Description of problem:
If cjdns does not create a tun interface, then fc00::/8 packets will go to the default route. If the default gateway runs cjdroute, then pinging and connecting to the default gateway will "work" - but the packets are not encrypted or authenticated.

Version-Release number of selected component (if applicable):
cjdns-17.4-6.fc24.x86_64

How reproducible:
always

Steps to Reproduce:
1. with cjdns stopped, ping cjdns IP of gateway

Actual results:
unencrypted connectivity

Expected results:
no routing of cjdns IPs with cjdroute down

Additional info:
This does not depend on Fedora version. Apps on the gateway will see an ICANN source ip, and a firewall on the gateway could block forwarding between ICANN <-> cjdns ips. This bug is basically indicating a need for some kind of simple firewall or routing hack that the package can install without breaking any non-cjdns configuration.
This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Still outstanding.
(In reply to Stuart D Gathman from comment #2)
> Still outstanding.

Does this still happen in later versions?
It's not a bug in cjdns itself, but in system configuration. I'd like to make it more foolproof for new users, so they are not exposed if they don't pay much attention to their firewall. Basically, the firewall needs to block fc00::/8 when not coming from the cjdns tun device - if you are relying in any way on those IPs being authenticated and end-to-end encrypted. I haven't thought of a bulletproof way to drop that in as a default. On a different, but similar note, I just discovered that the default configuration on squid allows fc00::/7 unrestricted use of the proxy. I noticed that unknown entities on cjdns had been using one of my proxies to download stuff (mostly from Russia it looks like - I don't recognize any of the sites). I'll have to add a warning about that to the cjdns README.
Note - one very simple way to avoid this problem is to use 2000::/3 instead of :: for your default route. That is what I do, and I think I could at least recommend it at this point in the cjdns README (based on a reasonable length of experience). But I can't have the package go monkeying with people's default route on install...
What about this idea: the rpm checks for a default route, and issues a warning referencing a more detailed description in the Fedora cjdns README - where I recommend *not* having a default route, but using 2000::/3 instead. Would that enlighten new users? Or confuse and scare them? Note, that this issue applies to *any* VPN where you whitelist VPN ips for some service and the VPN is down. It is not unique to cjdns. It's just an easy security hole to fall into.
I've updated the Fedora README with these two sections:

### Routing security

If cjdns is not running, cjdns packets will get routed in plaintext to your default gateway by default. An attacker could then play man-in-the-middle. If your default gateway is running cjdns, this could even happen accidentally. This can be blocked by restricting ```fc00::/8``` to the interface used by cjdroute in the firewall. An even simpler solution is to not have a "default" route. Instead route ```2000::/3``` to your gateway. All globally routable ips begin with ```001``` as the first three bits.

### Application security

The squid cache package default config allows ```fc00::/7``` unrestricted access to the proxy. If the proxy port is not otherwise firewalled, you probably want to change this to ```fd00::/8``` when using cjdns on the proxy server. Apart from that default config, squid works very well with cjdns - you can allow specific cjdns ips unrestricted access:

```
acl adultpcs src fc25:dede:dede:dede:dede:dede:dede:dede
acl adultpcs src fc37:daaa:daaa:daaa:daaa:daaa:daaa:daaa
http_access allow adultpcs
```
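The default-route check proposed earlier in this thread could look like the sketch below. It is an added example, not part of the comment above, the Fedora README or the cjdns package. The function name `cjdns_route_state`, the sample route tables and the interface names `eth0` and `tun0` are assumptions made for illustration.

```shell
#!/bin/sh
# Classify an `ip -6 route show` listing (read from stdin) for the
# fc00::/8 fall-through described in this bug. Prints one of:
#   leak-now        default route present and no fc00::/8 route, so cjdns
#                   addresses currently go to the default gateway in plaintext
#   leak-when-down  default route present; fc00::/8 is on a device now but
#                   will fall through to the default route when cjdroute stops
#   safe            no default route, so fc00::/8 has nowhere to fall through
cjdns_route_state() {
    awk '
        # Reject-type routes forward nothing; ignoring them means the
        # result errs toward warning.
        $1 ~ /^(unreachable|blackhole|prohibit)$/ { next }
        $1 == "default" || $1 == "::/0" { has_default = 1 }
        $1 == "fc00::/8"                { has_cjdns = 1 }
        END {
            if (!has_default)   print "safe"
            else if (has_cjdns) print "leak-when-down"
            else                print "leak-now"
        }'
}

# Constructed sample listings (not captured from a real host).
# cjdroute stopped, ordinary default route:
SAMPLE_DOWN='fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 pref medium'

# cjdroute running with its tun device, ordinary default route:
SAMPLE_UP='fc00::/8 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 pref medium'

# cjdroute stopped, 2000::/3 routed to the gateway instead of a default route:
SAMPLE_2000='2000::/3 via fe80::1 dev eth0 metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium'

for sample in "$SAMPLE_DOWN" "$SAMPLE_UP" "$SAMPLE_2000"; do
    printf '%s\n' "$sample" | cjdns_route_state
done
```

On a live system the same function can be fed with `ip -6 route show | cjdns_route_state`. It only inspects routes, so the firewall rule restricting ```fc00::/8``` to the cjdroute interface is still needed for inbound packets.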
This message is a reminder that Fedora 26 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '26'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 26 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.