Related https://vyos.dev/T921
All Stories
May 14 2024
More info related to PowerDNS DNSdist: https://powerdns.org/dnsdist-md/dnsdist-diagrams.md.html
In T5835#187937, @syncer wrote: go learn how cheap cameras open firewalls via UPnP and make them available on the internet without people being aware of that,
or how malware exfiltrates data via port 443 because enterprises can't reliably block outbound traffic on that port.
In T5835#187935, @Viacheslav wrote: If you know how to test it, it will be great to test it. If no one needs it even for tests, what are we talking about?
Created a poll for maintainers on this topic, and we will go with the decision made.
In T5835#187936, @simplysoft wrote: Yes, that is exactly the point. Glad you did not suggest removing the NAT capability of VyOS because it could be used to bypass security or is not appropriate for an "enterprise".
In T5835#187934, @syncer wrote: In T5835#187933, @simplysoft wrote: A firewall is doing exactly this all the time when using NAT, autonomously opening ports via calls from internal networks (aka internally originated traffic) to allow responses to reach the originator. Enterprises might have some strict outbound rules. For UPnP it is exactly the same: an enterprise would have strict rules about which services are allowed to open ports.
Not if it's not configured to do so.
In T5835#187933, @simplysoft wrote: I'm not sure if that summary from you @Viacheslav is fully reflecting the current state.
I'm also not sure if the original implementation never worked; it might very well have been broken while refactoring some VyOS internals of how the firewall is structured, but I guess you should have a better understanding of (the history of) your product. Otherwise I would be very surprised if a broken feature got into your product without ever working / being tested.
I fail to comprehend how a firewall that autonomously opens ports via calls from internal networks is appropriate for an enterprise.
Indeed there are some use cases, but this functionality can be used by malicious code and allows bypassing the security configuration that is otherwise enforced.
In summary, it works with custom scripts and patches, but it still does not work from the CLI (not fully integrated).
The scripts that should be involved are in the repo https://github.com/miniupnp/miniupnp/tree/miniupnpd_2_3_3/miniupnpd/netfilter_nft/scripts
Until we have them and they communicate with the firewall, the feature does not work.
A patch is attached in several posts above: https://vyos.dev/T5835#174066
In T5835#187919, @syncer wrote: Does it work now?
One reason it is rarely seen is that most are not aware of it being used under cover, and when it is not present nothing necessarily breaks (due to fallback to other mechanisms). For some home routers we saw this was an undocumented "feature" that you did not have any control over; more recent and reasonable implementations we have seen allow you to enable or disable it (but nothing much more, like fine-grained permissions).
I have rarely seen UPnP in enterprise environments and rarely at home, even if the main purpose is to use it at home and let applications backdoor your firewall (which often is a bad thing in enterprise environments).
No doubt that there are other use cases.
Since 1.2 LTS, we received zero requests from customers about adding UPnP; hence, we don't see any value in it.
In T5835#187910, @syncer wrote: @aidan-gibson main use case is games typically, which is not in priority for us
@aidan-gibson It's never worked, and demand is slim to none
bruh
Why just not sign repositories?
I updated to version VyOS 1.5-rolling-202405121403 and the open-vm-tools are working again.
May 13 2024
We have had decent progress since my last message a year back. This task can be closed for now I guess.