Dropbear: Enable SSH from WAN firewall rule #7138
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The wan_ssh_allow firewall rule should be pre-configured but disabled by default. For the main Dropbear instance will be shown an additional flag to enable the rule. Once the rule is enabled, the only way to disable it is on the Firewall page. Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
The wan_https_allow firewall rule should be pre-configured but disabled by default. For the main uhttpd instance will be shown an additional flag to enable the rule. Once the rule is enabled, the only way to disable it is on the Firewall page. Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
The rfc1918_filter blocks access to Luci from LAN when opening it by a domain which resolves to a public IP. So we need this option here to uncheck to get access. Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
…ptions A user may want to change the uhttpd port or IP address e.g. set it to 192.168.1.1. If the user switched to another web server e.g. nginx or lighttpd he may also want to stop the uhttpd. The settings normally shouldn't be changed, but if a user starts to use a second web server then it will be enough to change only these options. Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
I'm pretty sure the typical usage is to not allow SSH/HTTP/HTTPS on WAN port. Why overload UI (and risk unintentional exposure for newbies) for the very fringe use cases? |
I had the same thought. |
|
@stokito: It is needed to have 2 separate rules, one for HTTP and another one for HTTPS. In more, it is important to choice an external port (to have not default 80/443/22):
|
This was referenced Aug 30, 2024
|
HTTP may be needed for LetsEncrypt webroot challenge. The HTTP/S should be in a one rule. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A draft implementation of an easy way to enable the Allow SSH from WAN rule from UI.
The whole idea is to make a Luci GUI wizard to enable WAN access #7137
The key idea is to have a firewall rule pre-defined and the GUI should only enable it.
This is a simplest implementation. It will work only for 22 port.
We may extend it later but it already covers the typical usage.
What is missing: we should show precautions for a users that this is not safe at all.
And same for the uhttpd:
Here it may be not enough to just open an access. A user may want to switch IP address of uhttpd. Additionally the rfc1918 filter should be disabled. So I copied them from luci-app-uhttpd.
This needs somehow to be managed in graceful way.