LocalDiscovery detecting nodes through tunnel

Lance Fredrickson lancethepants at gmail.com
Thu Apr 4 23:36:33 CEST 2013


On Thu, Apr 04, 2013 at 09:09:29AM -0600, Lance Fredrickson wrote:
>> Looking at the docs, it appears LocalDiscovery should be off by
>> default. You could also try explicitly placing 'LocalDiscovery = no'
>> in your configs.
> I didn't try it, but something tells me this will not help a lot at
> makin local discovery work. Correct me if I am wrong.
Correct, but it would prevent your VPN from going down.

I've always solved this with ebtables like I said.

For example, to block DHCP

ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A OUTPUT --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A OUTPUT --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

Perhaps a bit redundant in some places, but it gets the job done, just 
substituting your port number for whatever protocol.

Not sure what iptables rules you're using now.  I haven't done this 
myself, but it looks like if your iptables has --pkt-type, you could try.

iptables -I INPUT --in-interface tap0 -m pkttype --pkt-type broadcast -p udp --dport ### -j DROP
iptables -I FORWARD --in-interface tap0 -m pkttype --pkt-type broadcast -p udp --dport ### -j DROP
iptables -I FORWARD --out-interface tap0 -m pkttype --pkt-type broadcast -p udp --dport ### -j DROP
iptables -I OUTPUT --out-interface tap0 -m pkttype --pkt-type broadcast -p udp --dport ### -j DROP

Of course matching your tap interface to what you're using, and adding 
the port number.
Again, perhaps redundant, but should cover all your bases I think. Maybe 
a hint at least, if at all useful.

Lance
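The two rule sets above, turned into a small reusable script. This is an added example for the archive, not code from the post or from the tinc project: the function names (block_udp_on_tap, block_udp_broadcast_iptables, emit_or_apply) are invented here, it assumes the legacy ebtables and iptables command-line tools, and by default it only prints the rules so you can review them before passing "apply" (which needs root) to actually install them.

```shell
#!/bin/sh
# Generate (or apply) the per-chain DROP rules from the post for any tap
# interface and UDP port range. Added example; not the tinc project's code.
# Assumed: legacy ebtables/iptables CLIs; root is only needed in "apply" mode.

# Print one rule per line, or run the command when the mode is "apply".
emit_or_apply() {
    m="$1"; shift
    if [ "$m" = apply ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# ebtables: drop UDP on port range $2 through interface $1 in every
# chain/direction the post covers (INPUT in, FORWARD out, FORWARD in,
# OUTPUT out), once matching the destination port and once the source
# port, which gives the same 8 rules as the post for "tap0 67:68".
block_udp_on_tap() {
    iface="$1"; ports="$2"; mode="${3:-print}"
    for spec in "INPUT --in-interface" "FORWARD --out-interface" \
                "FORWARD --in-interface" "OUTPUT --out-interface"; do
        set -- $spec   # split "CHAIN --flag" into $1 and $2
        chain="$1"; dirflag="$2"
        for portflag in --ip-destination-port --ip-source-port; do
            emit_or_apply "$mode" ebtables -A "$chain" "$dirflag" "$iface" \
                --protocol ipv4 --ip-protocol udp "$portflag" "$ports" -j DROP \
                || return 1
        done
    done
}

# iptables variant from the post: only link-layer broadcasts, matched with
# the pkttype module, to a single UDP destination port $2 on interface $1.
block_udp_broadcast_iptables() {
    iface="$1"; port="$2"; mode="${3:-print}"
    for spec in "INPUT --in-interface" "FORWARD --in-interface" \
                "FORWARD --out-interface" "OUTPUT --out-interface"; do
        set -- $spec
        emit_or_apply "$mode" iptables -I "$1" "$2" "$iface" \
            -m pkttype --pkt-type broadcast -p udp --dport "$port" -j DROP \
            || return 1
    done
}

# Usage: sh block_tap_udp.sh tap0 67:68 [apply]   (prints the rules by default)
if [ "$#" -ge 2 ]; then
    block_udp_on_tap "$@"
fi
```

Run it once without "apply" and diff the output against the rules in the post to convince yourself they match, then run it with "apply". For tinc's own LocalDiscovery broadcasts, substitute the UDP port your daemon listens on (655 is tinc's default) for the DHCP range.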


More information about the tinc mailing list