Untangle Forums > General Forums > Networking
UPnP + Firewall + NAT Questions

#1 Deathcon1 (Untanglit), 02-07-2010, 11:20 AM

I have a few questions relating to what's going on under the hood of Untangle, all depending on each other, so... here goes!

First question: Is IPTables responsible for handling both NAT and the Firewall? Being the standard tool for both I'll assume it is, but it doesn't hurt to double check.

Second question: if the above is true, then will setting the firewall to default log+block still allow UPnP-mapped ports to function (assuming there is a UPnP daemon running)?

Third question: I do have some static ports that need to be forwarded. If I set the default rules to log+block, will I have to explicitly allow those in both the firewall and port forward panels?

Fourth question: I can't remember if NAT happens before or after the Firewall function, so if I have to explicitly open the ports up in the firewall, will the source be $EXTIF with the destination the $EXTIP, $INTIP, or the internal address of the destination machine? (Note: the $ is local to the Untangle box, i.e. $INTIP is the internal IP of the box, $EXTIP is the WAN IP, etc...)

Thanks in advance,
#2 Solignis (Untangle Ninja), 02-07-2010, 01:52 PM

As far as I am aware NAT happens before the firewall app.

As far as using UPnP, why do you need to use that? I have always been told to stay away from UPnP because if a virus gets loose it will have the ability to map ports it needs for itself. That being the biggest one, I have heard other things also.

Instead of UPnP, why not just use static port forwards for everything? Usually a quick Google search can give you the answer to which port does what.
__________________
With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead.
#3 pirateghost (Master Untangler), 02-07-2010, 02:06 PM

Quote (Originally Posted by Solignis):
> Instead of UPnP why not use just static port forwards for everything. Usually a quick Google search can give you the answer to which port does what.

Unfortunately, having multiple consoles and/or gaming PCs, sometimes they require UPnP due to the nature of the game/app in question.

I stayed away from UPnP for the longest time, until I got Call of Duty Modern Warfare 2. I play it and my wife plays it. Unlike the older versions of Call of Duty where you could force it to use a different port (and thereby use static port forwards for multiple machines), it will not allow you to force a different port. I had to enable UPnP on my pfSense router... uggh, and it only works about 60% of the time. I think it's horrible that more game makers will be moving toward this model and require more of this in the future. I would love to see an alternative way to make this happen.

I think it's stupid that to play a game you have to open ports on your firewall/router; this requires non-technical people to open up their systems to the world without fully understanding the consequences of what could happen.
#4 Deathcon1 (Untanglit), 02-07-2010, 06:44 PM

That's exactly right - this is in my current house and I'd rather not be woken up at 4AM so buddy can play the newest game his other buddy brought over - hence the UPnP.

Does anyone have the answers for my other questions regarding default block on the firewall? Thanks for your answers about NAT before the firewall (thought it was that way but wanted to be sure.)
#5 sky-knight (Untangle Ninja), 02-07-2010, 07:04 PM

The answer to uPnP is for people to stop buying the games that require it. There is no known way to get multiple Modern Warfare 2 games operating behind an Untangle server. For that matter, there is no known way to get anything that is that badly coded to work behind ANY business class routing equipment.

PFSense and Monowall support uPnP, but it has to be enabled manually. It's a terrible idea, terrible technology, and it is leveraged by developers that don't have a clue.

I've been fighting this fight with multiple game developers over the years... it will never get any better until the customers of these companies start demanding they fix their crap.

P.S. If you haven't gathered this by reading between the lines: Untangle does NOT support uPnP.
__________________
Intouch Technology
Rob Sandling, BS:SWE, MCP
Office: 480-272-9889
rob@intouchtechllc.com

Last edited by sky-knight; 02-07-2010 at 07:07 PM..
#6 Solignis (Untangle Ninja), 02-07-2010, 07:31 PM

I realize I am not the OP, but I think I still may have a solution to this issue.

What if you had m0n0wall / pfSense as the border router and used UT in bridge mode?
#7 Deathcon1 (Untanglit), 02-10-2010, 08:26 PM

Quote (Originally Posted by sky-knight):
> P.S. If you haven't gathered this by reading between the lines. Untangle does NOT support uPnP.

I agree that UPnP is terrible, but again it's worth not having a roommate knock on my door at 2:30AM so he/she can play their latest game. Thanks for the solid answer on whether UPnP is supported or not, though. I prefer solid answers to guesswork.

What about my 3rd question, i.e. will I have to create duplicate rules for port forwarding within the firewall tab or will that be taken care of transparently?
#8 Solignis (Untangle Ninja), 02-10-2010, 09:27 PM

Hmmm. If you put a router in front of UT, I am under the impression that UT will just inspect the traffic. I don't think bridge mode performs any NAT unless you configure it.
#9 sky-knight (Untangle Ninja), 02-11-2010, 12:03 AM

Firewall manipulation isn't the issue. uPnP dynamically programs port forwards. You can't forward a port to more than one internal address. So no matter how open your firewall is, the packets will never survive NAT.
#10 pirateghost (Master Untangler), 02-11-2010, 07:48 AM
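Solignis's answer that NAT happens before the firewall and sky-knight's point that one port cannot be forwarded to two internal hosts, as an added example that is not from the thread: a small Python model of stock netfilter ordering (DNAT in nat/PREROUTING, then the filter/FORWARD chain) with a hypothetical Gateway class and constructed addresses. It is an assumption that Untangle's Firewall app matches this netfilter order; the model shows that with a default block policy an allow rule must name the internal destination, not $EXTIP, and that a second forward of the same external port is refused.

```python
from dataclasses import dataclass, replace

EXT_IP = "203.0.113.10"   # constructed WAN address, the thread's $EXTIP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"


class Gateway:
    """Hypothetical model of a NAT router: DNAT first, then the FORWARD filter."""

    def __init__(self, default_policy="DROP"):
        self.forwards = {}        # (proto, ext_port) -> (internal_ip, int_port)
        self.allowed = set()      # (dst_ip, dport) pairs accepted by the filter
        self.default_policy = default_policy   # the thread's "log+block"

    def add_forward(self, proto, ext_port, internal_ip, int_port):
        """Map one external port to one internal host; a second host is refused."""
        key = (proto, ext_port)
        if key in self.forwards and self.forwards[key] != (internal_ip, int_port):
            return False          # same external port, different internal host
        self.forwards[key] = (internal_ip, int_port)
        return True

    def allow(self, dst_ip, dport):
        """Firewall allow rule, matched on whatever destination the filter sees."""
        self.allowed.add((dst_ip, dport))

    def prerouting_dnat(self, pkt):
        """nat/PREROUTING: rewrite the destination before any filtering runs."""
        target = self.forwards.get((pkt.proto, pkt.dport))
        if pkt.dst == EXT_IP and target:
            return replace(pkt, dst=target[0], dport=target[1])
        return pkt

    def forward_filter(self, pkt):
        """filter/FORWARD: only ever sees the post-DNAT (internal) destination."""
        key = (pkt.dst, pkt.dport)
        return "ACCEPT" if key in self.allowed else self.default_policy

    def handle(self, pkt):
        """Return (destination after NAT, verdict) for one inbound packet."""
        translated = self.prerouting_dnat(pkt)
        return translated.dst, self.forward_filter(translated)
```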

I have read that you can forward a port to a broadcast address and get a pseudo-UPnP, so that when a machine requests the port it will allow it, but I haven't gotten it to work in my tests.

Am I barking up the wrong tree here, or is this possible?

Tags: firewall, iptables, nat, upnp

All times are GMT -7.