Networking Forums

how to block outgoing UPNP?

 
 
Johan Kullstam
      01-16-2008, 02:08 PM

How do I specifically *block* outgoing UPNP from my linux box?

I do not want UPNP. But my router may have it enabled. How can I
check? Using Zyxel X-550 with 1.5 firmware. There is no UPNP check
box AFAICT so I can't uncheck it. I don't know if it is enabled. How
would I check?

The reason I ask is that apparently newer flashplayer playing malicious
content can send UPNP to tear my firewall a new hole. I can't
re-compile the offending flashplayer. And I still don't want any UPNP.

Is iptables the right solution? What protocol/ports do I drop? What
kind of collateral damage should I expect?

I googled for 15 minutes but I didn't see anything on websites or
newsgroups. They were all about enabling it via some magic wrapper
script. That was the opposite direction from where I want to go.

--
Johan KULLSTAM <kullstj-(E-Mail Removed)> sysengr
 
Burkhard Ott
      01-16-2008, 02:54 PM
On Wed, 16 Jan 2008 10:08:52 -0500, Johan Kullstam wrote:

> I do not want UPNP. But my router may have it enabled. How can I
> re-compile the offending flashplayer. And I still don't want any UPNP.


good idea

> Is iptables the right solution? What protocol/ports do I drop? What
> kind of collateral damage should I expect?
>
> I googled for 15 minutes but I didn't see anything on websites or


I googled only 1 minute, guess that's what you're looking for:
http://gentoo-wiki.com/HOWTO_Setup_UPnP_with_IPTables
Turn ACCEPT to REJECT or DROP
 
Johan Kullstam
      01-16-2008, 09:41 PM
Burkhard Ott <(E-Mail Removed)> writes:

> On Wed, 16 Jan 2008 10:08:52 -0500, Johan Kullstam wrote:
>
>> I do not want UPNP. But my router may have it enabled. How can I
>> re-compile the offending flashplayer. And I still don't want any UPNP.

>
> good idea
>
>> Is iptables the right solution? What protocol/ports do I drop? What
>> kind of collateral damage should I expect?
>>
>> I googled for 15 minutes but I didn't see anything on websites or

>
> I googled only 1 minute, guess that's what you're looking for:
> http://gentoo-wiki.com/HOWTO_Setup_UPnP_with_IPTables
> Turn ACCEPT to REJECT or DROP


So UPNP uses IP 239.0.0.0/8 on TCP 49152 and UDP 1900?

It's kind of strange. Why would my computer or router listen to IP
packets going to 239.0.0.0/8? Maybe that is the easiest thing.

Is this right?

iptables -A OUTPUT -d 239.0.0.0/8 -j DROP

--
Johan KULLSTAM
 
Burkhard Ott
      01-17-2008, 06:22 AM
On Wed, 16 Jan 2008 17:41:40 -0500, Johan Kullstam wrote:

> So UPNP uses IP 239.0.0.0/8 on TCP 49152 and UDP 1900?
>
> It's kind of strange. Why would my computer or router listen to IP
> packets going to 239.0.0.0/8? Maybe that is the easiest thing.
>
> Is this right?
>
> iptables -A OUTPUT -d 239.0.0.0/8 -j DROP
>


should work, depends on your traffic.
The rule means all packets which come from this machine and have
$destinationIP will be dropped.
For packets from your clients you should also make a forward rule, and if
you want to drop those packets on the incoming table, drop those in
INPUT too.
A good idea is also to make a logging rule for those packets just to see
if and how it works; you can disable that later.

Also an interesting article about UPnP; afaik M$ developed that crappy
protocol.
http://technet.microsoft.com/en-us/l...7049.aspx#EDAA

cheers
 
Pascal Hambourg
      01-17-2008, 09:53 AM
Hello,

Johan Kullstam wrote:
> Burkhard Ott <(E-Mail Removed)> writes:
>>
>>http://gentoo-wiki.com/HOWTO_Setup_UPnP_with_IPTables

>
> So UPNP uses IP 239.0.0.0/8 on TCP 49152 and UDP 1900?


According to the rules on the page, UPnP may use any protocol and port
on 239.0.0.0/8, and TCP port 49152 and UDP port 1900 on any address. I
thought it used port 5000 too.

> It's kind of strange. Why would my computer or router listen to IP
> packets going to 239.0.0.0/8?


It's a multicast range.
 
Johan Kullstam
      01-17-2008, 02:51 PM
Pascal Hambourg <boite-a-(E-Mail Removed)> writes:

> Hello,
>
> Johan Kullstam wrote:
>> Burkhard Ott <(E-Mail Removed)> writes:
>>>
>>>http://gentoo-wiki.com/HOWTO_Setup_UPnP_with_IPTables

>>
>> So UPNP uses IP 239.0.0.0/8 on TCP 49152 and UDP 1900?

>
> According to the rules on the page, UPnP may use any protocol and port
> on 239.0.0.0/8, and TCP port 49152 and UDP port 1900 on any address. I
> thought it used port 5000 too.


So, if I drop 239.0.0.0/8 and TCP ports 5000 and 49152 and UDP 1900 on
outgoing, I should be safe(r)?

Are there any other things using this? Is, for example, TCP port 5000
used for anything else?

>> It's kind of strange. Why would my computer or router listen to IP
>> packets going to 239.0.0.0/8?

>
> It's a multicast range.


And this avahi crap that the cups dragged in (thanks apt!). Can I get
rid of it too? I already know the IP address of all 1 (count them!)
printers on my home network.

--
Johan KULLSTAM <kullstj-(E-Mail Removed)> sysengr
 
Burkhard Ott
      01-18-2008, 06:21 AM
On Thu, 17 Jan 2008 10:51:08 -0500, Johan Kullstam wrote:


> So, if I drop 239.0.0.0/8 and TCP ports 5000 and 49152 and UDP 1900 on
> outgoing, I should be safe(r)?


I would say so; to be sure, check it out with tcpdump or similar.
>
> Are there any other things using this? Is, for example, TCP port 5000
> be used for anything else?
>


usually not

>>> It's kind of strange. Why would my computer or router listen to IP
>>> packets going to 239.0.0.0/8?

>>
>> It's a multicast range.



If you have multicast enabled, then it would answer; that is the reason why
we have multicast addresses. If you don't need that, disable it; depends on
your kernel.

> And this avahi crap that the cups dragged in (thanks apt!). Can I get
> rid of it too? I already know the IP address of all 1 (count them!)
> printers on my home network.


I don't know which distribution you use, but in my installation I never got
that while I installed cups; usually cups listens on 631.
Avahi has nothing to do with cups (afaik).

cheers
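As an added example (not code posted by anyone in this thread), here is the rule set the last few posts arrive at, assembled into one script: the 239.0.0.0/8 multicast drop, UDP 1900, and TCP 5000 and 49152, applied to OUTPUT for the box itself and to FORWARD for LAN clients routed through it, with a LOG rule in front of each DROP as Burkhard suggested. The iptables path, the DRY_RUN switch, the log prefixes and the helper names are my own assumptions; by default the script only prints the rules so you can review them, and DRY_RUN=0 as root applies them.

```shell
#!/bin/sh
# Added example, not code from the thread: outbound UPnP/SSDP blocking with
# iptables, built from the addresses and ports named in the posts above.
# Assumptions (mine): IPv4 only, the iptables binary is in $PATH, and
# DRY_RUN=1 (the default) prints the rules instead of applying them.

IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

# 239.0.0.0/8 is the multicast range used by the linked HOWTO; SSDP discovery
# goes to 239.255.255.250 on UDP 1900, which this range covers. The full IPv4
# multicast space is 224.0.0.0/4, so this rule leaves other multicast
# (mDNS/avahi on 224.0.0.251, for instance) alone; that is a separate question.
MCAST_NET="239.0.0.0/8"
SSDP_UDP_PORT="1900"
# TCP ports mentioned in the thread: 49152 (from the HOWTO) and 5000 (Pascal).
UPNP_TCP_PORTS="5000 49152"

# Print or execute one iptables invocation, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Append a LOG rule followed by a DROP rule for the same match, so the kernel
# log (dmesg / kern.log) shows what is being dropped; the LOG rules can be
# deleted later once you have seen whether anything trips them.
log_and_drop() {
    ld_chain="$1"; ld_prefix="$2"; shift 2
    run -A "$ld_chain" "$@" -j LOG --log-prefix "$ld_prefix" --log-level 4
    run -A "$ld_chain" "$@" -j DROP
}

# Rules for one chain: OUTPUT covers this box's own traffic, FORWARD covers
# clients behind it (OUTPUT alone does nothing for forwarded packets).
block_upnp_chain() {
    chain="$1"
    log_and_drop "$chain" "UPNP-MCAST: " -d "$MCAST_NET"
    log_and_drop "$chain" "UPNP-SSDP: " -p udp --dport "$SSDP_UDP_PORT"
    for port in $UPNP_TCP_PORTS; do
        log_and_drop "$chain" "UPNP-TCP: " -p tcp --dport "$port"
    done
}

block_upnp() {
    block_upnp_chain OUTPUT
    block_upnp_chain FORWARD
}

# Number of rules the script adds to one chain, counted from a dry run in a
# subshell so the caller's DRY_RUN setting is untouched (8 per chain).
rule_count() {
    ( DRY_RUN=1; block_upnp_chain "$1" ) | wc -l | tr -d ' '
}

block_upnp
```

To confirm the rules do what you expect, watch the wire while something tries discovery, e.g. `tcpdump -ni eth0 'udp port 1900 or dst net 239.0.0.0/8'` on the outside interface; once the rules are in, those packets should stop appearing there and show up in the kernel log with the UPNP- prefixes instead. The TCP drops are by destination port only, so anything else that happens to use TCP 5000 or 49152 outbound is the collateral damage to expect.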
 