The UPnP server does not require, and should not be allowed, any access to or from any network other than the internal client network. For UPnP to operate, your firewall must allow the following:
Table 12.1. Firewall passthroughs

| Protocol/Port | Destination | Remarks |
|---|---|---|
| UDP 1900 | fw to/from local | SSDP announcements |
| TCP 49152 | fw from local | HTTP/XML mini-server |
| TCP any port | fw to local | HTTP/XML queries of other UPnP devices |
| UDP any port | fw to local | respond to remote SSDP requests |
Additionally, both UPnP on the router and on your control-point clients generate SSDP packets which are multicast to 239.255.255.250. Both also send and listen to IGMP join messages on 224.0.0.22. You must have a route covering these multicast groups pointing towards your internal network or the announcements will be sent towards your default route, which is almost always not what you want. The UPnP wrapper scripts provided in this package will set up a multicast route for you, or you can specify what you want in /etc/default/upnpd.
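The route requirement above is the easiest thing to get wrong: if no route covers 239.255.255.250 and 224.0.0.22, the kernel resolves them through the default route and the SSDP announcements and IGMP joins leave via the external interface. The following POSIX shell snippet is an added example, not a script from this package or the Shorewall documentation; it checks the output of `ip route get` against the interface you expect (the interface name and the sample route lines are constructed for illustration) and emits the `ip route add` commands the wrapper scripts would otherwise install, without executing them.

```shell
#!/bin/sh
# Added example (not part of the upnpd package or the Shorewall docs).
# Assumption: the internal client network hangs off the interface named
# in $1 (eth1 in the samples below); any interface name may be substituted.

# Return 0 if a line of `ip route get <group>` output selects the expected
# interface, 1 if the kernel would send the multicast somewhere else
# (typically the external interface behind the default route).
multicast_route_ok() {
    iface="$1"
    route_line="$2"
    case " $route_line " in
        *" dev $iface "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print (do not run) the host routes that pin both multicast groups the
# text mentions to the internal interface.
multicast_route_cmds() {
    iface="$1"
    printf 'ip route add 239.255.255.250/32 dev %s\n' "$iface"
    printf 'ip route add 224.0.0.22/32 dev %s\n' "$iface"
}

# Query the live routing table for the SSDP group and evaluate it.
# Returns 2 if `ip` is unavailable, so callers can tell "no data" from "wrong route".
check_live_ssdp_route() {
    iface="$1"
    out=$(ip route get 239.255.255.250 2>/dev/null) || return 2
    multicast_route_ok "$iface" "$out"
}

# Constructed sample outputs of `ip route get 239.255.255.250`:
# the first is what a correct setup looks like, the second is the leak
# towards the default route (203.0.113.1 is documentation address space).
GOOD_ROUTE="239.255.255.250 dev eth1 src 192.168.1.1 uid 0"
LEAKY_ROUTE="239.255.255.250 via 203.0.113.1 dev eth0 src 203.0.113.5 uid 0"

# Stand-alone run: report on the two samples, then on the live table if possible.
if [ "${1:-}" = "demo" ]; then
    for r in "$GOOD_ROUTE" "$LEAKY_ROUTE"; do
        if multicast_route_ok eth1 "$r"; then
            echo "ok:   $r"
        else
            echo "LEAK: $r"
            multicast_route_cmds eth1
        fi
    done
    check_live_ssdp_route eth1
    case $? in
        0) echo "live table: SSDP group routed via eth1" ;;
        1) echo "live table: SSDP group NOT routed via eth1" ;;
        2) echo "live table: ip(8) not available, skipped" ;;
    esac
fi
```

Run it as `sh check_mcast.sh demo` on the router; a `LEAK:` line against the live table means the wrapper scripts or /etc/default/upnpd have not installed the route yet.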
When a client requests NAT traversal, rules will be created in the UPnP and forwardUPnP tables. This is not the default behavior for UPnP -- it normally writes directly to FORWARDING and PREROUTING.
If you are not integrating with Shorewall as described in this document, you will want to change the configuration in /etc/upnpd.conf.