zerotier / ZeroTierOne

A Smart Ethernet Switch for Earth
https://zerotier.com
Other
14.55k stars 1.7k forks source link

settings/primaryPort not fully respected #915

Open darkain opened 5 years ago

darkain commented 5 years ago

Describe the bug Relates to the issues with: https://github.com/zerotier/ZeroTierOne/issues/779

If a connection cannot be established on the primary port (usually 9993), then ZeroTier will pick an arbitrary port to try and use instead. This defeats the entire purpose of having a primary port configuration. I have specific firewall rules in place for 9993 for a combination of security and to deal with issue #779. However, at some point ZT added support to "try other ports" that are outside of the configuration, which means the firewall rules in place for #779 no longer work, which means route flapping returned, broken connections, and excessively high CPU usage again. I also tried disabling port mapping to see if that was the issue, but this didn't resolve the issue either. There needs to be a way to force ZT to use one port and one port ONLY.

cferrey commented 5 years ago

Just curious: does anyone know if this was addressed through a recent update? I was getting this flapping behavior pretty regularly in a bridged-LANs-over-WAN setup, but it stopped about 2-3 weeks ago and everything's been stable since then. I didn't change anything, so am wondering if this got patched.

laduke commented 5 years ago

source

Seems like a small change... but how to specify it?

Should just using -p on the commmand line turn off secondary port and upnp port? That's probably not what you want most of the time. Most users are behind NAT.

'secondaryPortEnabled': true|false to go along with portMappingEnabled?

or how about

'maxBindPorts': 1-32 (default 3) heh

KBrownConsulting commented 5 years ago

I think I'd vote for something along the lines of option 2... Clear individual options for controlling whether UPnP & the secondary port are enabled or disabled.

darkain commented 5 years ago

For firewall security reasons, I need the ability to fully control all incoming/opened ports on my server/router. This is ESPECIALLY true when talking about security audit compliance, such as PCI-DSS. Every open port must be justified to an external audit company, and with ZT arbitrarily opening additional ports if there are ANY issues at all with the defualt 9993 just causes havoc for these security audits (as well as the route flapping issue causing 100% CPU usage and dropped packets)

joseph-henry commented 5 years ago

@darkain Thanks, we've added the ability to turn off any non-primary port assignments via:

'secondaryPortEnabled': true|false

Teteros commented 5 years ago

This landed in 1.4.0 stable, but the config setting is actually allowSecondaryPort (true/false, where false disables the extra port bindings.) secondaryPortEnabled doesn't even exist in the code.

I assume this basically also sets portMappingEnabled to false as well?