commit d2d812174872d70ade77fe282a8766b875f75cc4
from: Omar Polo <op@omarpolo.com>
date: Fri Dec 02 10:57:24 2022 UTC

don't listen everywhere by default; restrict to localhost

if -b was given without a explicit host, it defaulted to listen on any
address.  it's not a good idea given this would allow anyone on the same
network to (ab)use the ssh forwarding.

commit - 4164fc92a7b5022258d7ee83a1703da316db9a4e
commit + d2d812174872d70ade77fe282a8766b875f75cc4
blob - 3aa3c87f529e2dd9480c8c183b092663caee624a
blob + 6d665bdcf621260289fa9544e0f5fdbdbcce8ea4
--- lstun.1
+++ lstun.1
@@ -62,6 +62,9 @@ Fed to
 flag.
 .It Fl b Oo Ar host : Oc Ns Ar port
 Where to bind the local socket.
+If not specified,
+.Ar host
+defaults to localhost.
 .It Fl d
 Do not daemonize.
 .Nm
blob - f90988dfb32aaa18e6e06ab124a5d6ac0f10c5a0
blob + 81d41bc7f70b8f7391307e1e3a5611d40d9ed5b2
--- lstun.c
+++ lstun.c
@@ -285,7 +285,7 @@ bind_socket(void)
 	const char *c, *h, *port, *cause;
 
 	if ((c = strchr(addr, ':')) == NULL) {
-		h = NULL;
+		h = "localhost";
 		port = addr;
 	} else {
 		if ((c = copysec(addr, host, sizeof(host))) == NULL)