Hi Vasili,

On Thu, Dec 5, 2019 at 10:28 PM Vasili Pupkin <[email protected]> wrote:
> I've just figured out that the same effect can also be achieved with
> iptables:
> iptables -t filter -I INPUT -m addrtype --limit-iface-in ! --dst-type LOCAL -j DROP
Neat trick, but it still requires this to run on all incoming packets from all interfaces, right? In other words, it enables a strong host model for the whole system instead of just with regards to addresses "owned" by the WireGuard interface. Adding support for the latter would get us back to the original rule we're using right now, right?

> But for the sake of wg-quick
> the filter can be enabled for wireguard interface only to be sure it
> wouldn't break anything else

How do you propose this works? That'd require adding -d, right? In that case we're back to more or less the original rule. If you do it with -i, then it fails to filter the bad packets that we want to be filtering.

Jason

_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
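The point of the exchange above is easier to see with a small model of what each rule shape actually matches. The following Python script is an added illustration, not code from the thread, from wg-quick, or from the WireGuard project. It models three INPUT-chain rules as packet predicates: Vasili's system-wide `-m addrtype --limit-iface-in ! --dst-type LOCAL` rule, the same match narrowed with `-i wg0`, and a per-address `! -i wg0 -d <wg0 address>` form, which is how I read the "original rule" Jason refers to (an assumption, since the thread does not quote it). The interface names and addresses are constructed, and `--limit-iface-in` is modelled as "the destination is an address configured on the incoming interface", which is the semantics I understand the match to have. The model deliberately ignores `--src-type` and other matches the real wg-quick rule may carry.

```python
# Added illustration (not part of the thread): a model of how three
# INPUT-chain rule shapes treat a packet, based on iptables semantics as
# I understand them. Interface names and addresses are constructed.
from dataclasses import dataclass

WG_IFACE = "wg0"

# Constructed host: which addresses are configured on which interface.
HOST_ADDRS = {
    "lo":   {"127.0.0.1"},
    "eth0": {"192.0.2.10"},
    "wg0":  {"10.0.0.2"},
}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    dst: str


def is_local_on(iface: str, addr: str) -> bool:
    """True if addr is assigned to iface: the test that
    '-m addrtype --limit-iface-in --dst-type LOCAL' performs (modelled)."""
    return addr in HOST_ADDRS.get(iface, set())


def rule_system_wide(pkt: Packet) -> str:
    """'-m addrtype --limit-iface-in ! --dst-type LOCAL -j DROP' with no
    interface restriction: every incoming packet on every interface is
    checked, i.e. a strong host model for the whole system."""
    return "DROP" if not is_local_on(pkt.in_iface, pkt.dst) else "ACCEPT"


def rule_with_i(pkt: Packet) -> str:
    """The same match narrowed with '-i wg0'. Only packets arriving ON wg0
    are inspected, so a packet for wg0's address that arrives on eth0
    (the one we want to drop) is never seen by the rule."""
    if pkt.in_iface != WG_IFACE:
        return "ACCEPT"
    return "DROP" if not is_local_on(WG_IFACE, pkt.dst) else "ACCEPT"


def rule_with_d(pkt: Packet) -> str:
    """Per-address form (assumed reading of the 'original rule'):
    '! -i wg0 -d <addr> -j DROP' for each address on wg0. Only the
    WireGuard interface's addresses get the strong host treatment; traffic
    to other interfaces' addresses is left alone."""
    if pkt.in_iface != WG_IFACE and pkt.dst in HOST_ADDRS[WG_IFACE]:
        return "DROP"
    return "ACCEPT"


RULES = {
    "system-wide": rule_system_wide,
    "-i wg0": rule_with_i,
    "-d <wg addr>": rule_with_d,
}


def evaluate(pkt: Packet) -> dict:
    """Verdict of each modelled rule for one packet."""
    return {name: rule(pkt) for name, rule in RULES.items()}


# Constructed traffic, including the "bad packet": a datagram addressed to
# the tunnel address but arriving from the outside on eth0.
SAMPLE = [
    Packet("eth0", "10.0.0.2"),    # bad: wg0's address reached via eth0
    Packet("eth0", "192.0.2.10"),  # ordinary traffic to eth0's own address
    Packet("wg0",  "10.0.0.2"),    # ordinary tunnel traffic
    Packet("wg0",  "192.0.2.10"),  # eth0's address reached via the tunnel
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.in_iface:5} -> {p.dst:12} {evaluate(p)}")
```

Running it shows the two observations from the reply side by side: the `-i wg0` variant accepts the first sample packet, the one the rule exists to drop, while the system-wide variant also drops the last packet, which concerns an address that has nothing to do with the WireGuard interface; only the `-d` form drops exactly the first packet and nothing else.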
