uPnP snitch? Is there any way to "see" pnp requests?

Hi. I try not to use uPnP but sometimes a client might be failing because of a closed port and it is annoying to figure it out.

So I was wondering... is there something that does nothing but listen and log uPnP requests? So if anything is not working properly, I just look at the logs and immediately know what to open up?

...not to mention getting to know if there's something malicious running on the clients trying to open things it is not supposed to.

Please post output of

ubus call system board
1 Like

LuCI shows ports opened by uPnP in "Services -> uPnP". From the same screen you can enable additional logging.

Why would that help? I'm looking for a generic service (also have several modems I want this for)

All modems are on "23.05.3" though, on ARMv8 CPUs.

That is only available after you install a full-blown uPnP service, which I do not want as it is a blatant security hole.

Please post output of

ubus call system board

And explain how upnp is a security hole?

1 Like

UPnP is indeed considered a security risk. The Wikipedia article has several mentions of flaws and vulnerabilities.

There are two major issues with the standard from a security standpoint (not counting any general implementation flaws):

  1. The first generation of the standard could request ports be opened/forwarded to any host on the network by any other host. This means that an infected PC could, for example, poke holes in the firewall aimed at another PC, thus allowing remote exploitation of other vulnerabilities in a given OS. This was fixed in the subsequent revisions (OpenWrt has a "secure" or "strict" mode or something like that) such that a host can only ask for ports forwarded to itself.
  2. Even notwithstanding the issue above, there is no user/admin notification of or control over the ports being opened/forwarded. Therefore, a bit of malware could open ports on the local machine, and in that case it could have specifically started services for whatever purpose it wants.
3 Likes
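Added example, not part of any post in this thread: a Python sketch of the check that "secure" mode implies, usable as logging logic. It parses the SOAP body of an IGD `AddPortMapping` request and flags a mapping whose `NewInternalClient` is not the requesting host. The function name `audit_request`, the sample addresses and the assumption that you already have the request body and its source IP (for example from a capture) are illustrative.

```python
import ipaddress
import xml.etree.ElementTree as ET

SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"

# Constructed sample request body (not captured traffic); addresses are placeholders.
SAMPLE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>27015</NewExternalPort>
   <NewProtocol>UDP</NewProtocol>
   <NewInternalPort>27015</NewInternalPort>
   <NewInternalClient>192.168.1.20</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>constructed-example</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""

def local_name(tag):
    """Strip an XML namespace: '{urn:...}AddPortMapping' -> 'AddPortMapping'."""
    return tag.rsplit("}", 1)[-1]

def audit_request(soap_xml, source_ip):
    """Return a log record for an AddPortMapping request, None for any other action."""
    if "<!DOCTYPE" in soap_xml or "<!ENTITY" in soap_xml:
        raise ValueError("DTD/entity declarations do not belong in a UPnP SOAP request")
    body = ET.fromstring(soap_xml).find(SOAP_BODY)
    if body is None or len(body) == 0 or local_name(body[0].tag) != "AddPortMapping":
        return None
    args = {local_name(c.tag): (c.text or "").strip() for c in body[0]}
    target = args.get("NewInternalClient", "")
    try:
        # Issue 1 above: the mapping points at a host other than the requester.
        cross_host = ipaddress.ip_address(target) != ipaddress.ip_address(source_ip)
    except ValueError:
        cross_host = True  # hostname or garbage: cannot be tied to the requester
    return {
        "source": source_ip,
        "internal_client": target,
        "protocol": args.get("NewProtocol", ""),
        "external_port": args.get("NewExternalPort", ""),  # kept as received
        "internal_port": args.get("NewInternalPort", ""),
        "description": args.get("NewPortMappingDescription", ""),
        "cross_host": cross_host,
    }
```

Every returned record is worth logging, which addresses issue 2 (no admin visibility); `cross_host` set to true marks the issue 1 case.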

Got it, other nat traversal does not traverse nat

If you are worried about unauthorized network traffic on LAN, you have bigger issues than uPnP.
Sadly it's the only option for things like multiple Xboxes playing p2p networked games.

I think miniupnpd is not automatically enabled after install, and you could even create the config to have it disabled before installing it, if you are truly worried about a LAN device opening a port the very second you install uPnP.