-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
settings/primaryPort not fully respected #915
Comments
Just curious: does anyone know if this was addressed through a recent update? I was getting this flapping behavior pretty regularly in a bridged-LANs-over-WAN setup, but it stopped about 2-3 weeks ago and everything's been stable since then. I didn't change anything, so am wondering if this got patched. |
Seems like a small change... but how to specify it? Should just using
or how about
|
I think I'd vote for something along the lines of option 2... Clear individual options for controlling whether UPnP & the secondary port are enabled or disabled. |
For firewall security reasons, I need the ability to fully control all incoming/opened ports on my server/router. This is ESPECIALLY true when talking about security audit compliance, such as PCI-DSS. Every open port must be justified to an external audit company, and with ZT arbitrarily opening additional ports if there are ANY issues at all with the defualt 9993 just causes havoc for these security audits (as well as the route flapping issue causing 100% CPU usage and dropped packets) |
@darkain Thanks, we've added the ability to turn off any non-primary port assignments via:
|
This landed in 1.4.0 stable, but the config setting is actually allowSecondaryPort (true/false, where false disables the extra port bindings.) I assume this basically also sets |
Describe the bug
Relates to the issues with: #779
If a connection cannot be established on the primary port (usually 9993), then ZeroTier will pick an arbitrary port to try and use instead. This defeats the entire purpose of having a primary port configuration. I have specific firewall rules in place for 9993 for a combination of security and to deal with issue #779. However, at some point ZT added support to "try other ports" that are outside of the configuration, which means the firewall rules in place for #779 no longer work, which means route flapping returned, broken connections, and excessively high CPU usage again. I also tried disabling port mapping to see if that was the issue, but this didn't resolve the issue either. There needs to be a way to force ZT to use one port and one port ONLY.
The text was updated successfully, but these errors were encountered: