Don't want UPnP bound to 0.0.0.0

Miniupnp version: miniupnpd 2.1.20200510 HEAD-787ced8d0b Jul 1 2022
For security reasons, we don't want miniupnpd bound to 0.0.0.0, as shown in the check below.

/etc/init.d # netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      14990/dnsmasq
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      10895/lighttpd
tcp        0      0 127.0.0.1:62000         0.0.0.0:*               LISTEN      10656/qt_AppAdaptor
tcp        0      0 127.0.0.1:62001         0.0.0.0:*               LISTEN      10653/network_daemo
tcp        0      0 127.0.0.1:17171         0.0.0.0:*               LISTEN      12450/atcid
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      8767/adbd_usb
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      11076/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      11076/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      9035/dropbear
tcp        0      0 127.0.0.1:52000         0.0.0.0:*               LISTEN      10653/network_daemo
tcp        0      0 :::9999                 :::*                    LISTEN      14990/dnsmasq
tcp        0      0 :::50000                :::*                    LISTEN      28489/miniupnpd
tcp        0      0 :::80                   :::*                    LISTEN      10895/lighttpd
tcp        0      0 fe80::366f:24ff:fec0:c342:53 :::*                    LISTEN      11076/dnsmasq
tcp        0      0 fe80::366f:24ff:fec0:c343:53 :::*                    LISTEN      11076/dnsmasq
tcp        0      0 fe80::2871:58ff:fe5e:9877:53 :::*                    LISTEN      11076/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      11076/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      9035/dropbear
tcp        0      0 :::23                   :::*                    LISTEN      12734/telnetd
tcp        0      0 :::12865                :::*                    LISTEN      10905/netserver
udp        0      0 192.168.1.1:53          0.0.0.0:*                           11076/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           11076/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           11076/dnsmasq
udp        0      0 0.0.0.0:9999            0.0.0.0:*                           14990/dnsmasq
udp        0      0 127.0.0.1:52013         0.0.0.0:*                           28635/dmclient
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           28489/miniupnpd
udp        0      0 192.168.1.1:46487       0.0.0.0:*                           28489/miniupnpd
udp        0      0 :::547                  :::*                                10520/odhcpd
udp        0      0 fe80::366f:24ff:fec0:c342:53 :::*                                11076/dnsmasq
udp        0      0 fe80::366f:24ff:fec0:c343:53 :::*                                11076/dnsmasq
udp        0      0 fe80::2871:58ff:fe5e:9877:53 :::*                                11076/dnsmasq
udp        0      0 ::1:53                  :::*                                11076/dnsmasq
udp        0      0 :::9999                 :::*                                14990/dnsmasq

I had changed the int_addr in the perm_rule config to 192.168.1.1 instead of 0.0.0.0/0.
However, the 0.0.0.0 still shows up in the security check after restarting miniupnpd.

config upnpd 'config'
        option enabled '1'
        option enable_natpmp '0'
        option secure_mode '1'
        option log_output '0'
        option download '1024'
        option upload '512'
        option internal_iface 'lan'
        option port '50000'
        option upnp_lease_file '/var/run/miniupnpd.leases'
        option igdv1 '0'
        option friendly_name '5G WiFi'
        option manufacturer_name 'AAA'
        option manufacturer_url 'http://www.AAA.com'
        option model_name '5G WiFi'
        option presentation_url 'http://5g.wifi'
        option notify_interval '60'
        option clean_ruleset_interval '600'
        option uuid '6aaa0dcc-eeee-4a68-80f1-3d37f86c7645'
        option enable_upnp '1'

config perm_rule
        option action 'allow'
        option ext_ports '1024-65535'
        option int_addr '0.0.0.0/0'
        option int_ports '1024-65535'
        option comment 'Allow high ports'

config perm_rule
        option action 'deny'
        option ext_ports '0-65535'
        option int_addr '0.0.0.0/0'
        option int_ports '0-65535'
        option comment 'Default deny'

???

You run the firewall, correct?

Hi @lleachii
Yes, our system has the firewall turned on.

Okay...

Did you fix what I showed you?

The settings shown don't match what you told us.

Hi @lleachii ,
Let me describe the purpose more clearly.
As you can see in the netstat table above, there are two records for the UPnP functionality:
udp 0 0 0.0.0.0:1900 0.0.0.0:* 28489/miniupnpd
udp 0 0 192.168.1.1:46487 0.0.0.0:* 28489/miniupnpd

We would like to remove this one record, because 0.0.0.0:1900 is not secure:
udp 0 0 0.0.0.0:1900 0.0.0.0:* 28489/miniupnpd

How can we achieve this by changing the configuration?
(Our UPnP configuration is also shown in the post above.)

thanks

Did you study https://openwrt.org/docs/guide-user/firewall/upnp/miniupnpd ?

You can't. Due to the nature of the protocol, miniupnpd cannot bind to specific IP addresses, it needs to send and receive certain UDP traffic on the interface, regardless of the underlying IPv4 address config of the particular interface.

It does use SO_BINDTODEVICE to bind to specific netdevs though, so while you see 0.0.0.0 in netstat, it does not mean that miniupnpd will accept traffic on any interface.
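A way to verify that last point from the device itself (added here as an example, not part of the thread): iproute2's `ss` appends `%<ifname>` to the local address of a socket that has SO_BINDTODEVICE set, which busybox `netstat` does not show. The sample `ss -ulpn` output below is constructed from the thread's netstat table, and the interface name `br-lan` is an assumption.

```shell
#!/bin/sh
# Added example: tell a plain wildcard bind (0.0.0.0:port, reachable on
# every interface) from a wildcard bind restricted to one netdev via
# SO_BINDTODEVICE, using the "%ifname" suffix that iproute2 `ss` prints.

# Constructed sample of `ss -ulpn` output; the "%br-lan" suffix on the
# miniupnpd SSDP socket is assumed for the example.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0%br-lan:1900    0.0.0.0:*   users:(("miniupnpd",pid=28489,fd=6))
udp   UNCONN 0      0      192.168.1.1:46487      0.0.0.0:*   users:(("miniupnpd",pid=28489,fd=7))
udp   UNCONN 0      0      0.0.0.0:67             0.0.0.0:*   users:(("dnsmasq",pid=11076,fd=4))'

# bound_dev <program> <port>: reads `ss -ulpn` output on stdin and prints
#   <ifname>      if the socket is a wildcard bind tied to that netdev,
#   ANY           if it is a wildcard bind with no device restriction,
#   <address>     if it is bound to one specific address,
#   NONE          if no matching socket is listed.
bound_dev() {
    awk -v prog="$1" -v port="$2" '
        # only lines whose Process column names the program we care about
        index($0, "\"" prog "\"") == 0 { next }
        {
            p = $5;    sub(/.*:/, "", p)          # text after the last ":" = port
            addr = $5; sub(/:[^:]*$/, "", addr)   # everything before it = address
            if (p != port) next
            if (index(addr, "%") > 0) {           # "0.0.0.0%br-lan" => SO_BINDTODEVICE
                split(addr, b, "%"); print b[2]; found = 1; exit
            }
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") {
                print "ANY"; found = 1; exit
            }
            print addr; found = 1; exit
        }
        END { if (!found) print "NONE" }'
}

# Live variant for a router with iproute2 installed (busybox netstat lacks
# the ifname information).
live_bound_dev() { ss -ulpn | bound_dev "$@"; }

# Example run against the constructed sample: prints "br-lan", i.e. the
# 0.0.0.0:1900 socket only accepts datagrams arriving on br-lan.
printf '%s\n' "$SAMPLE_SS" | bound_dev miniupnpd 1900
```

A result of `ANY` for the SSDP port would mean the socket really is reachable on every interface and only the firewall stands between it and the WAN.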