Tinc and firewall

[Julien dupont]

Hello,

Early this year I got help here to setup tinc tunnels between users and a
company LAN. Now I would like to try something different for a home usage
and I have a question regarding security.

The setup would look like as follows:

- My home LAN has a classical topology where my ISP router is doing NAT and
is blocking all incoming connection. I'm planning to enable port forwarding
on the router: port 655 (tinc) and 656 (ssh) to a Raspberry Pi running
Raspbian. It would have a static IP.
- The ssh daemon listening on port 656 on the Rapsberry Pi will be hardened
(only one user can login, strong password, protocol 2 only, fail2ban
installed, etc.).
- Tinc daemon will be listening on port 655.
- I would use a DDNS service to find the current public IP of my router.

The goal is to be able to establish a Tinc tunnel from a laptop outside the
LAN to the Raspberry Pi and access all computers behind my router from that
point on. Thanks to the previous help I know how to setup Tinc and the
routing rules to achieve that.

Now I'm wondering if and why I would need to implement any additional
precaution, like a firewall on the Raspberry Pi with that specific setup.
I'm assuming that:

- It is impossible to reach any other port than 655 and 656 from the
outside as only those two are forwarded.
- It is impossible to directly reach any other computer than the Raspberry
Pi so they don't need to be protected.
- It is impossible, or very hard, to defeat ssh and tinc daemons security.
- It is thus impossible to access the Raspberry Pi otherwise than through a
tinc tunnel or a SSH connection so no firewall is needed.

Am I right there?

Thanks,
Julien
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20190423/38a6b2c8/attachment.html>