From 6c2bd91f014f2a29fd16fbe4f2d5feefe9ddd3a0 Mon Sep 17 00:00:00 2001
From: Holger Weiss
Date: Fri, 22 Jan 2021 16:20:24 +0100
Subject: [PATCH] ejabberd_stun: Block loopback addresses by default

Don't accept loopback addresses as TURN peers by default. This makes sure the TURN service won't allow remote clients to access local UDP services. However, this will break the case where the 'turn_ipv4_address' was set to 127.0.0.1 as fallback and TURN worked "by accident" if both clients were using the same TURN service. The service then talked to itself on the loopback interface.
---
 src/ejabberd_stun.erl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ejabberd_stun.erl b/src/ejabberd_stun.erl
index f6d1e89a4..b4bc6b3e4 100644
--- a/src/ejabberd_stun.erl
+++ b/src/ejabberd_stun.erl
@@ -203,7 +203,7 @@ listen_options() ->
 {turn_max_port, 65535},
 {turn_max_allocations, 10},
 {turn_max_permissions, 10},
- {turn_blacklist, []},
+ {turn_blacklist, [<<"127.0.0.0/8">>, <<"::1/128">>]},
 {server_name, <<"ejabberd">>}].
 
 -spec init_logger() -> ok.
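Review bot: The new default on the `turn_blacklist` line lists only the native loopback prefixes, so an IPv4-mapped IPv6 spelling of loopback (`::ffff:127.0.0.0/104`) is not covered unless the stun library normalizes mapped addresses before consulting the blacklist — that is worth confirming, and if it does not, the mapped prefix belongs in the same list. Because the commit message already documents that a `turn_ipv4_address` of 127.0.0.1 now stops relaying, keeping that rationale next to the value with a comment such as `%% Loopback is rejected as a TURN peer so remote clients cannot use the relay to reach local UDP services; turn_ipv4_address must be a routable address.` would help the next maintainer. A startup warning in the option validation when the configured turn_ipv4_address falls inside the blacklist would also turn the documented breakage from a silent relay failure into a visible one; that check would live outside this hunk. listen_options/0 begins before the hunk, so the start of the option list is not visible here.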