Broadcast-Storm

Markus Dangl sky at q1cc.net
Tue Mar 16 20:36:04 CET 2010


Erik Logtenberg wrote:
> Personally, I don't think it is a wise plan to try and build packet
> filtering in tinc. Packet filtering is a complex task, which is quite
> different from the VPN-task that tinc is designed for. There already are
> great implementations for packet filtering available, so you'd be
> re-inventing the wheel in a specifically contra-intuitive place.
> 
> I think you'd be better off just using the firewall-software that is
> available on the different platforms that you use. The fact that this is
> not portable sucks, but I don't think you are suggesting the right solution.
> My two cents: if you would really want to solve the problem that you
> describe (the problem that you cannot use the same firewall software on
> different platforms), then solve that by picking the one you like most
> and porting that to the target platform(s).
> 
> -- Erik

Thank you for your opinion, Erik. I think a little bit differently about
it, though:
An implementation integrated with tinc would have some additional benefits:

1. You could filter any traffic that tinc handles, that includes traffic
forwarded for other hosts. (ATM I don't see that much use in it)

2. Like already mentioned, it would be a portable solution.

3. Added benefit for the administrator: You don't have to rely on your
VPN users to configure their "firewalls" correctly. You can supply them
with a ready-made config file - and when you have lots of users (tinc is
made for that) you really don't want to explain packet filtering to
every one of them ;)

4. Most important: Tinc's packet filter would have more information than
the operating system's filter. Tinc knows which client actually sent the
packet (thanks to using SSL) and doesn't need to rely on possibly wrong
(spoofed?) Ethernet or IP addresses.

If you don't really trust every single client in your Tinc-VPN (and you
usually shouldn't trust everyone when you are building a larger VPN that
you don't completely control) you can still rely on the public/private
key system. With integrated packet filtering you could easily build a
switched VPN where clients can only use their assigned Ethernet and/or
IP addresses. So you could use Tinc as an open source replacement for the
ever-so-popular Hamachi. This is kind of what I'm trying to do.

I really don't like re-inventing the wheel with packet filtering either,
but IMHO it's a whole different scenario with "peer to peer" VPN
software. A scenario that e.g. the Linux packet filter wasn't really
made for.

Looking forward to your opinion,
Markus
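The per-peer address check Markus argues for in point 4, as an added example written for this page and not code from tinc: a decapsulated frame is accepted only if its source Ethernet address, and for IPv4 and ARP its sender IP, match what the administrator assigned to the peer that the tunnel already authenticated. The POLICY table, its layout and the peer names are assumptions.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Constructed policy table (hypothetical layout, not tinc's configuration). The
# key is the peer name the key-based handshake already authenticated; the value
# is the (Ethernet address, IPv4 address) the administrator assigned to it.
POLICY = {
    "alice": (bytes.fromhex("02aa00000001"), bytes([10, 0, 0, 1])),
    "bob": (bytes.fromhex("02bb00000002"), bytes([10, 0, 0, 2])),
}


def check_frame(peer, frame):
    """Return (accepted, reason) for a decapsulated Ethernet frame from `peer`.

    `peer` comes from the tunnel's authentication, not from the frame, so a
    spoofed source MAC or IP cannot make the frame pass as another client's.
    """
    if peer not in POLICY:
        return False, "unknown peer"
    mac, ipv4 = POLICY[peer]
    if len(frame) < 14:
        return False, "runt frame"
    if frame[6:12] != mac:
        return False, "source MAC not assigned to peer"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV4:
        # version/IHL byte is frame[14]; IP source address (IP offset 12) is frame[26:30]
        if len(frame) < 34 or frame[14] >> 4 != 4 or (frame[14] & 0x0F) < 5:
            return False, "malformed IPv4 header"
        if frame[26:30] != ipv4:
            return False, "source IPv4 not assigned to peer"
        return True, "ok"
    if ethertype == ETHERTYPE_ARP:
        # ARP layout: htype(2) ptype(2) hlen(1) plen(1) op(2) sha(6) spa(4) tha(6) tpa(4)
        if len(frame) < 42 or frame[22:28] != mac or frame[28:32] != ipv4:
            return False, "ARP sender fields not assigned to peer"
        return True, "ok"
    return False, "ethertype not permitted"


def build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Constructed sample: Ethernet header plus a minimal 20-byte IPv4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, src_ip, dst_ip)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip
```

Because the decision is keyed on the authenticated peer rather than on anything inside the frame, a client that rewrites its own MAC or IP is rejected by the node that receives the frame, not merely logged.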


