Re: Errors Packaging Nebula

To: Nilesh Patra <nilesh@nileshpatra.info>
Cc: debian-go@lists.debian.org
Subject: Re: Errors Packaging Nebula
From: Alex David <flu0r1ne@flu0r1ne.net>
Date: Fri, 09 Jul 2021 00:00:28 +0000
Message-id: <[🔎] cf1146de-b302-e3a2-11ed-013075fc8705@flu0r1ne.net>
Reply-to: Alex David <flu0r1ne@flu0r1ne.net>
In-reply-to: <[🔎] 727469A1-76F3-498F-83B8-E603E5597DB4@nileshpatra.info>
References: <[🔎] 12591747-2a78-1692-0a7f-6c1e41730408@flu0r1ne.net> <[🔎] 936ccf50-7cbf-8bcb-d018-a9055f82318c@flu0r1ne.net> <[🔎] 075cbc38-85c2-beb1-a49d-bf577b294b1b@nileshpatra.info> <[🔎] 979da5ed-e77e-771d-549f-09249bacaa78@flu0r1ne.net> <[🔎] 5655e45e-ccb8-98c8-2ca1-bf70d1c596f1@nileshpatra.info> <[🔎] c9320d8c-7980-57db-10d1-46d844e7ada1@flu0r1ne.net> <[🔎] 3FC560A6-6CFD-440F-8C75-E7AC858110B7@nileshpatra.info> <[🔎] a3ef1a33-8b2a-99dc-cbbe-558dd2462522@flu0r1ne.net> <[🔎] 727469A1-76F3-498F-83B8-E603E5597DB4@nileshpatra.info>

Hi Nilesh,

Thanks for the feedback. I really appreciate your time. You are focused
on user experience and I'm sure we will make this really positive
experience!

I want to add a little context about how the software works and see if
you still think the default settings are too intrusive / unsafe. These
are just the settings that are currently widely distributed by virtue of
being provided by the upstream project. (The upstream instructions ask
users to copy the example config to provide the defaults.)

 > Also, I'm not comfortable with nebula binding to port 4242 by "default"

I don't see how this situation is materially different than other
network daemons with default ports (e.g. ssh[22], wireguard[51820],
prometheus[9090], etc.).

It would probably be wise to choose a higher number port that doesn't
conflict with other pieces of software, however obscure. Although, other
versions of the software are bundled with this port. If you would like,
I can ask the upstream maintainers if we want to standardize on a
different default before it has been widely adopted.

It will only bind to the port when the user takes a manual action to
start the service. By virtue of creating an authenticated virtual
network, it restricts access to only those who have a signed certificate.

 > It also seems to allow all outbound ports by default, in your
d/config.yml

To my understanding, this means that if another machine that is part of
the virtual network exposed a port, you could connect to it. It doesn't
mean that you are exposing services. Allowing outbound traffic is the
default configuration for most firewalls.

 > If you agree w/ me, please also consider to do so for a few other
settings too.

I will work on this tomorrow. Unless you think these need to be
included, I would start with other things like configuring lighthouse
behavior. These are settings the user will likely wish to modify after
installation and this is why I left in the boilerplate around the
lighthouse section (e.g. static host map). The example IP is part of the
TCP/IP standards meant as an unreachable IP for documentation purposes.
I'll prompt the user for this information.

Best,

Alex

Reply to:

Follow-Ups:
- Re: Errors Packaging Nebula
  - From: Nilesh Patra <nilesh@nileshpatra.info>

References:
- Errors Packaging Nebula
  - From: Flu0r1ne <flu0r1ne@flu0r1ne.net>
- Re: Errors Packaging Nebula
  - From: Flu0r1ne <flu0r1ne@flu0r1ne.net>
- Re: Errors Packaging Nebula
  - From: Nilesh Patra <nilesh@nileshpatra.info>
- Re: Errors Packaging Nebula
  - From: Flu0r1ne <flu0r1ne@flu0r1ne.net>
- Re: Errors Packaging Nebula
  - From: Nilesh Patra <nilesh@nileshpatra.info>
- Re: Errors Packaging Nebula
  - From: Alex David <flu0r1ne@flu0r1ne.net>
- Re: Errors Packaging Nebula
  - From: Nilesh Patra <nilesh@nileshpatra.info>
- Re: Errors Packaging Nebula
  - From: Alex David <flu0r1ne@flu0r1ne.net>
- Re: Errors Packaging Nebula
  - From: Nilesh Patra <nilesh@nileshpatra.info>

Prev by Date: Re: [RFC] Replacement of golang-github-renstrom-dedent
Next by Date: Re: [RFS] golang-github-smallstep-cli
Previous by thread: Re: Errors Packaging Nebula
Next by thread: Re: Errors Packaging Nebula
Index(es):
- Date
- Thread