Suggested upnp.postconf, so that /jffs/config/upnp.add actually works as you think it should

Karl Perkins

Code:
#!/bin/sh
# Karl Perkins - 25.9.2022
# This postconf (usually placed in /jffs/scripts/upnp.postconf, and then chmod a+x /jffs/scripts/upnp.postconf)
# enables /jffs/configs/upnp.add to actually work.  I've written this to hopefully still work, even if the issue
# with the placement of the global allow and deny rule is fixed in a subsequent release of the merlin firmware.

if [ $# -eq 0 ]; then
        echo "$(basename "$0") <path to upnp config file>"
        echo "            This is usually /etc/upnp/config"
        exit 1
fi

CONFIG="$1"
# First IPv4 address on the LAN bridge, without the prefix length
LAN_IP="$(ip -4 -o a show dev br0 | cut -d " " -f 7 | cut -d "/" -f 1)"
# helper.sh provides pc_insert / pc_delete (insert after / delete lines matching a pattern)
. /usr/sbin/helper.sh

# Copy the original config, so we can see what it looked like before this postconf script ran
cp "$CONFIG" "/tmp/upnp.old.$(basename "$CONFIG")"

# Get the current allow and deny all rules, and correct the subnet mask to CIDR if it's wrong
# (".-65535" matches whichever single-digit start port the firmware wrote, e.g. "1-65535" or "0-65535")
allow_all_line="$(grep "allow .-65535 $LAN_IP" "$CONFIG" | sed 's/\/255.255.255.0/\/24/')"
deny_all_line="$(grep "deny .-65535 0.0.0.0" "$CONFIG" | sed 's/\/0.0.0.0/\/0/')"

# Add a line before the beginning of the /jffs/configs/upnp.add in case anyone wants to insert rules before this
pc_insert "deny .-65535 0.0.0.0" "# START.OF.RULES" "$CONFIG"
pc_insert "START.OF.RULES" "" "$CONFIG"

# Removes the current allow all and deny all rules
pc_delete "allow .-65535 $LAN_IP" "$CONFIG"
pc_delete "deny .-65535 0.0.0.0" "$CONFIG"

cat <<EOF >> "$CONFIG"

# There's some code in $0 to move the global allow rule here
# END.OF.RULES.1

# There's some code in $0 to move the global deny rule here
# END.OF.RULES.2
EOF

# Adds in the right "allow all" rule, with the correct CIDR in the right place, almost at the end.
# If you comment out this following line, then every host will be denied, and then /jffs/configs/upnp.add
# should contain "allow" rules, rather than "deny" rules.
pc_insert "END.OF.RULES.1" "$allow_all_line" "$CONFIG"

# Adds in the right "deny all" rule, with the correct CIDR, right at the end
pc_insert "END.OF.RULES.2" "$deny_all_line" "$CONFIG"
What the config looked like before the upnp.postconf ran: -
Code:
> cat /tmp/upnp.old.config
ext_ifname=eth0
listening_ip=br0
port=0
enable_upnp=yes
enable_natpmp=yes
secure_mode=yes
upnp_nat_postrouting_chain=PUPNP
upnp_forward_chain=FUPNP
upnp_nat_chain=VUPNP
notify_interval=60
system_uptime=yes
friendly_name=Firewall
model_name=RT-AC86U
model_description=ASUS Wireless Router
model_number=384.15
serial=40:b0:76:c3:03:00
uuid=3ddcd1d3-2380-45f5-b069-40b076c30300
lease_file=/tmp/upnp.leases
clean_ruleset_interval=600
clean_ruleset_threshold=20
presentation_url=http://192.168.1.1:80/
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
allow 1-65535 192.168.1.1/255.255.255.0 1024-65535
min_lifetime=120
max_lifetime=86400

deny 0-65535 0.0.0.0/0 0-65535
# Karl Perkins - 23.9.2022 - /jffs/config/upnp.add
# Example deny rule below
# deny 0-65535 192.168.1.20/32 1024-65535

# FrontDoor_Camera_HD wants some dodgy port forward via UPNP, so let's block it!
deny 0-65535 192.168.1.17/32 1024-65535

What the config looks like after the upnp.postconf ran: -
Code:
> cat /etc/upnp/config
ext_ifname=eth0
listening_ip=br0
port=0
enable_upnp=yes
enable_natpmp=yes
secure_mode=yes
upnp_nat_postrouting_chain=PUPNP
upnp_forward_chain=FUPNP
upnp_nat_chain=VUPNP
notify_interval=60
system_uptime=yes
friendly_name=Firewall
model_name=RT-AC86U
model_description=ASUS Wireless Router
model_number=384.15
serial=40:b0:76:c3:03:00
uuid=3ddcd1d3-2380-45f5-b069-40b076c30300
lease_file=/tmp/upnp.leases
clean_ruleset_interval=600
clean_ruleset_threshold=20
presentation_url=http://192.168.1.1:80/
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
deny <removed> 0.0.0.0/0 0-65535
min_lifetime=120
max_lifetime=86400

# START.OF.RULES

# Karl Perkins - 23.9.2022 - /jffs/config/upnp.add
# Example deny rule below
# deny 0-65535 192.168.1.20/32 1024-65535

# FrontDoor_Camera_HD wants some dodgy port forward via UPNP, so let's block it!
deny 0-65535 192.168.1.17/32 1024-65535

# There's some code in /jffs/scripts/upnp.postconf to move the global allow rule here
# END.OF.RULES.1
allow 1-65535 192.168.1.1/24 1024-65535

# There's some code in /jffs/scripts/upnp.postconf to move the global deny rule here
# END.OF.RULES.2
deny 0-65535 0.0.0.0/0 0-65535

I can confirm it works, and is now blocking 192.168.1.17 from accessing UPNP. If I have any other troublesome hosts, I can just add them to /jffs/config/upnp.add, and I don't need to fiddle with the postconf script any more.
Please also note you can also use this script to enable a global deny for all hosts to UPNP (just by commenting out one line in the script), and then /jffs/config/upnp.add can have allow rules to selectively allow various hosts access to UPNP.
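As an added check that is not part of the original post or of Merlin's helper.sh: a POSIX sh snippet that verifies a generated miniupnpd config has the rule order the postconf aims for (per-host denies before the global allow, global deny last, masks in prefix form), and a mask_to_prefix function that generalises the script's 255.255.255.0 to /24 rewrite to any contiguous dotted mask. The function names, the sample rules and the temp file path are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a generated
# miniupnpd config. miniupnpd applies the first matching allow/deny rule,
# so per-host deny rules from upnp.add must precede the global allow and
# the global deny must be the last rule.

# Print the prefix length of a contiguous dotted-quad mask; fail otherwise.
mask_to_prefix() (
    IFS=.; set -- $1; [ $# -eq 4 ] || exit 1
    bits=0; ended=0
    for octet in "$@"; do
        case "$octet" in
            255) [ "$ended" -eq 0 ] || exit 1; bits=$((bits + 8)) ;;
            254|252|248|240|224|192|128)
                [ "$ended" -eq 0 ] || exit 1; ended=1; n=$octet
                while [ "$n" -ne 0 ]; do bits=$((bits + n % 2)); n=$((n / 2)); done ;;
            0) ended=1 ;;
            *) exit 1 ;;
        esac
    done
    echo "$bits"
)

# Return 0 if the allow/deny rule order in config file "$1" is safe, else 1.
check_upnp_rule_order() {
    rules="$(grep -E '^(allow|deny) ' "$1" || true)"
    [ -n "$rules" ] || return 1
    # The catch-all deny must be the last rule.
    printf '%s\n' "$rules" | tail -n 1 | grep -Eq '^deny [0-9]+-[0-9]+ 0\.0\.0\.0/0 ' || return 1
    # Masks should already be prefix lengths, as the postconf rewrites them.
    printf '%s\n' "$rules" | grep -Eq '/[0-9]+\.[0-9]+\.' && return 1
    # The first allow that is not a single host is the global allow ...
    allow_no="$(printf '%s\n' "$rules" | grep -En '^allow ' | grep -Ev '/32 ' | head -n 1 | cut -d: -f1)"
    [ -n "$allow_no" ] || return 0   # no global allow: default-deny mode
    # ... and any per-host deny after it can never match (dead rule).
    printf '%s\n' "$rules" | tail -n +"$((allow_no + 1))" | grep -Eq '^deny .*/32 ' && return 1
    return 0
}

# Constructed sample in the layout the postconf produces (LAN values made up).
write_sample() {
    cat > "$1" <<'EOF'
deny 0-65535 192.168.1.17/32 1024-65535
allow 1-65535 192.168.1.1/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
EOF
}
write_sample "${TMPDIR:-/tmp}/upnp.sample.conf"
check_upnp_rule_order "${TMPDIR:-/tmp}/upnp.sample.conf" && echo "rule order OK" || echo "rule order UNSAFE"
echo "255.255.255.0 -> /$(mask_to_prefix 255.255.255.0)"
```

Run it against /etc/upnp/config after the postconf has fired to confirm the rewrite landed in the intended order.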