Listen on localhost:0 instead of 0.0.0.0:0 by default.

This avoids any possible problem caused by other people on your network using you as a proxy. If you want to allow this, you can force it back to the old way using the --listen option. Thanks to 'tass' on github for reporting portscans that revealed this potential security problem.
2024-11-21 23:43:18 +01:00 · 2010-12-31 21:21:17 -08:00 · 2010-12-31 21:21:17 -08:00 · 7fa1c3c4e4
commit 7fa1c3c4e4
parent cca69eb496
2 changed files with 10 additions and 4 deletions
--- a/main.py
+++ b/main.py
@ -49,7 +49,7 @@ sshuttle [-l [ip:]port] [-r [username@]sshserver[:port]] <subnets...>
 sshuttle --firewall <port> <subnets...>
 sshuttle --server
 --
-l,listen=  transproxy to this ip address and port number [0.0.0.0:0]
+l,listen=  transproxy to this ip address and port number [127.0.0.1:0]
 H,auto-hosts scan for remote hostnames and update local /etc/hosts
 N,auto-nets  automatically determine subnets to route
 python= specify the name/path of the python interpreter on the remote server [python]
--- a/sshuttle.md
+++ b/sshuttle.md
@ -1,6 +1,6 @@
-% sshuttle(8) Sshuttle 0.42
+% sshuttle(8) Sshuttle 0.44
 % Avery Pennarun <apenwarr@gmail.com>
-% 2010-11-09
+% 2010-12-31

 # NAME

@ -41,7 +41,13 @@ entire subnet to the VPN.
 -l, --listen=*[ip:]port*
 :   use this ip address and port number as the transparent
    proxy port.  By default sshuttle finds an available
-    port automatically, so you don't need to override it.
+    port automatically and listens on IP 127.0.0.1
+    (localhost), so you don't need to override it, and
+    connections are only proxied from the local machine,
+    not from outside machines.  If you want to accept
+    connections from other machines on your network (ie. to
+    run sshuttle on a router) try enabling IP Forwarding in
+    your kernel, then using `--listen 0.0.0.0:0`. 

 -H, --auto-hosts
 :   scan for remote hostnames and update the local /etc/hosts