how to block outgoing UPNP? - Networking



Thread: how to block outgoing UPNP?

  1. how to block outgoing UPNP?


    How do I specifically *block* outgoing UPNP from my linux box?

    I do not want UPNP. But my router may have it enabled. How can I
    check? Using Zyxel X-550 with 1.5 firmware. There is no UPNP check
    box AFAICT so I can't uncheck it. I don't know if it is enabled. How
    would I check?

    The reason I ask is that apparently newer flashplayer playing malicious
    content can send UPNP to tear my firewall a new hole. I can't
    re-compile the offending flashplayer. And I still don't want any UPNP.

    Is iptables the right solution? What protocol/ports do I drop? What
    kind of collateral damage should I expect?

    I googled for 15 minutes but I didn't see anything on websites or
    newsgroups. They were all about enabling it via some magic wrapper
    script. That was the opposite direction from where I want to go.

    --
    Johan KULLSTAM sysengr

  2. Re: how to block outgoing UPNP?

    On Wed, 16 Jan 2008 10:08:52 -0500, Johan Kullstam wrote:

    > I do not want UPNP. But my router may have it enabled. How can I
    > re-compile the offending flashplayer. And I still don't want any UPNP.


    good idea

    > Is iptables the right solution? What protocol/ports do I drop? What
    > kind of collateral damage should I expect?
    >
    > I googled for 15 minutes but I didn't see anything on websites or


    I googled only 1 minute, guess that's what you're looking for:
    http://gentoo-wiki.com/HOWTO_Setup_UPnP_with_IPTables
    Turn ACCEPT to REJECT or DROP

  3. Re: how to block outgoing UPNP?

    Burkhard Ott writes:

    > On Wed, 16 Jan 2008 10:08:52 -0500, Johan Kullstam wrote:
    >
    >> I do not want UPNP. But my router may have it enabled. How can I
    >> re-compile the offending flashplayer. And I still don't want any UPNP.

    >
    > good idea
    >
    >> Is iptables the right solution? What protocol/ports do I drop? What
    >> kind of collateral damage should I expect?
    >>
    >> I googled for 15 minutes but I didn't see anything on websites or

    >
    > I googled only 1 minute, guess that's what you're looking for:
    > http://gentoo-wiki.com/HOWTO_Setup_UPnP_with_IPTables
    > Turn ACCEPT to REJECT or DROP


    So UPNP uses IP 239.0.0.0/8 on TCP 49152 and UDP 1900?

    It's kind of strange. Why would my computer or router listen to IP
    packets going to 239.0.0.0/8? Maybe that is the easiest thing.

    Is this right?

    iptables -A OUTPUT -d 239.0.0.0/8 -j DROP

    --
    Johan KULLSTAM

  4. Re: how to block outgoing UPNP?

    On Wed, 16 Jan 2008 17:41:40 -0500, Johan Kullstam wrote:

    > So UPNP uses IP 239.0.0.0/8 on TCP 49152 and UDP 1900?
    >
    > It's kind of strange. Why would my computer or router listen to IP
    > packets going to 239.0.0.0/8? Maybe that is the easiest thing.
    >
    > Is this right?
    >
    > iptables -A OUTPUT -d 239.0.0.0/8 -j DROP
    >


    should work, depends on your traffic.
    The rule means all packets which come from this machine and have
    $destinationIP will be dropped.
    For packets from your clients you should also make a forward rule, and if
    you want to drop those packets on the incoming side as well, drop them in
    INPUT too.
    A good idea is also to make a logging rule for those packets just to see
    if and how it works; you can disable that later.

    Also interesting article about upnp, afaik m$ developed that crappy
    protocol.
    http://technet.microsoft.com/en-us/l...7049.aspx#EDAA

    cheers

  5. Re: how to block outgoing UPNP?

    Hello,

    Johan Kullstam wrote:
    > Burkhard Ott writes:
    >>
    >>http://gentoo-wiki.com/HOWTO_Setup_UPnP_with_IPTables

    >
    > So UPNP uses IP 239.0.0.0/8 on TCP 49152 and UDP 1900?


    According to the rules on the page, UPnP may use any protocol and port
    on 239.0.0.0/8, and TCP port 49152 and UDP port 1900 on any address. I
    thought it used port 5000 too.

    > It's kind of strange. Why would my computer or router listen to IP
    > packets going to 239.0.0.0/8?


    It's a multicast range.

  6. Re: how to block outgoing UPNP?

    Pascal Hambourg writes:

    > Hello,
    >
    > Johan Kullstam wrote:
    >> Burkhard Ott writes:
    >>>
    >>>http://gentoo-wiki.com/HOWTO_Setup_UPnP_with_IPTables

    >>
    >> So UPNP uses IP 239.0.0.0/8 on TCP 49152 and UDP 1900?

    >
    > According to the rules on the page, UPnP may use any protocol and port
    > on 239.0.0.0/8, and TCP port 49152 and UDP port 1900 on any address. I
    > thought it used port 5000 too.


    So, if I drop 239.0.0.0/8 and TCP ports 5000 and 49152 and UDP 1900 on
    outgoing, I should be safe(r)?

    Are there any other things using this? Is, for example, TCP port 5000
    used for anything else?

    >> It's kind of strange. Why would my computer or router listen to IP
    >> packets going to 239.0.0.0/8?

    >
    > It's a multicast range.


    And this avahi crap that the cups dragged in (thanks apt!). Can I get
    rid of it too? I already know the IP address of all 1 (count them!)
    printers on my home network.

    --
    Johan KULLSTAM sysengr

  7. Re: how to block outgoing UPNP?

    On Thu, 17 Jan 2008 10:51:08 -0500, Johan Kullstam wrote:


    > So, if I drop 239.0.0.0/8 and TCP ports 5000 and 49152 and UDP 1900 on
    > outgoing, I should be safe(r)?


    I would say so; to be sure, check it out with tcpdump or similar.
    >
    > Are there any other things using this? Is, for example, TCP port 5000
    > used for anything else?
    >


    usually not

    >>> It's kind of strange. Why would my computer or router listen to IP
    >>> packets going to 239.0.0.0/8?

    >>
    >> It's a multicast range.



    If you have multicast enabled, then it would answer; that is the reason why
    we have multicast addresses. If you don't need that, disable it, depending on
    your kernel.

    > And this avahi crap that the cups dragged in (thanks apt!). Can I get
    > rid of it too? I already know the IP address of all 1 (count them!)
    > printers on my home network.


    I don't know which distribution you use, but in my installation I never got
    that while I installed cups; usually cups listens on 631.
    Avahi has nothing to do with cups (afaik).

    cheers
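    As an added example (not code from any poster in this thread), the POSIX shell script below generates and optionally applies the rule set the thread converges on in posts 4, 6 and 7: DROP rules for the 239.0.0.0/8 multicast range, UDP 1900 and TCP 5000/49152 on both OUTPUT and FORWARD, each preceded by the logging rule Burkhard suggests, plus the tcpdump filter he recommends for verifying it. The rate limit, log prefix, helper names and the eth0 interface name are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the outbound UPnP block
# the posters settle on: anything to the 239.0.0.0/8 multicast range, plus
# UDP 1900 and TCP 5000/49152 to any address. Every DROP gets a rate-limited
# LOG rule in front of it so the kernel log shows whether it is matching.
# Assumptions: iptables on PATH, root to apply, eth0 as the interface name.
UPNP_MCAST="239.0.0.0/8"
UPNP_UDP_PORTS="1900"
UPNP_TCP_PORTS="5000 49152"
LOG_LIMIT="5/min"   # assumed rate limit so a chatty client cannot flood the log

# Print LOG+DROP for one match expression in one chain; nothing is applied.
emit_pair() {
    chain="$1"; shift
    printf 'iptables -A %s %s -m limit --limit %s -j LOG --log-prefix "UPNP-%s: "\n' \
        "$chain" "$*" "$LOG_LIMIT" "$chain"
    printf 'iptables -A %s %s -j DROP\n' "$chain" "$*"
}

# All rules for one chain: OUTPUT covers this host's own traffic, FORWARD
# covers clients routed through it (the forward rule Burkhard mentions).
upnp_block_rules() {
    chain="$1"
    emit_pair "$chain" -d "$UPNP_MCAST"
    for p in $UPNP_UDP_PORTS; do emit_pair "$chain" -p udp --dport "$p"; done
    for p in $UPNP_TCP_PORTS; do emit_pair "$chain" -p tcp --dport "$p"; done
}

# tcpdump filter matching the same traffic, to confirm nothing leaks after
# the rules are loaded (and to see what was talking UPnP before they were).
upnp_watch_cmd() {
    printf "tcpdump -ni %s 'dst net %s or udp dst port %s or tcp dst port %s or tcp dst port %s'\n" \
        "${1:-eth0}" "$UPNP_MCAST" 1900 5000 49152
}

# "sh upnp-block.sh" prints the commands; "sh upnp-block.sh apply" runs them.
case "${1:-show}" in
    apply) for c in OUTPUT FORWARD; do upnp_block_rules "$c" | sh; done ;;
    show)  for c in OUTPUT FORWARD; do upnp_block_rules "$c"; done; upnp_watch_cmd ;;
esac
```

    After applying, `grep UPNP- /var/log/kern.log` (path varies by distribution) shows which rule caught what, and the tcpdump command should go quiet for this host's own traffic.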
