I'm using Ubuntu 24 LTS and Nextcloud 33 and ran into the same issue as #338, which can be fixed by entering a valid IP within the configuration option "Allow list for WOPI requests".
The working entry for me is "127.0.0.1/8,::1/128,external IPv6,external IPv4" which exposes the server to the internet. It should be "127.0.0.1/8,::1/128" or "Loopback only". The server refuses to use the loopback at all and listens on IPv6 external only on port 9983, which is also open on IPv4. The IPv6-first policy maybe leads to this expected, but new, behaviour.
To check:
root@server ~ #netstat -an | grep 9983
tcp6 0 0 :::9983 :::* LISTEN
Verify from an external v6-capable host with nmap -6 -p 9983 server (and repeat for -4)
Fix - use iptables to secure the port from external IPs (as root):
iptables -I INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 9983 -j DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p tcp --dport 9983 -j DROP
Verify the fix from an external host with nmap -6 -p 9983 server (and repeat for -4) again; it should show "filtered".
I recommend binding the CODE server to loopback only OR advising users to secure the open port via firewall.
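The local check from the report can be scripted so it fails loudly when the port is not loopback-only. This is an added example, not part of the original report or the project's code; the function name `classify_listeners` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# classify_listeners PORT
# Reads `netstat -an` style lines on stdin and prints one line per TCP
# LISTEN socket bound to PORT: "loopback <addr>" or "exposed <addr>".
# Exit status: 0 = all listeners loopback-only, 1 = at least one exposed,
#              2 = nothing listens on PORT.
# Note: on Linux a wildcard IPv6 socket (:::PORT) also accepts IPv4
# connections unless IPV6_V6ONLY is set, so "::" counts as exposed for both.
classify_listeners() {
    awk -v port="$1" '
    $6 == "LISTEN" {
        la = $4                              # local address, e.g. :::9983
        i = length(la)
        while (i > 0 && substr(la, i, 1) != ":") i--   # find last colon
        if (substr(la, i + 1) != port) next
        addr = substr(la, 1, i - 1)
        seen = 1
        if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) {
            print "loopback " addr
        } else {
            print "exposed " addr
            exposed = 1
        }
    }
    END { exit (exposed ? 1 : (seen ? 0 : 2)) }'
}

# Constructed sample input (first line matches the output shown in the report).
SAMPLE='tcp6       0      0 :::9983                 :::*                    LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51514          ESTABLISHED'

printf '%s\n' "$SAMPLE" | classify_listeners 9983 \
    || echo "port 9983 is not loopback-only"
```

On a live host, feed it real data with `netstat -an | classify_listeners 9983`; the exit status makes it usable in a monitoring check.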