Saturday, July 30, 2016

Limiting UPnP Functionality on pfSense Interfaces

In my previous article, I discussed limiting outbound traffic on pfSense networks by port. The UPnP mechanism can bypass those port restrictions by opening additional ports on the interface itself. Typically this is done by devices such as gaming consoles, and it can be a genuinely needed capability that would otherwise be too complex to manage manually.

However, on pfSense networks where you may not want to allow this, I will show you how to turn it off or limit the functionality to specific interfaces. You may have a neighbour on your "guest" wireless using BitTorrent to download pirated content (and you get blamed for it). That system uses UPnP to add port entries to get through your pfSense firewall!

Rules added by UPnP should be shown in the "Floating" tab. To choose which network interfaces UPnP is allowed to modify, select "UPnP & NAT-PMP" from the "Services" menu. You will see a page that looks like this:


Under "Interfaces", the networks with UPnP enabled are selected. In this example, only my 'LAN' interface has UPnP enabled. Below this box (not shown in my screenshot) you can also limit bandwidth or set access conditions for UPnP on the interfaces where it is active.
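As an added check that is not part of the original post: after saving the interface list, run this Python script from a client on an interface where UPnP should now be off. It sends a standard SSDP M-SEARCH for an Internet Gateway Device and lists any gateway that answers; pfSense's miniupnpd should answer only on the interfaces you left selected. The multicast address, port and search target are the UPnP standard values; the IP address passed on the command line is assumed to be the client's own address on the network being checked.

```python
import socket
# Added example, not from the original post: probes whether pfSense's miniupnpd answers SSDP here.
SSDP_ADDR = ("239.255.255.250", 1900)
IGD_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

def build_msearch(search_target: str = IGD_TARGET, mx: int = 2) -> bytes:
    """SSDP discovery request: HTTP-style headers over UDP multicast."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {search_target}", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_ssdp_response(data: bytes) -> dict:
    """Headers of an SSDP '200 OK' reply as an upper-cased dict; {} for anything else."""
    head = data.decode("ascii", errors="replace").partition("\r\n\r\n")[0]
    status, *header_lines = head.split("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def probe_igd(bind_ip: str, timeout: float = 3.0) -> list:
    """Send M-SEARCH from bind_ip and collect (responder, LOCATION) for each IGD reply.
    An empty list means no UPnP gateway answered on that network within the timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.bind((bind_ip, 0))  # pick the interface by its local address
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:  # keep reading until the timeout fires
            data, (src, _) = sock.recvfrom(4096)
            headers = parse_ssdp_response(data)
            if "LOCATION" in headers:
                found.append((src, headers["LOCATION"]))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

if __name__ == "__main__":
    import sys
    # Run from a client on the guest network; pass that client's own IP address.
    hits = probe_igd(sys.argv[1] if len(sys.argv) > 1 else "0.0.0.0")
    print("UPnP gateway still answering:" if hits else "no IGD answered", hits)
```

An empty result on the guest interface and a LOCATION URL on the LAN interface is the outcome you want after limiting UPnP to 'LAN'.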

Stay tuned for further pfSense content...
