controll open ports to itself, its not like you are going to let users/computers/applets create rules that affect anything other then the "one" machine that wants open ports. And it is indeed better to open them only when needed. Also, many networks opens "some" services from the outside to get in to certain machines on the inside (even big corp networks do this). And you will allways have the posibility that a machine on the inside is compromised one way or the other (iow your inside network is compromised). uPNP will not make matters any worse IMO. I am running a uPNP enabled firewall (self built) that does a lot of things. My point is that security is allways evolving, there are allways new threats. Functionality and security does not allways mix very well.
So the question is: will Astaro do it?
That's for Astaro to answer.
If you're into Linux, add iptables commands to routes.local to accomodate multicasts being transferred; 5000 tcp, 1900 UDP. The multicasts are on the TCP stream (I think?).
I didn't take offense at your brusqueness, 'sb'; it sounded to me that you were being defensive and thought that I was putting you on the spot with my questions.
I was just asking to figure out a solution (Socratic method). I knew things would chill out once you saw we were really just trying to help you get a fix...
OK, I beleive I have a solution to the UPNP problem. Below are the details for getting the UPNPD service running on my ASL4 box. It still doesn't work however due to the problem mentioned at the bottom of this post, if anyone more experienced with ASL can help, please do!!!
1) Download http://www.fastflow.it/floppinux/bering/upnpd-0.92c.lrp 2) Rename to upnpd.tar.gz 3) scp to /tmp 4) ssh on, and su to root 5) move upnpd.tar.gz to /var/chroot-report/opt: mv /tmp/upnpd.tar.gz /var/chroot-report/opt 6) make a new directory called upnpd and ungztar upnpd: mkdir upnpd cd upnpd tar -xvzf ../upnpd.tar.gz 7) go into the newly created etc directory and copy the file myupnpd.conf to /etc: cd etc cp myupnpd.conf /etc 8) edit /etc/myupnpd.conf using your favourite editor and change the lines uprate and downrate to correctly reflect your upload and download speeds in KBits/s 9) copy the linuxigd directory to /etc: cp -R linuxigd /etc 10) enter the ../usr/sbin and copy upnpd to /usr/sbin: cd ../usr/sbin cp upnpd /usr/sbin 11) create a new file called unpnd in /sbin/init.d, containg the following script: Code:
#!/bin/bash # $Id: upnpd,v 1.00 2004/01/07 00:20:00 tom Exp $
case "$1" in start) echo ":: Starting $PNAME" ip route add 239.0.0.0/8 dev $INT_IF PID=`pidof $PROG` if [ ! -z "$PID" ] ; then echo " Already running" exit 0 fi $PROG $EXT_IF $INT_IF >/dev/null 2>&1 ;; stop) echo ":: Stopping $PNAME" PID=`pidof $PROG` if [ -z "$PID" ] ; then echo " Already stopped" exit 0 fi killall $PROG sleep 20 # This timeout is required to ensure all upnpd services have shut down ip route del 239.0.0.0/8 dev $INT_IF ;; restart) echo "Restarting UPNP: " sh $0 stop sh $0 start ;; *) echo 'Usage: /sbin/init.d/upnpd {start|stop|restart}' ret_code=1 ;; esac /sbin/init.d/retcode $ret_code exit $ret_code;
12) chmod 700 upnpd 13) in rc3.d create two symbolic links named S56upnpd and K56upnpd: cd rc3.d ln -s ../upnpd S56upnpd ln -s ../upnpd k56upnpd 14) create a symbolic link for iptables in /usr/sbin: cd /usr/sbin ln -s /usr/local/bin iptables 15) Create (or add to) the file /sbin/init.d/ipfilter.local and add the following lines Code:
Replacing the 10.10.10.0/24 with your internal network range, and 10.10.10.254/32 with the internal IP address of your ASL box. 16) Ensure that your packet filter rules are configured to allow the following: Internal_Interface -> Internal_Network__ TCP 5000 Allow Internal_Network__ -> 239.255.255.250/32 UDP 1900 Allow Internal_Network__ -> Internal_Interface__ TCP 2869 Allow Internal_Network__ -> Internal_Interface__ UDP 1900 Allow Internal_Interface -> Internal_Network__ All UDP Allow Internal_Interface -> 239.255.255.250/32 UDP 1900 Allow 17) Start UPNPD manually by running ./upnpd start 18) Check your Network Connections in XP, and hey presto the Ko-hitsuji Router has appeared. If it hasn't make sure that you have UPNP installed in XP, it doesn't come installed as standard. If all else fails, start to trawl through your packet filter logs to work out what's not working.
Right now we have a problem, on attempting to start a voice connection, the UPNPD service opens up the forwarding ports succesfully. Unfortunatley, the Astaro middleware kicks in and moves these to FIX_CONNTRACK as LOGDROP.
My suspicion is the rules are not being implemented from the interface as you expected; either that or the kernel requires a patch to support multicasting.
and post it here (keep the line lengths manageable). It would be helpful if you embellished the iptables output with comments indicating which rules(s) are being handled by what commands. I know it will be a lot of output, but we have to start somewhere.
Got any log entries from the Drops??
If you can eventually get this into a ready-to-use tar, that would be nice...
