How to run Windows Live Messenger and Webcam through OpenBSD and PF

Windows Live Messaging is cool! All the others just suck! - At least that’s what almost everyone I know tells me. I mean… it has nice features, but it uses such a complex protocol that I don’t even want to think about security.

During the Christmas time I visited my family and one evening I wanted to talk to a cousin using MSN and my Dell XPS M1530’s webcam, but HELL, this crappy SoHo router I was connecting through made it impossible to get a picture of her on my screen or to send her mine. Back home we wanted to try again… I know it worked before, but it wasn’t reliable. Sometimes it worked, sometimes not. Mhhh…. I set up my OpenBSD 4.2’s PF “firewall” about a year ago:

```
# Static port forwards to the MSN PC on the LAN (pre-4.7 pf.conf syntax).
# The "->" before the target address is required; without it pfctl rejects the rule.
rdr on $ext_if proto tcp from any to ($ext_if) port 5190 -> 10.1.16.11
rdr on $ext_if proto tcp from any to ($ext_if) port 1863 -> 10.1.16.11
rdr on $ext_if proto tcp from any to ($ext_if) port 6891:6901 -> 10.1.16.11
rdr on $ext_if proto udp from any to ($ext_if) port 5190 -> 10.1.16.11
rdr on $ext_if proto udp from any to ($ext_if) port 1863 -> 10.1.16.11
rdr on $ext_if proto udp from any to ($ext_if) port 6891:6901 -> 10.1.16.11
```
Actually I thought that’s it (according to portforward.com), but it seems like it isn’t. I then googled around a bit… found a lot of outdated information and then came across a few newer posts which stated that UPNP is important for the full Live Messenger “experience”.

O.K. another short google: MiniUPNPd. Runs on most BSDs and even supports Linux’s iptables. So I downloaded and installed it according to the INSTALL file included in the tarball. In short, just do: make, make install, add rdr-anchor "miniupnpd" and anchor "miniupnpd" to your pf.conf, reload pf.conf, set up miniupnpd.conf or start with miniupnpd -i -a . That’s it.
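To make the "add the anchors to pf.conf" step concrete, here is an added example of how the two files fit together on an OpenBSD 4.2-era box (rdr/nat syntax predates the 4.7 rewrite). It is not the post's own configuration: the interface names pppoe0 and em0, the LAN 10.1.16.0/24 and the listening address are assumptions; 10.1.16.11 is the MSN PC from the post. The miniupnpd.conf allow/deny lines restrict which LAN hosts may open which ports, and secure_mode stops a client from redirecting ports to a different machine than itself, which is the cheap mitigation for the "any crappy program could modify my firewall" concern.

```conf
# --- /etc/pf.conf (translation rules first, then filter rules) ---
ext_if = "pppoe0"          # assumption: external interface
int_if = "em0"             # assumption: LAN interface
msn_host = "10.1.16.11"    # the MSN PC from the post

# Outbound NAT for the LAN.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Static forwards for MSN (the ones from the post, kept so they work without UPnP).
rdr on $ext_if proto { tcp udp } from any to ($ext_if) port 1863 -> $msn_host
rdr on $ext_if proto { tcp udp } from any to ($ext_if) port 6891:6901 -> $msn_host

# Redirects that MiniUPnPd adds at runtime land in this anchor.
rdr-anchor "miniupnpd"

block in on $ext_if
pass out on $ext_if keep state
pass in on $int_if

# Filter rules that MiniUPnPd adds at runtime land in this anchor; both names must be "miniupnpd".
anchor "miniupnpd"

# --- /etc/miniupnpd.conf ---
ext_ifname=pppoe0          # assumption: same external interface as above
listening_ip=10.1.16.1     # assumption: the router's LAN address
# Only allow clients to map to themselves, not to other LAN hosts.
secure_mode=yes
# Only unprivileged ports, only from the LAN; deny everything else.
allow 1024-65535 10.1.16.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
```

After editing, `pfctl -nf /etc/pf.conf` checks the syntax before `pfctl -f /etc/pf.conf` loads it; `pfctl -a miniupnpd -s nat` and `pfctl -a miniupnpd -s rules` show what MiniUPnPd has added so far.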

To test if it’s working I found http://www.microsoft.com/windows/using/tools/igd/default.mspx (GRML! requires Windows, Internet Explorer and admin privileges) to be pretty useful. The UPNP test passed successfully. Aaaaand… et voilà she could see me and I could see her.

BUT the price of this is decreased security. Any crappy program could now modify my firewall ruleset!!! I am not going to write about UPNP security (just because I am not very familiar with it), so if you’re curious read this post. But on the other hand, if you already have malware on your computer that wants to open ports in your firewall… you have other problems.
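Since the concern above is that anything on the LAN can now add redirects, the practical defender's check is to look at what actually ended up in the miniupnpd anchor. The following is an added example, not the post's or MiniUPnPd's own code: it parses the output of `pfctl -a miniupnpd -s nat` (the sample below is constructed in the pre-4.7 rdr output style and is not real captured output) and flags redirects that point at a host other than the one you expect, or at a privileged port. The host list and port threshold are the policy you decide on; 10.1.16.11 is the MSN PC from the post.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `pfctl -a miniupnpd -s nat` output (not real captured output).
# Two MSN webcam mappings to the expected PC, one mapping to a different LAN host,
# and one mapping to a service port on the expected PC.
SAMPLE_PFCTL_OUTPUT = """\
rdr pass on pppoe0 inet proto tcp from any to any port = 6891 -> 10.1.16.11 port 6891 label "MSN webcam"
rdr pass on pppoe0 inet proto udp from any to any port = 6901 -> 10.1.16.11 port 6901 label "MSN webcam"
rdr pass on pppoe0 inet proto tcp from any to any port = 3389 -> 10.1.16.23 port 3389 label "remote desktop"
rdr pass on pppoe0 inet proto tcp from any to any port = 445 -> 10.1.16.11 port 445 label "shares"
"""

RDR_RE = re.compile(
    r"^rdr\s+(?:pass\s+)?on\s+(?P<iface>\S+)\s+inet\s+proto\s+(?P<proto>tcp|udp)"
    r"\s+from\s+\S+\s+to\s+\S+\s+port\s*=\s*(?P<ext_port>\d+)"
    r"\s+->\s+(?P<int_host>\d+\.\d+\.\d+\.\d+)\s+port\s+(?P<int_port>\d+)"
)


@dataclass(frozen=True)
class Redirect:
    iface: str
    proto: str
    ext_port: int
    int_host: str
    int_port: int


def parse_rdr_rules(output):
    """Turn pfctl's rdr lines into Redirect records; lines that do not match are skipped."""
    rules = []
    for line in output.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            rules.append(Redirect(m["iface"], m["proto"], int(m["ext_port"]),
                                  m["int_host"], int(m["int_port"])))
    return rules


def audit_redirects(rules, allowed_hosts, min_int_port=1024):
    """Return (rule, reason) pairs for redirects outside the policy you expect UPnP to produce."""
    findings = []
    for r in rules:
        if r.int_host not in allowed_hosts:
            findings.append((r, "redirect to a host that should not be reachable via UPnP"))
        elif r.int_port < min_int_port:
            findings.append((r, "redirect to a privileged/service port"))
    return findings


def read_live_anchor(anchor="miniupnpd"):
    """Run pfctl for real (needs root on the OpenBSD box); not used by the offline sample."""
    return subprocess.run(["pfctl", "-a", anchor, "-s", "nat"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    rules = parse_rdr_rules(SAMPLE_PFCTL_OUTPUT)
    for rule, reason in audit_redirects(rules, allowed_hosts={"10.1.16.11"}):
        print(f"{rule.proto}/{rule.ext_port} -> {rule.int_host}:{rule.int_port}: {reason}")
```

Running it against the sample prints the 10.1.16.23 and port 445 mappings; on a live box swap SAMPLE_PFCTL_OUTPUT for `read_live_anchor()` and run it from cron so an unexpected mapping shows up in mail rather than months later.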

P.S. I know that’s the FreeBSD devil in the upper left, but I haven’t found anything better……..