Difference between revisions of "Bering-uClibc 5.x - User Guide - Advanced Topics - Setting Up a Network Emulator"

From bering-uClibc
Jump to: navigation, search
(Created page with '{| summary="Navigation header" width="100%" ! colspan="3" align="center" | [[Bering-uClibc 5.x - User Guide - Advanced Topics - Setting Up Universal Plug and Play|Advanced Topics…')
 
(Blanked the page)
Line 1: Line 1:
{| summary="Navigation header" width="100%"
 
! colspan="3" align="center" | [[Bering-uClibc 5.x - User Guide - Advanced Topics - Setting Up Universal Plug and Play|Advanced Topics - Setting Up Universal Plug and Play]]
 
|-
 
| width="20%" align="left"  | [[Bering-uClibc 5.x - User Guide - Advanced Topics - Setting Up Zeroconf Networking|Prev]]
 
! width="60%" align="center" | [[Bering-uClibc 5.x - User Guide]]
 
| width="20%" align="right"  | [[Bering-uClibc 5.x - User Guide - Advanced Topics - Setting Up Tor|Next]]
 
|}
 
----
 
  
 
'''This material copied directly from http://leaf.sourceforge.net/doc/bucu-upnpd.html - needs to be checked/updated for Bering-uClibc 5.x!'''
 
 
==Overview of UPnP==
 
''Universal Plug and Play'' is intended to automate the installation and configuration of a small network as much as possible. This means that UPnP capable devices can join and leave a network without any effort of a network administrator.
 
 
The <code class="filename">upnpd.lrp</code> Package provides ''Internet Gateway Device'' services to the network. It is a port of the [http://linux-igd.sourceforge.net/ linux-igd project] and [http://upnp.sourceforge.net/ UPnP SDK project] to the LEAF environment. The firewall will advertise itself as an ''Internet Gateway''to all UPnP control points (clients). The clients can query the firewall to learn more about its status (bandwidth, traffic statistics), but one of the most useful features is the ability for client applications to request NAT/firewall traversal.
 
 
While many common applications running on the Internet are simple client requests which are NAT and firewall friendly (e.g. http), some applications require the host behind the NAT/firewall device to receive inbound sessions. Common examples of this include ''direct connect'' features for instant messaging/multimedia conferencing (e.g. AIM, MSN, Y! Messenger). Other examples include peer-to-peer applications like Bittorrent and Gnutella. In each of these cases, the clients act as temporary servers, but these clients may be desktop machines that are assigned dynamic addresses and use dynamic port assignment. Hand configured <code class="code">DNAT</code> and <code class="code">FORWARD</code> rules on the firewall don't work well in such an environment.
 
 
For more information on UPnP, search the Intel and Microsoft websites for descriptions of UPnP. Alcatel has provided a [http://www.speedtouch.nl/docs/AppNotes/AppNote_UPnP.pdf good overview] of the internals of the UPnP protocol and how it works with their SOHO routers, the basic concepts are similar and can be used to understand this implementation.
 
 
'''Warning:''' The Universal Plug-n-Play IGD protocol assumes that the devices on the inside of your firewall are trusted, -and- that there is only one exterior interface that requires NAT traversal. This is the common case in small offices and homes. Most SOHO routers shipped today support UPnP because it is such a useful feature. However, a malicious or compromised control point (client on your internal network) can potentially open up a hole in your firewall from the Internet to any port on any machine on your internal network. Additionally, this particular implementation has not undergone rigorous security testing and may be vulnerable to buffer overflows, allowing a malicious control point to gain unauthorized access to the firewall. It is imperative that only trusted hosts be allowed to interact with the UPnP services running on the firewall.
 
 
This implementation of UPnP IGD services assumes that there is a single UPnP client network (internal network) and a single external (Internet) connection. While it will run on a multi-port firewall, only one internal interface should be allowed to interact with the UPnP daemon. If you wish to use this on a firewall with multiple interfaces with different security policies, it is your responsibility to insure that your firewall policy does not allow a UPnP client on one interface to open up a hole in your firewall to a host on another interface.
 
 
==Firewalling UPnP==
 
The UPnP server does not require, and should not be allowed any access to or from any network other than the internal client network. For UPnP to operate, your firewall must allow the following:
 
 
{| summary="Firewall passthroughs" border="1"
 
|-
 
! align="left" | Protocol/Port
 
! align="left" | Destination
 
! align="left" | Remarks
 
|-
 
| align="left" | UDP 1900
 
| align="left" | fw to/from local
 
| align="left" | SSDP announcements
 
|-
 
| align="left" | TCP 49152
 
| align="left" | fw from local
 
| align="left" | HTTP/XML mini-server
 
|-
 
| align="left" | TCP <span class="emphasis">''any port''</span>
 
| align="left" | fw to local
 
| align="left" | HTTP/XML queries of other UPnP devices
 
|-
 
| align="left" | UDP <span class="emphasis">''any port''</span>
 
| align="left" | fw to local
 
| align="left" | respond to remote SSDP requests
 
|}
 
 
Additionally, both UPnP on the router and on your control-point clients generate SSDP packets which are multicast to 239.255.255.250. Both also send and listen to IGMP join messages on 224.0.0.22. You must have a route covering these multicast groups pointing towards your internal network or the announcements will be sent towards your default route, which is almost always not what you want. The UPnP wrapper scripts provided in this package will set up a multicast route for you, or you can specify what you want in <code class="filename">/etc/default/upnpd</code>.
 
 
When a client requests NAT traversal, rules will be created in the <code class="code">forwardUPnP</code> <code class="code">FORWARDING</code> table and UPnP <code class="code">PREROUTING</code> table. This is not the default behavior for UPnP -- it normally writes directly to <code class="code">FORWARDING</code> and <code class="code">PREROUTING</code>.
 
 
'''Important:''' If you are not integrating with [http://www.shorewall.net/ Shorewall] as described in this document, you will want to change the configuration in <code class="filename">/etc/upnpd.conf</code>.
 
 
==Installation==
 
* load the <code class="filename">upnpd.lrp</code> Package
 
* edit <code class="filename">/etc/default/upnpd</code> to specify your external and internal network interfaces and to disable/modify multicast route generation
 
* edit <code class="filename">/etc/upnpd.conf</code> to describe your bandwidth available upstream and downstream (optional)
 
* install and configure <code class="filename">shorwall.lrp</code> if you have not already done so (Shorewall is suggested, not required)
 
 
==Shorewall integration==
 
Proper integration with your firewall policy can be a complex matter requiring local thought. This example should be reviewed for your local conditions and is a good starting place.
 
 
Shorewall uses the <code class="filename">ipt_owner.o</code> kernel Module for UPnP support. <code class="filename">ipt_owner.o</code> can be found in the Bering-uClibc kernel Modules tarball. Add it to <code class="filename">/lib/modules</code> and make sure it is loaded in <code class="filename">/etc/modules</code> at system startup. If you see an error message when Shorewall runs trying to add an iptables rule with the <code class="code">--cmd-owner</code> option, <code class="filename">ipt_owner.o</code> is not loaded.
 
 
Specify in <code class="filename">/etc/shorewall/interfaces</code> which interface is your upstream interface (your Internet interface) which will receive inbound connection requests after UPnP has authorized them. Add the "upnp" option to that interface.
 
 
Example:
 
net  ppp0  -    upnp,tcpflags,blacklist,routefilter,norfc1918,nosmurfs
 
 
Apply the UPnP specific rules in your shorewall rules file. In this example, <span class="emphasis">''loc''</span> is your internal network zone where UPnP clients are located, <span class="emphasis">''net''</span> is the upstream network (Internet):
 
 
forwardUPnP    net    loc  # dynamic rules inserted here
 
allowinUPnP    loc    fw  # allow from control points
 
allowoutUPnP    fw      loc  # allow communication to control points
 
 
 
----
 
{| summary="Navigation footer" width="100%"
 
| width="40%" align="left"  | [[Bering-uClibc 5.x - User Guide - Advanced Topics - Setting Up Zeroconf Networking|Prev]]
 
| width="20%" align="center" | [[Bering-uClibc 5.x - User Guide - Advanced Topics|Up]]
 
| width="40%" align="right"  | [[Bering-uClibc 5.x - User Guide - Advanced Topics - Setting Up Tor|Next]]
 
|}
 
 
[[Category:Bering-uClibc 5.x]]
 
[[Category:User Guide]]
 

Revision as of 09:37, 27 October 2012