miniupnp/miniupnpd/miniupnpd.conf
Sven Auhagen 2c9a645b10 NFTables: Add backwards compatibility for IPv4 NAT
NFtables uses the INET table for NAT which combines IPv4 and IPv6.
Older systems might not have this option and use the ip table instead.

This adds a flag to fall back to the ip table style.

Signed-Off-By: Sven Auhagen <sven.auhagen@voleatech.de>
2024-03-04 06:18:41 +01:00

197 lines
6.9 KiB
Plaintext

# WAN network interface
#ext_ifname=eth1
#ext_ifname=xl1
# if the WAN network interface for IPv6 is different than for IPv4,
# set ext_ifname6
#ext_ifname6=eth2
# If the WAN interface has several IP addresses, you
# can specify the one to use below.
# Setting ext_ip is also useful in double NAT setup, you can declare here
# the public IP address.
#ext_ip=
# WAN interface must have public IP address. Otherwise it is behind NAT
# and port forwarding is impossible. In some cases WAN interface can be
# behind unrestricted full-cone NAT 1:1 when all incoming traffic is NAT-ed and
# routed to WAN interfaces without any filtering. In this cases miniupnpd
# needs to know public IP address and it can be learnt by asking external
# server via STUN protocol. Following option enable retrieving external
# public IP address from STUN server and detection of NAT type. You need
# to specify also external STUN server in stun_host option below.
# This option is disabled by default.
#ext_perform_stun=yes
# Specify STUN server, either hostname or IP address
# Some public STUN servers:
# stunserver.stunprotocol.org
# stun.sipgate.net
# stun.xten.com
# stun.l.google.com (on non standard port 19302)
#ext_stun_host=stunserver.stunprotocol.org
# Specify STUN UDP port, by default it is standard port 3478.
#ext_stun_port=3478
# LAN network interfaces IPs / networks
# There can be multiple listening IPs for SSDP traffic, in that case
# use multiple 'listening_ip=...' lines, one for each network interface.
# It can be IP address or network interface name (ie. "eth0")
# It is mandatory to use the network interface name in order to enable IPv6
# HTTP is available on all interfaces.
# When MULTIPLE_EXTERNAL_IP is enabled, the external IP
# address associated with the subnet follows. For example:
# listening_ip=192.168.0.1/24 88.22.44.13
# When MULTIPLE_EXTERNAL_IP is disabled, you can list associated network
# interfaces (for bridges)
# listening_ip=bridge0 em0 wlan0
#listening_ip=192.168.0.1/24
#listening_ip=10.5.0.0/16
#listening_ip=eth0
# CAUTION: mixing up WAN and LAN interfaces may introduce security risks!
# Be sure to assign the correct interfaces to LAN and WAN and consider
# implementing UPnP permission rules at the bottom of this configuration file
# Port for HTTP (descriptions and SOAP) traffic. Set to 0 for autoselect.
#http_port=0
# Port for HTTPS. Set to 0 for autoselect (default)
#https_port=0
# Path to the UNIX socket used to communicate with MiniSSDPd
# If running, MiniSSDPd will manage M-SEARCH answering.
# default is /var/run/minissdpd.sock
#minissdpdsocket=/var/run/minissdpd.sock
# Disable IPv6 (default is no : IPv6 enabled if enabled at build time)
#ipv6_disable=yes
# Enable NAT-PMP and PCP support (default is no)
#enable_pcp_pmp=yes
# Enable UPNP support (default is yes)
#enable_upnp=no
# PCP
# Configure the minimum and maximum lifetime of a port mapping in seconds
# 120s and 86400s (24h) are suggested values from PCP-base
#min_lifetime=120
#max_lifetime=86400
# allow THIRD_PARTY Option for MAP and PEER Opcodes (default is no)
#pcp_allow_thirdparty=yes
# table names for netfilter nft. Default is "filter" for both
#upnp_table_name=
#upnp_nat_table_name=
# chain names for netfilter and netfilter nft
# netfilter : default are MINIUPNPD, MINIUPNPD, MINIUPNPD-POSTROUTING
# netfilter nft : default are miniupnpd, prerouting_miniupnpd, postrouting_miniupnpd
#upnp_forward_chain=forwardUPnP
#upnp_nat_chain=UPnP
#upnp_nat_postrouting_chain=UPnP-Postrouting
#upnp_nftables_family_split=no
# Lease file location
#lease_file=/var/log/upnp.leases
# To enable the next few runtime options, see compile time
# ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h)
# Name of this service, default is "`uname -s` router"
#friendly_name=MiniUPnPd router
# Manufacturer name, default is "`uname -s`"
#manufacturer_name=Manufacturer corp
# Manufacturer URL, default is URL of OS vendor
#manufacturer_url=https://miniupnp.tuxfamily.org/
# Model name, default is "`uname -s` router"
#model_name=Router Model
# Model description, default is "`uname -s` router"
#model_description=Very Secure Router - Model
# Model URL, default is URL of OS vendor
#model_url=https://miniupnp.tuxfamily.org/
# Bitrates reported by daemon in bits per second
# by default miniupnpd tries to get WAN interface speed
#bitrate_up=1000000
#bitrate_down=10000000
# Secure Mode, UPnP clients can only add mappings to their own IP
# Enabled by default
#secure_mode=no
# Default presentation URL is HTTP address on port 80
# If set to an empty string, no presentationURL element will appear
# in the XML description of the device, which prevents MS Windows
# from displaying an icon in the "Network Connections" panel.
#presentation_url=http://www.mylan/index.php
# Report system uptime instead of daemon uptime
system_uptime=yes
# Notify interval in seconds. default is 30 seconds.
#notify_interval=240
notify_interval=60
# Unused rules cleaning.
# never remove any rule before this threshold for the number
# of redirections is exceeded. default to 20
#clean_ruleset_threshold=10
# Clean process work interval in seconds. default to 0 (disabled).
# a 600 seconds (10 minutes) interval makes sense
clean_ruleset_interval=600
# Log packets in pf (default is no)
#packet_log=no
# Anchor name in pf (default is miniupnpd)
#anchor=miniupnpd
# ALTQ queue in pf
# Filter rules must be used for this to be used.
# compile with PF_ENABLE_FILTER_RULES (see config.h file)
#queue=queue_name1
# Tag name in pf
#tag=tag_name1
# Make filter rules in pf quick or not. default is yes
# active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
#quickrules=no
# UUID, generate your own UUID with "make genuuid"
uuid=00000000-0000-0000-0000-000000000000
# Daemon's serial and model number when reporting to clients
# (in XML description)
#serial=12345678
#model_number=1
# If compiled with IGD_V2 defined, force reporting IGDv1 in rootDesc (default
# is no)
#force_igd_desc_v1=no
# UPnP permission rules (also enforced for NAT-PMP and PCP)
# (allow|deny) (external port range) IP/mask (internal port range) (optional regex filter)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# IP/mask format must be nnn.nnn.nnn.nnn/nn
# It is advised to only allow redirection of port >= 1024
# and end the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
# The following default ruleset allows specific LAN side IP addresses
# to request only ephemeral ports. It is recommended that users
# modify the IP ranges to match their own internal networks, and
# also consider implementing network-specific restrictions
# CAUTION: failure to enforce any rules may permit insecure requests to be made!
allow 1024-65535 192.168.0.0/24 1024-65535
# disallow requests whose description string matches the given regex
# deny 1024-65535 192.168.1.0/24 1024-65535 "My evil app ver [[:digit:]]*"
allow 1024-65535 192.168.1.0/24 1024-65535
allow 1024-65535 192.168.0.0/23 22
allow 12345 192.168.7.113/32 54321
deny 0-65535 0.0.0.0/0 0-65535