Do you recognize a good idea when you see one? We want to hear from you!
Header Image

I suggest you ...

Network Security: Automatic uPNP Support

Adding NAT rules automatically through UPnP service would be also great for home users and probably some other small companies.

256 votes
Vote
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    I agree to the terms of service
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    pattontpattont shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

    28 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      I agree to the terms of service
      Signed in as (Sign out)
      Submitting...
      • Anonymous commented  ·   ·  Flag as inappropriate

        I honestly see no reason why this can't or shouldn't be implemented on a per-IP or per-MAC basis!

        Yes general uPNP support defeats the purpose of a firewall but if i really want a specific device to be able to open ports on it's own then why not enter it's IP-Adress or MAC-Adress into a table?

        Problem solved without compromising general firewall security.

        The smaller UTM's are aimed at the SMB market so why not make it easier for SMB's to acutally use typical SMB devices and services?

        QNAP NAS Servers: myQNAPcloud requires uPNP (no workaround)
        WD Sentinel DX Series: Breaks Setup Wizard (Server 2k12 Essentials)
        MS Server 2k12 Essentials: Wizard requires uPNP for smooth setup

        All this just cost the SMB's more money and will make them think twice about adding other Sophos UTM's to their branch offices.

      • BrcBrc commented  ·   ·  Flag as inappropriate

        I hope UPNP will never be implemented as it totally defeats the purpose of a real firewall and the UTM will be blamed to much for being vulnerable while it was merely due to UPNP even if it was just opt-in. It is a little extra work but the UTM works perfect even with multiple complicated appliances at home and in most cases UIPNP is not enough exception rules for web traffic are also needed partially defeating UPNP and leading to more complaints instead of resolving. Just my two little cents nothing more.

      • Carter RowleyCarter Rowley commented  ·   ·  Flag as inappropriate

        Setting up a web cam, UPNP would be great. I like a lot of the features of UTM but sometimes miss my old PFsense system.

      • AlphavilAlphavil commented  ·   ·  Flag as inappropriate

        For home use it is a must have, all devices (NAS, TV....) have uPNP. So it would be nice but for company's I am not sure if they need that or if it is really secure

      • JoeJoe commented  ·   ·  Flag as inappropriate

        Until (if ever) ASG gains *optional* UPnP support, home users could optionally use a higher-end "home" wifi/router and install an aftermarket OS on it, such as DD-WRT. That will provide VPN and many other more professional features, but still give you popular home-oriented features like UPnP.

      • Eric R.Eric R. commented  ·   ·  Flag as inappropriate

        As Chester Wisniewski commented, I think it defeats the purpose of the firewall as well. So please don't!

        But! as 'Anonymous' said, "This would be a great feature to add. I would even be open to paying for this feature as a licensed add-on!"
        If people want to pay money to disregard their firewall, be my guest. At least if you paid you háve to know you bought insecurity, right?

      • RossRoss commented  ·   ·  Flag as inappropriate

        I think you have missed the point. These devices are increasingly being deployed at end user's homes. When a $40 Belkin special works better with their Xbox/Apple/Sony device then it's a problem. I don't want to spend my entire life putting in port forwards to make personal devices work at their home but I do wan't be able to offer them a firewall which can do IPSec/SSL VPN and control what access they get back to my work network. Not to mention traffic inspection, web filtering etc.

        I'm not saying it isn't a security risk and I'm not saying enable it by default. I am saying offer it as an option to be enabled but with some controls about it. E.g. let only certain IP's request UPnP port mappings, or only certain ports. As some have mentioned identify the requests and admin approve which would be great instead of having to trawl forums to figure out what ports an Xbox uses or the next new device a client has brought home uses.

      • Anonymous commented  ·   ·  Flag as inappropriate

        UPnP is required fro server 2012 essentials and while you can make it work without it breaks the wizards pretty bad.

      • AnonymousAnonymous commented  ·   ·  Flag as inappropriate

        This would be a great feature to add. I would even be open to paying for this feature as a licensed add-on!

      • RossRoss commented  ·   ·  Flag as inappropriate

        For anyone saying that it is a security risk, well it is. However for those saying that it's a reason not to have the feature, well that's poor form.

        UPnP is great for home use and ideally you'd have your astaro still setup to do packet filtering and pickup if any trojans were going out based on the signatures.

        To put things in perspective, this wouldn't be enabled at a business but for home users. Those who are running Astaro to support remote VPN access it would be handy. A few times now I have had clients tell me their little home billion/netgear router worked better, and it was due to UPnP and automatic mappings for things like game consoles, chat applications and video streaming. Granted most of this can be sorted by adding manual NAT rules, this isn't really feasible when there is a cost associated for someone to go set these rules up, which is then worse when it just "worked" on their home router.

        In any case it should be disabled by default but there are options from these comments which could be done to mitigate some of the risks of having it on.

      • FlorentFlorent commented  ·   ·  Flag as inappropriate

        having this feature for home users will be perfect and disabled by default

      • Christian StubberudChristian Stubberud commented  ·   ·  Flag as inappropriate

        This would be nice to have for homeusers. :) And as others have said, it should be disabled by default.
        Other firewalls like astaro supports this.

      • ChrisChris commented  ·   ·  Flag as inappropriate

        I agree that upnp would be a good addition, especially for those of us who use astaro at home, and also agree it should be disabled by default.

      ← Previous 1

      Feedback and Knowledge Base