Security changes - restricting uhttpd addresses
Michael Richardson
mcr+ietf at sandelman.ca
Tue Oct 25 14:45:50 PDT 2022
Peter Naulls <peter at chocky.org> wrote:
> Nevertheless, the security people are looking at this config
> statically, and not seeing that it's bound to the LAN interface IP
> only.
I don't think they are really security people, but...
> For my use, I've changed the default binding to the LAN IP, and also
> added another init.d script to check the current LAN address, and
> update the uhttpd config if need be and then restart it (and add
> a config hook to the network config). Obviously this isn't
> very satisfactory, open to better suggestions here.
So, it needs to bound to *all* the IPv6 "LAN" IPs.
That means:
a) the ULA that is created.
b) the LL-IPv6 that are always present
c) the GUA IPv6 that is delegated
And when we make guest LANs, we may also need to bind it to that, because
there are things that guests might need to know, such as seeing the status
page to see if the network is up.
> It might also be better if uhttpd could be configured to bind
> to a specific interface rather than knowing its IP upfront, but
> that might be impractical.
It's totally impractical.
--
Michael Richardson <mcr+IETF at sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20221025/956224ff/attachment.sig>
More information about the openwrt-devel
mailing list