On Tue, 25 Oct 2022 at 17:47, Michael Richardson <mcr+i...@sandelman.ca> wrote:
>
> Peter Naulls <pe...@chocky.org> wrote:
> > Nevertheless, the security people are looking at this config
> > statically, and not seeing that it's bound to the LAN interface IP
> > only.
>
> I don't think they are really security people, but...
>
> > For my use, I've changed the default binding to the LAN IP, and also
> > added another init.d script to check the current LAN address, and
> > update the uhttpd config if need be and then restart it (and add
> > a config hook to the network config). Obviously this isn't
> > very satisfactory, open to better suggestions here.
>
> So, it needs to be bound to *all* the IPv6 "LAN" IPs.
> That means:
> a) the ULA that is created.
> b) the LL-IPv6 that are always present
> c) the GUA IPv6 that is delegated
>
> And when we make guest LANs, we may also need to bind it to that, because
> there are things that guests might need to know, such as seeing the status
> page to see if the network is up.
>
> > It might also be better if uhttpd could be configured to bind
> > to a specific interface rather than knowing its IP upfront, but
> > that might be impractical.
>
> It's totally impractical.
Can't we bind to 0.0.0.0 and use SO_BINDTODEVICE to make sure it's really only responding on the right interface? With a complicated routing setup it changes the behavior a bit, but this might be the simplest option if we don't want to rely only on the firewall.

> --
> Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel