Why not just firewall incoming traffic on the clients?
On 27 Jan 2017 8:37 am, "Niklas Hambüchen" <[email protected]> wrote: > I'm looking for a way to add some (Linux) participants into my tinc > network, but I want to protect them from accidentally binding a port so > that it's accessible via tinc. > > For example, `nc -l` by default listens to all interfaces. > > Similarly, some software (I think mongodb < 2.6 was among those) bind to > all interfaces AND allow unauthenticated access that can do remote code > execution, which is a security nightmare. > > While these are arguably cases of "the user should be careful what > interface they let their programs listen to", I want to avoid the > possibility of this all together, and want to configure tinc such that > on selected participants, there's no interface that programs could bind > to, so that only outgoing connections work. > > How can I achieve that? > > I imagine the easiest way would be to make it so that tinc creates no > tun device. Is the `DeviceType = raw_socket` option what I'm looking for? > > Thanks! > Niklas > _______________________________________________ > tinc mailing list > [email protected] > https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc >
_______________________________________________ tinc mailing list [email protected] https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
