clients are allowed to add mappings only to their IP ?

Discussion in 'Tomato Firmware' started by jsmiddleton4, Jun 16, 2012.

  1. jsmiddleton4

    jsmiddleton4 Network Guru Member

    I'm sorry but what does that actually mean or what does that look like for clients if enabled?
  2. mstombs

    mstombs Network Guru Member

    Try the windows tool when it detects a upnp device - without this you can manage upnp port forwards for any device on your network.
  3. Kevin Darbyshire-Bryant

    Kevin Darbyshire-Bryant Networkin' Nut Member

    It prevents clients from setting up port forwards to a client other than itself.

    e.g. a device at cannot setup a port forward to, but it can to itself.

    I would call that sensible from a security standpoint, what legitimate reason does a client have for setting up a port forward to somewhere else?
  4. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Thanks for the explanations. Still not sure what setting this looks like within a network.

    I tell the router that clients can only map to their own IP. I get on my laptop, it wants to map some ports. It can only map those ports to its own IP. When would my laptop want to map ports to something other than its own IP?
  5. mstombs

    mstombs Network Guru Member

    Its just what upnp running on the server can do. When the spec was written the idea was that an administrator could configure the router from their own machine, security and hacking activities were not considered. A full upnp router can even have its DNS servers or outgoing diverts changed - there was a proof-of-concept virus for the UK BT home-hub that used this exploit.
    Tomato uses miniupnpd which sensibly limits what can be done via the lan upnp interface - all it can do is set port forwards!. One feature is the secure mode we are discussing here, another is the programmable limit on what devices can use what ports which can be changed by nvram vars - see other threads re WHS which appears to need low ports
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice