Discussion in 'Tomato Firmware' started by jsmiddleton4, Jun 16, 2012.
I'm sorry but what does that actually mean or what does that look like for clients if enabled?
Try the Windows tool when it detects a UPnP device - without this you can manage UPnP port forwards for any device on your network.
It prevents clients from setting up port forwards to a client other than itself.
e.g. a device at 192.168.1.20 cannot set up a port forward to 192.168.1.25, but it can to itself.
I would call that sensible from a security standpoint, what legitimate reason does a client have for setting up a port forward to somewhere else?
Thanks for the explanations. Still not sure what setting this looks like within a network.
I tell the router that clients can only map to their own IP. I get on my laptop, it wants to map some ports. It can only map those ports to its own IP. When would my laptop want to map ports to something other than its own IP?
It's just what UPnP running on the server can do. When the spec was written the idea was that an administrator could configure the router from their own machine; security and hacking activities were not considered. A full UPnP router can even have its DNS servers or outgoing diverts changed - there was a proof-of-concept virus for the UK BT Home Hub that used this exploit.
Tomato uses miniupnpd, which sensibly limits what can be done via the LAN UPnP interface - all it can do is set port forwards! One feature is the secure mode we are discussing here; another is the programmable limit on what devices can use what ports, which can be changed by nvram vars - see other threads re WHS, which appears to need low ports.
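To make the two checks discussed in this thread concrete (secure mode, where a client may only map ports to its own address, and the per-device/per-port permission rules mentioned in the last post), here is an added Python model of how a UPnP IGD server decides whether to honour an AddPortMapping request. It is not Tomato's or miniupnpd's own code. The SOAP request body and the two permission rules are constructed sample data; the rule syntax follows miniupnpd's `allow`/`deny` lines (in miniupnpd.conf secure mode itself is `secure_mode=yes`), and the assumptions that rules are evaluated first-match-wins with "no match" meaning allowed, and that the refusals map to the IGD error codes 718 ConflictInMappingEntry and 606 Action not authorized, are modelled on miniupnpd from memory rather than taken from this thread.

```python
"""Model of a UPnP IGD server's checks on AddPortMapping.

Added example, not Tomato or miniupnpd source. Shows why a client at
192.168.1.20 can map a port to itself but, in secure mode, not to
192.168.1.25, and how allow/deny rules limit which LAN hosts may use
which ports.
"""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "u": "urn:schemas-upnp-org:service:WANIPConnection:1"}


def build_add_port_mapping(ext_port, proto, int_port, int_client, desc="test"):
    """Build a constructed AddPortMapping SOAP body (sample data, not a capture)."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{NS['s']}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="{NS['u']}">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>{ext_port}</NewExternalPort>
      <NewProtocol>{proto}</NewProtocol>
      <NewInternalPort>{int_port}</NewInternalPort>
      <NewInternalClient>{int_client}</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>{desc}</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""


def parse_add_port_mapping(body):
    """Extract the fields the server needs from the SOAP body."""
    root = ET.fromstring(body)
    action = root.find("s:Body/u:AddPortMapping", NS)
    if action is None:
        raise ValueError("not an AddPortMapping request")
    fields = {child.tag: (child.text or "") for child in action}
    return {"ext_port": int(fields["NewExternalPort"]),
            "proto": fields["NewProtocol"].upper(),
            "int_port": int(fields["NewInternalPort"]),
            "int_client": fields["NewInternalClient"]}


def _port_range(text):
    lo, _, hi = text.partition("-")
    return int(lo), int(hi) if hi else int(lo)


def parse_permissions(text):
    """Parse miniupnpd-style rules: '<allow|deny> <extports> <net/prefix> <intports>'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        verb, ext, net, intp = line.split()
        if verb not in ("allow", "deny"):
            raise ValueError(f"bad rule: {line}")
        rules.append((verb, _port_range(ext),
                      ipaddress.ip_network(net, strict=False), _port_range(intp)))
    return rules


def permitted(rules, ext_port, int_client, int_port):
    """First matching rule wins. Assumption: no match means allowed, which is
    why a real rule set ends with a catch-all deny."""
    addr = ipaddress.ip_address(int_client)
    for verb, (elo, ehi), net, (ilo, ihi) in rules:
        if elo <= ext_port <= ehi and addr in net and ilo <= int_port <= ihi:
            return verb == "allow"
    return True


def check_request(body, requester_ip, rules, secure_mode=True):
    """Return (accepted, reason). requester_ip is the LAN source address of
    the HTTP POST; in secure mode it must equal NewInternalClient."""
    req = parse_add_port_mapping(body)
    if secure_mode and req["int_client"] != requester_ip:
        # Assumed error code, modelled on miniupnpd's secure-mode refusal.
        return False, "718 ConflictInMappingEntry"
    if not permitted(rules, req["ext_port"], req["int_client"], req["int_port"]):
        return False, "606 Action not authorized"
    return True, "mapping added"


# Constructed sample rules: LAN hosts may only use unprivileged ports.
SAMPLE_RULES = """
allow 1024-65535 192.168.1.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""

if __name__ == "__main__":
    rules = parse_permissions(SAMPLE_RULES)
    to_other = build_add_port_mapping(51413, "TCP", 51413, "192.168.1.25")
    to_self = build_add_port_mapping(51413, "TCP", 51413, "192.168.1.20")
    low_port = build_add_port_mapping(80, "TCP", 80, "192.168.1.20")
    print("20 -> 25, secure:", check_request(to_other, "192.168.1.20", rules))
    print("20 -> 25, insecure:", check_request(to_other, "192.168.1.20", rules, False))
    print("20 -> 20, secure:", check_request(to_self, "192.168.1.20", rules))
    print("20 -> 20 port 80:", check_request(low_port, "192.168.1.20", rules))
```

The last case is the WHS situation from the thread: a host mapping to itself still gets refused when the rule set does not allow the low port, which is what the nvram port-range variables change.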