Access to foris via internet

Hi, all!

Yesterday I was shocked as I got access to my router’s foris and luci interface via the internet. Since I couldn’t find anything helpful here in the forum, I started seeking for a solution of my obvious security problem:

  1. Log in to your router via ssh: ssh root@router.lan
  2. Stop lighttpd: /etc/init.d/lighttpd stop
  3. Open lighttpd’s config file: vi /etc/lighttpd/lighttpd.conf
  4. Bind lighttpd to internal interface only: server.bind = ""
  5. Start lighttpd again: /etc/init.d/lighttpd start

Hope that helps someone who’s concerned like me.


A more consistent way (with the rest of config) would seem to do this in the firewall. That’s how e.g. DNS queries from outside are blocked ATM, too.

I personally do use foris or luci over the internet, occasionally. Note that the luci password also works for ssh as the root user…

From the security’s point of view it is better not to offer a service instead of blocking an offered one. Therefore I suggest to bind lighttpd to the LAN interface by default. If someone prefers to have the configuration interface available to everybode via internet, it’s his / her own decision, indeed.

It would be “safer”, but LAN may not be a single address, so it’s not that easy. See discussion on

EDIT: though whether you want the http server by default in guest lan, VPN, etc…

I know, that my approach won’t satisfy everybody’s needs. But in fact, it is possible to bind lighttpd to more than one IP address. Perhaps it is possible to find a sense making secure standard solution as well as a possibility to change that settings without the need of using ssh.

Is it generally possible to access it from the Internet, or generally only from the LAN? I have changed except for individual forwarding to the home network in the firewall section nothing. The redirects go with direct fixed IPs to devices in the LAN, not the Omnia itself. The basic idea should be to my knowledge so that one has access only from the LAN and only with intentional changes from outside. When I call my public IP from the outside, nothing happens, which should be so. That you could easily access confuses me a bit …

I was confused too. When I clicked accidently on the link of my domain in the managemant interface of my DDNS provider I expected the well-known error message. But the login screen of my router appeared.

Silly question, the host you tried to access your router from was located on the wan side of the omnia? So you are not testing from inside the omnia’s LAN section whether you can reach the management interface by using its external IP address, correct?

Best Regards

1 Like

The question is not silly: In fact I tried to reach the external IP from inside the LAN, but there are afaik no firewall rules for the external interface which differ between internal and external access. Therefore the result should be the same independently from if it is an access from LAN or WAN.

I’m using ddns and tried to reach foris http from outside and it’s not working - which is great so I assume you made changes that made it possible at first. And I have public IP (on UPC modem and turris behind as DMZ because bridge mode was causing problems for UPC STB IPTV services - UPC problem but only solution was to disable bridge)

Sounds reasonable. But I didn’t change the standard config of lighttpd as well as the firewall except portforwarding for port 80 - which couldn’t work since that port was already occupied.

Oh, I think this is called hair-pin routing or nat loopback and lede does that as well, I am not sure whether this actually has an explicit firewall rule even though it does seem to be implemented via iptables.
I think the really important test for your claim of wan side access to foris is to actually attempt to access it from a host that is physically located on thw WAN side. I tried with my omnia and failed for both foris/luci and ssh, YMMV.

Best Regards

Access to foris or any other service from the LAN side with the WAN IP works because the packets enter from the LAN interface and match the LAN rules where access is allowed. Real routing does not happen as the destination IP is a local IP.

I think the default is to block all inbound WAN connections. So if it is really accessible from the outside, you’d have to explicitly allow it.

THANK YOU @neuni!

I also spilled the coffee, when I discovered that I could access the router from the internet by default.

I do not find this default configuration to be in line with the generally high level of security in the Turris project. I am at fortis version 100.5

So did you test this from outside your LAN? Using the external IP address from inside the LAN is not the same situation as using the outside IP address from the WAN side. The former is benign, the latter a safety issue, please let us know which situation you see.

Hi @moeller0

I did not test from the outside, only from the LAN.

The situation was the following: I rebooted the router from the Fortis interface. When the interface reloaded after the router was back, the IP address in the URL-bar showed my public IP address ( and the Fortis interface.

I logged out of Fortis and logged in to Fortis again with the same password as I use on
At that point I got a bit concerned, and found the post by @neuni .

Checking the firewall rules from the LuCi interface it shows the following:

I expect this to mean that it rejects incoming connections from the WAN.

You may be right, that the connection is still coming from the LAN side, even though the URL shows the public IP, and that it is not actually accessible from the WAN. I’ll test with a VPN as soon as possible.

Thank you for following up.