I had an issue, almost certainly due to some mistake I made, but it brought up something on which I would like a better understanding.
I am using Neil Pang's routine described here: https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-OpenWRT
It works.
My understanding (in case I am wrong) is that this process:
- Uses the package uHTTPd with open ports 80 and 443 on all interfaces, including outside
- Depends on iptables to close those ports on the outside except during renewal.
I'm particularly a bit confused by step 5 of his procedure, which seems to use the GUI to open the ports in the underlying config, which seems to have them open all the time?
I was also embarrassed that having done this, it implicitly allowed admin access to my guest network, and I missed it. Fortunately I have had well behaved guests so far.
Now I think, maybe, hopefully I have caught these and closed them appropriately but my questions relate to doing this better:
First, do I understand properly? That uHTTPd has to be listening on the outside interface (and more precisely for this script to work, doing so all the time then blocked by iptables except during the actual renewal)?
With a DHCP outside address, how can I avoid listening on my guest interface? My only thought is to, again, use iptables to block it. Unless there's a way to listen on an interface name, not address, in the uHTTPd config file (vs GUI)? The doc doesn't show that as possible.
I'm particularly confused how the GUI Firewall setup (mentioned in step 5 of the procedure) should be done, and how that relates to the explicit iptables rules. What should I have done in step 5? Doesn't opening 80/443 in that step open it all the time? It almost seems like I should NOT open it there, but let the script open it momentarily itself? What is meant by step 5 there?
Hopefully it goes without saying that I do not want the outside interface to ever show a login dialog, ideally, but at least at no time other than the brief window during renewal. I feel like now I have it working, but not in a robust way -- any error in the script might leave it open?
Is there a more secure way, to block admin access entirely via the outside interface not just by port (sometimes)?
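One way to audit the listening question raised above, rather than relying on the firewall alone: check whether /etc/config/uhttpd binds to wildcard addresses (0.0.0.0 / [::], which means every interface including WAN and guest) and rewrite those binds to the LAN address only. The script below is an added example, not code from the post or from the acme.sh project; it uses the real OpenWrt `list listen_http` / `list listen_https` syntax but the sample config, the LAN address 192.168.1.1 and the function names are constructed for illustration. A bind on one address is not an interface-name bind, but on a router whose guest and WAN interfaces carry different addresses it keeps the admin UI off both without depending on an iptables rule being restored correctly.

```shell
#!/bin/sh
# Constructed sample of an OpenWrt /etc/config/uhttpd that listens everywhere
# (the default shape, and the one that exposes the login page on WAN and guest).
SAMPLE_CONFIG=$(cat <<'EOF'
config uhttpd 'main'
    list listen_http '0.0.0.0:80'
    list listen_http '[::]:80'
    list listen_https '0.0.0.0:443'
    list listen_https '[::]:443'
    option home '/www'
EOF
)

# Read a uhttpd config on stdin and print every listen_http/listen_https
# entry bound to a wildcard address (IPv4 0.0.0.0 or IPv6 [::]).
# Zero output lines means the web UI is not reachable on all interfaces.
audit_wildcard_listen() {
    grep -E "^[[:space:]]*list[[:space:]]+listen_https?[[:space:]]+'(0\.0\.0\.0|\[::\]):[0-9]+'" \
        | sed -E "s/^[[:space:]]*list[[:space:]]+//"
}

# Read a uhttpd config on stdin and emit a copy where IPv4 wildcard binds are
# replaced by the given LAN address ($1) and IPv6 wildcard binds are dropped
# (add a 'list listen_http "[<lan ULA>]:80"' line by hand if IPv6 admin is wanted).
rewrite_listen() {
    lan_ip="$1"
    sed -E \
        -e "/^[[:space:]]*list[[:space:]]+listen_https?[[:space:]]+/ s/'0\.0\.0\.0:/'$lan_ip:/" \
        -e "/^[[:space:]]*list[[:space:]]+listen_https?[[:space:]]+'\[::\]:/d"
}

# Stand-alone run: show the findings, then the hardened config.
# On a real router you would run: audit_wildcard_listen < /etc/config/uhttpd
echo "Wildcard binds found:"
printf '%s\n' "$SAMPLE_CONFIG" | audit_wildcard_listen
echo
echo "Rewritten config (LAN address only):"
printf '%s\n' "$SAMPLE_CONFIG" | rewrite_listen 192.168.1.1
```

After applying the rewritten config, `/etc/init.d/uhttpd restart` and re-run the audit against the live file; `netstat -ltn` on the router should then show 80/443 only on the LAN address.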