From 8c9bbfe7ae17bd927421ad961d3caf6463e355d5 Mon Sep 17 00:00:00 2001
From: Self Hosting Group
Date: Mon, 6 Jan 2025 00:00:00 +0000
Subject: [PATCH] miniupnpd: Improve configuration generation and deny ACL by default

Signed-off-by: Self Hosting Group
---
 net/miniupnpd/files/miniupnpd.init | 12 +++++-------
 net/miniupnpd/files/upnpd-migration.uci-defaults | 7 -------
 net/miniupnpd/files/upnpd.config | 9 +--------
 3 files changed, 6 insertions(+), 22 deletions(-)

diff --git a/net/miniupnpd/files/miniupnpd.init b/net/miniupnpd/files/miniupnpd.init
index 5429bc3f8b45ff..4b4322901c5c34 100644
--- a/net/miniupnpd/files/miniupnpd.init
+++ b/net/miniupnpd/files/miniupnpd.init
@@ -31,14 +31,11 @@ conf_rule_add() {
 local ext_start ext_end int_start int_end comment
 config_get action "$cfg" action "deny" # allow or deny
- upnpd_get_port_range "ext" "$cfg" ext_ports "0-65535" # external ports: x, x-y, x:y
+ upnpd_get_port_range "ext" "$cfg" ext_ports "1-65535" # external ports: x, x-y, x:y
 config_get int_addr "$cfg" int_addr "0.0.0.0/0" # ip or network and subnet mask (internal)
- upnpd_get_port_range "int" "$cfg" int_ports "0-65535" # internal ports: x, x-y, x:y or range
+ upnpd_get_port_range "int" "$cfg" int_ports "1-65535" # internal ports: x, x-y, x:y or range
 config_get comment "$cfg" comment "ACL" # comment
- # Make a single IP IP/32 so that miniupnpd.conf can use it.
- [ "${int_addr%/*}" = "$int_addr" ] && int_addr="$int_addr/32"
-
 echo "$action $ext_start${ext_end:+-}$ext_end $int_addr $int_start${int_end:+-}$int_end #$comment"
 }
@@ -175,8 +172,6 @@ upnpd() {
 [ "$uuid" = "nocli" ] || echo "uuid=$uuid"
- config_foreach conf_rule_add perm_rule
-
 if [ "$FW" = "fw4" ]; then
 #When using nftables configure miniupnpd to use its own table and chains
 echo "upnp_table_name=fw4"
@@ -186,6 +181,9 @@ upnpd() {
 echo "upnp_nat_postrouting_chain=upnp_postrouting"
 fi
+ config_foreach conf_rule_add perm_rule
+ echo "deny 1-65535 0.0.0.0/0 1-65535"
+
 } > "$tmpconf"
 fi
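Review bot: Dropping the `/32` normalization in conf_rule_add means a bare `int_addr` such as `192.168.1.10` now reaches miniupnpd.conf without a prefix length, which is only safe if the packaged miniupnpd parses an address without `/n` as a single host rather than rejecting the line or widening the match; that should be confirmed against the version in the Makefile, since a mis-parsed ACL line weakens the access control this commit is tightening. If it is confirmed, a comment on the `config_get int_addr` line would stop the next reader from re-adding the guard: `# miniupnpd accepts a bare address as a single host, so no /32 normalization is needed`. The new `1-65535` defaults match the catch-all deny appended in upnpd() later in this patch, which is the reason for changing them and deserves a word in the inline comment.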
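Review bot: The hard-coded `echo "deny 1-65535 0.0.0.0/0 1-65535"` after the perm_rule loop is now the only thing that makes the ACL deny-by-default, since as far as I recall miniupnpd allows a request that matches no rule; it deserves a comment saying so, e.g. `# Catch-all deny: rules are first-match, so this must stay last`. Unlike the lines produced by conf_rule_add it carries no `#comment` suffix, so `echo "deny 1-65535 0.0.0.0/0 1-65535 #Deny by default"` would keep the generated file uniform and readable in miniupnpd's logs. Because the deny is no longer a UCI perm_rule, a system whose administrator removed the trailing deny to permit everything silently changes behaviour on upgrade, which is worth stating in the commit message or the package README. upnpd() begins outside this hunk.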
diff --git a/net/miniupnpd/files/upnpd-migration.uci-defaults b/net/miniupnpd/files/upnpd-migration.uci-defaults
index cf0b888f14c470..a56a801870a619 100644
--- a/net/miniupnpd/files/upnpd-migration.uci-defaults
+++ b/net/miniupnpd/files/upnpd-migration.uci-defaults
@@ -95,13 +95,6 @@ if [ "$(uci get upnpd.@perm_rule[0].action)" = "allow" ] &&
 set upnpd.@perm_rule[1].int_addr='0.0.0.0/0'
 set upnpd.@perm_rule[1].int_ports='1-1023'
 set upnpd.@perm_rule[1].comment='Low ports'
- add upnpd perm_rule
- set upnpd.@perm_rule[2]=perm_rule
- set upnpd.@perm_rule[2].action='deny'
- set upnpd.@perm_rule[2].ext_ports='1-65535'
- set upnpd.@perm_rule[2].int_addr='0.0.0.0/0'
- set upnpd.@perm_rule[2].int_ports='1-65535'
- set upnpd.@perm_rule[2].comment='Deny by default'
 commit upnpd
 EOF
 fi
diff --git a/net/miniupnpd/files/upnpd.config b/net/miniupnpd/files/upnpd.config
index 4150de32729568..c1d80d97f41907 100644
--- a/net/miniupnpd/files/upnpd.config
+++ b/net/miniupnpd/files/upnpd.config
@@ -15,7 +15,7 @@ config upnpd 'config'
 #option external_iface wan
 option upnp_lease_file /var/run/miniupnpd.leases
-# Service access control list configuration, IPv6 always allowed
+# Service access control list configuration, IPv6 always allowed. Deny by default.
 config perm_rule
 option action allow
@@ -30,10 +30,3 @@ config perm_rule
 option int_addr 0.0.0.0/0
 option int_ports 1-1023
 option comment 'Low ports'
-
-config perm_rule
- option action deny
- option ext_ports 1-65535
- option int_addr 0.0.0.0/0
- option int_ports 1-65535
- option comment 'Deny by default'