Security changes - restricting uhttpd addresses
Etienne Champetier
champetier.etienne at gmail.com
Wed Oct 26 09:55:54 PDT 2022
Le mar. 25 oct. 2022 à 17:47, Michael Richardson
<mcr+ietf at sandelman.ca> a écrit :
>
>
> Peter Naulls <peter at chocky.org> wrote:
> > Nevertheless, the security people are looking at this config
> > statically, and not seeing that it's bound to the LAN interface IP
> > only.
>
> I don't think they are really security people, but...
>
> > For my use, I've changed the default binding to the LAN IP, and also
> > added another init.d script to check the current LAN address, and
> > update the uhttpd config if need be and then restart it (and add
> > a config hook to the network config). Obviously this isn't
> > very satisfactory, open to better suggestions here.
>
> So, it needs to bound to *all* the IPv6 "LAN" IPs.
> That means:
> a) the ULA that is created.
> b) the LL-IPv6 that are always present
> c) the GUA IPv6 that is delegated
>
> And when we make guest LANs, we may also need to bind it to that, because
> there are things that guests might need to know, such as seeing the status
> page to see if the network is up.
>
> > It might also be better if uhttpd could be configured to bind
> > to a specific interface rather than knowing its IP upfront, but
> > that might be impractical.
>
> It's totally impractical.
Can't we bind to 0.0.0.0 and use SO_BINDTODEVICE to make sure it's
really only responding on the right interface ?
With complicated routing setup it changes a bit the behavior, but this
might be the simplest option if we don't want to rely only on the
firewall
> --
> Michael Richardson <mcr+IETF at sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
More information about the openwrt-devel
mailing list