Default to a FilterDenyAll instead of tailcfg.FilterAllowAll if no acl policy defined #663

Closed
opened 2025-12-29 02:21:45 +01:00 by adam · 1 comment
Originally created by @andy-netltd on GitHub (Mar 6, 2024).

Why

If no ACL policy is defined, headscale defaults to tailcfg.FilterAllowAll, which gives all devices visibility of all other devices and the ability to communicate with them on any protocol. This complete openness does not appear to fit a zero trust network design. A more robust default that locks down device visibility and communication would be a more appropriate response.

Description

The proposal is to do the following in hscontrol > policy > acts.go:

  • add a new tailcfg.FilterRule of FilterDenyAll (as no appropriate policy appears to be available within tailscale);
  • update GenerateFilterAndSSHRules so that, if no policy is defined, headscale now:
    • logs a warning message of Default deny all ACL rules being applied;
    • defaults to the FilterDenyAll rather than tailcfg.FilterAllowAll.

The proposed FilterDenyAll would be:

var FilterDenyAll = []tailcfg.FilterRule{
	{
		SrcIPs:  []string{},
		SrcBits: nil,
	},
}
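To make the security difference between the two defaults concrete, the following is an added example (not code from headscale or Tailscale) that models the proposal in isolation: the PortRange, NetPortRange and FilterRule types are assumed, simplified stand-ins for the tailcfg types, the matcher only supports exact addresses and "*", and how Tailscale's real packet filter evaluates these rules is upstream behaviour this toy does not reproduce.

```go
package main

import "net/netip"

// Stand-ins for the tailcfg types named in the issue (assumed, simplified shapes:
// a source is one address or "*"; a destination is an address or "*" plus a port range).
type PortRange struct{ First, Last uint16 }
type NetPortRange struct{ IP string; Ports PortRange }
type FilterRule struct{ SrcIPs []string; DstPorts []NetPortRange }

// FilterAllowAll models the upstream default: any source to any destination and port.
var FilterAllowAll = []FilterRule{{
	SrcIPs:   []string{"*"},
	DstPorts: []NetPortRange{{IP: "*", Ports: PortRange{0, 65535}}},
}}

// FilterDenyAll is the rule proposed in the issue: an empty SrcIPs list matches no peer.
var FilterDenyAll = []FilterRule{{SrcIPs: []string{}}}

// DefaultFilter models the proposed GenerateFilterAndSSHRules change: with no ACL
// policy loaded it falls back to deny-all and returns the proposal's warning text
// (the real change would log it) instead of silently using FilterAllowAll.
func DefaultFilter(policyDefined bool, policy []FilterRule) ([]FilterRule, string) {
	if policyDefined {
		return policy, ""
	}
	return FilterDenyAll, "Default deny all ACL rules being applied"
}

// matchIP treats "*" as a wildcard and otherwise requires an exact address match.
func matchIP(pattern string, addr netip.Addr) bool {
	p, err := netip.ParseAddr(pattern)
	return pattern == "*" || (err == nil && p == addr)
}

// Allowed reports whether any rule permits src -> dst:port. Rules form an allow list,
// so a rule set whose SrcIPs match nothing (FilterDenyAll) denies every flow.
func Allowed(rules []FilterRule, src, dst netip.Addr, port uint16) bool {
	for _, r := range rules {
		for _, s := range r.SrcIPs {
			for _, d := range r.DstPorts {
				if matchIP(s, src) && matchIP(d.IP, dst) && port >= d.Ports.First && port <= d.Ports.Last {
					return true
				}
			}
		}
	}
	return false
}
```

With no policy loaded, Allowed returns false for every source, destination and port, whereas the allow-all default returns true for all of them.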
adam added the enhancement label 2025-12-29 02:21:45 +01:00
adam closed this issue 2025-12-29 02:21:45 +01:00
@kradalby commented on GitHub (Mar 6, 2024):

Tailscale has a default allow policy and we will adhere to the same as upstream.


Reference: starred/headscale#663