What I wish routers did was make UPNP a pending request, something I could go and approve. Limit it to the device making it, let it switch it on and off, but fundamentally I want to control if I want that hole made or not. OpenWRT comes without UPNP in its base images for a reason: it's a major security hole. But I think there is a middle ground here where UPNP isn't just no or yes but rather authorised, which will reduce the problem and provide autoconfiguration but without automated firewall holes.
It isn’t a security hole (the info page on why it is turned off literally says it is because people mistakenly believe it is a security hole).
But if you don’t have it on, software just falls back to STUN, which achieves the same exact result as UPnP, just an order of magnitude slower and less reliably (though it doesn’t require any router configuration or cooperation).