Disable MDNS by default and filter out private IPs (#13)

* Disable MDNS by default and filter out private IPs, to prevent possible netscanning actions from libp2p

* Simplify privateIP detection

* Simplify the private address tests

Author: oskarszoon

client.go

@@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net"
 	"os"
 	"slices"
 	"strings"
@@ -28,6 +29,7 @@ import (
 	"github.com/libp2p/go-libp2p/p2p/discovery/mdns"
 	drouting "github.com/libp2p/go-libp2p/p2p/discovery/routing"
 	"github.com/multiformats/go-multiaddr"
+	manet "github.com/multiformats/go-multiaddr/net"
 
 	ds "github.com/ipfs/go-datastore"
 	dssync "github.com/ipfs/go-datastore/sync"
@@ -114,12 +116,17 @@ func NewClient(config Config) (Client, error) {
 		return nil, fmt.Errorf("failed to create pubsub: %w", err)
 	}
 
-	// Set up mDNS discovery
-	mdnsService := mdns.NewMdnsService(h, "", &discoveryNotifee{h: h, ctx: ctx, logger: clientLogger})
-	if err := mdnsService.Start(); err != nil {
-		clientLogger.Errorf("mDNS failed to start: %v", err)
+	// Set up mDNS discovery (only if explicitly enabled)
+	var mdnsService mdns.Service
+	if config.EnableMDNS {
+		mdnsService = mdns.NewMdnsService(h, "", &discoveryNotifee{h: h, ctx: ctx, logger: clientLogger})
+		if err := mdnsService.Start(); err != nil {
+			clientLogger.Errorf("mDNS failed to start: %v", err)
+		} else {
+			clientLogger.Infof("mDNS discovery started")
+		}
 	} else {
-		clientLogger.Infof("mDNS discovery started")
+		clientLogger.Infof("mDNS discovery disabled (production safe default)")
 	}
 
 	c := &client{
@@ -623,6 +630,15 @@ func (c *client) connectToDiscoveredPeer(ctx context.Context, peerInfo peer.Addr
 		return
 	}
 
+	// Filter private IPs unless explicitly allowed (default: filter for production safety)
+	if !c.config.AllowPrivateIPs {
+		peerInfo.Addrs = filterPrivateAddrs(peerInfo.Addrs)
+		if len(peerInfo.Addrs) == 0 {
+			// All addresses were private, skip this peer
+			return
+		}
+	}
+
 	if err := c.host.Connect(ctx, peerInfo); err != nil {
 		if c.shouldLogConnectionError(err) {
 			c.logger.Debugf("Failed to connect to discovered peer %s: %v", peerInfo.ID.String(), err)
@@ -913,3 +929,48 @@ func PrivateKeyFromHex(keyHex string) (crypto.PrivKey, error) {
 
 	return priv, nil
 }
+
+// filterPrivateAddrs filters out private/local IP addresses from a list of multiaddrs.
+// Returns only public routable addresses suitable for cloud/shared hosting environments.
+func filterPrivateAddrs(addrs []multiaddr.Multiaddr) []multiaddr.Multiaddr {
+	filtered := make([]multiaddr.Multiaddr, 0, len(addrs))
+
+	for _, addr := range addrs {
+		// Convert multiaddr to net.Addr to check if it's private
+		netAddr, err := manet.ToNetAddr(addr)
+		if err != nil {
+			// If we can't parse it, skip it
+			continue
+		}
+
+		// Extract IP address
+		var ip net.IP
+		switch v := netAddr.(type) {
+		case *net.TCPAddr:
+			ip = v.IP
+		case *net.UDPAddr:
+			ip = v.IP
+		default:
+			// Unknown address type, skip it
+			continue
+		}
+
+		// Filter out private/local addresses
+		if isPrivateIP(ip) {
+			continue
+		}
+
+		filtered = append(filtered, addr)
+	}
+
+	return filtered
+}
+
+// isPrivateIP checks if an IP address is private or local using Go's standard library.
+// Returns true for:
+// - RFC1918 private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) via IP.IsPrivate()
+// - Link-local, loopback, and multicast addresses via built-in methods
+// - IPv6 unique local addresses (fc00::/7) via IP.IsPrivate()
+func isPrivateIP(ip net.IP) bool {
+	return ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast()
+}

client_filter_private_addrs_test.go

@@ -0,0 +1,181 @@
+package p2p
+
+import (
+	"net"
+	"testing"
+
+	"github.com/multiformats/go-multiaddr"
+)
+
+func TestFilterPrivateAddrs(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    []string
+		expected []string
+	}{
+		{
+			name: "mixed_private_and_public_ipv4",
+			input: []string{
+				"/ip4/10.0.0.1/tcp/4001",    // RFC1918
+				"/ip4/8.8.8.8/tcp/4001",     // public
+				"/ip4/172.16.0.1/tcp/4001",  // RFC1918
+				"/ip4/1.1.1.1/tcp/4001",     // public
+				"/ip4/192.168.1.1/tcp/4001", // RFC1918
+				"/ip4/127.0.0.1/tcp/4001",   // loopback
+				"/ip4/169.254.1.1/tcp/4001", // link-local
+			},
+			expected: []string{
+				"/ip4/8.8.8.8/tcp/4001",
+				"/ip4/1.1.1.1/tcp/4001",
+			},
+		},
+		{
+			name: "mixed_private_and_public_ipv6",
+			input: []string{
+				"/ip6/fc00::1/tcp/4001",              // unique local
+				"/ip6/2001:4860:4860::8888/tcp/4001", // public
+				"/ip6/fe80::1/tcp/4001",              // link-local
+			},
+			expected: []string{
+				"/ip6/2001:4860:4860::8888/tcp/4001",
+			},
+		},
+		{
+			name: "rfc1918_172_range_boundaries",
+			input: []string{
+				"/ip4/172.15.0.1/tcp/4001",     // not private (below range)
+				"/ip4/172.16.0.1/tcp/4001",     // private (start of range)
+				"/ip4/172.31.255.255/tcp/4001", // private (end of range)
+				"/ip4/172.32.0.1/tcp/4001",     // not private (above range)
+			},
+			expected: []string{
+				"/ip4/172.15.0.1/tcp/4001",
+				"/ip4/172.32.0.1/tcp/4001",
+			},
+		},
+		{
+			name: "edge_cases",
+			input: []string{
+				"invalid-addr",           // invalid address
+				"/ip4/8.8.8.8/tcp/4001",  // valid public
+				"/ip4/10.0.0.1/tcp/4001", // valid private
+			},
+			expected: []string{
+				"/ip4/8.8.8.8/tcp/4001",
+			},
+		},
+		{
+			name:     "empty_input",
+			input:    []string{},
+			expected: []string{},
+		},
+		{
+			name: "all_private",
+			input: []string{
+				"/ip4/10.0.0.1/tcp/4001",
+				"/ip4/192.168.1.1/tcp/4001",
+			},
+			expected: []string{},
+		},
+		{
+			name: "all_public",
+			input: []string{
+				"/ip4/8.8.8.8/tcp/4001",
+				"/ip6/2001:4860:4860::8888/tcp/4001",
+			},
+			expected: []string{
+				"/ip4/8.8.8.8/tcp/4001",
+				"/ip6/2001:4860:4860::8888/tcp/4001",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := filterPrivateAddrs(testParseMultiaddrs(tt.input))
+			assertAddrsEqual(t, tt.expected, result)
+		})
+	}
+}
+
+// testParseMultiaddrs converts string addresses to multiaddr.Multiaddr, skipping invalid ones
+func testParseMultiaddrs(addrs []string) []multiaddr.Multiaddr {
+	result := make([]multiaddr.Multiaddr, 0, len(addrs))
+	for _, addrStr := range addrs {
+		addr, err := multiaddr.NewMultiaddr(addrStr)
+		if err == nil {
+			result = append(result, addr)
+		}
+	}
+	return result
+}
+
+// assertAddrsEqual compares expected string addresses with actual multiaddrs
+func assertAddrsEqual(t *testing.T, expected []string, actual []multiaddr.Multiaddr) {
+	t.Helper()
+
+	actualStrs := make([]string, len(actual))
+	for i, addr := range actual {
+		actualStrs[i] = addr.String()
+	}
+
+	if len(actualStrs) != len(expected) {
+		t.Errorf("Expected %d addresses, got %d.\nExpected: %v\nGot: %v",
+			len(expected), len(actualStrs), expected, actualStrs)
+		return
+	}
+
+	for i, expectedAddr := range expected {
+		if actualStrs[i] != expectedAddr {
+			t.Errorf("Address %d: expected %s, got %s", i, expectedAddr, actualStrs[i])
+		}
+	}
+}
+
+func TestIsPrivateIP(t *testing.T) {
+	privateIPs := []string{
+		// RFC1918
+		"10.0.0.1", "10.255.255.255",
+		"172.16.0.1", "172.31.255.255",
+		"192.168.1.1", "192.168.255.255",
+		// Link-local
+		"169.254.1.1",
+		// Loopback
+		"127.0.0.1", "127.255.255.255",
+		// IPv6 unique local and link-local
+		"fc00::1", "fd00::1", "fe80::1", "::1",
+	}
+
+	publicIPs := []string{
+		// Public IPv4
+		"8.8.8.8", "1.1.1.1", "208.67.222.222",
+		// RFC1918 172.x boundaries (not in 16-31 range)
+		"172.15.0.1", "172.32.0.1",
+		// Public IPv6
+		"2001:4860:4860::8888", "2606:4700:4700::1111",
+	}
+
+	for _, ipStr := range privateIPs {
+		t.Run(ipStr, func(t *testing.T) {
+			ip := net.ParseIP(ipStr)
+			if ip == nil {
+				t.Fatalf("Failed to parse IP: %s", ipStr)
+			}
+			if !isPrivateIP(ip) {
+				t.Errorf("isPrivateIP(%s) = false, want true", ipStr)
+			}
+		})
+	}
+
+	for _, ipStr := range publicIPs {
+		t.Run(ipStr, func(t *testing.T) {
+			ip := net.ParseIP(ipStr)
+			if ip == nil {
+				t.Fatalf("Failed to parse IP: %s", ipStr)
+			}
+			if isPrivateIP(ip) {
+				t.Errorf("isPrivateIP(%s) = true, want false", ipStr)
+			}
+		})
+	}
+}

config.go

@@ -103,4 +103,22 @@ type Config struct {
 	// due to libp2p's NAT manager using non-thread-safe global state.
 	// Default: false (NAT features enabled)
 	DisableNAT bool
+
+	// EnableMDNS enables multicast DNS peer discovery on the local network.
+	// When true, the node broadcasts mDNS queries to discover peers on the same LAN.
+	// IMPORTANT: Only enable on isolated local networks with proper VLANs. On shared hosting
+	// (e.g., Hetzner, AWS) without VLANs, mDNS broadcasts appear as network scanning and may
+	// result in abuse reports.
+	// Default: false (mDNS disabled for production safety)
+	// Set to true only for local development networks with proper isolation
+	EnableMDNS bool
+
+	// AllowPrivateIPs allows connections to private/local IP addresses during peer discovery.
+	// When true, the node will attempt to connect to RFC1918 private networks (10.0.0.0/8,
+	// 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), and localhost.
+	// IMPORTANT: Only enable on private networks. On shared hosting, this may trigger network
+	// scanning alerts.
+	// Default: false (private IPs filtered for production safety)
+	// Set to true only for local development or private network deployments
+	AllowPrivateIPs bool
 }