yggdrasil-network / yggdrasil-go

An experiment in scalable routing as an encrypted IPv6 overlay network
https://yggdrasil-network.github.io

Security Question: Are all ports open to yggdrasil on a windows machine? #869

Closed Merith-TK closed 1 year ago

Merith-TK commented 2 years ago

I am running Windows 11 and I have noticed that yggdrasil does not show up in any of Windows's firewall settings outside as a network interface.

I have also found that others are just straight up able to directly connect to open ports on my machine. I had a few friends test port :80, :443, and several random Minecraft "open to LAN" ports, and all were able to connect without issue.

It appears that every single port, regardless of what it is, on a Windows machine is open, which is concerning due to Windows security issues that have been around for a while.

This is a serious concern I have as it feels like I have my computer connected directly in place of a router to the clearnet, which anyone can just scan and find open ports on and exploit them, as I have gotten no firewall pop-up for Windows, which is concerning as even for Docker, I had to allow a firewall pop-up.

neilalexander commented 2 years ago

I am not a Windows expert by any means but I was always under the understanding that Windows Firewall will treat all interfaces as Public until otherwise configured.

I guess if Windows is mis-classifying the interface as something more trustworthy (which may be the fault of the Wintun driver), or if it is allowing connections on a Public interface (probably a user configuration thing somewhere), then it makes sense that incoming connections would not be filtered.

Merith-TK commented 2 years ago

Well, it is not showing up as any form of connection to configure. All I can find is in the "Network Connections" control panel, and even then there is little to no configuration options for it. And Windows, as of Windows 8.1, no longer asks if the network you connect to is a home or public network,

and the places it does show up, it reports that it is disconnected when I am able to use it just fine.

ghost commented 2 years ago

Yes, all your ports will be opened (if you have the firewall disabled); all ports like 3389, 139 will be available by your IPv6 address.

Revertron commented 2 years ago

To disable incoming connections by default you need to flag the Yggdrasil network interface as Public. You can do this by running this command in an admin PowerShell:

```powershell
Set-NetConnectionProfile -Name "Yggdrasil" -NetworkCategory Public
```
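A way to verify the outcome of the step above, as an added example that is not part of the thread or the project's own code: it reports how Windows classifies the interface, whether the Public firewall profile actually blocks inbound traffic, and which listening TCP sockets are reachable over the overlay address. It assumes the adapter's interface alias is "Yggdrasil" and an elevated PowerShell session.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Assumption: the Yggdrasil adapter's interface alias is "Yggdrasil".
$alias = 'Yggdrasil'

# 1. Which network category (and therefore firewall profile) applies to the interface?
$conn = Get-NetConnectionProfile -InterfaceAlias $alias -ErrorAction SilentlyContinue
if (-not $conn) {
    # Edge case: Windows lists no connection profile for the adapter at all.
    Write-Warning "No connection profile found for '$alias'; it cannot be reclassified here."
} else {
    "Interface '$alias' is classified as: $($conn.NetworkCategory)"
    if ($conn.NetworkCategory -ne 'Public') {
        Set-NetConnectionProfile -InterfaceAlias $alias -NetworkCategory Public
        "Reclassified '$alias' as Public."
    }
}

# 2. Is the Public profile enabled, and what does it do with unsolicited inbound traffic?
#    ActiveStore returns the effective settings after Group Policy is merged in.
$fw = Get-NetFirewallProfile -Name Public -PolicyStore ActiveStore
"Public firewall profile: Enabled=$($fw.Enabled), DefaultInboundAction=$($fw.DefaultInboundAction)"
if ($fw.Enabled -ne 'True' -or $fw.DefaultInboundAction -eq 'Allow') {
    Write-Warning 'The Public profile does not block inbound connections by default.'
}

# 3. Which listening TCP sockets are bound to the wildcard IPv6 address or to an
#    address on the Yggdrasil interface, i.e. reachable if the firewall lets traffic in?
$ygg = (Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv6 `
            -ErrorAction SilentlyContinue).IPAddress
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -eq '::' -or $_.LocalAddress -in $ygg } |
    Sort-Object LocalPort -Unique |
    Select-Object LocalAddress, LocalPort, OwningProcess
```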

ghost commented 2 years ago

Does the same command exist for Linux?

Merith-TK commented 2 years ago

Linux would have you use iptables. Also, Linux doesn't open a bunch of unnecessary ports like Windows, so unless you have an SSH server running on your computer, you're pretty much good. If you do, look into iptables.

Revertron commented 2 years ago

> Linux would have you use iptables. Also, Linux doesn't open a bunch of unnecessary ports like Windows, so unless you have an SSH server running on your computer, you're pretty much good. If you do, look into iptables.

I think it would be better just to bind the SSH server to any specific IPv4 address.