That would probably work, too; it's harder to configure though and easier to get wrong.

If I could avoid having the tun0, that would trivially solve the problem.

On 27/01/17 09:41, Azul wrote:
> Why not just firewall incoming traffic on the clients?
>
> On 27 Jan 2017 8:37 am, "Niklas Hambüchen" <[email protected]> wrote:
>
> > I'm looking for a way to add some (Linux) participants into my tinc
> > network, but I want to protect them from accidentally binding a port so
> > that it's accessible via tinc.
> >
> > For example, `nc -l` by default listens on all interfaces.
> >
> > Similarly, some software (I think mongodb < 2.6 was among those) binds to
> > all interfaces AND allows unauthenticated access that can do remote code
> > execution, which is a security nightmare.
> >
> > While these are arguably cases of "the user should be careful what
> > interface they let their programs listen on", I want to avoid the
> > possibility of this altogether, and want to configure tinc such that
> > on selected participants, there's no interface that programs could bind
> > to, so that only outgoing connections work.
> >
> > How can I achieve that?
> >
> > I imagine the easiest way would be to make it so that tinc creates no
> > tun device. Is the `DeviceType = raw_socket` option what I'm looking
> > for?
> >
> > Thanks!
> > Niklas
> > _______________________________________________
> > tinc mailing list
> > [email protected]
> > https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
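The firewall approach Azul suggests, as an added example that is not from the thread: a small POSIX shell script that emits an nftables ruleset dropping every new inbound flow on the tinc interface (assumed to be `tun0`; the table name `tinc_guard` is mine) while leaving outgoing connections and their replies intact. tincd's own UDP/TCP traffic arrives on the physical interface, not on the tun device, so the VPN itself is unaffected.

```shell
#!/bin/sh
# Added example (not from the tinc list): generate an nftables ruleset that
# makes a tinc node "outgoing only" on its VPN interface, so a daemon that
# binds 0.0.0.0 is still not reachable from the other tinc participants.
set -eu

# Emit the ruleset for the given tinc interface name (default: tun0).
tinc_inbound_rules() {
    ifname="${1:-tun0}"
    cat <<EOF
table inet tinc_guard {
    chain input {
        type filter hook input priority 0; policy accept;

        # The easy thing to get wrong: replies to connections this host
        # opened over the VPN must be let in, or outgoing connections over
        # ${ifname} silently break. Match them by conntrack state first.
        iifname "${ifname}" ct state established,related accept

        # Everything else arriving on ${ifname} (new TCP SYNs, fresh UDP
        # flows, ICMP echo requests) is dropped. Other interfaces and lo are
        # untouched because the chain policy stays accept.
        iifname "${ifname}" drop
    }
}
EOF
}

# Sanity check helper: how many rules in the emitted set match the interface.
count_iface_rules() {
    tinc_inbound_rules "$1" | grep -c "iifname \"$1\""
}

# Print the ruleset; pass --apply [ifname] to load it with nft (needs root).
if [ "${1:-}" = "--apply" ]; then
    tinc_inbound_rules "${2:-tun0}" | nft -f -
else
    tinc_inbound_rules "${1:-tun0}"
fi
```

Loading the ruleset with `nft -f` replaces the `tinc_guard` table atomically, so re-running the script after a change does not leave stale rules behind.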
