UPnP
# pkg install miniupnpc
# /usr/local/bin/upnpc
upnpc : miniupnpc library test client, version 2.1.
(c) 2005-2018 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
Usage : /usr/local/bin/upnpc [options] -a ip port external_port protocol [duration]
Add port redirection
/usr/local/bin/upnpc [options] -d external_port protocol <remote host>
Delete port redirection
/usr/local/bin/upnpc [options] -s
Get Connection status
/usr/local/bin/upnpc [options] -l
List redirections
/usr/local/bin/upnpc [options] -L
List redirections (using GetListOfPortMappings (for IGD:2 only)
/usr/local/bin/upnpc [options] -n ip port external_port protocol [duration]
Add (any) port redirection allowing IGD to use alternative external_port (for IGD:2 only)
/usr/local/bin/upnpc [options] -N external_port_start external_port_end protocol [manage]
Delete range of port redirections (for IGD:2 only)
/usr/local/bin/upnpc [options] -r port1 [external_port1] protocol1 [port2 [external_port2] protocol2] [...]
Add all redirections to the current host
/usr/local/bin/upnpc [options] -A remote_ip remote_port internal_ip internal_port protocol lease_time
Add Pinhole (for IGD:2 only)
/usr/local/bin/upnpc [options] -U uniqueID new_lease_time
Update Pinhole (for IGD:2 only)
/usr/local/bin/upnpc [options] -C uniqueID
Check if Pinhole is Working (for IGD:2 only)
/usr/local/bin/upnpc [options] -K uniqueID
Get Number of packets going through the rule (for IGD:2 only)
/usr/local/bin/upnpc [options] -D uniqueID
Delete Pinhole (for IGD:2 only)
/usr/local/bin/upnpc [options] -S
Get Firewall status (for IGD:2 only)
/usr/local/bin/upnpc [options] -G remote_ip remote_port internal_ip internal_port protocol
Get Outbound Pinhole Timeout (for IGD:2 only)
/usr/local/bin/upnpc [options] -P
Get Presentation url
protocol is UDP or TCP
Options:
-e description : set description for port mapping.
-6 : use ip v6 instead of ip v4.
-u url : bypass discovery process by providing the XML root description url.
-m address/interface : provide ip address (ip v4) or interface name (ip v4 or v6) to use for sending SSDP multicast packets.
-z localport : SSDP packets local (source) port (1024-65535).
-p path : use this path for MiniSSDPd socket.
-t ttl : set multicast TTL. Default value is 2.
# upnpc -a 192.168.0.10 8011 8010 tcp 30
upnpc : miniupnpc library test client, version 2.1.
(c) 2005-2018 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
desc: http://192.168.0.1:xxxxx/rootDesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://192.168.0.1:xxxxx/ctl/IPConn
Local LAN ip address : 192.168.0.10
ExternalIPAddress = xxx.xxx.xxx.xxx
InternalIP:Port = 192.168.0.10:8011
external xxx.xxx.xxx.xxx:8010 TCP is redirected to internal 192.168.0.10:8011 (duration=30)
# cat /var/log/upnp.leases
TCP:8010:192.168.0.10:8011:1583320251:libminiupnpc
( The lease_file is deleted at startup if it is empty. It is created when the first mapping is added. It is left in place on exit. )
NAT-PMP
net/libnatpmp includes /usr/local/bin/natpmpc, which appears to allow a simple check.
# natpmpc -h
Usage :
natpmpc [options]
display the public IP address.
natpmpc -h
display this help screen.
natpmpc [options] -a <public port> <private port> <protocol> [lifetime]
add a port mapping.
Option available :
-g ipv4address
force the gateway to be used as destination for NAT-PMP commands.
In order to remove a mapping, set it with a lifetime of 0 seconds.
To remove all mappings for your machine, use 0 as private port and lifetime.
# natpmpc -a 8000 8001 tcp 30
initnatpmp() returned 0 (SUCCESS)
using gateway : 192.168.0.1
sendpublicaddressrequest returned 2 (SUCCESS)
readnatpmpresponseorretry returned -7 (FAILED)
readnatpmpresponseorretry() failed : the gateway does not support nat-pmp
errno=61 'Connection refused'
( enable_natpmp=yes is not set )
# natpmpc -a 8000 8001 tcp 30
initnatpmp() returned 0 (SUCCESS)
using gateway : 192.168.0.1
sendpublicaddressrequest returned 2 (SUCCESS)
readnatpmpresponseorretry returned 0 (OK)
Public IP address : xxx.xxx.xxx.xxx
epoch = 2712262545
sendnewportmappingrequest returned 12 (SUCCESS)
readnatpmpresponseorretry returned -51 (FAILED)
readnatpmpresponseorretry() failed : not authorized
( not permitted by a rule such as allow 1024-65535 192.168.0.0/24 1024-65535 )
# natpmpc -a 8000 8001 tcp 30
initnatpmp() returned 0 (SUCCESS)
using gateway : 192.168.0.1
sendpublicaddressrequest returned 2 (SUCCESS)
readnatpmpresponseorretry returned 0 (OK)
Public IP address : xxx.xxx.xxx.xxx
epoch = 2712262658
sendnewportmappingrequest returned 12 (SUCCESS)
readnatpmpresponseorretry returned -52 (FAILED)
readnatpmpresponseorretry() failed : network failure
( rdr-anchor anchor is not configured in /etc/pf.conf. This is the behaviour in the PF_FILTER_RULES=on case. )
# natpmpc -a 8000 8001 tcp 30
initnatpmp() returned 0 (SUCCESS)
using gateway : 192.168.0.1
sendpublicaddressrequest returned 2 (SUCCESS)
readnatpmpresponseorretry returned 0 (OK)
Public IP address : xxx.xxx.xxx.xxx
epoch = 2712262909
sendnewportmappingrequest returned 12 (SUCCESS)
readnatpmpresponseorretry returned 0 (OK)
Mapped public port 8000 protocol TCP to local port 8001 liftime 30
epoch = 2712262909
closenatpmp() returned 0 (SUCCESS)
# cat /var/log/upnp.leases
TCP:8000:192.168.0.10:8001:1583317213:NAT-PMP 8000 tcp
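
An added example (not from the original page or the miniupnpd project): a Python audit of /var/log/upnp.leases lines against the allow rule quoted above, flagging mappings the rule would not permit and entries that have outlived their lease. It assumes the colon-separated fields are protocol, external port, internal IP, internal port, expiry time in Unix seconds (0 = none) and description, as the two sample lines suggest; the function names and the last two sample lines are constructed.

```python
import ipaddress
from collections import namedtuple

RULE = "allow 1024-65535 192.168.0.0/24 1024-65535"   # rule quoted on the page
SAMPLE = [  # first two lines are from the page; the last two are constructed
    "TCP:8010:192.168.0.10:8011:1583320251:libminiupnpc",
    "TCP:8000:192.168.0.10:8001:1583317213:NAT-PMP 8000 tcp",
    "TCP:80:192.168.0.10:80:0:constructed entry",
    "UDP:5000:10.0.0.5:5000:0:constructed entry",
]
Lease = namedtuple("Lease", "proto ext_port int_ip int_port expires desc")

def parse_lease(line):
    # The description is last and may contain ':', so split at most 5 times.
    # Assumption: field 5 is the expiry time in Unix seconds, 0 = no expiry.
    proto, eport, ip, iport, ts, desc = line.strip().split(":", 5)
    return Lease(proto, int(eport), ipaddress.IPv4Address(ip), int(iport), int(ts), desc)

def port_range(text):
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)

def audit(lines, rule, now):
    # rule layout: allow <external ports> <internal network> <internal ports>
    _, eports, net, iports = rule.split()
    (elo, ehi), (ilo, ihi) = port_range(eports), port_range(iports)
    net = ipaddress.ip_network(net, strict=False)
    findings = []
    for line in filter(str.strip, lines):
        try:
            lease = parse_lease(line)
        except ValueError:          # wrong field count, bad number or bad address
            findings.append((line.strip(), ["unparseable line"]))
            continue
        reasons = []
        if not elo <= lease.ext_port <= ehi:
            reasons.append("external port outside allowed range")
        if lease.int_ip not in net:
            reasons.append("internal address outside allowed network")
        if not ilo <= lease.int_port <= ihi:
            reasons.append("internal port outside allowed range")
        if lease.expires and lease.expires < now:
            reasons.append("expired but still in lease file")
        if reasons:
            findings.append((lease, reasons))
    return findings

if __name__ == "__main__":
    for entry, why in audit(SAMPLE, RULE, now=1583320000):
        print(entry, why)
```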