Disallow binding via tinc
Azul
mail at azulinho.com
Fri Jan 27 09:41:44 CET 2017
Why not just firewall incoming traffic on the clients?
On 27 Jan 2017 8:37 am, "Niklas Hambüchen" <mail at nh2.me> wrote:
> I'm looking for a way to add some (Linux) participants into my tinc
> network, but I want to protect them from accidentally binding a port so
> that it's accessible via tinc.
>
> For example, `nc -l` by default listens to all interfaces.
>
> Similarly, some software (I think mongodb < 2.6 was among those) bind to
> all interfaces AND allow unauthenticated access that can do remote code
> execution, which is a security nightmare.
>
> While these are arguably cases of "the user should be careful what
> interface they let their programs listen to", I want to avoid the
> possibility of this all together, and want to configure tinc such that
> on selected participants, there's no interface that programs could bind
> to, so that only outgoing connections work.
>
> How can I achieve that?
>
> I imagine the easiest way would be to make it so that tinc creates no
> tun device. Is the `DeviceType = raw_socket` option what I'm looking for?
>
> Thanks!
> Niklas
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20170127/3ae8967b/attachment.html>
More information about the tinc
mailing list