I'm a little confused about something. After digging through the OpenWrt documentation to harden my router setup, I read that uhttpd listens on all interfaces by default, including the WAN interface.
Would it not be safer to have uhttpd listen only on LAN interfaces by default? Is there a reason why it is not set up this way? Is this something the developers will look to change?
For example, dropbear is configured to listen on LAN by default, despite the default firewall being set to reject connections to uhttpd or dropbear from the WAN.
I wonder about this myself...
When the firewall somehow fails, all services will be exposed to the internet
(if they listen on all interfaces/wildcard).
Not only LuCI...
Also, Unbound has the same problem: the UCI scripts even add the public interface IP addresses to the trusted IP addresses (access-control in unbound.conf).
By default, Unbound allows any requests (deny-any in unbound.conf).
This is one of the many reasons that security-conscious people/organizations don't run any services on their firewalls that they don't need to.
Edit:
Another reason to "bind to wildcard" is the desire of people to manage the router through LuCI on a step-by-step basis. Change your LAN IP and, if you're listening on a fixed IP, no more LuCI, SSH, ... It's a usability trade-off for non-CLI users.
There should be an option in the Unbound LuCI interface to let the user specify the listen interfaces,
and a way to manage the allowed networks/IP ranges that Unbound should answer queries for.
Also, there seems to be a bug with uhttpd or netifd? I have configured uhttpd to listen on an IPv4 and an IPv6 address. For IPv4 it works fine; for IPv6 it does not. I have to restart uhttpd manually after boot to make it listen on that address.
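As an added example (not from anyone in this thread, and not OpenWrt's own scripts), here is a small shell check that lists which services on a router are bound to the wildcard address (0.0.0.0 or ::), i.e. the ones that would be reachable from WAN if the firewall ever failed, followed by the uci commands that pin uhttpd to the LAN addresses instead. The netstat output is constructed to look like BusyBox `netstat -lnp` on OpenWrt, and the LAN addresses 192.168.1.1 and fd00::1 are assumed values; on a real router you would feed in `netstat -lnp` and your own LAN addresses.

```sh
#!/bin/sh
# Added example, not part of the original thread or of OpenWrt.
# 1) wildcard_listeners: report every TCP/UDP listener bound to 0.0.0.0 or ::
# 2) uhttpd_lan_only_cmds: print the uci commands that bind uhttpd to LAN only

# Constructed sample of BusyBox `netstat -lnp` output (not captured from a real box).
# BusyBox prints IPv6 sockets with proto "tcp"/"udp" and addresses like ":::80".
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/uhttpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1234/uhttpd
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN      1100/dropbear
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1300/unbound
tcp        0      0 :::80                   :::*                    LISTEN      1234/uhttpd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1300/unbound
udp        0      0 192.168.1.1:67          0.0.0.0:*                           1200/dnsmasq'

# Usage: wildcard_listeners "$(netstat -lnp 2>/dev/null)"
# Prints one line per wildcard listener: "<proto> <local address> <program>".
# Listeners on a specific address (LAN IP, loopback) are ignored.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            sub(/:[0-9]+$/, "", addr)          # drop the trailing ":port"
            if (addr == "0.0.0.0" || addr == "::") {
                prog = $NF
                sub(/^[0-9]+\//, "", prog)     # "1234/uhttpd" -> "uhttpd"
                print $1, $4, prog
            }
        }'
}

# Usage: uhttpd_lan_only_cmds <lan-ipv4> <lan-ipv6>
# Prints (does not run) the uci commands that replace the wildcard
# listen_http/listen_https list entries with the given LAN addresses.
# listen_http and listen_https are list options in /etc/config/uhttpd,
# so they are cleared and re-added rather than set with `uci set`.
uhttpd_lan_only_cmds() {
    lan4="$1"
    lan6="$2"
    cat <<EOF
uci -q delete uhttpd.main.listen_http
uci -q delete uhttpd.main.listen_https
uci add_list uhttpd.main.listen_http='$lan4:80'
uci add_list uhttpd.main.listen_http='[$lan6]:80'
uci add_list uhttpd.main.listen_https='$lan4:443'
uci add_list uhttpd.main.listen_https='[$lan6]:443'
uci commit uhttpd
/etc/init.d/uhttpd restart
EOF
}

# Demo on the constructed sample: uhttpd (v4 and v6) and unbound's UDP socket
# are flagged; dropbear on the LAN IP and unbound on loopback are not.
echo "== wildcard listeners in sample =="
wildcard_listeners "$SAMPLE_NETSTAT"
echo
echo "== uci commands to pin uhttpd to LAN (assumed addresses) =="
uhttpd_lan_only_cmds 192.168.1.1 fd00::1
```

On a real router run `wildcard_listeners "$(netstat -lnp)"` as root so program names are shown. The uci commands are printed rather than executed on purpose: as the thread notes, binding to a fixed LAN address means a later LAN IP change silently breaks LuCI until the listen entries are updated, so review them before applying. The same audit flags Unbound's 0.0.0.0:53 socket, which is where the access-control discussion above becomes relevant.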