Disable WebUI access from WAN

[mechcozmo]

I was troubleshooting VPN access (which seems broken, incidentally...) and I discovered that the web UI is accessible from the WAN IP.

This should be disabled by default (and only optionally enabled via the UI) for security purposes, especially as the login page is not protected via HTTPS nor any kind of rate-limiting against brute forcing of passwords...

[matt]

Did you open port 80 on the firewall? I had to do so explicitly to get access to lighttpd remotely. Admittedly I'm still running R065.

[eldaria]

By default the WAN port is closed for everything and it has been like this since the earliest Dev and Beta versions went out.
So if you could access the WebUI then you must have enabled this by misstake.
However unless you have another firewall and the Almond+ is not directly exposed to Internet, then I would recommend you turn that off as soon as possible, you should never have anything open unless you really have a need for it, and can monitor for intrusions. I would not even want to have such a service running on a standard port such as port 80.

[LGNilsson]

Have a look in the LCD UI under Settings, WAN Access. Web Access (Port 80) should be disabled.

[mechcozmo]

Have a look in the LCD UI under Settings, WAN Access. Web Access (Port 80) should be disabled.

Has no effect.

At first, I thought, "Maybe I'm just not understanding the UI?  Did I accidentally flip it on?"  But surely, greyed out means "not selected".  Just to be sure (and maybe the UI wasn't matching the underlying system?), I tried it both ways.  Nothing.  Still accessible from the WAN.