how to block outgoing UPNP?
How do I specifically *block* outgoing UPNP from my linux box?
I do not want UPNP. But my router may have it enabled. How can I
check? Using Zyxel X-550 with 1.5 firmware. There is no UPNP check
box AFAICT so I can't uncheck it. I don't know if it is enabled. How
would I check?
The reason I ask is that apparently newer flashplayer playing malicious
content can send UPNP to tear my firewall a new hole. I can't
re-compile the offending flashplayer. And I still don't want any UPNP.
Is iptables the right solution? What protocol/ports do I drop? What
kind of collateral damage should I expect?
I googled for 15 minutes but I didn't see anything on websites or
newsgroups. They were all about enabling it via some magic wrapper
script. That was the opposite direction from where I want to go.
--
Johan KULLSTAM <kullstj-nn@comcast.net> sysengr
Re: how to block outgoing UPNP?
On Wed, 16 Jan 2008 10:08:52 -0500, Johan Kullstam wrote:
> I do not want UPNP. But my router may have it enabled. How can I
> re-compile the offending flashplayer. And I still don't want any UPNP.
good idea
> Is iptables the right solution? What protocol/ports do I drop? What
> kind of collateral damage should I expect?
>
> I googled for 15 minutes but I didn't see anything on websites or
I googled only 1 minute, guess that's what you're looking for:
http://gentoo-wiki.com/HOWTO_Setup_UPnP_with_IPTables
Turn ACCEPT to REJECT or DROP
Re: how to block outgoing UPNP?
Burkhard Ott <postmaster@derith.de> writes:
> On Wed, 16 Jan 2008 10:08:52 -0500, Johan Kullstam wrote:
>
>> I do not want UPNP. But my router may have it enabled. How can I
>> re-compile the offending flashplayer. And I still don't want any UPNP.
>
> good idea
>
>> Is iptables the right solution? What protocol/ports do I drop? What
>> kind of collateral damage should I expect?
>>
>> I googled for 15 minutes but I didn't see anything on websites or
>
> I googled only 1 minute, guess that's what you're looking for:
> http://gentoo-wiki.com/HOWTO_Setup_UPnP_with_IPTables
> Turn ACCEPT to REJECT or DROP
So UPNP uses IP 239.0.0.0/8 on TCP 49152 and UDP 1900?
It's kind of strange. Why would my computer or router listen to IP
packets going to 239.0.0.0/8? Maybe that is the easiest thing.
Is this right?
iptables -A OUTPUT -d 239.0.0.0/8 -j DROP
--
Johan KULLSTAM
Re: how to block outgoing UPNP?
On Wed, 16 Jan 2008 17:41:40 -0500, Johan Kullstam wrote:
> So UPNP uses IP 239.0.0.0/8 on TCP 49152 and UDP 1900?
>
> It's kind of strange. Why would my computer or router listen to IP
> packets going to 239.0.0.0/8? Maybe that is the easiest thing.
>
> Is this right?
>
> iptables -A OUTPUT -d 239.0.0.0/8 -j DROP
>
should work, depends on your traffic.
The rule means all packets which come from this machine and have
$destinationIP will be dropped.
For packets from your clients you should also make a forward rule, and if
you want to drop those packets on the incoming table, drop those in
INPUT too.
A good idea is also to make a logging rule for those packets, just to see
if and how it works; you can disable that later.
Also an interesting article about upnp, afaik m$ developed that crappy
protocol.
http://technet.microsoft.com/en-us/library/bb457049.aspx#EDAA
cheers
Re: how to block outgoing UPNP?
Hello,
Johan Kullstam wrote:
> Burkhard Ott <postmaster@derith.de> writes:
>>
>> http://gentoo-wiki.com/HOWTO_Setup_UPnP_with_IPTables
>
> So UPNP uses IP 239.0.0.0/8 on TCP 49152 and UDP 1900?
According to the rules on the page, UPnP may use any protocol and port
on 239.0.0.0/8, and TCP port 49152 and UDP port 1900 on any address. I
thought it used port 5000 too.
> It's kind of strange. Why would my computer or router listen to IP
> packets going to 239.0.0.0/8?
It's a multicast range.
Re: how to block outgoing UPNP?
Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> writes:
> Hello,
>
> Johan Kullstam wrote:
>> Burkhard Ott <postmaster@derith.de> writes:
>>>
>>> http://gentoo-wiki.com/HOWTO_Setup_UPnP_with_IPTables
>>
>> So UPNP uses IP 239.0.0.0/8 on TCP 49152 and UDP 1900?
>
> According to the rules on the page, UPnP may use any protocol and port
> on 239.0.0.0/8, and TCP port 49152 and UDP port 1900 on any address. I
> thought it used port 5000 too.
So, if I drop 239.0.0.0/8 and TCP ports 5000 and 49152 and UDP 1900 on
outgoing, I should be safe(r)?
Are there any other things using this? Is TCP port 5000, for example,
used for anything else?
>> It's kind of strange. Why would my computer or router listen to IP
>> packets going to 239.0.0.0/8?
>
> It's a multicast range.
And this avahi crap that the cups dragged in (thanks apt!). Can I get
rid of it too? I already know the IP address of all 1 (count them!)
printers on my home network.
--
Johan KULLSTAM <kullstj-nn@comcast.net> sysengr
Re: how to block outgoing UPNP?
On Thu, 17 Jan 2008 10:51:08 -0500, Johan Kullstam wrote:
> So, if I drop 239.0.0.0/8 and TCP ports 5000 and 49152 and UDP 1900 on
> outgoing, I should be safe(r)?
I would say that; to be sure, check it out with tcpdump or similar.
>
> Are there any other things using this? Is TCP port 5000, for example,
> used for anything else?
>
usually not
>>> It's kind of strange. Why would my computer or router listen to IP
>>> packets going to 239.0.0.0/8?
>>
>> It's a multicast range.
If you have multicast enabled, then it would answer; that is the reason why
we have multicast addresses. If you don't need that, disable it, depends on
your kernel.
> And this avahi crap that the cups dragged in (thanks apt!). Can I get
> rid of it too? I already know the IP address of all 1 (count them!)
> printers on my home network.
I don't know which distribution you use, but in my installation I never got
that while I installed cups; usually cups listens on 631.
Avahi has nothing to do with cups (afaik).
cheers
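The OUTPUT/FORWARD drop rules, the LOG rule in front of each drop, and the tcpdump check suggested in the replies above, put together as an added example (this is not code posted by anyone in the thread). It assumes iptables is installed and the script runs as root; the match set is the one named in the thread (239.0.0.0/8, TCP 5000 and 49152, UDP 1900), and DRY_RUN is a hypothetical switch that prints the rules instead of applying them.

```shell
# Added example, not from the thread: block outbound UPnP/SSDP with iptables,
# logging each match before dropping it so the effect can be verified.
# Assumptions: iptables is installed and this runs as root. Match set is the
# one named in the thread: 239.0.0.0/8, TCP 5000/49152, UDP 1900.
# DRY_RUN=1 (hypothetical switch) prints the rules instead of applying them.
MCAST_RANGE="239.0.0.0/8"
UPNP_TCP_PORTS="5000 49152"
UPNP_UDP_PORTS="1900"

# Run iptables, or just print the command when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Append a rate-limited LOG rule, then a DROP rule with the same match.
# The kernel log line (dmesg / kern.log) carries the prefix, so grepping
# for "UPNP-" shows whether anything is actually being caught.
log_and_drop() {
    chain="$1"; shift
    ipt -A "$chain" "$@" -m limit --limit 5/min -j LOG --log-prefix "UPNP-$chain: "
    ipt -A "$chain" "$@" -j DROP
}

# Install the full match set in one chain: OUTPUT covers this host,
# FORWARD covers LAN clients this box routes for (add INPUT for inbound).
block_upnp_in_chain() {
    chain="$1"
    log_and_drop "$chain" -d "$MCAST_RANGE"
    for p in $UPNP_TCP_PORTS; do
        log_and_drop "$chain" -p tcp --dport "$p"
    done
    for p in $UPNP_UDP_PORTS; do
        log_and_drop "$chain" -p udp --dport "$p"
    done
}

block_upnp() {
    for chain in OUTPUT FORWARD; do
        block_upnp_in_chain "$chain"
    done
}

# Apply only when invoked with "apply", so the file can also be sourced.
# Afterwards, confirm nothing leaks with the same match set in tcpdump:
#   tcpdump -ni eth0 'dst net 239.0.0.0/8 or udp port 1900 or tcp port 5000 or tcp port 49152'
if [ "${1:-}" = "apply" ]; then
    block_upnp
fi
```

Run `DRY_RUN=1 sh block-upnp.sh apply` first to review the eight LOG/DROP pairs it would add, then without DRY_RUN as root to apply them.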