Disallow binding via tinc

Niklas Hambüchen mail at nh2.me
Fri Jan 27 01:24:37 CET 2017


I'm looking for a way to add some (Linux) participants into my tinc
network, but I want to protect them from accidentally binding a port so
that it's accessible via tinc.

For example, `nc -l` by default listens to all interfaces.

Similarly, some software (I think mongodb < 2.6 was among those) binds to
all interfaces AND allows unauthenticated access that can do remote code
execution, which is a security nightmare.

While these are arguably cases of "the user should be careful what
interface they let their programs listen to", I want to avoid the
possibility of this altogether, and want to configure tinc such that
on selected participants, there's no interface that programs could bind
to, so that only outgoing connections work.

How can I achieve that?

I imagine the easiest way would be to make it so that tinc creates no
tun device. Is the `DeviceType = raw_socket` option what I'm looking for?

Thanks!
Niklas
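A quick audit for the exposure described above, added here as an example and not part of the original post or of tinc: it lists the listening TCP sockets bound to a wildcard address, which are the ones that become reachable over a tinc interface as soon as it exists. It parses `ss -H -lnt` style output; the sample input below is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find listening TCP sockets bound
# to a wildcard address (all interfaces). Those are the sockets that become
# reachable over a tinc interface the moment it exists, which is the
# accidental exposure the question is about. Input is `ss -H -lnt` style
# output; the sample below is constructed, not captured from a real host.

# wildcard_listeners: read ss-style lines on stdin and print the
# "address:port" of every socket whose local address is a wildcard
# (0.0.0.0, *, :: or [::]). Loopback binds such as 127.0.0.1 are not printed.
wildcard_listeners() {
    awk '{
        laddr = $4                         # "Local Address:Port" column
        n = split(laddr, parts, ":")
        port = parts[n]                    # text after the last colon
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]")
            print laddr
    }'
}

# audit_live: run the same check against the current host (needs iproute2 ss).
audit_live() {
    ss -H -lnt 2>/dev/null | wildcard_listeners
}

# Constructed sample: sshd and a web app on all interfaces (exposed over
# tinc), mongod and CUPS on loopback only (not exposed).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:27017 0.0.0.0:*
LISTEN 0 4096 *:8080 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 10 [::1]:631 [::]:*'

# check_sample: print the wildcard listeners found in the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | wildcard_listeners
}

check_sample
```

Running `audit_live` on a node before adding it to the tinc network shows which services would be exposed by the new interface without any firewalling.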

