1.4.0 Early Production Access 1
Nov 21 2024
This is mentioned in https://github.com/vyos/vyos-documentation/blob/current/docs/changelog/1.3.rst as a fix in upcoming 1.3.9 - but the backport https://github.com/vyos/vyos-1x/pull/3015 had conflicts and was closed.
So, just a question - what is really the status of this in equuleus?
Nov 8 2024
Sep 6 2024
@yzguy I'm not sure about this.
But as far as I know, Linux Desktop will use NetworkManager with ModemManager to bring up a wwan interface.
And network-manager will check the bearer to set up the IP address.
Jul 2 2024
Jun 20 2024
May 14 2024
If someone wants, I can probably unearth my patches to 1.4 and miniupnpd to make it all work. It was technically functional and worked as expected. I just don't have the time or patience to deal with getting it merged/integrated back into the project.
Out of curiosity, will the details of the poll be public or the results be shared transparently?
A bunch to unpack here.
or how malware exfiltrates data via port 443 because enterprises can't reliably block outbound traffic on that port.
Created a poll for maintainers on this topic, and we will go with the decision made.
Not if it's not configured to do so.
I'm not sure if that summary from you @Viacheslav is fully reflecting the current state.
I'm also not sure if the original implementation never worked, might very well have been broken while refactoring some vyos internals how the firewall is structured, but I guess you should have a better understanding of (the history of) your product. Otherwise I would be very surprised if a broken feature got into your product without ever working / being tested.
I fail to comprehend how a firewall that autonomously opens ports via calls from internal networks is appropriate for an enterprise.
Indeed there are some use cases, but this functionality can be used by malicious code and allow bypassing security configuration that is enforced otherwise.
In summary, it works with custom scripts and patches, but it still does not work from CLI (not fully integrated)
The scripts that should be involved are in the repo https://github.com/miniupnp/miniupnp/tree/miniupnpd_2_3_3/miniupnpd/netfilter_nft/scripts
As long as we do not have them and they do not communicate with the firewall, the feature does not work.
A patch is attached in several posts above https://vyos.dev/T5835#174066
Does it work now?
One reason it is rarely seen is that most are not aware of it being used undercover, and when it is not present, nothing necessarily breaks (due to fallback to other mechanisms). For some home routers we saw this was an undocumented "feature" that you did not have any control over; more recent & reasonable implementations we have seen allow you to enable or disable it (but nothing much more, like fine-grained permissions).
I have rarely seen UPnP in enterprise environments and rarely at home even if the main purpose is to use it at home and let applications backdoor your firewall (which often is a bad thing in enterprise environments).
No doubt that there are other use cases.
since 1.2 LTS, we received zero requests from customers about adding UPnP, hence, don't see any value in it
@aidan-gibson It's never worked, and demand is slim to none
main use case is games typically, which is not in priority for us
bruh
May 13 2024
@dmbaturin, I propose removal of upnp stuff from 1.5 and 1.4