
Re: Review of new English templates for miniupnpd



Yangfl wrote:
> Justin B Rye wrote:
>>    Be aware that the default settings for this package are only suitable for
>>    a system where the ports required are accessible. If a firewall has
>>    been set up blocking them, you should reject this option now, edit
>>    /etc/miniupnpd/miniupnpd.conf and the scripts in /etc/miniupnpd/*.sh
>>    appropriately, and enable the daemon later with "service miniupnpd enable".
>>
>> (I've no idea what the relevant ports are, so I hope your users can
>> think of some better search engine queries than I could.)
> 
> I should clarify that the upnpd daemon does nothing other than maintain a list of
> allow/deny rules.

Well, *and* actively setting up port-mappings/redirections, right?
But it all works through netfilter rules of some sort...

> Whether to use these rules, where these rules are placed,
> and what to do if no rules match the traffic is up to external
> configuration, i.e. the /etc scripts. As always, these scripts expect a very
> specific layout of firewall chains; if users have custom firewall
> rules/chains, things will break down.

In that case it might as well keep it simple:

 Be aware that the default settings for this package are only suitable for
 a system with no pre-existing firewall. If a firewall has already been set
 up, you should reject this option now, edit /etc/miniupnpd/miniupnpd.conf
 and the scripts in /etc/miniupnpd/ appropriately, and enable the daemon
 later with "service miniupnpd enable".
 
>>   .
>>>  Be extremely careful if you don't have physical access to the machine, as you
>>>  may be blocked by the firewall immediately.
>>
>> Because I might be using UPnP port redirection for my SSH connection?
>> Except that I haven't started the miniUPnP daemon yet, so how does
>> that work?
> 
> For some reason the default action for unmatched traffic is drop.

I suspect the thing that's confusing me here is that "the firewall" in
this paragraph isn't the pre-existing firewall that we were talking
about above - instead you're talking about a new set of rules that
would be activated if I accepted this option?  If so, say something
more like:

 If you don't have physical access to the machine, be careful not to
 activate the daemon with rules that will block your connection.


So that would be:

 Template: miniupnpd/start_daemon
 Type: boolean
 Default: false
 _Description: Start the MiniUPnP daemon automatically?
  Choose this option if the MiniUPnP daemon should start automatically,
  now and at boot time.
  .
  Be aware that the default settings for this package are only suitable for
  a system with no pre-existing firewall. If a firewall has already been set
  up, you should reject this option now, edit /etc/miniupnpd/miniupnpd.conf
  and the scripts in /etc/miniupnpd/ appropriately, and enable the daemon
  later with "service miniupnpd enable".
  .
  If you don't have physical access to the machine, be careful not to
  activate the daemon with rules that will block your connection.
  .
  If in doubt, reject this option.

-- 
JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package
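A concrete version of the "don't activate the daemon with rules that will block your connection" caveat, added here as an example; it is not from the thread, the miniupnpd package or its Debian scripts. It assumes the live rules are inspected in iptables-save format, that the admin session is TCP on the port given as an argument, and that the MINIUPNPD chain name in the constructed sample is how the package's scripts lay out their chain (an assumption, not something the thread states). The preflight check refuses when the INPUT policy is DROP and there is no explicit ACCEPT for the session port; the guard snapshots the rules and arms a timed restore before running whatever command activates the daemon.

```shell
#!/bin/sh
# Lock-out guard for enabling a firewall-managing daemon over SSH.
# Added example; not part of miniupnpd, its Debian scripts, or this thread.
# Assumptions: rules are read in iptables-save format; the admin session is
# TCP on the port passed in; the MINIUPNPD chain name in the sample is an
# assumption about the package's scripts, not something the thread states.

# Constructed sample of iptables-save output (not captured from a real host):
# INPUT policy DROP, an explicit ACCEPT for tcp/22, a MINIUPNPD chain.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -j MINIUPNPD
COMMIT'

# input_policy RULES: print the policy of the INPUT chain (DROP or ACCEPT).
input_policy() {
    printf '%s\n' "$1" | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p'
}

# port_allowed RULES PORT: succeed if INPUT has an explicit ACCEPT for tcp/PORT.
# Only single --dport rules are recognised; -m multiport lists are not.
port_allowed() {
    printf '%s\n' "$1" | grep -Eq "^-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT"
}

# preflight RULES PORT: succeed when the rule set cannot cut off a session on
# tcp/PORT, i.e. the INPUT policy is not DROP or there is an explicit ACCEPT.
preflight() {
    if [ "$(input_policy "$1")" = "DROP" ] && ! port_allowed "$1" "$2"; then
        echo "INPUT policy is DROP and tcp/$2 has no ACCEPT rule: refusing" >&2
        return 1
    fi
    return 0
}

# guarded_run PORT SECONDS CMD...: snapshot the live rules, arm a background
# job that restores them after SECONDS, then run CMD. If CMD cuts off your
# session, the snapshot comes back on its own; if it does not, kill the job.
# Needs root and iptables-save/iptables-restore; the functions above do not.
guarded_run() {
    port=$1; secs=$2; shift 2
    snap=$(mktemp) || return 1
    iptables-save > "$snap" || return 1
    preflight "$(cat "$snap")" "$port" || return 1
    ( sleep "$secs"; iptables-restore < "$snap"; rm -f "$snap" ) &
    echo "rollback armed: kill $! within ${secs}s once you have confirmed access"
    "$@"
}

# Dry check on the constructed sample; guarded_run is left for a real session,
# e.g. (hypothetical usage): guarded_run 22 120 service miniupnpd start
preflight "$SAMPLE_RULES" 22 && echo "sample rule set: tcp/22 stays reachable"
```

The restore job only puts the snapshot back; if the daemon was started it keeps running against the restored chains, so after reconnecting, stop it and look at what its scripts did before trying again with an adjusted /etc/miniupnpd/miniupnpd.conf and scripts.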

