[Firewall] Firewall Digest, Vol 90, Issue 7

Gustin Johnson gustin at meganerd.ca
Mon Jul 29 08:21:36 CEST 2013


UPnP was designed exactly for this case, to allow workstations to
automatically configure the router to give themselves Internet access.
UPnP is evil :)


On Tue, Jul 23, 2013 at 4:15 PM, <cmr at uniserve.com> wrote:

> Hi and thanks for the help. I ran into some issues / problems.
>
> I'm working on a bit of a deadline so I will only point out the flaws ...
>
> As pointed out, I installed the linux-igd daemon on the router. In conjunction
> with Arno's IGD plugin, everything worked. Then I checked the upnpd log
> file...
>
> What I found was, to me, disturbing. Windows machines on my network with
> ZERO internet access -- read firewalled, suddenly had internet access via
> the upnp daemon.
>
> It resulted in a roll back and uninstall of linux-igd until my return
> from the great white north! Since I won't be around to fix it for a couple
> of weeks and I don't wish to leave remote access on, I will simply say no
> xbox party YET!
>
> In the meantime, reading and research are in order.
>
> Other than disabling SSDP on my windows machines (last resort), is this
> an AIF bug, because these three machines are not in the NAT_INTERNAL_NET=""
> list and I took them out of the mac-address list; the results are the same
> ...
>
> reading reading research and more reading ...
>
> This is a snippet from the three Win XP / 7 machines which are NOT supposed
> to reach the outside world...
>
>
> From host 192.168.1.zzz
> 2013-07-23 08:48:09 0xzzzzzzzzzzzz ssdp_server.c:814 Start of received multicast packet --------------------------------------------
> M-SEARCH * HTTP/1.1
> Host:239.255.255.250:1900
> ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1
> Man:"ssdp:discover"
> MX:3
>
>
> End of received multicast packet --------------------------------------------
>
> snip snip snip
>
> From host 192.168.1.yyy
> 2013-07-23 08:49:45 0xyyyyyyyyyyyy ssdp_server.c:814 Start of received multicast packet --------------------------------------------
> M-SEARCH * HTTP/1.1
> Host:239.255.255.250:1900
> ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1
> Man:"ssdp:discover"
> MX:3
>
>
> End of received multicast packet --------------------------------------------
>
> snip snip snip
>
> From host 192.168.1.www
> 2013-07-23 08:50:05 0xwwwwwwwwwwww ssdp_server.c:814 Start of received multicast packet --------------------------------------------
> M-SEARCH * HTTP/1.1
> Host:239.255.255.250:1900
> ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1
> Man:"ssdp:discover"
> MX:3
>
>
> End of received multicast packet --------------------------------------------
>
>
>
>
> Chris
>
>
> Quoting firewall-request at rocky.eld.leidenuniv.nl:
>
>> Today's Topics:
>>
>>    1. Re: TCP / UPD port forwarding to multiple xBox's behind the
>>       firewall (Lonnie Abelbeck)
>>    2. Re: TCP / UPD port forwarding to multiple xBox's behind the
>>       firewall (Gustin Johnson)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Sun, 21 Jul 2013 06:22:53 -0500
>> From: Lonnie Abelbeck <lists at lonnie.abelbeck.com>
>> To: Arno's IPTABLES firewall script <firewall at rocky.eld.leidenuniv.nl>
>> Subject: Re: [Firewall] TCP / UPD port forwarding to multiple xBox's
>>         behind the firewall
>> Message-ID: <DCF89256-B41E-468E-84A6-8E75AD2B92A5 at lonnie.abelbeck.com>
>> Content-Type: text/plain; charset=us-ascii
>>
>> Hi Chris,
>>
>> The AIF firewall.conf file is parsed as a shell script, such that...
>> --
>> FOO="1"
>> FOO="2"
>> FOO="3"
>> --
>> results in FOO having a value of only "3"; what you want to do is
>> space-separate the values...
>> --
>> FOO="1 2 3"
>> --
>>
>> So, in your case:
>> --
>> NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.15
>> 53,80,2869,3074,5000>192.168.1.85 53,80,2869,3074,5000>192.168.1.86"
>>
>> NAT_FORWARD_UDP="53,88,1900,3074>192.168.1.15
>> 53,88,1900,3074>192.168.1.85 53,88,1900,3074>192.168.1.86"
>> --
>> etc. (the only spaces are separating multiple values within
>> double-quotes).
>>
>> Lonnie
>>
>>
>>
>> On Jul 21, 2013, at 2:00 AM, cmr at uniserve.com wrote:
>>
>>> A couple of weeks back I asked about a nat issue and port forwarding to
>>> an xbox.
>>>
>>> I found my answer in the firewall.conf file, something several of you
>>> pointed out. Other than the fact my ISP blocks inbound port 80, that
>>> solution worked flawlessly.
>>>
>>> It was these two lines and the UPnP IGD plugin that solved my problem:
>>> NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.15"
>>> NAT_FORWARD_UDP="53,88,1900,3074>192.168.1.15"
>>>
>>> ... now for today's problem ...
>>>
>>> I'm fortunate enough to have a wired house with several large tv's
>>> located in several areas of the house. One of my kids wants to host an xbox
>>> live tourney on the lan. Specifically, his friends bring over their own
>>> equipment, my dhcp server assigns addresses as needed and nat needs to be
>>> open for each xbox.
>>>
>>> The server will assign static dhcp addresses in the range of
>>> 192.168.1.85 to 192.168.1.95 based on each machine's MAC address.
>>>
>>> Would I use NAT_STATIC_IP=""? Because if I use multiple lines similar
>>> to the following, it does not work for any unit other than the first one.
>>>
>>> NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.15"
>>> NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.85"
>>> NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.86"
>>> ...
>>>
>>> NAT_FORWARD_UDP="53,88,1900,3074>192.168.1.15"
>>> NAT_FORWARD_UDP="53,88,1900,3074>192.168.1.85"
>>> NAT_FORWARD_UDP="53,88,1900,3074>192.168.1.86"
>>> ...
>>>
>>> I currently use two plugins, the UPnP IGD and the mac address plugins.
>>>
>>> Something tells me this has an easy solution, I'm just unsure of where
>>> to look or start looking!
>>>
>>> Chris
>>>
>>
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Sun, 21 Jul 2013 05:55:58 -0600
>> From: Gustin Johnson <gustin at meganerd.ca>
>> To: "Arno's IPTABLES firewall script" <firewall at rocky.eld.leidenuniv.nl>
>> Subject: Re: [Firewall] TCP / UPD port forwarding to multiple xBox's
>>         behind the firewall
>> Message-ID: <CAPM=hj4HuG-dA=M0YaRB6Hdkd9jQ-wzeA4ofE2-B40kmK+uVjg at mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> You cannot port forward the same ports to more than one IP on the LAN
>> side.
>>
>> What you probably want to do is look into UPnP which is what the other
>> Xboxes support when they need ports forwarded.  UPnP auto negotiates the
>> port forwarding so you do not need to add the other xboxes anyway.
>>
>> In addition to what you already have, you will need to install and
>> configure a UPnP daemon on the router.
>>
>> Hth,
>>
>>
>>
>> ------------------------------
>>
>> ______________________________________________
>> Firewall mailing list
>> Firewall at rocky.eld.leidenuniv.nl
>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>
>>
>> End of Firewall Digest, Vol 90, Issue 7
>> *****************************************
>>
>>
>
>
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
>
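The log lines Chris quotes are SSDP M-SEARCH requests for the InternetGatewayDevice coming from hosts that are supposed to be firewalled. As an added example (not code from the thread, linux-igd or AIF), the Python below parses upnpd output in that layout and flags gateway discovery requests from hosts outside an allow list; the allow list, the function names and the sample log are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Allow list (constructed): the Xbox at .15 plus the 192.168.1.85-.95 DHCP range; all else is firewalled.
ALLOWED_UPNP_CLIENTS = {ip_address("192.168.1.15")} | {
    ip_address(f"192.168.1.{n}") for n in range(85, 96)}
IGD_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
START_RE = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \S+ Start of received multicast packet")

def parse_upnpd_log(text):
    """Yield (host, timestamp, request_line, headers) per packet in the linux-igd log layout quoted above."""
    host = stamp = body = None
    for line in text.splitlines():
        if line.startswith("From host "):
            host = line.split()[2]
        elif START_RE.match(line):
            stamp, body = START_RE.match(line).group(1), []
        elif body is not None and line.startswith("End of received multicast packet"):
            headers = {k.strip().lower(): v.strip() for k, v in
                       (h.split(":", 1) for h in body[1:] if ":" in h)}
            yield host, stamp, (body[0] if body else ""), headers
            body = None
        elif body is not None and line.strip():
            body.append(line.strip())

def unexpected_igd_searches(text, allowed=ALLOWED_UPNP_CLIENTS):
    """Return (host, timestamp) for M-SEARCH requests aimed at the gateway (or at 'ssdp:all',
    which an IGD also answers) from hosts outside the allow list; unparsable hosts are flagged too."""
    hits = []
    for host, stamp, request, headers in parse_upnpd_log(text):
        if not request.startswith("M-SEARCH") or headers.get("st") not in (IGD_TARGET, "ssdp:all"):
            continue
        try:
            if ip_address(host) in allowed:
                continue
        except ValueError:
            pass
        hits.append((host, stamp))
    return hits

def sample_packet(host, stamp, st=IGD_TARGET):
    """One packet in the thread's log layout (constructed test data)."""
    return (f"From host {host}\n{stamp} 0x000000000000 ssdp_server.c:814 "
            "Start of received multicast packet ----\nM-SEARCH * HTTP/1.1\n"
            f"Host:239.255.255.250:1900\nST:{st}\nMan:\"ssdp:discover\"\nMX:3\n"
            "End of received multicast packet ----\n")

# Constructed sample: the Xbox (allowed) and a desktop at .60 that is supposed to be firewalled.
SAMPLE_LOG = (sample_packet("192.168.1.15", "2013-07-23 08:48:09")
              + sample_packet("192.168.1.60", "2013-07-23 08:49:45"))
```

Run against a real upnpd log, a non-empty result is the condition Chris describes: a host that is denied forwarding by the firewall asking the IGD to open ports on its behalf.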
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://rocky.eld.leidenuniv.nl/pipermail/firewall/attachments/20130729/edf136d3/attachment-0001.html>
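Two points from the quoted digest can be checked mechanically: Lonnie's, that firewall.conf is sourced as a shell script so repeated NAT_FORWARD_TCP assignments overwrite each other, and Gustin's, that one inbound port cannot be forwarded to more than one LAN address. The checker below is an added example, not AIF's own parser; it assumes only the VAR="..." assignment form and the ports>ip syntax seen in the thread.

```python
import re

# Models one thing about AIF's firewall.conf: it is sourced as a shell script, so a
# repeated VAR="..." assignment silently replaces the earlier value (assumption: only
# the simple double-quoted assignment form used in the thread is handled).
ASSIGN_RE = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)=("[^"]*"|\S*)\s*$')

def source_config(text):
    """Return (values, overwritten): the values the shell would end up with, and a
    list of (var, discarded_value) for every assignment that a later one replaced."""
    values, overwritten = {}, []
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        var, raw = m.group(1), m.group(2).strip('"')
        if var in values:
            overwritten.append((var, values[var]))
        values[var] = raw
    return values, overwritten

def expand_forwards(value):
    """Expand a NAT_FORWARD_* value ('ports>ip ports>ip ...') into (port, ip) pairs."""
    pairs = []
    for entry in value.split():
        ports, _, target = entry.partition(">")
        pairs.extend((int(p), target) for p in ports.split(","))
    return pairs

def conflicting_forwards(value):
    """Ports listed for more than one LAN host. A DNAT rule sends an inbound port to
    exactly one address, so only one of these targets can ever receive the traffic."""
    targets = {}
    for port, ip in expand_forwards(value):
        targets.setdefault(port, set()).add(ip)
    return {port: sorted(ips) for port, ips in targets.items() if len(ips) > 1}

# Constructed from the thread: Chris's three separate lines, and the single
# space-separated line Lonnie suggested instead.
CHRIS_CONF = """NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.15"
NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.85"
NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.86"
"""
LONNIE_CONF = ('NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.15 '
               '53,80,2869,3074,5000>192.168.1.85 53,80,2869,3074,5000>192.168.1.86"\n')
```

Chris's version loses the first two assignments, so only 192.168.1.86 is ever forwarded; Lonnie's version keeps all three but lists every port for three hosts, which is the conflict Gustin points out.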

