File: INSTALL

miniupnpd 2.3.9-2
MiniUPnP project.
(c) 2006-2025 Thomas Bernard
Homepage : http://miniupnp.free.fr/
Mirror: https://miniupnp.tuxfamily.org/
github: https://github.com/miniupnp/miniupnp

If you find some outdated information in this documentation, please fix
or report the issue on https://github.com/miniupnp/miniupnp or the web
forum https://miniupnp.tuxfamily.org/

================================ *BSD/pf =================================
To Build and Install :

- first use ./configure
  For more details about options :
  > ./configure -h
  then edit config.h to fine tune to your preferences.
- use BSD make to compile.
- add "rdr-anchor miniupnpd" and/or "anchor miniupnpd" lines to /etc/pf.conf
  (Since OpenBSD 4.7, rdr-anchor lines are no longer used and should be
  removed, leaving only the anchor lines).
- some FreeBSD users reported that it is also necessary for them
  to explicitly allow UDP traffic to 239.0.0.0/8 by adding the following two
  lines to /etc/pf.conf :
   pass out on $int_if from any to 239.0.0.0/8 keep state
   pass in on $int_if from any to 239.0.0.0/8 keep state
- don't forget to " pfctl -f /etc/pf.conf "
- you can check your modifications are taken into account with
  "pfctl -s nat" and "pfctl -s rule". Look for the "rdr-anchor miniupnpd"
  (if applicable) and/or "anchor miniupnpd" lines.
- OpenBSD users may need to add a multicast_host= line to /etc/rc.conf.local
  (see "man 8 netstart")
- install as root using :
  # make install
  or
  # PREFIX=/usr/local make install
- run as root : The daemon needs rights to modify pf rules.

=========================== *BSD,*Solaris/ipf =============================

configure tries to detect whether ipf or pf should be
used. If it fails, you can use ./configure --firewall=ipf
Installation steps are almost the same as with pf.

*Solaris users may be interested in reading the information at :
http://blogs.sun.com/avalon/category/IPFilter

============================= Mac OS X/ipfw ===============================

- To enable non-standard compilation options,
  > ./configure -h
- use either 'bsdmake -f Makefile.bsd' (if available) or 'make' to build

============================== Mac OS X/pf ================================

Starting with Mac OS X 10.7 Lion, pf replaced ipfw as the OS X firewall.
Also, bsdmake is no longer available.
Make sure you have installed the Xcode command line tools (from the
Xcode Preferences menu or using the 'xcode-select --install' command).

You need to download the xnu sources : https://opensource.apple.com/tarballs/xnu/
- If the xnu version is >= 4570,
  > ./configure
  Then edit config.h, adding line "#define PFVAR_NEW_STYLE" to it.
> INCLUDES="-I.../xnu/bsd -I.../xnu/libkern" make

============================ Linux/netfilter ==============================
To Build and install :

- make sure you have libiptc available on your system :
  if you are using Debian :
  > apt-get install iptables-dev
  or
  > apt-get install libxtables-dev libiptc-dev
  Other useful Debian packages : libmnl-dev, libnetfilter-conntrack-dev.
  Some versions of the iptables-dev package don't include the
  necessary files : read "how to get libiptc with its headers on debian" below.
  In any case, libiptc is available in the iptables source packages
  from http://netfilter.org
- You should also have libcap/libcap-ng for privilege dropping:
  > apt-get install libcap-ng-dev
  And libuuid to generate UUIDs at runtime for events:
  > apt-get install uuid-dev
- edit and run the netfilter/iptables_init.sh shell script.
  This script must always be run before the daemon
  to set up the initial rules and chains.
- Generate and edit the config.h file
  > ./configure
  > vi config.h
- Build the daemon
  > make
  If not using iptables from your system,
  > ./configure --iptablespath=/path/to/iptables-1.4.1
  > make
- install as root using :
  > make install
- A miniupnpd script should be installed to /etc/init.d
  and the configuration files to /etc/miniupnpd
- at any time, you can use the netfilter/iptables_flush.sh
  script to flush all rules added by the daemon.
- after killing the daemon, you can get back to
  iptables initial state by running the netfilter/iptables_removeall.sh
  script. Don't forget to edit the script to your convenience.

NOTE: a /etc/init.d/miniupnpd script will be installed.
  If it suits you, you can use it with the start, stop or restart argument.
  # /etc/init.d/miniupnpd restart


How to get libiptc with its headers on debian :
(Note: this should no longer be necessary now that netfilter/tiny_nf_nat.h is included)
- Use apt-get to get the sources :
  > apt-get source iptables
  you should then have an iptables-x.x.x/ directory.
- configure and compile :
  > cd iptables-x.x.x/
  > ./configure --enable-static
  > make
- it is now possible to compile miniupnpd using the following command :
  > ./configure --iptablespath=/path/to/iptables-x.x.x
  > make

======================== Linux/netfilter nftables =========================

Install the required development libraries. For Debian :
 > apt-get install libnftnl-dev libmnl-dev
Also useful :
 > apt-get install libnetfilter-conntrack-dev
 > apt-get install libcap-ng-dev
 > apt-get install uuid-dev

To build :
 > ./configure --firewall=nftables
 > make

see :
https://miniupnp.tuxfamily.org/forum/viewtopic.php?p=4370
https://github.com/miniupnp/miniupnp/pull/114

=========================== Configuration =============================
The configuration file is either installed to /etc/miniupnpd.conf (BSD)
or /etc/miniupnpd/miniupnpd.conf (Linux)
Almost all options are also available through command line switches.

A basic configuration would set :
ext_ifname :   WAN network interface (interface connected to the internet)
listening_ip : LAN network interface (network where to supply NAT traversal)
enable_pcp_pmp=yes
enable_upnp=yes
and the permission rules (see below).

Historically, the LAN had to be specified by IP/mask, such as
listening_ip=192.168.0.1/24
but if you compiled with IPv6 support, you need to specify an interface name :
listening_ip=eth0
The current code assumes there is only one IPv4 address assigned to LAN
interfaces. That is not the case with some CARP setups; there is then a risk
that the wrong mask would be picked. You can force the mask when using interface
names :
listening_ip=eth0/24

Some users want to use miniupnpd on a NAT router which is connected to the
internet through another NAT router (NAT behind NAT). This kind of setup is
strongly discouraged. miniupnpd will refuse to launch when it detects a
private (RFC1918) "WAN" IP address. The ext_ip option should be added :
ext_ifname=eth1  # "WAN" network interface, whose IP could be 192.168.1.22
ext_ip=80.1.2.3  # Real public IP address
listening_ip=eth0
Please note that miniupnpd doesn't redirect any port on the other NAT router.
Forwarding of UPnP requests is not implemented.
It is however possible to use STUN. See the ext_perform_stun / ext_stun_host /
ext_stun_port options.

It is also possible to set a different interface for the IPv6 WAN :
ext_ifname=eth0
ext_ifname6=sit0

miniupnpd supports a permission check for allowing or denying the
redirections that clients request. The UPnP permission rules are read from the
miniupnpd.conf configuration file.
When a new redirection is requested, permission rules are evaluated in
top-down order and the first permission rule matched gives the response :
redirection allowed or denied. If no rule matches, the redirection is
allowed, so it is good practice to have a "catch all" deny permission
rule at the end of your permission ruleset.
Sample permission ruleset :
allow 4662-4672 192.168.1.34/32 4662-4672
deny 0-65535 192.168.1.34/32 0-65535
allow 1024-65535 192.168.1.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
With this ruleset, redirections are allowed only for hosts on the subnet
192.168.1.0/255.255.255.0 and for the ports 1024 or above. There is an exception
for the host 192.168.1.34, for which only redirections from/to ports 4662 to
4672 are allowed.

You can generate the UUID for your UPnP device with the uuidgen tool available
under Linux. The following OpenBSD package also provides a "uuid" tool :
http://www.openbsd.org/4.0_packages/i386/uuid-1.5.0.tgz-long.html
A web-based UUID generator is also available :
http://kruithof.xs4all.nl/uuid/uuidgen

On Linux systems, one could also use the command
'cat /proc/sys/kernel/random/uuid' to generate a UUID.

Simpler still, use the genuuid makefile target :
> make genuuid
This target is needed by the "install" target, so it is done automatically
during install.

To stop the daemon use :
  # kill `cat /var/run/miniupnpd.pid`
or, if your Linux system uses /etc/init.d/ :
  # /etc/init.d/miniupnpd stop


* Signals :
miniupnpd handles the following signals :
SIGUSR1: Send public IP address change notification
SIGUSR2: Handle special actions in Tomato Firmware version
         Or rewrite the lease_file
SIGINT:  Close gracefully
SIGTERM: Close gracefully
SIGPIPE: Ignore

There is code to detect changes in network interfaces (bsd/ifacewatcher.c and
linux/ifacewatcher.c), but if that code doesn't work for you, you may want to
send SIGUSR1 to miniupnpd when your public IP address changes.