# WAN network interface #ext_ifname=eth1 #ext_ifname=xl1 # if the WAN network interface for IPv6 is different than for IPv4, # set ext_ifname6 #ext_ifname6=eth2 # If the WAN interface has several IP addresses, you # can specify the one to use below. # Setting ext_ip is also useful in double NAT setup, you can declare here # the public IP address. #ext_ip= # WAN interface must have public IP address. Otherwise it is behind NAT # and port forwarding is impossible. In some cases WAN interface can be # behind unrestricted full-cone NAT 1:1 when all incoming traffic is NAT-ed and # routed to WAN interfaces without any filtering. In this cases miniupnpd # needs to know public IP address and it can be learnt by asking external # server via STUN protocol. Following option enable retrieving external # public IP address from STUN server and detection of NAT type. You need # to specify also external STUN server in stun_host option below. # This option is disabled by default. #ext_perform_stun=yes # Specify STUN server, either hostname or IP address # Some public STUN servers: # stunserver.stunprotocol.org # stun.sipgate.net # stun.xten.com # stun.l.google.com (on non standard port 19302) #ext_stun_host=stunserver.stunprotocol.org # Specify STUN UDP port, by default it is standard port 3478. #ext_stun_port=3478 # LAN network interfaces IPs / networks # There can be multiple listening IPs for SSDP traffic, in that case # use multiple 'listening_ip=...' lines, one for each network interface. # It can be IP address or network interface name (ie. "eth0") # It is mandatory to use the network interface name in order to enable IPv6 # HTTP is available on all interfaces. # When MULTIPLE_EXTERNAL_IP is enabled, the external IP # address associated with the subnet follows. For example: # listening_ip=192.168.0.1/24 88.22.44.13 # When MULTIPLE_EXTERNAL_IP is disabled, you can list associated network # interfaces (for bridges) # listening_ip=bridge0 em0 wlan0 #listening_ip=192.168.0.1/24 #listening_ip=10.5.0.0/16 #listening_ip=eth0 # CAUTION: mixing up WAN and LAN interfaces may introduce security risks! # Be sure to assign the correct interfaces to LAN and WAN and consider # implementing UPnP permission rules at the bottom of this configuration file # Port for HTTP (descriptions and SOAP) traffic. Set to 0 for autoselect. #http_port=0 # Port for HTTPS. Set to 0 for autoselect (default) #https_port=0 # Path to the UNIX socket used to communicate with MiniSSDPd # If running, MiniSSDPd will manage M-SEARCH answering. # default is /var/run/minissdpd.sock #minissdpdsocket=/var/run/minissdpd.sock # Disable IPv6 (default is no : IPv6 enabled if enabled at build time) #ipv6_disable=yes # Enable NAT-PMP and PCP support (default is no) #enable_pcp_pmp=yes # Enable UPNP support (default is yes) #enable_upnp=no # PCP # Configure the minimum and maximum lifetime of a port mapping in seconds # 120s and 86400s (24h) are suggested values from PCP-base #min_lifetime=120 #max_lifetime=86400 # table names for netfilter nft. Default is "filter" for both #upnp_table_name= #upnp_nat_table_name= # chain names for netfilter and netfilter nft # netfilter : default are MINIUPNPD, MINIUPNPD, MINIUPNPD-POSTROUTING # netfilter nft : default are miniupnpd, prerouting_miniupnpd, postrouting_miniupnpd #upnp_forward_chain=forwardUPnP #upnp_nat_chain=UPnP #upnp_nat_postrouting_chain=UPnP-Postrouting # Lease file location #lease_file=/var/log/upnp.leases # To enable the next few runtime options, see compile time # ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h) # Name of this service, default is "`uname -s` router" #friendly_name=MiniUPnPd router # Manufacturer name, default is "`uname -s`" #manufacturer_name=Manufacturer corp # Manufacturer URL, default is URL of OS vendor #manufacturer_url=https://miniupnp.tuxfamily.org/ # Model name, default is "`uname -s` router" #model_name=Router Model # Model description, default is "`uname -s` router" #model_description=Very Secure Router - Model # Model URL, default is URL of OS vendor #model_url=https://miniupnp.tuxfamily.org/ # Bitrates reported by daemon in bits per second # by default miniupnpd tries to get WAN interface speed #bitrate_up=1000000 #bitrate_down=10000000 # Secure Mode, UPnP clients can only add mappings to their own IP # Enabled by default #secure_mode=no # Default presentation URL is HTTP address on port 80 # If set to an empty string, no presentationURL element will appear # in the XML description of the device, which prevents MS Windows # from displaying an icon in the "Network Connections" panel. #presentation_url=http://www.mylan/index.php # Report system uptime instead of daemon uptime system_uptime=yes # Notify interval in seconds. default is 30 seconds. #notify_interval=240 notify_interval=60 # Unused rules cleaning. # never remove any rule before this threshold for the number # of redirections is exceeded. default to 20 #clean_ruleset_threshold=10 # Clean process work interval in seconds. default to 0 (disabled). # a 600 seconds (10 minutes) interval makes sense clean_ruleset_interval=600 # Log packets in pf (default is no) #packet_log=no # Anchor name in pf (default is miniupnpd) #anchor=miniupnpd # ALTQ queue in pf # Filter rules must be used for this to be used. # compile with PF_ENABLE_FILTER_RULES (see config.h file) #queue=queue_name1 # Tag name in pf #tag=tag_name1 # Make filter rules in pf quick or not. default is yes # active when compiled with PF_ENABLE_FILTER_RULES (see config.h file) #quickrules=no # UUID, generate your own UUID with "make genuuid" uuid=00000000-0000-0000-0000-000000000000 # Daemon's serial and model number when reporting to clients # (in XML description) #serial=12345678 #model_number=1 # If compiled with IGD_V2 defined, force reporting IGDv1 in rootDesc (default # is no) #force_igd_desc_v1=no # UPnP permission rules (also enforced for NAT-PMP and PCP) # (allow|deny) (external port range) IP/mask (internal port range) (optional regex filter) # A port range is - or if there is only # one port in the range. # IP/mask format must be nnn.nnn.nnn.nnn/nn # It is advised to only allow redirection of port >= 1024 # and end the rule set with "deny 0-65535 0.0.0.0/0 0-65535" # The following default ruleset allows specific LAN side IP addresses # to request only ephemeral ports. It is recommended that users # modify the IP ranges to match their own internal networks, and # also consider implementing network-specific restrictions # CAUTION: failure to enforce any rules may permit insecure requests to be made! allow 1024-65535 192.168.0.0/24 1024-65535 # disallow requests whose description string matches the given regex # deny 1024-65535 192.168.1.0/24 1024-65535 "My evil app ver [[:digit:]]*" allow 1024-65535 192.168.1.0/24 1024-65535 allow 1024-65535 192.168.0.0/23 22 allow 12345 192.168.7.113/32 54321 deny 0-65535 0.0.0.0/0 0-65535