Peter Naulls <pe...@chocky.org> wrote:
    > Nevertheless, the security people are looking at this config
    > statically, and not seeing that it's bound to the LAN interface IP
    > only.

I don't think they are really security people, but...

    > For my use, I've changed the default binding to the LAN IP, and also
    > added another init.d script to check the current LAN address, and
    > update the uhttpd config if need be and then restart it (and add
    > a config hook to the network config). Obviously this isn't
    > very satisfactory, open to better suggestions here.

So, it needs to be bound to *all* the IPv6 "LAN" IPs.
That means:
  a) the ULA that is created.
  b) the LL-IPv6 that are always present
  c) the GUA IPv6 that is delegated

And when we make guest LANs, we may also need to bind it to that, because
there are things that guests might need to know, such as seeing the status
page to see if the network is up.

    > It might also be better if uhttpd could be configured to bind
    > to a specific interface rather than knowing its IP upfront, but
    > that might be impractical.

It's totally impractical.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
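
The three address kinds listed in the reply above (ULA, link-local, delegated GUA) can be told apart by prefix, which is what a hook that rebuilds the listen list has to do. The following is an added example, not code from the thread or from OpenWrt; it assumes the LAN bridge is named `br-lan`, that the result is meant for uhttpd's `listen_http` list option, and it uses constructed sample addresses.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies the IPv6 addresses on a LAN
# bridge into the three kinds listed above and builds uhttpd listen entries.

# Constructed sample in the shape of `ip -6 -o addr show dev br-lan`
# (br-lan is an assumed name; prefixes are documentation/example values).
SAMPLE='7: br-lan inet6 fd12:3456:789a::1/60 scope global
7: br-lan inet6 2001:db8:aa:10::1/60 scope global dynamic
7: br-lan inet6 fe80::a2b3:ccff:fedd:eeff/64 scope link
7: br-lan inet6 ::1/128 scope host'

# Print ula, ll, gua or other for one address (no prefix length).
classify_v6() {
	a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
	case "$a" in
		fe[89ab][0-9a-f]:*) echo ll ;;               # fe80::/10
		f[cd][0-9a-f][0-9a-f]:*) echo ula ;;         # fc00::/7
		[23][0-9a-f][0-9a-f][0-9a-f]:*) echo gua ;;  # 2000::/3
		*) echo other ;;
	esac
}

# Read `ip -o` style lines on stdin, print "kind address" per inet6 address.
lan_v6_addrs() {
	while read -r _idx _dev fam cidr _rest; do
		[ "$fam" = inet6 ] || continue
		addr=${cidr%/*}
		echo "$(classify_v6 "$addr") $addr"
	done
}

# Build listen values for port $1 from "kind address" lines on stdin.
# Link-local addresses are only reported: a socket bound to one also needs
# the interface as scope, which a bare [addr]:port string does not carry.
listen_entries() {
	port=$1
	while read -r kind addr; do
		case "$kind" in
			ula|gua) echo "[$addr]:$port" ;;
			ll) echo "# link-local $addr needs scope (interface)" ;;
		esac
	done
}

printf '%s\n' "$SAMPLE" | lan_v6_addrs | listen_entries 80
```

Anything classified as `other` (loopback here) is dropped, so the web UI is never bound to an address outside the three LAN kinds.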




_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
