pfSense Forum

General Category => General Discussion => Topic started by: repomanz on December 04, 2017, 08:14:32 pm

Title: pfsense 2.4.2 upnp bug?
Post by: repomanz on December 04, 2017, 08:14:32 pm
Hi everyone.

I have UPnP enabled but have two IPs and ports defined in the configuration for access control to UPnP.  However, I see that another client on the network has a UPnP session open (and is not in the access rule).  Is this a bug?

JJ
Title: Re: pfsense 2.4.2 upnp bug?
Post by: jimp on December 05, 2017, 09:44:55 am
What are your exact ACL rules in UPnP?

Clients are allowed by default so unless you have a rule denying access to everyone after your allow entries, then others can still make connections.
Title: Re: pfsense 2.4.2 upnp bug?
Post by: repomanz on December 05, 2017, 07:40:05 pm
Here is an example ACL I have in place:

allow 53-65535 10.180.24.28/32 53-65535

However, another IP not on this rule has an open UPnP session.
Title: Re: pfsense 2.4.2 upnp bug?
Post by: jimp on December 05, 2017, 07:51:19 pm
But do you have a deny rule? It allows by default. You need a deny to stop others from getting access.
Title: Re: pfsense 2.4.2 upnp bug?
Post by: repomanz on December 05, 2017, 08:26:04 pm
Maybe my understanding is incorrect.  I thought pfSense was a deny-by-default-unless-granted rule base?  Does this not apply to UPnP?  What would a deny rule look like?

** edit - I totally missed the deny by default check box :).  Thanks for pointing out the hole :)
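To make the behaviour described in this thread concrete, here is an added example (not pfSense or miniupnpd code) that evaluates miniupnpd-style ACL lines the way jimp describes: rules are checked in order, the first match decides, and a client that matches no rule falls through to the default, which is allow. The only rule text taken from the thread is the poster's allow line; the trailing "deny 0-65535 0.0.0.0/0 0-65535" is the catch-all form used in miniupnpd's configuration format, and the "other" client address 10.180.24.77 is a constructed value for the test.

```python
"""Evaluate miniupnpd-style UPnP ACL rules: ordered, first match wins,
unmatched clients get the default decision (allow unless told otherwise)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    ext_ports: tuple                 # (low, high) external port range
    network: ipaddress.IPv4Network   # client address / mask
    int_ports: tuple                 # (low, high) internal port range


def _port_range(text):
    """'53-65535' -> (53, 65535); a bare '8080' -> (8080, 8080)."""
    lo, _, hi = text.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range: {text}")
    return (lo, hi)


def parse_acl(lines):
    """Parse lines of the form 'allow|deny ext_ports addr/mask int_ports'."""
    rules = []
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        action, ext, cidr, intp = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action: {action}")
        rules.append(Rule(action, _port_range(ext),
                          ipaddress.ip_network(cidr, strict=False),
                          _port_range(intp)))
    return rules


def evaluate(rules, client_ip, ext_port, int_port, default="allow"):
    """Return 'allow' or 'deny' for one mapping request; first match wins."""
    addr = ipaddress.ip_address(client_ip)
    for r in rules:
        if (r.ext_ports[0] <= ext_port <= r.ext_ports[1]
                and addr in r.network
                and r.int_ports[0] <= int_port <= r.int_ports[1]):
            return r.action
    return default          # nothing matched: miniupnpd's default is allow


# Constructed ACLs: the poster's single allow rule on its own, then the same
# rule followed by the catch-all deny that "deny by default" adds.
ALLOW_ONLY = parse_acl(["allow 53-65535 10.180.24.28/32 53-65535"])
WITH_DENY = parse_acl([
    "allow 53-65535 10.180.24.28/32 53-65535",
    "deny 0-65535 0.0.0.0/0 0-65535",
])


def audit(rules):
    """Decision for the listed client and for a constructed 'other' LAN
    client (10.180.24.77) that no allow rule names."""
    return {
        "listed": evaluate(rules, "10.180.24.28", 6881, 6881),
        "other": evaluate(rules, "10.180.24.77", 6881, 6881),
    }


if __name__ == "__main__":
    print("allow only :", audit(ALLOW_ONLY))   # the other client is still allowed
    print("with deny  :", audit(WITH_DENY))    # the other client is now denied
```

Note that the trailing deny also closes the gap for the listed client outside its port range: a request from 10.180.24.28 for port 22 matches no allow rule, so without the deny it is accepted by default, and with the deny it is refused.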
Title: Re: pfsense 2.4.2 upnp bug?
Post by: Harvy66 on December 06, 2017, 04:01:33 pm
pfSense by default trusts the LAN and not the WAN. The deny-by-default logic only applies to untrusted interfaces. On the LAN side, UPnP, DHCP, DNS, management, SSH, etc. are all allowed.