Stop services from listening on WAN [solved]

Hi folks. When I set up OpenWRT, I noticed that dropbear and uhttpd listen on WAN by default. I'm sure this is useful to some folks, but I'm perfectly OK having to be on LAN to administer my router, so I found the relevant config entries and changed dropbear to listen on LAN only and uhttpd to listen on localhost only (I use an ssh tunnel to access luci).

This works great, but it led me to wonder what else OpenWRT is exposing to the world by default. Asking netstat -tulpn, it turns out that dnsmasq, odhcp6c and odhcpd are listening on all interfaces.

I imagine that odhcp6c listening on WAN is normal? On the other hand, I don't see why dnsmasq and odhcpd should, at least for my home router configuration. So, this comes with two questions:

  • Am I making a wrong assumption anywhere here? There are probably use cases where you need dnsmasq to listen on WAN (for instance, if I configured my devices to use my home router as my DNS resolver wherever I am), but anything else?
  • Are there settings that control which interfaces these services listen on? uci show doesn't seem to have anything, at least in the way that dropbear does, for instance (dropbear.@dropbear[0].Interface='lan').

Hi

maybe you have missed the firewall page?
by default, it is configured to drop input on the WAN zone
so, OpenWRT works with zones
the WAN interface is in the WAN zone
the LAN interface(s) are in the LAN zone

please, feel free to navigate to Network/Firewall/General and look closely


Exactly. This can easily be confirmed by logging into an external host, like your linode (or having your neighbor do it or whatever), and running an nmap port scan against your public IPs. You'll see that 22, 80, 443 and anything else is blocked from the outside.

Seems like it; I can connect to the WAN-facing address starting from my LAN, but I can't from a computer in another building. Thanks.

:rofl:
after all, you must admit, it would be ridiculous for a community-driven, open-source project with many contributors to be assembled so badly that connections from WAN were allowed by default :slight_smile:


If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:


Dropbear and uhttpd listen on everything by default.

But it is the firewall that controls the traffic between zones and from the zones to/from the device.

So unless the specific listening ports are open in the firewall, the listening for dropbear and uhttpd will be a very quiet open listening.

The only connection that isn’t controlled by the firewall is the physical serial connection.

The idea of the “listening” function is pretty useless in a standard setup with WAN and LAN. But in a multi-VLAN/interface setup, the listening setting is what actually defines the router IP address; otherwise you can call it by whatever IP address from the “wrong” interface, if the firewall zone settings allow the connection and only the port number is right. And the router will answer.
So the setting brings order to the meeting but it has nothing to do with security.

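As an added example (not code from the thread or from OpenWrt itself), a POSIX shell script that cross-checks the two things the replies above describe: which sockets `netstat -tulpn` shows bound to a wildcard address, and whether the firewall's WAN zone `input` policy or a `src='wan'` ACCEPT rule from `uci show firewall` actually lets WAN traffic reach them. Both inputs are constructed samples embedded in the script, and only the zone policy and rules with a `dest_port` are considered (no `src_ip`/`dest_ip` matching).

```shell
# Constructed sample of `netstat -tulpn` on an OpenWrt router (not real output).
NETSTAT_SAMPLE='tcp   0 0 0.0.0.0:53      0.0.0.0:* LISTEN 1234/dnsmasq
tcp   0 0 192.168.1.1:22  0.0.0.0:* LISTEN 1100/dropbear
tcp   0 0 127.0.0.1:80    0.0.0.0:* LISTEN 1200/uhttpd
udp   0 0 0.0.0.0:53      0.0.0.0:*        1234/dnsmasq
udp   0 0 0.0.0.0:67      0.0.0.0:*        1234/dnsmasq
udp   0 0 0.0.0.0:68      0.0.0.0:*        1500/udhcpc
udp   0 0 :::546          :::*             1300/odhcp6c
udp   0 0 :::547          :::*             1400/odhcpd'
# Constructed excerpt of `uci show firewall` with the stock zone policies and rules.
UCI_SAMPLE="firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[1].name='Allow-DHCPv6'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='udp'
firewall.@rule[1].dest_port='546'
firewall.@rule[1].target='ACCEPT'"
# For each socket bound to a wildcard address, report whether the WAN zone input
# policy or an explicit src=wan ACCEPT rule actually lets WAN traffic reach it.
wan_exposure() {   # $1 = netstat text, $2 = uci text -> "proto port program verdict" lines
  { printf '%s\n' "$2" | tr -d "'"; echo '---'; printf '%s\n' "$1"; } | awk '
    /^---$/ {                  # uci part finished: derive WAN policy and accepted ports
      for (s in seen) {
        if (s ~ /^@zone/ && cfg[s,"name"] == "wan") policy = cfg[s,"input"]
        if (s ~ /^@rule/ && cfg[s,"src"] == "wan" && cfg[s,"target"] == "ACCEPT" && cfg[s,"dest_port"] != "") {
          pr = cfg[s,"proto"]; if (pr == "") pr = "tcp udp"   # firewall default when proto is unset
          n = split(pr, pl, " ")
          for (i = 1; i <= n; i++) allow[pl[i] ":" cfg[s,"dest_port"]] = cfg[s,"name"]
        } }
      net = 1; next }
    !net { eq = index($0, "="); if (!eq) next          # firewall.@sect[N].option=value
      split(substr($0, 1, eq - 1), k, "."); cfg[k[2], k[3]] = substr($0, eq + 1); seen[k[2]] = 1; next }
    $1 ~ /^(tcp|udp)6?$/ {
      p = match($4, /:[0-9]+$/); addr = substr($4, 1, p - 1); port = substr($4, p + 1)
      if (addr != "0.0.0.0" && addr != "::") next        # bound to one address: skip
      proto = $1; sub(/6$/, "", proto); split($NF, pp, "/")
      if ((proto ":" port) in allow) v = "ALLOWED(rule " allow[proto ":" port] ")"
      else v = (policy == "ACCEPT") ? "ALLOWED(wan input=ACCEPT)" : "BLOCKED(wan input=" policy ")"
      print proto, port, pp[2], v
    }'
}
wan_exposure "$NETSTAT_SAMPLE" "$UCI_SAMPLE"
```

On a real router, feed it `"$(netstat -tulpn)"` and `"$(uci show firewall)"` instead of the samples; the stock config yields only the DHCP client ports as ALLOWED and everything else as BLOCKED, matching the replies above.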
