Disallow binding via tinc
Niklas Hambüchen
mail at nh2.me
Fri Jan 27 16:34:53 CET 2017
That would probably work, too; it's harder to configure though and
easier to get wrong.
If I could avoid having the tun0, that would trivially solve the problem.
On 27/01/17 09:41, Azul wrote:
> Why not just firewall incoming traffic on the clients?
>
>
> On 27 Jan 2017 8:37 am, "Niklas Hambüchen" <mail at nh2.me
> <mailto:mail at nh2.me>> wrote:
>
> I'm looking for a way to add some (Linux) participants into my tinc
> network, but I want to protect them from accidentally binding a port so
> that it's accessible via tinc.
>
> For example, `nc -l` by default listens to all interfaces.
>
> Similarly, some software (I think mongodb < 2.6 was among those) bind to
> all interfaces AND allow unauthenticated access that can do remote code
> execution, which is a security nightmare.
>
> While these are arguably cases of "the user should be careful what
> interface they let their programs listen to", I want to avoid the
> possibility of this all together, and want to configure tinc such that
> on selected participants, there's no interface that programs could bind
> to, so that only outgoing connections work.
>
> How can I achieve that?
>
> I imagine the easiest way would be to make it so that tinc creates no
> tun device. Is the `DeviceType = raw_socket` option what I'm looking
> for?
>
> Thanks!
> Niklas
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org <mailto:tinc at tinc-vpn.org>
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
> <https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc>
>
>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
More information about the tinc
mailing list