Disallow binding via tinc

Niklas Hambüchen mail at nh2.me
Fri Jan 27 16:34:53 CET 2017


That would probably work, too; it's harder to configure though and
easier to get wrong.

If I could avoid having the tun0, that would trivially solve the problem.

On 27/01/17 09:41, Azul wrote:
> Why not just firewall incoming traffic on the clients?
> 
> 
> On 27 Jan 2017 8:37 am, "Niklas Hambüchen" <mail at nh2.me
> <mailto:mail at nh2.me>> wrote:
> 
>     I'm looking for a way to add some (Linux) participants into my tinc
>     network, but I want to protect them from accidentally binding a port so
>     that it's accessible via tinc.
> 
>     For example, `nc -l` by default listens to all interfaces.
> 
>     Similarly, some software (I think mongodb < 2.6 was among those) bind to
>     all interfaces AND allow unauthenticated access that can do remote code
>     execution, which is a security nightmare.
> 
>     While these are arguably cases of "the user should be careful what
>     interface they let their programs listen to", I want to avoid the
>     possibility of this all together, and want to configure tinc such that
>     on selected participants, there's no interface that programs could bind
>     to, so that only outgoing connections work.
> 
>     How can I achieve that?
> 
>     I imagine the easiest way would be to make it so that tinc creates no
>     tun device. Is the `DeviceType = raw_socket` option what I'm looking
>     for?
> 
>     Thanks!
>     Niklas
>     _______________________________________________
>     tinc mailing list
>     tinc at tinc-vpn.org <mailto:tinc at tinc-vpn.org>
>     https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>     <https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc>
> 
> 
> 
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
> 


More information about the tinc mailing list