Any good network person will tell you, turn off UPnP on your router! But in many cases it comes on by default, which means that people don’t know that it is on. But what’s worse is that, for most, UPnP is really useful because it will allow applications like Skype and the Xbox Live to open up ports on your home network’s router/firewall without having to understand ports and IP addresses.
Not sure why I’m such a gluten for punishment, but I turned on UPnP recently on my FiOS issued ActionTEC router and noticed all kinds of ports being opened. At first reaction, I disabled it and deleted all the port forwarding rules, but then I started to wonder where they were all coming from. My first thought was that I let someone use my WiFi and their machine opened ’em, but I wanted to be sure so after cleaning up all these weird rules, named things like iC5900, I used this post to figure out how setup WallWatcher on my WHS so the next time it’d happened I’d be collecting Syslog data from my ActionTEC router. My thought was I wanted to make sure I had a log since I had no idea when the ports would be opened, but to my surprise when I preceded to enable UPnP, all the ports were opened almost immediately and the destination was my MacBook Air!
At this point I figured I must have a trojan or something, but then I noticed it was port forwarding to known services I had running on my Mac like VNC, Skype, and SSH. So the next thing I tried was to set firewall on the Air to essential services only — usually only enable it when I take it off my LAN — delete the UPnP created rules, and wait. This time they didn’t come back.
Now the problem is that Bonjour requests that the WAN router open up all the ports that are open on the Mac’s local firewall, which is kinda cool, but not what I want. You see while I want to be able to connect via SSH to my Mac while on my LAN, I don’t want to over the internet — otherwise I could control this by configuring the Mac’s firewall. The easy solution is to just disable UPnP on the router, but I have to say that probably won’t work for many people because they don’t understand how to manually configure their firewall. The other option is to disable Bonjour completely, but then the LAN services won’t work either.
For now I’m just going to go back to manually configureing my router’s port forwarding and turn my Mac firewall on when I take my Mac about.
There is one cool OSX command I learned along the way, like how to tell which applications are communicating on port 22.
sudo lsof -i -P | grep 22
This lsof command is basically a more useful version of netstat on the Mac, which evidently will also tell you which files are open.