Discussion in 'Tomato Firmware' started by landa, Nov 30, 2009.
What is the difference between them? Which is better to activate in Tomato?
The miniupnpd daemon built into Tomato supports both, so it'll use whichever one the client piece (e.g. chat client, BitTorrent client, Xbox 360, etc.) tries to use. It's been my experience that the NAT-PMP protocol is the better of the two because it seems to clean up old port openings better and also just works better in my home Mac environment (the NAT-PMP protocol was partially written by or started by Apple).
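To make the "cleans up old port openings" point concrete, here is the NAT-PMP (RFC 6886) mapping exchange worked through in Python. This is an added example, not code from the thread or from miniupnpd/Tomato: it encodes the 12-byte client request and the 16-byte gateway response exactly as the RFC lays them out, and models the gateway side as a toy in-memory table in which every mapping carries a lease so the gateway, not the client, removes abandoned entries. The client addresses, ports, timestamps and the 7200-second lifetime cap are constructed sample values.

```python
"""NAT-PMP (RFC 6886) mapping request/response and lease expiry.

Added example, not code from the thread or from miniupnpd/Tomato. The
Gateway class is a toy in-memory model of the NAT-PMP side of a router;
the client IPs, ports, timestamps and MAX_LIFETIME are assumed values.
"""
import struct

NATPMP_PORT = 5351                 # UDP port a NAT-PMP gateway listens on
OP_MAP_UDP, OP_MAP_TCP = 1, 2      # request opcodes; responses use opcode + 128
RESULT_SUCCESS = 0
MAX_LIFETIME = 7200                # lease cap the toy gateway imposes (assumed policy)


def build_map_request(proto, internal_port, suggested_external_port, lifetime):
    """Client -> gateway. A lifetime of 0 asks the gateway to delete the mapping."""
    op = OP_MAP_UDP if proto == "udp" else OP_MAP_TCP
    # version(1) opcode(1) reserved(2) internal port(2) suggested ext port(2) lifetime(4)
    return struct.pack("!BBHHHI", 0, op, 0, internal_port, suggested_external_port, lifetime)


def parse_map_response(data):
    """Gateway -> client: version, opcode|128, result code, seconds since start
    of epoch (SSSoE), internal port, mapped external port, granted lifetime."""
    if len(data) != 16:
        raise ValueError("NAT-PMP mapping response must be 16 bytes")
    ver, op, result, sssoe, int_port, ext_port, lifetime = struct.unpack("!BBHIHHI", data)
    if ver != 0 or op not in (128 + OP_MAP_UDP, 128 + OP_MAP_TCP):
        raise ValueError("not a NAT-PMP mapping response")
    return {"proto": "udp" if op == 128 + OP_MAP_UDP else "tcp",
            "result": result, "sssoe": sssoe, "internal_port": int_port,
            "external_port": ext_port, "lifetime": lifetime}


class Gateway:
    """Minimal NAT-PMP responder. Every mapping is stored with an expiry time,
    so a client that crashes or walks away leaves nothing open for long."""

    def __init__(self, start_time):
        self.start = start_time
        self.table = {}   # (proto, external_port) -> (client_ip, internal_port, expires_at)

    def handle(self, client_ip, data, now):
        ver, op, _, int_port, want_ext, lifetime = struct.unpack("!BBHHHI", data)
        if ver != 0 or op not in (OP_MAP_UDP, OP_MAP_TCP):
            raise ValueError("unsupported NAT-PMP request")
        proto = "udp" if op == OP_MAP_UDP else "tcp"
        if lifetime == 0:
            # explicit deletion: drop this client's mapping(s) for the internal port;
            # the RFC response carries external port 0 and lifetime 0
            for key, (ip, iport, _) in list(self.table.items()):
                if key[0] == proto and ip == client_ip and iport == int_port:
                    del self.table[key]
            ext_port = 0
        else:
            lifetime = min(lifetime, MAX_LIFETIME)
            ext_port = self._pick_port(proto, want_ext, client_ip, int_port)
            self.table[(proto, ext_port)] = (client_ip, int_port, now + lifetime)
        return struct.pack("!BBHIHHI", 0, 128 + op, RESULT_SUCCESS,
                           int(now - self.start), int_port, ext_port, lifetime)

    def _pick_port(self, proto, want, client_ip, int_port):
        """Honour the suggested port if it is free or already this client's,
        otherwise hand out the next free one (the RFC allows any free port)."""
        port = want if want else int_port
        while True:
            owner = self.table.get((proto, port))
            if owner is None or owner[:2] == (client_ip, int_port):
                return port
            port = port + 1 if port < 65535 else 1024

    def expire(self, now):
        """Periodic cleanup: remove every lease whose lifetime has elapsed."""
        dead = [k for k, (_, _, exp) in self.table.items() if exp <= now]
        for k in dead:
            del self.table[k]
        return len(dead)
```

A client that wants to keep its port must renew before the lease runs out; the gateway never has to guess whether a mapping is still wanted, which is the behavioural difference from a UPnP AddPortMapping issued with a lease duration of 0 (permanent).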
Does miniUPnP include these security risks?
Or is only port forwarding implemented?
I don't want some riskware to change my DNS server, enable the router's web admin interface to the whole internet, or terminate my connections...
Oh ffs. UPnP is not a security risk and never has been. What those people you find running around touting it as such conveniently forget to mention are two very simple things. For UPnP to be abused the commands must come from the LAN, thus the security issue is not UPnP, but the virus/twit who allowed outside access on their PC. Secondly, home routers' firewalls allow all outbound connections by default, meaning that once the network has been compromised there's no need to use UPnP to talk to the outside world.
If you're worried about security use the RAF mod with secure mode enabled (only allow port forwards to the device that requests them), but really, Tomato's UPnP is deliberately limited. The developers aren't daft, unlike the Microsoft ones that thought it'd be smart to write a protocol for automatically reconfiguring an entire network without authentication or any way for the user to know what parts of the protocol their device supports.
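The two constraints just described (commands only honoured from the LAN, and "secure mode" forwarding only to the host that asked) can be shown as a policy check over a real UPnP IGD AddPortMapping SOAP body. The following is an added example written for this thread, not miniupnpd's or Tomato's code: it parses the WANIPConnection AddPortMapping action with the standard library and applies the checks in order. The SOAP body is a constructed sample, and the LAN prefix, router address, the refusal to forward to the router's own address, and the decision strings are assumptions made for the illustration.

```python
"""Policy check for a UPnP IGD AddPortMapping request as a LAN-only gateway
with "secure mode" would apply it.

Added example, not miniupnpd's code. SAMPLE_REQUEST is a constructed SOAP
body; the LAN prefix, router address and decision strings are assumptions.
"""
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed sample: a BitTorrent client on 192.168.1.10 asking for TCP 6881.
SAMPLE_REQUEST = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
  s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>6881</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>6881</NewInternalPort>
      <NewInternalClient>192.168.1.10</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>bittorrent</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""


def parse_add_port_mapping(soap_xml):
    """Extract the AddPortMapping arguments; the argument elements are unqualified."""
    root = ET.fromstring(soap_xml)
    action = root.find(f".//{{{SOAP_NS}}}Body/{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not a WANIPConnection AddPortMapping action")
    args = {child.tag: (child.text or "").strip() for child in action}
    return {
        "remote_host": args.get("NewRemoteHost", ""),
        "external_port": int(args["NewExternalPort"]),
        "protocol": args["NewProtocol"].upper(),
        "internal_port": int(args["NewInternalPort"]),
        "internal_client": args["NewInternalClient"],
        "enabled": args.get("NewEnabled", "1") == "1",
        "description": args.get("NewPortMappingDescription", ""),
        "lease": int(args.get("NewLeaseDuration", "0")),   # 0 means permanent
    }


def decide(mapping, requester_ip, lan_net, router_ip, secure_mode=True):
    """Return "accept" or a "reject: ..." reason. Check order matters: the
    cheapest and most decisive test (did this even come from the LAN?) goes first."""
    lan = ipaddress.ip_network(lan_net)
    src = ipaddress.ip_address(requester_ip)
    if src not in lan:
        return "reject: request did not originate on the LAN"
    try:
        target = ipaddress.ip_address(mapping["internal_client"])
    except ValueError:
        return "reject: NewInternalClient is not an IP address"
    if target == ipaddress.ip_address(router_ip):
        # assumed policy: never expose the router itself (e.g. its web admin UI)
        return "reject: refuses to expose the router itself"
    if target not in lan:
        return "reject: NewInternalClient is outside the LAN"
    if mapping["protocol"] not in ("TCP", "UDP"):
        return "reject: unknown protocol"
    if not (1 <= mapping["external_port"] <= 65535 and 1 <= mapping["internal_port"] <= 65535):
        return "reject: port out of range"
    if secure_mode and target != src:
        return "reject: secure mode only forwards to the requesting host"
    return "accept"


def evaluate(soap_xml, requester_ip, secure_mode=True,
             lan_net="192.168.1.0/24", router_ip="192.168.1.1"):
    """Parse and decide in one step; defaults are assumed sample values."""
    return decide(parse_add_port_mapping(soap_xml), requester_ip, lan_net, router_ip, secure_mode)
```

With secure mode off, a compromised host on the LAN could request a forward to any other LAN machine; with it on, the worst it can do is open ports to itself, which, as the post above notes, it could already reach outbound anyway.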
Fully agree with you Azuse.
The only issue that has ever been confirmed was in the UK with the BT Home Hub, which had a full UPnP implementation for auto configuration. Pretty large installed base, but I believe the specific backdoor was fixed pretty quickly.
I don't think any Tomato UPnP has been that 'feature rich', but I also bet there's a lot of folk out there whose routers still have the "cross-site scripting vulnerability": if you are logged into the router GUI in one window, a script from a website in another could configure anything on your router for you!
I think Intel were the ones behind the original UPnP...
Just enable both. Some applications such as uTorrent can use NAT-PMP, along with any Apple devices. The rest will use UPnP. No problem...