Security changes - restricting uhttpd addresses

Peter Naulls peter at chocky.org
Tue Oct 25 12:00:09 PDT 2022


On 10/25/22 14:53, Luiz Angelo Daros de Luca wrote:
> is much easier to let the firewall zones deal with that.
> 
>> As an aside, they don't see the iptables tool in the system, and don't
>> understand that that's been deprecated (although I since did add it
>> for some unrelated legacy usage), and think there's no firewall at all.
> 
> 22.03? Did you read the release notes? nftables.

Luiz, I think you might have missed the context of my post - perhaps you
missed my earlier ones.  I'm well aware that nftables is in use, but this
is in a security review, and they see what they want to see.

> 
> It would be better to improve the uhttpd startup script, allowing it
> to bind to a list of openwrt interfaces. It is always better to
> reference an existing config than to duplicate it.
> Or leave the original bind address.

I agree that's a better solution.  I don't think I've advocated
duplicating config though.





