Broadcast-Storm
Markus Dangl
sky at q1cc.net
Wed Mar 17 13:40:05 CET 2010
Guus Sliepen wrote:
> Tinc does not understand STP, but it ensures that the tinc network itself is
> loop free. So, you can see your VPN as a dumb switch, with each node being one
> port of that switch. I think that if you bridge the VPN interface to LAN
> interfaces, and the bridge itself supports STP, then everything should be fine.
Thanks, that's exactly what I need to know.
> There is an option in the latest version in the git repository that might help:
>
> Forwarding = kernel
>
> This will disable tinc's internal forwarding, and will send all received
> packets directly to the VPN interface. Most likely the kernel will try to send
> it back to the VPN interface, since the packets are not for the local node, but
> it would have to get past the firewall first.
>
> But, there is no guarantee other nodes will send all packets via your central
> node. So this is more of a debugging tool than a security feature.
That is a great aid for debugging.
> Also, it does not tell you which node the packets came from. A solution to that
> could be to add a VLAN or MPLS tag (with a unique ID for each node) to packets
> sent to the VPN interface. However, that is not implemented yet.
>
> As for filtering in tinc: I really do not want to duplicate pf or netfilter in
> tinc. It would also be primarily of use for forwarded packets, not for ingress
> or egress packets. The best way to keep the clients safe is to educate them how
> to set up their firewalls.
Thanks a lot for the tips!
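The setup discussed above (tinc as a dumb layer-2 switch, its tap interface bridged to a LAN interface, STP on the bridge to keep a LAN/VPN loop from becoming a broadcast storm, and Forwarding = kernel as a debugging toggle) as an added shell example. This is not code from the original post or from the tinc project; the node name "office", the interface names vpn0/eth0/br0, the target directory and the helper names are assumptions. It uses iproute2 rather than the brctl tool of the thread's era, and it only writes the files; nothing is applied to the running system.

```shell
#!/bin/sh
# Added example, not from the tinc project or the original post.
# Writes tinc.conf plus tinc-up/tinc-down for a node whose VPN tap
# interface is bridged to a LAN interface with STP enabled on the bridge.
# Assumed names: node "office", interfaces vpn0/eth0, bridge br0.

gen_tinc_bridge_conf() {
    dir=${1:-./tinc-example}   # assumed target directory
    node=${2:-office}          # assumed node name
    lan_if=${3:-eth0}          # assumed LAN interface to bridge with
    mkdir -p "$dir"

    # Mode = switch makes tinc forward Ethernet frames (layer 2), which is
    # what a kernel bridge needs.  Forwarding = kernel hands every received
    # frame to the tap device instead of forwarding it inside tinc; per the
    # thread it is a debugging aid, not a security control.
    cat > "$dir/tinc.conf" <<EOF
Name = $node
Mode = switch
DeviceType = tap
Interface = vpn0
# Debugging aid only: let the kernel bridge do the forwarding.
Forwarding = kernel
EOF

    # tinc-up: build the bridge with STP on, then enslave the tap and the
    # LAN interface.  STP blocks any physical loop between LAN and VPN.
    cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ip link add name br0 type bridge
ip link set br0 type bridge stp_state 1
ip link set vpn0 master br0
ip link set $lan_if master br0
ip link set vpn0 up
ip link set $lan_if up
ip link set br0 up
EOF

    # tinc-down: undo the bridge when tinc stops.
    cat > "$dir/tinc-down" <<EOF
#!/bin/sh
ip link set vpn0 nomaster
ip link set $lan_if nomaster
ip link set br0 down
ip link del br0
EOF
    chmod 755 "$dir/tinc-up" "$dir/tinc-down"
}

# Sanity check before deploying: switch mode in tinc.conf and STP turned
# on in tinc-up.  Returns 0 if both hold, 1 otherwise.
check_bridge_safe() {
    dir=$1
    grep -q '^Mode *= *switch' "$dir/tinc.conf" || return 1
    grep -q 'stp_state 1' "$dir/tinc-up" || return 1
    return 0
}
```

Run `gen_tinc_bridge_conf /etc/tinc/office office eth0` (assumed paths) and then `check_bridge_safe /etc/tinc/office` before starting tincd; if STP is later disabled on br0, the check fails and the loop protection the thread relies on is gone. Remove the Forwarding = kernel line once debugging is done, since as the thread notes it does not force other nodes to route through this one.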