Disallow binding via tinc

Azul mail at azulinho.com
Fri Jan 27 16:42:03 CET 2017


I do the opposite: I block traffic on my public interface except for p22
and 655, and explicitly trust and allow traffic on my tinc interface, as I
trust that VPN.

Think that by default enabling your firewall on most OS will block all
incoming connections on all interfaces.
Wouldn't that be enough for your usage case?

On 27 Jan 2017 3:34 pm, "Niklas Hambüchen" <mail at nh2.me> wrote:

> That would probably work, too; it's harder to configure though and
> easier to get wrong.
>
> If I could avoid having the tun0, that would trivially solve the problem.
>
> On 27/01/17 09:41, Azul wrote:
> > Why not just firewall incoming traffic on the clients?
> >
> >
> > On 27 Jan 2017 8:37 am, "Niklas Hambüchen" <mail at nh2.me> wrote:
> >
> >     I'm looking for a way to add some (Linux) participants into my tinc
> >     network, but I want to protect them from accidentally binding a port
> >     so that it's accessible via tinc.
> >
> >     For example, `nc -l` by default listens to all interfaces.
> >
> >     Similarly, some software (I think mongodb < 2.6 was among those) binds
> >     to all interfaces AND allows unauthenticated access that can do remote
> >     code execution, which is a security nightmare.
> >
> >     While these are arguably cases of "the user should be careful what
> >     interface they let their programs listen to", I want to avoid the
> >     possibility of this altogether, and want to configure tinc such
> >     that on selected participants, there's no interface that programs
> >     could bind to, so that only outgoing connections work.
> >
> >     How can I achieve that?
> >
> >     I imagine the easiest way would be to make it so that tinc creates no
> >     tun device. Is the `DeviceType = raw_socket` option what I'm looking
> >     for?
> >
> >     Thanks!
> >     Niklas
> >     _______________________________________________
> >     tinc mailing list
> >     tinc at tinc-vpn.org
> >     https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
> >
>
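The thread's worry is a program that binds to all interfaces (as `nc -l` does) and is thereby reachable over the tinc tunnel. As an added example that is not from either poster, here is a small audit a node operator could run against `ss -Hltn -p` output to list which listening sockets would actually be reachable via the tinc interface address; the tinc address, the allowlist of expected ports and the `ss` lines are all constructed for this illustration.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

TINC_ADDR = "10.10.0.5"          # assumed address of this node's tinc interface
ALLOWED_ON_TINC = {22, 655}      # listeners expected to be reachable (ssh, tincd)

# Constructed sample of `ss -Hltn -p` output; not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=901,fd=5))
LISTEN 0 128 0.0.0.0:27017 0.0.0.0:* users:(("mongod",pid=1234,fd=11))
LISTEN 0 128 [::]:31337 [::]:* users:(("nc",pid=2001,fd=3))
LISTEN 0 128 10.10.0.5:8080 0.0.0.0:* users:(("python3",pid=2100,fd=4))
LISTEN 0 128 203.0.113.7:655 0.0.0.0:* users:(("tincd",pid=700,fd=6))
"""

@dataclass(frozen=True)
class Listener:
    addr: str       # bound address without IPv6 brackets; "*" for a bare wildcard
    port: int
    process: str    # "name[pid]" or "?" when ss printed no process info

def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -Hltn -p` lines (state, queues, local, peer, process)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        proc_field = fields[5] if len(fields) > 5 else ""
        m = re.search(r'\(\("([^"]+)",pid=(\d+)', proc_field)
        proc = f"{m.group(1)}[{m.group(2)}]" if m else "?"
        listeners.append(Listener(addr.strip("[]"), int(port), proc))
    return listeners

def reachable_via(listener: Listener, iface_addr: str) -> bool:
    """True if the socket is bound to the interface's address or to a
    wildcard (0.0.0.0, :: or ss's bare '*'), so peers on that link can reach it."""
    if listener.addr == "*" or ip_address(listener.addr).is_unspecified:
        return True
    return listener.addr == iface_addr

def exposed_on_tinc(output: str, iface_addr: str = TINC_ADDR,
                    allowed: set[int] = ALLOWED_ON_TINC) -> list[Listener]:
    """Listeners reachable over the tinc interface that are not on the allowlist."""
    return [l for l in parse_ss(output)
            if reachable_via(l, iface_addr) and l.port not in allowed]

if __name__ == "__main__":
    for l in exposed_on_tinc(SAMPLE_SS):
        print(f"exposed via tinc: {l.process} on {l.addr}:{l.port}")
```

Run on a live host by piping `ss -Hltn -p` into `exposed_on_tinc`; the loopback-only postgres and the public-address-only tincd socket are correctly left out, while the wildcard mongod and nc binds and the explicit tinc-address bind are reported.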

