-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FR: Publish Little Snitch ruleset for Tailscale #1872
Comments
I guess that'd force us to enumerate it all:
Really, I'd like to say:
Otherwise they're going to have a bad time and it'll kinda-usually-but-not-always work and they'll just blame Tailscale. I assume the rules are scoped by process, so maybe that's sufficient to say UDP/* for IPNExtension/etc? Is it also involved in filtering traffic on the Tailscale utun interface? If so, we need to allow everything on that, otherwise lots of stuff (including peerapi) will break. |
The same question has come in to support@ a few times about locked-down environments where the firewall does not allow outgoing connections except those explicitly allowed. If we generate a list for LittleSnitch we should also be able to use it for environments like those. |
Unfortunately most firewalls don't support scoping rules by process, so us saying "lol everything" isn't very satisfactory to a 5-tuple-only firewall. |
The rules are scoped by process, and allow the use of wildcards. So, we can make the rules as precise or as loose as we're comfortable with, with the caveat of course that LS users might decide we're overreaching and not use our rules (but then they're no better off than before). Roughly speaking, I was thinking just allow everything in/out for the Tailscale app IDs (LS does support matching on applications, not just 5-tuple). If we want to down-scope a bit more, |
It may seem absurd, but even an exceptionally broad Internet Access Policy would be acceptable if accompanied by the justifications provided in this thread. Without an IAP, Little Snitch users are bound to trial-and-error their way into setting up rules, which may be a lot more fragile than they should be. I was going to limit Tailscale to 41641 until I saw this issue, for instance. |
Is it |
The default is 41641, which can be modified by:
|
Why isn't it randomized by default? 41641 isn't a registered well-known port or anything. |
This allows things like AWS security groups or ufm on a Linux server to allow ingress of UDP 41641 as a way to enable direct connections. We're more likely to add a second UDP port, to always have UDP/41641 as well as a random port. |
You should probably fill out the IANA form, then. It shouldn't take more than a few minutes to submit. Personally, I think it'd make more sense to make randomization the default and have anyone who needs firewall traversal specify a port of their choice. |
I can not reach Tailscale for SSH even though it is completly allowed by my LittleSnitch rules and works fine over LAN, has anyone found a workaround? |
Great discussion; has anyone ever actually published a rule set? |
We have already published an Internet Access Policy for Little Snitch. It is bundled within the app. Regrettably, it is technically unfeasible to publish a rule set for Tailscale, as the app connects to an arbitrary number of IPs to establish direct connections, in addition to the coordination server and DERP servers. So even with a rule set, you're going to end up with a very large amount of connection prompts. |
Little Snitch is a macOS application layer firewall, popular among privacy enthusiasts. By default, it (correctly) blocks Tailscale from dialing out, and also blocks inbound UDP, which makes some easy NAT traversal cases harder.
According to https://help.obdev.at/littlesnitch4/lsc-rule-group-subscriptions , we can publish a Little Snitch ruleset on tailscale.com (or pkgs.tailscale.com or whatever), with the exact ruleset we need to have Tailscale work. LS users can then subscribe to that for a more seamless experience than "piecemeal authorize individual bits of what Tailscale does".
The text was updated successfully, but these errors were encountered: