Security changes - restricting uhttpd addresses

Peter Naulls peter at chocky.org
Tue Oct 25 14:34:37 PDT 2022


On 10/25/22 17:25, Reuben Dowle wrote:
> I have myself gone through the process of getting an openwrt based product 
> through a security audit.
> 
> The issue of HTTP listening on all interfaces also came up in my audit, but the 
> auditors were happy with the explanation that the firewall prevented any access 
> through the WAN interface. If the people auditing your system are only 
> interested in security 'theatre', then that is really a poor quality/incompetent 
> audit process.

Well, I agree. For clarity, years ago I had been through reviews with both
Microsoft and Intel, with some combination of Ubuntu/OpenWrt, so had some
expectation here. Those reviews turned up their share of nonsense, but things
have changed I guess.

My hands are tied, we gotta do the dance.

>> That said, I think that limiting the listening ports of uhttpd is a good idea. I
>> hardly see any downside to it, apart from maybe adding some complexity.
> 
> I think adding complexity here is a pretty good argument against this.

Certainly. But failing an official fix, I'm left to a workaround of my own
devising, which is unlikely to be robust in the short term, but will have to do
- unless someone has other suggestions.

To be clear to everyone here - I appreciate the feedback, and likely agree with
everything that's been said - I've been doing this as long as you guys, so
I know the ins and outs, but I think the conversation is still worth having.
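An added check, not part of this thread or of uhttpd, for confirming what the audit flagged: which LISTEN sockets on the box are bound to the IPv4 or IPv6 wildcard address rather than to a LAN address. It parses busybox-style `netstat -lnt` output; the SAMPLE_NETSTAT text is constructed for the example, and on a real device you would pipe live `netstat -lnt` output into `wildcard_listeners` instead.

```shell
#!/bin/sh
# Constructed sample of busybox `netstat -lnt` output (not a real capture):
# an HTTP server bound to the wildcard on 80/443, SSH bound to the LAN address only.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN
tcp        0      0 :::443                  :::*                    LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN'

# Read netstat output on stdin and print "proto local_address" for every
# LISTEN socket bound to 0.0.0.0 or :: (optionally only for one port, $1).
wildcard_listeners() {
    port="${1:-}"
    awk -v want="$port" '
        $NF == "LISTEN" {
            addr = $4
            # the bound port is the text after the last colon; the host is the rest
            n = split(addr, parts, ":")
            p = parts[n]
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (want != "" && p != want) next
            if (host == "0.0.0.0" || host == "::" || host == "[::]")
                print $1, addr
        }'
}

# Succeed (exit 0) only if nothing on the given port listens on a wildcard address.
port_is_restricted() {
    count=$(printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners "$1" | wc -l | tr -d ' ')
    [ "$count" -eq 0 ]
}

# Example run: list every wildcard-bound listener in the sample.
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
```

A firewall rule on the WAN zone still decides whether those sockets are reachable from outside, so this check only tells you what is bound, not what is exposed.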