Who enabled xlive port forwarding on my FIOS router?
RLutwk
Enthusiast - Level 2

I logged into my (secure?) FIOS router this morning and found that xlive port forwarding has been enabled to all of my (firewalled?) home computers.

How did this happen?  Did Verizon enable it?  Did my kid's game enable it?  If so, how could it enable it without knowing my admin password to the router?  If I forcefully disable it (uncheck), is it going to re-enable itself?

Re: Who enabled xlive port forwarding on my FIOS router?
viafax999
Community Leader

@user4321 wrote:

I logged into my (secure?) FIOS router this morning and found that xlive port forwarding has been enabled to all of my (firewalled?) home computers.

How did this happen?  Did Verizon enable it?  Did my kid's game enable it?  If so, how could it enable it without knowing my admin password to the router?  If I forcefully disable it (uncheck), is it going to re-enable itself?



What is "xlive"? Do you mean Xbox?

There is no way that I know of to port forward the same port to multiple destinations. If you attempt to do it you will get an error saying there is a port conflict.

A picture of your port forwarding setting might help.

Why bother unchecking them, if you can? Why not just delete them, again if you can?

Typically anything added by Verizon is marked as Verizon Fios Service and is to do with the STBs; there is no way to uncheck or delete those entries short of issuing a router reset to defaults.

Re: Who enabled xlive port forwarding on my FIOS router?
smith6612
Community Leader

I'm pretty sure the OP means Xbox Live. Do you by any chance own an Xbox 360? If so, it's possible the Xbox 360 created the Port Forwarding rules itself if you have UPnP enabled in the ActionTec. Otherwise, it's possible the kids may have created the Port Forwarding rules so that their games may work correctly. Verizon will not create port forwarding entries out of the blue for you.

If this is the case, what I do suggest doing is configuring the Xbox 360 to use a Static IP address on the network. You should do this either by configuring the Xbox manually, or by using DHCP Reservation to ensure the Xbox will obtain the same IP address every time on the network. From there, if you wish to disable UPnP so that Port Forwards are not automatically created as applications request them, you can do so from the ActionTec's "Advanced" menu. Lastly, the Xbox 360 should have the needed ports forwarded to it so that Xbox Live and games work with little issue if any.

Re: Who enabled xlive port forwarding on my FIOS router?
RLutwk
Enthusiast - Level 2

We don't own an Xbox, but the kids do play video games on their PC. I suspect that this is the problem, but my question is "how could an application on the PC create a port-forwarding rule on the router?" The router admin account is password protected and neither the kids nor the PC know this password.

Do applications have a backdoor to the router configuration? If I delete the rules, will the app recreate them?

Is there a setting somewhere in the router that allows apps to modify the port forwarding rules? I can't find one.

Re: Who enabled xlive port forwarding on my FIOS router?
lasagna
Community Leader

It's called UPnP (or Universal Plug and Play)

It's a protocol which allows devices behind a router to advertise the "services" they support and for which the router should configure a port forward pointed to them to service. There are a number of inherent security risks with UPnP, amongst them the ability for rogue devices inside a network to potentially map a backdoor entry (or redirect legitimate inbound traffic).

You can turn UPnP on/off by logging into the router, going to the Advanced tab, and then selecting Universal Plug and Play and disabling the ability to allow network users to control wireless broadband network features.

Re: Who enabled xlive port forwarding on my FIOS router?
viafax999
Community Leader

@lasagna wrote:

It's called UPnP (or Universal Plug and Play)

It's a protocol which allows devices behind a router to advertise the "services" they support and for which the router should configure a port forward pointed to them to service. There are a number of inherent security risks with UPnP, amongst them the ability for rogue devices inside a network to potentially map a backdoor entry (or redirect legitimate inbound traffic).

You can turn UPnP on/off by logging into the router, going to the Advanced tab, and then selecting Universal Plug and Play and disabling the ability to allow network users to control wireless broadband network features.


I agree that turning off upnp would be a good thing; that being said, I've never done it and have never had any issues.

However
Why would upnp set up port forwarding rules for XboxLive for the OP when the OP doesn't have such a device in his network?

and

How could it set up such port forwarding rules to every machine in his network without creating conflicting errors in the rules?

Doesn't this rather point out that the user may have a virus of some sort in his network that has opened some back door access into his network and that maybe he should be looking at his machines to find a listener on the ports defined in the port forwarding rules?

Re: Who enabled xlive port forwarding on my FIOS router?
lasagna
Community Leader

I believe the Xboxlive might well be a "guess" by the router based on the forward-to ports rather than any actual service name.

The forward to multiple systems could again be the same as above.   The bigger question is do the rules actually overlap or are they simply mapping different inbound ports (all identified as Xboxlive) to ports on the PC (I've seen MSN messenger, Skype, and various other programs do this).

While it could be a backdoor piece of malware, I think it's more likely got a less nefarious explanation.

I generally advise turning UPnP off on routers -- almost nothing requires it to actually be enabled -- most gaming networks even detect and change their connectivity philosophy transparently without impact.   It removes the scenario where a piece of malware is able to instruct your router to open up ports to allow in intruders while generally breaking nothing.

Re: Who enabled xlive port forwarding on my FIOS router?
RLutwk
Enthusiast - Level 2

Thank you all for your responses, they pointed me in the right direction and I think it's under control now.

Here's what I think is going on:

My kid is using some game that uses the Xbox live servers and uPnP is enabled. The router is automatically setting up the port-forwards for the game.  Because we use DHCP, every time he gets a new IP assigned, it sets up another Port Forwarding rule. It doesn't seem that the Port Forwards ever expire on the router so, before long, it gets set up on every IP address, including the ones that are being used by other PCs, including my professional laptop for which I definitely do NOT want any port-forwards.

So, my solution was to assign a fixed IP to the kids' PC and manually delete all of the existing port forwards. Just to be safe, I let him play for a day (so they got recreated) and then disabled uPnP. In the future, he may run into problems when he tries to install some new game that wants an automatic port-forward but, when that happens, I will knowingly re-enable uPnP, let it make the port forward, and then disable uPnP again. At least this way, I stay in control without having to check all the time to make sure nothing insidious is happening.
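
Added example, not part of any poster's reply and not Verizon or ActionTec code: a small audit of UPnP port mappings that flags the pattern described in the post above (one application's mapping repeated across several DHCP addresses and never expiring). It assumes the router's answers are shaped like UPnP IGD `GetGenericPortMappingEntry` responses; the sample responses, addresses, ports, the allow list and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def make_response(client, port, proto, desc, lease):
    """Build a constructed GetGenericPortMappingEntryResponse SOAP body."""
    fields = {"NewRemoteHost": "", "NewExternalPort": port, "NewProtocol": proto,
              "NewInternalPort": port, "NewInternalClient": client, "NewEnabled": 1,
              "NewPortMappingDescription": desc, "NewLeaseDuration": lease}
    args = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">' + args +
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

# Constructed sample (all values invented): one game seen from three DHCP leases.
SAMPLE = [
    make_response("192.168.1.3", 30001, "UDP", "xlive", 0),
    make_response("192.168.1.5", 30002, "UDP", "xlive", 0),
    make_response("192.168.1.9", 30003, "UDP", "xlive", 0),
    make_response("192.168.1.20", 5000, "TCP", "camera", 3600),
]

def parse_entry(xml_text):
    """Return the New* arguments of one response as a dict, ignoring namespaces."""
    entry = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]
        if name.startswith("New"):
            entry[name[3:]] = (el.text or "").strip()
    return entry

def audit(responses, allowed_clients):
    """Flag mappings that never expire, target unexpected hosts, or fan out."""
    entries = [parse_entry(r) for r in responses]
    hosts_by_desc = defaultdict(set)
    for e in entries:
        hosts_by_desc[e["PortMappingDescription"]].add(e["InternalClient"])
    findings = []
    for e in entries:
        reasons = []
        if e["LeaseDuration"] == "0":  # IGD v1: 0 means the mapping is permanent
            reasons.append("no-expiry")
        if e["InternalClient"] not in allowed_clients:
            reasons.append("unexpected-host")
        if len(hosts_by_desc[e["PortMappingDescription"]]) > 1:
            reasons.append("same-app-multiple-hosts")
        if reasons:
            findings.append((e["InternalClient"], int(e["ExternalPort"]), reasons))
    return findings
```

Calling `audit(SAMPLE, {"192.168.1.9", "192.168.1.20"})` treats the two reserved addresses as the only hosts expected to hold forwards and reports the three "xlive" mappings.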

Re: Who enabled xlive port forwarding on my FIOS router?
lasagna
Community Leader

I think you will find that most gaming services as well as other applications which can leverage a UPnP port forward are also capable of adapting their methodology for routers which don't support a UPnP setup using encapsulation protocols like Teredo or STUN working with a vendor hosted relay point ... so the likelihood is that turning it off will never have any real impact on the operation.     Some will say that UPnP direct will give better performance (potentially allowing direct communication between two endpoints instead of being proxied by an intermediary termination partner), but my experience is that this is generally not the case (YMMV) and the security benefits of not having UPnP on the network outweigh any performance implications.

Re: Who enabled xlive port forwarding on my FIOS router?
smith6612
Community Leader

The only performance benefits I have seen come out of anything UPnP are usually you hosting a game server from a game console. You obviously would not experience what we call in the gaming world "Lag," or delays/loss in data reception, but as for others on the other end, there's no real difference whether it's enabled or not if they are hosting.