How to recognize tinc TCP connection with iptables

Guus Sliepen guus at tinc-vpn.org
Sun Sep 1 11:14:23 CEST 2013


On Sat, Aug 31, 2013 at 05:15:29PM -0700, Nikolaus Rath wrote:

> > You are mistaken. Luckily, otherwise sslh wouldn't work either :)
> 
> I don't feel very comfortable contradicting tinc's very author, but I
> think sslh only works because it uses a default protocol if it doesn't
> get any packet by the client for a specified number of seconds. If I
> don't set this default to tinc, it doesn't work.
> 
> Further evidence is that "nc -l -v -p 655" does not show any incoming
> data when I try to connect to it with tinc, and all my wireshark traffic
> dumps also show the server sending a message first.
> 
> I tested this with tinc 1.0.19 from Debian wheezy.

Hm, you are right! The code is written with the intent that it immediately
sends the ID message, regardless of whether it is the client or server side of
a connection. However, in 1.0.x, the select() call only checks for readability
of a socket that has just been created, not for writability. So if the other
side does not send anything, it doesn't notice the connection has already been
established. Tinc 1.1 does it right... but I'll backport the fix to 1.0.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
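The bug Guus describes above, shown as an added example that is not code from the thread or from tinc itself: a non-blocking connect() followed by a select() that watches only readability never notices that the connection came up if the peer is silent (as `nc -l` is), whereas a select() on writability reports connect() completion and lets the client send its ID line at once. The listener, the loopback addresses and the `ID_LINE` string are assumptions made for the demonstration; tinc's real ID framing is not reproduced.

```python
import errno
import select
import socket
import threading

# Illustrative first message. tinc's real ID framing is not reproduced
# here (assumption); the point is only that the client speaks first.
ID_LINE = b"0 client 17\n"


def start_silent_listener(recv_timeout: float = 1.0):
    """Listen on an ephemeral loopback port, accept one connection and
    record whatever arrives within recv_timeout seconds. Like `nc -l`
    in the thread, it never sends anything, so the peer must speak first."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    lsock.settimeout(recv_timeout + 1.0)
    received = []

    def serve():
        try:
            conn, _ = lsock.accept()
        except socket.timeout:
            return
        with conn:
            conn.settimeout(recv_timeout)
            try:
                received.append(conn.recv(1024))
            except socket.timeout:
                received.append(b"")

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    return lsock, worker, received


def connect_and_send_id(port: int, wait_for_writable: bool,
                        timeout: float = 0.5) -> bool:
    """Non-blocking connect, then decide when the connection is up.

    wait_for_writable=True: select() on writability (connect() completion),
    then send ID_LINE immediately, as the reply says 1.1 does.
    wait_for_writable=False: select() only on readability, the 1.0.x
    behaviour; against a silent peer the connection is never noticed.
    Returns True if ID_LINE was sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setblocking(False)
    err = sock.connect_ex(("127.0.0.1", port))
    if err not in (0, errno.EINPROGRESS, errno.EWOULDBLOCK):
        sock.close()
        raise OSError(err, errno.errorcode.get(err, "connect failed"))
    try:
        if wait_for_writable:
            _, writable, _ = select.select([], [sock], [], timeout)
            if not writable:
                return False
            # Writability also signals a failed connect; check SO_ERROR.
            if sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR):
                return False
        else:
            readable, _, _ = select.select([sock], [], [], timeout)
            if not readable:
                return False  # times out: the silent peer sent nothing
        sock.send(ID_LINE)
        return True
    finally:
        sock.close()


def run_scenario(wait_for_writable: bool) -> bytes:
    """Run one client against a fresh silent listener and return the bytes
    the listener received (b"" when the client never spoke)."""
    lsock, worker, received = start_silent_listener()
    try:
        connect_and_send_id(lsock.getsockname()[1], wait_for_writable)
        worker.join(timeout=3.0)
    finally:
        lsock.close()
    return received[0] if received else b""


if __name__ == "__main__":
    print("select on writability:", run_scenario(True))   # ID line arrives
    print("select on readability:", run_scenario(False))  # nothing arrives
```

Both scenarios run against a listener that, like the `nc -l -v -p 655` test in the quoted message, never sends a byte. Only the client that waits for writability gets its ID line across; the readability-only client times out with the connection already established, which is exactly why a protocol sniffer such as sslh sees no client data and falls back to its default protocol. The SO_ERROR check matters in practice because a refused or unreachable connect also wakes a writability select().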