Author Topic: pfsense 2.4.2 upnp bug?  (Read 192 times)

Offline repomanz

pfsense 2.4.2 upnp bug?
« on: December 04, 2017, 08:14:32 pm »
Hi everyone.

I have UPNP enabled but have two IPs and ports defined in the configuration for access control to upnp.  However, I see that another client on the network has a upnp session open (and is not in the access rule).  Is this a bug?

JJ

Offline jimp

  • Administrator
Re: pfsense 2.4.2 upnp bug?
« Reply #1 on: December 05, 2017, 09:44:55 am »
What are your exact ACL rules in UPnP?

Clients are allowed by default so unless you have a rule denying access to everyone after your allow entries, then others can still make connections.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline repomanz

Re: pfsense 2.4.2 upnp bug?
« Reply #2 on: December 05, 2017, 07:40:05 pm »
Here is an example ACL I have in place:

allow 53-65535 10.180.24.28/32 53-65535

However, another IP not on this rule has an open upnp session.

Offline jimp

  • Administrator
Re: pfsense 2.4.2 upnp bug?
« Reply #3 on: December 05, 2017, 07:51:19 pm »
But do you have a deny rule? It allows by default. You need a deny to stop others from getting access.

Offline repomanz

Re: pfsense 2.4.2 upnp bug?
« Reply #4 on: December 05, 2017, 08:26:04 pm »
Maybe my understanding is incorrect.  I thought pfsense was a deny by default unless granted rule base?  Does this not apply to upnp?  What would a deny rule look like?

** edit - I totally missed the deny by default check box :).  Thanks for pointing out the hole :)
« Last Edit: December 05, 2017, 08:30:23 pm by repomanz »

Offline Harvy66

Re: pfsense 2.4.2 upnp bug?
« Reply #5 on: December 06, 2017, 04:01:33 pm »
pfSense by default trusts the LAN and not the WAN. The deny by default logic only applies for untrusted interfaces. LAN side, UPNP, DHCP, DNS, management, SSH, etc are all allowed.
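
The behaviour discussed in this thread, as an added example that is not part of any post and is not pfSense or miniupnpd code: a small evaluator for ACL entries in the format quoted in Reply #2, assuming first-match-wins ordering and the allow-by-default fallthrough described in Reply #1. The second client address and the hand-written catch-all deny entry are constructed for illustration.

```python
import ipaddress

def _ports(spec):
    """Turn '53-65535' or '80' into an inclusive (low, high) pair."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return lo, hi

def parse_rule(line):
    """Parse '<allow|deny> <ext ports> <ip/cidr> <int ports>'."""
    action, ext, net, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action}")
    return action, _ports(ext), ipaddress.ip_network(net, strict=False), _ports(internal)

def decide(rules, client_ip, ext_port, int_port):
    """First matching entry wins; a request matching no entry is allowed."""
    addr = ipaddress.ip_address(client_ip)
    for action, (elo, ehi), net, (ilo, ihi) in rules:
        if addr in net and elo <= ext_port <= ehi and ilo <= int_port <= ihi:
            return action
    return "allow"  # assumption taken from the thread: clients are allowed by default

def has_catch_all_deny(rules):
    """Audit check: is there a deny entry covering every client and every port?"""
    return any(
        action == "deny" and net.prefixlen == 0
        and elo <= 1 and ehi == 65535 and ilo <= 1 and ihi == 65535
        for action, (elo, ehi), net, (ilo, ihi) in rules
    )

# The entry from Reply #2, alone and then followed by a constructed catch-all deny.
ALLOW_ONLY = [parse_rule("allow 53-65535 10.180.24.28/32 53-65535")]
WITH_DENY = ALLOW_ONLY + [parse_rule("deny 0-65535 0.0.0.0/0 0-65535")]

if __name__ == "__main__":
    other = "10.180.24.50"  # constructed address of a client not in the ACL
    for name, rules in (("allow only", ALLOW_ONLY), ("with deny", WITH_DENY)):
        print(name, "| catch-all deny:", has_catch_all_deny(rules))
        print("  listed client, port 3074:", decide(rules, "10.180.24.28", 3074, 3074))
        print("  listed client, port 22:  ", decide(rules, "10.180.24.28", 22, 22))
        print("  other client, port 3074: ", decide(rules, other, 3074, 3074))
```

With only the allow entry, the unlisted client and the listed client's out-of-range port both fall through to allow; with the catch-all deny in place, both are refused while the listed client's in-range request still succeeds.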