I have myself gone through the process of getting an openwrt based product through a security audit.
> I think everyone bothering to read this understands the theatre aspects of all
> this that I called out in my original post. Whether things should actually be
> fixed (or "fixed") is certainly an open question, but if I can save someone
> some future grief, or at least have the discussion, then I might save myself or
> someone else some time.

The issue of HTTP listening on all interfaces also came up in my audit, but the auditors were happy with the explanation that the firewall prevented any access through the WAN interface. If the people auditing your system are only interested in security 'theatre', then that is really a poor quality/incompetent audit process.

> That said, I think that limiting the listening ports of uhttpd is a good idea. I
> hardly see any downside to it, apart from maybe adding some complexity.

I think adding complexity here is a pretty good argument against this.

Regards,
Reuben

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
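The point the thread circles around (uhttpd bound to every interface, with only the firewall keeping it off the WAN) is something an auditor can check mechanically from /etc/config/uhttpd. The following is an added example written for this page, not code from the thread or from the OpenWrt project: a small parser for the UCI list syntax uhttpd uses, a check that flags wildcard binds, and two constructed configs, one in the default-style form and one restricted to assumed LAN addresses (192.168.1.1 and fd00::1). The listen-spec forms handled (`PORT`, `ADDR:PORT`, `[V6ADDR]:PORT`) follow what uhttpd's `-p` option accepts.

```python
"""Audit a uhttpd UCI config for listen addresses that bind every interface.

Added example, not from the openwrt-devel thread or the OpenWrt project.
It models OpenWrt's /etc/config/uhttpd format: a 'config uhttpd main'
section with 'list listen_http' / 'list listen_https' entries of the form
'PORT', 'ADDR:PORT' or '[V6ADDR]:PORT'. The sample configs below are
constructed; the LAN addresses 192.168.1.1 / fd00::1 are assumptions.
"""
import re
from typing import Dict, List

# Wildcard binds: any of these means the daemon accepts connections on
# every interface (WAN included) and relies solely on the firewall.
WILDCARD_V4 = {"0.0.0.0", ""}
WILDCARD_V6 = {"::", "0:0:0:0:0:0:0:0"}

# Optional host part ([v6]: or v4:) followed by a numeric port.
_LISTEN_RE = re.compile(
    r"^(?:\[(?P<v6>[^\]]+)\]:|(?P<v4>[^:\s]*):)?(?P<port>\d+)$"
)


def parse_uci_lists(text: str, section_type: str = "uhttpd") -> Dict[str, List[str]]:
    """Return {list_name: [values]} for every 'list' line in sections of section_type."""
    lists: Dict[str, List[str]] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            parts = line.split()
            in_section = len(parts) >= 2 and parts[1] == section_type
            continue
        if in_section and line.startswith("list "):
            _, name, value = line.split(None, 2)
            lists.setdefault(name, []).append(value.strip("'\""))
    return lists


def is_wildcard_bind(listen: str) -> bool:
    """True if the listen spec binds all interfaces: bare port, 0.0.0.0, [::] or empty host."""
    m = _LISTEN_RE.match(listen.strip())
    if not m:
        raise ValueError(f"unrecognised listen spec: {listen!r}")
    if m.group("v6") is not None:
        return m.group("v6") in WILDCARD_V6
    # A bare port (no host at all) is also an any-address bind.
    return m.group("v4") is None or m.group("v4") in WILDCARD_V4


def audit(text: str) -> List[str]:
    """Return one finding per listen_http/listen_https entry that binds every interface."""
    findings: List[str] = []
    lists = parse_uci_lists(text)
    for name in ("listen_http", "listen_https"):
        for spec in lists.get(name, []):
            if is_wildcard_bind(spec):
                findings.append(
                    f"{name} {spec!r} binds every interface; only the firewall keeps it off the WAN"
                )
    return findings


# Constructed sample: default-style uhttpd section with wildcard binds.
DEFAULT_CONFIG = """
config uhttpd main
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option home '/www'
"""

# Constructed sample: same section bound only to the (assumed) LAN addresses,
# so there is no WAN-facing listener for the firewall to have to block.
LAN_ONLY_CONFIG = """
config uhttpd main
	list listen_http '192.168.1.1:80'
	list listen_http '[fd00::1]:80'
	list listen_https '192.168.1.1:443'
	list listen_https '[fd00::1]:443'
	option home '/www'
"""

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("lan-only", LAN_ONLY_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no wildcard listeners']}")
```

Two caveats worth stating next to the check. First, binding to a LAN address is defence in depth, not a replacement for the WAN input rule: a packet arriving on the WAN with the LAN address as its destination still reaches the socket unless the firewall drops it, so the firewall explanation the auditors accepted remains necessary either way. Second, this is the "complexity" cost from the thread in concrete form: an address-bound listener has to be kept in step with the LAN configuration, and if the LAN address changes or is not yet assigned when uhttpd starts, the bind fails where the wildcard would have succeeded.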