UPnP support

[dragonwap]

Is filezilla server able to request upnp portforwading from the router?
If it isn't when this will be implemented?

[botg]

UPnP is totally useless, just configure your hardware properly.

[bugmenot]

I know this is an old topic, but it shouldn't matter. I searched for UPnP and found this thread.

I totally disagree with UPnP being "totally useless". I don't understand that statement at all. UPnP does more than prevent you from having to manually configure your router--it helps ensure that:

1) Ports (i.e. 21, 990, and any applicable PASV ports) are only forwarded when the server is actually running, rather than all the time. Maybe this isn't a critical issue, but I prefer not forwarding ports when the FTP server isn't running.

2) The correct ports are forwarded. What if you want the server to listen on a custom, non-standard port? Very feasible, and much easier with UPnP.

3) The ports are available. What if you have manually configured the router to forward a series of ports for PASV (e.g. 50000-50108), but some other application began using those ports (or just some of them) before the FTP server tried using them? With manual router configuration, you are out of luck, unless you have configured a wide range of ports for PASV (which not everyone likes to do). With UPnP, it could be handled automatically and on-the-fly.

If you don't want to bother adding UPnP support, I can understand. But unsubstantiated claims that it is "useless" don't make sense.

[eddan]

If anyone out there is interested in making a patch, http://sourceforge.net/projects/platinum is a cross platform upnp library that might get the job done rather easily.

[alasdairrr]

I work for an ISP where we recommend FileZilla to our clients on a regular basis.

uPNP support would be of real benefit to us, and several other popular Windows FTP clients support it, such as SmartFTP:

http://www.smartftp.com/support/kb/upnp-f174.html

I don't see what the huge problem is with supporting it. If you're so against uPNP, then leave it disabled by default, but at least make it an option - many people could benefit from uPNP support.

[botg]

How should I implement a feature I cannot test? My whole network is proper, don't want to taint it with UPnP.

[alasdairrr]

I'm not suggesting you personally implement and/or test it. Hopefully someone who wants uPNP support will contribute a patch!

[grimholtz]

I am surprised that you have no plans for ZeroConf in FileZilla Server. There are other options if you don't like UPnP IDG. The most well-known alternative is probably Apple's Bonjour, but others include DPWS.

Out of curiosity, what is your particular issue with adding UPnP support? You said it is totally useless. Is that your feeling about UPnP in particular, or ZeroConf services in general? If the latter, I urge you to consider the less technically-inclined. For example, plenty of my friends are FTP-savvy but have no idea how to configure their routers for port forwarding. Sure, they could be taught how to do it, but it's not really something they want to spend time learning.

How should I implement a feature I cannot test? My whole network is proper, don't want to taint it with UPnP.

You can run a UPnP IDG server from free software now. SmoothWall, which can be booted from LiveCD if you prefer, is one example, but there are plenty of others. Your network wouldn't be "tainted" if the computer running SmoothWall is blocked from the internet. That can be done physically or with your router/firewall at the MAC address level, as I'm sure you know. Alternatively, I would be very glad to send you one of my old 802.11b routers with UPnP for free. Again, your network wouldn't be "tainted" (i.e., put at security risk) if you properly isolate the router from the external world.

[boco]

So if every software may use UPnP to configure port-forwardings, what's the point of having a router firewall? The point of a (hardware) firewall is that nothing except the network admin (human) can pierce holes into it. I, personally, consider UPnP a security risk. There's nothing better than well educated users. If they don't want to learn how to configure their networks themselves, they shouldn't run servers. Sounds hard but true.

[grimholtz]

So if every software may use UPnP to configure port-forwardings, what's the point of having a router firewall? The point of a (hardware) firewall is that nothing except the network admin (human) can pierce holes into it. I, personally, consider UPnP a security risk. There's nothing better than well educated users. If they don't want to learn how to configure their networks themselves, they shouldn't run servers. Sounds hard but true.

It is indeed a security risk if you haphazardly and arbitrarily install software because that software could hijack UPnP to punch a hole in your firewall. However, if you don't install arbitrary software on your server--and any server admin knows that is a basic rule--then you're completely safe from the risk you describe.

However, this discussion you are starting is irrelevant to FileZilla. You are arguing the security risk of a protocol. We can go back and forth about the inherent risks of that protocol. But that is irrelevant to FileZilla Server because the protocol is already out in the wild and quite popular. Whether or not FileZilla implements it and whatever we discuss here about the protocol will not change that. So, in a sense, you are hijacking this thread with a red herring. If you are addressing my question about your issue with UPnP, then I apologize, but you don't appear to be the siteadmin to whom I was addressing the question.

Implementing the feature with it OFF by default is no security risk. To claim that you won't support it because it's a security risk is like saying you won't support unencrypted FTP because usernames/passwords are sent in the clear. That, too, is a security risk (arguably a much LARGER one than UPnP support), yet FileZilla server already supports it.

[da chicken]

I wouldn't have a problem with UPnP or NAT-PMP if they were authenticated protocols.

[grimholtz]

I wouldn't have a problem with UPnP or NAT-PMP if they were authenticated protocols.

Some of the alternative protocols I linked to do require authentication. Once again, let me point out the FileZilla Server supports unencrypted authentication, so credentials are passed in the clear over the internet -- potentially much worse than anything uPnP exposes you to.

[cszeto]

Non-commercial software is written due to the interests of the programmer who wrote it. If they are not interested in a feature or capability, then it's not in the program period! All the badgering and begging goes nowhere.

Now if you are willing to support their efforts in a monetary way, that might persuade them to your cause, but that will vary based on their motivations as to why they wrote what they did in the first place.

As open sourced efforts, no one is prohibited from writing their own extensions or even rewriting the entire application itself. You can fund efforts that way too by engaging the appropriate programming talent, which may or may not be related to the original efforts.

Outside of that, you can put a request and they can either accept it and it makes the next revision on their time table or they can just say no...

[grimholtz]

Non-commercial software is written due to the interests of the programmer who wrote it. If they are not interested in a feature or capability, then it's not in the program period! All the badgering and begging goes nowhere.

Now if you are willing to support their efforts in a monetary way, that might persuade them to your cause, but that will vary based on their motivations as to why they wrote what they did in the first place.

As open sourced efforts, no one is prohibited from writing their own extensions or even rewriting the entire application itself. You can fund efforts that way too by engaging the appropriate programming talent, which may or may not be related to the original efforts.

Outside of that, you can put a request and they can either accept it and it makes the next revision on their time table or they can just say no...

I don't really need a lecture in the ways of open-source software as I am one myself. I still await a reply from botg, the admin, if he has the time to address my original question.

[cszeto]

"open-source software as I am one myself"

??? Eliza???

If botg doesn't respond, then botg's not interested...