miniupnp/miniupnpd/miniupnpd.conf

194 lines
6.8 KiB
Plaintext

# WAN network interface
#ext_ifname=eth1
#ext_ifname=xl1
# if the WAN network interface for IPv6 is different than for IPv4,
# set ext_ifname6
#ext_ifname6=eth2
# If the WAN interface has several IP addresses, you
# can specify the one to use below.
# Setting ext_ip is also useful in double NAT setup, you can declare here
# the public IP address.
#ext_ip=
# WAN interface must have public IP address. Otherwise it is behind NAT
# and port forwarding is impossible. In some cases WAN interface can be
# behind unrestricted full-cone NAT 1:1 when all incoming traffic is NAT-ed and
# routed to WAN interfaces without any filtering. In this cases miniupnpd
# needs to know public IP address and it can be learnt by asking external
# server via STUN protocol. Following option enable retrieving external
# public IP address from STUN server and detection of NAT type. You need
# to specify also external STUN server in stun_host option below.
# This option is disabled by default.
#ext_perform_stun=yes
# Specify STUN server, either hostname or IP address
# Some public STUN servers:
# stunserver.stunprotocol.org
# stun.sipgate.net
# stun.xten.com
# stun.l.google.com (on non standard port 19302)
#ext_stun_host=stunserver.stunprotocol.org
# Specify STUN UDP port, by default it is standard port 3478.
#ext_stun_port=3478
# LAN network interfaces IPs / networks
# There can be multiple listening IPs for SSDP traffic, in that case
# use multiple 'listening_ip=...' lines, one for each network interface.
# It can be IP address or network interface name (ie. "eth0")
# It is mandatory to use the network interface name in order to enable IPv6
# HTTP is available on all interfaces.
# When MULTIPLE_EXTERNAL_IP is enabled, the external IP
# address associated with the subnet follows. For example:
# listening_ip=192.168.0.1/24 88.22.44.13
# When MULTIPLE_EXTERNAL_IP is disabled, you can list associated network
# interfaces (for bridges)
# listening_ip=bridge0 em0 wlan0
#listening_ip=192.168.0.1/24
#listening_ip=10.5.0.0/16
#listening_ip=eth0
# CAUTION: mixing up WAN and LAN interfaces may introduce security risks!
# Be sure to assign the correct interfaces to LAN and WAN and consider
# implementing UPnP permission rules at the bottom of this configuration file
# Port for HTTP (descriptions and SOAP) traffic. Set to 0 for autoselect.
#http_port=0
# Port for HTTPS. Set to 0 for autoselect (default)
#https_port=0
# Path to the UNIX socket used to communicate with MiniSSDPd
# If running, MiniSSDPd will manage M-SEARCH answering.
# default is /var/run/minissdpd.sock
#minissdpdsocket=/var/run/minissdpd.sock
# Disable IPv6 (default is no : IPv6 enabled if enabled at build time)
#ipv6_disable=yes
# Enable NAT-PMP and PCP support (default is no)
#enable_pcp_pmp=yes
# Enable UPNP support (default is yes)
#enable_upnp=no
# PCP
# Configure the minimum and maximum lifetime of a port mapping in seconds
# 120s and 86400s (24h) are suggested values from PCP-base
#min_lifetime=120
#max_lifetime=86400
# table names for netfilter nft. Default is "filter" for both
#upnp_table_name=
#upnp_nat_table_name=
# chain names for netfilter and netfilter nft
# netfilter : default are MINIUPNPD, MINIUPNPD, MINIUPNPD-POSTROUTING
# netfilter nft : default are miniupnpd, prerouting_miniupnpd, postrouting_miniupnpd
#upnp_forward_chain=forwardUPnP
#upnp_nat_chain=UPnP
#upnp_nat_postrouting_chain=UPnP-Postrouting
# Lease file location
#lease_file=/var/log/upnp.leases
# To enable the next few runtime options, see compile time
# ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h)
# Name of this service, default is "`uname -s` router"
#friendly_name=MiniUPnPd router
# Manufacturer name, default is "`uname -s`"
#manufacturer_name=Manufacturer corp
# Manufacturer URL, default is URL of OS vendor
#manufacturer_url=https://miniupnp.tuxfamily.org/
# Model name, default is "`uname -s` router"
#model_name=Router Model
# Model description, default is "`uname -s` router"
#model_description=Very Secure Router - Model
# Model URL, default is URL of OS vendor
#model_url=https://miniupnp.tuxfamily.org/
# Bitrates reported by daemon in bits per second
# by default miniupnpd tries to get WAN interface speed
#bitrate_up=1000000
#bitrate_down=10000000
# Secure Mode, UPnP clients can only add mappings to their own IP
# Enabled by default
#secure_mode=no
# Default presentation URL is HTTP address on port 80
# If set to an empty string, no presentationURL element will appear
# in the XML description of the device, which prevents MS Windows
# from displaying an icon in the "Network Connections" panel.
#presentation_url=http://www.mylan/index.php
# Report system uptime instead of daemon uptime
system_uptime=yes
# Notify interval in seconds. default is 30 seconds.
#notify_interval=240
notify_interval=60
# Unused rules cleaning.
# never remove any rule before this threshold for the number
# of redirections is exceeded. default to 20
#clean_ruleset_threshold=10
# Clean process work interval in seconds. default to 0 (disabled).
# a 600 seconds (10 minutes) interval makes sense
clean_ruleset_interval=600
# Log packets in pf (default is no)
#packet_log=no
# Anchor name in pf (default is miniupnpd)
#anchor=miniupnpd
# ALTQ queue in pf
# Filter rules must be used for this to be used.
# compile with PF_ENABLE_FILTER_RULES (see config.h file)
#queue=queue_name1
# Tag name in pf
#tag=tag_name1
# Make filter rules in pf quick or not. default is yes
# active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
#quickrules=no
# UUID, generate your own UUID with "make genuuid"
uuid=00000000-0000-0000-0000-000000000000
# Daemon's serial and model number when reporting to clients
# (in XML description)
#serial=12345678
#model_number=1
# If compiled with IGD_V2 defined, force reporting IGDv1 in rootDesc (default
# is no)
#force_igd_desc_v1=no
# UPnP permission rules (also enforced for NAT-PMP and PCP)
# (allow|deny) (external port range) IP/mask (internal port range) (optional regex filter)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# IP/mask format must be nnn.nnn.nnn.nnn/nn
# It is advised to only allow redirection of port >= 1024
# and end the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
# The following default ruleset allows specific LAN side IP addresses
# to request only ephemeral ports. It is recommended that users
# modify the IP ranges to match their own internal networks, and
# also consider implementing network-specific restrictions
# CAUTION: failure to enforce any rules may permit insecure requests to be made!
allow 1024-65535 192.168.0.0/24 1024-65535
# disallow requests whose description string matches the given regex
# deny 1024-65535 192.168.1.0/24 1024-65535 "My evil app ver [[:digit:]]*"
allow 1024-65535 192.168.1.0/24 1024-65535
allow 1024-65535 192.168.0.0/23 22
allow 12345 192.168.7.113/32 54321
deny 0-65535 0.0.0.0/0 0-65535