UPnP X Port Forwarding + question on windows UPnP services

Discussion in 'other firewalls' started by Jomsviking, Jan 6, 2008.

Thread Status:
Not open for further replies.
  1. Jomsviking

    Jomsviking Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    55
    Note to Mods: I place this question here because these kind of discussions seem to appear frequently in this area; please move the topic if you think this discussion is better suited to another section of the forum.


    Hello Wilders friends.

    I have a number of questions regarding UPnP x Port Forwarding in routers and UPnP services in Windows (XP), maybe you can help me (I have searched this and other sites, but I am still confused).

    1. I have a Linksys WRT54GL. Works fine and has UPnP enabled by default, which will in principle allow applications to automatically forward ports on the router. I am aware of the possible security risks (malware automatically opening up ports on the router, for example). Do you think it is better to do port forwarding manually, as per portforward.com's guides? I have seen opinions favouring both approaches.

    2. I understand that manually forwarding ports requires disabling the router's DHCP server and assigning IPs manually to each computer in the network. So I suppose that disabling the DHCP server in the router is not necessary if we use UPnP instead? I guess that the applications which need port forwarding and have support for UPnP will "talk" to the router at the beginning of each session and arrange ports automatically. Am I correct?

    3. Do we in some way need to disable the router's firewall ability (I am aware - I think - of the differences between NAT and firewalling) when we want to manually forward ports? I know that we must not block anonymous internet requests, per:
    http://portforward.com/english/routers/port_forwarding/Linksys/WRT54GL/default.htm

    4. I understand that the Windows UPnP framework had serious flaws and that these were patched a long time ago and that there are no known active problems now. I have disabled the SSDP Discovery service and have UPnP Device Host on manual. I do not use instant messaging, but I will soon have to install a client (Miranda or Pidgin, still have to decide). Blackviper and other sources (http://www.blackviper.com/WinXP/Services/SSDP_Discovery_Service.htm) mention that these services are used by MSN Messenger. So I take it that I have to have them enabled (or at least on manual) to be able to use an instant messaging client?

    5. Applications like Skype (I will have to install this thing too, damn...) or uTorrent have UPnP support. Does this mean that they use the Windows UPnP framework to talk to a UPnP-enabled router? So I guess that they too require SSDP and UPnP Device Host on manual?
    I know that Skype can alternatively use port 80 or 443: does this mean that it will work regardless of UPnP settings in computer and router?
    Which settings have you Skype and uTorrent users found trouble free?

    Right now my overall feelings are that it's best to have a good security application in place, use good sense on the web and let UPnP work its magic. It seems that if we go around disabling this and that we will have to use a lot of workarounds to make some simple things work...

    I will also post this at DSLreports to see what the good networking people there have to offer.

    Sorry for the long post and for any stumbling English. Any ideas you might have are much appreciated.
    Good Sunday to all.
     
  2. Jomsviking

    Jomsviking Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    55
    Well, I guess that either my questions were not properly formulated, or they were just too dumb to answer, or maybe people are more interested in A X B threads. Anyway, after some more searching on the internet I have found some answers (I think) which I will post here in case someone with the same questions finds this thread.

    1. No significant problems with UPnP if we exercise care and use updated applications and firmware. For a good discussion on the subject, see:
    http://nitecruzr.blogspot.com/2006/01/nat-routers-with-upnp-security-risk-or.html

    2. Yes. Using UPnP does not require (unlike manual port forwarding) a static IP; we can use DHCP. See the article mentioned above.

    3. Generally speaking, disabling the router's firewalling ability is not needed in order to manually forward ports.

    4. Disabling the SSDP and UPnP Device Host services will only have an effect on applications which require Windows' own UPnP implementation to communicate with a UPnP-enabled router, like MSN Live Messenger. Most applications which require port forwarding, like Miranda, Azureus, uTorrent etc., do so using their own UPnP implementation, and will in principle not be affected by the two Windows services mentioned above.

    5. Regarding torrent clients, see answer to 4.
    As for Skype, it does implement NAT-traversal techniques, but not specifically through their own UPnP implementation, I think. I could not find much info on this topic. For further info, see:

    http://www.skype.com/security/guide-for-network-admins.pdf

    Any ideas and corrections are always welcome.
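    Putting answers 2, 4 and 5 into runnable form, the following is an added example (not code from this thread, from Linksys, or from any of the clients named) that asks a UPnP-enabled router on the LAN which port mappings it currently holds, so the user can see exactly what applications have opened without going through the Windows SSDP Discovery or UPnP Device Host services. It assumes the router exposes the standard IGD WANIPConnection:1 service, which home routers of this class generally do; the SSDP reply, device description and SOAP responses embedded at the bottom are constructed samples, not captures from a real WRT54GL.

```python
# Added example: audit a UPnP router's port-mapping table with only the standard library.
# Assumes a standard IGD with the WANIPConnection:1 service; sample data below is constructed.
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin
from xml.etree import ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DEV_NS = "urn:schemas-upnp-org:device-1-0"


def build_msearch(st=IGD_ST, mx=2):
    """Standard SSDP discovery request; MX is the reply delay (seconds) devices may spread over."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()


def parse_ssdp_response(raw):
    """HTTP-style SSDP reply -> dict of lower-cased headers ({} unless it is a 200 OK)."""
    lines = raw.decode(errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    return {k.strip().lower(): v.strip()
            for k, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}


def discover(timeout=2.0):
    """Multicast one M-SEARCH and collect the LOCATION URLs of the IGDs that answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    found = set()
    try:
        while True:
            data, _ = sock.recvfrom(65535)
            loc = parse_ssdp_response(data).get("location")
            if loc:
                found.add(loc)
    except socket.timeout:
        pass  # no more replies within the window
    finally:
        sock.close()
    return sorted(found)


def find_control_url(description_xml, base_url):
    """Control URL of the WANIPConnection service, taken from the device description XML."""
    for svc in ET.fromstring(description_xml).iter(f"{{{DEV_NS}}}service"):
        if svc.findtext(f"{{{DEV_NS}}}serviceType") == WANIP:
            return urljoin(base_url, svc.findtext(f"{{{DEV_NS}}}controlURL"))
    return None


def soap_body(action, args_xml=""):
    """Minimal SOAP envelope for one WANIPConnection action."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:{action} xmlns:u="{WANIP}">{args_xml}</u:{action}></s:Body></s:Envelope>').encode()


def parse_mapping_response(xml_text):
    """One mapping as a dict (keys without the 'New' prefix); None on a SOAP fault,
    which is how the router signals that the index is past the end of its table."""
    root = ET.fromstring(xml_text)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None
    return {el.tag.split("}")[-1][3:]: (el.text or "").strip()
            for el in root.iter() if el.tag.split("}")[-1].startswith("New")}


def list_mappings(control_url, max_entries=256):
    """Walk GetGenericPortMappingEntry with index 0, 1, 2, ... until the router faults."""
    hdrs = {"Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'}
    out = []
    for i in range(max_entries):
        body = soap_body("GetGenericPortMappingEntry", f"<NewPortMappingIndex>{i}</NewPortMappingIndex>")
        try:
            with urllib.request.urlopen(urllib.request.Request(control_url, body, hdrs), timeout=5) as r:
                text = r.read().decode()
        except urllib.error.HTTPError as e:  # SOAP faults arrive as HTTP 500 with an XML body
            text = e.read().decode()
        entry = parse_mapping_response(text)
        if entry is None:
            break
        out.append(entry)
    return out


def summarize(entry):
    """One readable line per mapping: who is reachable from outside, on what, for how long."""
    lease = "permanent" if entry.get("LeaseDuration", "0") == "0" else f"{entry['LeaseDuration']}s"
    return (f"{entry['Protocol']} {entry['ExternalPort']} -> {entry['InternalClient']}:"
            f"{entry['InternalPort']} [{entry.get('PortMappingDescription', '')}] lease={lease}")


# Constructed samples (not captured from a real router) so the parsers can be exercised offline.
SAMPLE_SSDP = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nST: " + IGD_ST.encode()
               + b"\r\nLOCATION: http://192.168.1.1:2869/gatedesc.xml\r\n\r\n")
SAMPLE_DESC = (f'<root xmlns="{DEV_NS}"><device><deviceList><device><serviceList><service>'
               f"<serviceType>{WANIP}</serviceType><controlURL>/upnp/control/WANIPConn1</controlURL>"
               "</service></serviceList></device></deviceList></device></root>")
SAMPLE_ENTRY = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">'
                "<NewRemoteHost></NewRemoteHost><NewExternalPort>6881</NewExternalPort><NewProtocol>TCP</NewProtocol>"
                "<NewInternalPort>6881</NewInternalPort><NewInternalClient>192.168.1.100</NewInternalClient>"
                "<NewEnabled>1</NewEnabled><NewPortMappingDescription>uTorrent (TCP)</NewPortMappingDescription>"
                "<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")
SAMPLE_FAULT = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
                "<detail><errorCode>713</errorCode></detail></s:Fault></s:Body></s:Envelope>")

if __name__ == "__main__":
    for location in discover():
        with urllib.request.urlopen(location, timeout=5) as r:
            control = find_control_url(r.read(), location)
        print(location, "->", control)
        for entry in (list_mappings(control) if control else []):
            print("  ", summarize(entry))
```

    Run on the LAN, the script prints every mapping the router holds, including ones an application created and never removed (a lease of 0 means "until rebooted or deleted"). Anything listed that the user does not recognise is exactly the "ports opened without user knowledge" case; it can be deleted from the router's own admin page, and if that happens regularly, disabling UPnP on the router and forwarding the few needed ports by hand is the safer choice.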
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Jomsviking,
    I think it is more a case of who has been online since your original post.

    Most users will actually disable UPnP within the router, to block the possibility of ports being opened without user knowledge. I admit (if I used a router as gateway) that this is a path I would follow myself, and have in the past advised to others.

    I would expect that it is really down to the knowledge/trust of software on the system with this capability.

    I would agree that, from a user side, with any type of software that requires unsolicited inbound on random ports, using UPnP is certainly easier. I cannot comment on this, as I have never taken time to check these types of applications with such an option enabled.
    I do personally prefer to manually control any port that is to be opened.
     
  4. Jomsviking

    Jomsviking Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    55
    Thanks for your comments Stem.
     