Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Blacklist doesn't work #656

Closed
lookasek opened this issue Jan 3, 2018 · 6 comments
Closed

Blacklist doesn't work #656

lookasek opened this issue Jan 3, 2018 · 6 comments
Labels
Type: Bug Bug to be resolved

Comments

@lookasek
Copy link

lookasek commented Jan 3, 2018

I have RPi 3 with one physical network interface eth0 (WiFi inferface is disabled) and zerotier (version 1.2.4) installed.

pi@raspberrypi:~ $ ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.70  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::ba27:ebff:fe32:d7eb  prefixlen 64  scopeid 0x20<link>
        ether xx:xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 7972  bytes 964131 (941.5 KiB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 36843  bytes 5701450 (5.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 21034  bytes 1608701 (1.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21034  bytes 1608701 (1.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

zt1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 2800
        inet 192.168.192.1  netmask 255.255.255.0  broadcast 192.168.192.255
        inet6 fe80::683b:40ff:fe86:2354  prefixlen 64  scopeid 0x20<link>
        ether 6a:3b:40:86:23:54  txqueuelen 1000  (Ethernet)
        RX packets 705  bytes 62980 (61.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 31072  bytes 2261719 (2.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

pi@raspberrypi:~ $ sudo zerotier-cli listnetworks -j
[
 {
  "allowDefault": false,
  "allowGlobal": false,
  "allowManaged": true,
  "assignedAddresses": [
   "192.168.192.1/24"
  ],
  "bridge": false,
  "broadcastEnabled": true,
  "dhcp": false,
  "id": "xxxxxxxxxxxxxxxx",
  "mac": "6a:3b:40:86:23:54",
  "mtu": 2800,
  "name": "Test",
  "netconfRevision": 3,
  "nwid": "xxxxxxxxxxxxxxxx",
  "portDeviceName": "zt1",
  "portError": 0,
  "routes": [
   {
    "flags": 0,
    "metric": 0,
    "target": "192.168.192.0/24",
    "via": null
   }
  ],
  "status": "OK",
  "type": "PRIVATE"
 }
]

I would like to block zerotier connection over eth0 network interface. I set following local configuration for zerotier.

pi@raspberrypi:~ $ cat /var/lib/zerotier-one/local.conf

{
	"physical": {
		"192.168.0.0/24": {
			"blacklist": true
		}
	},
	"settings": {
		"interfacePrefixBlacklist": [ "eth" ]
	}
}

pi@raspberrypi:~ $ zerotier-cli info -j
{
 "address": "xxxxxxxxxx",
 "clock": 1515013346971,
 "cluster": null,
 "config": {
  "physical": {
   "192.168.0.0/24": {
    "blacklist": true,
    "trustedPathId": null
   }
  },
  "settings": {
   "interfacePrefixBlacklist": [
    "eth"
   ],
   "portMappingEnabled": true,
   "primaryPort": 9993,
   "softwareUpdate": "disable",
   "softwareUpdateChannel": "release"
  }
 },
 "online": true,
 "planetWorldId": 149604618,
 "planetWorldTimestamp": 1452708876314,
 "publicIdentity": "xxx",
 "tcpFallbackActive": false,
 "version": "1.2.4",
 "versionBuild": 0,
 "versionMajor": 1,
 "versionMinor": 2,
 "versionRev": 4
}

Unfortunately, zerotier network is still working.

For example I can PING other divices from zt1 network:

pi@raspberrypi:~ $ ping -c 4 192.168.192.2
PING 192.168.192.2 (192.168.192.2) 56(84) bytes of data.
64 bytes from 192.168.192.2: icmp_seq=1 ttl=64 time=87.3 ms
64 bytes from 192.168.192.2: icmp_seq=2 ttl=64 time=161 ms
64 bytes from 192.168.192.2: icmp_seq=3 ttl=64 time=75.8 ms
64 bytes from 192.168.192.2: icmp_seq=4 ttl=64 time=65.2 ms

--- 192.168.192.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 65.289/97.582/161.795/37.888 ms
@joseph-henry
Copy link
Contributor

I've issued a fix for this. It's available in the dev branch.

382dd82

This will make it into the next version of ZT.

@lookasek
Copy link
Author

lookasek commented Jan 4, 2018

@joseph-henry, I've installed zerotier from dev branch.

pi@raspberrypi:~ $ sudo ZeroTierOne-dev/zerotier-one -v
1.2.5

I set following local configuration for zerotier:

pi@raspberrypi:~ $ cat Test/local.conf 
{
	"physical": {
		"192.168.0.0/24": {
			"blacklist": true
		}
	}
}

And the service doesn't want to start:

pi@raspberrypi:~ $ sudo ZeroTierOne-dev/zerotier-one -d Test/
pi@raspberrypi:~ $ cat Test/zerotier-one.pid 
845
pi@raspberrypi:~ $ ps -p 845 -o comm=

Whereas I set another local configuration for zerotier:

pi@raspberrypi:~ $ cat Test/local.conf 
{
	"settings": {
		"interfacePrefixBlacklist": [ "eth" ]
	}
}

The service is working, but network interface (eth0) isn't blocked.

pi@raspberrypi:~ $ sudo ZeroTierOne-dev/zerotier-cli info -Txxx -j
{
 "address": "xxxxxxxxxx",
 "clock": 1515093205077,
 "config": {
  "physical": null,
  "settings": {
   "controllerDbPath": null,
   "interfacePrefixBlacklist": [
    "eth"
   ],
   "portMappingEnabled": true,
   "primaryPort": 9993,
   "softwareUpdate": "disable",
   "softwareUpdateChannel": "release"
  }
 },
 "online": true,
 "planetWorldId": 149604618,
 "planetWorldTimestamp": 1452708876314,
 "publicIdentity": "xxx",
 "tcpFallbackActive": false,
 "version": "1.2.5",
 "versionBuild": 0,
 "versionMajor": 1,
 "versionMinor": 2,
 "versionRev": 5
}

I still can PING other divices from zerotier network:

pi@raspberrypi:~ $ ping -c 4 192.168.193.2
PING 192.168.193.2 (192.168.193.2) 56(84) bytes of data.
64 bytes from 192.168.193.2: icmp_seq=1 ttl=64 time=3.18 ms
64 bytes from 192.168.193.2: icmp_seq=2 ttl=64 time=82.1 ms
64 bytes from 192.168.193.2: icmp_seq=3 ttl=64 time=103 ms
64 bytes from 192.168.193.2: icmp_seq=4 ttl=64 time=23.3 ms

--- 192.168.193.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 3.185/53.005/103.356/41.063 ms

@joseph-henry joseph-henry reopened this Jan 4, 2018
@joseph-henry
Copy link
Contributor

Interesting. Perhaps there are more issues with the blacklisting code. I'll attempt to replicate this. I've re-opened this ticket for now.

@adamierymenko adamierymenko added the Type: Bug Bug to be resolved label Jan 9, 2018
@adamierymenko
Copy link
Contributor

There's probably somewhere it needs to be checked.

ZeroTier is incredibly aggressive about trying to make direct connections. It's kind of hard to stop it. :)

joseph-henry added a commit that referenced this issue Jan 9, 2018
@joseph-henry
Attempted fix for ticket #656 (failes to acknowledge physical blackli…
7e2d614 
…sts)
@joseph-henry
Copy link
Contributor

@lookasek Latest dev (640cc22) now contains a patch which fixes the logic for the interfacePrefixBlacklist option, as well as adds a new feature allowTcpFallbackRelay which will allow you to manually prevent ZeroTier from using our TCP relay and getting around your blacklisting efforts.

{
        "settings": {
                "interfacePrefixBlacklist": [ "eth" ],
                "allowTcpFallbackRelay": false
        }
}

It's important to understand how these two options complement one another. The interfacePrefixBlacklist will prevent ZeroTier from binding to any matching interfaces. However it will still attempt to reach out via our TCP fallback relay, so this is why you'll still get connections even when blacklisted. Setting allowTcpFallbackRelay to false will prevent this.

Let me know if this helps.

@adamierymenko
Copy link
Contributor

Fixed in dev

adamierymenko added a commit that referenced this issue Apr 17, 2018
@adamierymenko
* Features and Core Improvements
bbed93b 
    * Path selection has been overhauled to improve path stability, simplify code, and prepare for multi-path and trunking in the next major release.
    * This version introduces remote tracing for remote diagnostics. Network controllers can set a node (usually the controller itself) to receive remote tracing events from all members of the network or from select members. Events are only sent if they pertain to a given network for security reasons.
    * Multicast replication can now be done by designated multicast replicators on a network (flagged as such at the controller) rather than by the sender. Most users won't want this, but it's useful for specialized use cases on hub-and-spoke networks and for low-power devices.
    * Cryptographic performance improvements on several platforms.
    * Multithreaded performance improvements throughout the code base, including the use of an inline lightweight spinlock for low-contention resources.
 * Bugs fixed
    * Disappearing routes on Mac (GitHub issue #600)
    * Route flapping and path instability in some dual-stack V4/V6 networks
    * Blacklist (in local.conf) doesn't work reliably (GitHub issue #656)
    * Connection instabilities due to unsigned integer overflows in timing comparisons (use int64_t instead of uint64_t)
    * Binaries don't run on some older or lower-end 32-bit ARM chips (build problem)
    * ARM NEON crypto code crashes (build problem)
    * Fixed some lock ordering issues revealed by "valgrind" tool
    * The "zerotier-idtool" command could not be accessed from "zerotier-one" via command line switch
    * Leaking sockets on some platforms when uPnP/NAT-PMP is enabled
    * Fixed two very rare multithreading issues that were only observed on certain systems
 * Platform-Specific Changes
    * MacOS
        * Installer now loads the kernel extension right away so that High Sierra users will see the prompt to authorize it. This is done in the "Security & Privacy" preference pane and must be done driectly on the console (not via remote desktop). On High Sierra and newer kexts must be authorized at the console via security settings system preferences pane.
    * Windows
        * The Windows installer should now install the driver without requiring a special prompt in most cases. This should make it easier for our packages to be accepted into and updated in the Chocolatey repository and should make it easier to perform remote installs across groups of machines using IT management and provisioning tools.
        * The Windows official packages are now signed with an EV certificate (with hardware key).
        * The Windows UI can now log into ZeroTier Central and join networks via the Central API.
        * The `zerotier-idtool` command should now work on Windows without ugly hacks.
        * Upgraded the installer version.
        * Made a few changes to hopefully fix sporadic "will not uninstall" problems, though we cannot duplicate these issues ourselves.
    * Linux
        * Device names are now generated deterministically based on network IDs for all newly joined networks.
    * Android
        * Multicast now works on Android in most cases! Android apps can send and receive multicast and subscribe to multicast group IPs. Note that in some cases the app must bind to the specific correct interface for this to work.
        * IPv6 can be disabled in UI for cases where it causes problems.
adamierymenko added a commit that referenced this issue Apr 17, 2018
@adamierymenko
Merge branch 'master' of github.com:zerotier/ZeroTierOne
3de7691 
 * Features and Core Improvements
    * Path selection has been overhauled to improve path stability, simplify code, and prepare for multi-path and trunking in the next major release.
    * This version introduces remote tracing for remote diagnostics. Network controllers can set a node (usually the controller itself) to receive remote tracing events from all members of the network or from select members. Events are only sent if they pertain to a given network for security reasons.
    * Multicast replication can now be done by designated multicast replicators on a network (flagged as such at the controller) rather than by the sender. Most users won't want this, but it's useful for specialized use cases on hub-and-spoke networks and for low-power devices.
    * Cryptographic performance improvements on several platforms.
    * Multithreaded performance improvements throughout the code base, including the use of an inline lightweight spinlock for low-contention resources.
 * Bugs fixed
    * Disappearing routes on Mac (GitHub issue #600)
    * Route flapping and path instability in some dual-stack V4/V6 networks
    * Blacklist (in local.conf) doesn't work reliably (GitHub issue #656)
    * Connection instabilities due to unsigned integer overflows in timing comparisons (use int64_t instead of uint64_t)
    * Binaries don't run on some older or lower-end 32-bit ARM chips (build problem)
    * ARM NEON crypto code crashes (build problem)
    * Fixed some lock ordering issues revealed by "valgrind" tool
    * The "zerotier-idtool" command could not be accessed from "zerotier-one" via command line switch
    * Leaking sockets on some platforms when uPnP/NAT-PMP is enabled
    * Fixed two very rare multithreading issues that were only observed on certain systems
 * Platform-Specific Changes
    * MacOS
        * Installer now loads the kernel extension right away so that High Sierra users will see the prompt to authorize it. This is done in the "Security & Privacy" preference pane and must be done driectly on the console (not via remote desktop). On High Sierra and newer kexts must be authorized at the console via security settings system preferences pane.
    * Windows
        * The Windows installer should now install the driver without requiring a special prompt in most cases. This should make it easier for our packages to be accepted into and updated in the Chocolatey repository and should make it easier to perform remote installs across groups of machines using IT management and provisioning tools.
        * The Windows official packages are now signed with an EV certificate (with hardware key).
        * The Windows UI can now log into ZeroTier Central and join networks via the Central API.
        * The `zerotier-idtool` command should now work on Windows without ugly hacks.
        * Upgraded the installer version.
        * Made a few changes to hopefully fix sporadic "will not uninstall" problems, though we cannot duplicate these issues ourselves.
    * Linux
        * Device names are now generated deterministically based on network IDs for all newly joined networks.
    * Android
        * Multicast now works on Android in most cases! Android apps can send and receive multicast and subscribe to multicast group IPs. Note that in some cases the app must bind to the specific correct interface for this to work.
        * IPv6 can be disabled in UI for cases where it causes problems.
bradleydiggs referenced this issue Jul 3, 2021
@adamierymenko
Revert wireguard blacklist by default... turns out we have people who…
a1b6cc4 
… depend on that. may revisit.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type: Bug Bug to be resolved
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@adamierymenko @joseph-henry @lookasek