Bitcoin Forum
March 24, 2017, 06:20:02 PM *
News: Latest stable version of Bitcoin Core: 0.14.0  [Torrent]. (New!)
 
   Home   Help Search Donate Login Register  
Poll
Question: UPnP on or off by default?
On by default - 14 (24.1%)
Off by default - 28 (48.3%)
On by default in the GUI, off by default in bitcoind - 16 (27.6%)
Total Voters: 58

Pages: « 1 [2]  All
  Print  
Author Topic: [PULL] UPnP  (Read 4693 times)
sebastian
Member
**
Offline Offline

Activity: 119


View Profile
March 24, 2011, 02:20:43 AM
 #21

Luke-Jr: So you are saying that computers "are supposed" to be exposed to the internet with all these worms and such auto-infecting any computer it stumbles upon by attacking random IP adresses?

In the past, the security of NAT was really not necessary, but in the today era, NAT is a essential security that provides inbound protection. Without a NAT or some sort of firewall before a computer, the computer would pretty much get totally owned in about 15 minuters of connection of to the internet, even if you are not touching the computer.

Even router packaging advertises the natural NAT firewall function by a picture of a large padlock with the word "firewall" under it.

I think a UPnP function could be there, but make sure its OFF by default. Or even better, dont have any UPnP function at all, and the end user has simply to do port forwarding manually, its not rocket science to go to http://192.168.0.1 (or whats applicable for their router) and do port forwarding of 8333 to their computer's IP adress. Then we keep code amount and possible exploit vectors at a minimum.

I wish that the stupid idea "UPnP" never got invented at all.


Yes! I know that NAT was not intended* to be a firewall from the beginning, its just a positive "bi effect" from NAT:ing multiple computers together since the NAT does not know where to send unsolicited traffic. Its not a "bug" that you call it in other threads. Call it a positive effect.

If you dont want that effect, you can always put a PC in the DMZ zone of the router. But then, if you do that, prepare for that PC to be owned by every active worm out there on the internet circulating. And then that worm will spread to all other PCs in your network since its only a switch on the LAN side of the NAT.


* At the time where NATs where invented, firewalls wasn't really necessary, the virus/worm population on the internet was relatively low. So thats why the NATs where not intended to act as firewalls. It just come as a useful feature later when virus/worm population on internet got a little too high.
1490379602
Hero Member
*
Offline Offline

Posts: 1490379602

View Profile Personal Message (Offline)

Ignore
1490379602
Reply with quote  #2

1490379602
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1490379602
Hero Member
*
Offline Offline

Posts: 1490379602

View Profile Personal Message (Offline)

Ignore
1490379602
Reply with quote  #2

1490379602
Report to moderator
1490379602
Hero Member
*
Offline Offline

Posts: 1490379602

View Profile Personal Message (Offline)

Ignore
1490379602
Reply with quote  #2

1490379602
Report to moderator
1490379602
Hero Member
*
Offline Offline

Posts: 1490379602

View Profile Personal Message (Offline)

Ignore
1490379602
Reply with quote  #2

1490379602
Report to moderator
Luke-Jr
Legendary
*
expert
Offline Offline

Activity: 2128



View Profile
March 24, 2011, 10:01:44 PM
 #22

Luke-Jr: So you are saying that computers "are supposed" to be exposed to the internet with all these worms and such auto-infecting any computer it stumbles upon by attacking random IP adresses?
Yes, computers are supposed to be connected to the internet. And people are supposed to keep their systems secure. Possibly run a firewall, if they're a target or for extra piece of mind.
In the past, the security of NAT was really not necessary, but in the today era, NAT is a essential security that provides inbound protection. Without a NAT or some sort of firewall before a computer, the computer would pretty much get totally owned in about 15 minuters of connection of to the internet, even if you are not touching the computer.
NAT is not security at all. In theory, NATs *should* pass all inbound connections-- most just don't know how. A firewall is something completely different.

If the user has a firewall, UPnP should not override it. UPnP is to fix the flaw that NATs don't know where to forward connections, nothing else.

sebastian
Member
**
Offline Offline

Activity: 119


View Profile
March 24, 2011, 11:36:52 PM
 #23

Im not saying NATs are supposed to be firewalls/security devices.
I say that the "firewall feature" in a NAT is just a bonus, that have come extremely useful.

How many dedicated hardware firewalls are sold at today's consumer hardware stores? Its zero, sometimes a store *might* sell one brand of hardware firewall. Thats because NATs provide enough protection, so hardware firewalls sells extremely bad at a consumer store.

And firewalls are really necessary. Try connecting a PC to the internet, without NAT, without firewall, without any protection ever. You will see that the PC gets "owned" in the matter of minutes if not under just one hour, even if you dont touch the PC. All those worms out of the internet are scanning and attacking random IPs without any specific "targeting".

A NAT just drops these attacks so they will never reach the PC. You have to deliberately surf into a infected site or download/accept a infected file to get infected.


I just dont understand, why use UPnP at all? Whats the problem of the end user surfing to their router administration page and opening up 8333 for their bitcoin client? Its a simple and straightforward process of opening a incoming port in a router.
Luke-Jr
Legendary
*
expert
Offline Offline

Activity: 2128



View Profile
March 25, 2011, 05:49:37 AM
 #24

I just dont understand, why use UPnP at all? Whats the problem of the end user surfing to their router administration page and opening up 8333 for their bitcoin client? Its a simple and straightforward process of opening a incoming port in a router.
Because they shouldn't have to, and for most people it isn't simple.

If Windows is vulnerable without a firewall, then it should simply be banned from the internet. Or ISPs can charge Windows users an extra fee for firewalling service.

jgarzik
Legendary
*
qt
Offline Offline

Activity: 1470


View Profile
March 25, 2011, 06:22:57 AM
 #25


As long as UPnP is off by default, it's just an easy way for the user to proactively drill a hole.  The bitcoin network will benefit from UPnP users, and other P2P technologies such as bittorrent clients already use UPnP.


Jeff Garzik, bitcoin core dev team and BitPay engineer; opinions are my own, not my employer.
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
Matt Corallo
Hero Member
*****
expert
Offline Offline

Activity: 754


View Profile
March 30, 2011, 06:52:38 PM
 #26

Although I disagree, the latest version now has UPnP off by default.  Any other comments/concerns people have?

Bitcoin Ubuntu PPA maintainer - donate to me personally: 1JBMattRztKDF2KRS3vhjJXA7h47NEsn2c
http://bitcoinrelaynetwork.org maintainer
PGP ID: 07DF 3E57 A548 CCFB 7530  7091 89BB B866 3E2E65CE
Mike Hearn
Legendary
*
expert
Offline Offline

Activity: 1526


View Profile
March 30, 2011, 09:07:49 PM
 #27

I still think it should be on by default for Windows/Mac. UNIX can keep it off as it's not likely to make sense there. But otherwise this is great stuff ... hope it gets in soon.
Steve
Hero Member
*****
Offline Offline

Activity: 868



View Profile WWW
April 15, 2011, 02:23:41 AM
 #28

I'm not in favor of the makefile switches, #ifdefs and such...I'd much prefer to build a single flavor of the executable that has support for UPNP...whether it's on or not by default is a separate question.  Keep it simple for end users by having a single executable that can support UPNP if desired rather than having different executables (one which has support compiled in and one which doesn't).  If this was done for even a few features, it would quickly get out of hand.

(gasteve on IRC) Does your website accept cash? https://bitpay.com
Luke-Jr
Legendary
*
expert
Offline Offline

Activity: 2128



View Profile
April 15, 2011, 05:20:22 AM
 #29

Official binaries can easily be a single feature-set without breaking the ability to compile without it.

Pages: « 1 [2]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!