VyOS 1.4 Sagitta (1.4.0-epa1) Milestone
Active, Public

Description

1.4.0 Early Production Access 1

Recent Activity

Tue, May 14

Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

If you are really that curious, I can attach a screenshot.

Tue, May 14, 4:04 PM
dylanneild added a comment to T5835: UPnP port mapping / rule installation fails.

If someone wants, I can probably unearth my patches to 1.4 and miniupnpd to make it all work. It was technically functional and worked as expected. I just don't have the time or patience to deal with getting it merged/integrated back into the project.

Tue, May 14, 3:59 PM
dmbaturin added a comment to T5835: UPnP port mapping / rule installation fails.

Out of curiosity, will the details of the poll be public, or will the results be shared transparently?

Tue, May 14, 3:48 PM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

A bunch to unpack here.
[...]

Tue, May 14, 3:41 PM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

Created a poll for maintainers on this topic, and we will go with the decision made.

Tue, May 14, 3:36 PM
dylanneild added a comment to T5835: UPnP port mapping / rule installation fails.

A bunch to unpack here.

Tue, May 14, 3:33 PM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

Go learn how cheap cameras open firewalls via UPnP and make them available on the internet without people being aware of that,

or how malware exfiltrates data via port 443 because enterprises can't reliably block outbound traffic on that port.

Tue, May 14, 2:48 PM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

If you know how to test it will be great to test it. If no one needs it even for tests, what are we talking about?

Tue, May 14, 2:29 PM
syncer added a comment to T5835: UPnP port mapping / rule installation fails.

Created a poll for maintainers on this topic, and we will go with the decision made.

Tue, May 14, 2:27 PM
syncer added a comment to T5835: UPnP port mapping / rule installation fails.
In T5835#187936, @simplysoft wrote:

Yes, that is exactly the point. Glad you did not suggest to remove the NAT capability of vyos because it could be used to bypass security or is not appropriate for an "enterprise"

Tue, May 14, 2:24 PM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.
In T5835#187933, @simplysoft wrote:

A firewall is doing exactly this all the time when using NAT, autonomously opening ports via calls from internal networks (aka internally originated traffic) to allow responses to reach the originator. Enterprises might have some strict outbound rules. For UPnP it is exactly the same: an enterprise would have strict rules about which services are allowed to open ports.

Not if it's not configured to do so.

Tue, May 14, 2:20 PM
Viacheslav added a comment to T5835: UPnP port mapping / rule installation fails.
In T5835#187933, @simplysoft wrote:

I'm not sure if that summary from you @Viacheslav is fully reflecting the current state.
I'm also not sure if the original implementation never worked; it might very well have been broken while refactoring some VyOS internals regarding how the firewall is structured, but I guess you should have a better understanding of (the history of) your product. Otherwise I would be very surprised if a broken feature got into your product without ever working / being tested.

Tue, May 14, 2:18 PM
syncer added a comment to T5835: UPnP port mapping / rule installation fails.
In T5835#187933, @simplysoft wrote:

A firewall is doing exactly this all the time when using NAT, autonomously opening ports via calls from internal networks (aka internally originated traffic) to allow responses to reach the originator. Enterprises might have some strict outbound rules. For UPnP it is exactly the same: an enterprise would have strict rules about which services are allowed to open ports.

Not if it's not configured to do so.

Tue, May 14, 2:07 PM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

I'm not sure if that summary from you @Viacheslav is fully reflecting the current state.
I'm also not sure if the original implementation never worked; it might very well have been broken while refactoring some VyOS internals regarding how the firewall is structured, but I guess you should have a better understanding of (the history of) your product. Otherwise I would be very surprised if a broken feature got into your product without ever working / being tested.

Tue, May 14, 2:03 PM
syncer added a comment to T5835: UPnP port mapping / rule installation fails.

I fail to comprehend how a firewall that autonomously opens ports via calls from internal networks is appropriate for an enterprise.
Indeed there are some use cases, but this functionality can be used by malicious code and allow bypassing security configuration that is enforced otherwise.

Tue, May 14, 1:13 PM
Viacheslav added a comment to T5835: UPnP port mapping / rule installation fails.

In summary, it works with custom scripts and patches, but it still does not work from the CLI (not fully integrated).
The scripts that should be involved are in the repo https://github.com/miniupnp/miniupnp/tree/miniupnpd_2_3_3/miniupnpd/netfilter_nft/scripts
Until we have them and they communicate with the firewall, the feature does not work.
A patch is attached in several posts above: https://vyos.dev/T5835#174066

Tue, May 14, 12:40 PM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

Does it work now?

Tue, May 14, 11:04 AM
Viacheslav lowered the priority of T5497: Add ability to resequence rule numbers for firewall from Normal to Wishlist.
Tue, May 14, 10:57 AM · VyOS 1.4 Sagitta (1.4.0-epa1)
n.fort placed T5497: Add ability to resequence rule numbers for firewall up for grabs.
Tue, May 14, 10:56 AM · VyOS 1.4 Sagitta (1.4.0-epa1)
syncer added a comment to T5835: UPnP port mapping / rule installation fails.

Does it work now?

Tue, May 14, 10:43 AM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

One reason it is rarely seen is that most are not aware of it being used under cover, and when it is not present, nothing necessarily breaks (due to fallback to other mechanisms). For some home routers we saw this was an undocumented "feature" that you did not have any control over; more recent and reasonable implementations we have seen allow you to enable or disable it (but nothing much more, like fine-grained permissions).

Tue, May 14, 10:36 AM
Apachez added a comment to T5835: UPnP port mapping / rule installation fails.

I have rarely seen UPnP in enterprise environments and rarely at home, even if the main purpose is to use it at home and let applications backdoor your firewall (which often is a bad thing in enterprise environments).

Tue, May 14, 10:23 AM
syncer added a comment to T5835: UPnP port mapping / rule installation fails.

No doubt that there are other use cases.
Since 1.2 LTS, we have received zero requests from customers about adding UPnP; hence, we don't see any value in it.

Tue, May 14, 9:50 AM
Unknown Object (User) added a comment to T5835: UPnP port mapping / rule installation fails.

@aidan-gibson The main use case is games typically, which is not a priority for us.

Tue, May 14, 9:17 AM
syncer added a comment to T5835: UPnP port mapping / rule installation fails.

@aidan-gibson It has never worked, and demand is slim to none.
The main use case is games typically, which is not a priority for us.

Tue, May 14, 7:45 AM
aidan-gibson added a comment to T5835: UPnP port mapping / rule installation fails.

bruh

Tue, May 14, 7:42 AM

Mon, May 13

syncer edited projects for T1070: SWANCTL: DMVPN: ALL peers are deleted in swan when opennhrp tries to delete ONE peer, added: VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).
Mon, May 13, 7:36 PM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.3 Equuleus (1.3.8), Restricted Project
syncer edited projects for T1311: WAN load-balancing can't flush connections when conntrack-sync is enabled, added: VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).
Mon, May 13, 7:35 PM · VyOS 1.3 Equuleus (1.3.8), VyOS 1.4 Sagitta (1.4.0-epa1), Restricted Project, test
syncer edited projects for T2145: openvpn: server default topology net30 is incompatible with static client IPs for Windows clients, added: VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).
Mon, May 13, 7:34 PM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.3 Equuleus (1.3.8), Restricted Project, openvpn
syncer edited projects for T2207: IPv6 route install failed, added: VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).
Mon, May 13, 7:34 PM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.3 Equuleus (1.3.8), Restricted Project, VyOS 1.5 Circinus
syncer edited projects for T2251: VRF communication breaks when utilizing zone-based firewalling, added: VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).
Mon, May 13, 7:34 PM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.3 Equuleus (1.3.8), Restricted Project
syncer edited projects for T2287: LLDP not working on X710 adapter, i40e driver, added: VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).
Mon, May 13, 7:34 PM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.3 Equuleus (1.3.8), Restricted Project, VyOS 1.5 Circinus
syncer edited projects for T2760: In a load-balanced multi-wan configuration with DHCP assigned addresses, IPsec "dhcp-interface" does not work, added: VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).
Mon, May 13, 7:34 PM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.3 Equuleus (1.3.8), Restricted Project
syncer edited projects for T2762: VRF: when SSHd is VRF bound all commands are executed in VRF context, added: VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).
Mon, May 13, 7:34 PM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.3 Equuleus (1.3.8), Restricted Project
syncer edited projects for T2840: "beep-if-fully-booted" beeps too early, added: VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).
Mon, May 13, 7:33 PM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.3 Equuleus (1.3.8), Restricted Project, VyOS 1.5 Circinus
syncer edited projects for T3824: Ethernet offload options are not populated in new installs, added: VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).
Mon, May 13, 7:33 PM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.3 Equuleus (1.3.8), Restricted Project
syncer edited projects for T3933: The firewall does not filter incoming traffic on the interface with vrf., added: VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).
Mon, May 13, 7:33 PM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.3 Equuleus (1.3.8), Restricted Project
syncer edited projects for T5444: R8169 driver crash, added: VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).
Mon, May 13, 7:32 PM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.3 Equuleus (1.3.8), Restricted Project
syncer edited projects for T5926: IPSEC does not apply after l2tp configuration was changed, added: VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).
Mon, May 13, 7:32 PM · VyOS 1.3 Equuleus (1.3.8), VyOS 1.4 Sagitta (1.4.0-epa1), VyOS 1.5 Circinus
syncer edited projects for T5881: IPv6 addresses jumbled in flow accounting, added: VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).
Mon, May 13, 7:32 PM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.3 Equuleus (1.3.8)
dmbaturin edited projects for T4915: Minisign verification failure == pass??, added: VyOS 1.4 Sagitta (1.4.0-epa1); removed VyOS 1.4 Sagitta (1.4.0-epa3).
Mon, May 13, 1:43 PM · VyOS 1.4 Sagitta (1.4.0-epa1)
syncer assigned T5835: UPnP port mapping / rule installation fails to dmbaturin.

@dmbaturin, I propose removal of the UPnP stuff from 1.5 and 1.4.

Mon, May 13, 11:17 AM
aidan-gibson added a comment to T5835: UPnP port mapping / rule installation fails.

Any update on this PR? (thanks for the work put into this!!)

Mon, May 13, 8:39 AM

Sat, May 11

dmbaturin changed Why the issue appeared? from none to implementation-mistake on T6056: Applying 'system static-host-mapping' command calls unnecessary snmpd restart.
Sat, May 11, 8:06 PM · VyOS 1.4 Sagitta (1.4.0-epa1), VyOS 1.3 Equuleus (1.3.7)
dmbaturin edited projects for T3642: PKI configuration, added: VyOS 1.4 Sagitta (1.4.0-epa1); removed VyOS 1.4 Sagitta.
Sat, May 11, 4:53 PM · VyOS 1.4 Sagitta (1.4.0-epa1)
DerEnderKeks added a comment to T4923: Zebra sends router advertisements even though it's not supposed to.

I finally managed to narrow this down further. This problem is caused by enabling the extended nexthop capability. FRR intentionally sends RAs when this capability is enabled, although so far I don't understand why. I opened a discussion in the FRR repo: https://github.com/FRRouting/frr/discussions/15994

Sat, May 11, 11:38 AM · VyOS 1.4 Sagitta (1.4.0-GA), Restricted Project

Fri, May 10

dmbaturin changed Issue type from documentation to improvement on T5418: Allow arbitrary subnets in PPPoE client IP pools.
Fri, May 10, 8:10 PM · VyOS 1.4 Sagitta (1.4.0-epa1), VyOS 1.3 Equuleus (1.3.7)
dmbaturin edited projects for T2801: conntrack-tools flooding logs, added: VyOS 1.4 Sagitta (1.4.0-epa1); removed VyOS 1.5 Circinus, VyOS 1.4 Sagitta.
Fri, May 10, 8:09 PM · VyOS 1.4 Sagitta (1.4.0-epa1), VyOS 1.3 Equuleus (1.3.7)
dmbaturin removed a project from T6056: Applying 'system static-host-mapping' command calls unnecessary snmpd restart: VyOS 1.5 Circinus.
Fri, May 10, 7:51 PM · VyOS 1.4 Sagitta (1.4.0-epa1), VyOS 1.3 Equuleus (1.3.7)
dmbaturin renamed T6261: Typo in the operational mode connect and disconnect command output from Typo in op_mode connect_disconnect print statement for check_ppp_running to Typo in the operational mode connect and disconnect command output.
Fri, May 10, 7:49 PM · VyOS 1.4 Sagitta (1.4.0-epa3), VyOS 1.3 Equuleus (1.3.7)