On Wed, Oct 26, 2022 at 11:58 AM Etienne Champetier <champetier.etie...@gmail.com> wrote:
>
> On Tue, Oct 25, 2022 at 17:47, Michael Richardson
> <mcr+i...@sandelman.ca> wrote:
> >
> >
> > Peter Naulls <pe...@chocky.org> wrote:
> > > Nevertheless, the security people are looking at this config
> > > statically, and not seeing that it's bound to the LAN interface IP
> > > only.
> >
> > I don't think they are really security people, but...
> >
> > > For my use, I've changed the default binding to the LAN IP, and also
> > > added another init.d script to check the current LAN address, and
> > > update the uhttpd config if need be and then restart it (and add
> > > a config hook to the network config). Obviously this isn't
> > > very satisfactory, open to better suggestions here.
> >
> > So, it needs to be bound to *all* the IPv6 "LAN" IPs.
> > That means:
> > a) the ULA that is created.
> > b) the LL-IPv6 that are always present
> > c) the GUA IPv6 that is delegated
> >
> > And when we make guest LANs, we may also need to bind it to that, because
> > there are things that guests might need to know, such as seeing the status
> > page to see if the network is up.
> >
> > > It might also be better if uhttpd could be configured to bind
> > > to a specific interface rather than knowing its IP upfront, but
> > > that might be impractical.
> >
> > It's totally impractical.
I also have to reiterate these "security audits", and this is in no way related to OpenWRT, but the people who like to think they know security.

o just because a package is installed does not mean it is listening
o go read some docs
o learn how to port scan yourself
o go read some docs
o learn how to write your own exploits
o go read some docs
o quit reading CVEs that are not related to your product(s)
o go read some docs
o join LKML and read what is being done
o go read some docs

Leave us alone - my company uses Linux exclusively - the threats are handled way faster than on any other platform (OpenWRT aside), so tell your *security* people to hire someone that is not a straight-out-of-college noob running some 3rd party package collector and actually learn how to examine a system for exploits.

Just because something is installed absolutely does not mean it is vulnerable to attack.

This is becoming a headache trying to teach the recently graduated kids with security degrees or certifications (that are easily handed out nowadays) how to handle security. Everyone wants to package inspect versus network inspect.

Let me tell you something - if I have physical access, there is not a damn thing you can do to stop me - so just worry about network access like everyone is telling you. If your company is not amenable to that - I would find another job. I have a rule of thumb - I do not work for people dumber than me - you should try that rather than trying to force dumber people to make you change. Rules of the world progressing (college class 101).

> Can't we bind to 0.0.0.0 and use SO_BINDTODEVICE to make sure it's
> really only responding on the right interface ?
> With complicated routing setup it changes a bit the behavior, but this
> might be the simplest option if we don't want to rely only on the
> firewall

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel