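# miniupnpd configuration file.
# Lines starting with '#' are comments; one "key=value" setting per line.
# Active (uncommented) settings in this file: secure_mode, system_uptime,
# notify_interval, clean_ruleset_interval, uuid and the permission rules at
# the bottom. Every other option is shown commented out as an example.

# WAN network interface
#ext_ifname=eth1
#ext_ifname=xl1
# if the WAN network interface for IPv6 is different than for IPv4,
# set ext_ifname6
#ext_ifname6=eth2
# If the WAN interface has several IP addresses, you
# can specify the one to use below.
# Setting ext_ip is also useful in double NAT setup, you can declare here
# the public IP address.
#ext_ip=
# WAN interface must have public IP address. Otherwise it is behind NAT
# and port forwarding is impossible. In some cases WAN interface can be
# behind unrestricted full-cone NAT 1:1 when all incoming traffic is NAT-ed and
# routed to WAN interfaces without any filtering. In these cases miniupnpd
# needs to know public IP address and it can be learnt by asking external
# server via STUN protocol. The following option enables retrieving external
# public IP address from STUN server and detection of NAT type. You need
# to specify also external STUN server in the ext_stun_host option below.
# This option is disabled by default.
# NOTE: with this option the public address is whatever the configured
# STUN server reports, so pick a server you trust.
#ext_perform_stun=yes
# Specify STUN server, either hostname or IP address
# Some public STUN servers:
#  stun.stunprotocol.org
#  stun.sipgate.net
#  stun.xten.com
#  stun.l.google.com (on non standard port 19302)
#ext_stun_host=stun.stunprotocol.org
# Specify STUN UDP port, by default it is standard port 3478.
#ext_stun_port=3478

# LAN network interfaces IPs / networks
# There can be multiple listening IPs for SSDP traffic, in that case
# use multiple 'listening_ip=...' lines, one for each network interface.
# It can be IP address or network interface name (ie. "eth0")
# It is mandatory to use the network interface name in order to enable IPv6
# HTTP is available on all interfaces.
# When MULTIPLE_EXTERNAL_IP is enabled, the external IP
# address associated with the subnet follows. For example:
#  listening_ip=192.168.0.1/24 88.22.44.13
# When MULTIPLE_EXTERNAL_IP is disabled, you can list associated network
# interfaces (for bridges)
#  listening_ip=bridge0 em0 wlan0
#listening_ip=192.168.0.1/24
#listening_ip=10.5.0.0/16
#listening_ip=eth0
# CAUTION: mixing up WAN and LAN interfaces may introduce security risks!
# Be sure to assign the correct interfaces to LAN and WAN and consider
# implementing UPnP permission rules at the bottom of this configuration file

# Port for HTTP (descriptions and SOAP) traffic. Set to 0 for autoselect.
#http_port=0
# Port for HTTPS. Set to 0 for autoselect (default)
#https_port=0

# Path to the UNIX socket used to communicate with MiniSSDPd
# If running, MiniSSDPd will manage M-SEARCH answering.
# default is /var/run/minissdpd.sock
#minissdpdsocket=/var/run/minissdpd.sock

# Disable IPv6 (default is no : IPv6 enabled if enabled at build time)
#ipv6_disable=yes

# Enable NAT-PMP support (default is no)
#enable_natpmp=yes

# Enable UPNP support (default is yes)
#enable_upnp=no

# PCP
# Configure the minimum and maximum lifetime of a port mapping in seconds
# 120s and 86400s (24h) are suggested values from PCP-base
#min_lifetime=120
#max_lifetime=86400

# Chain names for netfilter (not used for pf or ipf).
# default is MINIUPNPD for both
#upnp_forward_chain=forwardUPnP
#upnp_nat_chain=UPnP
#upnp_nat_postrouting_chain=UPnP-Postrouting

# Lease file location
#lease_file=/var/log/upnp.leases

# To enable the next few runtime options, see compile time
# ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h)

# Name of this service, default is "`uname -s` router"
#friendly_name=MiniUPnPd router

# Manufacturer name, default is "`uname -s`"
#manufacturer_name=Manufacturer corp

# Manufacturer URL, default is URL of OS vendor
#manufacturer_url=http://miniupnp.free.fr/

# Model name, default is "`uname -s` router"
#model_name=Router Model

# Model description, default is "`uname -s` router"
#model_description=Very Secure Router - Model

# Model URL, default is URL of OS vendor
#model_url=http://miniupnp.free.fr/

# Bitrates reported by daemon in bits per second
# by default miniupnpd tries to get WAN interface speed
#bitrate_up=1000000
#bitrate_down=10000000

# Secure Mode, UPnP clients can only add mappings to their own IP.
# Enabled here: with secure_mode=no, a LAN host matched by an allow rule
# below can request a mapping that points at another host's address.
# Switch back to "no" only if a device must create mappings on behalf of
# other hosts, and tighten the permission rules when doing so.
secure_mode=yes
#secure_mode=no

# Default presentation URL is HTTP address on port 80
# If set to an empty string, no presentationURL element will appear
# in the XML description of the device, which prevents MS Windows
# from displaying an icon in the "Network Connections" panel.
#presentation_url=http://www.mylan/index.php

# Report system uptime instead of daemon uptime
system_uptime=yes

# Notify interval in seconds. default is 30 seconds.
#notify_interval=240
notify_interval=60

# Unused rules cleaning.
# never remove any rule before this threshold for the number
# of redirections is exceeded. default to 20
#clean_ruleset_threshold=10
# Clean process work interval in seconds. default to 0 (disabled).
# a 600 seconds (10 minutes) interval makes sense
clean_ruleset_interval=600

# Log packets in pf (default is no)
#packet_log=no

# Anchor name in pf (default is miniupnpd)
#anchor=miniupnpd

# ALTQ queue in pf
# Filter rules must be used for this to be used.
# compile with PF_ENABLE_FILTER_RULES (see config.h file)
#queue=queue_name1

# Tag name in pf
#tag=tag_name1

# Make filter rules in pf quick or not. default is yes
# active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
#quickrules=no

# UUID, generate your own UUID with "make genuuid"
# The all-zero value below is a placeholder, not a usable identifier:
# replace it with a freshly generated UUID before deploying.
uuid=00000000-0000-0000-0000-000000000000

# Daemon's serial and model number when reporting to clients
# (in XML description)
#serial=12345678
#model_number=1

# If compiled with IGD_V2 defined, force reporting IGDv1 in rootDesc (default
# is no)
#force_igd_desc_v1=no

# UPnP permission rules
# (allow|deny) (external port range) IP/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# IP/mask format must be nnn.nnn.nnn.nnn/nn
# It is advised to only allow redirection of port >= 1024
# and end the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
# The following default ruleset allows specific LAN side IP addresses
# to request only ephemeral ports. It is recommended that users
# modify the IP ranges to match their own internal networks, and
# also consider implementing network-specific restrictions
# CAUTION: failure to enforce any rules may permit insecure requests to be made!
# Rules are checked in order and the first match decides, so keep the
# final deny rule last: it refuses every request no allow rule matched.
allow 1024-65535 192.168.0.0/24 1024-65535
allow 1024-65535 192.168.1.0/24 1024-65535
# Disabled: this rule let every host in 192.168.0.0/23 publish internal
# port 22 on the WAN side, which contradicts the "ephemeral ports only"
# intent stated above. Re-enable it, narrowed to a single host, only if
# that exposure is intended.
#allow 1024-65535 192.168.0.0/23 22
# Example of a single-host, single-port rule: replace the address and
# ports with those of a real host, or remove the line.
allow 12345 192.168.7.113/32 54321
deny 0-65535 0.0.0.0/0 0-65535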