twh/f2 Posted February 15, 2021 (edited)

Hi there,

this is probably just an indirect Fujinet question rgd. the Spectranet TNFS daemon (https://github.com/FujiNetWIFI/spectranet).

Like many of us Fujinet users, I set up a local TNFSD on a low-end RPI1B+ (which turns out to be just the right hardware for this matter). Let's say I now want to expose the TNFSD port (16384) to my public IP.

What do you say how secure that would be?
Is it likely that the tnfsd service can be exploited?
Would it be beneficial to set up some kind of local firewall on the RPI (nftables, firewalld)?
Should I consider putting my RPI in an isolated subnet (managed switch, WAN access only)?

Greetings,
\thomas

Edited February 15, 2021 by twh/f2

tschak909 Posted February 15, 2021

Good questions all, and I would suggest doing what you feel is appropriate. In addition, it's important to make sure file permissions are set correctly for your repository.

-Thom

+mytek Posted February 15, 2021

15 minutes ago, twh/f2 said:
> I set up a local TNFSD on a low-end RPI1B+ (which turns out to be just the right hardware for this matter). Let's say I now want to expose the TNFSD port (16384) to my public IP. What do you say how secure that would be? Is it likely that the tnfsd service can be exploited?

Although your question is worth asking and also nice to know more about the security aspects, I've got to wonder what would be exploited on RPI1B+ that is worth worrying about? Surely this isn't your main desktop computer. Just wondering.

FifthPlayer Posted February 15, 2021

41 minutes ago, mytek said:
> Although your question is worth asking and also nice to know more about the security aspects, I've got to wonder what would be exploited on RPI1B+ that is worth worrying about? Surely this isn't your main desktop computer. Just wondering.

Even though it's a 1B+, there are still reasons you'd care about security. For instance, it could end up part of a botnet or bitcoin mining farm, or run something to snoop on your local subnet.

twh/f2 (Author) Posted February 15, 2021

36 minutes ago, FifthPlayer said:
> Even though it's a 1B+, there are still reasons you'd care about security. For instance, it could end up part of a botnet or bitcoin mining farm, or run something to snoop on your local subnet.

exactly. I have no other files on the 1B+ than those I want to be public anyway, but that "snooping" on my local subnet is my biggest concern.

+x=usr(1536) Posted February 22, 2021

On 2/15/2021 at 4:01 PM, twh/f2 said:
> exactly. I have no other files on the 1B+ than those I want to be public anyway, but that "snooping" on my local subnet is my biggest concern.

If your network hardware supports it, put the RasPi in the DMZ network. Forward the ports as you would normally.

Most consumer-grade routers with DMZ capability allow traffic from the LAN into the DMZ (for administration, etc.), but not from the DMZ to the LAN. This pretty much takes care of the issue of it being used as a pivot point into the internal network.

On top of that, have tnfsd run as a non-privileged user inside its own chroot jail. This should pretty much negate the most obnoxious things that could be done if someone did manage to exploit it.
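
The thread's advice about repository file permissions and running tnfsd as a non-privileged user can be checked before the port is forwarded. The following is an added example, not part of any post above and not FujiNet or tnfsd code; the function name `audit_share`, the idea of a dedicated service account, and the assumption that the share should be read-only for that account are all hypothetical.

```python
import os
import stat
from pathlib import Path


def audit_share(root, service_uid, service_gids=()):
    """Return sorted (relative_path, issue) findings for a share that the
    service account (assumed, e.g. a dedicated 'tnfsd' user) should only read."""
    root = Path(root).resolve()
    gids = set(service_gids)
    findings = []

    def service_can_write(st):
        # Same owner/group/other selection the kernel applies to a non-root uid.
        if st.st_uid == service_uid:
            return bool(st.st_mode & stat.S_IWUSR)
        if st.st_gid in gids:
            return bool(st.st_mode & stat.S_IWGRP)
        return bool(st.st_mode & stat.S_IWOTH)

    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # symlinks are not followed
        entries += [Path(dirpath) / name for name in dirnames + filenames]

    for path in entries:
        rel = os.path.relpath(path, root)
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            # Without a chroot, a link out of the share exposes its target.
            target = path.resolve()
            if target != root and root not in target.parents:
                findings.append((rel, "symlink leaves share"))
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((rel, "setuid or setgid file"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        elif service_can_write(st):
            findings.append((rel, "writable by service user"))
    return sorted(findings)


if __name__ == "__main__":
    import pwd
    import sys
    # Usage: audit.py <share directory> <service account name>
    user = pwd.getpwnam(sys.argv[2])
    groups = os.getgrouplist(user.pw_name, user.pw_gid)
    for rel, issue in audit_share(sys.argv[1], user.pw_uid, groups):
        print(f"{issue}: {rel}")
```

An empty result means the service account cannot modify the share and nothing in it points outside the directory; it says nothing about bugs in the daemon itself, which is what the DMZ and chroot suggestions address.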