Regarding "Inferring and hijacking VPN-tunneled TCP connections"
diggest at gmail.com
Fri Dec 6 18:21:08 CET 2019
On 06.12.2019 18:18, Jason A. Donenfeld wrote:
>> But for the sake of wg-quick
>> the filter can be enabled for wireguard interface only to be sure it
>> wouldn't break anything else
> How do you propose this works? That'd require adding -d, right? In
> that case we're back to more or less the original rule. If you do it
> with -i, then it fails to filter the bad packets that we want to be
Actually it appears to be harder than I first thought.
The -d option will let broadcast addresses pass the rule. Is it a
problem here? In the original bulletin the authors talk about TCP. Testing
for interface name doesn't make much sense either, as you said...