yggdrasil-go

Security Question: Are all ports open to Yggdrasil on a Windows machine?

Open Merith-TK opened this issue 2 years ago • 7 comments

I am running Windows 11 and I have noticed that Yggdrasil does not show up in any of Windows's firewall settings other than as a network interface.

I have also found that others are just straight up able to directly connect to open ports on my machine. I had a few friends test port :80, :443, and several random Minecraft "open to LAN" ports, and all were able to connect without issue.

It appears that every single port, regardless of what it is, on a Windows machine is open, which is concerning due to Windows security issues that have been around for a while.

This is a serious concern I have, as it feels like I have my computer connected directly in place of a router to the clearnet, which anyone can just scan and find open ports on and exploit them, as I have gotten no firewall pop-up from Windows, which is concerning as even for Docker, I had to allow a firewall pop-up.

Merith-TK, Nov 30 '21 18:11

I am not a Windows expert by any means but I was always under the understanding that Windows Firewall will treat all interfaces as Public until otherwise configured.

I guess if Windows is mis-classifying the interface as something more trustworthy (which may be the fault of the Wintun driver), or if it is allowing connections on a Public interface (probably a user configuration thing somewhere), then it makes sense that incoming connections would not be filtered.

neilalexander, Nov 30 '21 19:11

Well, it is not showing up as any form of connection to configure. All I can find is in the "Network Connections" control panel, and even then there are little to no configuration options for it. And Windows, as of Windows 8.1, no longer asks if the network you connect to is a home or public network, and in the places it does show up, it reports that it is disconnected when I am able to use it just fine.

Merith-TK, Nov 30 '21 19:11

Yes, all your ports will be opened (if you have the firewall disabled). All ports, like 3389 and 139, will be available via your IPv6 address.

ghost, Dec 06 '21 10:12

To disable incoming connections by default you need to flag the Yggdrasil network interface as Public. You can do this by running this command in an admin PowerShell:

    Set-NetConnectionProfile -Name "Yggdrasil" -NetworkCategory Public

Revertron, Dec 28 '21 14:12
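One way to check what the command above actually changes, as an added example that is not part of the thread or of the Yggdrasil project: the script reports which category Windows assigned to the interface, whether the firewall profile for that category is enabled and blocks inbound traffic by default, and which listening TCP sockets are bound to the wildcard or to the interface's own IPv6 address. The profile name `Yggdrasil` is taken from the command above and is assumed to match the local machine; the `-Fix` switch is a name made up for this example. Save it as a script and run it from an elevated PowerShell.

```powershell
param(
    [string]$Name = 'Yggdrasil',   # assumed profile name, from the command above
    [switch]$Fix                   # hypothetical switch: set the category to Public
)

$net = Get-NetConnectionProfile -Name $Name -ErrorAction SilentlyContinue
if (-not $net) {
    # The interface may not be listed as a network at all; show what is listed.
    Write-Warning "No connection profile named '$Name'. Known profiles:"
    Get-NetConnectionProfile | Format-Table Name, InterfaceAlias, NetworkCategory
    return
}

if ($Fix -and $net.NetworkCategory -ne 'Public') {
    Set-NetConnectionProfile -Name $Name -NetworkCategory Public
    $net = Get-NetConnectionProfile -Name $Name
}
"Interface '$($net.InterfaceAlias)' is categorised as $($net.NetworkCategory)"

# Connection categories are Public/Private/DomainAuthenticated,
# firewall profiles are Public/Private/Domain.
$fwName = if ($net.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' }
          else { "$($net.NetworkCategory)" }

# ActiveStore returns the effective settings (local policy merged with GPO).
$fw = Get-NetFirewallProfile -PolicyStore ActiveStore -Name $fwName
"Firewall profile $fwName : Enabled=$($fw.Enabled) DefaultInbound=$($fw.DefaultInboundAction)"
if ($fw.Enabled -ne 'True' -or $fw.DefaultInboundAction -eq 'Allow') {
    Write-Warning "Inbound connections on this interface are not blocked by default."
}

# Sockets that can be reached over the interface unless the firewall drops them:
# those bound to the IPv6 wildcard or to an address on the interface itself.
$addrs = @('::') + @((Get-NetIPAddress -InterfaceAlias $net.InterfaceAlias `
            -AddressFamily IPv6 -ErrorAction SilentlyContinue).IPAddress)

Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in $addrs } |
    Sort-Object LocalPort -Unique |
    Select-Object LocalAddress, LocalPort, @{
        n = 'Process'
        e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name }
    }

# Enabled inbound allow rules that apply to this profile still let traffic in.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { "$($_.Profile)" -match "Any|$fwName" } |
    Select-Object DisplayName, Profile
```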

Does the same command exist for Linux?

ghost, Dec 29 '21 14:12

Linux would have you use iptables. Also, Linux doesn't open a bunch of unnecessary ports like Windows, so unless you have an SSH server running on your computer, you're pretty much good. If you do, look into iptables.

Merith-TK, Dec 29 '21 18:12

> Linux would have you use iptables. Also, Linux doesn't open a bunch of unnecessary ports like Windows, so unless you have an SSH server running on your computer, you're pretty much good. If you do, look into iptables.

I think it would be better just to bind the SSH server to any specific IPv4 address.

Revertron, Dec 29 '21 23:12