When I wanted to get this particular feature working to chat with my Dad, I wrote a quickie script to -j ACCEPT his IP. Then I use another one to reset my rules when we're done chatting. Worked fine after that, NAT and all.

IIRC, UPnP was the reason for that first 'big' XP patch right after it came out. So, yes, it is probably a vulnerability.

Bob

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx]On Behalf Of Chris Brenton
Sent: Sunday, February 22, 2004 6:33 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: RE: Anybody heard about UP&P ?

This sounds *really* fishy to me. Sounds to me like what they are looking to do is set up a 1 to 1 NAT mapping (or possibly port forwarding) to the host needing "remote assistance" and probably punch open the filtering as well.

Do you know how much access gets opened up? Any authentication or encryption being used during the management session? Any guarantee that the hole gets closed up when they are done? Any logging of the access as well as what gets changed during the session?

You could always ask what level of access is required and just manually create the rules yourself. At least that way you know what is going on.

I think I'm real glad Netfilter does not support this. Sounds like a compromise waiting to happen.

C

On Fri, 2004-02-20 at 14:35, Carl Farrington wrote:
> UPNP means Universal Plug'n'Play. I guess WinXP looks to automagically reconfigure the NAT rules via upnp.
>
> No idea about the netfilter stuff myself I'm afraid.
>
> > -----Original Message-----
> > From: Marc Rechté [mailto:mrechte@xxxxxxxxxxxxxxxx]
> > Sent: 20 February 2004 07:14
> > To: netfilter@xxxxxxxxxxxxxxxxxxx
> > Subject: Anybody heard about UP&P ?
> >
> > To enable remote assistance from Internet of a WinXP PC on a LAN using
> > NAT one must have a UP&P NAT compatible router.
> >
> > Can Netfilter act as such a router, and if so do you have an idea of the
> > chain to apply ?
> >
> > Thanks for your help
> >
> > Marc.
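
The manual approach discussed in this thread (open a hole for one known address, then reset) can be written so that the hole is source-restricted, logged and always closed. This is an added example, not a script from any of the posters; the interface name, TCP port 3389 for Remote Assistance, the addresses and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: WAN interface eth0, Remote
# Assistance on TCP 3389, an existing ESTABLISHED,RELATED accept rule in FORWARD.
WAN_IF="${WAN_IF:-eth0}"
PORT="${PORT:-3389}"
IPT="${IPT:-echo iptables}"   # dry run prints the commands; IPT=iptables applies

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
# Runs in a subshell so the IFS change does not leak.
valid_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || exit 1
    done
)

# rules OP HELPER_IP LAN_IP: OP is I (insert at top) or D (delete).
# ACCEPT is emitted first so that, with -I, the LOG rule lands above it.
rules() {
    case "$1" in I|D) ;; *) return 1 ;; esac
    valid_ipv4 "$2" && valid_ipv4 "$3" || { echo "bad address" >&2; return 1; }
    $IPT -t nat "-$1" PREROUTING -i "$WAN_IF" -s "$2" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$3:$PORT"
    $IPT "-$1" FORWARD -i "$WAN_IF" -s "$2" -d "$3" -p tcp --dport "$PORT" -j ACCEPT
    $IPT "-$1" FORWARD -i "$WAN_IF" -s "$2" -d "$3" -p tcp --dport "$PORT" \
        -m state --state NEW -j LOG --log-prefix "remote-assist: "
}

# session HELPER_IP LAN_IP SECONDS: open the hole, wait, and always close it,
# including on Ctrl-C or kill (the EXIT trap runs when the subshell ends).
session() (
    h=$1 l=$2
    rules I "$h" "$l" || exit 1
    trap 'rules D "$h" "$l"' EXIT
    trap 'exit 130' INT TERM
    sleep "$3"
    exit 0
)

# Constructed sample run (documentation and private addresses), dry run only.
session 192.0.2.10 192.168.1.50 0
```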