Enhancement: allow disabling WAN access to HTTP admin #848
Comments
Would we need port 80 removal as well, correct? Seems I can access via both 80 and 8080 over the WAN interface.
I'll be honest, I'm not sure why we'd want any sort of incoming access on the WAN port and I'm a little horrified to discover that we do. I didn't think this was the case and I wonder if I messed something up in the latest release (we had to rewrite the entire firewall stack because of underlying changes to OpenWRT). So I'm inclined to not ever make this an option, but just to block all incoming traffic from WAN (except tunnels). Unless anyone thinks there's a good reason not to do that?
As an FYI, N7IME also mentioned that port 2222 seems to be open on WAN for SSH. It makes sense for this to be an option for those that configure an SSH key but maybe shouldn't be on by default.
I have to say that I do visit nodes http via the WAN.
On Thu, May 25, 2023, 9:30 PM AI7NC wrote:
> As an FYI, N7IME also mentioned that port 2222 seems to be open on WAN for SSH. It makes sense for this to be an option for those that configure a SSH key but maybe shouldn't be on by default.
It's been enabled in AREDN firmware for years, so it's not your fault :) I think it was even in HSMM. For me it's handy on my home network, where I have control of it, but obviously in other deployments it's undesirable. I'd like options to enable SSH and 80/8080 access on the WAN interface, even if they're off by default. For what it's worth, OpenWRT manages SSH by running separate dropbear instances on the WAN and LAN interfaces, as configured by luci. I think we're running both dropbear and uhttpd on 0.0.0.0. We could even get by with manual config in /etc/config/firewall and /etc/config/dropbear, as long as the AREDN web interface doesn't clobber those entries. But two toggles in advanced config would be super handy.
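As an added example (not code from this thread or from the AREDN project), here is what the manual /etc/config/firewall and /etc/config/dropbear entries mentioned above could look like: the WAN zone rejects all incoming connections by default, and the HTTP (80/8080) and SSH (2222) openings become explicit rules whose `enabled` flag serves as the toggle. The zone and network names `wan` and `lan` are assumed; check the node's own /etc/config/network before using them.

```uci
# /etc/config/firewall  (added example; zone/network names 'wan' and 'lan' are assumed)

config zone
    option name     'wan'
    list   network  'wan'
    option input    'REJECT'   # default: no inbound connections reach the node from WAN
    option output   'ACCEPT'
    option forward  'REJECT'
    option masq     '1'

# Explicit, toggleable opening for the HTTP admin/status pages (80 and 8080).
# 'enabled 0' keeps it closed by default; set to 1 only on a WAN you control.
config rule
    option name       'Allow-WAN-HTTP-admin'
    option src        'wan'
    option proto      'tcp'
    option dest_port  '80 8080'
    option target     'ACCEPT'
    option enabled    '0'

# Same pattern for SSH on 2222; only sensible once key authentication is configured.
config rule
    option name       'Allow-WAN-SSH'
    option src        'wan'
    option proto      'tcp'
    option dest_port  '2222'
    option target     'ACCEPT'
    option enabled    '0'

# /etc/config/dropbear  (added example): one dropbear instance per interface
# instead of a single listener on 0.0.0.0, so the WAN listener can be switched
# off without affecting SSH access from the LAN side.
config dropbear
    option Port          '2222'
    option Interface     'lan'
    option PasswordAuth  'on'

config dropbear
    option Port          '2222'
    option Interface     'wan'
    option PasswordAuth  'off'   # keys only when exposed to WAN
    option enable        '0'     # off by default; the firewall rule above must also be enabled
```

After editing, `/etc/init.d/firewall restart` and `/etc/init.d/dropbear restart` apply the change; the `enabled` flags of the two rules and the `enable` option of the WAN dropbear instance are the two toggles an advanced-config UI could expose.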
Thanks for moving fast on this Tim!
Looks good
For nodes that are connected to a WAN that's not controlled by the node owner, or worse, on a public IP address, it's desirable to be able to completely disable HTTP access to even the node status pages from other WAN users.
Could we add an option to block port 8080 from the WAN?
Prototype: