ClearFoundation

FastLaneJB wrote:

I imagine this should be quite easy to test. Just need 2 computers and any uPnP capable application like a BitTorrent app. Set them both to open the same port, fire it up on one and then on the other then check iptables.

I tested the theory with utorrent set to 49160 port number with UPNP enabled in ClearOS.

fired it up on two different computers... waited.. watched the logs... and bam.

four iptable lines were added

udp 192.168.19.10 49152
tcp 192.168.19.10 49152
udp 192.168.19.11 49152
tcp 192.168.19.11 49152


so it just hands out the port to whoever asks for it.

That's a pretty bad flaw! thanks for testing, although most applications will let you choose which port (or randomise) for UPNP that would be a temporary work around. Devices like the XBox presumably are hard wired for one port?

To update i've manageed to build and run miniupnpd here

I had to rehash the init script a lot to get it to work, but it seems to be working very well!

Due to it's design it creates another iptables table in both the filter and nat tables to manage the UPNP connections, so it needs to have it's rules added to the custom firewall so they are not lost after a firewall restart

I'll post more in due course

Tim Burgess wrote:
That's a pretty bad flaw! thanks for testing, although most applications will let you choose which port (or randomise) for UPNP that would be a temporary work around. Devices like the XBox presumably are hard wired for one port?

To update i've manageed to build and run miniupnpd here

I had to rehash the init script a lot to get it to work, but it seems to be working very well!

Due to it's design it creates another iptables table in both the filter and nat tables to manage the UPNP connections, so it needs to have it's rules added to the custom firewall so they are not lost after a firewall restart

I'll post more in due course

That's one great news Can't wait to try it out

Just wanted to update this thread after starting a new XBox on Christmas...I had to bypass the proxy with the iptables rule in the rc.firewall.local script in order to get it to work. It would be nice not having to bypass the proxy and the content filter.

Terribly sorry to bump and Hi-Jack someone else's thread but I am having the same problem here, firstly can I say, this is by far the best gateway/router I have ever used.
I have just bought another xbox and would like that online also, I have just installed a 3rd network card and since I'm new to all this stuff I was wondering if there was a way to make eth2 totally bypass the content filter and web proxy as I am going to make eth2 for games consoles only or is this not possible? Taking the content filtering off is a no go as we have small people at home Any help or advice would be greatly appreciated sorry for the total noob question but you guys seem like the correct people to ask

Kind Regards James.

www.clearfoundation.com/component/option...it,10/limitstart,10/

Give the Xbox its own static IP address in your DHCP server and then follow the script in the post above that LaneJB submitted, substituting your static IP address and restart your firewall service.

Thank you for your response that worked a treat, I totally overlooked the obvious that had already been mentioned sorry about that.!