Miniupnpd deprecated

After loading 158, Miniupnpd quit working. I found where it’s being removed from Pakfire, but it hasn’t been yet and the current package no longer works. The rule tag is gone and IPFire won’t allow you to set it to come up on boot. Is there another package that allows this kind of functionality, or are rules the only way to replicate it for green NAT connections through the firewalls? And if so, does anyone have a set of rules that just work for both PS5 and Xbox?

Hi,

first, welcome to the IPFire community. :slight_smile:

Indeed, both the miniupnpd add-on and the underlying libupnp are going to be removed in upcoming Core Update 158 (please refer to this and this commit for technical details). Since no testing version of this Core Update is available yet, we did not announce this broadly, but certainly will.

Our reasons to do so are twofold:

  1. UPnP is a security risk by design. Made to tell network perimeters to establish port forwardings and firewall access rules on an internal device’s demand, it basically contradicts the reason why someone would set up a firewall like IPFire: to gain control over his/her network traffic.
    Even some commercial routers are starting to limit UPnP, or dropping the functionality entirely.

  2. UPnP support in IPFire did not receive any attention in the recent past. None of the core developers is using UPnP (for good reasons described above), so it was impossible to tell whether software updates will break anything or not. Especially not if the behaviour depends on the network devices used, which is quite a diverse area thanks to various vendors, standards, and applications.

I am sorry not to offer any better solution. In terms of security, I would recommend to place your network devices needing port forwardings in a dedicated network zone (BLUE will be fine unless already in use, ORANGE would be the second choice then), and create firewall rules for them (see this blog post for some recommendations on how to do so).

Given the worst-case scenario, only one of your networks would be compromised - systems in GREEN remain unharmed. Yes, this is more laborious, but also more secure. :slight_smile:

Thanks, and best regards,
Peter Müller

3 Likes

I’m sorry, but for gamers this is a really bad call. There is no way other than the use of upnp to allow more than one Xbox or Playstation to have full network access. You can edit miniupnpd.conf to limit upnp access to devices that need it, thus minimizing the risk.

If you’re going to deprecate features based upon them being a security risk by design, why not eliminate port forwarding entirely? Obviously, the reason you couldn’t do that is that it would completely destroy people’s ability to be connectable from the outside. So you have to give people the ability to shoot themselves in the foot, because not doing so would break their internet.

My network relied on miniupnpd and its removal has broken a lot of functionality. If you guys aren’t going to restore it, I’ll have to try to migrate to pfsense.
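As an added illustration of the restriction the post above mentions (this is a constructed example, not text from the thread and not IPFire's shipped configuration), here is a miniupnpd.conf permission block that lets only one LAN host request port mappings, with the permissive form it replaces left in as a comment for contrast. The interface name and all addresses are placeholders.

```conf
# Constructed example of a restricted miniupnpd.conf permission section.
# ext_ifname and the addresses below are placeholders, not real values.
ext_ifname=red0
listening_ip=192.168.1.1/24

# Permissive form (what most sample configs ship with): any host on the
# LAN may ask the perimeter to open any port above 1024. Kept here only
# for contrast, so it is commented out.
#allow 1024-65535 192.168.1.0/24 1024-65535

# Restricted form: only the console (constructed address 192.168.1.50)
# may request mappings, only for ports above 1024. Rules are evaluated
# top to bottom, so everything else falls through to the final deny.
allow 1024-65535 192.168.1.50/32 1024-65535
deny 0-65535 0.0.0.0/0 0-65535

# A client may only create mappings that point at its own address,
# so one host cannot open ports towards another host on the LAN.
secure_mode=yes
```

This narrows who may open ports, but it does not change the underlying point made elsewhere in the thread: an allowed host can still open any high port on the perimeter without the administrator reviewing it.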

Hi,

not being a gamer myself, I am pretty sure there is one: Put the device into a dedicated network zone, and configure IPFire to forward traffic to any incoming port to this device.

You apparently have no idea what you are talking about. UPnP is completely different from manually created port forwardings.

Well, we are doing security here. This is what IPFire is for.

If you think your wisdom is greater than ours, spending hours and hours on the phone to protect our users, and having done so for years: Go ahead and use something else.

Thanks, and best regards,
Peter Müller

2 Likes