Firewall-like filtering of connecting nodes #15
Comments
You can limit the port exposure using yggstack plus
Hmm, I've now tested this: Node 1 runs yggstack and exposes 127.0.0.1:12345 (which is just a simple http server serving a directory) on port 12345 and has one public key set in Node 2 runs yggstack and exposes a local socks server. Both nodes have one of the public yggdrasil peers set. A curl on node 2 through the socks proxy is now able to reach the http server and get the directory listing. This suggests to me that
Port exposure is controlled by CLI options - with yggdrasil, everything listening on [::] is available from ygg side.
Yes, but I don't see a way with yggstack to restrict who can access the exposed port by their public key or IP address; neither in the config file nor in the CLI options. With yggdrasil this could be done using the host's firewall. Maybe I am a bit dense, but given the above test scenario how could I restrict the exposed http server such that only node 2 can access it, but not another node 3 that also participates in the yggdrasil network?
With yggdrasil a firewall can be used to limit incoming connections to specific nodes. Is there any way to do something comparable with yggstack?
The only possibly related configuration option I could find is AllowedPublicKeys, but yggdrasil's genconf output contains this warning for the option:
(yggstack on the other hand does not include that warning, so maybe it does act like a firewall for yggstack? If yes, it would be nice to make that explicit.)
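The host-firewall restriction the issue describes for plain yggdrasil, as an added example that is not part of the original thread and does not show a yggstack feature: an nftables ruleset that lets only node 2 reach the service on port 12345 and drops node 3 or any other node. The interface name `ygg0` and the address in `allowed_nodes` are assumptions; replace them with the host's Yggdrasil interface and node 2's actual Yggdrasil address.

```nft
# Added example (constructed). Assumptions: the Yggdrasil TUN interface is
# named "ygg0", and 200::2 stands in for node 2's Yggdrasil address.
table inet ygg_filter {
    # Nodes allowed to open connections to the exposed service.
    set allowed_nodes {
        type ipv6_addr
        elements = { 200::2 }    # placeholder for node 2
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Only traffic arriving over the Yggdrasil interface is filtered here.
        iifname != "ygg0" return

        # Replies to connections this host opened itself.
        ct state established,related accept

        # ICMPv6 (echo, path MTU discovery) from the overlay.
        meta l4proto ipv6-icmp accept

        # The HTTP server from the test scenario: node 2 only.
        ip6 saddr @allowed_nodes tcp dport 12345 accept

        # Node 3 and every other node: count and drop.
        counter drop
    }
}
```

Load it with `nft -f <file>` and check the drop counter with `nft list table inet ygg_filter` after a connection attempt from a node that is not in the set.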