> The default uhttpd configuration has this:
>
> # HTTP listen addresses, multiple allowed
> list listen_http 0.0.0.0:80
> list listen_http [::]:80
>
> Now, I know there's lots of practical reasons for this to be the case,
> and I know also that the firewall setup in OpenWrt is robust and
> isn't going to allow WAN-side access.
>
> Nevertheless, the security people are looking at this config
> statically, and not seeing that it's bound to the LAN interface IP
> only.

It might be easy to bind to the LAN interface in a simple product, but OpenWrt might have multiple interfaces. It is much easier to let the firewall zones deal with that.

> As an aside, they don't see the iptables tool in the system, and don't
> understand that that's been deprecated (although I since did add it
> for some unrelated legacy usage), and think there's no firewall at all.

22.03? Did you read the release notes? nftables.

> For my use, I've changed the default binding to the LAN IP, and also
> added another init.d script to check the current LAN address, and
> update the uhttpd config if need be and then restart it (and add
> a config hook to the network config). Obviously this isn't
> very satisfactory, open to better suggestions here.

It would be better to improve the uhttpd startup script, allowing it to bind to a list of OpenWrt interfaces. It is always better to reference an existing config than to duplicate it. Or leave the original bind address.

> It might also be better if uhttpd could be configured to bind
> to a specific interface rather than knowing its IP upfront, but
> that might be impractical.

No, there are dozens of services that do just that.

Regards,
Luiz

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
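An added example, not from this thread nor from OpenWrt's own uhttpd init script, showing in POSIX shell the two pieces the reply points at: a static check that flags the wildcard `listen_http` entries the reviewers objected to, and a renderer that builds per-interface listen lines from a list of logical OpenWrt interfaces instead of duplicating the LAN address. The sample uhttpd section and the `iface_ipaddr` table are constructed stand-ins; on a device the address lookup would come from `network_get_ipaddr` in `/lib/functions/network.sh`.

```shell
#!/bin/sh
# Constructed sample of the default uhttpd section quoted in the thread
# (on a real device this would be read from /etc/config/uhttpd).
SAMPLE_UHTTPD='config uhttpd main
    list listen_http 0.0.0.0:80
    list listen_http [::]:80
    list listen_https 0.0.0.0:443
    option home /www'

# Print every listen_* entry bound to all addresses (0.0.0.0 or [::]).
# Exit status 1 if any wildcard bind is present, 0 if the section is clean.
find_wildcard_listens() {
    printf '%s\n' "$1" | awk '
        $1 == "list" && $2 ~ /^listen_/ {
            addr = $3
            if (addr ~ /^0\.0\.0\.0(:|$)/ || addr ~ /^\[::\](:|$)/) {
                print $2, addr
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# Stand-in resolver mapping a logical interface to its IPv4 address.
# Constructed table; replace with network_get_ipaddr on a real device.
iface_ipaddr() {
    case "$1" in
        lan)   echo 192.168.1.1 ;;
        guest) echo 192.168.2.1 ;;
        *)     return 1 ;;
    esac
}

# Render "list listen_http <ip>:<port>" for each named interface.
# An interface without an address is skipped and reported on stderr;
# it never falls back to a wildcard bind.
render_listens() {
    port=$1; shift
    for ifc in "$@"; do
        ip=$(iface_ipaddr "$ifc") || { echo "# $ifc: no address, not bound" >&2; continue; }
        printf 'list listen_http %s:%s\n' "$ip" "$port"
    done
}
```

Run `find_wildcard_listens "$(cat /etc/config/uhttpd)"` on a device to get the same report the static reviewers produced by hand.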
