Pre-install MiniUPnPd on OpenWrt by default

Stijn Segers foss at volatilesystems.org
Tue Jan 25 05:51:02 PST 2022


Hi Sergey,

Op dinsdag 25 januari 2022 om 15u27 schreef Sergey Ponomarev 
<stokito at gmail.com>:
> Hi,
> 
> Most routers support port forwarding via UPnP IDG or/and NAT-PMP/PCP.
> And many vendors use the MiniUPnPd http://miniupnp.free.fr This daemon
> is kind of standard de-facto.
> This is necessary for any p2p application but OpenWrt builds don't
> have it pre-installed and pre-configured. While it's not so difficult
> to install, this is an additional step and still something that users
> must know. For example, I didn't know about it for about two years
> while already using OpenWrt. For many users this makes life after
> switching to OpenWrt worse than it was before because, for example,
> now their gaming console works slower. Even if someone will try to
> install it there is a risk to configure it incorrectly and expose WAN
> to LAN forwarding.
> 
> Could you include the MiniUPnPd into OpenWrt?

Given the inherent flaws and threats the concept of UPnP poses, I don't 
think it stands a chance to be included by default. Just the fact that 
any application in your LAN can open ports and poke holes at will in 
your firewall is reason enough to *never* do that.

A lot of people in the community advise users to find out what ports 
they need to open and do that manually, keeping control over what's 
open and what not, instead of relying on an easy (but risky) protocol 
like UPnP.

Of course, that's just my 2 cents.

Cheers

Stijn


> 
> There may be few concerns:
> 1. The UPnP IDG protocol has a very bad reputation. See "Universal Pwn
> n Play" talk.
> 2. The MiniUPnPd also had a security issue in 2014 when the WAN to LAN
> forwarding was enabled for NAT-PMP.
> 3. A disk space usage: I checked on OpenWrt with WR1043N  (MIPS) and
> after installing the miniupnpd and it's dependency libcap-ng the disk
> size usage increased to 72Kb. The binary itself is 98565 bytes, in
> contrast with uhttpd 46212 and lighttpd 221413. Maybe for Tiny builds
> this may be too much.
> 
> To make it smaller and easier for a code audit we may strip the UPnP
> and leave only NAT-PMP/PCP. See
> https://github.com/miniupnp/miniupnp/issues/545
> 
> In July 2014 there was two discussions about IPv6 firewall policy for
> direct connections:
> "OpenWRT IPv6 firewall"
> http://lists.openwrt.org/pipermail/openwrt-devel/2014-July/000763.html
> "IPv6 firewall and Port Control Protocol"
> http://lists.openwrt.org/pipermail/openwrt-devel/2014-July/000671.html
> 
> The MiniUPnPd can solve the problem at least partially.
> 
> See also: a forum discussion
> https://forum.openwrt.org/t/port-control-protocol-support/114411
> 
> Regards,
> Sergey
> 
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel





More information about the openwrt-devel mailing list