Security changes - restricting uhttpd addresses

Etienne Champetier champetier.etienne at gmail.com
Wed Oct 26 09:55:54 PDT 2022


On Tue, Oct 25, 2022 at 17:47, Michael Richardson
<mcr+ietf at sandelman.ca> wrote:
>
>
> Peter Naulls <peter at chocky.org> wrote:
>     > Nevertheless, the security people are looking at this config
>     > statically, and not seeing that it's bound to the LAN interface IP
>     > only.
>
> I don't think they are really security people, but...
>
>     > For my use, I've changed the default binding to the LAN IP, and also
>     > added another init.d script to check the current LAN address, and
>     > update the uhttpd config if need be and then restart it (and add
>     > a config hook to the network config). Obviously this isn't
>     > very satisfactory, open to better suggestions here.
>
> So, it needs to bound to *all* the IPv6 "LAN" IPs.
> That means:
>   a) the ULA that is created.
>   b) the LL-IPv6 that are always present
>   c) the GUA IPv6 that is delegated
>
> And when we make guest LANs, we may also need to bind it to that, because
> there are things that guests might need to know, such as seeing the status
> page to see if the network is up.
>
>     > It might also be better if uhttpd could be configured to bind
>     > to a specific interface rather than knowing its IP upfront, but
>     > that might be impractical.
>
> It's totally impractical.

Can't we bind to 0.0.0.0 and use SO_BINDTODEVICE to make sure it's
really only responding on the right interface?
With a complicated routing setup it changes the behavior a bit, but this
might be the simplest option if we don't want to rely only on the
firewall.


> --
> Michael Richardson <mcr+IETF at sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
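The approach floated above (listen on the wildcard address, then pin the socket to one interface with SO_BINDTODEVICE so it answers on every address that interface carries, including the IPv6 link-local, ULA and GUA addresses, without tracking them) in working code. This is an added example written for this thread, not uhttpd's or OpenWrt's code. It assumes Linux (SO_BINDTODEVICE is Linux-only; unprivileged use needs kernel 5.7 or newer, older kernels need CAP_NET_RAW) and uses the loopback device "lo" as the interface so it can be exercised offline; the function names are hypothetical. It reads the bound device back with getsockopt, which is the check an auditor looking at a running daemon can rely on instead of the config file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Added example, not uhttpd/OpenWrt code. Linux-only.
 * TCP listener on the wildcard address, pinned to one interface: the kernel
 * only hands it packets that arrived on that device, so it is reachable on
 * every address the interface has (IPv4, IPv6 LL/ULA/GUA) and on no other.
 * Returns the listening fd, or -errno. */
int listen_on_device(const char *ifname, uint16_t port)
{
    int v6 = 1;
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0 && errno == EAFNOSUPPORT) {      /* no IPv6 stack: IPv4 only */
        fd = socket(AF_INET, SOCK_STREAM, 0);
        v6 = 0;
    }
    if (fd < 0)
        return -errno;

    int zero = 0, one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    /* Dual-stack: let the v6 socket also accept IPv4 (as v4-mapped addresses). */
    if (v6 && setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &zero, sizeof zero) < 0)
        goto fail;
    /* Pin to the device; must happen before bind(). ENODEV if it does not exist. */
    if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ifname, strlen(ifname) + 1) < 0)
        goto fail;

    struct sockaddr_storage ss;
    socklen_t sl;
    memset(&ss, 0, sizeof ss);
    if (v6) {
        struct sockaddr_in6 *sa = (struct sockaddr_in6 *)&ss;
        sa->sin6_family = AF_INET6;
        sa->sin6_port = htons(port);
        sa->sin6_addr = in6addr_any;            /* [::] = all addresses */
        sl = sizeof *sa;
    } else {
        struct sockaddr_in *sa = (struct sockaddr_in *)&ss;
        sa->sin_family = AF_INET;
        sa->sin_port = htons(port);
        sa->sin_addr.s_addr = htonl(INADDR_ANY); /* 0.0.0.0 */
        sl = sizeof *sa;
    }
    if (bind(fd, (struct sockaddr *)&ss, sl) < 0 || listen(fd, 16) < 0)
        goto fail;
    return fd;
fail:
    { int e = errno; close(fd); return -e; }
}

/* Read back which device the socket is pinned to (what a runtime audit should
 * check, rather than the config file). 0 on success, -errno otherwise. */
int bound_device(int fd, char *buf, socklen_t len)
{
    if (getsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, buf, &len) < 0)
        return -errno;
    return 0;
}

/* Connect to the listener over 127.0.0.1 and accept: that traffic arrives on
 * "lo", so a listener pinned to "lo" takes it. 0 on success, -errno otherwise. */
int loopback_roundtrip(int lfd)
{
    struct sockaddr_in6 sa;                     /* port is at the same offset for v4 and v6 */
    socklen_t sl = sizeof sa;
    if (getsockname(lfd, (struct sockaddr *)&sa, &sl) < 0)
        return -errno;
    int c = socket(AF_INET, SOCK_STREAM, 0);
    if (c < 0)
        return -errno;
    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = sa.sin6_port;
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int e = 0;
    if (connect(c, (struct sockaddr *)&dst, sizeof dst) < 0) {
        e = -errno;
    } else {
        int a = accept(lfd, NULL, NULL);
        if (a < 0) e = -errno; else close(a);
    }
    close(c);
    return e;
}

/* Whole demo on loopback; 0 if every step worked, -errno (or -EINVAL) otherwise. */
int demo_loopback(void)
{
    int lfd = listen_on_device("lo", 0);        /* port 0: kernel picks a free port */
    if (lfd < 0)
        return lfd;
    char name[IFNAMSIZ] = "";
    int rc = bound_device(lfd, name, sizeof name);
    if (rc == 0 && strcmp(name, "lo") != 0)
        rc = -EINVAL;                           /* pinned to the wrong device */
    if (rc == 0)
        rc = loopback_roundtrip(lfd);
    close(lfd);
    return rc;
}

int main(void)
{
    int rc = demo_loopback();
    printf("%s\n", rc == 0 ? "listener pinned to lo and reachable via 127.0.0.1" : strerror(-rc));
    return rc != 0;
}
```

The routing caveat from the message still applies: SO_BINDTODEVICE filters on the ingress device, so with policy routing or VRFs a packet that enters on the pinned device is accepted whatever address it was sent to, which is why the firewall remains the second layer rather than being replaced by this.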
