QtNat – Open you port with Qt UPnP(renaudguezennec.eu)
42 points by jandeboevrie 14 hours ago | 35 comments
PaulKeeble 12 hours ago | parent | next [-]

What I wish routers did was make UPnP a pending request, something I could go and approve. Limit it to the device making it, let it switch it on and off, but fundamentally I want to control whether that hole gets made or not. OpenWRT comes without UPnP in its base images for a reason: it's a major security hole. But I think there is a middle ground here where UPnP isn't just no or yes but rather authorised, which would reduce the problem and provide autoconfiguration but without automated firewall holes.

manwe150 5 hours ago | parent [-]

It isn't a security hole (the info page on why it is turned off literally says it is because people mistakenly believe it is a security hole)

But if you don’t have it on, software just falls back to STUN, which achieves the same exact result as upnp, just an order of magnitude slower and less reliably (though doesn’t require any router configuration or cooperation)
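
The STUN fallback mentioned above works differently from a UPnP port mapping: the client sends a Binding Request out through the NAT and the server replies with the public address and port the NAT chose for that flow (the XOR-MAPPED-ADDRESS attribute of RFC 5389). Nothing is opened on the router; the client only learns the mapping its own outbound packet created, which is what hole-punching then tries to reuse. Added example, not QtNat's code and not from anyone in this thread: a plain C++ Binding Request builder and response parser. The server reply is a constructed byte string using the RFC 5737 documentation address 203.0.113.7, so nothing touches the network.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <random>
#include <string>
#include <vector>

// Added example for this thread, not QtNat code: a minimal STUN (RFC 5389)
// Binding exchange. The "server response" is a constructed byte string, so no
// packet is sent; on the wire the request goes to UDP 3478 of a STUN server.
namespace stun {

constexpr uint16_t kBindingRequest = 0x0001;
constexpr uint16_t kBindingSuccess = 0x0101;
constexpr uint32_t kMagicCookie    = 0x2112A442;
constexpr uint16_t kXorMappedAddr  = 0x0020;
constexpr size_t   kHeaderLen      = 20;

using Bytes = std::vector<uint8_t>;
using TxId  = std::array<uint8_t, 12>;

static void put16(Bytes& b, uint16_t v) { b.push_back(uint8_t(v >> 8)); b.push_back(uint8_t(v & 0xff)); }
static void put32(Bytes& b, uint32_t v) { put16(b, uint16_t(v >> 16)); put16(b, uint16_t(v & 0xffff)); }
static uint16_t get16(const Bytes& b, size_t i) { return uint16_t((b[i] << 8) | b[i + 1]); }
static uint32_t get32(const Bytes& b, size_t i) { return (uint32_t(get16(b, i)) << 16) | get16(b, i + 2); }

// Binding Request with no attributes: the 20-byte header is the whole message.
Bytes buildBindingRequest(const TxId& tx) {
    Bytes b;
    put16(b, kBindingRequest);
    put16(b, 0);                        // length of the attributes that follow
    put32(b, kMagicCookie);
    b.insert(b.end(), tx.begin(), tx.end());
    return b;
}

struct Mapped { std::string ip; uint16_t port; };

// Parse a Binding Success Response. Returns the reflexive IPv4 address only if
// the header is sane and the transaction ID matches the request we sent, so a
// stray or spoofed datagram is not mistaken for our answer.
std::optional<Mapped> parseBindingResponse(const Bytes& b, const TxId& expectedTx) {
    if (b.size() < kHeaderLen || get16(b, 0) != kBindingSuccess || get32(b, 4) != kMagicCookie)
        return std::nullopt;
    for (size_t i = 0; i < expectedTx.size(); ++i)
        if (b[8 + i] != expectedTx[i]) return std::nullopt;
    size_t len = get16(b, 2);
    if (kHeaderLen + len > b.size()) return std::nullopt;        // truncated message

    size_t pos = kHeaderLen;
    while (pos + 4 <= kHeaderLen + len) {
        uint16_t type = get16(b, pos), alen = get16(b, pos + 2);
        size_t vstart = pos + 4;
        if (vstart + alen > b.size()) return std::nullopt;
        if (type == kXorMappedAddr && alen >= 8 && b[vstart + 1] == 0x01) {   // family 1 = IPv4
            // Port and address are XORed with the magic cookie so NATs that
            // rewrite literal addresses inside payloads do not corrupt them.
            uint16_t port = get16(b, vstart + 2) ^ uint16_t(kMagicCookie >> 16);
            uint32_t addr = get32(b, vstart + 4) ^ kMagicCookie;
            char ip[16];
            std::snprintf(ip, sizeof ip, "%u.%u.%u.%u", unsigned(addr >> 24), unsigned((addr >> 16) & 0xff),
                          unsigned((addr >> 8) & 0xff), unsigned(addr & 0xff));
            return Mapped{ip, port};
        }
        pos = vstart + ((alen + 3) & ~size_t(3));               // attributes are padded to 4 bytes
    }
    return std::nullopt;                                        // no IPv4 XOR-MAPPED-ADDRESS
}

// Constructed response a server would send back for the given transaction ID,
// claiming it saw the client from 203.0.113.7:54321 (RFC 5737 documentation address).
Bytes constructedResponse(const TxId& tx) {
    Bytes b;
    put16(b, kBindingSuccess);
    put16(b, 12);                       // one attribute: 4-byte header + 8-byte value
    put32(b, kMagicCookie);
    b.insert(b.end(), tx.begin(), tx.end());
    put16(b, kXorMappedAddr);
    put16(b, 8);
    b.push_back(0x00); b.push_back(0x01);                       // reserved, family IPv4
    put16(b, uint16_t(54321 ^ (kMagicCookie >> 16)));
    put32(b, 0xCB007107u ^ kMagicCookie);                       // 203.0.113.7
    return b;
}

} // namespace stun

int main() {
    stun::TxId tx{};
    std::random_device rd;                                      // RFC 5389: 96-bit random transaction ID
    for (auto& byte : tx) byte = uint8_t(rd());
    stun::Bytes request  = stun::buildBindingRequest(tx);
    stun::Bytes response = stun::constructedResponse(tx);       // stand-in for the UDP reply
    if (auto m = stun::parseBindingResponse(response, tx))
        std::printf("request %zu bytes, reflexive address %s:%u\n", request.size(), m->ip.c_str(), unsigned(m->port));
    return 0;
}
```

The transaction ID check and the length checks are the part worth copying: a client that accepts any datagram arriving on its socket as "the" answer can be fed a bogus reflexive address by anyone who can reach that port.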

petiepooo 14 hours ago | parent | prev | next [-]

People still use UPnP? That's the first thing I disable on a new router.

jeroenhd 13 hours ago | parent | next [-]

I use UPnP. My Fritz!Box router disables it by default, controls UPnP access with per-device controls, and permits using it to open IPv6 ports on the WAN side as well.

None of the IoT crap can open ports but I don't need to use a web UI to temporarily open a port on my computer.

I know plenty of shitty routers have terrible security on it and should have it disabled by default, but the protocol itself is pretty useful.

drnick1 13 hours ago | parent | next [-]

Aren't those Fritz!Box routers (common in Europe) precisely examples of "shitty routers with terrible security?"

The first thing I would do with a typical residential Internet connection is to ask the ISP to give me an ONT so that I can use my own router, a commodity x86 PC running Linux. Their underpowered plastic boxes simply won't cut it when it comes to complex firewall rules and high VPN throughput. I also don't want to deal with their shitty web UIs and would rather script the setup I want.

jeroenhd 11 hours ago | parent | next [-]

I have yet to find a security issue with it. I know German ISPs misconfigured their management network at some point, letting the Fritz!Boxes access each other, but that would've happened with any managed modem that was misconfigured like that.

I bought my Fritz!Box. My ISP has no control over it. TR-069 and other upstream management protocols have been disabled completely.

So far, I'm easily getting gigabit+ speeds across both IPv4 and IPv6. VPN is too much to ask (beyond emergency LAN access, I suppose) but that's what the home server is for.

The web UI is kind of nice, actually. Maybe not to everyone's taste, but the firewall management is a lot less of a clusterfuck than trying to properly configure simple port redirects over the command line. Heaps better than OpenWRT in my opinion. I've run my own Debian router box for a few years and I can say I'm doing just fine without.

BadBadJellyBean 13 hours ago | parent | prev | next [-]

I'd say a Fritz!Box is a good router for normal users. Easy interface. Good enough hardware. Stable modems. Some nice software features. Absolutely not a device for prosumers.

izacus 13 hours ago | parent | prev | next [-]

No, Fritzboxes have distinguished themselves by being about the best device you can hope to get from an ISP.

drnick1 12 hours ago | parent [-]

If this is the best you can get, you are better off not renting their stuff and buying an OpenWrt One for a one-time $100 investment, give or take.

ahartmetz 9 hours ago | parent [-]

No really, they are pretty decent. I stopped running an old PC for router and firewall after I got a Fritzbox. It can traffic-shape, forward ports, configure fixed IP addresses and DNS names, provide limited guest access to the WiFi, analyze the WiFi spectrum (and show a graph) to choose uncongested channels, and do a whole bunch of things that I don't use but which are conceivably useful like VPN server, file server and such.

noAnswer 8 hours ago | parent | prev [-]

> Aren't those Fritz!Box routers (common in Europe) precisely examples of "shitty routers with terrible security?"

Not at all. They had security bugs, sure, but not constantly. Each device has a randomized admin password from the factory. Some changes require physical hardware access because one needs to press a button to confirm. They support the hardware for ages. Their 7490 model just got a feature firmware update. The model is 13 years old!

In Germany, if you ask someone where his router is he might not know what you're talking about. But he'd understand if you asked about "your Fritzbox". (Even in cases where they have something else.)

But enough of the glazing. In 2024 they got sold to private equity. Let's see how the enshittification will treat them.

miladyincontrol 12 hours ago | parent | prev | next [-]

I do not use UPnP myself but I agree with the notion, hate the bad implementations not the protocol itself. When limited to specific ports by specific devices it does have its uses.

imcritic 9 hours ago | parent | prev [-]

Isn't fritz a derogatory term for Germans? That's a weird choice of a name for a router. Or is it like a joke? Or maybe Germans aren't familiar with that slur?

noAnswer 9 hours ago | parent [-]

Fritz is a normal German first name.

jcelerier 8 hours ago | parent | prev [-]

What are the other options if I want to open a port and don't want to (or can't) go to the router config?

kelnos 6 hours ago | parent [-]

If you have the ability to disable UPnP on the router, then you presumably have the ability to set up port forwards manually. "Don't want" doesn't come into play; if you disable UPnP, that's the trade off you're making.

jcelerier 4 hours ago | parent [-]

I mean, I don't want to disable UPnP. The whole point of it is to not have to do forwarding manually. So my question is: if I want automatic port forwarding, and given that apparently UPnP is bad for some reasons that I don't know, then what are the other automatic options?

kelnos 6 hours ago | parent | prev | next [-]

I'm torn on UPnP in general. If there's something malicious running on my network that could send a UPnP request to my router to open a port, then it could also open a persistent connection to some command-and-control server somewhere and achieve a similar result (and I'd possibly even be less likely to notice this). Sure, it's more taxing on a central server to have to maintain all these connections than to be able to make short-lived outgoing connections at will, but I don't think that's that much of a concern these days.

Having said that, I still disable UPnP on my routers if it's enabled by default... just feels safer that way. Even if the intended use of the port forward is legitimate, other non-legitimate folks on the public internet could presumably use that port forward as well to exploit a vulnerability in the software in my network that's on the other end of that port.

I'm also not sure how relevant UPnP is these days, with many people on the internet behind CGNAT, not even getting a publicly-addressable IPv4 at their home router. I suppose many of those people have routable IPv6 addresses, though, assuming UPnP port forwarding supports IPv6.

jasongill 14 hours ago | parent | prev | next [-]

Ignoring concerns about the security of UPnP, and the fact that this is somewhat of a "solved" problem considering there are things like libupnp and miniupnpc, I am wondering if this is really the cleanest way to solve the problem in C++ with Qt?

I'm most curious about the fact that this program has ~30,000 lines of included headers to simply generate a static string (the XML output).

Obviously if you were generating large XML payloads repeatedly, then including a dependency would be a good idea, but this implementation is using "inja.hpp" which in turn requires "json.hpp" to output what is effectively a concatenated string.

Why not just use Qt's built in QStringLiteral and feed it the (short) bit of XML to it along with your 4 variables, similar to a sprintf?
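
The roughly 12 lines in question are the SOAP body of AddPortMapping on the IGD's WANIPConnection service, and the sprintf-style approach has one catch worth spelling out: every caller-supplied value (the free-text description in particular) lands inside XML, so it has to be escaped or a crafted value can close its element and smuggle in its own <NewInternalClient>. Added example, not QtNat's code and Qt-free so it compiles anywhere: std::string concatenation with escaping and argument validation. With Qt the same shape is a QString::arg chain over the escaped values. The service type string is the standard one from the IGD spec; the mapping values in main are made up.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>

// Added example, not QtNat's code: the AddPortMapping SOAP body built with
// plain std::string. Every caller-supplied value is escaped before it is
// spliced into the XML; with Qt the same shape is a QString::arg chain.
namespace upnp {

// Escape the five XML metacharacters so a hostile description string cannot
// close its element and inject, say, its own <NewInternalClient>.
std::string xmlEscape(const std::string& s) {
    std::string out;
    out.reserve(s.size());
    for (char c : s) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&apos;"; break;
            default:   out += c;
        }
    }
    return out;
}

struct PortMapping {
    uint16_t    externalPort;
    uint16_t    internalPort;
    std::string protocol;        // "TCP" or "UDP"
    std::string internalClient;  // LAN IPv4 of the host that should receive the traffic
    std::string description;     // free text shown in the router's UI
    uint32_t    leaseSeconds;    // 0 = until explicitly deleted
};

// Reject values the IGD would refuse, or accept with a meaning the caller
// did not intend, before they reach the router.
void validate(const PortMapping& m) {
    if (m.externalPort == 0 || m.internalPort == 0)
        throw std::invalid_argument("port must be 1-65535");
    if (m.protocol != "TCP" && m.protocol != "UDP")
        throw std::invalid_argument("protocol must be TCP or UDP");
    if (m.internalClient.empty())
        throw std::invalid_argument("internal client address is required");
}

// Value of the SOAPAction header that accompanies the body.
std::string soapAction(const std::string& serviceType) {
    return "\"" + serviceType + "#AddPortMapping\"";
}

// serviceType comes from the device description the SSDP LOCATION URL points
// at, e.g. "urn:schemas-upnp-org:service:WANIPConnection:1".
std::string addPortMappingBody(const PortMapping& m, const std::string& serviceType) {
    validate(m);
    std::string body;
    body += "<?xml version=\"1.0\"?>\n";
    body += "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" "
            "s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n";
    body += " <s:Body>\n";
    body += "  <u:AddPortMapping xmlns:u=\"" + xmlEscape(serviceType) + "\">\n";
    body += "   <NewRemoteHost></NewRemoteHost>\n";                  // empty = any remote host
    body += "   <NewExternalPort>" + std::to_string(m.externalPort) + "</NewExternalPort>\n";
    body += "   <NewProtocol>" + m.protocol + "</NewProtocol>\n";   // validated enum, nothing to escape
    body += "   <NewInternalPort>" + std::to_string(m.internalPort) + "</NewInternalPort>\n";
    body += "   <NewInternalClient>" + xmlEscape(m.internalClient) + "</NewInternalClient>\n";
    body += "   <NewEnabled>1</NewEnabled>\n";
    body += "   <NewPortMappingDescription>" + xmlEscape(m.description) + "</NewPortMappingDescription>\n";
    body += "   <NewLeaseDuration>" + std::to_string(m.leaseSeconds) + "</NewLeaseDuration>\n";
    body += "  </u:AddPortMapping>\n";
    body += " </s:Body>\n";
    body += "</s:Envelope>\n";
    return body;
}

} // namespace upnp

int main() {
    // Made-up mapping values; the description deliberately contains markup.
    upnp::PortMapping m{25565, 25565, "TCP", "192.168.1.50", "game server <lan> & \"test\"", 3600};
    const std::string service = "urn:schemas-upnp-org:service:WANIPConnection:1";
    std::printf("SOAPAction: %s\n%s", upnp::soapAction(service).c_str(),
                upnp::addPortMappingBody(m, service).c_str());
    return 0;
}
```

A non-zero NewLeaseDuration is the cheap mitigation for the "forgotten hole" problem raised elsewhere in this thread: the mapping expires on its own if the program that asked for it dies without calling DeletePortMapping.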

WesolyKubeczek 13 hours ago | parent [-]

Likely a side effect of Qt trying to be an “everything” library, batteries and battery factory included.

jasongill 13 hours ago | parent | next [-]

I guess that's my point - the author is already using Qt, which has so much included, but is still including two large header files in the project just to output a ~12 line XML snippet

jacquesm 12 hours ago | parent | prev [-]

Qt is terrible. Since a couple of years they want a login just to download the code required for a build and I really have zero desire to get a bunch of marketeers that are wondering if I'm ripe for the plucking yet just because I've decided to fix some bugs in open source code.

StellarScience 10 hours ago | parent | next [-]

  git clone --branch v6.10.1 https://code.qt.io/qt/qt5.git .
No login required.

They do require a login to download precompiled binaries, but what self-respecting Hacker News reader wants those?!

Ok, I'll admit, I've done it. And yes, I received Qt marketing at that email alias for a while, but they've stopped.

And remember, Qt has an LGPL license too, not just Commercial and GPL.

EDIT: Ah, ranger_danger pointed out that https://download.qt.io/archive/qt/6.10/ hosts binaries with no login required as well!

jcelerier 8 hours ago | parent [-]

> They do require a login to download precompiled binaries, but what self-respecting Hacker News reader wants those?!

even then, they're freely accessible and there's a simple CLI to get them.

    uvx --from aqtinstall aqt install-qt linux desktop 6.10.1
and tada

ranger_danger 12 hours ago | parent | prev [-]

IMO Qt is amazing. No login is technically required to download anything, especially code.

The official SDK installer GUI does require a login, but you don't have to use it in order to download or use Qt at all.

Not only can you download all the individual components that the GUI fetches via download.qt.io yourself, there's also third-party installers like aqtinstall, as well as many different OS package managers that provide Qt binaries.

jmward01 13 hours ago | parent | prev | next [-]

Not the topic of the article, but security of opening anything up in my network is always super concerning. I really want a zero-advertise way to find and connect to my network. So, for instance, there could be a trusted server that I advertise my IP to so that I can find it when I am off my local network. Not dynamic dns, something that requires me to send them a key so that only my devices can get the IP. Then, some form of port knocking could hide the connection port actually used like I send a sequence of knocks based on my key encoding the port I will use to actually try to connect my VPN so that I can rotate that around. A bit overkill but I am paranoid now. It is a jungle out there and security is hard for experts much less people like me.

smw 13 hours ago | parent | next [-]

tailscale

esseph 12 hours ago | parent | prev [-]

ZeroTier, Tailscale, Cloudflare WARP, bare WireGuard

mjevans 9 hours ago | parent [-]

The hardest part with bare wireguard is one part _really_ wants to be static, OR you have to re-init stuff and push DNS updates every time it updates.

esseph 9 hours ago | parent [-]

Just the primary/hub/main site. Mobile clients do not.

If this is a problem with a home connection then you'd want to use a relay. A small 1C CPU box at some cloud provider.

Make that the "hub" that everything connects to and then you don't have to worry about the residential connection changing IPs

lostmsu 9 hours ago | parent | prev | next [-]

For anyone using Windows I made a simple command line tool: https://community.chocolatey.org/packages/portopen

Source: https://github.com/lostmsu/PortForwarding/blob/lost/PortOpen... (uses a custom fork of Mono.Nat).

jeffbee 14 hours ago | parent | prev [-]

-

matt_kn 13 hours ago | parent | next [-]

I'm looking at the code but I don't quite see that?

  auto start= result.indexOf("http://");
  ...
  auto end= result.indexOf("\r", start);
  ...
  m_describeUrl= result.sliced(start, end - start);
I don't think end can ever be < start (other than < 0 if not found, which is handled).
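
The snippet above locates the description URL by searching the whole datagram for the first "http://" and the next carriage return. Added example, not QtNat's code: parsing the M-SEARCH reply as HTTP-style headers instead, so the value comes from the LOCATION header specifically (case-insensitive name, CRLF or bare LF endings), a non-200 status or missing header is reported rather than guessed at, and the URL's host can be compared against the address the reply actually came from. That last check matters because any host on the LAN can answer an M-SEARCH and point the client at an arbitrary description URL. The sample reply is constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <optional>
#include <string>
#include <string_view>

// Added example, not QtNat's code: extract the description URL from an SSDP
// M-SEARCH reply by reading it as HTTP-style headers.
namespace ssdp {

static std::string_view trim(std::string_view s) {
    while (!s.empty() && std::isspace((unsigned char)s.front())) s.remove_prefix(1);
    while (!s.empty() && std::isspace((unsigned char)s.back()))  s.remove_suffix(1);
    return s;
}

static bool iequals(std::string_view a, std::string_view b) {
    return a.size() == b.size() &&
           std::equal(a.begin(), a.end(), b.begin(), [](char x, char y) {
               return std::tolower((unsigned char)x) == std::tolower((unsigned char)y);
           });
}

// Value of the first LOCATION header, or nullopt if the reply is not an
// "HTTP/1.1 200" response or has no such header. Header names are
// case-insensitive; line endings may be CRLF or bare LF.
std::optional<std::string> locationHeader(std::string_view reply) {
    size_t pos = 0;
    bool statusLine = true;
    while (pos < reply.size()) {
        size_t eol = reply.find('\n', pos);
        std::string_view line = reply.substr(pos, eol == std::string_view::npos ? std::string_view::npos : eol - pos);
        if (!line.empty() && line.back() == '\r') line.remove_suffix(1);
        pos = (eol == std::string_view::npos) ? reply.size() : eol + 1;
        if (statusLine) {
            statusLine = false;
            if (line.substr(0, 12) != "HTTP/1.1 200") return std::nullopt;
            continue;
        }
        if (line.empty()) break;                                   // blank line ends the headers
        size_t colon = line.find(':');
        if (colon == std::string_view::npos) continue;
        if (iequals(trim(line.substr(0, colon)), "location")) {
            std::string_view v = trim(line.substr(colon + 1));
            if (v.substr(0, 7) != "http://") return std::nullopt;  // IGD descriptions are served over plain http
            return std::string(v);
        }
    }
    return std::nullopt;
}

// Host part of "http://host[:port]/path"; empty string for anything else.
std::string urlHost(std::string_view url) {
    if (url.substr(0, 7) != "http://") return "";
    std::string_view rest = url.substr(7);
    return std::string(rest.substr(0, rest.find_first_of(":/")));
}

// Any host on the LAN can answer an M-SEARCH; insisting that LOCATION points
// back at the responder keeps a rogue device from redirecting the description
// fetch (and the SOAP calls that follow it) somewhere else.
bool locationMatchesResponder(const std::string& url, const std::string& responderIp) {
    return urlHost(url) == responderIp;
}

// Constructed reply in the general shape an IGD sends to a unicast M-SEARCH.
const char* sampleReply() {
    return "HTTP/1.1 200 OK\r\n"
           "CACHE-CONTROL: max-age=1800\r\n"
           "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
           "USN: uuid:12345678-1234-1234-1234-123456789abc::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
           "EXT:\r\n"
           "SERVER: Linux/5.10 UPnP/1.1 ExampleIGD/1.0\r\n"
           "Location: http://192.168.1.1:5000/rootDesc.xml\r\n"
           "\r\n";
}

} // namespace ssdp

int main() {
    const std::string responder = "192.168.1.1";                  // source address of the UDP datagram
    if (auto loc = ssdp::locationHeader(ssdp::sampleReply()))
        std::printf("LOCATION %s, host matches responder: %s\n", loc->c_str(),
                    ssdp::locationMatchesResponder(*loc, responder) ? "yes" : "no");
    return 0;
}
```
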

jeffbee 13 hours ago | parent [-]

Because I'm dumb

vablings 13 hours ago | parent | prev [-]

Average "well written" C++ program that is free of bugs.