WireGuard Archive on lore.kernel.org
 help / color / Atom feed
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Vasili Pupkin <diggest@gmail.com>
Cc: "William J. Tolley" <william@breakpointingbad.com>,
	WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Regarding "Inferring and hijacking VPN-tunneled TCP connections"
Date: Fri, 6 Dec 2019 16:18:49 +0100
Message-ID: <CAHmME9pTt2MPH3gxks8S=3hVKS6P2XFkJd5eT7uivsoK7QPMJg@mail.gmail.com> (raw)
In-Reply-To: <fdc450ad-f382-87d7-4c63-c31d595295df@gmail.com>

Hi Vasili,

On Thu, Dec 5, 2019 at 10:28 PM Vasili Pupkin <diggest@gmail.com> wrote:
> I've just figured out that the same effect can also be achieved with
> iptables:
> iptables -t filter -I INPUT -m addrtype --limit-iface-in ! --dst-type
> LOCAL -j DROP

Neat trick, but it still requires this to run on all incoming packets
from all interfaces, right? In other words, it enables a strong host
model for the whole system instead of just with regards to addresses
"owned" by the WireGuard interface. Adding support for the latter
would get us back to the original rule we're using right now, right?

>  But for the sake of wg-quick
> the filter can be enables for wireguard interface only to be sure it
> wouldn't break anything else

How do you propose this works? That'd require adding -d, right? In
that case we're back to more or less the original rule. If you do it
with -i, then it fails to filter the bad packets that we want to be
filtering.

Jason
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

  reply index

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-05 19:13 Jason A. Donenfeld
2019-12-05 19:50 ` Vasili Pupkin
2019-12-05 20:24   ` Jason A. Donenfeld
2019-12-05 21:28     ` Vasili Pupkin
2019-12-06 15:18       ` Jason A. Donenfeld [this message]
2019-12-06 17:21         ` Vasili Pupkin
2019-12-07 20:51         ` Lonnie Abelbeck
2019-12-06 12:58     ` William J. Tolley
2019-12-06 15:06     ` Jordan Glover
2019-12-06 15:08       ` Jason A. Donenfeld
2019-12-06 16:03         ` Vasili Pupkin
2019-12-06 16:12           ` Jordan Glover
2019-12-06 17:06             ` Vasili Pupkin
2019-12-05 20:10 ` zrm

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAHmME9pTt2MPH3gxks8S=3hVKS6P2XFkJd5eT7uivsoK7QPMJg@mail.gmail.com' \
    --to=jason@zx2c4.com \
    --cc=diggest@gmail.com \
    --cc=william@breakpointingbad.com \
    --cc=wireguard@lists.zx2c4.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

WireGuard Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/wireguard/0 wireguard/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 wireguard wireguard/ https://lore.kernel.org/wireguard \
		wireguard@lists.zx2c4.com
	public-inbox-index wireguard

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/com.zx2c4.lists.wireguard


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git