summaryrefslogtreecommitdiff
path: root/data/templates/firewall/upnpd.conf.j2
blob: e964fc696c8038691361f6ca075e6dfa27de91c6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
# This is the UPNP configuration file

# WAN network interface
ext_ifname={{ wan_interface }}
{% if wan_ip is vyos_defined %}
# If the WAN interface has several IP addresses, you
# can specify the one to use below
{%     for addr in wan_ip %}
ext_ip={{ addr }}
{%     endfor  %}
{% endif %}

# LAN network interfaces IPs / networks
{% if listen is vyos_defined %}
# There can be multiple listening IPs for SSDP traffic, in that case
# use multiple 'listening_ip=...' lines, one for each network interface.
# It can be IP address or network interface name (ie. "eth0")
# It is mandatory to use the network interface name in order to enable IPv6
# HTTP is available on all interfaces.
# When MULTIPLE_EXTERNAL_IP is enabled, the external IP
# address associated with the subnet follows. For example:
#  listening_ip=192.168.0.1/24 88.22.44.13
{%     for addr in listen %}
{%         if addr | is_ipv4  %}
listening_ip={{ addr }}
{%         elif addr | is_ipv6  %}
ipv6_listening_ip={{ addr }}
{%         else %}
listening_ip={{ addr }}
{%         endif  %}
{%     endfor  %}
{% endif %}

# CAUTION: mixing up WAN and LAN interfaces may introduce security risks!
# Be sure to assign the correct interfaces to LAN and WAN and consider
# implementing UPnP permission rules at the bottom of this configuration file

# Port for HTTP (descriptions and SOAP) traffic. Set to 0 for autoselect.
#http_port=0
# Port for HTTPS. Set to 0 for autoselect (default)
#https_port=0

# Path to the UNIX socket used to communicate with MiniSSDPd
# If running, MiniSSDPd will manage M-SEARCH answering.
# default is /var/run/minissdpd.sock
#minissdpdsocket=/var/run/minissdpd.sock

{% if nat_pmp is vyos_defined %}
# Enable NAT-PMP support (default is no)
enable_natpmp=yes
{% endif %}

# Enable UPNP support (default is yes)
enable_upnp=yes

{% if pcp_lifetime is vyos_defined %}
# PCP
# Configure the minimum and maximum lifetime of a port mapping in seconds
# 120s and 86400s (24h) are suggested values from PCP-base
{%     if pcp_lifetime.max is vyos_defined %}
max_lifetime={{ pcp_lifetime.max }}
{%     endif %}
{%     if pcp_lifetime.min is vyos_defined %}
min_lifetime={{ pcp_lifetime.min }}
{%     endif %}
{% endif %}


# To enable the next few runtime options, see compile time
# ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h)

{% if friendly_name is vyos_defined %}
# Name of this service, default is "`uname -s` router"
friendly_name={{ friendly_name }}
{% endif  %}

# Manufacturer name, default is "`uname -s`"
manufacturer_name=VyOS

# Manufacturer URL, default is URL of OS vendor
manufacturer_url=https://vyos.io/

# Model name, default is "`uname -s` router"
model_name=VyOS Router Model

# Model description, default is "`uname -s` router"
model_description=Vyos open source enterprise router/firewall operating system

# Model URL, default is URL of OS vendor
model_url=https://vyos.io/

{% if secure_mode is vyos_defined %}
# Secure Mode, UPnP clients can only add mappings to their own IP
secure_mode=yes
{% else %}
# Secure Mode, UPnP clients can only add mappings to their own IP
secure_mode=no
{% endif %}

{% if presentation_url is vyos_defined %}
# Default presentation URL is HTTP address on port 80
# If set to an empty string, no presentationURL element will appear
# in the XML description of the device, which prevents MS Windows
# from displaying an icon in the "Network Connections" panel.
#presentation_url= {{ presentation_url }}
{% endif %}

# Report system uptime instead of daemon uptime
system_uptime=yes

# Unused rules cleaning.
# never remove any rule before this threshold for the number
# of redirections is exceeded. default to 20
clean_ruleset_threshold=10
# Clean process work interval in seconds. default to 0 (disabled).
# a 600 seconds (10 minutes) interval makes sense
clean_ruleset_interval=600

# Anchor name in pf (default is miniupnpd)
# Something wrong with this option "anchor", comment it out
#   vyos@r14# miniupnpd -vv -f /run/upnp/miniupnp.conf
#   invalid option in file /run/upnp/miniupnp.conf line 74 : anchor=VyOS
#anchor=VyOS

uuid={{ uuid }}

# Lease file location
lease_file=/config/upnp.leases

# Daemon's serial and model number when reporting to clients
# (in XML description)
#serial=12345678
#model_number=1

{% if rule is vyos_defined %}
# UPnP permission rules
# (allow|deny) (external port range) IP/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# IP/mask format must be nnn.nnn.nnn.nnn/nn
# It is advised to only allow redirection of port >= 1024
# and end the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
# The following default ruleset allows specific LAN side IP addresses
# to request only ephemeral ports. It is recommended that users
# modify the IP ranges to match their own internal networks, and
# also consider implementing network-specific restrictions
# CAUTION: failure to enforce any rules may permit insecure requests to be made!
{%     for rule, config in rule.items() %}
{%         if config.disable is not vyos_defined %}
{{ config.action }} {{ config.external_port_range }} {{ config.ip }}{{ '/32' if '/' not in config.ip else '' }} {{ config.internal_port_range }}
{%         endif %}
{%     endfor %}
{% endif %}

{% if stun is vyos_defined %}
# WAN interface must have public IP address. Otherwise it is behind NAT
# and port forwarding is impossible. In some cases WAN interface can be
# behind unrestricted NAT 1:1 when all incoming traffic is NAT-ed and
# routed to WAN interfaces without any filtering. In this cases miniupnpd
# needs to know public IP address and it can be learnt by asking external
# server via STUN protocol. Following option enable retrieving external
# public IP address from STUN server and detection of NAT type. You need
# to specify also external STUN server in stun_host option below.
# This option is disabled by default.
ext_perform_stun=yes
# Specify STUN server, either hostname or IP address
# Some public STUN servers:
#  stun.stunprotocol.org
#  stun.sipgate.net
#  stun.xten.com
#  stun.l.google.com (on non standard port 19302)
ext_stun_host={{ stun.host }}
# Specify STUN UDP port, by default it is standard port 3478.
ext_stun_port={{ stun.port }}
{% endif %}