Releases: mbuesch/letmein

letmein-9.0.0

30 Dec 20:21

New features

  • The nft executable can now be pinned in the letmeind.conf configuration file, so that the letmeinfwd daemon, which runs as root, does not have to search $PATH for it.

  • Use TCP_NODELAY for TCP connections to reduce knock latency.

Distribution packaging

For distribution packagers: in the default letmeind.conf configuration that your package install scripts ship, please set

[NFTABLES]
exe = nft

to the default path of the nft executable in your distribution.

For example:

[NFTABLES]
exe = /usr/sbin/nft

letmein-8.0.0

18 Dec 16:07

New features

  • Support for a UDP control port has been added.

If you choose a UDP port as the control port and configure control-error-policy=basic-auth, the letmein service itself operates in stealth mode and does not respond to unauthenticated incoming messages.

Documentation

  • The documentation has been improved.

Fixes

  • Locked dependencies have been updated to not include yanked crates and crates with known security problems. Note that none of the replaced dependency crates is known to cause security problems in letmein itself.
  • Seccomp rules have been extended to include more required syscalls.

letmein-7.2.0

10 Nov 20:07

Fixes

  • Fix the build with cargo-audit version >=0.21.

Added features

  • Add an option to suppress sending error messages to unauthenticated peers. This avoids revealing to malicious scanner clients what service is running on the control port. See [GENERAL] control-error-policy in letmeind.conf. This feature is disabled by default if the config option is missing.

letmein-7.1.0

27 Oct 16:39

Bug fix

On letmeinfwd daemon shutdown the control port rule was not removed from the firewall. This could leave letmeind reachable if it was still running. This has been fixed.

In practice this should not be a real problem, though. If letmeind was still running, the communication with letmeinfwd would fail and the user would eventually receive a Nack for the knock. If letmeind was also shut down, the port would be closed anyway, regardless of the firewall rule.

An upgrade is recommended.

letmein-7.0.0

23 Oct 19:32

Fixes:

  • Add TX/RX timeouts for control messages. This helps to mitigate potential DoS (Denial of Service) attacks on the control port by slow or stalled peers.

Features:

  • Optional seccomp support has been added to the firewall daemon letmeinfwd.
  • Optional seccomp support has been added to the client application letmein.
  • letmeind: Now prints the peer's IP address to the system log on unexpected protocol handling failures.

letmein-6.0.0

11 Oct 18:42

New features:

  • Support for UDP port knocking has been added.
  • The seccomp filters have been reduced further to what is necessary. This reduces the exploit surface.

letmein-5.1.0

01 Oct 18:43
  • Documentation for the configuration files has been added in CONFIGURATION.md
  • The dependency on the user_lookup crate has been removed and a simple local implementation of the needed subset of its features has been added.
  • Some sanity checks for the configuration have been added. Correct and working configurations are not affected.

letmein-5.0.0

22 Sep 16:09

New features:

  • On firewall changes, now only the affected rules are touched instead of deleting and rebuilding everything each time.

Minor changes:

  • The configuration prefix has been made configurable (via environment variable LETMEIN_CONF_PREFIX) and the cargo build default has been changed from /opt/letmein/etc to /etc. However, the build.sh script still uses the /opt/letmein/etc prefix. Therefore, nothing changes for most users. The option makes distribution packaging easier.
  • API cleanup to make misuse of the protocol API harder.

letmein-4.0.0

23 Aug 20:40

Changes:

  • Move compilation of seccomp program to build.rs.

Fixes:

  • Remove sigaction from allowed syscalls.

letmein-3.0.0

30 Jul 19:08
  • The daemon has been split into a privileged part for the firewall and a public-network-facing part with reduced privileges. Please see README.md for instructions on how to install the required user.
  • Optional Linux seccomp support for the network daemon has been added. See the example letmeind.conf file for how to enable it.