On Sun, Aug 03, 2008 at 09:38:09AM +0200, Laurent Bigonville wrote:
> hi,
>
> I've just recompiled linux-igd (and libupnp) under etch and it seems
> that linux-igd is still listening on all interfaces and not just on the
> internal

Thanks for the update, I can confirm this. Sorry I didn't check sooner.

It seems the patch was a bit of a red herring. It is actually libupnp's SSDP server which binds and listens to port 1900 and libupnp's miniserver which binds and listens to port 49152. There doesn't seem to be a mechanism in libupnp to bind to specific interfaces, and it may not even be appropriate if more than one SSDP service is running on the host (e.g. media servers).

I would recommend instead that you use your firewall (you are running one on your internet gateway, of course?) to restrict the access to these ports from the outside interface(s). Shorewall, for instance, has the allowinUPnP feature which adds iptables rules similar to the following, see http://www.shorewall.net/UPnP.html :

*filter
-A INPUT -i eth1 -j allowinUPnP
-A allowinUPnP -p udp -m udp --dport 1900 -j ACCEPT
-A allowinUPnP -p tcp -m tcp --dport 49152:49159 -j ACCEPT

It is on my todo list (see debian/TODO.Debian) to improve linux-igd's firewalling and specifically Shorewall integration further. I'll leave this bug open until I can update SECURITY.Debian with suitable advice.

Nick
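The firewall workaround described above, as an added example that is not part of the bug report, of linux-igd, or of Shorewall: a small POSIX shell script that generates the allowinUPnP-style iptables rules for the LAN interface and, going one step beyond the quoted rules, adds explicit DROP rules for the same ports on the WAN interface so the outcome does not depend on the INPUT chain's default policy. The interface names (eth1 = LAN, eth0 = WAN) and the 49152:49159 miniserver range are taken from the message; the chain name allowinUPnP is reused from it. By default the script only prints the iptables commands (IPTABLES=echo), so it can be reviewed without root; set IPTABLES=iptables to apply them.

```shell
#!/bin/sh
# Added example, not code from the bug report, linux-igd or Shorewall.
# Builds iptables rules that accept UPnP (SSDP 1900/udp, libupnp miniserver
# 49152-49159/tcp) only on the LAN interface and drop it on the WAN interface.
# Interface names are assumptions; adjust LAN/WAN to your gateway.
# IPTABLES defaults to "echo iptables" so the script is a dry run by default.

IPTABLES="${IPTABLES:-echo iptables}"

# upnp_rules LAN_IF WAN_IF
# Prints one iptables argument list per line (same layout as iptables-save).
upnp_rules() {
    lan="$1"; wan="$2"
    # Dedicated chain, so the UPnP rules can be flushed/reloaded on their own.
    echo "-N allowinUPnP"
    echo "-A INPUT -i $lan -j allowinUPnP"
    echo "-A allowinUPnP -p udp -m udp --dport 1900 -j ACCEPT"
    echo "-A allowinUPnP -p tcp -m tcp --dport 49152:49159 -j ACCEPT"
    # Explicit drops on the outside interface, independent of the INPUT policy.
    echo "-A INPUT -i $wan -p udp -m udp --dport 1900 -j DROP"
    echo "-A INPUT -i $wan -p tcp -m tcp --dport 49152:49159 -j DROP"
}

# apply_rules LAN_IF WAN_IF: feed every generated rule to $IPTABLES.
apply_rules() {
    upnp_rules "$1" "$2" | while IFS= read -r rule; do
        # Word splitting of $rule is intended: each word is one iptables argument.
        # shellcheck disable=SC2086
        $IPTABLES $rule
    done
}

# count_rules LAN_IF WAN_IF TARGET: number of generated rules jumping to TARGET,
# handy as a sanity check before applying (expect 2 ACCEPT and 2 DROP).
count_rules() {
    upnp_rules "$1" "$2" | grep -c -- "-j $3\$"
}

# Dry run for a gateway with eth1 on the LAN side and eth0 on the WAN side.
apply_rules eth1 eth0
```

Because the ACCEPT rules live in their own chain reached only from INPUT with `-i $lan`, SSDP traffic arriving on the WAN interface never reaches them; the additional DROP rules make that explicit and visible in `iptables -L -v` counters, which is the place to check that nothing from the outside is hitting 1900/udp or the miniserver range.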