UPnP question

Discussion in 'Tomato Firmware' started by Outer Marker, Oct 9, 2008.

  1. Outer Marker

    Outer Marker Guest

    This might seem like a stupid question, but I haven't been able to answer it from my understanding of the UPnP protocol. My question is this:

    Is it possible to enable UPnP on the router, but only have it respond to UPnP discovery requests from a particular LAN IP? Maybe this could be done as a script?

    Here's the scenario. I have several computers and one Playstation 3 on my LAN. The computers have their IPs assigned by DHCP, and the PS3 is statically defined. Is it possible to have the router respond to UPnP discovery requests coming ONLY from the PS3 static IP address?

    Why would I want to do that? Well, I was thinking that the only device that needs to make use of UPnP is the Playstation, so why should the router be forced to honor ALL UPnP requests on the LAN? I can effectively use the Windows firewall to disable the UPnP framework exception on the PCs, and then they would never make any requests for UPnP, but what if rogue software gets on my PCs and then adds the firewall exception for UPnP and off it goes.

    I know I'm probably being way too anal about this, but would allowing only the PS3 to make UPnP requests buy me any additional security? Isn't it better to only allow the services you need on the PCs you need them?

    Any comments or answers would be appreciated.


    -- Outer Marker
  2. mstombs

    mstombs Network Guru Member

    This is a feature provided by miniupnpd, which is not currently used as the upnp daemon in Tomato (used in OpenWRT and Tarifa on the same platform and under review by Victek). miniupnpd supports a conf file with example rules:

    # UPnP permission rules
    # (allow|deny) (external port range) ip/mask (internal port range)
    # A port range is <min port>-<max port> or <port> if there is only
    # one port in the range.
    # ip/mask format must be nn.nn.nn.nn/nn
    # Rules are matched top to bottom; the final deny catches everything
    # not explicitly allowed above it.
    allow 1024-65535 192.168.0.0/24 1024-65535
    allow 1024-65535 192.168.1.0/24 1024-65535
    allow 1024-65535 192.168.0.0/24 22
    allow 12345 192.168.0.0/24 54321
    deny 0-65535 0.0.0.0/0 0-65535
    miniupnpd also has a "secure mode" which prevents one lan user from setting port forwards for another - using the XP gui for example.

    In Tomato you could probably use iptables rules - port 5000 is involved?

    Paranoid? probably - if a machine on your lan is taken over by hacker, upnp wouldn't be the first target!
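    The iptables approach mstombs suggests, written out as an added example (not code from the thread or from Tomato): a dedicated chain that accepts UPnP traffic only from the PS3 and logs then drops it from every other LAN host. Assumed, not given in the thread: the PS3's constructed static address 192.168.1.50, Tomato's LAN bridge br0, SSDP discovery on UDP 1900, and the daemon's control port being TCP 5000 (the port mstombs mentions).

    ```shell
    #!/bin/sh
    # Added example: restrict UPnP on a Tomato router to a single LAN host.
    # Intended for the Firewall script box; run with "apply" to install.

    PS3_IP="${PS3_IP:-192.168.1.50}"          # constructed example address
    LAN_IF="${LAN_IF:-br0}"                   # assumed Tomato LAN bridge
    UPNP_TCP_PORT="${UPNP_TCP_PORT:-5000}"    # assumed UPnP control port
    CHAIN="UPNP_ACL"                          # chain name chosen here

    # Print the iptables commands instead of running them, so the rule set
    # can be reviewed (and tested) before it touches the firewall.
    upnp_rules() {
        # Per-host policy lives in its own chain. -N fails harmlessly if the
        # chain already exists; -F then empties it for a clean reload.
        printf 'iptables -N %s\n' "$CHAIN"
        printf 'iptables -F %s\n' "$CHAIN"
        # Only the PS3 may talk to the UPnP daemon.
        printf 'iptables -A %s -s %s -j ACCEPT\n' "$CHAIN" "$PS3_IP"
        # Log other hosts (rate limited) so rogue software is noticed, then drop.
        printf 'iptables -A %s -m limit --limit 5/min -j LOG --log-prefix "UPNP-BLOCKED: "\n' "$CHAIN"
        printf 'iptables -A %s -j DROP\n' "$CHAIN"
        # Hook the chain in at the top of INPUT, ahead of Tomato's blanket
        # accept for LAN traffic: SSDP discovery (UDP 1900) and SOAP control.
        printf 'iptables -I INPUT -i %s -p udp --dport 1900 -j %s\n' "$LAN_IF" "$CHAIN"
        printf 'iptables -I INPUT -i %s -p tcp --dport %s -j %s\n' "$LAN_IF" "$UPNP_TCP_PORT" "$CHAIN"
    }

    # Execute the generated rules on the router.
    apply_upnp_rules() {
        upnp_rules | sh
    }

    case "${1:-}" in
        apply) apply_upnp_rules ;;
        *)     upnp_rules ;;      # default: just show what would be applied
    esac
    ```

    Blocked attempts appear in the router's syslog with the UPNP-BLOCKED prefix, which is the signal Outer Marker was after when worrying about software on the PCs quietly opening ports.
    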
  3. Outer Marker

    Outer Marker Guest

    Thank you mstombs. This is very helpful.