Linksys Router Port 80. Are you kidding me?
2 minutes ago, BinaryData said:

Strange because I've opened the ports for the XBOX Network and forwarded them to a specific IP. My brother can host games, and connect to other parties. His best friend recently came over and was hosting parties without having ports forwarded. Believe me, UPnP was NOT enabled. The XBOX network has multiple ports that can be connected to, if one is busy, another can be used. The only time I've had issues is when we have LAN Parties, at that point I have to do some wonky stuff.

 

Opening up a port to the XBOX Live Servers doesn't always increase your connectivity, or your ability to host games. NAT is the biggest issue WITH hosting games. My ISP gives me a bulk set of IP Addresses, I pay a bit extra for them but it's well worth it.

It may well have changed, as I've not done too many Xbox LANs since the Xbox 360 days, however UPnP was the only way I could get 4x consoles to have an open connection for Xbox LANs. I think the Xbox One relies less on P2P for hosting games now too, the Xbox 360 was P2P for everything, when matchmaking the player with the fastest open connection got host.

22 minutes ago, adrynalyne said:

Isn't OnHub dead?

I don't think so? I thought it only just came out a couple of months ago.


2 minutes ago, InsaneNutter said:

It may well have changed, as I've not done too many Xbox LANs since the Xbox 360 days, however UPnP was the only way I could get 4x consoles to have an open connection for Xbox LANs. I think the Xbox One relies less on P2P for hosting games now too, the Xbox 360 was P2P for everything, when matchmaking the player with the fastest open connection got host.

I don't think so? I thought it only just came out a couple of months ago.

No that is Google Wifi. OnHub came out last year. 


Just now, InsaneNutter said:

It may well have changed, as I've not done too many Xbox LANs since the Xbox 360 days, however UPnP was the only way I could get 4x consoles to have an open connection for Xbox LANs. I think the Xbox One relies less on P2P for hosting games now too, the Xbox 360 was P2P for everything, when matchmaking the player with the fastest open connection got host.

Mmm... I'll have to look into it more. I believe one person needs to have an "open" connection, and the others will just hit your gateway and get the connection to the game. My XBOX One gets an Open connection when I drop it in the DMZ, and people can connect straight to me. If I don't do DMZ, I have moderate and struggle to connect to people that aren't in the US.


5 minutes ago, adrynalyne said:

No that is Google Wifi. OnHub came out last year. 

Ah yes, you're right, I was confusing them.

 

The idea of it doing all the hard stuff and having an easy to use app for configuring everything from a phone was a great idea for your average home user.

 

Not saying it's something I'd ever buy, but that level of simplicity is really where home networking stuff needs to be. Exactly like the Chromecast, which is really easy for a non-technical person to get online just using a smart phone.


7 hours ago, BinaryData said:

You're forgetting something major here. Most "average users" don't ever need to forward ports. So your whole argument of having UPnP Enabled by default is kaput. Our Senior Network Engineer, who just left Cisco, said that UPnP should be removed permanently from SOHO gear. It's caused a lot of issues in the past. You're handing people devices with UPnP Enabled who have very little knowledge of Security, hell my neighbor never changed her router password, camera passwords, etc. I was using her printer from my house. She's one of your "Average" users. She had no idea that I was able to rotate her camera and disable it. So again, why the hell do you think this is a good idea?

 

What companies need to do is have:

 

1. Better Support.

2. Explain things in a logical and easy to understand manner, without making the customer feel stupid (I do this often, thus why I don't do CSR)

3. IDIOT proof it.

 

Shark007 Codec installation specifically asks you "Hey, do you use XBOXs to stream media from your PC? Yes/No", it'll configure your settings for you depending on what answer you give. Routers should be the same way, when you set them up, it should REQUIRE you to login before being able to enable the internet. No internet until it's configured. Believe me, this is by far better than enabling UPnP. I see how "special" my brothers generation is, and my god it freaking scares me.

 

The other practice that needs to be stopped is using a customer's name and ph # as their WiFi Password. For one, that's easily forced with a bruteforce attack, and there aren't any time outs or enter chances. I'm not trying to fight, but I disagree with your "reasons" and "logic" simply because I deal a lot with those "average" users. My mom pimps my skills and cell phone # out like it's going out of style. I have about 40 different login credentials for different networks, one I've been managing for 5+ years now. With LOTS of trial and error, I've upgraded them from daisy chained AC Routers to Ubiquiti APs, and a proper router/switch. Though, I still suck with FW Rules.

 

@BudMan With pfSense can I enable UPnP for a specific VLAN only, or will it open it for everything? (I'm curious, don't think I'm going to do it!)

We still doing this? I thought you were too busy hating me for over arguing my point. Glad to see you agree with me though.

 


Every company has a different interface and language.  While similar to each other, they are different enough to screw with people who don't really know what they are looking at. 

 

Similar to how it is with mobile phones, computers, and tablets. 

Different lines and devices have a different way to get to the same information and/or configuration. How depends on your knowledge and ability to adapt.


5 hours ago, BinaryData said:

Mmm... I'll have to look into it more. I believe one person needs to have an "open" connection, and the others will just hit your gateway and get the connection to the game. My XBOX One gets an Open connection when I drop it in the DMZ, and people can connect straight to me. If I don't do DMZ, I have moderate and struggle to connect to people that aren't in the US.

So, you turn the firewall off for the XBox because it's too complicated to configure it properly.

 

If only there was some kind of protocol to do this...something plug and play that worked universally.

 

Just to mention, the XBox one is a Windows 10 device that you connected directly to the Internet without a hardware firewall.


Port 80 is for running a web server.

At least it was years ago when I used to run my own servers.

I always had to set port 80 to open and other ports for the different types of servers I ran on my router.

Port 80 was always the default for server programs.


16 hours ago, BinaryData said:

@BudMan With pfSense can I enable UPnP for a specific VLAN only, or will it open it for everything? (I'm curious, don't think I'm going to do it!)

As I stated earlier, yes you can setup rules and only listen on specific interfaces..

[screenshot: pfupnp.png]

 

I currently have it just off, because my son moved out on his own a year ago or so - and I have zero use for UPnP.  Most people would have ZERO use for it.. Most people do not need to allow inbound unsolicited traffic..  Your typical user does not need to port forward.  Hosting some game on xbox, playstation sure.  Running a http server, opening up ###### they shouldn't like rdp to their box, their cameras, etc..


3 hours ago, BudMan said:

 Your typical user does not need to port forward.  Hosting some game on xbox, playstation sure.  Running a http server, opening up ###### they shouldn't like rdp to their box, their cameras, etc..

There are over 30 million Xbox 360s out there.  I'm going to say there are at least several million users that need incoming connections.


18 minutes ago, Joe User said:

There are over 30 million Xbox 360s out there.  I'm going to say there are at least several million users that need incoming connections.

I doubt there are several million hosting their own game server and I bet those who do know how to setup their routers. 

I've yet to need to open ports for any game I've played online.

 


And there are HOW many internet users in the US, on the planet?  Several million is a drop in the bucket..  And of those million, how many % wise of them actually play games online where they HOST the game?

 

Here is one thing that is very annoying about the whole console game industry and hosting games or anything on them to be honest..   Why don't they just clearly and correctly list the ports that are needed INBOUND, in an unsolicited manner vs just listing ports that need to be open..

 

For example..

http://support.xbox.com/en-US/xbox-one/networking/network-ports-used-xbox-live

 

These ports must be open for Xbox Live to work:

Port 88 (UDP)

Port 3074 (UDP and TCP)

Port 53 (UDP and TCP)

Port 80 (TCP)

Port 500 (UDP)

Port 3544 (UDP)

Port 4500 (UDP)

 

Can tell you for FACT that it sure as hell does not need 53 inbound.. Its not running dns.. As to 80 - inbound?  I find that really hard to believe.. A vast majority of ISPs block inbound 80.. I don't think 88 (kerberos) is needed inbound either..   Do any of these actually need unsolicited inbound (ie port forward)??  Or are they just needed outbound?  Which pretty much every single default router out there is default any any for outbound traffic.

 

You have plenty of BS guides out there telling users to forward port 53 for example..  Come on - it doesn't need that!!

 

So maybe if they provided clear instructions, you wouldn't have to rely on insecure protocols like UPnP for their games to work..


5 minutes ago, BudMan said:

And there are HOW many internet users in the US, on the planet?  Several million is a drop in the bucket..  And of those million, how many % wise of them actually play games online where they HOST the game?

 

Here is one thing that is very annoying about the whole console game industry and hosting games or anything on them to be honest..   Why don't they just clearly and correctly list the ports that are needed INBOUND, in an unsolicited manner vs just listing ports that need to be open..

 

For example..

http://support.xbox.com/en-US/xbox-one/networking/network-ports-used-xbox-live

 

These ports must be open for Xbox Live to work:

Port 88 (UDP)

Port 3074 (UDP and TCP)

Port 53 (UDP and TCP)

Port 80 (TCP)

Port 500 (UDP)

Port 3544 (UDP)

Port 4500 (UDP)

 

Can tell you for FACT that it sure as hell does not need 53 inbound.. Its not running dns.. As to 80 - inbound?  I find that really hard to believe.. A vast majority of ISPs block inbound 80.. I don't think 88 (kerberos) is needed inbound either..   Do any of these actually need unsolicited inbound (ie port forward)??  Or are they just needed outbound?  Which pretty much every single default router out there is default any any for outbound traffic.

 

You have plenty of BS guides out there telling users to forward port 53 for example..  Come on - it doesn't need that!!

 

So maybe if they provided clear instructions, you wouldn't have to rely on insecure protocols like UPnP for their games to work..

I've seen my cousin play Destiny, Call of Duty, and The Division online and I not only did not enable UPnP for him, I didn't open ports for him either. So I question whether these ports need to be open at all inbound. The only time I've needed to open ports is for my daughter and her minecraft server and that's only to her IP.

  • Like 2

^ exactly!!  So what specific xbox or ps game actually needs ports inbound??  Its sure not all of them..

 

I had enabled UPnP for my son's PS more of an exercise on how I could enable it and be secure as possible, and more just curiosity on their stupid listing of your "nat" type and how to get it to show open - you would think they would come up with better terms.. When they clearly know the user base they are dealing with ;) 

 

I know for sure it was not enabled for long time and he never complained.. And he did play online games - just don't think "hosted" ??

 

All of the nat issues go away if they just use ipv6.. Which it seems doesn't work as seamless as MS says - there was a thread somewhere else, games don't work with just IPv6 and no ipv4; running multiple consoles on the same network still ran into the ipv4 issues when clearly all the devices were fully accessible on their global IPv6 address for all traffic both inbound and outbound and the devices could talk to each other, etc etc..


On 28/12/2016 at 8:49 PM, BinaryData said:

Nope. Never. Notta. UPNP shouldn't EVER be enabled by Default. I believe I have it setup for a single VLAN, and that's for my XBOX360/One. That was the FIRST thing BudMan told me when I got my RV320, "DO NOT ENABLE UPNP AT ALL". 

 

Also, you bought a Linksys, which isn't owned by Cisco anymore. So enjoy the craptastic support, and just an fyi, their WebUI BLOWS. It's owned by Belkin, which ripped out all of the Cisco Firmware and put theirs on it. After going through several routers, I simply upgraded to a Business Class router. If I suggest ANY SOHO router, it'll be TP-Link.

I did have a massive moan on their forum for the LRT224 where a port forward will open up that port to the whole internet despite the firewall settings. Not sure if they fixed it in a beta firmware or not in the end as I'd moved back to the edgerouter before they'd come out with the next beta.


I think @Joe User really doesn't understand that you don't need a firewall rule to allow solicited traffic. Remote support programs like LogMeIn and TeamViewer do not need firewall rules because the request originates from the program on the computer - hence solicited traffic and the appropriate ports are opened. It keeps being said, you don't need to bother with any ports unless you're actually hosting something.


4 hours ago, Bryan R. said:

I think @Joe User really doesn't understand that you don't need a firewall rule to allow solicited traffic. Remote support programs like LogMeIn and TeamViewer do not need firewall rules because the request originates from the program on the computer - hence solicited traffic and the appropriate ports are opened. It keeps being said, you don't need to bother with any ports unless you're actually hosting something.

*sigh* Okay, let me explain this one last time. UPnP is not the problem, the problem is poorly designed software or hardware devices. The average user doesn't need to be fiddling with firewalls, it leads to them doing stupid things like turning off their firewall. Prime example, putting a console or PC into the DMZ.

 

LogMeIn and Teamviewer are the proof of my argument. A hacked Teamviewer account can destroy your local PC and network.

 

Most people have a paper tiger NAT firewall and that's good enough for most people, as long as they don't start changing the local software firewall settings. When they decide to start changing settings is when the problem starts. 


 

4 hours ago, Joe User said:

LogMeIn and Teamviewer are the proof of my argument. A hacked Teamviewer account can destroy your local PC and network.

How? This "vulnerability" has nothing to do with ports and firewalls.

 

You said:

On 12/31/2016 at 11:04 AM, Joe User said:

There are over 30 million Xbox 360s out there.  I'm going to say there are at least several million users that need incoming connections.

What you don't understand is that incoming connections are not going to be blocked because the console is going to be initiating (soliciting) those connections.


29 minutes ago, Bryan R. said:

 

How? This "vulnerability" has nothing to do with ports and firewalls.

 

You said:

What you don't understand is that incoming connections are not going to be blocked because the console is going to be initiating (soliciting) those connections.

Explain how you establish a p2p connection when both users are behind NAT and no inbound ports are open because of the advice to turn off UPnP.


1 hour ago, Joe User said:

Explain how you establish a p2p connection when both users are behind NAT and no inbound ports are open because of the advice to turn off UPnP.

Through the wonders of the cloud. All these users are communicating through Microsoft.


6 hours ago, Joe User said:

Explain how you establish a p2p connection when both users are behind NAT

Because you have a broker - ie the teamviewer service.. Both P's make a connection to the TV server.. They initiated the connection, so now the "broker" TV can allow you to connect to each other in a couple of different ways.. They can create a udp hole punch; if that doesn't work then they tunnel the connection through their servers.  The point of TV, quite often to the dismay of enterprise security, is to get that connection to work.. Kind of hard to block http/https out - which it can use to tunnel back in.

 

TV uses multiple ways to establish the connection. Sure if UPnP is there it could use that, but it doesn't need to.  Most soho firewalls will allow for a UDP hole punch.. Which the console games could do as well most of the time..

 

12 hours ago, Joe User said:

UPnP is not the problem, the problem is poorly designed software or hardware devices.

In one sense I agree, a simple solution to allow for non tech users to allow for unsolicited inbound traffic can be quite handy.. The problem is the complete and utter lack of any sort of controls that UPnP quite often is deployed with, so the problem is a poorly designed UPnP..  If it's going to use zero control and ANY device/software behind the router can say hey open up and send traffic to port Y to this IP...  Then it is a PROBLEM!!!

 

If the user just had to set a password.. And then give this password to the device/application - hey great!!  Now the user had to do something to acknowledge and allow device/software X to open up ports inbound.  The problem with UPnP is not that it can open up inbound traffic - the problem is there is no control of it.  Having it on by default in the router just means that like the OP they plug in a device, and next thing it's open to the public net on port 80..  That is what the PROBLEM is!!!  Now if said user had to configure the device with a "password" to use his UPnP that would be a completely different story..  And sorry if you're too stupid to be able to put in that password, then no it shouldn't be open to the internet.. So guess grandma won't be able to access her cameras from the public internet until she can get her grandson to come over and put in the password..

 

What I would suggest to anyone.. Is disable UPnP on your router if it is on by default - you should know if it's on or off that is for sure!!!  Then before you turn it on.. Actually validate that you "NEED" it.. More times than not the typical user has no need for it.. Unless you're having a specific issue that it can solve for you because you're not technical enough to reserve an IP for your device or forward a port then it should be OFF!!!  But you need to be aware that it's on.  And you should be concerned when you start buying and connecting all the fancy new iot devices.. If you're not savvy enough to understand how it works - then reach out to your friends and family, you more than likely have an 8 year old niece or nephew that gets it ;) hehehe

  • Like 2
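The two mechanisms argued over above, Bryan R.'s point that solicited (inside-initiated) traffic never needs a firewall rule, and BudMan's description of a broker-assisted UDP hole punch versus a UPnP/port-forward opening, can be shown with a small model of a stateful SOHO NAT. This is an added example and not code from the thread or from any router or TeamViewer product; the addresses are constructed from documentation ranges, and the NAT behaviour modelled is the address-restricted cone type that most home routers exhibit.

```python
"""Toy stateful NAT model: solicited vs unsolicited traffic, explicit port
openings (port forward / UPnP), and a broker-assisted UDP hole punch.
Constructed example; all addresses are documentation ranges."""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src: tuple   # (ip, port)
    dst: tuple   # (ip, port)
    payload: str = ""


class Nat:
    """Address-restricted cone NAT: an inside host may talk to anyone, but a
    return packet is only passed back if that remote endpoint was already
    contacted from the inside (or the port was explicitly opened)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.mapping = {}     # private (ip, port) -> public port
        self.reverse = {}     # public port -> private (ip, port)
        self.permitted = {}   # public port -> set of remote endpoints contacted
        self.static = set()   # public ports opened by port forward or UPnP
        self.dropped = []     # unsolicited packets that were refused

    def open_port(self, public_port, private):
        """A manual port forward, or what a UPnP AddPortMapping request does:
        the port becomes reachable from ANY source on the Internet."""
        self.reverse[public_port] = private
        self.static.add(public_port)

    def egress(self, pkt):
        """LAN -> WAN: allocate a public port on first use and remember the
        remote endpoint so its replies count as solicited."""
        if pkt.src not in self.mapping:
            port = next(self._next_port)
            self.mapping[pkt.src] = port
            self.reverse[port] = pkt.src
            self.permitted[port] = set()
        port = self.mapping[pkt.src]
        self.permitted[port].add(pkt.dst)
        return Packet((self.public_ip, port), pkt.dst, pkt.payload)

    def ingress(self, pkt):
        """WAN -> LAN: deliver only to an opened port or to a flow the inside
        host started; everything else is dropped without any rule."""
        port = pkt.dst[1]
        private = self.reverse.get(port)
        solicited = pkt.src in self.permitted.get(port, ())
        if pkt.dst[0] != self.public_ip or private is None or not (solicited or port in self.static):
            self.dropped.append(pkt)
            return None
        return Packet(pkt.src, private, pkt.payload)


def solicited_flow():
    """Console talks out to a game service: no forward needed, reply returns."""
    nat = Nat("203.0.113.10")
    console, service = ("192.168.1.20", 50000), ("198.51.100.5", 3074)
    out = nat.egress(Packet(console, service, "hello"))
    reply = nat.ingress(Packet(service, out.src, "welcome"))
    return reply is not None and reply.dst == console


def unsolicited_blocked():
    """Random Internet host probing port 80: nothing is listening, dropped."""
    nat = Nat("203.0.113.10")
    return nat.ingress(Packet(("198.51.100.99", 4444), (nat.public_ip, 80))) is None


def upnp_exposes_service():
    """What the OP saw: a LAN device gets port 80 opened, and any stranger reaches it."""
    nat = Nat("203.0.113.10")
    nat.open_port(80, ("192.168.1.30", 80))
    got = nat.ingress(Packet(("198.51.100.99", 4444), (nat.public_ip, 80)))
    return got is not None and got.dst == ("192.168.1.30", 80)


def hole_punch():
    """Two NATed peers, no forwards, no UPnP: a broker tells each the other's
    public endpoint; the first punch is dropped, then both directions open."""
    nat_a, nat_b = Nat("203.0.113.10"), Nat("203.0.113.20")
    a, b, broker = ("192.168.1.20", 5000), ("10.0.0.20", 5000), ("198.51.100.5", 5349)
    pub_a = nat_a.egress(Packet(a, broker, "register")).src   # broker learns A
    pub_b = nat_b.egress(Packet(b, broker, "register")).src   # broker learns B
    first = nat_b.ingress(nat_a.egress(Packet(a, pub_b, "punch")))    # NAT_B: unknown src
    second = nat_a.ingress(nat_b.egress(Packet(b, pub_a, "punch")))   # NAT_A already permits B
    third = nat_b.ingress(nat_a.egress(Packet(a, pub_b, "punch")))    # NAT_B now permits A
    return first is None and second is not None and third is not None
```

The point the model makes visible is the difference in scope: the hole punch only admits the one remote endpoint each peer chose to contact, whereas `open_port` (a port forward, or UPnP with no authorisation) admits every source on the Internet, which is exactly the "no control" objection above. The model is an address-restricted cone; a symmetric NAT allocates a fresh public port per destination, so the punch fails and the broker has to fall back to relaying through its own servers, as the TeamViewer description says.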

 

16 hours ago, Joe User said:

*sigh* Okay, let me explain this one last time. UPnP is not the problem, the problem is poorly designed software or hardware devices. The average user doesn't need to be fiddling with firewalls, it leads to them doing stupid things like turning off their firewall. Prime example, putting a console or PC into the DMZ.

 

LogMe In and Teamviewer are the proof of my argument. A hacked Teamviewer account can destroy your local PC and network.

 

Most people have a paper tiger NAT firewall and that's good enough for most people, as long as they don't start changing the local software firewall settings. When they decide to start changing settings is when the problem starts. 

I think the problem is UPNP and your lack of understanding security.  Anything that automatically opens ports and allows software to function without user acknowledgement is a security hole.  Security is about control and knowing what things are doing, when you have no control of what is happening on your network, you do not have a secure network.  A hacked logmein account does not automatically give them access to your computers....you still have to auth to the computer and hopefully your logmein account and your computer password/id is not the same....you can say that this is 2fa in a way.  Using services like TV or logmein gives users the ability to agree to disagree to use the service, it gives them a chance to opt out vs simply putting a piece of equipment or unknowingly loading software on your computer (bho's anyone?).  To make things easy for users, software firewalls automatically create rules and allow things through....software firewalls aren't really a good thing (if anything, another layer of complexity), it is just another thing that you don't have 100% control over.  Can you say your network is secure when you don't know what is going on with it?  Perhaps for the average home user it isn't a big deal, but for the rest of us it is a big deal.

 

 

disclaimer: I deal with network (edge firewalls, vlan security rules, content monitoring/filtering) + computer security daily, constantly screwing with the software firewalls (either microsoft firewalls or endpoint security software firewalls) to allow things through when they don't automagically allow things through and figuring out what ports to open or executables to allow (or both) when something fails to automatically work.   Some vendors go as far as saying to disable the software firewalls on the servers that they want their software installed on, how would you deal with that?


I'm no longer arguing this point.

 

UPnP is not a top security risk for the average home user. They're FAR more likely to get malware from their browser.

 

Is it a risk, yes. It's a minor risk.

 

 


Not that I want to encourage tin foil hat wearers, but I think some further education is needed. Google

 

upnp exploit 

 

that search phrase will bring up enough for someone to determine how much of a security risk it is or isn't. Happy bathroom reading.


This topic is now closed to further replies.