Listen on localhost instead of all available IPs #14
base: master
Conversation
Hello jlusiardi, thank you for your work. The only big problem I see are Raspberry Pi (and similar) users that have Bricks/Bricklets connected to a RPi and control them from a PC. This is very common and I would like for this to work out of the box. As far as I know it is not easily possible to allow connections from the local network but not from the internet, right?

Hello @borg42, no problem at all. I see your point regarding the Raspberry Pi users. Would it then be possible to add hints to the pages regarding the installation of the brick daemon? Regards

I talked to @photron and he had the idea that we could add a third "local net" option (next to 0.0.0.0 and 127.0.0.1) in the config. With this option the listen address would be 0.0.0.0, but if a connection is opened from an IP that is not in the local subnet the connection would immediately be closed again. This third option could then be the default. We would have to discover the currently used local IP (or multiple IPs in case there is for example an Ethernet and WIFI connection) for this. But that doesn't actually sound unreasonable, I think?

I have to admit, I am not sure where most of your devices are used and most brick daemons are installed. When I opened the pull request I was also thinking about classrooms, labs and other occasions where there might be brick daemons in place. All of those might use the same local subnet. In case of IPv6 there isn't really a concept of local networks, I guess.

I understand your concern and I agree that there are probably very few people that change any of the default configurations. To add some rationale to my objections: We are currently working on generic Linux support for Bricklets and on Raspberry Pi HATs that directly support (the new co-processor 2.0 type of) Bricklets. With this new software and the new products a RPi (or other Linux boards) can be used as a replacement for a Master Brick + Ethernet/WIFI Extension. For that the Bricklets connected to the RPi need to be at least reachable by a PC in the same network.

Ok, so as I proposed in my 2nd comment, perhaps just add some hints in the documentation? Would be fine for me.

I would feel more comfortable with using Tinkerforge if it used a secure-by-default approach. In this case it means it would listen only on the loopback interface by default (seems like ::1 with dual-stack enabled would be my preference). The installation/usage instructions can then show a clear warning of the risks of making the daemon listen on any interface and allow the user to change this setting if required. The documentation is probably needed anyhow to ensure that users also configure the firewall appropriately.

For security reasons, I would prefer the brickd to listen on localhost as a default. An informed user can change it back (with security enabled) if required. For the simple use case of tinkering around for the first time this should be kind of an improvement.
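The three listen policies debated in this thread (the current 0.0.0.0 default, the localhost default this PR proposes, and the "local net" option of binding on all interfaces but immediately closing connections from outside the local subnets) can be compared in a small standalone sketch. The following is an added example written for this discussion, not brickd's own code: it assumes the local interface addresses are handed in as a constructed list (a real daemon would discover them from the OS), uses only the Python standard library, and the `LISTEN_MODES`, `peer_allowed` and `accept_one` names are hypothetical. It also shows the IPv6 caveat raised above: a ULA or link-local prefix can be allow-listed like an IPv4 subnet, and IPv4 peers arriving on a dual-stack socket appear as `::ffff:a.b.c.d` and have to be unwrapped before the subnet check.

```python
import ipaddress
import socket
import threading

# The three listen modes discussed in the thread (names are hypothetical).
# "localnet" is the proposed third option: bind on all interfaces, then drop
# any peer whose source address is not inside one of the local subnets.
LISTEN_MODES = {
    "localhost": "127.0.0.1",  # secure-by-default proposal of this PR
    "localnet": "0.0.0.0",     # bind everywhere, filter on accept
    "any": "0.0.0.0",          # current behaviour, no filtering
}


def local_networks(interface_addrs):
    """Build the allow-list of local subnets from 'address/prefix' strings.

    The list is constructed input here (Ethernet, WiFi, ...); a real daemon
    would enumerate its interfaces. Loopback is always included so the
    localhost use case keeps working in "localnet" mode as well.
    """
    nets = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
    for addr in interface_addrs:
        nets.append(ipaddress.ip_interface(addr).network)
    return nets


def peer_allowed(mode, peer_ip, nets):
    """Policy decision for one accepted connection, based on its source address."""
    if mode == "any":
        return True
    try:
        ip = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; compare the IPv4 part.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if mode == "localhost":
        return ip.is_loopback
    return any(ip in net for net in nets)


def make_listener(mode, port=0):
    """Bind a TCP listener according to `mode`; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((LISTEN_MODES[mode], port))
    srv.listen(1)
    return srv


def accept_one(srv, mode, nets):
    """Accept a single connection and apply the policy. Returns (peer_ip, allowed).

    A rejected peer is closed right away, before any protocol data is exchanged,
    which is what the "local net" option proposes.
    """
    conn, (peer_ip, _port) = srv.accept()
    with conn:
        allowed = peer_allowed(mode, peer_ip, nets)
        if allowed:
            conn.sendall(b"brickd: welcome\n")
    return peer_ip, allowed


if __name__ == "__main__":
    # Constructed interface list standing in for a RPi with Ethernet and WiFi.
    nets = local_networks(["192.168.1.5/24", "192.168.2.5/24"])
    srv = make_listener("localnet")
    port = srv.getsockname()[1]
    result = []

    def serve():
        result.append(accept_one(srv, "localnet", nets))

    t = threading.Thread(target=serve)
    t.start()
    # A client on the same host arrives from loopback and is kept.
    with socket.create_connection(("127.0.0.1", port)) as client:
        print(client.recv(64))
    t.join()
    srv.close()
    print(result)  # [('127.0.0.1', True)]
```

Note that the subnet check is only a coarse network boundary: every host on a shared classroom or lab subnet still passes it, and it does not replace the daemon's own authentication or a host firewall, which is why the documentation hint suggested above remains useful whichever default is chosen.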