Suggested upnp.postconf, so that /jffs/config/upnp.add actually works as you think it should

Karl Perkins

Occasional Visitor
Code:
#!/bin/sh
# Karl Perkins - 25.9.2022
# This postconf (usually placed in /jffs/scripts/upnp.postconf, and then chmod a+x /jffs/scripts/upnp.postconf)
# enables /jffs/configs/upnp.add to actually work.  I've written this to hopefully still work, even if the issue
# with the placement of the global allow and deny rule is fixed in a subsequent release of the merlin firmware.
#
# Background: miniupnpd evaluates allow/deny rules top to bottom and the first match wins, so a deny rule
# appended from upnp.add after the global "allow <LAN subnet>" rule can never match.  This script moves the
# global allow and deny rules to the very end of the generated config, after the upnp.add content.

if [ $# -eq 0 ] ; then
        echo "$(basename "$0") <path to upnp config file>"
        echo "            This is usually /etc/upnp/config"
        exit 1
fi

CONFIG="$1"
# Fourth whitespace-separated field of "ip -4 -o a show dev br0" is the LAN address in CIDR form;
# awk tolerates the run of spaces that "ip -o" prints between the interface name and "inet"
LAN_IP=$(ip -4 -o a show dev br0 | awk '{print $4}' | cut -d "/" -f 1)
# helper.sh provides pc_insert (append a line after each matching line) and pc_delete (delete matching lines)
. /usr/sbin/helper.sh

# Copy the original config, so we can see what it looked like before this postconf script ran
cp "$CONFIG" "/tmp/upnp.old.$(basename "$CONFIG")"

# Get the current allow and deny all rules, and correct the subnet mask to CIDR if it's wrong
allow_all_line="$(grep "allow .-65535 $LAN_IP" "$CONFIG" | sed 's/\/255.255.255.0/\/24/')"
deny_all_line="$(grep "deny .-65535 0.0.0.0" "$CONFIG" | sed 's/\/0.0.0.0/\/0/')"

# Add a marker line before the beginning of the /jffs/configs/upnp.add content in case anyone wants to insert rules before this
pc_insert "deny .-65535 0.0.0.0" "# START.OF.RULES" "$CONFIG"
pc_insert "START.OF.RULES" "" "$CONFIG"

# Removes the current allow all and deny all rules from their original (too early) position
pc_delete "allow .-65535 $LAN_IP" "$CONFIG"
pc_delete "deny .-65535 0.0.0.0" "$CONFIG"

cat <<EOF >> "$CONFIG"

# There's some code in $0 to move the global allow rule here
# END.OF.RULES.1

# There's some code in $0 to move the global deny rule here
# END.OF.RULES.2
EOF

# Adds in the right "allow all" rule, with the correct CIDR in the right place, almost at the end.
# If you comment out this following line, then every host will be denied, and then /jffs/configs/upnp.add
# should contain "allow" rules, rather than "deny" rules.
pc_insert "END.OF.RULES.1" "$allow_all_line" "$CONFIG"

# Adds in the right "deny all" rule, with the correct CIDR, right at the end
pc_insert "END.OF.RULES.2" "$deny_all_line" "$CONFIG"

Karl Perkins

Occasional Visitor
What the config looked like before the upnp.postconf ran:
Code:
> cat /tmp/upnp.old.config
ext_ifname=eth0
listening_ip=br0
port=0
enable_upnp=yes
enable_natpmp=yes
secure_mode=yes
upnp_nat_postrouting_chain=PUPNP
upnp_forward_chain=FUPNP
upnp_nat_chain=VUPNP
notify_interval=60
system_uptime=yes
friendly_name=Firewall
model_name=RT-AC86U
model_description=ASUS Wireless Router
model_number=384.15
serial=40:b0:76:c3:03:00
uuid=3ddcd1d3-2380-45f5-b069-40b076c30300
lease_file=/tmp/upnp.leases
clean_ruleset_interval=600
clean_ruleset_threshold=20
presentation_url=http://192.168.1.1:80/
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
allow 1-65535 192.168.1.1/255.255.255.0 1024-65535
min_lifetime=120
max_lifetime=86400

deny 0-65535 0.0.0.0/0 0-65535
# Karl Perkins - 23.9.2022 - /jffs/config/upnp.add
# Example deny rule below
# deny 0-65535 192.168.1.20/32 1024-65535

# FrontDoor_Camera_HD wants some dodgy port forward via UPNP, so let's block it!
deny 0-65535 192.168.1.17/32 1024-65535

What the config looks like after the upnp.postconf ran:
Code:
> cat /etc/upnp/config
ext_ifname=eth0
listening_ip=br0
port=0
enable_upnp=yes
enable_natpmp=yes
secure_mode=yes
upnp_nat_postrouting_chain=PUPNP
upnp_forward_chain=FUPNP
upnp_nat_chain=VUPNP
notify_interval=60
system_uptime=yes
friendly_name=Firewall
model_name=RT-AC86U
model_description=ASUS Wireless Router
model_number=384.15
serial=40:b0:76:c3:03:00
uuid=3ddcd1d3-2380-45f5-b069-40b076c30300
lease_file=/tmp/upnp.leases
clean_ruleset_interval=600
clean_ruleset_threshold=20
presentation_url=http://192.168.1.1:80/
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
min_lifetime=120
max_lifetime=86400

# START.OF.RULES

# Karl Perkins - 23.9.2022 - /jffs/config/upnp.add
# Example deny rule below
# deny 0-65535 192.168.1.20/32 1024-65535

# FrontDoor_Camera_HD wants some dodgy port forward via UPNP, so let's block it!
deny 0-65535 192.168.1.17/32 1024-65535

# There's some code in /jffs/scripts/upnp.postconf to move the global allow rule here
# END.OF.RULES.1
allow 1-65535 192.168.1.1/24 1024-65535

# There's some code in /jffs/scripts/upnp.postconf to move the global deny rule here
# END.OF.RULES.2
deny 0-65535 0.0.0.0/0 0-65535

I can confirm it works, and is now blocking 192.168.1.17 from accessing UPNP. If I have any other troublesome hosts, I can just add them to /jffs/config/upnp.add, and I don't need to fiddle with the postconf script any more.

Karl Perkins

Occasional Visitor
Please also note that you can use this script to enable a global deny for all hosts to UPNP (just by commenting out one line in the script), and then /jffs/config/upnp.add can have allow rules to selectively allow various hosts access to UPNP.
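The rule-ordering point behind the postconf, as an added Python example that is not part of the thread: it replays miniupnpd's first-match permission check (a request no rule matches is accepted, which is why the trailing global deny matters) over constructed excerpts of the before and after configs shown above, plus the default-deny variant from the last post. The request values (external port 8080 to host port 8080) and the second host 192.168.1.50 are constructed for the demonstration.

```python
"""Replay miniupnpd allow/deny rules: first match wins, and an unmatched request is accepted."""
import ipaddress

# Constructed excerpts of the two configs in the thread, permission rules only, in file order
BEFORE_POSTCONF = """
allow 1-65535 192.168.1.1/255.255.255.0 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
deny 0-65535 192.168.1.17/32 1024-65535
"""
AFTER_POSTCONF = """
deny 0-65535 192.168.1.17/32 1024-65535
allow 1-65535 192.168.1.1/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""
# Last post's variant: global allow commented out, so only explicit allow rules let a host through
DEFAULT_DENY = AFTER_POSTCONF.replace("allow 1-65535", "# allow 1-65535")


def _ports(text):
    lo, hi = text.split("-")
    return int(lo), int(hi)


def parse_rules(config_text):
    """Return (action, ext_ports, network, int_ports) tuples in config order."""
    rules = []
    for line in config_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 4 or fields[0] not in ("allow", "deny"):
            continue  # key=value settings, comments and blank lines are not permission rules
        action, ext, net, internal = fields
        # ipaddress understands both "/24" and "/255.255.255.0"; strict=False keeps host bits
        network = ipaddress.ip_network(net if "/" in net else net + "/32", strict=False)
        rules.append((action, _ports(ext), network, _ports(internal)))
    return rules


def is_allowed(rules, ext_port, int_ip, int_port):
    """Walk the rules top to bottom; the first one covering all three fields decides."""
    addr = ipaddress.ip_address(int_ip)
    for action, (elo, ehi), network, (ilo, ihi) in rules:
        if elo <= ext_port <= ehi and ilo <= int_port <= ihi and addr in network:
            return action == "allow"
    return True  # miniupnpd's default when nothing matches, hence the trailing global deny


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_POSTCONF), ("after", AFTER_POSTCONF), ("default deny", DEFAULT_DENY)):
        for host in ("192.168.1.17", "192.168.1.50"):
            print(f"{name:13s} {host}: {'allowed' if is_allowed(parse_rules(cfg), 8080, host, 8080) else 'denied'}")
```

Under the original ordering the camera's request is accepted by the global allow before its deny rule is ever consulted; after the postconf the host-specific deny is reached first.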