Miniupnpd deprecated

After loading 158, Miniupnpd quit working. I found where it’s being removed from Pakfire, but it hasn’t been yet and the current package no longer works. The rule tag is gone and IPFire won’t allow you to set it to come up on boot. Is there another package that allows this kind of functionality, or are rules the only way to replicate it for GREEN NAT connections through the firewall? And if so, does anyone have a set of rules that just work for both PS5 and Xbox?

Hi,

first, welcome to the IPFire community. :slight_smile:

Indeed, both the miniupnpd add-on and the underlying libupnp are going to be removed in the upcoming Core Update 158 (please refer to this and this commit for technical details). Since no testing version of this Core Update is available yet, we did not announce this broadly, but certainly will.

Our reasons to do so are twofold:

  1. UPnP is a security risk by design. Made to tell network perimeters to establish port forwardings and firewall access rules on an internal device’s demand, it basically contradicts the reason why someone would set up a firewall like IPFire: to gain control over his/her network traffic.
    Even some commercial routers are starting to limit UPnP, or dropping the functionality entirely.

  2. UPnP support in IPFire did not receive any attention in the recent past. None of the core developers is using UPnP (for good reasons described above), so it was impossible to tell whether software updates will break anything or not. Especially not if the behaviour depends on the network devices used, which is quite a diverse area thanks to various vendors, standards, and applications.

I am sorry not to offer any better solution. In terms of security, I would recommend to place your network devices needing port forwardings in a dedicated network zone (BLUE will be fine unless already in use, ORANGE would be the second choice then), and create firewall rules for them (see this blog post for some recommendations on how to do so).

Given the worst-case scenario, only one of your networks would be compromised - systems in GREEN remain unharmed. Yes, this is more laborious, but also more secure. :slight_smile:

Thanks, and best regards,
Peter Müller

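The advice in the reply above (put the consoles in their own zone, forward only the ports they need, and keep that zone away from GREEN) is what a UPnP mapping would otherwise do on the device's say-so. The following is an added example, not code from the post, the linked blog post, or IPFire's own firewall scripts: a small POSIX shell script that emits the equivalent plain iptables commands as a dry run, so you can see what a static replacement for a UPnP mapping consists of. Interface names (red0, blue0), the GREEN network, the console address and the port numbers are all assumptions for illustration; take the real port list from the console vendor's documentation, and on IPFire create the rules through the web interface's firewall rule editor rather than pasting iptables commands.

```shell
#!/bin/sh
# Added example, not IPFire's own configuration: emit iptables commands that
# replace a UPnP-created mapping with an explicit, static port forward to a
# console in a separate zone, plus an isolation rule protecting GREEN.
# All names, addresses and ports below are assumed placeholder values.

RED_IF="${RED_IF:-red0}"                   # assumed WAN interface name
BLUE_IF="${BLUE_IF:-blue0}"                # assumed console/IoT zone interface
GREEN_NET="${GREEN_NET:-192.168.1.0/24}"   # assumed GREEN network
CONSOLE_IP="${CONSOLE_IP:-192.168.2.10}"   # assumed console address in BLUE

# forward_rule PROTO PORT
# Prints the two rules one UPnP mapping would otherwise create:
#   1. DNAT incoming RED traffic on PORT to the console
#   2. allow exactly that new flow RED -> BLUE, nothing else
forward_rule() {
  proto="$1"; port="$2"
  echo "iptables -t nat -A PREROUTING -i $RED_IF -p $proto --dport $port -j DNAT --to-destination $CONSOLE_IP:$port"
  echo "iptables -A FORWARD -i $RED_IF -o $BLUE_IF -p $proto -d $CONSOLE_IP --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# isolation_rules
# Replies to existing connections are allowed first; then anything the
# console zone initiates towards GREEN is dropped, so a compromised console
# cannot pivot into the trusted network (the worst case the reply describes).
isolation_rules() {
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $BLUE_IF -d $GREEN_NET -j DROP"
}

# build_rules proto/port [proto/port ...]
# Prints the complete rule set for a list of specs such as "tcp/3074 udp/3074"
# (placeholder port numbers, not a vendor-documented list).
build_rules() {
  isolation_rules
  for spec in "$@"; do
    proto="${spec%/*}"
    port="${spec#*/}"
    forward_rule "$proto" "$port"
  done
}

# Example invocation when run directly: ./forward.sh tcp/3074 udp/3074
if [ "$#" -gt 0 ]; then
  build_rules "$@"
fi
```

Nothing is applied; the script only prints. Review the output, then translate each line into a rule in the IPFire firewall editor, keeping the same structure: one forward per protocol and port towards the console's zone, and a standing block from that zone to GREEN.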